Measuring The Impact of Post-Quantum Cryptography on Complex Applications: A Case Study on Federated Identity Management

The arrival of quantum computers will significantly impact our current Internet infrastructures as quantum com- puters will be able to break current public key cryptography. This means that we need to replace cryptographic algorithms by quantum-safe alternatives, also known as Post Quantum Cryptography (PQC). Many protocols and architectures need to make this transition. While the Internet community is making steady progress on transitioning TLS to PQC, there are still many protocols for which action needs to be taken, especially in more complex scenarios where protocols span multiple layers of the stack. In this paper, we study such a complex scenario: Federated Identity architectures. The objective of these architec- tures is to allow access to multiple services using a single set of login credentials, improving convenience and security across different organizations or domains. In particular we examine the Hub’n’Spoke model, where multiple parties exchange data through a central hub. This hub manages most of the infrastruc- ture workload and deals with many heterogeneous devices and protocols, making it a perfect test case for the PQC transition. Using real-world data from an operator of a large academic identity federation, we benchmark five PQC algorithms finalized by NIST. We also quantify the toll this transition imposes on computational efficiency and hardware capacity. We show that while there is an ever increasing interest towards PQC adoption, many technical challenges remain unaddressed, showing that the Post Quantum transition process is fragmented, with many components of the ecosystem that are still insufficiently taken into consideration