- The paper introduces a Merkle Tree Certificate system that replaces issuer signatures with Merkle inclusion proofs and cosignatures, significantly reducing bandwidth.
- It demonstrates an 85% reduction in PQ certificate chain size and landmark verification speedups of 12–28× (classical) and 200–400× (ML-DSA-65).
- The design integrates with Kubernetes and 5G/B5G core infrastructures to enable scalable, low-latency PKI with transparent index-based certificate revocation.
Merkle Tree Certificate PKI for Post-Quantum Cloud-Native 5G/B5G and Kubernetes
Motivation: Post-Quantum Signature Overhead in Cloud-Native Environments
Recent advances in PQC, exemplified by NIST’s ML-DSA-65 standard, necessitate the adoption of post-quantum algorithms in PKI. However, ML-DSA-65 signatures (3,309 bytes) and keys (1,952 bytes) generate a 51× bandwidth increase over Ed25519, with per-handshake certificate chains (including CT SCTs) ballooning to more than 13,000 bytes. The compounded cost in Kubernetes, 5G SBA, and other environments utilizing frequent mTLS handshakes, potentially induces unacceptable latency and packet fragmentation, directly violating latency budgets in 5G and 6G infrastructures. Classical PKI revocation mechanisms (CRL/OCSP) introduce additional operational bottlenecks and cannot be efficiently scaled to meet 5G/6G’s zero-trust architecture needs.
Merkle Tree Certificates: Architecture and Certificate Lifecycle
Merkle Tree Certificates (MTC), as discussed in the evolving IETF specification, replace per-certificate issuer signatures with Merkle inclusion proofs and employ a cosigner network to countersign checkpoints, supporting signatureless authentication in the landmark operational mode. Each certificate is represented as a leaf in an append-only Merkle tree maintained by the CA, where inclusion proofs replace issuer signatures and cosignatures attest log consistency.
MTC defines two certificate modes:
- Standalone Certificates: Include inclusion proofs and cosignatures; verifiable by parties trusting the cosigners.
- Landmark Certificates: Signatureless unless a pre-distributed subtree hash is available; proof size is constant, decoupled from cryptographic scheme.
Certificate Lifecycle:
Integration in Kubernetes and Cloud-Native 5G/B5G
The paper proposes mapping MTC roles to Kubernetes constructs: MTCA as a Deployment, cosigners as independent pods, landmark distributor as a DaemonSet. Certificate issuances and credential rotations utilize Kubernetes native APIs (cert-manager ExternalIssuer CRD). Control-plane components (API server, kubelet, controller-manager, scheduler) seamlessly transition from classical X.509 to MTC-based certification, preserving RBAC semantics, with bootstrapped trust anchored by the MTCA log ID and cosigner keys. Landmark distribution ensures that signatureless, efficient authentication is possible even in high-throughput, ephemeral connection environments typical of 5G SBA.
For 5G core integration, the proposed design maps the NRF as the MTCA and the SCP as witness cosigner, embedding MTC operations into NF registration, certificate lifecycle, and SBI mTLS flows. This architecture is extended to B5G/6G, with recommended standardization of MTC in NF management APIs and event notification mechanisms (e.g., landmark events).
Empirical evaluation on an Intel i9-12900 demonstrates landmark verification in sub-2 µs, compared to 24 µs for ECDSA-P256, with negligible impact on total TLS handshake latency. MTC landmark certificates reduce PQ certificate wire size from ~17,500 bytes (ML-DSA-65 X.509 chains) to ~2,900 bytes—a reduction of approximately 85%. Certificate authentication with landmark mode is hash-only, yielding verification speedups in the order of 12–28× (classical ECDSA) and 200–400× projected for ML-DSA-65.


Figure 2: Results comparing ECDSA P-256 with MTC (Standalone and Landmark modes), highlighting bandwidth reduction and verification latency improvements.
Transparency, Revocation, and Challenges
MTC guarantees certificate transparency and log integrity via cosigner signatures, mirrors, and effective monitoring. Revocation by index enables constant-time, strictly offline checks, improving resilience in NTN and high-latency environments. Notably, MTC landmark authentication decouples operational cost from signature scheme, preserving bandwidth and computational efficiency across both classical and PQ deployments.
Challenges include increased operational complexity in private PKI deployments, cross-PLMN cosigner scaling for roaming, specification maturity (draft volatility), landmark staleness, and log pruning. These limit immediate universal adoption, particularly given the lack of current 3GPP standardization.
Implications and Future Directions
Theoretical implications include a fundamentally new trust distribution paradigm in private PKI, with strong cryptographic guarantees for transparency, log integrity, and scalability. Practically, MTC enables consistent PQ-readiness in cloud-native infrastructure, facilitating frictionless adoption of PQC without the latency and bandwidth penalties of ML-DSA or SLH-DSA signatures.
Anticipated future developments:
- Standardization of native MTC in 6G core (via extensions to NRF/SCP APIs).
- Potential elimination of CertificateVerify for short-lived landmark certificates, achieving fully hash-based authentication.
- Integration with CMPv2 for RAN and transport automation.
- Expanding MTC for satellite PKI, NTN, and high-latency edge scenarios.
- Decentralized PKI constructions with multi-operator cosigner governance.
Conclusion
MTC-based PKI offers substantial reductions in certificate transmission and verification overhead in post-quantum environments, with strong transparency and revocation mechanisms suitable for Kubernetes, 5G/B5G, and prospective 6G networks. The architecture enables practical deployment of PQ PKI, addressing core challenges of bandwidth, latency, auditability, and operational scalability while supporting future standardization and protocol refinements.