Paper 2025/1792

Zero-Downtime Post-Quantum TLS 1.3 Migration: A Bridge-Server-Based Approach

Minjoo Sim, Hansung University
Subin Jo, Hansung University
Hyuntae Song, Hansung University
Eunseong Kim, Hansung University
Hwajeong Seo, Hansung University
Abstract

The rapid advancement of quantum computing threatens the security of widely deployed public-key cryptosystems, creating an urgent need for practical migration to post-quantum cryptographic (PQC) standards. Although the U.S. National Institute of Standards and Technology (NIST) and Korea's KpqC initiative have recently standardized PQC algorithms, integrating them into Transport Layer Security (TLS) 1.3 remains operationally challenging. Larger certificates, higher handshake costs, and incompatibility with legacy clients make naive deployment impractical in production environments. While hot reload has long been supported in classical TLS deployments (e.g., Nginx, HAProxy), these mechanisms were designed for RSA/ECC contexts with small keys and certificates, and they do not address PQC-specific challenges. This work presents a systematic demonstration of hot reload and rollback in a PQC-enabled TLS context, incorporating a policy-driven state machine for staged migration and rollback under realistic constraints such as increased handshake latency and legacy-client compatibility. We propose a bridge-server-based framework that operates at the TLS library level, enabling zero-downtime migration across classical, hybrid, and PQC deployments. Experimental evaluation shows that PQC handshakes incur approximately a 5.8x to 6.4x increase in latency in compute-bound settings relative to ECC baselines, while the relative overhead is significantly smaller in network-bound scenarios, highlighting the importance of deployment context. These findings provide a feasible path toward secure and incremental PQC integration in TLS infrastructures, contributing to broader strategies for achieving crypto-agility under evolving cryptographic standards.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Preprint.
Keywords
Crypto Agility, Post-Quantum Cryptography, TLS 1.3, Zero-Downtime Migration
Contact author(s)
minjoos9797 @ gmail com
chosubin1208 @ gmail com
sht56790u @ gmail com
eunsungkim2005 @ gmail com
hwajeong84 @ gmail com
History
2025-10-08: approved
2025-10-01: received
Short URL
https://ia.cr/2025/1792
License
No rights reserved
CC0

BibTeX

@misc{cryptoeprint:2025/1792,
      author = {Minjoo Sim and Subin Jo and Hyuntae Song and Eunseong Kim and Hwajeong Seo},
      title = {Zero-Downtime Post-Quantum {TLS} 1.3 Migration: A Bridge-Server-Based Approach},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/1792},
      year = {2025},
      url = {https://eprint.iacr.org/2025/1792}
}