Post-Quantum Traditional (PQ/T) Hybrid Authentication with Dual Certificates in TLS 1.3

4.1. Signature Algorithms Negotiation

A new extension, dual_signature_algorithms, is defined to negotiate support for two distinct categories of signature algorithms. The extension carries two disjoint lists: one for classical signature algorithms and one for post-quantum signature algorithms.¶

• In the ClientHello, this extension indicates the client's supported classical and PQ signature algorithms for dual certificate server authentication.¶

• In the CertificateRequest, this extension indicates the server's supported classical and PQ signature algorithms for dual certificate client authentication.¶

This allows both endpoints to signal independently two distinct algorithms for dual authentication.¶

The dual_signature_algorithms can also be used in extensions of CertificateRequest and ClientCertificateRequest structures of Authenticator Request message of Exported Authenticators as defined in Section 4 of [EXPORTED-AUTH].¶

The dual_signature_algorithms extension does not replace signature_algorithms. TLS peers MUST include the signature_algorithms extension regardless of whether dual_signature_algorithms is used. The signature_algorithms extension indicates algorithms acceptable for single-certificate authentication and MUST contain either a non-empty list of such algorithms or be empty if only dual-certificate authentication is acceptable.¶

4.2. Certificate Chain Encoding

TLS 1.3 defines the Certificate message to carry a list of certificate entries representing a single chain. This document reuses the same structure to convey two certificate chains by concatenating them and inserting a delimiter in the form of a zero-length certificate entry.¶

A zero-length certificate is defined as a CertificateEntry with an empty cert_data field and omitted extensions field. TLS 1.3 prohibits the use of empty certificate entries, making this delimiter unambiguous. Implementations MUST treat all entries before the zero-length delimiter as the first certificate chain (typically classic), and all entries after it as the second certificate chain (typically post-quantum).¶

This encoding applies equally to the CompressedCertificate message defined in [COMPRESS-CERT] and to the Certificate message of Exported Authenticators as defined in Section 5.2.1 of [EXPORTED-AUTH].¶

Since TLS 1.3 supports only a single certificate type in each direction, both certificate chains MUST either contain X.509 certificates or certificates of type specified in:¶

• server_certificate_type extension in a EncryptedExtensions message for Server certificates¶

• client_certificate_type extension in a EncryptedExtensions message for Client certificates¶

Note that according to Section 5.2.1 of [EXPORTED-AUTH] Exported Authenticators support only X.509 certificates.¶

4.3. CertificateVerify Signatures

The CertificateVerify message is extended to include two digital signatures:¶

1. One computed using a signature algorithm selected from the first list of the dual_signature_algorithms extension.¶

2. One computed using a signature algorithm selected from the second list of the dual_signature_algorithms extension.¶

Each signature is computed over the transcript hash as specified in TLS 1.3, but with distinct context strings to domain-separate the two operations.¶

This encoding applies equally to the CertificateVerify message of Exported Authenticators as defined in Section 5.2.2 of [EXPORTED-AUTH].¶

The order of the signatures in the message MUST correspond to the order of the certificate chains in the Certificate message: the first signature MUST correspond to a classical algorithm from first_signature_algorithms list of dual_signature_algorithms extension, while the second signature MUST correspond to a PQ algorithm from second_signature_algorithms list of dual_signature_algorithms extension.¶

5.1. dual_signature_algorithms Extension

A new extension, dual_signature_algorithms, is defined to allow peers to advertise support for two distinct categories of signature algorithms: classical and post-quantum.¶

struct {
    SignatureScheme first_signature_algorithms<2..2^16-2>;
    SignatureScheme second_signature_algorithms<2..2^16-2>;
} DualSignatureSchemeList;

5.2. Certificate Message Encoding

TLS 1.3 defines the Certificate message as follows:¶

struct {
    opaque certificate_request_context<0..2^8-1>;
    CertificateEntry certificate_list<0..2^24-1>;
} Certificate;

This document extends the semantics of certificate_list to support two logically distinct certificate chains, encoded sequentially and separated by a delimiter.¶

struct {
    select (is_delimiter) {
        case Delimiter: uint24 delimiter = 0;
        case Non_Delimiter:
          select (certificate_type) {
              case RawPublicKey:
                /* From RFC 7250 ASN.1_subjectPublicKeyInfo */
                opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;

              case X509:
                opaque cert_data<1..2^24-1>;
          };
          Extension extensions<0..2^16-1>;
    };
} CertificateEntry;

5.3. CertificateVerify Message

The CertificateVerify message is extended to carry two independent signatures. Its modified structure is as follows:¶

struct {
    SignatureScheme first_algorithm;
    opaque first_signature<0..2^16-1>;
    SignatureScheme second_algorithm;
    opaque second_signature<0..2^16-1>;
} CertificateVerify;

Each signature covers the transcript hash as in TLS 1.3, but with a distinct context string for domain separation.¶

5.4. Dual Certificate Policy Enforcement

Policy enforcement regarding the use of dual certificates is implementation-defined and driven by the authenticating peer. When dual certificate authentication is required by local policy, such as during high-assurance sessions or post-quantum transition periods, the authenticating endpoint MUST abort a handshake where only one signature or one certificate chain is present with an dual_certificate_required alert. Implementations MUST ensure that both certificates and both signatures are processed together and MUST NOT accept fallback to single-certificate authentication when dual-authentication is expected.¶

A single composite certificate chain and signature such as defined by [TLS-COMPOSITE-MLDSA] MAY be an acceptable alternative during post-quantum transition period as long as corresponding signature scheme is listed in signature_algorithms extension.¶

7.1. Type 1: Single-certificate

Client requires only one classical, pq or a composite signature. Client does not support dual certificates.¶

Client behavior:¶

• Includes supported algorithms in signature_algorithms and optionally signature_algorithms_cert.¶

• Does not include dual_signature_algorithms.¶

To satisfy this client, the server MUST send a single certificate chain with compatible algorithms and include a single signature in CertificateVerify.¶

7.2. Type 2: Dual-Compatible, PQ Optional (Classic Primary)

Client supports both classical and PQ authentication. It allows the server to send either a classical chain alone or both chains.¶

Client behavior:¶

• Includes supported classical algorithms in signature_algorithms and optionally signature_algorithms_cert.¶

• Includes supported classical algorithms in first_signature_algorithms list of dual_signature_algorithms and supported PQ algorithms in second_signature_algorithms list of dual_signature_algorithms.¶

To satisfy this client, the server MUST either:¶

• Provide a single certificate chain with compatible classical algorithms and include a single signature in CertificateVerify¶

• Provide a classical certificate chain followed by a PQ certificate chain as described in Section 5.2 and two signatures in CertificateVerify as described in Section 5.3¶

7.3. Type 3: Strict Dual

Client requires both classical and PQ authentication to be performed simultaneously. It does not support composite certificates.¶

Client behavior:¶

• Includes an empty list in signature_algorithms.¶

• Includes supported classical algorithms in first_signature_algorithms list of dual_signature_algorithms and supported PQ algorithms in second_signature_algorithms list of dual_signature_algorithms.¶

To satisfy this client, the server MUST provide a classical certificate chain followed by a PQ certificate chain as described in Section 5.2 and two signatures in CertificateVerify as described in Section 5.3¶

7.4. Type 4: Dual-Compatible, Classic Optional (PQ Primary)

Client supports both classical and PQ authentication. It allows the server to send either a PQ chain alone or both chains.¶

Client behavior:¶

• Includes supported PQ algorithms in signature_algorithms and optionally signature_algorithms_cert.¶

• Includes supported classical algorithms in first_signature_algorithms list of dual_signature_algorithms and supported PQ algorithms in second_signature_algorithms list of dual_signature_algorithms.¶

To satisfy this client, the server MUST either:¶

• Provide a single certificate chain with compatible PQ algorithms and include a single signature in CertificateVerify¶

• Provide a PQ certificate chain followed by a classical certificate chain as described in Section 5.2 and two signatures in CertificateVerify as described in Section 5.3¶

7.5. Compatibility with composite certificates

Clients and servers may choose to support composite certificate schemes, such as those defined in [TLS-COMPOSITE-MLDSA]. In these schemes, a single certificate contains a composite public keys, and the associated signature proves knowledge of private keys of all components.¶

If a composite signature algorithm appears in the signature_algorithms extension, it can fulfill the client's requirements for both classical and PQ authentication in a single certificate and signature. It is up to the client policy to decide whether a composite certificate is acceptable in place of a dual-certificate configuration. This allows further deployment flexibility and compatibility with hybrid authentication strategies.¶

8.1. Signature Association and Parsing Robustness

Implementations MUST strictly associate each CertificateVerify signature with the corresponding certificate chain, based on their order relative to the zero-length delimiter in the Certificate message. Failure to properly align signatures with their intended certificate chains may result in incorrect validation or misattribution of authentication.¶

Certificate parsing logic MUST reject messages that contain more than one zero-length delimiter, or that place the delimiter as the first or last entry in the certificate list.¶

8.2. Signature Validation Requirements

Both signatures in the CertificateVerify message MUST be validated successfully and correspond to their respective certificate chains. Implementations MUST treat failure to validate either signature as a failure of the authentication process. Silent fallback to single-certificate verification undermines the dual-authentication model and introduces downgrade risks.¶

8.3. Side-Channel Resistance

Since both CertificateVerify operations involve signing the transcript using different cryptographic primitives, care MUST be taken to avoid leaking side-channel information. Implementers MUST ensure constant-time execution and avoid conditional branching that could reveal whether one or both signatures are present or valid.¶

Distinct context strings are REQUIRED for the two signatures to prevent cross-protocol misuse or collision attacks.¶

8.4. Cryptographic Independence

To achieve the intended security guarantees, implementers and deployment operators MUST ensure that the two certificate chains rely on cryptographically independent primitives.¶

8.5. Certificate Usage and Trust

Certificate chains must be validated independently, including trust anchors, certificate usage constraints, expiration, and revocation status. Operators MUST ensure that revocation checking, such as using OCSP or CRLs, is consistently applied to both chains to prevent reliance on revoked credentials.¶

8.6. Preventing Downgrade Attacks

TLS clients that are capable of accepting both traditional-only certificates and dual certificate configurations may remain vulnerable to downgrade attacks. In such a scenario, an attacker with access to a CRQC could forge a valid traditional certificate to impersonate the server and it does not indicate support for dual certificates. To mitigate this risk, clients should progressively phase out acceptance of traditional-only certificate chains once dual certificate deployment is widespread and interoperability with legacy servers is no longer necessary. During the transition period, accepting traditional-only certificate chains may remain necessary to maintain backward compatibility with servers that have not yet deployed dual certificates.¶

9.1. TLS extension

IANA is requested to assign a new value from the TLS ExtensionType Values registry:¶

• Extension Name: dual_signature_algorithms¶

• TLS 1.3: CH, CR¶

• DTLS-Only: N¶

• Recommended: Y¶

• Reference: [[This document]]¶

9.2. TLS alert

IANA is requested to add the following entry to the "TLS Alerts" registry:¶

• Value: TBD¶

• Description: dual_certificate_required¶

• DTLS-OK: Y¶

• Reference: [[This document]]¶

• Comment: None¶

11.1. Normative References

[EXPORTED-AUTH]

Sullivan, N., "Exported Authenticators in TLS", RFC 9261, DOI 10.17487/RFC9261, July 2022, <https://www.rfc-editor.org/rfc/rfc9261>.

[RFC2119]

Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/rfc/rfc2119>.

[RFC8174]

Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

[TLS]

Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", Work in Progress, Internet-Draft, draft-ietf-tls-rfc8446bis-12, 17 February 2025, <https://datatracker.ietf.org/doc/html/draft-ietf-tls-rfc8446bis-12>.

11.2. Informative References

[COMPRESS-CERT]

Ghedini, A. and V. Vasiliev, "TLS Certificate Compression", RFC 8879, DOI 10.17487/RFC8879, December 2020, <https://www.rfc-editor.org/rfc/rfc8879>.

[ECDSA]

"Digital Signature Standard (DSS)", National Institute of Standards and Technology (U.S.), DOI 10.6028/nist.fips.186-5, February 2023, <https://doi.org/10.6028/nist.fips.186-5>.

[I-D.ietf-pquip-pqt-hybrid-terminology]

D, F., P, M., and B. Hale, "Terminology for Post-Quantum Traditional Hybrid Schemes", Work in Progress, Internet-Draft, draft-ietf-pquip-pqt-hybrid-terminology-06, 10 January 2025, <https://datatracker.ietf.org/doc/html/draft-ietf-pquip-pqt-hybrid-terminology-06>.

[ML-DSA]

Hollebeek, T., Schmieg, S., and B. Westerbaan, "Use of ML-DSA in TLS 1.3", Work in Progress, Internet-Draft, draft-ietf-tls-mldsa-00, 16 May 2025, <https://datatracker.ietf.org/doc/html/draft-ietf-tls-mldsa-00>.

[PQ-RECOMMEND]

Reddy.K, T. and H. Tschofenig, "Post-Quantum Cryptography Recommendations for TLS-based Applications", Work in Progress, Internet-Draft, draft-reddy-uta-pqc-app-07, 25 February 2025, <https://datatracker.ietf.org/doc/html/draft-reddy-uta-pqc-app-07>.

[TLS-COMPOSITE-MLDSA]

Reddy.K, T., Hollebeek, T., Gray, J., and S. Fluhrer, "Use of Composite ML-DSA in TLS 1.3", Work in Progress, Internet-Draft, draft-tls-reddy-composite-mldsa-00, 2 November 2024, <https://datatracker.ietf.org/doc/html/draft-tls-reddy-composite-mldsa-00>.

A.1. General TLS Semantics

A.2. Certificate Handling Semantics

A.3. Use Case and Deployment Flexibility