Migrating Time and Security-Critical PKIs to Post-Quantum Cryptography: SWIM and C-ITS

Abstract

Public Key Infrastructures (PKIs) are foundational to time- and security-critical systems such as air traffic management and cooperative intelligent transport systems (C-ITS). These PKIs rely almost exclusively on classical public-key cryptography, which will become vulnerable once cryptographically relevant quantum computers emerge. Migrating such systems to post-quantum cryptography (PQC) is therefore necessary but non-trivial, as these environments impose strict constraints on latency, bandwidth, interoperability, long system lifetimes, and regulatory compliance. This paper presents a comparative, constraint-driven analysis of PQC migration for time- and security-critical PKIs. Focusing on System-Wide Information Management (SWIM) and C-ITS, we examine how PQC signature and key sizes, verification costs, and certificate structures affect real-time communication, certificate validation, and session establishment. In particular, we analyze the impact of certificate size growth and verification latency on time-critical messaging using published benchmarks and protocol specifications. Rather than proposing new cryptographic primitives or implementations, this work synthesizes existing benchmarks, standardization documents, and protocol specifications to identify feasibility limits, migration risks, and design trade-offs. The analysis shows that certificate chain length and signature overhead can dominate session establishment time in short communication windows, particularly in C-ITS environments, even when individual cryptographic operations remain computationally efficient. We further discuss the operational risks introduced by hybrid cryptographic deployments, including increased system complexity, negotiation failures, and insecure fallback behavior. In addition, we highlight how long system lifetimes and slow standardization cycles in safety-critical sectors complicate timely cryptographic transitions. The results indicate that migration feasibility is often determined by system-level constraints, such as certificate handling, protocol overhead, interoperability requirements, and regulatory alignment, rather than by the performance of individual PQC algorithms alone. Based on this analysis, we present a benchmarking-based migration framework tailored to critical PKIs, highlighting where hybrid cryptographic approaches are unavoidable, where they introduce new risks, and which classes of PQC algorithms are conditionally viable under strict timing and bandwidth constraints. The paper concludes with concrete recommendations for system designers and policymakers to support crypto-agile PQC migration without compromising operational safety.