First complete pure Falcon-512 BGPsec + RPKI chain - December 2024
This repository contains proof that complete post-quantum secure BGPsec certificate chains and RPKI ROAs are technically ready for production deployment right now.
The implementation provides:
- CA certificate using pure Falcon-512
- Router certificates signed by the CA with Falcon-512
- RPKI ROA signed with router certificate using Falcon-512
- Full chain validation end-to-end with rpki-client
Zero classical cryptography - no RSA, no ECDSA, no hybrid fallback.
The "but the certificates" argument is now closed. Full chain validates end-to-end.
This demonstrates that:
- Post-quantum certificates work in real RPKI infrastructure (with patched rpki-client)
- Complete BGPsec certificate chains can be pure post-quantum
- RPKI ROAs can be signed with post-quantum router certificates
- The entire stack - CA → Router → ROA → Validation - works with Falcon-512
Sam Moes
December 2024