The Resource Public Key Infrastructure (RPKI) secures Internet routing by binding IP prefixes to authorized Autonomous Systems, yet its RSA foundations are vulnerable to quantum adversaries. A naive swap to post-quantum (PQ) signatures (eg Falcon) is a poor fit for RPKI's bulk model: every relying party (RP) repeatedly fetches and validates the entire global repository, so larger keys and signatures inflate bandwidth and CPU cost, especially during a long dual-stack transition. We present pqRPKI , a post-quantum RPKI framework that pairs a multi-layer Merkle Tree Ladder (MTL) with RPKI objects, customized to relocate per-object verification material from certificates into the Manifest. To update RPKI for Merkle tree based schemes, pqRPKI redesign the RPKI manifest and delegation chain, introduces a ladder-guided sync and bulk-verification workflow that lets validators localize diffs top-down and rebuild trees bottom-up. pqRPKI also preserves current RPKI objects and encodings, supports both hosted and delegated operation, and provides an additive migration path that coexists with today's trust anchors for dual-stack deployment with little size overhead. Implemented as a working publication point (PP) and RPs, we show that pqRPKI reduces repository footprint to 546.8 MB on average (65.5%/83.1% smaller than Falcon/ML-DSA), cuts full-cycle validation to 102.7 s, and achieves 118.3 s end-to-end PP to Router time, enabling sub-2-minute operating cadences with full-repository validation each cycle. Dual-stack deployment with RSA only adds just 3.4% size overhead versus today's RPKI repositories.

翻译：资源公钥基础设施（RPKI）通过将IP前缀与授权自治系统绑定来保障互联网路由安全，但其基于RSA的密码基础在量子攻击面前存在脆弱性。简单替换为后量子（PQ）签名方案（如Falcon）并不适用于RPKI的批量处理模型：每个依赖方（RP）需反复获取并验证完整的全球资源库，更大的密钥和签名将显著增加带宽与计算开销，在长期双栈过渡阶段尤为突出。本文提出pqRPKI——一种后量子RPKI框架，通过将多层默克尔树阶梯（MTL）与RPKI对象配对，将逐对象验证材料从证书重构至清单文件中。为适配基于默克尔树的方案，pqRPKI重新设计了RPKI清单与授权链，引入阶梯引导的同步批量验证工作流，使验证器能够自上而下定位差异并自底向上重建树结构。该框架完整保留现有RPKI对象与编码格式，支持托管与委派两种运行模式，并提供增量迁移路径：在与现行信任锚共存的双栈部署中仅产生极小存储开销。通过实现可运行的发布点（PP）与依赖方系统，实验表明pqRPKI将资源库容量降至平均546.8 MB（较Falcon/ML-DSA方案分别减少65.5%/83.1%），完整验证周期缩短至102.7秒，实现从发布点到路由器的端到端耗时118.3秒，支持每轮次全库验证的亚两分钟操作节奏。与现有RPKI资源库相比，RSA双栈部署仅产生3.4%的存储开销。