Post-quantum cryptography for a ticketing platform
Ticketing platform (Skedl)
Skedl is an event ticketing platform with integrated cashless payments, used by festival, concert and professional event organizers. Electronic ticketing relies on cryptographic signatures to guarantee ticket authenticity, and cashless payment relies on key exchanges to secure real-time payments on mobile terminals. Both building blocks historically depend on RSA and elliptic curves, algorithms whose lifespan is now limited by the gradual arrival of quantum computing. The initiative to integrate post-quantum cryptography came from Jim himself, out of conviction that these threats require early preparation rather than an emergency migration when the first useful quantum computers arrive. Two critical surfaces were identified as priorities: ticket signing, whose lifespan far exceeds the event itself, and cashless transactions, which handle financial data.
Integrating post-quantum algorithms (CRYSTALS-Kyber for key exchange, CRYSTALS-Dilithium for signing) into a production platform is not a trivial operation. These algorithms have very different performance and key size properties compared to RSA or elliptic curves: keys and signatures are larger, computation times can vary by hardware, and no industrial library is as battle-tested as what we've been using for twenty years. The challenge was twofold: preserve performance on the mobile payment terminals deployed at events, and guarantee compatibility with existing integrations during the transition. We also had to find the right partners: we collaborated with a cryptographer recognized in the post-quantum field and entered into a partnership with an HSM market leader for secure hardware-level key management.
We designed a hybrid classical/post-quantum architecture allowing a progressive transition without service interruption. For ticket signing, each ticket is signed both with a classical algorithm (for compatibility with existing verifiers) and with Dilithium (for long-term protection). Verification can be done with either algorithm depending on context. For cashless transactions, the key exchange uses Kyber, encapsulated in a layer that allows switching to another post-quantum algorithm if a new standard emerges. We conducted exhaustive performance testing on the real terminals used at events to validate that response times remain compatible with the expected user experience: under one second for a cashless transaction. Sensitive keys are managed via an HSM to guarantee non-extraction, and the key rotation process has been documented so the operator can execute it without our involvement.
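
One way to model the "either algorithm depending on context" verification described above, as an added example that is not Skedl's code: each verifier context names the signatures it requires, so a ticket whose Dilithium signature has been stripped still passes a legacy scanner but fails a long-term check. The context names, the envelope layout and the HMAC stand-ins for the classical and Dilithium signatures are assumptions made so the example runs with the standard library only.

```python
import hashlib
import hmac
import json

# Stand-in primitives (assumption): HMAC-SHA256 under two separate keys takes the
# place of the classical and Dilithium signatures so the example runs offline.
KEYS = {"classical": b"constructed-classical-key", "dilithium": b"constructed-pq-key"}

# Verification contexts (hypothetical names): which signatures must be valid.
POLICIES = {
    "legacy_scanner": {"classical"},
    "long_term_audit": {"classical", "dilithium"},
}

def _sign(alg, message):
    return hmac.new(KEYS[alg], message, hashlib.sha256).hexdigest()

def _canonical(ticket):
    # Both signatures cover the same canonical byte string.
    return json.dumps(ticket, sort_keys=True, separators=(",", ":")).encode()

def issue_ticket(ticket):
    """Sign the same canonical bytes once per algorithm."""
    msg = _canonical(ticket)
    return {"ticket": ticket, "sigs": {alg: _sign(alg, msg) for alg in KEYS}}

def verify_ticket(envelope, context):
    """Return (ok, reason). Every algorithm the context requires must verify."""
    required = POLICIES.get(context)
    if required is None:
        return False, "unknown context"
    msg = _canonical(envelope["ticket"])
    sigs = envelope.get("sigs", {})
    for alg in sorted(required):
        sig = sigs.get(alg)
        if sig is None:
            return False, f"missing {alg} signature"
        if not hmac.compare_digest(sig, _sign(alg, msg)):
            return False, f"invalid {alg} signature"
    return True, "ok"

# Constructed sample ticket.
SAMPLE = issue_ticket({"event": "demo-festival", "seat": "A12", "ticket_id": 1001})
```

A context that accepts the classical signature alone gets no protection from the Dilithium signature, so the contexts that matter for long-lived tickets should require both.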