Post-Quantum Cryptography (PQC) Migration

What is Post-Quantum Cryptography?

Post-Quantum Cryptography refers to cryptographic algorithms (usually public-key) that are thought to be secure against both quantum and classical computers. Current public-key schemes such as RSA and ECC (Elliptic Curve Cryptography) rely on the difficulty of factoring large integers or finding discrete logarithms, tasks a quantum computer using Shor’s Algorithm can solve in minutes. PQC is instead built on mathematical problems that are believed to remain intractable for quantum processors.

The NIST PQC Standards (2024–2025 Update)

In August 2024, the National Institute of Standards and Technology (NIST) finalized the first three PQC standards, providing the industry with a concrete foundation for migration:

  1. ML-KEM (FIPS 203): Formerly CRYSTALS-Kyber, this is the primary standard for general encryption and key exchange.

  2. ML-DSA (FIPS 204): Formerly CRYSTALS-Dilithium, this is the primary standard for digital signatures.

  3. SLH-DSA (FIPS 205): Formerly SPHINCS+, a stateless hash-based signature scheme designed as a backup for ML-DSA.

HQC, a code-based scheme, was also selected in early 2025 as an additional alternative for key encapsulation.

Why the Urgency? The “Harvest Now, Decrypt Later” Threat

Many organizations mistakenly believe they have years before quantum computers become “useful.” However, the most pressing threat is immediate. Adversaries are currently intercepting and storing encrypted sensitive data (financial records, national secrets, personal health info) with the intent to decrypt it once a powerful enough quantum computer exists.

If your data has a security lifespan of 10+ years, it is already at risk today.

The PQC Migration Roadmap: A 5-Step Framework

Migration is not a simple “software update.” It is a multi-year technology change program. Based on 2025 guidance from the NCSC and NIST, here is the recommended framework for enterprise migration.

1. Cryptographic Discovery (Inventory)

You cannot protect what you don’t know exists. Organizations must perform a deep audit to create a Cryptographic Bill of Materials (CBOM).

  • Identify: Where are RSA and ECC used in your environment?

  • Locate: Check internal apps, third-party software, and cloud services.

  • Dependencies: Identify hardware roots of trust and long-lived firmware that might be difficult to update.

2. Risk Assessment and Prioritization

Not all data needs to be migrated at once. Prioritize based on the lifespan of the data versus the time to migrate.

  • High Priority: Long-lived data (intellectual property, state secrets) and critical infrastructure.

  • Low Priority: Ephemeral data that loses value in months (e.g., a one-time login token).
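
Steps 1 and 2 can be combined in one small script. The following is an added example, not code from the original article: it classifies inventory entries as quantum-vulnerable, hybrid or PQC, then ranks the vulnerable ones by data lifespan plus migration time against an assumed time until a capable quantum computer exists. The asset names, the `Entry` fields, the "+" convention for hybrid algorithm strings and the 10-year horizon are assumptions made for illustration.

```python
from dataclasses import dataclass

# Public-key families broken by Shor's algorithm, and the NIST names from this page.
CLASSICAL = ("rsa", "ecdsa", "ecdh", "dsa", "dh", "x25519", "ed25519")
PQC = ("ml-kem", "ml-dsa", "slh-dsa", "hqc")

@dataclass
class Entry:                # hypothetical CBOM record layout
    asset: str
    algorithm: str          # hybrid components joined with "+"
    lifespan_years: float   # how long the protected data must stay secret
    migration_years: float  # estimated time to replace the algorithm here

def classify(algorithm: str) -> str:
    """Label an inventory string: pqc, hybrid, quantum-vulnerable or unknown."""
    kinds = set()
    for part in algorithm.lower().split("+"):
        part = part.strip()
        if part.startswith(PQC):        # PQC first, so "ml-dsa" is never read as "dsa"
            kinds.add("pqc")
        elif part.startswith(CLASSICAL):
            kinds.add("classical")
        else:
            kinds.add("unknown")        # e.g. symmetric ciphers: review by hand
    if kinds == {"pqc"}:
        return "pqc"
    if kinds == {"pqc", "classical"}:
        return "hybrid"
    if kinds == {"classical"}:
        return "quantum-vulnerable"
    return "unknown"

def exposure(e: Entry, years_to_quantum: float) -> float:
    """Years the data is still sensitive after the assumed quantum date."""
    return e.lifespan_years + e.migration_years - years_to_quantum

def prioritize(entries, years_to_quantum):
    """Return (asset, status, exposure) for vulnerable entries, worst first."""
    rows = [(e.asset, classify(e.algorithm), exposure(e, years_to_quantum))
            for e in entries if classify(e.algorithm) == "quantum-vulnerable"]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample inventory (hypothetical assets, not from the article).
INVENTORY = [
    Entry("vpn-gateway", "ECDH-P256", 15, 3),
    Entry("login-token-service", "RSA-2048", 0.1, 1),
    Entry("firmware-signing", "ECDSA-P384", 20, 5),
    Entry("edge-tls", "X25519+ML-KEM-768", 10, 0),
    Entry("code-signing-v2", "ML-DSA-65", 10, 0),
]

if __name__ == "__main__":
    for asset, status, years in prioritize(INVENTORY, years_to_quantum=10):
        print(f"{asset:22} {status:20} exposure={years:+.1f}y")
```

A positive exposure means the data would still need protection after the assumed quantum date, so that entry belongs in the high-priority group.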

3. Implementing “Quantum Agility”

The transition won’t happen overnight. The industry standard in 2025 is the Hybrid Approach. This involves using both a classical algorithm and a PQC algorithm in tandem. Even if the PQC algorithm is later found to have a flaw, the classical encryption still provides a baseline of security.

4. Testing and Interoperability

PQC algorithms often have larger key sizes and longer processing times than their classical predecessors.

  • Performance: Can your VPN handle the increased handshake latency of ML-KEM?

  • MTU Issues: Larger signatures might cause packet fragmentation in older network stacks.

  • Lab Pilots: Use tools like the NCCoE PQC Migration Lab to test interoperability before a full-scale rollout.

5. Execution and Monitoring

By late 2025, major vendors (Cloudflare, Google, Microsoft) have already integrated PQC into browsers and cloud services. Enterprises should:

  • Update procurement policies to require PQC-readiness from vendors.

  • Begin the phase-out of legacy systems that cannot support the new standards by 2030.

Global Timelines: Where We Stand in 2025

| Region / Body | Milestone | Target Date |
| --- | --- | --- |
| NIST (USA) | Finalized ML-KEM, ML-DSA, SLH-DSA | Aug 2024 |
| Cloudflare | Majority of traffic protected by PQC | Oct 2025 |
| NCSC (UK) | Initial migration plans for all critical infrastructure | 2028 |
| NIST / NSA | Deprecation of quantum-vulnerable algorithms | 2030–2035 |
| Canada | Full PQC migration of high-risk systems | 2031 |

Common Challenges in PQC Migration

  • Key and Signature Size: PQC keys are significantly larger than RSA or ECC keys. This can break protocols that expect small packets.

  • Performance Overhead: While ML-KEM is efficient, hash-based signatures (SLH-DSA) can be computationally intensive, requiring hardware acceleration in some cases.

  • Lack of Expertise: There is a global shortage of cybersecurity professionals who understand the nuances of lattice-based or code-based cryptography.

Summary: Preparing for “Q-Day”

Post-quantum cryptography migration is the most significant cryptographic transition in history. It is a fundamental shift in how we secure the digital world. For business leaders and IT professionals, the message is clear: “wait and see” is no longer a viable strategy.

By starting your discovery phase now and adopting a hybrid-first approach, you can ensure that your organization remains resilient in the face of the quantum future.
