🚨 NEW PEER-REVIEWED RESEARCH: PQC Migration Timelines

Excited to share my latest paper published in MDPI Computers: "Enterprise Migration to Post-Quantum Cryptography: Timeline Analysis and Strategic Frameworks."

The transition to Post-Quantum Cryptography (PQC) represents a watershed moment in the history of our digital civilization. Organizations planning for a 3-5 year "upgrade" will fail. The reality is a 10-15-year systemic transformation.

Key Contributions:

📊 Realistic Timeline Estimates by Enterprise Size:
- Small (≤500 employees): 5-7 years
- Medium (500-5K): 8-12 years
- Large (>5K): 12-15+ years

⚠️ Critical Finding: With FTQC expected 2028-2033, large enterprises face a 3-5 year vulnerability window—migration may not complete before quantum computers break RSA/ECC.

🔬 Novel Framework Analysis:
- Causal dependency mapping (HSM certification, partner coordination as critical paths)
- "Zombie algorithm" maintenance overhead quantified (20-40%)
- Zero Trust Architecture implications for PQC

💡 Practical Guidance: Crypto-agility frameworks and phased migration strategies for immediate action.

Strategic Recommendations for Leadership:

1. Prioritize by Data Value, Not System Criticality: Invert the traditional triage model. Systems protecting long-lived data (IP, PII, Secrets) must migrate first, regardless of their operational uptime criticality, to mitigate SNDL.
2. Fund the "Invisible" Infrastructure: Budget immediately for the expansion of PKI repositories, bandwidth upgrades, and HSM replacements. These are long-lead items that cannot be rushed.
3. Establish a Crypto-Competency Center: Do not rely solely on generalist security staff. Invest in specialized training or retain dedicated PQC counsel to navigate the mathematical and implementation nuances. The talent shortage will only worsen.
4. Demand Vendor Roadmaps: Contractual language must shift. Procurement should require vendors to provide binding roadmaps for PQC support. "We are working on it" is no longer an acceptable answer for critical supply chain partners.
5. Embrace Hybridity: Accept that the future is hybrid. Design architectures that can support dual-stack cryptography indefinitely, viewing it not as a temporary bridge but as a long-term operational state.
6. Implement Automated Discovery: You cannot migrate what you cannot see. Deploy automated cryptographic discovery tools to continuously map the cryptographic posture of the estate, identifying shadow IT and legacy instances that manual surveys miss.

The quantum clock is ticking. Start planning NOW.

https://lnkd.in/eHZBD-5Y
📄 DOI: https://lnkd.in/ejA9YpsG

#PostQuantumCryptography #Cybersecurity #QuantumComputing #PQC #InfoSec #NIST #CryptoAgility
Post-Quantum Cryptography Report for Professionals
Summary
Post-quantum cryptography reports for professionals explain how organizations can secure their data and systems against the risks posed by future quantum computers, which can break current encryption methods. These reports offer guidance on managing the complex shift to new, quantum-resistant algorithms, addressing planning, governance, operational challenges, and vendor coordination.
- Inventory cryptography: Start by mapping all cryptographic dependencies and vulnerabilities in your systems, including hidden or legacy protocols, to build a clear picture of what needs upgrading.
- Plan phased migration: Develop a multi-year, staged program for replacing old encryption methods, involving pilot testing, hybrid deployment, and continuous monitoring to keep pace with evolving standards.
- Engage with vendors: Work closely with suppliers to secure clear migration timelines and contractual commitments, ensuring their products support post-quantum standards before your transition deadlines.
-
📌 The financial sector has now moved from quantum awareness to quantum execution.

Europol, FS-ISAC, and the Quantum Safe Financial Forum (QSFF), together with major financial institutions, published: “Prioritising Post-Quantum Cryptography Migration Activities in Financial Services”; a practical migration framework designed specifically for financial institutions.

What makes this report particularly relevant for #boards, #regulators, and #CISOs? It introduces a structured prioritisation methodology based on two measurable dimensions:

1️⃣ Quantum Risk Score
Derived from:
• Shelf life of protected data
• Exposure
• Severity of compromise

2️⃣ Migration Time Score
Derived from:
• Solution availability
• Execution cost and time
• External dependencies

Migration Priority is determined by combining both scores into a risk–time matrix (see pages 8–10) of the Report below ⬇️.

♨️ This shifts the conversation from “When will Q-Day happen?” to “Which business use cases require action now, and which require long-term orchestration?”

Two examples in the report illustrate this distinction:

🔹 Points of Sale (#PoS)
Medium quantum risk but high migration complexity due to hardware lifecycles, ecosystem coordination, and standardisation uncertainty (pages 12–15).
⛔️ Early planning is essential to avoid costly out-of-cycle replacements.

🔹 Public Websites (#TLS_confidentiality)
Medium quantum risk but low migration time due to hybrid schemes such as X25519MLKEM768 already supported by major browsers and CDNs (pages 16–19).
⛔️ This is one of the earliest practical deployment opportunities for quantum-safe protection in production environments.

Another important contribution of the report is its focus on cryptographic antipatterns (pages 21–24). Before large-scale PQC migration, institutions can implement no-regret actions:
• Automate TLS certificate lifecycle management
• Standardise TLS configurations (TLS 1.3 baseline)
• Eliminate legacy cipher dependencies
• Remove hard-coded credentials
• Strengthen key management governance

This approach aligns closely with supervisory expectations: #quantum_readiness must integrate into existing risk frameworks, asset lifecycle planning, and vendor coordination.

For financial institutions, the message is clear:
❌ Quantum safety is not a single migration event.
❌ It is a prioritised, staged governance programme that integrates cryptography, procurement, architecture, and regulatory alignment.

Full publication: Europol (2026), Prioritising Post-Quantum Cryptography Migration Activities in Financial Services
Available via Europol Publications Office: https://lnkd.in/d2bgsVKm

#PostQuantumCryptography #PQC #QuantumRisk #FinancialServices #CybersecurityGovernance #DigitalResilience #CryptoAgility #QuantumTransition #FinancialStability
-
NIST – Migration to Post-Quantum Cryptography Quantum Readiness outlines a comprehensive framework for transitioning cryptographic systems to post-quantum cryptography (PQC) in response to the emerging threat of quantum computers. Quantum technology is advancing rapidly and poses a significant risk to current public-key cryptographic methods like RSA, ECC, and DSA. This guide aims to assist organizations in preparing for and implementing PQC to safeguard sensitive data and critical systems.

Key Points

The Quantum Threat
Quantum computers are expected to disrupt cryptography by efficiently solving mathematical problems that underpin widely used encryption and key exchange methods. This would render current public-key systems ineffective in protecting sensitive data, emphasizing the need for cryptographic agility.

NIST PQC Standards
NIST is spearheading efforts to standardize quantum-resistant algorithms through an open competition and evaluation process. These algorithms, designed to withstand quantum attacks, focus on two primary areas:
1. Key Establishment: Protecting methods like Diffie-Hellman and RSA key exchange.
2. Digital Signatures: Securing authentication processes.

Migration Framework
The document provides a phased approach to migrating cryptographic systems to PQC:
1. Assessment Phase:
- Inventory cryptographic dependencies in current systems.
- Evaluate systems at risk from quantum threats based on sensitivity and lifespan.
2. Preparation Phase:
- Conduct pilot testing of candidate PQC algorithms in existing infrastructure.
- Develop a hybrid approach that combines classical and post-quantum algorithms to ensure interoperability during transition.
3. Implementation Phase:
- Replace vulnerable cryptographic methods with PQC in a phased manner.
- Ensure scalability, performance, and compatibility with existing systems.
4. Monitoring and Updates:
- Continuously monitor the effectiveness of implemented solutions.

Challenges in PQC Migration
- Performance Impact: PQC algorithms often have larger key sizes, increased latency, and greater computational demands compared to classical algorithms.
- Interoperability: Ensuring smooth integration with legacy systems poses significant technical challenges.

Best Practices
- Use hybrid encryption to maintain compatibility while testing PQC algorithms.
- Engage in collaboration with vendors, industry groups, and government initiatives to align with best practices and standards.

Conclusion
The transition to post-quantum cryptography is a proactive measure to secure data and communications against future threats. NIST emphasizes the importance of starting preparations immediately to mitigate risks and ensure a smooth, efficient migration process. Organizations should focus on inventorying dependencies, piloting PQC solutions, and developing cryptographic agility to adapt to this transformative technological shift.
-
✏️ CEPS (Centre for European Policy Studies) has just published the report "Strengthening the EU transition to a quantum-safe world"

This 125-page publication offers a comprehensive and very timely analysis of the global transition toward quantum-safety, highlighting key recommendations and identifying the hurdles that we, as a community, still need to overcome.

Across its 10 general recommendations and 16 additional sector-specific ones, two key aspects take a prominent role:

👉 Operational challenges of the transition, like establishing business-level priorities, building executive support, addressing the limited cryptographic talent issue, cryptographic homogenization in products, and building cryptographic inventories based on priorities.

👉 Coordination and the role for regulators, identifying that the EU lacks a coherent, unified transition framework, the need to ensure alignment and coherence across roadmaps and the risks of a fragmented transition.

Key conclusions on the latter, aligned with previous statements from the Europol Quantum Safe Financial Forum and FS-ISAC, is that quantum-safety is already part of the EU's operational resilience compliance through the “state of the art” security principle embedded in GDPR, DORA, CRA and NIS2. However, there is a recognised need for further guidance that can be achieved through open collaboration between the public and private sector.

Although the report focuses on the financial, public, and defence sectors, its main takeaways can easily be extended to other critical domains—transport, energy, healthcare, and many more. The principles are the same, and the urgency is the same.

This report is an important step forward, and my hope is that the ideas it lays out help shape the conversations and, more importantly, the actions we need across the EU. A well-aligned and coordinated transition is essential if we want the whole ecosystem to move toward a new age where we manage cryptography in a more mature, proactive, and resilient way.

Kudos to CEPS, Lorenzo Pupillo, Carolina Polito, Swann A. and Afonso Ferreira, PhD for achieving this milestone.

https://lnkd.in/dpWJ86q2
-
We just hit 10,000 downloads of my free PQC (post-quantum cryptography) Migration Framework.

The most common feedback surprised me. It wasn't "thanks for the resource" or "interesting…" From the people in my network who reached out, the most common response was some version of: "we have to redo our entire quantum security strategy."

I've now gotten enough direct feedback to say this is the best empirical data I have for something I suspected - most organizations started thinking about PQC migration this year, but they're working from incomplete mental models of what migration actually requires. A checklist that says "swap RSA for ML-KEM" does not capture the complexity of an enterprise-wide quantum readiness program.

The PQC Migration Framework (https://pqcframework.com) is free, open-source (CC BY 4.0), and built from what I've learned working across critical infrastructure, financial services, and defense - environments where getting this wrong has consequences that go beyond compliance findings.

What it covers that most internal efforts miss:
- Cryptographic discovery that goes beyond certificate inventories - hardcoded keys, embedded protocols, third-party dependencies. And Minimum Viable CBOM model - you don't need 100% inventory to start migrating (you can’t even achieve it).
- Immediate classical security value - the same inventory that finds quantum-vulnerable RSA also surfaces deprecated TLS 1.0/1.1, weak keys, expired certs, and hardcoded secrets.
- Vendor dependency as the real critical path - most PQC timelines are most constrained by vendor GA dates. The framework includes procurement clauses, bridging patterns, and escalation playbooks for when vendors miss commitments.
- Hybrid deployment strategies that don't break existing interoperability (but can still introduce new different vulnerabilities and operational overhead if you're not careful)
- Governance structures that treat PQC migration as a multi-year program, not a one-off project
- and many other points...

If your organization has started its quantum readiness journey, or thinks it has, stress-test your approach against the framework. The teams that had to restart weren't behind. They were just working from assumptions that didn't hold up.

The framework is completely free. No registration, no email gate, no "request a demo" - just a direct download.

https://pqcframework.com

#pqc #postquantum #quantumsecurity #quantumreadiness
-
🔐 Word o’ the Day | Year | Decade: Crypto-agility, Baby!

Yesterday morning, I did a fun fireside chat with Bethany Gadfield - Netzel at the FIA, Inc. Expo in Chicago. We talked about cyber resilience, artificial intelligence, Rubik’s cubes, and that thing called quantum! A question came up at the end, “What can firms actually do today to begin transitioning to post-quantum cryptography?” So thought I would take the opportunity to share my thoughts more broadly on this important, but not super well understood, topic:

1. Don’t wait. The clock for quantum-safe cryptography is already ticking. NIST released its first set of post-quantum standards last year (https://lnkd.in/esTm8uPw) and CISA put out a “Strategy for Migrating to Automated Post-Quantum Discovery and Inventory Tools” last year as part of its broader Post Quantum Cryptography (PQC) Initiative (https://lnkd.in/evpF4umv). h/t Garfield Jones, D.Eng.!
2. Inventory & prioritize. Map all cryptographic usage: what keys, certificates, protocols, and data streams exist today? Which assets hold long-lived value and are at risk of “harvest-now, decrypt-later”? Build a migration roadmap that prioritizes highest-risk systems (e.g., financial settlement platforms, inter-bank links, legacy encryption).
3. Establish crypto-agility. Ensure your architecture supports swapping algorithms, updating certificates, & layering classical + post-quantum primitives without a full system rebuild. This kind of flexibility is key for resilience.
4. Pilot and migrate. Use the new NIST-approved algorithms; experiment first on less time-sensitive systems, validate performance and interoperability, then scale to mission-critical applications. NIST’s IR 8547 report provides a framework for this transition.
5. Vendor & supply-chain alignment. Ask your vendors & service providers: “What’s your PQC transition plan? When will you support NIST-approved post-quantum algorithms? Are your update paths crypto-agile?” If the answer isn’t clear or (as a former boss of mine used to say) they look at you like a “pig at a wristwatch,” you’ve got a potentially serious third-party risk.
6. Board and Exec engagement. Position this not as an IT problem but a fiduciary risk and resilience imperative.

The transition to quantum-safe cryptography is multi-year and multi-layered—waiting until it’s urgent means it will be too late.
-
The era of quantum computing is closer than we think, and it’s going to change the foundations of digital security. NIST’s recent draft publication, NIST IR 8547 (link in 1st comment), outlines critical steps organizations must take to transition to post-quantum cryptography (PQC).

Why This Matters Now
⏩ Quantum computers will eventually break traditional encryption algorithms like RSA and ECC. While secure today, these systems won’t be once quantum systems mature.

NIST’s Post-Quantum Standards
⏩ NIST has selected algorithms like CRYSTALS-Kyber (for key establishment) and CRYSTALS-Dilithium (for digital signatures) to lead the transition.

What Organizations Should Do
⏩ Inventory Cryptography: Assess where and how cryptographic algorithms are used.
⏩ Test PQC Algorithms: Experiment with hybrid solutions combining classical and quantum-safe algorithms.
⏩ Engage with Vendors: Ensure tech partners are preparing for PQC compatibility.

Challenges Ahead
⏩ Performance trade-offs: Some PQC algorithms require more computational resources.
⏩ Interoperability: Integrating new cryptographic methods into legacy systems isn’t trivial.
⏩ Timeline pressure: The longer you delay, the harder it will be to catch up.

The message is clear: preparation can’t wait. The organizations that start now will be in a much better position when the quantum era fully arrives.
-
*** The Quantum Threat (Part 2) ***

Mitigating Quantum Risks

A plausible roadmap is taking shape to counteract these vulnerabilities. The primary long-term strategy is to integrate post-quantum cryptography into the network – using new algorithms that are resistant to quantum attacks. The U.S. National Institute of Standards and Technology (NIST) has a short list of PQC protocols that include CRYSTALS-Dilithium, SPHINCS+, and FALCON. Note too that we have established the Coinbase Independent Advisory Board on Quantum Computing and Blockchain, a group of world-renowned experts convened to evaluate the implications of quantum computing for the blockchain ecosystem and provide clear, independent guidance to the broader community.

Guidance from Chaincode Labs – a bitcoin research and development center – sketches two multi-year processes to mitigate the risk. First, if quantum computing experiences a sudden breakthrough, a short-term contingency path could be implemented within two years that quickly deploys protective measures to secure the network by prioritizing migration transactions exclusively. On the other hand, if quantum breakthroughs do not occur, a longer-term path could be used to standardize quantum-resistant signatures via a soft fork, though post‑quantum signatures are larger and slower to verify than today’s signatures, so wallets, nodes, and fee economics need time to adapt. This could take up to seven years to fully implement.

Fortunately, the most advanced quantum machines today have fewer than 1,000 qubits, far short of what would be needed to compromise the cryptography that secures blockchains like Bitcoin.

Promising technical proposals to address the quantum threat include:
🔹 BIP-360 (Pay-to-Quantum-Resistant-Hash) to keep public keys off-chain and pave the way for post quantum signatures
🔹 BIP-347 (re-enabling OP_CAT to support hash-based one-time signatures)
🔹 Hourglass (rate-limiting spends from vulnerable outputs to stabilize the transition)

Best practices include avoiding address reuse, moving vulnerable UTXOs to unique destinations, and developing client-facing materials to institutionalize quantum-ready operations. This approach is supported by the current understanding that vulnerable scripts are not in production and that per-address fund limits mitigate concentration risk.

Overall, we do not view quantum computing as an imminent threat because today’s machines are orders of magnitude too small to break Bitcoin’s cryptography. That said, we are glad that the open-source community remains vigilant about engineering post-quantum migration paths.
-
🚨 New OMB Report on Post-Quantum Cryptography (PQC) 🚨

The Office of Management and Budget (OMB) has released a critical report detailing the strategy for migrating federal information systems to Post-Quantum Cryptography. This report is in response to the growing threat posed by the potential future capabilities of quantum computers to break existing cryptographic systems.

**Key Points from the Report:**

🔑 **Start Migration Early**: The report emphasizes the need to begin migration to PQC before quantum computers capable of breaking current encryption become operational. This proactive approach is essential to mitigate risks associated with "record-now-decrypt-later" attacks.

🔑 **Focus on High-Impact Systems**: Priority should be given to high-impact systems and high-value assets. Ensuring these critical components are secure is paramount.

🔑 **Identify Early**: It's crucial to identify systems that cannot support PQC early in the process. This allows for timely planning and avoids migration delays.

🔑 **Cost Estimates**: The estimated cost for this transition is approximately $7.1 billion over the period from 2025 to 2035. This significant investment underscores the scale and importance of the task.

🔑 **Cryptographic Module Validation Program (CMVP)**: To ensure the proper implementation of PQC, the CMVP will play a vital role. This program will validate that the new cryptographic modules meet the necessary standards.

The full report outlines a comprehensive strategy and underscores the federal government’s commitment to maintaining robust cybersecurity in the quantum computing era. This is a critical step in safeguarding our digital infrastructure against future threats.

#Cybersecurity #PQC #QuantumComputing #FederalGovernment #Cryptography #DigitalSecurity #OMB #NIST
-
🚨 Quantum Computing: The Next Big Disruption in Cybersecurity 🚨

📑 Preparing for the Quantum Era - A Practical Guide to Post-Quantum Cryptography

Quantum computers are on the horizon, and they will break today’s #cryptography. Is your organisation ready?

🔒 Our new white paper, created by leading Belgian #cybersecurity and #quantum experts explains why post-quantum cryptography (#PQC) should be a boardroom priority right now!

Here’s what every C-level, security, and strategy leader needs to know:

🕒 The “harvest now, decrypt later” threat is real, data encrypted today could be exposed tomorrow.
🏁 Migration to PQC is a multi-year journey. Early movers will protect their data, reputation, and compliance.
🌍 Global standards are emerging, but waiting is not an option.
🏢 Sector-specific cases in telecom, banking, healthcare, and retail show the urgency for action.
🛡️ Crypto-agility will be a key competitive advantage.
🤝 Leadership and collaboration are essential because quantum resilience is a business challenge, not just a technical one.

🤝 This white paper is the result of a collaborative effort. Bringing together expertise from the Belgian Cyber Security Coalition, the Quantum Circle, and the Centre for Cybersecurity Belgium. It has been produced to the best of the contributors’ abilities.

🙏 Big thanks to our development team who made this possible: Sarah Ampe - EY, Johan Kestens - Link2Trust, Bart Preneel - COSIC (KU Leuven), Maria Chiara P. - Centre for Cybersecurity Belgium, Jan Sonck - Quantum Circle, Joachim Vererfven - Proximus Group, Kristof Verslype - Smals, Laura Vranken - Belfius, Jelle Wieme - Centre for Cybersecurity Belgium

The time to act is now. Be among the first to lead your industry into the post-quantum era.

👇 Download the full white paper (see comment) and get practical guidance for your quantum-safe journey! 👇

#quantum #computing #cybersecurity #cryptography #PQC