The Migration & What Could Still Go Wrong

A five-phase migration programme covering discovery, prioritisation, hybrid piloting, full migration, and crypto-agility. Plus the deployment evidence proving it works, and the residual risks deserving attention.

01 · Action Plan

The Five-Phase Migration Roadmap

A standardised programme drawn from NIST, NCSC, and BSI guidance. The phases overlap; mature organisations run them in parallel.

01 · Discover
Cryptographic inventory across applications, infrastructure, vendors, and third parties. Identify every use of RSA, ECC, DSA, DH. Map data flows by sensitivity and lifetime.
02 · Prioritise
Rank systems by Mosca's framework. Identify high-value, long-lived data targets. Map third-party dependencies. Define risk appetite and migration order.
03 · Pilot Hybrid
Deploy hybrid classical + PQC in non-critical paths. Validate performance. Train teams. Engage vendors. Stress-test certificate chains and HSM integrations.
04 · Migrate
Roll out across production. Replace HSMs and tokens. Reissue certificates. Update embedded firmware. Coordinate with PKI partners and regulators.
05 · Stay Agile
Build crypto-agility into architecture. Algorithm-independent APIs, automated rotation, fast deprecation paths. The next algorithm change should be cheap.

Crypto-agility is the strategic outcome, not migration completion. New attacks, broken algorithms, and updated standards will continue arriving. Organisations that build systems where cryptography can be swapped without architectural change will navigate every future transition cheaply. Organisations that treat PQC as a one-off project will face this cost again.
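A worked version of the Prioritise step, added here as an illustration rather than taken from the briefing: it ranks a constructed inventory by Mosca's inequality (shelf life X plus migration time Y against the CRQC horizon Z) and reports, per system, how many years of exposure remain and by when migration must start. The horizon value, the inventory figures and the rule that vendor readiness bounds Y from below are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class System:
    name: str
    shelf_life: float        # X: years the protected data (or signature) must stay secure
    migration_time: float    # Y: years this organisation needs to migrate the system
    vendor_ready: float = 0  # years until the slowest third-party dependency ships PQC

def effective_migration(s: System) -> float:
    # Assumption: migration cannot complete before the vendor dependency is ready,
    # but in-house work proceeds in parallel, so Y is the larger of the two.
    return max(s.migration_time, s.vendor_ready)

def exposure_years(s: System, crqc_horizon: float) -> float:
    """Mosca's inequality as a number: X + Y - Z. Positive means data encrypted
    or signed today is still sensitive when a CRQC is assumed to exist."""
    return s.shelf_life + effective_migration(s) - crqc_horizon

def latest_start(s: System, crqc_horizon: float) -> float:
    """Years from now by which migration must begin: Z - X - Y. Negative means
    traffic captured today is already exposed (harvest-now-decrypt-later)."""
    return crqc_horizon - s.shelf_life - effective_migration(s)

def prioritise(inventory: List[System], crqc_horizon: float) -> List[Tuple[str, float, float]]:
    """Migration order: largest exposure first, with the start deadline for each system."""
    ranked = sorted(inventory, key=lambda s: exposure_years(s, crqc_horizon), reverse=True)
    return [(s.name, round(exposure_years(s, crqc_horizon), 1),
             round(latest_start(s, crqc_horizon), 1)) for s in ranked]

CRQC_HORIZON = 10.0  # Z, an assumed planning value in years, not a figure from the briefing

# Constructed inventory; shelf lives follow the data-lifetime mapping from the Discover phase.
INVENTORY = [
    System("public-web-tls", shelf_life=0.5, migration_time=1.0),
    System("site-to-site-vpn", shelf_life=10.0, migration_time=1.5),
    System("code-signing-pki", shelf_life=8.0, migration_time=2.0, vendor_ready=1.5),
    System("archival-records", shelf_life=25.0, migration_time=3.0, vendor_ready=2.0),
]

if __name__ == "__main__":
    for name, exposure, deadline in prioritise(INVENTORY, CRQC_HORIZON):
        flag = "AT RISK" if exposure > 0 else "ok"
        print(f"{name:18} exposure={exposure:+6.1f}y  start-by={deadline:+6.1f}y  {flag}")
```

A negative start-by value is the quantitative form of the harvest-now-decrypt-later argument: the archival system should have been migrated years ago, which is why long-lived data ranks first regardless of how quickly its migration could be done.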

02 · Infrastructure

PKI, HSMs & the Forgotten Layers

Replacing the algorithm is only the visible part. The cryptographic infrastructure beneath it — certificate authorities, hardware tokens, signed documents, identity systems — all need parallel migration.

Public Web PKI
Root CAs, intermediate CAs, and the certificate transparency ecosystem need to support PQC signatures across the entire chain. Browser vendors (Chrome, Firefox, Safari) will drive the timeline. Expect mixed and hybrid chains for years before pure PQC chains are practical.
Code Signing & Software Supply Chain
Code signing certificates, package signatures, container image signing (cosign, sigstore), and OS update mechanisms all require PQC support. Stateful hash signatures (LMS, XMSS) are CNSA-2.0-approved for firmware. Microsoft, Apple, and Linux distribution maintainers are coordinating.
Hardware Security Modules (HSMs)
Thales, Entrust, AWS CloudHSM, Azure Dedicated HSM. PQC support requires FIPS 140-3 re-certification — a 12–24 month process per device family. Enterprise HSM refresh cycles routinely run 5–10 years; planning now is essential. PQ-capable HSMs from major vendors are shipping in 2025.
Document Signing & eIDAS
PDF signatures, qualified electronic signatures under EU eIDAS 2.0, government identity documents, and long-term archival systems all require PQC migration. The eIDAS 2.0 European Digital Identity Wallet is being designed with PQC as a forward requirement.
DNSSEC
DNS Security Extensions sign DNS records with ECDSA today. The IETF DNSOP working group is evaluating PQC signature options for DNSSEC. Signature size is a particular constraint: DNS responses must fit within UDP packet limits.
VPN & IPsec
Enterprise VPN protocols (IPsec, OpenVPN, WireGuard) need hybrid PQC key exchange. IETF drafts are progressing. Site-to-site VPNs protecting long-lived network connections should be the first migration priority alongside TLS.
03 · Proof of Concept

Real-World Deployments Today

Post-quantum cryptography is no longer theoretical. Major technology companies have shipped production PQC to billions of users.

Apple · iMessage PQ3 · Since Feb 2024
Hybrid ML-KEM + ECDH key establishment with periodic rekeying. Protects every iMessage conversation against harvest-now-decrypt-later attacks. Apple's published security analysis is the most thorough deployment write-up to date.
Signal · PQXDH Protocol · Since Sept 2023
Hybrid X25519 + ML-KEM key agreement layered into the existing X3DH handshake. Signal was the first messenger to deploy PQC and influenced the broader industry approach.
Google Chrome · X25519MLKEM768 TLS · Since 2024
Hybrid PQC key exchange enabled by default for Chrome's TLS 1.3 connections. Roughly 30% of Chrome traffic now uses post-quantum key agreement when the server supports it.
Cloudflare · Edge Network · Since 2022
Production hybrid PQC TLS at scale. Cloudflare publishes ongoing measurements of PQC handshake performance, error rates, and rollout statistics — the most reliable open data on real-world PQC deployment.
Amazon Web Services · KMS, ACM, Secrets Manager
Hybrid post-quantum TLS available for KMS API calls. AWS-LC and s2n-tls libraries ship with PQC support. Enterprise customers can request PQC-protected key material via standard AWS APIs.
OpenSSH · sntrup761x25519 · Since OpenSSH 9.0
Default hybrid PQC key exchange for SSH connections since April 2022. Every SSH connection between modern Linux systems is already using post-quantum cryptography by default — a deployment most administrators are unaware of.
Mullvad / WireGuard · VPN PQC Layer
Mullvad VPN ships a PQC-secured WireGuard tunnel. Several enterprise VPN vendors are following. The IPsec community is finalising hybrid PQC extensions.
Microsoft · SymCrypt, Azure Roadmap
Microsoft has added PQC algorithms to its SymCrypt library and announced Azure PQC support across HSM, key vault, and certificate services. Production timelines align with the CNSA 2.0 federal deadline.
04 · Engineering

Libraries & Tooling Your Engineering Teams Will Use

Production-grade open-source implementations of the NIST standards already exist. The tooling decision is largely about ecosystem fit, not algorithm availability.

The dominant reference implementation is the Open Quantum Safe project (liboqs), maintained by an international collaboration with NIST coordination. It provides every NIST candidate and integrates with OpenSSL via the oqs-provider. For organisations using OpenSSL 3.x, this is the most direct path to PQC support.

Production libraries with PQC support include Cloudflare CIRCL (Go), BoringSSL (Google's TLS implementation), AWS-LC and s2n-tls (Amazon), Bouncy Castle (Java/.NET), wolfSSL (embedded), and PQClean (reference C implementations). Microsoft's SymCrypt includes PQC primitives for Windows ecosystems.

liboqs
oqs-provider
OpenSSL 3.x
BoringSSL
AWS-LC
s2n-tls
Cloudflare CIRCL
PQClean
Bouncy Castle
wolfSSL
SymCrypt
Botan

Hardware-accelerated PQC is emerging. Intel, ARM, and IBM are adding instruction-set extensions to accelerate lattice arithmetic. FPGA implementations are routine. The performance landscape will improve substantially through 2026–2028.
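A verification step for the Pilot Hybrid phase, added here as an example and not taken from the briefing or from any of the projects listed above: it drives `openssl s_client` to offer a hybrid group with a classical fallback and classifies what the server actually negotiated, so a team can confirm which endpoints are already on post-quantum key agreement. The output lines it parses and the group-name allow-list are assumptions about current OpenSSL 3.x and oqs-provider builds; the sample outputs are constructed.

```python
import re
import subprocess
from typing import Dict, Optional

# Key-exchange group names as they appear on the wire, lower-cased and stripped of
# underscores so OpenSSL, oqs-provider and browser spellings all match the same entry.
HYBRID_PQ = {"x25519mlkem768", "secp256r1mlkem768", "secp384r1mlkem1024",
             "x25519kyber768draft00", "x25519kyber768"}  # last two: early Chrome/Cloudflare and oqs-provider names
PURE_PQ = {"mlkem512", "mlkem768", "mlkem1024"}

# Assumption about s_client output: OpenSSL 3.2+ prints "Negotiated TLS1.3 group: <name>",
# older builds only "Server Temp Key: <name>, ..."; both line shapes are accepted.
_GROUP_LINE = re.compile(r"^(?:Negotiated TLS1\.3 group|Server Temp Key):\s*([A-Za-z0-9_-]+)", re.M)

def classify_group(name: str) -> str:
    key = name.replace("_", "").lower()
    if key in HYBRID_PQ:
        return "hybrid-pq"
    if key in PURE_PQ:
        return "pure-pq"
    return "classical"

def parse_negotiated_group(s_client_output: str) -> Optional[str]:
    m = _GROUP_LINE.search(s_client_output)
    return m.group(1) if m else None

def check_endpoint(host: str, port: int = 443, offer: str = "X25519MLKEM768:X25519") -> Dict[str, Optional[str]]:
    """Offer the hybrid group first, classical second, and record the server's choice.
    Needs an OpenSSL build (3.5+ natively, or 3.x with oqs-provider loaded) that knows the offered group."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-groups", offer],
        input=b"", capture_output=True, timeout=20)
    group = parse_negotiated_group((proc.stdout + proc.stderr).decode(errors="replace"))
    return {"host": host, "group": group, "class": classify_group(group) if group else "unknown"}

# Constructed sample outputs, so the parser can be exercised without a network.
SAMPLE_PQ = "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384\nNegotiated TLS1.3 group: X25519MLKEM768\n"
SAMPLE_CLASSICAL = "Server Temp Key: X25519, 253 bits\n"
```

A result of "classical" against a server that is expected to support hybrid PQ is the case to investigate during the pilot: it usually means a middlebox or an intermediate TLS terminator, not the origin, is completing the handshake.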

05 · Residual Risk

What Could Still Go Wrong

Post-quantum cryptography is not a finished story. Several risk vectors deserve continued attention from security teams and risk committees.

Lattice cryptanalysis is younger than RSA cryptanalysis. RSA's underlying assumption (integer factorisation difficulty) has 50 years of failed attacks behind it. Module-LWE has roughly 15 years. The cryptographic community considers lattices well-studied — but there is no proof, and another SIKE-scale surprise cannot be excluded.

Side-channel attacks against lattice implementations are an active research area. Timing leaks, power-analysis leaks, and fault injection have all been demonstrated against unprotected Kyber and Dilithium implementations. The mitigations exist but require careful engineering. Falcon's floating-point signing is particularly delicate. Implementation security, not algorithm security, is the realistic near-term threat.

Cryptographic monoculture risk. If most of the internet migrates to ML-KEM and ML-DSA — both lattice-based — a single mathematical breakthrough could affect both simultaneously. NIST's selection of HQC as a backup KEM and its ongoing additional-signatures round are explicit diversity insurance. Mature organisations should plan for multi-algorithm deployments.

Hybrid deployment increases attack surface. Running classical and PQC components side by side means a failure in either one must be handled carefully. Implementation bugs in hybrid combiners have already been found. Sophisticated downgrade attacks against early TLS 1.3 PQC hybrids are documented.

Standards are not yet complete. FIPS 206 (Falcon) remains in draft. HQC standardisation is in progress. The additional signatures Round 2 will produce more algorithms. Organisations that lock in implementations too early may face rework. The opposite risk — waiting for "final" standards — is greater.

06 · Balanced View

The Sceptical Counterpoint

Not every cryptographer believes a CRQC is imminent. A credible minority argues quantum computing may never reach cryptographic relevance. The strongest version of this case deserves engagement.

Quantum Sceptic Position
"Despite billions in investment and 25 years of research, no quantum computer has yet performed any practically useful computation. Error-correction overhead grows faster than qubit counts. Large-scale fault-tolerant quantum computing may be physically infeasible at scale, in the same way that controlled nuclear fusion has remained 30 years away for 70 years."
— Synthesis of arguments from Gil Kalai, Mikhail Dyakonov, and others. Most prominently in Kalai's "The Argument Against Quantum Computers" (Notices of the AMS, 2018).

The strategic response is asymmetric: if the sceptics are right, PQC migration was inexpensive insurance with side benefits (crypto-agility, modernised PKI). If they are wrong and migration was skipped, the loss is catastrophic and irreversible — every secret protected by RSA or ECC during the harvest window becomes plaintext.

Standard risk-management practice in any domain with this asymmetry favours action. Boards should hear the sceptical view and weigh it, then conclude — as governments and major technology companies have concluded — that the cost of being wrong about quantum infeasibility vastly exceeds the cost of migration.

Diarka Quantum · Advisory