Crypto Agility & Architecture Patterns

Design systems that can rapidly swap cryptographic algorithms — the key to PQC migration readiness.

What is Crypto Agility?

is the ability to rapidly switch cryptographic algorithms, protocols, and implementations without significant changes to application code or infrastructure. It's NIST's top recommendation for PQC transition preparedness.

“Organizations should begin preparing for the migration to post-quantum cryptography by designing systems with cryptographic agility.”

— NIST IR 8547 (Draft), November 2024

Algorithm Agility

Swap algorithms () via configuration changes, not code rewrites.

Protocol Agility

Support multiple protocol versions simultaneously ( 1.2/1.3, hybrid key exchange).

Implementation Agility

Switch between crypto providers (OpenSSL, BoringSSL, AWS-LC) without application changes.

Architecture Patterns

Crypto agility isn't just about code — it's an architectural decision. Organizations typically use one or more of these three macro-patterns to achieve agility:

Provider Model

Applications link to a crypto library through an abstraction API (like JCA or OpenSSL Providers). Agility is achieved at the application level via config changes.

App Code
Provider API
Algorithm
Service Mesh / Proxy

Cryptography for data-in-transit (mTLS) is completely offloaded to an infrastructure proxy (Envoy, Istio). Zero app code changes required.

App (Plaintext)
Sidecar Proxy
PQC Network
External /

Crypto operations are outsourced over the network to a central service (AWS KMS, Azure Key Vault). Upgrading the central KMS upgrades the enterprise.

App (API Request)
Cloud KMS API
Hardware Security Module

CBOM: Cryptographic Bill of Materials

Before you can migrate, you need to find every cryptographic algorithm in your organization. A provides this visibility using the CycloneDX standard.

What a CBOM tracks
  • • Algorithm name and key size
  • • Where it's used (component, service, protocol)
  • • Classical and quantum security levels
  • • Compliance framework requirements
  • • Migration recommendation
Tools for CBOM generation
  • • IBM Quantum Safe Explorer
  • • Keyfactor CBOM Generator
  • • InfoSec Global AgileSec
  • • Cryptosense Analyzer
  • • Manual audit + code scanning

7-Phase Migration Framework

migration follows a structured framework aligned with , CISA guidance, and NSA timelines. Each phase builds on the previous.

1
Assessment & Inventory

Discover all crypto assets, build CBOM

2
Risk Prioritization

Rank by data sensitivity and compliance

3
Preparation & Tooling

Select PQC-ready libraries and HSMs

4
Testing & Validation

Pilot hybrid deployments

5
Hybrid Migration

Deploy dual-algorithm configurations

6
Production Deployment

Full PQC across all systems

7
Monitoring

Continuous compliance and optimization

Industry Case Studies

Cloudflare

Enabled hybrid PQC key exchange (X25519Kyber768, later ) across its network in 2024. TLS handshake times increased ~4%; hybrid client key share is 1,216 bytes vs 32 bytes for X25519 alone.

Google Chrome

Enabled hybrid PQC key exchange (X25519Kyber768) by default in Chrome 124 (April 2024); upgraded to standardized X25519MLKEM768 in Chrome 131 (November 2024).

Apple

iMessage adopted PQ3 protocol (P-256 ECDH + Kyber-1024 initial keys, Kyber-768 rekeying ratchet) in iOS 17.4. Phased rollout leveraging protocol agility.

Related Resources

Risk Assessment
Run a guided PQC readiness assessment
Migration Guide
Detailed migration workflows and software catalog
Compliance Tracker
NIST, , and compliance requirements
Quantum Threats
Why migration matters — the quantum threat explained

Explore abstraction layers, scan a sample CBOM, and plan a PQC migration.