PQC Today

Aircraft avionics cryptographic exposure: RTCA DO-326A defines airworthiness security processes for aircraft systems with 30-40 year service lives. ARINC 664 (AFDX) network security and flight management systems rely on RSA/ECDSA. Aircraft entering service today will operate well beyond CRQC arrival with no practical mid-life cryptographic retrofit path.

Satellite communication HNDL vulnerability: Military and commercial satellites have 15-25 year operational lifespans. NSA CNSA 2.0 mandates PQC for all national security systems including satellite uplink/downlink by 2035. Currently intercepted satellite communications are harvestable for future quantum decryption.

Air traffic management authentication gap: ICAO Assembly Resolution A41-19 (2022) addresses aviation cybersecurity but ADS-B transmissions remain unencrypted and unauthenticated. ADS-B currently lacks any cryptographic protection; quantum computing becomes relevant when authenticated ADS-B is deployed using public-key cryptography, which would itself require PQC to remain secure.

V2X PKI quantum transition: ISO/SAE 21434 (published August 2021) establishes cybersecurity engineering requirements for road vehicles. V2X communications use ECDSA P-256 certificates per IEEE 1609.2. Vehicles have 12+ year lifecycles meaning 2026 production vehicles remain on roads through 2038+ when CRQCs may be operational.

OTA firmware update signature forgery: Over-the-Air update mechanisms for modern connected vehicles use RSA/ECDSA code signing. Quantum forgery of update signatures enables malicious code injection into vehicle ECUs controlling braking, steering, and powertrain systems.

UNECE WP.29 R155/R156 cybersecurity regulation gap: Mandatory for new vehicle type approvals in EU since July 2022 and extended to all new vehicles July 2024. Requires cybersecurity management systems and secure OTA updates but does not yet address post-quantum cryptography creating a future compliance gap.

In-vehicle network security quantum exposure: ISO/SAE 21434 covers the full vehicle cybersecurity lifecycle including CAN bus, LIN, FlexRay, and automotive Ethernet backbone networks. Embedded ECUs have limited computational resources and constrained crypto-agility, making mid-lifecycle PQC migration impractical for vehicles already in production.

Federal cloud PQC compliance requirements: NIST SP 800-210 general access control guidance for cloud systems combined with NIST IR 8547 deprecation timeline means federal cloud deployments must transition to PQC by 2030. FedRAMP and StateRAMP certifications will require FIPS 203/204/205 compliance.

Cloud HSM and key management PQC gap: NIST SP 800-210 defines access control for cloud systems but cloud-hosted HSMs and KMS services currently lack full PQC support. FIPS 140-3 validation for PQC modules is ongoing with multi-year certification timelines. Organizations using cloud HSMs face vendor dependency for PQC migration.

Cloud backup and disaster recovery HNDL risk: Air-gapped backups and long-term archival storage encrypted with RSA/ECDSA key wrapping are vulnerable to harvest-now-decrypt-later. Cloud backup data often retained for 7+ years for compliance.

Cloud Security Alliance quantum readiness guidance: CSA published quantum-safe security guidance identifying crypto-agility as critical requirement for cloud deployments. Multi-cloud environments using 5+ key management systems face fragmented PQC migration paths.

Quantum-safe readiness gap: Organizations score average 25/100 on IBM Quantum-Safe Readiness Index. 70% lack complete cryptographic inventory, creating massive vulnerability window. Estimated 5-6 year gap between CRQC arrival and organizational readiness completion.

NIST IR 8547 proposed transition timeline: NIST Initial Public Draft (November 2024) establishes proposed timeline to deprecate RSA, ECDSA, ECDH, and EdDSA by 2030 and disallow them entirely after 2035. Sets 112-bit security minimum. Final version pending as of February 2026. Landmark publication making PQC migration a compliance requirement for federal systems.

CRQC timeline uncertainty: Global Risk Institute 2024 survey of 32 quantum experts estimates 19-34% probability of a cryptographically relevant quantum computer (CRQC) within 10 years and 5-14% within 5 years. Most credible estimates place CRQC arrival in the 2030-2040 range with wide uncertainty. Harvest-now-decrypt-later attacks make immediate PQC migration urgent regardless of exact timeline.

EU coordinated PQC transition roadmap: European Commission published coordinated PQC roadmap (June 2025) establishing EU-wide milestones. By December 2026: national transition roadmaps and initial identification steps. By December 2030: high-risk use cases transitioned and PQC-by-default for new systems. By December 2035: full PQC transition complete across all EU member states.

Vendor dependency crisis: 62% of organizations incorrectly assume vendors will manage quantum-safe transition automatically. Lack of contractual PQC requirements and service-level agreements for crypto-agility.

FIPS 206 FN-DSA (Falcon) standardization: NIST submitted draft FIPS 206 for approval August 2025. FN-DSA is the 4th PQC algorithm to be standardized, selected for use cases where compact signature size is critical (root and intermediate certificates, constrained environments). Based on NTRU lattices using FFT. Expected IPD release for public comment followed by finalization in late 2026 or 2027.

HQC selected as 5th PQC algorithm: NIST announced March 11 2025 the selection of HQC (Hamming Quasi-Cyclic) as a backup KEM to ML-KEM. HQC is based on error-correcting codes rather than lattices, providing algorithmic diversity in case a lattice-based vulnerability is discovered. Draft standard expected for public comment in early 2026 with final standard in 2027.

NIST SP 800-227 KEM recommendations: Published September 2025 as final guidance on key-encapsulation mechanisms. Provides definitions, security properties, and implementation recommendations for KEMs as companion guidance to FIPS 203 (ML-KEM). Establishes best practices for KEM usage in protocols, hybrid constructions, and key management — essential reference for correct PQC deployment.

Bitcoin ECDSA transaction hijacking: Approximately $718B in quantum-vulnerable P2PK addresses with exposed public keys (price-dependent estimate). Early P2PK addresses including Satoshi's estimated 1.1M BTC are permanently vulnerable as public keys are exposed on-chain. P2PKH addresses are protected until first spend.

Ethereum Foundation PQC initiative: Dedicated post-quantum security team established January 2026 with $2M in research prizes. Active development of account abstraction and Verkle tree migration paths. All Ethereum accounts that have transacted expose public keys making them quantum-vulnerable via secp256k1 ECDSA and BLS12-381.

Blockchain HNDL permanence risk: Federal Reserve research confirms distributed ledger networks face permanent data privacy risks from harvest-now-decrypt-later attacks even with future PQC deployment. On-chain transaction data is immutable — encrypted data harvested today remains permanently exposed once CRQCs arrive.

Cryptocurrency custody HSM quantum vulnerability: Institutional custody solutions managing billions in digital assets rely on secp256k1 ECDSA keys stored in HSMs. NIST PQC standardization identifies ECDSA as quantum-vulnerable. Custody HSM vendors face multi-year FIPS 140-3 recertification timelines for PQC-enabled modules, creating a gap between threat emergence and mitigation availability.

Power grid SCADA quantum vulnerability: IEC 62351 specifies security for power system communications (DNP3, IEC 61850, IEC 60870-5-104) using RSA/ECDSA for authentication. Critical infrastructure with 20-30 year equipment lifecycles and limited OTA update capability creates massive quantum exposure window.

Nuclear facility digital I&C quantum exposure: NRC 10 CFR 73.54 requires cybersecurity for nuclear power plant digital instrumentation and control systems. Nuclear plants operate under 60+ year licenses (80-year extensions approved). Digital safety systems deployed today will operate well into the CRQC era.

Smart grid quantum security research: University of Toronto CA$1.45M research project identifies real-time quantum attack scenarios targeting grid controllers, smart meters, and energy routers. Over 1 billion smart meters globally will require PQC migration; many lack OTA update capability requiring physical replacement.

Pipeline and oil/gas SCADA quantum vulnerability: IEC 62443 governs industrial automation security for natural gas, oil, and water pipeline control systems. Equipment lifecycles of 20-30 years and air-gapped or semi-air-gapped network architectures complicate PQC migration. Pipeline SCADA systems are classified as critical infrastructure by CISA.

BIS Project Leap quantum-safe payment system cryptography: Phase 2 launched July 2025 with Bank of Italy, Bank of France, Deutsche Bundesbank, Nexi-Colt, and SWIFT testing hybrid PQC on TARGET2 real-time gross settlement system. Demonstrates quantum-safe cryptographic integration for cross-border payment infrastructure processing trillions daily.

Harvest Now Decrypt Later (HNDL) attacks targeting long-lived financial data including transaction records and settlement logs. Federal Reserve research confirms cryptocurrency networks face permanent data privacy risks from HNDL even with future PQC deployment. Financial records retained for regulatory compliance spanning decades are prime targets.

HSM backup key extraction vulnerability: Master encryption keys wrapped with RSA in HSM backup archives become recoverable with quantum computers, exposing entire key hierarchies protecting decades of financial data. NIST SP 800-227 (September 2025) provides formal KEM guidance for transitioning key wrapping to quantum-safe mechanisms.

G7 Cyber Expert Group PQC roadmap: January 2026 statement coordinated by U.S. Treasury and Bank of England establishes G7-wide framework for financial sector quantum-safe migration. Calls for cryptographic inventory, vendor roadmap alignment, and coordinated transition planning across G7 financial systems.

FS-ISAC PQC migration urgency warning: Financial Services Information Sharing and Analysis Center (September 2025) warns that financial sector organizations have not defined or allocated resources for quantum-resistant migration, compressing transition into unrealistically short timeframes. Without immediate action, roadmap collapse by 2030 compliance deadlines is likely.

HNDL on classified data: TOP SECRET information requiring 25-75+ year protection is actively harvested for future quantum decryption. Current encryption provides no protection against this threat.

CNSA 2.0 compliance deadline pressure: NSA mandates CNSA 2.0 compliance with phased deadlines — software/firmware signing supported and preferred by 2025 (exclusively by 2030), networking equipment supported and preferred by 2026 (exclusively by 2030), NSS acquisitions by January 2027, web browsers/servers/cloud supported and preferred by 2025 (exclusively by 2033), full transition by 2035.

Nuclear command and control quantum exposure: NC3 (Nuclear Command, Control, and Communications) systems operate on 50+ year lifecycles and represent the highest-consequence quantum threat scenario. NSA CNSA 2.0 specifically identifies national security systems including strategic communications as priority for PQC transition.

Federal PQC procurement mandate: CISA January 2026 federal buying guidance pursuant to Executive Order 14306 (June 2025) requires agencies to procure only quantum-resistant technology across designated product categories including cloud services, collaboration tools, web browsers/servers, and endpoint security. Vendors without PQC FIPS validation risk federal contract exclusion.

Federal PKI signature forgery risk: Quantum-enabled impersonation of federal systems and fraudulent certificate issuance affecting government-wide trust infrastructure. The Federal PKI serves as the root of trust for digital identity across federal agencies, and quantum forgery of CA certificates would compromise the entire federal trust hierarchy.

HNDL on patient records: Healthcare data has lifetime sensitivity; genomic data and mental health records remain sensitive indefinitely. HIPAA mandates 6+ year retention but records persist 25+ years.

Healthcare cloud encryption and breach crisis: Only 4% of healthcare operators encrypted 80%+ of sensitive cloud data. Thales 2025 report shows 57% evaluating PQC but low actual deployment. 677 major breaches in 2024 exposed 182M+ individuals globally. Health records retain lifetime sensitivity making them prime HNDL targets.

Connected medical device lifecycle quantum exposure: FDA Section 524B of FD&C Act requires cybersecurity for medical devices. Implantable and connected devices (pacemakers, insulin pumps, remote monitoring) with 10-20 year lifecycles being deployed today will operate well into the CRQC era. Limited computational resources and power constraints in implantable devices restrict PQC options.

FDA premarket cybersecurity guidance: FDA finalized guidance (September 2023) under Section 524B of FD&C Act (Consolidated Appropriations Act 2023). Requires cryptographic risk assessment and Software Bill of Materials for new device submissions. Medical devices with 10-20 year lifecycles deploying now will operate into the CRQC era.

Drug supply chain authentication quantum risk: Drug Supply Chain Security Act (DSCSA) mandates product serialization and verification to prevent counterfeit drug infiltration. EPCIS (Electronic Product Code Information Services) and verification systems rely on digital signatures and TLS. Quantum forgery of verification responses enables counterfeit drug injection into the legitimate supply chain.

NAIC Insurance Data Security Model Law (MDL-668) quantum exposure: Adopted 2017 and enacted in 25+ states, requires encryption of nonpublic information in transit and at rest. Actuarial models, claims history spanning decades, and underwriting algorithms represent long-lived sensitive data prime for HNDL attacks.

New York DFS cybersecurity regulation (23 NYCRR 500) quantum gap: Requires risk assessment and encryption for financial services including insurance companies. Life insurance and annuity records with 50+ year retention periods are prime HNDL targets. Regulation does not yet address post-quantum cryptography.

Systemic cyber risk to insurance sector: Geneva Association research identifies systemic cyber risk including quantum threats to insurance industry managing multi-decade policy data. Life insurance and pension records retain sensitivity for 50+ years. Reinsurance treaties with multi-year duration vulnerable to data manipulation.

IoT device risk escalation: Forescout 2025 research reports overall average device risk scores increased 15% year-over-year, with country-level averages rising 33%. Billions of constrained devices using ECDSA P-256 and RSA-2048 with limited crypto-agility and no practical firmware update path for PQC migration.

Industrial IoT SCADA quantum vulnerability: IEC 62443 governs industrial automation security. OPC UA protocol uses RSA/ECDSA for authentication across manufacturing, energy, and critical infrastructure. IIoT environments with 15-25 year equipment lifecycles and air-gapped networks face complex PQC migration.

IoT firmware update security (IETF SUIT): The IETF SUIT working group defines firmware update architecture (RFC 9019) with COSE-based manifest signing (using ECDSA/EdDSA per RFC 9052/9053) for firmware authentication. Constrained devices (Class 1-3) cannot support full PQC signature verification creating a security gap during migration.

Smart city infrastructure quantum vulnerability: Traffic management, public safety cameras, environmental sensors, and municipal IoT systems form interconnected networks with diverse device types and long deployment cycles. ISO/IEC 30182 defines smart community infrastructure framework. City-wide mesh networks and cloud gateways aggregate sensitive data from thousands of endpoints.

Open source cryptographic library PQC integration: OpenSSL 3.5 (April 2025) includes ML-KEM, ML-DSA, and SLH-DSA support with X25519MLKEM768 hybrid key exchange offered by default in TLS. Millions of applications depend on OpenSSL and similar libraries. Libsodium and other popular libraries lag behind creating widespread dependency risk during the PQC transition.

Certificate authority and PKI PQC transition: CA/Browser Forum must coordinate migration of the global WebPKI trust hierarchy to post-quantum algorithms. Chrome and Firefox have shipped ML-KEM hybrid key exchange (X25519+ML-KEM-768). Root CA key migration requires coordinated trust store updates across all major browsers and operating systems.

NIST FIPS 203/204/205 standardization milestone: First official PQC standards published August 2024. FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA) provide the foundation for all PQC migration. CMVP validation of implementations is ongoing with first validated modules expected 2025-2026.

Code signing and software supply chain quantum vulnerability: Software supply chain integrity depends on RSA/ECDSA code signing for open source repositories, package managers, and CI/CD pipelines. SLSA (Supply-chain Levels for Software Artifacts) framework identifies signing as critical trust anchor. Quantum forgery of code signatures enables malicious package injection at scale.

Authentication infrastructure quantum vulnerability: Enterprise authentication systems including X.509 digital certificates, SAML assertions, OAuth/OIDC tokens, and FIDO2 attestation rely on quantum-vulnerable PKI. FIDO Alliance has published a PQC roadmap for WebAuthn migration. Migration to PQC-compatible credential systems requires coordinated ecosystem updates.

eIDAS long-term signature vulnerability: EU Regulation 910/2014 Article 25(2) grants qualified electronic signatures legal equivalence to handwritten signatures across 27 EU member states. Property deeds, constitutional documents, and notarial acts require 50-100+ year validity. Quantum signature forgery would retroactively undermine the integrity of millions of legally binding documents.

eIDAS 2.0 Digital Identity Wallet quantum risk: Regulation 2024/1183 (entered force May 20, 2024) amends eIDAS to mandate European Digital Identity Wallets for all EU member states. Wallets must support qualified electronic attestations of attributes. Cryptographic protocols underpinning wallet-to-verifier authentication rely on RSA/ECDSA.

Qualified timestamp quantum forgery risk: ETSI EN 319 422 governs qualified time-stamp authorities under the eIDAS framework using RFC 3161 time-stamp protocol. Timestamps cryptographically prove document existence at specific moments for legal evidence and IP filings. Quantum-capable adversaries could forge timestamps to backdate contracts or fabricate audit trails.

Court electronic evidence repudiation risk: As quantum computing advances, defense attorneys may challenge the integrity of digitally signed electronic evidence, arguing signatures could have been forged. This introduces reasonable doubt for any evidence authenticated solely with quantum-vulnerable cryptography. Courts will need to establish new standards for digital evidence admissibility in the post-quantum era.

Content encryption master key HNDL risk: AACS (Advanced Access Content System) protects Blu-ray and UHD content using RSA key hierarchy. Studio content libraries worth billions have indefinite commercial value. Master encryption keys harvested today enable future mass decryption of entire studio catalogs once CRQCs arrive.

Streaming platform DRM quantum vulnerability: Major streaming services (Netflix, Disney+, Amazon) use Widevine, PlayReady, and FairPlay DRM systems with RSA key hierarchies for content license distribution. Combined global streaming revenue exceeds $100B annually with content catalogs representing irreplaceable IP.

Broadcast conditional access quantum exposure: DVB Conditional Access Systems use ECM (Entitlement Control Messages) with RSA/ECDSA encryption protecting pay-TV content distribution. Set-top boxes and smart TVs with 7-10 year lifecycles have limited crypto-agility for PQC migration.

EMV offline authentication quantum vulnerability: EMVCo specifications use RSA as the only approved asymmetric algorithm for offline card authentication (CDA/DDA). Approximately 14.7 billion EMV chip cards in circulation globally (end 2024). Quantum forgery of RSA signatures enables counterfeit card acceptance at any offline-capable terminal.

PCI DSS 4.0.1 cryptographic gap: PCI DSS requires 'strong cryptography' for cardholder data protection but does not yet mandate post-quantum algorithms. Organizations meeting current PCI compliance may still be quantum-vulnerable. Cryptographic inventory requirements (Req 3/4) do not address PQC readiness assessment.

PIN block encryption quantum vulnerability: Triple-DES DUKPT base derivation keys protecting PIN blocks at millions of payment terminals face quantum compromise. AES-256 DUKPT provides quantum-resistant symmetric alternative but terminal hardware replacement required at massive scale.

Railway signaling system quantum vulnerability: EN 50159 (Safety-related communication in railway systems) governs cryptographic authentication for ERTMS/ETCS (European Train Control System) train signaling. GSM-R and its successor FRMCS (Future Railway Mobile Communication System) provide the communication layer. Signaling infrastructure has 25-40 year lifecycles with limited upgrade paths. Quantum compromise of signaling authentication could enable unauthorized train movements.

Transit ticketing and access control quantum exposure: ISO/IEC 14443 contactless smart cards and NFC-based ticketing systems used by transit authorities worldwide rely on cryptographic authentication. MIFARE DESFire and similar platforms use AES/3DES symmetric encryption (quantum-resistant) but PKI infrastructure for card issuance, key management systems, and back-office settlement use RSA/ECDSA.

E-commerce payment flow quantum vulnerability: PCI DSS 4.0.1 requires strong cryptography for online payment processing but TLS protecting checkout flows uses RSA/ECDSA key exchange vulnerable to quantum attacks. E-commerce transaction volume exceeds $6 trillion globally with payment data in transit continuously exposed.

Customer data HNDL exposure: Retailers store customer PII, loyalty program data, payment history, and behavioral analytics for 5-10+ years for marketing and compliance. NIST Cybersecurity Framework identifies data protection as core function. Encrypted customer databases harvested today become readable with CRQCs.

Retail supply chain authentication: GS1 standards govern product identification and supply chain visibility for billions of products globally. RFID, EDI (AS2/AS4), and electronic product codes use digital signatures for authentication. Quantum forgery enables counterfeit product injection and supply chain manipulation.

Maritime cybersecurity quantum exposure: IMO MSC-FAL.1/Circ.3 guidelines address maritime cybersecurity. Maritime sector carries approximately 80% of world trade by volume. Port management systems, AIS (Automatic Identification System), and electronic navigation use RSA/ECDSA for authentication.

Electronic Bill of Lading quantum vulnerability: DCSA standards for electronic Bills of Lading (eBL) enable digital trade documentation for containerized shipping. Digital signatures on eBL documents prove ownership and transfer rights for cargo worth billions. Quantum forgery enables cargo theft and trade document fraud.

Customs and cross-border trade quantum risk: WCO SAFE Framework of Standards governs security and facilitation of international trade. Digital certificates for customs declarations, AEO (Authorized Economic Operator) credentials, and single window systems use RSA/ECDSA. Quantum forgery enables customs fraud at global scale.

HNDL on subscriber data: Mobile network operators retain call detail records, location data, and encrypted communications for 2-10 years. 5G user data encrypted with vulnerable algorithms.

GSMA Post-Quantum Telco Network Taskforce: Established September 2022 to coordinate quantum-safe migration for mobile network operators worldwide. Published PQ.03 guidelines (July 2025) providing telecom-specific PQC migration guidance. Taskforce brings together major operators and vendors to develop industry-wide PQC migration roadmap for 5G/6G infrastructure.

5G network security quantum vulnerability: 3GPP specifications define 5G security architecture (TS 33.501) using ECDSA and RSA for network authentication. 5G network slicing authentication and RAN encryption protect critical enterprise, IoT, and emergency services. N2/N3 interface security relies on IPsec with quantum-vulnerable key exchange.

SIM card and eSIM authentication quantum vulnerability: Billions of SIM cards globally use RSA-2048 or ECDSA P-256 for authentication. GSMA eSIM remote provisioning (SGP.22) relies on PKI with quantum-vulnerable key exchange. SIM replacement cycles of 3-5 years provide a migration window but legacy devices will persist longer.

6G native PQC design window: 6G standards development (2025-2030 in 3GPP and ETSI) represents a critical opportunity to incorporate PQC from the design phase, avoiding the crypto-agility retrofit challenges facing 5G. ETSI ISG on Quantum-Safe Cryptography is providing input to 6G security architecture development.

Water treatment plant SCADA quantum vulnerability: America's Water Infrastructure Act (AWIA) of 2018 requires community water systems serving 3,300+ people to conduct risk and resilience assessments including cybersecurity. Water treatment SCADA systems use ICS protocols with RSA/ECDSA authentication. CISA identifies Water and Wastewater Systems as one of 16 critical infrastructure sectors. Equipment lifecycles of 15-25 years with limited remote update capability.

Smart water infrastructure quantum exposure: AWWA (American Water Works Association) standards govern smart water metering, leak detection sensors, and distribution network monitoring using IoT-connected devices. Advanced Metering Infrastructure (AMI) for water utilities faces similar PQC migration challenges as energy smart meters — constrained devices with limited crypto-agility deployed for 10-15 year cycles.