Quantum Computing Cybersecurity

Post-Quantum Cryptography Migration

Replace quantum-vulnerable encryption with NIST-standardized post-quantum algorithms before adversaries can break your current cryptography. A structured migration from RSA, ECC, and Diffie-Hellman to ML-KEM, ML-DSA, and SLH-DSA.


Key Takeaways

  • NIST published three finalized PQC standards in August 2024: ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205)
  • NSA CNSA 2.0 mandates quantum-resistant algorithms for National Security System software by 2025 and hardware by 2030
  • Google announced a company-wide PQC migration deadline of 2029 on March 25, 2026
  • Migration typically takes 18-36 months from initial assessment to full production deployment
  • Hybrid mode (running classical + PQC algorithms simultaneously) is the recommended transition approach

Why Post-Quantum Migration Cannot Wait

The cryptographic algorithms that protect virtually every digital communication today, including RSA, elliptic curve cryptography (ECC), and Diffie-Hellman key exchange, will be broken by quantum computers running Shor's algorithm. This is not a theoretical concern. It is a mathematical certainty given a sufficiently powerful quantum computer.

The relevant question is timing. The Global Risk Institute's 2024 Quantum Threat Timeline Report found that more than half of surveyed experts assign a significant probability to a cryptographically relevant quantum computer (CRQC) existing by 2034. Google internally set 2029 as its PQC migration deadline. The NSA's CNSA 2.0 timeline requires software migrations to begin immediately and hardware migrations by 2030.

But the threat is not only in the future. Harvest now, decrypt later (HNDL) attacks are already underway. Nation-state adversaries intercept and store encrypted data today, banking on future quantum decryption. Any data that must remain confidential beyond the CRQC timeline is already at risk. For healthcare records (50+ year shelf life), classified defense data, long-term financial records, and government secrets, the migration window is closing now.

The migration itself is not a simple certificate swap. It requires changes to protocols, libraries, hardware security modules, key management systems, and application code. Organizations that start their quantum readiness assessment in 2026 and begin migration in 2027 will complete the process by 2029-2030, just ahead of the projected CRQC window. Organizations that wait until 2028 or later risk running out of time.

The NIST Post-Quantum Cryptography Standards

After an eight-year evaluation process that began in 2016 with 82 candidate algorithms, NIST published its first three finalized post-quantum cryptography standards on August 13, 2024. These are the algorithms your migration will target:

| Standard | Algorithm | Purpose | Replaces |
|----------|-----------|---------|----------|
| FIPS 203 | ML-KEM (CRYSTALS-Kyber) | Key encapsulation | RSA, ECDH, DH key exchange |
| FIPS 204 | ML-DSA (CRYSTALS-Dilithium) | Digital signatures | RSA signatures, ECDSA |
| FIPS 205 | SLH-DSA (SPHINCS+) | Hash-based signatures | RSA signatures (conservative alt.) |

ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism) handles key establishment for encrypted communications. It replaces the RSA and ECDH key exchanges used in TLS, VPN tunnels, and encrypted email. ML-KEM key sizes are larger than ECC but significantly smaller than the other PQC finalists, making it practical for most applications.

ML-DSA (Module-Lattice-Based Digital Signature Algorithm) handles digital signatures for code signing, document authentication, certificate issuance, and blockchain transactions. It replaces RSA and ECDSA signatures.

SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) is a conservative alternative to ML-DSA. Its security relies solely on hash functions rather than lattice problems, providing defense-in-depth if lattice-based algorithms face unexpected cryptanalytic breakthroughs. SLH-DSA signatures are larger and slower, so it is typically used for high-assurance applications like root certificate signing.

NIST has also selected a fourth algorithm, FN-DSA (FALCON), for standardization, expected in late 2025 or 2026. FN-DSA offers the smallest combined key and signature sizes of any PQC signature scheme, making it attractive for bandwidth-constrained environments.

Start Your PQC Migration

PTG's initial consultation is free. We assess your cryptographic environment, identify your highest-risk systems, and map a migration timeline aligned to your compliance deadlines.

The Six-Phase Migration Process

PTG's post-quantum cryptography migration follows a battle-tested six-phase methodology. Each phase produces documented deliverables, and the process builds crypto agility into every step so your infrastructure can adapt as PQC standards evolve.

Phase 1: Cryptographic Inventory

Before you can migrate, you need to know what exists. Our AI-powered scanning tools catalog every cryptographic algorithm, key, certificate, protocol, library, and hardware module across your infrastructure. This includes TLS certificates on load balancers, VPN tunnel configurations, database encryption at rest, HSM firmware versions, SSH key algorithms, S/MIME email encryption, code signing certificates, and embedded device cryptography. For a mid-size enterprise, this phase completes in 3-5 business days.

Phase 2: Risk Prioritization

Each cryptographic asset is scored by three factors: quantum vulnerability (RSA/ECC are critical; AES-256 is safe), data sensitivity (how long must the protected data remain confidential), and regulatory exposure (CNSA 2.0 deadlines, CMMC requirements, HIPAA obligations). The output is a prioritized migration queue. High-priority items include systems protecting data with confidentiality requirements beyond 2030, systems subject to CNSA 2.0 mandates, and systems with active HNDL exposure.
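The inventory-then-score step described in the first two phases, as an added example (not PTG's tooling and not code from this page). The inventory rows are constructed, and the weights, the `Asset` fields and the 2026 assessment year are illustrative assumptions.

```python
from dataclasses import dataclass

ASSESSMENT_YEAR = 2026   # assumption: year the inventory was taken
HORIZON = 2030           # page: confidentiality needed beyond 2030 is high priority

# Quantum vulnerability per algorithm family (weights are illustrative assumptions).
# Shor-broken public-key schemes are critical, AES-128 only needs an upgrade to
# AES-256, and AES-256 plus the FIPS 203/204/205 algorithms need no migration.
VULNERABILITY = {"RSA": 3, "ECDSA": 3, "ECDH": 3, "DH": 3, "AES-128": 1,
                 "AES-256": 0, "ML-KEM": 0, "ML-DSA": 0, "SLH-DSA": 0}

@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str              # key into VULNERABILITY
    use: str                    # "key-exchange", "signature" or "encryption"
    shelf_life_years: int       # how long the protected data must stay confidential
    regimes: frozenset = frozenset()   # e.g. {"CNSA 2.0", "HIPAA"}
    untrusted_path: bool = False       # traffic crosses networks you do not control

def score(asset):
    """Return (score, reasons); a score of 0 means nothing to migrate."""
    vuln = VULNERABILITY[asset.algorithm]
    if vuln == 0:
        return 0, []
    weight, reasons = 1, [f"{asset.algorithm} vulnerability {vuln}/3"]
    if ASSESSMENT_YEAR + asset.shelf_life_years > HORIZON:
        weight += 2
        reasons.append(f"data confidential past {HORIZON}")
    if "CNSA 2.0" in asset.regimes:
        weight += 2
        reasons.append("CNSA 2.0 mandate")
    elif asset.regimes:
        weight += 1
        reasons.append("regulated: " + ", ".join(sorted(asset.regimes)))
    # Harvest-now-decrypt-later targets recorded key establishment, not signatures.
    if vuln == 3 and asset.use == "key-exchange" and asset.untrusted_path:
        weight += 2
        reasons.append("HNDL exposure")
    return vuln * weight, reasons

def migration_queue(assets):
    """Highest score first; assets that score 0 are left out of the queue."""
    scored = [(score(a)[0], a.name, score(a)[1]) for a in assets]
    return sorted((s for s in scored if s[0] > 0), key=lambda s: -s[0])

# Constructed sample inventory (not real systems).
INVENTORY = [
    Asset("db-at-rest", "AES-256", "encryption", 25, frozenset({"HIPAA"})),
    Asset("code-signing", "ECDSA", "signature", 3),
    Asset("vpn-gateway", "ECDH", "key-exchange", 25, frozenset({"CNSA 2.0"}), True),
    Asset("backup-archive", "AES-128", "encryption", 10, frozenset({"PCI DSS"})),
    Asset("patient-portal-tls", "RSA", "key-exchange", 50, frozenset({"HIPAA"}), True),
]

if __name__ == "__main__":
    for points, name, reasons in migration_queue(INVENTORY):
        print(f"{points:>3}  {name:<20} {'; '.join(reasons)}")
```

Keeping the reasons next to each score lets the queue double as the documented deliverable for the phase: every position in it can be traced back to a specific factor.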

Phase 3: Architecture Planning

We design the target cryptographic architecture using NIST-standardized algorithms. This includes selecting appropriate PQC algorithm variants (ML-KEM-768 vs. ML-KEM-1024 based on security requirements), planning hybrid deployments (classical + PQC running simultaneously during transition), identifying vendor dependencies (which libraries and HSMs support PQC), and designing the crypto agility layer that will allow future algorithm swaps without re-architecture.

Phase 4: Pilot Implementation

We deploy PQC algorithms in a controlled environment, starting with the highest-priority systems identified in Phase 2. Pilot deployments use hybrid mode: both classical and PQC algorithms run simultaneously. This approach means that if a PQC implementation has compatibility issues, the classical algorithm maintains security while we resolve them. We measure performance impact (PQC key sizes are larger, affecting handshake times and bandwidth), validate interoperability with partner systems, and document operational procedures.

Phase 5: Production Rollout

With pilot data in hand, we execute the phased production migration. Systems migrate in priority order with rollback procedures tested at each stage. Key management systems are updated to support PQC key sizes and lifecycle requirements. Certificate authorities are migrated or replaced with PQC-capable alternatives. Network appliances receive firmware updates. Application libraries are updated. Each migration wave includes validation testing and performance monitoring.

Phase 6: Classical Deprecation

Once all systems are running hybrid mode with PQC algorithms proven stable, we begin deprecating classical algorithms. This is a gradual process: classical algorithms are first removed from preferred cipher suites, then disabled entirely. The timeline for full classical deprecation depends on partner ecosystem readiness and regulatory guidance. CNSA 2.0 provides specific deprecation deadlines for National Security Systems.

PQC Migration Readiness Checklist

Use this checklist to assess where your organization stands in the migration process:

  • Completed a quantum readiness assessment with full cryptographic inventory
  • Identified all RSA, ECC, and DH key exchanges in TLS, VPN, and application layers
  • Classified protected data by confidentiality shelf life (5-year, 10-year, 25-year, lifetime)
  • Mapped regulatory requirements (CNSA 2.0, CMMC, HIPAA, PCI DSS) to migration deadlines
  • Inventoried vendor dependencies: which libraries, HSMs, and appliances support PQC algorithms
  • Evaluated crypto agility requirements for abstraction layers and algorithm negotiation
  • Planned hybrid deployment (classical + PQC) for transition period
  • Budgeted for HSM firmware upgrades or replacements (many current HSMs do not support PQC key sizes)
  • Established performance baselines to measure PQC impact on latency and throughput
  • Trained engineering and operations teams on PQC algorithms and key management procedures

Hybrid Mode: The Recommended Transition Approach

NIST, NSA, and the cybersecurity community broadly recommend hybrid mode for PQC migration. In hybrid mode, both a classical algorithm and a PQC algorithm protect each communication. An attacker would need to break both algorithms to compromise the data.

Hybrid mode provides three critical benefits during migration:

Backward Compatibility

Not all systems in your ecosystem will migrate at the same time. Hybrid mode ensures that partners, vendors, and legacy systems that still use classical algorithms can communicate with your migrated systems. The classical component maintains interoperability while the PQC component provides quantum protection.

Safety Net Against PQC Vulnerabilities

While the NIST-standardized PQC algorithms have survived years of cryptanalysis, they are newer than RSA and ECC. If an unexpected vulnerability is discovered in a PQC algorithm, the classical component maintains security while the PQC component is patched or replaced. This is defense-in-depth applied to the migration itself.

Phased Deprecation

Hybrid mode lets you deprecate classical algorithms gradually, system by system, rather than executing a risky big-bang cutover. You can monitor performance, validate interoperability, and build operational confidence at each stage before removing the classical safety net.
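Why an attacker has to break both algorithms in hybrid mode, shown as an added example (not PTG's code and not taken from any particular protocol specification): a concatenate-then-KDF combiner built on HKDF-SHA256 from RFC 5869. The random byte strings are constructed stand-ins for the ECDH and ML-KEM shared secrets, and the function names and the `info` label are assumptions.

```python
import hashlib
import hmac
import os

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def hybrid_session_key(classical_ss, pqc_ss, transcript, length=32):
    """Derive one session key from both shared secrets.

    Both inputs are fixed at 32 bytes (the size of an X25519 or P-256 ECDH
    output and of an ML-KEM shared secret), so the concatenation is unambiguous.
    The transcript hash binds the key to the handshake messages that produced it.
    """
    if len(classical_ss) != 32 or len(pqc_ss) != 32:
        raise ValueError("both shared secrets must be 32 bytes; no single-algorithm fallback")
    salt = hashlib.sha256(transcript).digest()
    prk = hkdf_extract(salt, pqc_ss + classical_ss)
    return hkdf_expand(prk, b"hybrid-kex example", length)

def demo():
    # Constructed stand-ins for the ECDH output and the ML-KEM decapsulation output.
    classical_ss, pqc_ss = os.urandom(32), os.urandom(32)
    transcript = b"constructed handshake transcript"
    real = hybrid_session_key(classical_ss, pqc_ss, transcript)
    # Someone who recovers only one secret still has to guess the other 32 bytes;
    # any guess other than the real value yields an unrelated key.
    classical_broken = hybrid_session_key(classical_ss, os.urandom(32), transcript)
    pqc_broken = hybrid_session_key(os.urandom(32), pqc_ss, transcript)
    return {
        "classical_only_recovers_key": classical_broken == real,
        "pqc_only_recovers_key": pqc_broken == real,
        "both_recover_key": hybrid_session_key(classical_ss, pqc_ss, transcript) == real,
    }

if __name__ == "__main__":
    print(demo())
```

The length check is the part to carry into a real deployment review: a combiner that accepts an empty or missing PQC secret has quietly become a classical-only key exchange.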

Migration Takes 18-36 Months

If your compliance deadline is 2027 (CNSA 2.0 software) or your data must remain confidential past 2030, the planning window is now. PTG's initial consultation is free.

NSA CNSA 2.0 Migration Timeline

The NSA's Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) provides the most specific migration timeline available. While CNSA 2.0 is mandatory only for National Security Systems (NSS), it serves as the de facto benchmark for all organizations handling sensitive data. The CMMC framework, which governs the defense industrial base, will align with CNSA 2.0 requirements as they mature.

  • 2025: Software and firmware implementing quantum-resistant algorithms should be preferred for new NSS acquisitions
  • 2027: All NSS software and firmware must support quantum-resistant algorithms. Legacy TLS, IPsec, and SSH implementations begin deprecation
  • 2030: NSS network equipment (routers, switches, firewalls) must support quantum-resistant algorithms in hardware
  • 2033: Complete deprecation of all classical public-key algorithms for NSS. Full quantum resistance required for all components
  • 2035: Final transition point. No classical public-key cryptography permitted in any NSS implementation

For organizations outside the NSS/DIB ecosystem, these timelines still matter. Financial regulators, healthcare compliance frameworks, and state data protection laws will follow similar trajectories. Starting your migration now positions you ahead of mandatory deadlines rather than scrambling to meet them.

Common Migration Challenges

Larger Key and Signature Sizes

PQC algorithms use significantly larger keys and signatures than classical algorithms. ML-KEM public keys are approximately 1,184 bytes (compared to 256 bytes for ECC P-256). ML-DSA signatures are approximately 2,420 bytes (compared to 64 bytes for ECDSA). This affects TLS handshake times, bandwidth consumption, certificate sizes, and storage requirements. Architecture planning must account for these increases, particularly in bandwidth-constrained environments like IoT networks and mobile applications.

HSM and Hardware Limitations

Many current hardware security modules (HSMs) do not support PQC key sizes or algorithms. Firmware updates may be available from some vendors, but others may require hardware replacement. This is often the most significant capital expenditure in a PQC migration. PTG inventories your HSM fleet during the assessment phase and identifies upgrade paths for each device.

Third-Party and Partner Dependencies

Your cryptographic ecosystem extends beyond your own infrastructure. Customers, partners, vendors, and SaaS providers must also support PQC algorithms for end-to-end quantum resistance. Hybrid mode mitigates this during transition, but full quantum resistance requires ecosystem-wide migration. PTG helps you map third-party dependencies and coordinate migration timelines with critical partners.

Legacy System Constraints

Some legacy systems cannot be updated to support PQC algorithms. Embedded devices with hardcoded cryptography, end-of-life software, and custom protocols may require replacement rather than migration. The quantum readiness assessment identifies these systems early so replacement can be planned and budgeted.

Frequently Asked Questions

What is post-quantum cryptography?

Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to resist attacks from both classical and quantum computers. Unlike current public-key algorithms (RSA, ECC, Diffie-Hellman) that rely on integer factorization or discrete logarithm problems, PQC algorithms are based on mathematical problems believed to be hard for quantum computers: lattice problems (ML-KEM, ML-DSA), hash functions (SLH-DSA), code-based problems (Classic McEliece), and isogeny problems. NIST standardized the first three PQC algorithms in August 2024 after an eight-year evaluation process.

How long does a PQC migration take?

For a typical mid-size organization, the complete migration process takes 18-36 months from initial assessment to full production deployment. This includes 2-4 weeks for the cryptographic inventory, 4-8 weeks for architecture planning, 2-3 months for pilot implementation, and 6-18 months for phased production rollout. Larger enterprises with complex multi-cloud environments, legacy systems, or extensive partner ecosystems may require 3-5 years. The key variable is the number of cryptographic dependencies and the pace of vendor support for PQC algorithms.

Can we use quantum key distribution (QKD) instead of PQC?

Quantum key distribution (QKD) and post-quantum cryptography solve different problems and are not interchangeable. QKD uses quantum mechanics to distribute encryption keys and requires specialized hardware (single-photon detectors, quantum channels). It works over limited distances (typically under 100 km without quantum repeaters) and is impractical for internet-scale communications. PQC algorithms are software-based and can be deployed on existing infrastructure. The NSA has explicitly stated that QKD is not approved for protecting NSS and recommends PQC instead. For most organizations, PQC is the correct migration target.

Will PQC slow down our systems?

PQC algorithms have different performance characteristics than classical algorithms. ML-KEM key encapsulation is actually faster than RSA key exchange in most benchmarks. However, ML-KEM and ML-DSA use larger keys and signatures, which increases TLS handshake sizes and may add latency on bandwidth-constrained connections. In PTG's pilot deployments, we typically see 1-3 ms additional latency per TLS handshake and 2-5% bandwidth increase. For most web applications, these differences are imperceptible. For high-frequency trading, IoT, or real-time systems, architecture planning addresses performance optimization.

Is it safe to deploy PQC algorithms now, or should we wait?

NIST's August 2024 publications (FIPS 203, 204, 205) are finalized standards, not drafts. They are ready for production deployment. The hybrid mode approach (running classical + PQC simultaneously) provides an additional safety net: if an unexpected vulnerability is discovered in a PQC algorithm, the classical algorithm maintains protection while a fix is deployed. Waiting increases your HNDL exposure and compresses your migration timeline. NIST, NSA, CISA, and major technology companies (Google, Cloudflare, Amazon) all recommend starting PQC deployment now.

What about AES and SHA? Do they need to be migrated?

Symmetric algorithms (AES) and hash functions (SHA) are not broken by Shor's algorithm. Grover's algorithm provides a quadratic speedup for brute-force search, effectively halving the bit strength: AES-256 becomes equivalent to 128-bit security, and AES-128 becomes equivalent to 64-bit security. AES-256 and SHA-256 remain secure against quantum attacks. The only action required is upgrading any AES-128 instances to AES-256, which is typically a configuration change rather than an architectural migration. Your PQC migration focuses on public-key cryptography: key exchange, digital signatures, and key agreement protocols.

Does CMMC require post-quantum cryptography?

CMMC 2.0 requires FIPS-validated cryptography for CUI protection (based on NIST SP 800-171). As NIST's Cryptographic Module Validation Program (CMVP) adds PQC algorithm validations and deprecates quantum-vulnerable algorithms, CMMC compliance will increasingly require PQC. NSA CNSA 2.0 provides the specific timeline for National Security Systems. Defense contractors who proactively migrate to PQC will be ahead of their competitors when these requirements formalize. PTG's CMMC-RP and CCA credentials ensure your PQC migration documentation aligns with what CMMC assessors expect.

What is the difference between ML-KEM and ML-DSA?

ML-KEM (FIPS 203) and ML-DSA (FIPS 204) serve different cryptographic functions. ML-KEM is a key encapsulation mechanism used for establishing shared secrets over insecure channels. It replaces RSA key exchange, ECDH, and Diffie-Hellman in protocols like TLS, IPsec, and SSH. ML-DSA is a digital signature algorithm used for authentication, code signing, certificate issuance, and document integrity. It replaces RSA signatures and ECDSA. Both are based on lattice cryptography but are not interchangeable. A complete PQC migration requires deploying both algorithms across your infrastructure.

How much does a PQC migration cost?

Cost varies significantly by organization size, infrastructure complexity, and regulatory requirements. The primary cost drivers are HSM upgrades or replacements, engineering time for protocol and application updates, vendor license renewals for PQC-capable versions, and testing/validation. For a mid-size enterprise (500-5,000 endpoints), PTG's migration engagements typically range from $150,000 to $500,000 over the 18-36 month timeline. The initial readiness assessment and consultation are free, and we provide detailed cost projections before any engagement begins.

Can PTG help with compliance documentation for the migration?

Yes. PTG produces all migration documentation in formats aligned to your compliance requirements. For defense contractors, this means CMMC-compatible evidence packages and SSP updates. For healthcare organizations, this means HIPAA Security Rule documentation. For financial services, this means PCI DSS audit evidence. CEO Craig Petronella holds CMMC-RP and CCA credentials, is a Licensed Digital Forensic Examiner, and has published 15 books on cybersecurity. Our compliance documentation has been accepted by CMMC assessors, HIPAA auditors, and PCI QSAs.

Ready to Begin Your PQC Migration?

The first step is a free quantum readiness consultation. We assess your environment, identify your highest-risk cryptographic dependencies, and map a migration timeline to your compliance deadlines.