The moment quantum computers can break today’s public-key cryptography. Q-Day.org - Q-Day, Y2Q, PQC, Quantum Readiness, Quantum Security 2030+ Quantum computer emerges 2036 End of retention period Q-Day HNDL attack 2026 Data encrypted with RSA/ECDSA
against quantum attacks. Based on math problems that quantum computers (as far as we know) cannot solve efficiently lattice problems (e.g.; ML-KEM, ML-DSA) hash-based structures (e.g.; SLH-DSA) error-correcting codes (e.g., HQC), etc. No quantum hardware is needed. These algorithms run on classical computers.
2024 and has been effective since 14 August 2024. FIPS 203 ML-KEM FIPS 204 ML-DSA FIPS 205 SLH-DSA • CRYSTALS-Kyber based • Module Lattice based Key Encapsulation Mechanism • Key establishment • CRYSTALS-Dilithium based • Module Lattice based Digital Signature Algorithm • Digital signatures • SPHINCS+ based • StateLess Hash-based Digital Signature Algorithm • stateless hash-based signatures Post-Quantum Cryptography FIPS Approved | CSRC
by Craig Gidney and Martin Ekerå How to factor 2048-bit RSA integers in 8 hours using 20 million noisy qubits – Quantum Estimated in 2019 20M Re-estimated in 2025 1M Research by Google’s Quantum AI team (Craig Gidney) [2505.15917] How to factor 2048-bit RSA integers with less than a million noisy qubits
5% of organisations are concerned about HNDL attacks 2025_07_10_Capgemini_Post-Quantum-Cryptography- Report_News-Alert.pdf of organisations believe quantum computing will break encryption within 5 years Quantum Readiness Gap: A DigiCert Study On Quantum-Safe Encryption of organizations have deployed PQC solutions. Just 5% of Enterprises Have Deployed Quantum-Safe Encryption - Infosecurity Magazine
– New procurement must incorporate PQC ~2030 – Deadline for phasing out non-PQC-compliant equipment ~2035 – Full transition of national security systems NSA's CNSA 2.0 Guidance [NSA's CNSA 2.0 Guidelines (NSM 10)] ~2026 – Each country shall formulate plans ~2030 – Commence transition to priority systems ~2035 – Achieve full implementation Recommendation on a Coordinated Implementation Roadmap for the transition to Post-Quantum Cryptography
– Full transition target (estimated) Timelines for migration to post-quantum cryptography (March 2025) ~2035 – Full transition target (estimated) A roadmap will be formulated during the 2026 fiscal year. Transition to Post-Quantum Cryptography (PQC) in Government Agencies and Other Organizations (2025) report_202511.pdf ~2030 – Ensure quantum resistance for confidential data Planning for post-quantum cryptography (September 2025)
migrate from the vulnerable primitive SHA-1 to its secure successor SHA-256, even after the necessary specifications and implementations were available. – The PQC Migration Handbook Cryptographic migration takes a long time...
major cloud services. Amazon Web Services ML-KEM post-quantum TLS now supported in AWS KMS, ACM, and Secrets Manager Amazon CloudFront launches TLS security policy with post-quantum support AWS Private CA now supports post-quantum digital certificates Google Cloud Announcing quantum-safe digital signatures in Cloud KMS Post-quantum cryptography (PQC) Microsoft Azure Quantum-safe security: Progress towards next-generation cryptography Post-quantum resilience: building secure foundations
• Default to hybrid post-quantum TLS. • By late 2025, all leading browsers and TLS libraries have X25519+Kyber- 768 enabled by default. • OpenSSL 3.5.0 supports PQC algorithms. • Per TLS enhancement, hybrid PQC KEM groups are added and X25519MLKEM768 is used for Default TLS key share. OpenSSL 3.5 Series Release Notes | OpenSSL Library X25519+ML-KEM-768 hybrid key exchange in production (opt-in) Over 50% of Cloudflare’s traffic uses PQC encryption. Cloudflare Radar State of the post-quantum Internet in 2025 • About 55% of human traffic • ~35% of all traffic was using hybrid KEM Cloudflare Akamai Post-Quantum Cryptography Implementation Considerations in TLS
their post-quantum crypto features: JEP 452: KEM API (Key Encapsulation Mechanism) # No PQC algorithms included (APIs only) Java 21 Sep 2023 JEP 496: ML-KEM (Kyber-based) JEP 497: ML-DSA (Dilithium-based) Java 24 Mar 2025 JEP 510: Extended KDF API (Key Derivation Functions) for hybrid protocols Java 25 Sep 2025 RFC 9180 compliant Hybrid Key Encryption algorithm (Cipher “HPKE”) (JDK-8325448) Signed JAR Support for ML-DSA (JDK-8349732) Java 26 Mar 2026
the JDK. BC 1.79 (the latest is 1.81) or later implement ML-KEM, ML-DSA, as well as SLH-DSA (SPHINCS+), HQC, and Falcon. Can use all NIST finalists (and some alternates) on Java 8, 11, 17, etc., via Bouncy Castle. Integration via JCA Provider To use BC’s PQC, register the provider and request algorithms by name and provider: import java.security.Security ; import org.bouncycastle.jce.provider.BouncyCastleProvider ; Security.addProvider ( new BouncyCastleProvider ()); ... // The JCA will pick Bouncy Castle in the list KeyPairGenerator kpg = KeyPairGenerator.getInstance ( "ML- DSA" , "BC" );
their post-quantum crypto features: JEP 452: KEM API (Key Encapsulation Mechanism) # No PQC algorithms included (APIs only) JEP 496: ML-KEM (Kyber-based) JEP 497: ML-DSA (Dilithium-based) JEP 510: Extended KDF API (Key Derivation Functions) for hybrid protocols RFC 9180 compliant Hybrid Key Encryption algorithm (Cipher “HPKE”) (JDK-8325448) Signed JAR Support for ML-DSA (JDK-8349732) Java 21 Sep 2023 Java 24 Mar 2025 Java 25 Sep 2025 Java 26 Mar 2026 Java 26 has not incorporated PQC into the JSSE standard TLS.
their post-quantum crypto features: Java 24 Mar 2025 Java 25 Sep 2025 Java 26 Mar 2026 JEP 527: Post-Quantum Hybrid Key Exchange for TLS 1.3 (target, integrated) # Default JSSE will cover these algorithms in TLS. Java 27 Sep 2026
Java 27!! • Post-Quantum Hybrid Key Exchange for TLS 1.3 • Current default JSSE doesn’t cover PQC in TLS. (JSSE provider can be added.) Java Secure Socket Extension (JSSE) Reference Guide • ML-KEM and ML-DSA are available in JDK 24/25 APIs.
Exchange Mechanism KEM Communication data stolen risks being decrypted by quantum computers in the future. Exactly ‘Harvest now, decrypt later’. Signature Authentication (signature) need only remain unbroken until quantum computers become practical.
better. draft-ietf-tls-ecdhe-mlkem - Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3 draft-ietf-tls-hybrid-design - Hybrid key exchange in TLS 1.3 JEP 527: Post-Quantum Hybrid Key Exchange for TLS 1.3 Classic PQC Pros Long security verification history. No efficient solution using quantum computers. Cons Vulnerability to quantum computers is a concern. Short security verification history. (a risk to be broken)
certificate issuance. (Enterprise JavaBeans Certificate Authority) AWS Private Certificate AWS Private CA now supports post-quantum digital certificates - AWS DigiCert Started offerings and pilot operations for issuing “PQC certificates.
ML-KEM draft-ietf-tls-hybrid-design - Hybrid key exchange in TLS 1.3 Generate (EC)DHE key pair Send ClientHello 1. Decide key algorithm 2. Generate (EC)DHE keypair Derive shared_secret_x with (EC)DHE Derive handshake_secret from shared_secret by HKDF shared_secret_x =ECDH(PK_c, SK_s) handshake_secret =HKDF(shared_secret ...) Public key (PK_c) Private key (SK_c) Public key (PK_s) Private key (SK_s) Generate (PQ)KEM key pair Encapsulation key (EK) Decapsulation key (DK) 1. Generate shared_secret_y 2. Encapsulate the secret with EK Enc=Encap(EK, shared_secret_y) Concatenate shared_secret=shared_secret_x || shared_secret_y ClientHello - key_share (includes PK_c, EK) - signature algorithms - psk_key_exchange_modes - pre_shared_key [Note] In the key_share extension of ClientHello , a new public key and the encapsulation key (EK) are sent at the same time. The server performs 1. ECDH key exchange to derive shared_secret_x 2. Encapsulates the randomly generated key shared_secret_y 3. Combines shared_secret_x and shared_secret_y to derive shared_secret 4. Generates handshake_secret using the HMAC Key Derivation Function (HKDF).
by HKDF shared_secret_x =ECDH(PK_s, SK_c) handshake_secret =HKDF(shared_secret ...) Decrypt encrypted parts of ServerHello with a key derived by HKDF from handshake_secret Decapsulate enc with EK and obtain shared_secret_y shared_secret_y =Decap(DK, Enc) Concatenate shared_secret=shared_secret_x || shared_secret_y ServerHello - key_share (includes PK_s, Enc) - pre_shared_key - EncryptedExtensions - CertificateRequest - Certificate - CertificateVerify - Finished - Application Data [Note] In the key_share extension of ServerHello , a new public key and the shared_secret_y are sent at the same time. The steps in the client are similar to what the Server performs. That is, 1. Performs an ECDH key exchange to derive shared_secret_x 2. Decapsulates to derive shared_secret_y 3. Combines shared_secret_x and shared_secret_y to derive shared_secret, 4. Generates handshake_secret using the HKDF. Encrypted with a key derived by HKDF from handshake_secret .
Eliminates overhead of the hybrid method (though PQC keys are still larger than ECC). • Simplicity: Relying on a single cryptographic primitive reduces code complexity. • Full Compliance (Future): Aligns with mandates like NSA CNSA 2.0. • Single Point of Failure: If the PQC algorithm is broken, you're unprotected. • Incompatibility: Legacy systems lacking PQC won't connect. • Significant variation between vendors: Many current HSMs and smart cards lack hardware acceleration for PQC, slowing performance on older devices
will be the goal. Feature Hybrid (Composite) Direct Replacement (Pure) Security Posture Classical + Quantum Resistant Quantum Resistant Only Risk of Algorithm Break Low (Classical backup exists) High (No backup) Performance Lowest (Dual overhead) Medium (PQC overhead only) Primary Use Case Commercial/Civilian Transition Military/Intel (High Security) CYBER; Migration strategies and recommendations to Quantum Safe schemes Migration to Post-Quantum Cryptography | NCCoE Announcing the Commercial National Security Algorithm Suite 2.0 Avis de l'ANSSI sur la migration vers la cryptographie post-quantique (suivi 2023)
broken next year, you can switch to an alternative PQC candidate immediately. Testing: Allows you to roll out PQC to 1% of users for testing and revert instantly if issues arise. Please note that... Engineering Effort: Requires refactoring legacy codebases where crypto is hardcoded (e.g., hardcoded RSA-2048 keys).
Primary Goal Full System Compliance Rapid Internet Protection First Step Upgrade PKI/Root CA Upgrade Edge Gateway Complexity High (Touches everything) Medium (Touches Gateway+Client) Best For Banking, Identity Systems Web Apps, Mobile Apps
protocol is challenging. Both the ClientHello and ServerHello packets get much bigger. ClientHello packet could be fragmented at lower layers. Unexpected behavior at intermediate switches. The performance loss from segmentation and reassembly. ML-KEM-768 Public key shared key for encapsulation X25519 public key Key size (byte) 1184 1088 32
ready Already supported PQC Hybrid + crypto-agility Start now HNDL is active! • ML-KEM • ML-DSA • SLH-DSA Other standards are now being discussed. Hybrid key exchange support in TLS 1.3 (JEP 527) expected in upcoming JDK. For safe migration Migration spans years; monitor and iterate.
logico_jp
tatsukoni
kaacun
cybozuinsideout
thehajime
grandbig
sansan33
ikomachi226
rocketmartue
databricksjapan
kaminashi
jmmastey
nwiizo
matthewcrist
ivargrimstad
bluesmoon
bermonpainter
soysaucechin
varn
eileencodes
bkeepers
frankvandijk
coloredviolet
