Post Quantum Cryptography (PQC): Trusting the Transition
Part of the Trust in Digital Life Webinar Series 2025
The second webinar in the 2025 TDL programme took place on 6 February 2025 and was a lively discussion and deep dive into issues relating to post-quantum cryptography.
The speakers, who between them had considerable experience from a range of different backgrounds, were:
· Nigel Smart, Cryptographer, Professor, COSIC, KU Leuven
· John Velissarios, Founder & Director, Otranto Ltd
· Michiel Marcus, Cryptography Researcher, Applied Cryptography and Quantum Algorithms, TNO
The session was moderated by Steve Purser, the former Head of Operations at ENISA and a TDL Strategic Advisor.
The key takeaways and next steps were:
1. Understanding PQC vs Quantum Computing
· PQC is a response to advances in quantum computing, not quantum computing itself
· Quantum computers pose specific threats to current cryptographic systems, especially public key/asymmetric algorithms
· The "harvest now, decrypt later" threat is immediate and serious for long-term sensitive data
2. Crypto Agility is Critical
· Organisations need to focus on crypto agility rather than just PQC implementation
· Crypto agility allows switching between algorithms and adapting to new threats
· This approach helps address both current and future cryptographic vulnerabilities
3. Implementation Challenges
· Larger key and data sizes in PQC may require significant system re-engineering
· Performance impacts must be considered when implementing new algorithms
· Legacy systems and middleware present particular migration challenges
· Hybrid approaches (combining current algorithms with PQC) are recommended during the transition
4. Organisational Approach
· Most organisations (99%) using cloud services may not need immediate action
· Critical first steps include:
  · Inventory of cryptographic assets
  · Risk assessment based on data time-value
  · Understanding core business processes
  · Identifying crown jewels requiring protection
5. Industry Response
· Vendor-customer deadlock exists: vendors waiting for demand, customers waiting for solutions
· Need for better coordination between sectors and stakeholders
· Regulatory pressure may help drive adoption
· Public-private partnerships and sectorial approaches could facilitate transition
6. Practical Next Steps
· Organisations should start planning now, especially for sensitive long-term data
· Focus on crypto agility rather than just PQC implementation
· Consider forming consortia to share experiences and resources
· Engage vendors early about their PQC transition plans
· Monitor standardisation efforts and available implementations
· Public sector institutions should consider making more use of public-private partnerships (PPPs) to drive this issue forward
To watch the full recording of the session, tune into TDL's video channel.