A Cybersecurity specialist, a cryptographic engineer, a cryptographer and a quantum communications researcher walk into a room.

This is a follow up on my earlier article "Post-quantum migration mis-steps". It captures my thoughts after attending the ETSI/IQC Quantum-safe conference (June 2026) where pQCee presented our joint collaboration with IoTex on "Performing Post-Quantum Transactions on IoTeX (an EVM-compatible chain)"

While everyone can agree that applications using classical public key cryptosystems such as RSA are vulnerable to harvest-now-decrypt-later quantum attacks, it is very unlikely that the different groups agree wholeheartedly with one another on how to approach the post-quantum migration process to mitigate the threat. Why is that so? 

Different Mental Models

I believe that is because the threat mental model for each of them is different. 

Let's start with the quantum communications researcher. The researcher advocates an information-theoretically safe communication method such as the one-time pad (OTP) since any public key cryptosystem will have to include a mathematical trapdoor (aka private key), and it is a matter of time that quantum algorithms will be able to compute the trapdoor.

The cryptographer, on the other hand, will argue that post-quantum cryptography (PQC) works because while public key cryptosystems are not unconditionally safe, they can be designed to be computationally-secure. This means that it will take a long time (e.g. more than 1000 years) for a hacker with a quantum computer to find the private key. How the cryptographer designs the PQC algorithm is based on the principles of Indistinguishability under Chosen-Plaintext Attack (IND-CPA) and Indistinguishability under Chosen-Ciphertext Attack (IND-CCA) where the adversary, given the opportunity of providing samples of plaintexts or ciphertexts to observe the encryption process, will still not be able to compute the private key.

Next comes the cryptographic engineer who works on applied cryptography (i.e. enabling the business application to use the cryptographic algorithms). To have effective data security, the engineer needs to architect the protocol and management of the keys and algorithms including when, who, how the keys are generated, stored, used, combined, split, derived and deleted across the useful lifetime of the data. The design principles applied are based on the STRIDE threat model which takes into account how an adversary can spoof, tamper, cause repudiation, disclose information, deny the service or elevate the privilege through improper use of the algorithm.

Finally, the cybersecurity specialist approaches the problem from a vulnerability management perspective. The MITRE ATT&CK and the Cyber Kill Chain threat models look at where, when and how adversaries are able to gain a foothold into the protected system in order to launch the compromise, and seek to prevent such attacks by shutting down the vector. In the case of post-quantum migration, the specialist will focus on discovering the vulnerabilities and prioritize removal of weak cryptographic algorithms through remediation actions.

Comparing the differences in opinion

I breakdown the differences in the mental models and their implication in the table below:

Cybersecurity SpecialistCryptographic EngineerCryptographerQuantum Communications Researcher
Threat ModelMITRE ATT&CK / Cyber Kill ChainSTRIDEIND-CPA / IND-CCAInformation security
How to approach quantum-safe migrationDiscover where all weak cryptography is used and replace them with quantum-safe algorithmsLook at the data under threat and design mitigation measures to remove the threatStart using PQC algorithms, and build in capability to switch them in the futureUse QKD to generate a random sequence for both communicating parties to scramble the data  
Typical QuoteYou can't protect what you don't know We have successfully migrated from MD5, DES in the past. We can get PQC done.PQC is superior to QKDPQC will eventually be broken
Biggest criticismDoing cryptographic discovery does not solve the quantum threat. Not all classical implementations can be replacedCryptographic design is complex and requires experience. Many deployments still have vulnerabilitiesPQC algorithms are not efficient and take up too much resources and storageQKD is expensive, commercially viable and limited in use-cases

So herein lies the difficulty. I don't think any of these groups are fundamentally wrong in their opinion, but these differing views will only serve to confuse the broader community who need to get their systems protected against the upcoming quantum threat. 

So how does it concern you?

Regardless whether you are a regulator setting up the quantum-safe policy for your industry, or a CISO overseeing the post-quantum migration efforts of your organization, or an operations manager tasked to plan an upgrade of your application, you are likely to be speaking to various industry practitioners and vendors. I hope this article will help you get clarity on the mindset of the people you are talking to, and understand where the advice is coming from.

Let me know if this makes sense? I'm available at teikguan@pqcee.com

Author

Tan Teik Guan

Teik Guan is CEO of pQCee.com. He works in the niche area of cryptographic security design and integration, having implemented numerous successful projects for banks, government agencies and enterprises. He holds a BSc and MSc from NUS and a PhD from SUTD.


Built with Konigle