Post-quantum migration mis-steps

(Warning: Article content is not politically correct. Do not read on if you can be offended)

Fresh from my trip to the PKI Consortium PQC Conference 2025, I noticed a worrying trend about how divisive the industry has been in driving the post-quantum migration efforts, and how it may negatively impact our quantum-readiness momentum.

But first, lets understand what happened previously

Game 1 (the past): QKD vs PQC

QKD (Quantum Key Distribution) has been touted as the ultimate security solution to solve the quantum threat. Relying on the fundamental properties of light photons to generate and transmit tamper-proof keys versus the use of complex Mathematics which has let us down (after three decades) seemed like a good idea.

Until the rubber hit the road....

The current state of QKD technology required rather expensive equipment and was dependent on physical dark fibre connectivity between each of the communicating nodes. This severely limited the use-cases that QKD could be deployed for, reduced the scope of applications and data it could protect, while significantly increasing the cost of protection. Which unfortunately broke the quantum camel's back. Businesses operate on bottom-lines and return-on-investment (ROI). Having something unbreakable at an exorbitant cost is not acceptable.

An extreme analogy would be: 
Would you spend a million dollars to protect a safe that contains a thousand dollars?  - Probably not.

So after the many millions of dollars spent on implementing QKD pilot projects all around the world, none have gone into commercial production besides maybe military applications which I am unable to comment about. Ask the CISO of any bank or government agency and they are likely to prefer the use of post-quantum cryptography (PQC) to protect their sensitive data assets, and the main reasons cited are usually costs or limitations in the QKD technology. Even NSA has publicly mentioned that QKD technology will not be considered until the limitations are overcome. This probably sounded the death knell for widespread QKD adoption.

Could team QKD have done better? On hindsight, yes. Instead of the "QKD good PQC bad" narrative, a layered-defense, complementary approach could be presented.

If the main communications backbone carrying all the sensitive data could be protected with QKD, while the individual applications remain protected with PQC, then the ROI math may have worked out for QKD. More engineering would then be put into QKD, and the overall cost of QKD could be further decreased, reinforcing its place in the quantum-safe transition journey.

Game 2 (the present): Cryptographic inventory vs Pilot implementations

There had been a flurry of guidelines and advisories made by various industry groups and regulatory watchdogs. And many of them have strongly advised organizations to start their post-quantum migration journey by carrying out a holistic cryptographic inventory exercise to map out where and what cryptography is used within their organizations. Sounds reasonable right? If you don't know what you have, how do you know what to protect? Many have even labelled this a "no-regrets move".

Except that the cryptographic inventory exercise for many organizations is painful. A vanilla windows PC installation has over 300 assets of cryptography in use, and practically none of these assets are under the control of any organization (except Microsoft). In the first two workshop sessions I attended at the PQC conference, representatives from no less than three organizations have expressed, in no uncertain terms, NOT to start with cryptographic inventory. Each of these organizations had carried out a cryptographic inventory exercise and none of them were happy with the outcome.

On the other hand, the web browsing community have come together to create a standard for quantum-safe web-browsing. An IETF draft to use hybrid post-quantum key exchange in TLS (link) has been written and the leading browsers (Chrome by Google, Edge by Microsoft, Firefox by Mozilla, and Safari by Apple) have released support for this protocol. Through their hard work, we now know that more than 50% of web browsing traffic that goes through Cloudflare is actually quantum-safe.

This is an amazing achievement which was mentioned and praised in at least 5 sessions in the PQC conference. And none of them have expressed any tinge of regret....

I'm rooting for team implementation (if you didn't realize it by now). I've written about it subtly in the past, and now I'm openly telling people to just GET SH*T DONE. There is a time for cryptographic inventory, but the time is not now. I just hope that this game doesn't run into overtime and that the efforts and resources spent by team inventory does not negatively impact the quantum-readiness of most organizations.

Are there more games?

You bet there are.

The arguments between using hybrid PQC versus pure PQC are still not clear. The calls on when to start migrating digital signing applications such as PKI and blockchains are starting to be heard. And we have not yet figured out what it really means to be cryptographically agile.

At the end of the day, I sincerely hope we can work together as team quantum-ready. While there may be diversity of opinions, we need to unite against team hackers and make the world ready and resilient against any quantum threat.