The Personal Site of Lalo Morales


Quantum-Safe Cryptography in Software Engineering: Preparing for the Post-Quantum Era


1. Introduction

Modern digital security relies heavily on public-key cryptography, using algorithms such as RSA and elliptic-curve cryptography (ECC). These systems underpin everything from secure website connections (TLS/SSL) and virtual private networks (VPNs) to software code-signing and banking transactions. However, the rapidly evolving field of quantum computing poses a serious threat to these classical cryptographic methods. Once sufficiently large and error-corrected quantum computers become available, Shor’s algorithm could break RSA and ECC in polynomial time—something impossible for conventional computers to achieve within a reasonable timeframe.

Security agencies, corporations, and government bodies have become increasingly concerned that adversaries may already be harvesting encrypted data now, with the aim of decrypting it later when quantum computers mature—often called “store-now, decrypt-later.” In response, the U.S. National Institute of Standards and Technology (NIST) led a multi-year public process to identify and standardize post-quantum cryptography (PQC) algorithms believed to be secure even against quantum attacks. By the end of 2024, NIST published draft standards (with finalization in progress) for four main algorithms:

  • CRYSTALS-Kyber (key encapsulation).
  • CRYSTALS-Dilithium (digital signatures).
  • FALCON (digital signatures).
  • SPHINCS+ (digital signatures).

These quantum-safe algorithms rest on mathematical foundations such as lattices and hash trees, which are currently believed to be resistant to known quantum attacks. They are set to replace RSA and ECC in the coming decade as organizations prepare for the advent of large-scale quantum computers.

In this blog post, we explore the essentials of quantum-safe cryptography in software engineering. We will look at the NIST-selected post-quantum algorithms, recommended migration strategies, expected performance impacts, emerging library support, ongoing standardization, and real-world case studies that illuminate the path forward. By following these guidelines, software professionals can future-proof their systems and ensure that sensitive data remains secure—even in a quantum-capable world.


2. Post-Quantum Algorithms

2.1 NIST-Recommended Algorithms

After a rigorous, multi-year global competition, NIST announced the first group of quantum-resistant algorithms in 2022 and 2023 for standardization:

  1. CRYSTALS-Kyber (Key Encapsulation Mechanism, or KEM)
    • Security Basis: Lattice-based cryptography (Learning-With-Errors problem).
    • Why It Matters: Kyber features fast key generation and encapsulation, plus relatively small keys and ciphertexts (on the order of 1–1.5 KB). It also outperforms popular elliptic-curve Diffie-Hellman methods (e.g., X25519) in many benchmarks, making it a prime choice for post-quantum key exchange.
  2. CRYSTALS-Dilithium (Digital Signatures)
    • Security Basis: Lattice-based (module lattices).
    • Why It Matters: Dilithium offers a good balance of signature size (a few kilobytes) and speed. NIST recommends Dilithium as a general-purpose signature scheme, thanks to its efficiency and robust security track record throughout the competition.
  3. FALCON (Digital Signatures)
    • Security Basis: Lattice-based (NTRU lattice).
    • Why It Matters: Produces smaller signatures (hundreds of bytes) compared to Dilithium but involves more complex implementations—particularly floating-point sampling. NIST suggests FALCON for specialized use-cases that require ultra-compact signatures, such as certain certificate chains.
  4. SPHINCS+ (Digital Signatures)
    • Security Basis: Hash-based (Merkle trees).
    • Why It Matters: Offers a completely different security foundation (relying on robust hash functions). It produces larger signatures and is slower in signing, but it’s considered a “conservative” choice and a fallback should lattice-based methods face unforeseen vulnerabilities.

These algorithms withstand known quantum attacks because they rely on mathematical problems (like the Learning-With-Errors problem for lattice-based crypto or hash preimage resistance) that are believed to be hard for both classical and quantum computers—unlike RSA or ECC, which are susceptible to Shor’s algorithm.

2.2 Comparison to Traditional Cryptography

Post-quantum algorithms introduce larger key and ciphertext sizes compared to RSA or ECC. For instance, Kyber typically adds around 1–1.5 KB of overhead for a key exchange (compared to 32 bytes with X25519). Digital signature schemes, like Dilithium, similarly involve signatures in the kilobyte range (vs. 256 bytes for RSA-2048). However, these new algorithms can be surprisingly fast—lattice-based methods often outperform traditional crypto in raw signing and verification throughput. The trade-off is an increase in network bandwidth and storage requirements for keys, but most software ecosystems have deemed these increases acceptable.

NIST aims to finalize official FIPS standards for the four algorithms, which will shape cryptographic libraries and protocols for decades to come. Although additional algorithms—like Classic McEliece—remain under consideration for further diversity, Kyber and Dilithium are expected to become the “workhorses” of next-generation, quantum-safe encryption and signatures.


3. Migration Strategies

3.1 Planning and Crypto-Agility

Transitioning to quantum-safe cryptography requires strategic foresight. Organizations must:

  • Inventory all systems and applications that rely on public-key cryptography (e.g., TLS, SSH, VPNs, code-signing).
  • Embrace crypto-agility, designing software so that cryptographic algorithms can be swapped out or upgraded without overhauling entire infrastructures.
  • Follow guidance from NIST and government agencies recommending a thorough plan for replacing RSA/ECC with PQC well before quantum computers become a direct threat.

For instance, in 2022, the White House directed U.S. federal agencies to compile an inventory of vulnerable cryptographic systems and develop detailed migration roadmaps. Corporate leaders—especially in banking, healthcare, and other critical sectors—are similarly forming “quantum-safe transition” programs to coordinate budgets, timelines, and personnel training.

3.2 Hybrid Deployment Approaches

A popular hybrid strategy combines traditional and post-quantum algorithms during the transition period. For example, in a TLS handshake, one can generate shared secrets using both X25519 (ECC) and Kyber (PQC), then combine them. This dual-key approach ensures that, even if the new PQC scheme has undiscovered flaws, the classical scheme will maintain some level of security (and vice versa).

Real-world examples of hybrid approaches include:

  • Google’s Chrome experiments (CECPQ1, CECPQ2) combining elliptic-curve Diffie-Hellman with a lattice-based KEM for TLS.
  • OpenSSH 9.0 defaulting to a hybrid key exchange that uses NTRU Prime plus X25519.

These transitional techniques allow organizations to begin integrating PQC without “breaking” existing clients or devices, since older software can simply fall back to classical ciphers if it doesn’t recognize the new ones.
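The combination step of the hybrid handshake, as an added example that is not part of the original post: two 32-byte shared secrets (the outputs a real X25519 exchange and a real Kyber decapsulation would produce; here constructed placeholders) are concatenated and run through HKDF-SHA256, so the session key can only be recovered by someone who knows both. The concatenation order, the transcript-hash-as-salt choice and the info label are illustrative assumptions, not the wording of any TLS draft.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output length


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, SHA-256): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, SHA-256): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):  # ceil(length / HASH_LEN) blocks
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def combine_hybrid_secret(ss_classical: bytes, ss_pqc: bytes, transcript: bytes) -> bytes:
    """Derive one 32-byte session key from an X25519 secret and a Kyber secret.

    Assumed convention (illustrative only): classical secret first, PQC secret
    second, and the hash of the handshake transcript as the HKDF salt. Because
    both secrets are part of the key material, an attacker who breaks only one
    scheme still lacks the input needed to recompute the session key.
    """
    if len(ss_classical) != 32 or len(ss_pqc) != 32:
        raise ValueError("both X25519 and Kyber shared secrets are 32 bytes")
    prk = hkdf_extract(hashlib.sha256(transcript).digest(), ss_classical + ss_pqc)
    return hkdf_expand(prk, b"hybrid session key (example label)", 32)


# Constructed stand-ins for the outputs of a real X25519 exchange and a real
# Kyber decapsulation; none of these values come from an actual handshake.
SS_X25519 = bytes([0x11]) * 32
SS_KYBER = bytes([0x22]) * 32
TRANSCRIPT = b"ClientHello||ServerHello (constructed)"


def key_depends_on_both_secrets() -> bool:
    """Flipping a single bit in either input must change the derived key."""
    base = combine_hybrid_secret(SS_X25519, SS_KYBER, TRANSCRIPT)
    flip = lambda s: bytes([s[0] ^ 1]) + s[1:]
    pqc_only_known = combine_hybrid_secret(flip(SS_X25519), SS_KYBER, TRANSCRIPT)
    classical_only_known = combine_hybrid_secret(SS_X25519, flip(SS_KYBER), TRANSCRIPT)
    return base != pqc_only_known and base != classical_only_known


if __name__ == "__main__":
    print("session key:", combine_hybrid_secret(SS_X25519, SS_KYBER, TRANSCRIPT).hex())
    print("depends on both secrets:", key_depends_on_both_secrets())
```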

3.3 Maintaining Services During Migration

Because cryptographic protocols interconnect with countless legacy systems, migrations tend to be phased and carefully tested:

  1. Enable quantum-safe ciphersuites in addition to classical ones on servers.
  2. Gradually roll out support to test groups or beta clients, monitoring performance and compatibility.
  3. Transition to fully PQC-only configurations once most clients support it and major security standards are in place.

Challenges commonly arise when older protocols or devices cannot handle larger PQC keys or signatures, leading to crashes or handshake errors. Many organizations must upgrade or replace outdated firmware, hardware security modules, and embedded systems that cannot be patched. This underscores why starting early is critical—especially for large enterprises juggling legacy components.


4. Performance Overheads

4.1 Key Operations and Throughput

A central question about PQC is whether it slows down real-world applications. The good news: many lattice-based algorithms are extremely fast in both key generation and encryption/decryption (encapsulation/decapsulation).

  • Kyber often outperforms classical Diffie-Hellman in raw CPU benchmarks, albeit with slightly bigger key material (around 1–1.5 KB).
  • CRYSTALS-Dilithium signature operations generally exceed RSA’s speed, though Dilithium signatures are a few kilobytes in size (compared to RSA-2048’s 256 bytes).

Hash-based solutions like SPHINCS+ are noticeably slower, but they serve as a valuable fallback if lattices are compromised. For high-frequency signing (like TLS certificates), lattice-based schemes (Dilithium or FALCON) are likely preferable due to faster performance.

4.2 Impact on Network and Memory

The most notable overhead lies in increased key, ciphertext, or signature sizes. In many web scenarios, adding a kilobyte or so in a TLS handshake does not significantly impact user experience, because network latency often dominates. High-bandwidth deployments (e.g., data centers, content delivery networks) have reported only minimal slowdowns—on the order of a few milliseconds—in large-scale TLS experiments.

For resource-constrained IoT devices, the bigger keys can pose challenges in flash memory or bandwidth usage. However, selected algorithms such as Dilithium at lower security levels (e.g., “Dilithium2”) offer relatively small key sizes suitable for many embedded scenarios. Careful benchmarking is essential to ensure that chosen parameter sets fit each device’s constraints.

4.3 Benchmark Examples

  • Google & Cloudflare (CECPQ2): A live test of a hybrid post-quantum key exchange in TLS 1.3 added only negligible latency (1–2 ms) to the handshake.
  • IBM z16 mainframe platform: Successfully integrated Dilithium into its hardware security modules without noticeable performance penalties, demonstrating feasibility even in mission-critical environments.

As a result, performance overhead is generally manageable and often overshadowed by network delays or other system bottlenecks. Engineers simply need to plan for modestly larger packet sizes and ensure that cryptographic libraries are optimized for modern CPU architectures.


5. Library Support and Integration Efforts

5.1 Open Source Initiatives

The Open Quantum Safe (OQS) project, hosted by the Linux Foundation, spearheads early adoption of PQC within major libraries:

  • OpenSSL OQS Fork: Provides an OQS provider module for OpenSSL 3.x, letting developers experiment with CRYSTALS-Kyber, Dilithium, FALCON, and SPHINCS+ well before official OpenSSL releases include them by default.
  • BoringSSL: Google’s fork of OpenSSL used in Chrome and Android has tested PQC hybrid ciphers (e.g., NTRU-HRSS) through real-world pilot programs.

Other libraries, such as wolfSSL and mbedTLS, also offer prototypes or optional PQC ciphersuites. As NIST finalizes the standard specifications, these implementations are expected to move from “experimental” to mainstream.

5.2 Protocol Integration: TLS, SSH, and Certificates

Standards bodies like the IETF are working on formal specifications to incorporate PQC into widely used protocols:

  • TLS 1.3: Internet drafts define how to negotiate Kyber as a key exchange option, and how to handle Dilithium/FALCON signatures in X.509 certificates.
  • OpenSSH: Version 9.0 and later support a hybrid key exchange approach (NTRU Prime + classical X25519). Although the exact final NIST algorithm chosen for SSH may change (e.g., migrating to Kyber), the concept is well-tested.
  • Certificate Authorities (CAs): Must be able to issue and verify larger PQC signatures. The industry is exploring dual-signature certificates (classical + PQC) to ease compatibility concerns.

5.3 Compatibility Concerns

One known issue is that older clients or devices might reject unknown or oversized cryptographic parameters. During pilot tests (e.g., Chrome-Cloudflare’s CECPQ2), some legacy TLS implementations crashed on receiving large PQC key shares. This highlights the importance of:

  1. Hybrid ciphersuites that gracefully fall back for older clients.
  2. Incremental rollout, with telemetry to pinpoint and patch failing endpoints.
  3. Proactive vendor engagement to ensure their products update buffer sizes and handshake logic accordingly.

Ultimately, widespread adoption depends on seamless integration into standard protocols so that users do not notice any major disruptions.
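The wire-level side of the compatibility problem above, as an added example that is not part of the original post: this Python builds a TLS 1.3 ClientHello key_share extension carrying both an X25519 share and an X25519Kyber768 hybrid share, parses it by its length prefixes rather than a fixed-size buffer (the failure mode behind the legacy crashes), and shows the server falling back to X25519 when a peer lacks PQC support. The key bytes are constructed placeholders; the 0x6399 code point and the 1184-byte Kyber768 key size are known values the post itself does not name, and the preference order in select_group is an assumption.

```python
import struct

# TLS 1.3 NamedGroup code points: x25519 (0x001D) is from RFC 8446; 0x6399 is the
# X25519Kyber768Draft00 code point used in the Chrome/Cloudflare hybrid deployments.
X25519 = 0x001D
X25519_KYBER768 = 0x6399
KEY_SHARE = 0x0033  # extension type "key_share"

# Expected key_exchange sizes: an X25519 public key is 32 bytes; the hybrid share is
# the X25519 key followed by a 1184-byte Kyber768 encapsulation key.
SHARE_SIZE = {X25519: 32, X25519_KYBER768: 32 + 1184}


def build_key_share(shares):
    """Encode KeyShareClientHello: extension type, length, then the client_shares vector."""
    entries = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in shares)
    body = struct.pack("!H", len(entries)) + entries
    return struct.pack("!HH", KEY_SHARE, len(body)) + body


def parse_key_share(data):
    """Decode the extension by its length prefixes instead of a fixed-size buffer."""
    if len(data) < 6:
        raise ValueError("truncated key_share extension")
    ext_type, ext_len, vec_len = struct.unpack("!HHH", data[:6])
    if ext_type != KEY_SHARE or ext_len != len(data) - 4 or vec_len != ext_len - 2:
        raise ValueError("malformed key_share extension")
    shares, pos, end = [], 6, 6 + vec_len
    while pos < end:
        group, key_len = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if key_len == 0 or pos + key_len > end:
            raise ValueError("key_exchange length exceeds client_shares")
        if group in SHARE_SIZE and key_len != SHARE_SIZE[group]:
            raise ValueError(f"group {group:#06x}: unexpected share size {key_len}")
        shares.append((group, data[pos:pos + key_len]))
        pos += key_len
    return shares


def select_group(offered, server_supported):
    """Server negotiation: prefer the hybrid group, fall back to X25519 when either
    side lacks PQC support. The preference order is an assumption."""
    offered_groups = [g for g, _ in offered]
    for g in (X25519_KYBER768, X25519):
        if g in offered_groups and g in server_supported:
            return g
    return None


# Constructed placeholder shares (not real public keys), sized like the real ones.
CLIENT_SHARES = [(X25519, b"\xaa" * 32), (X25519_KYBER768, b"\xbb" * (32 + 1184))]
CLASSICAL_ONLY = [(X25519, b"\xaa" * 32)]

if __name__ == "__main__":
    wire = build_key_share(CLIENT_SHARES)
    print("hybrid key_share bytes:", len(wire), "| classical only:", len(build_key_share(CLASSICAL_ONLY)))
    print("PQC-capable server picks %#06x, legacy server picks %#06x" % (
        select_group(parse_key_share(wire), {X25519, X25519_KYBER768}),
        select_group(parse_key_share(wire), {X25519})))
```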


6. Standardization and Industry Research Outlook

6.1 NIST’s Standardization Progress

NIST’s post-quantum standardization process has been underway since 2016. After three rounds of global competition and cryptanalysis, NIST announced the selection of Kyber, Dilithium, FALCON, and SPHINCS+ in 2022. Draft standards were published in 2023–2024 under proposed FIPS designations (e.g., “ML-KEM” for Kyber, “ML-DSA” for Dilithium). NIST is expected to finalize these as official FIPS publications soon, enabling stable references for:

  • Cryptographic library development (OpenSSL, BoringSSL, NSS, etc.).
  • Network protocol specifications (IETF, ETSI).
  • Hardware manufacturers (TPMs, smart cards, HSMs).

NIST’s Round 4 continues with several additional algorithms under evaluation, such as Classic McEliece, to increase diversity of security assumptions.

6.2 Industry Pilots and Initiatives

Major players have already kicked off pilots:

  • Google: Deployed post-quantum TLS in Chrome experiments (CECPQ1, CECPQ2) and now protects portions of its internal data center traffic with PQC by default.
  • Cloudflare: Integrated post-quantum ciphers into their CDN edge servers and collaborated on open-source tooling (like CIRCL for Go) to test large-scale performance.
  • IBM: Introduced quantum-safe firmware signing with Dilithium in the IBM z15 and z16 mainframes, ensuring that mission-critical hardware updates remain secure.
  • Microsoft: Built a prototype PQC VPN and developed code analysis tools to identify legacy crypto usage in large codebases, guiding developers toward a systematic transition.

6.3 Threat Timeline and Policy

Experts estimate that cryptographically relevant quantum computers could emerge in the 2030s. The U.S. government set the target date of 2035 for fully replacing vulnerable cryptography in federal agencies. This lead time (roughly 10 years from now) provides a window for software engineering teams to implement changes without panic. However, the risk of store-now, decrypt-later attacks means it is prudent to start upgrading any data with long-term sensitivity (e.g., classified information, personal health records) as soon as feasible.


7. Case Studies and Real-World Implementations

7.1 Google & Cloudflare: Post-Quantum TLS Experiments

  • Project: CECPQ2 (TLS 1.3 with a hybrid lattice-based KEM).
  • Challenge: Measure performance impact and identify compatibility issues.
  • Outcome: Minimal latency overhead (1–2 ms), no major user experience disruption, and only a handful of corner-case interoperability failures. This success validated the concept of large-scale PQC deployment on the web.

7.2 IBM: Quantum-Safe Mainframe (z15/z16)

  • Project: Migrating HSM firmware signing keys to CRYSTALS-Dilithium.
  • Challenge: Maintain the reliability and speed expected of enterprise mainframes.
  • Outcome: Dilithium integration worked smoothly, and IBM even used hybrid certificates as a safety measure. IBM z16 systems now ship with quantum-safe cryptography by default, securing mission-critical financial transactions for major banks.

7.3 Verizon: Quantum-Safe VPN Trial

  • Project: High-speed (100 Gbps) IPsec VPN tunnel protected by a post-quantum key exchange.
  • Challenge: Prove that quantum-safe cryptography can handle carrier-grade bandwidth.
  • Outcome: Successful test with no significant throughput or latency drops, indicating PQC readiness for telecom environments and next-generation 5G networks.

7.4 HSBC: Quantum-Secure Blockchain Integration

  • Project: Using a post-quantum VPN tunnel to protect distributed ledger transactions (tokenizing physical gold).
  • Challenge: Secure cross-ledger communications without rearchitecting the DLT or sacrificing performance.
  • Outcome: HSBC reported that the quantum-safe setup functioned seamlessly and at scale, highlighting that PQC can be integrated into blockchain solutions, a domain that traditionally demands robust cryptographic security.

8. Conclusion

Quantum-safe cryptography is rapidly transitioning from academic theory to widespread deployment. Although large-scale quantum computers capable of breaking RSA or ECC remain some years away, the security community is acting with urgency to ensure a smooth migration. The NIST-selected algorithms—CRYSTALS-Kyber for key exchange and CRYSTALS-Dilithium, FALCON, and SPHINCS+ for digital signatures—offer robust security against quantum attacks while staying efficient enough for real-world software systems.

Migration strategies emphasize crypto-agility, hybrid deployments, careful performance testing, and phased rollouts. Early experiments and pilot projects from Google, Cloudflare, IBM, and others confirm that the performance overhead is modest—often negligible in typical network scenarios. Meanwhile, cryptographic libraries like OpenSSL and BoringSSL have laid the groundwork for developers to start experimenting today, offering post-quantum cipher suites that align with emerging IETF and NIST standards.

As we look ahead, organizations large and small should begin inventorying their cryptographic assets, planning for upgrades, and engaging with the evolving ecosystem of quantum-safe tooling and protocols. With a prudent transition roadmap, the shift to post-quantum cryptography can be accomplished in a timely, cost-effective manner—ensuring that digital trust and data confidentiality remain strong for decades to come.

