Navigating the Transition to Post-Quantum Cryptography

As quantum computing advances, traditional cryptographic methods face obsolescence. This article explores the transition to Post-Quantum Cryptography (PQC), highlighting migration strategies, hybrid solutions, certification requirements, and global policy alignment. Readers will gain insights into key migration phases, industry impacts, and how organizations can prepare for a secure quantum future.

Market Overview

The year 2025 marks a turning point in the adoption of Post-Quantum Cryptography (PQC). With the first PQC standards released in 2024, governments worldwide are driving organizations to transition to quantum-safe solutions. The United States and the European Union (EU) have published recommended migration timelines, urging companies to begin their migration strategies now. This proactive approach is essential to protect against potential quantum attacks that could render current encryption methods obsolete.

Organizations in the United States will primarily follow guidance from the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST). Meanwhile, the EU, through the European Commission (EC), aligns its timelines closely with the United States, signaling a united front in the global push for PQC adoption. Other regions, notably Latin America and Asia-Pacific, will gradually align their PQC timelines with Western nations.

ABI Research forecasts that hybrid PQC solutions will peak in 2033, when it will achieve a 70% penetration rate. By then, PQC-only solutions will experience rapid growth as hybrid and classic algorithms become less relevant.

“NIST Round 4 KEM is still ongoing. The current candidates include BIKE, Classic McEliece, and HQC (SIKE has already been excluded). The expectation is for NIST to announce the selected algorithms by the end of 2024, likely to be Classic McEliece, alongside either BIKE or HQC. ABI Research expects the resulting standards to be published late 2025/early 2026..” – Michela Menting, Senior Research Director at ABI Research

Embracing Hybrid Solutions for a Smooth Transition to PQC

Transitioning to PQC requires a phased approach. While the ideal goal is to implement PQC-only algorithms immediately, existing infrastructure constraints make this impractical. Initially, organizations must optimize cryptographic software libraries and leverage hardware accelerators to enable PQC compatibility with current systems.

Hybrid solutions, combining classical algorithms like RSA or ECC with PQC, offer a practical path forward. These hybrid signatures allow organizations to maintain compatibility with existing systems, while gradually transitioning to quantum-resistant algorithms. Implementing hybrid schemes mitigates the risks associated with early PQC adoption, ensuring a secure bridge between legacy and future technologies.

The Importance of Early Certification and Compliance

One of the key steps in transitioning to PQC is achieving certification against published standards. This ensures robust security and the integrity of cryptographic operations in a post-quantum era. Certifications like the Cryptographic Module Validation Program (CMVP) and Cryptographic Algorithm Validation Program (CAVP) (NIST 140-3) are foundational requirements. Additionally, Common Criteria Evaluation Assurance Level (EAL) certification may be necessary to provide market guarantees.

Early certification helps vendors demonstrate compliance and build trust with customers. By adopting standardized PQC algorithms, organizations can securely provision devices, manage firmware verification, and establish trusted channels. This proactive approach positions them to meet emerging security demands and stay ahead in the rapidly evolving cybersecurity landscape.

Adapting to Post-Silicon Flexibility

As PQC standards continue to evolve, product vendors must integrate post-silicon flexibility into their offerings. This enables customers to select between multiple algorithms, even after silicon manufacturing, allowing adaptability to changing security needs and aligning with crypto-agility trends.

Post-silicon flexibility extends product life cycles by reducing the risk of obsolescence. Vendors can facilitate compliance with emerging standards and protocols that may specify different PQC algorithms in the future. This approach not only ensures long-term security, but also enhances the value proposition of their products.

Key Migration Phases and Industry Impacts

ABI Research outlines several key phases in the PQC migration process:

• Discovery and Inventory Management: Organizations begin by identifying cryptographic assets, creating Cryptography Bills of Materials (CBOMs) to gain visibility into their networks. This step is crucial for planning a smooth transition to PQC.
• Remediation Tools: Once discovery is complete, remediation tools help ensure compatibility with various systems and applications. These tools support both technical and enterprise needs, accompanying the development of transition roadmaps.
• Interim Hybrid Solutions: Over the next 10 to 15 years, hybrid schemes will be the primary mode of transition. These solutions will first target software and firmware signing, followed by networking equipment and communication protocols.
• Full PQC Adoption: By 2030, more efficient PQC technologies and standardized algorithms will emerge, driving a second phase of transition. Government and critical infrastructure will be among the first to adopt PQC-only algorithms, with broader industry adoption expected by 2035.

The deprecation of classical algorithms like RSA and ECC in the United States will catalyze global migration to PQC-only solutions. As North America and Europe lead the charge, the rest of the world is expected to follow suit, creating a unified, quantum-safe cybersecurity landscape.

Global Policy and Alignment

Policy remains a significant driver for PQC adoption. Western governments, including the United States, France, Germany, and the EU, are closely aligned on timelines and hybrid transition strategies. This unified stance is fostering cohesive market adoption and reducing fragmentation across borders.

In May 2024, the U.S. NSA released a timeline for adopting CNSA 2.0, outlining key dates for the exclusive use of PQC algorithms. Similarly, the EU’s EC published recommendations for coordinated migration strategies, emphasizing hybrid schemes as a transitional step. These policy efforts are laying the groundwork for a secure quantum future.

Key Companies

• CryptoNext
• genua
• InfoSec Global
• PQShield
• QuSecure
• Secure-IC
• Veridify

Conclusion

Post-Quantum Cryptography represents a new era of cybersecurity. With governments driving the transition and industry leaders optimizing hybrid solutions, organizations must act now to prepare for the quantum future. Early certification, post-silicon flexibility, policymaking, and robust migration strategies will be critical to ensuring long-term security and compliance.

Download the report to explore ABI Research’s comprehensive insights on Post-Quantum Cryptography and stay ahead in the evolving cybersecurity landscape.