
Quantum-Safe Architecture: The Path to Cryptographic Resilience Starts with Discovery and Classification

The advent of quantum computing presents one of the most profound shifts in cybersecurity since the invention of public-key cryptography. As quantum technology rapidly develops, it poses a direct threat to the classical encryption algorithms that underpin the global financial system, digital identities, secure communications, and data privacy. In response, quantum-safe security—which includes post-quantum cryptography (PQC) and quantum key distribution (QKD)—has emerged to prepare digital infrastructure for the quantum era. However, an important dimension is the time it will take to transition from asymmetric encryption to quantum-safe systems. A report from the US Office of Management and Budget (OMB) estimated that it will take an investment of $7.1B over a period of 10 years for the federal government to transition to PQC. Whilst the quantum threat may appear distant, the long migration timeline means that governments and critical national infrastructure operators should start planning now.

Quantum computing leverages the principles of quantum mechanics to process information in fundamentally different ways than classical computers. While still in its initial stages, progress has accelerated significantly over the last decade. In 2019, Google claimed "quantum supremacy" by solving a problem in minutes that would take classical supercomputers thousands of years. More recently, breakthroughs in error correction, gate fidelity, and qubit coherence times have brought the industry closer to building fault-tolerant quantum computers—the type capable of executing long, complex computations such as breaking modern cryptographic algorithms. Most experts estimate that large-scale, cryptographically relevant quantum computers could become viable sometime between 2030 and 2040. While this timeline remains uncertain, the cryptographic threat is already pressing due to the "harvest now, decrypt later" risk: encrypted data captured today can be stored by adversaries and decrypted retroactively once quantum capabilities mature.

The most widely used public-key encryption schemes—RSA, Diffie-Hellman, and Elliptic Curve Cryptography (ECC)—rely on the difficulty of mathematical problems like integer factorisation and discrete logarithms. These problems are believed to be easily solvable by quantum computers using Shor’s algorithm. When that happens, the foundations of secure internet communications, including TLS/SSL, VPNs, code signing, and digital certificates, will become vulnerable. This makes the migration to quantum-safe alternatives both essential and urgent—especially for systems that require long-term confidentiality (e.g., health records, intellectual property, national security data).

Despite increasing awareness, industry adoption of quantum-safe security remains immature. Most organisations have limited visibility into their cryptographic estate—let alone the crypto-agility to migrate algorithms without major system reengineering. Tools for crypto discovery, hybrid certificate deployment, and PQC integration are emerging (e.g., from InfoSec Global, ISARA, SandboxAQ), but implementation is often ad hoc and siloed. The largest cloud providers (Google, AWS, Microsoft) and financial services firms are piloting post-quantum TLS and VPNs, and some organisations have demonstrated considerable progress. Signal upgraded its protocol from X3DH to quantum-safe PQXDH and will use it alongside its existing elliptic curve cryptography, augmenting current systems so that attackers must break both. Yet outside of highly regulated sectors, most enterprises are in the early assessment or “watch and wait” stage, which creates systemic risk.

The slow pace of adoption has many causes, including a lack of knowledge and expertise, and security teams being overwhelmed by current threats. However, it also points to a broader issue: cybersecurity is a textbook case of market failure. Cryptographic weaknesses do not manifest immediately, and the costs of fixing them are often borne by technical teams, while the benefits are diffuse and long-term. As a result, rational actors often underinvest in preventative controls—especially for threats like quantum computing, which remain hypothetical in the short term. This disconnect is likely to lead to regulatory intervention. Without it, there is a risk that systems remain quantum-vulnerable because economic incentives are misaligned with societal resilience. Financial institutions, government agencies, and critical service providers should expect growing pressure to demonstrate crypto-agility, conduct quantum risk assessments, and report on PQC readiness as part of broader cyber governance. Whilst there has been some progress with regard to ‘recommendations’ and ‘best practice’, very few governments have yet issued strong regulation.

In response to this threat, the U.S. National Institute of Standards and Technology (NIST) launched a global competition in 2016 to standardise post-quantum cryptographic algorithms. In 2022, NIST announced its first selected algorithms: CRYSTALS-Kyber (for key establishment) and CRYSTALS-Dilithium (for digital signatures), with additional candidates under review. Simultaneously, regulatory bodies are beginning to respond: the NSA released the CNSA 2.0 suite, mandating post-quantum readiness for national security systems by 2035, whilst the EU’s ENISA and ETSI are developing guidance for quantum-safe network design and key management. This regulatory environment is still fragmented but evolving rapidly. What is clear is that regulatory expectations will soon harden into compliance mandates, particularly in sectors like banking, defence, healthcare, and critical infrastructure. The Payment Card Industry Data Security Standard (PCI DSS) v4 provides an insight into what can be expected. While PCI DSS 4.0 does not directly reference PQC, it introduces explicit, strengthened requirements around cryptographic asset management, algorithm use, and key lifecycle control, which make cryptographic discovery and inventory a foundational requirement. As the quantum threat moves from theoretical to tangible, organisations must begin by understanding their current cryptographic landscape. Inventory, discovery, and classification of cryptographic assets will become preconditions for future compliance and resilience.
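
As an added illustration of the classification step (not code from this article or from any vendor it names), the Python below parses TLS 1.2 cipher-suite names from a constructed inventory and ranks each asset by its "harvest now, decrypt later" exposure. The asset names, confidentiality lifetimes, priority labels and the 2025 assessment year are assumptions; the 2030 threshold is the lower bound of the estimate quoted above.

```python
# Added example: rank a constructed TLS inventory by quantum exposure.
SHOR_BROKEN = {"RSA", "DH", "DHE", "ECDH", "ECDHE", "DSS", "ECDSA"}
CRQC_EARLIEST = 2030  # lower bound of the article's 2030-2040 estimate
ORDER = {"P1": 0, "P2": 1, "P3": 2, "REVIEW": 3}  # assumed priority labels

def parse_suite(suite):
    """Return (key_exchange, authentication) from an IANA TLS suite name."""
    if not suite.startswith("TLS_") or "_WITH_" not in suite:
        return None, None  # TLS 1.3 names carry no key-exchange field
    parts = suite[len("TLS_"):].split("_WITH_")[0].split("_")
    kx = parts[0]
    auth = parts[1] if len(parts) > 1 else kx  # TLS_RSA_WITH_*: RSA does both
    return kx, auth

def classify(asset, assessed_in):
    kx, auth = parse_suite(asset["suite"])
    if kx is None:
        # Key exchange is negotiated separately, so the name alone is not enough.
        return {"asset": asset["name"], "kx": None, "auth": None,
                "hndl": None, "priority": "REVIEW"}
    secret_until = assessed_in + asset["confidential_years"]
    # Recorded traffic is exposed only through the key exchange; a broken
    # signature algorithm cannot be turned against sessions already completed.
    hndl = kx in SHOR_BROKEN and secret_until >= CRQC_EARLIEST
    if hndl:
        priority = "P1"  # harvest-now-decrypt-later exposure today
    elif kx in SHOR_BROKEN or auth in SHOR_BROKEN:
        priority = "P2"  # must migrate before such a machine exists
    else:
        priority = "P3"  # no Shor-affected public-key primitive in the suite
    return {"asset": asset["name"], "kx": kx, "auth": auth,
            "hndl": hndl, "priority": priority}

# Constructed inventory: names, suites and lifetimes are illustrative only.
INVENTORY = [
    {"name": "status-page", "suite": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "confidential_years": 0},
    {"name": "patient-records-api", "suite": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "confidential_years": 25},
    {"name": "legacy-billing", "suite": "TLS_RSA_WITH_AES_128_CBC_SHA", "confidential_years": 1},
    {"name": "new-portal", "suite": "TLS_AES_128_GCM_SHA256", "confidential_years": 10},
    {"name": "iot-gateway", "suite": "TLS_PSK_WITH_AES_128_GCM_SHA256", "confidential_years": 10},
]

def build_report(inventory=INVENTORY, assessed_in=2025):
    rows = [classify(a, assessed_in) for a in inventory]
    return sorted(rows, key=lambda r: ORDER[r["priority"]])

if __name__ == "__main__":
    for row in build_report():
        print(row)
```

Assets marked REVIEW use TLS 1.3 suite names, which do not record the key-exchange group, so their exposure has to be read from the negotiated group in server configuration or captured handshakes.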
