Everyone else just set a date
Three weeks in June and July produced hard US deadlines for post-quantum cryptography, a blunt statement from the US military about which quantum-safe technologies don’t count, and a machine-checked paper on what it actually costs to break RSA-2048 and P-256. New Zealand remains the only Five Eyes member with no migration deadline at all.
For years the honest answer to “when does post-quantum migration actually have to be done?” was a shrug and a range. That answer expired on 22 June. Between an Executive Order, the first enterprise-wide Department of War PQC strategy, and a UK timeline that vendors are now building sales decks around, the deadline has stopped being a projection and become a compliance date.
Read together, those three weeks produced something more useful than dates. They produced a rough consensus on what quantum-safe means, what it doesn’t, and — from a new arXiv preprint — a machine-checked account of why anyone is in a hurry.
The US drew its line at 2030
Executive Order 14412, Securing the Nation Against Advanced Cryptographic Attacks, was signed on 22 June 2026. The United States has had quantum-safe policy on the books since 2022. What’s new here is teeth.
The directives that matter:
- Agencies must transition all high-value assets and high-impact systems to PQC for key establishment by 31 December 2030, and for digital signatures by 31 December 2031. Each agency had 30 days to name a PQC migration lead reporting to its CIO.
- NIST must begin a pilot PQC migration within 180 days, completed no later than 31 December 2027.
- CISA and NIST must publish, within 270 days, guidance on the minimum elements for a cryptographic bill of materials — enough to enable automated assessment of the cryptographic assets inside any hardware or software element.
- Contractors: within 180 days, the FAR Council must publish a proposed rule requiring covered contractors to comply with NIST’s FIPS, including those incorporating PQC algorithms, by 31 December 2030. A second proposed rule, due within 270 days, would extend contractor vulnerability disclosure programmes to cover cryptographic vulnerabilities — including testing for absent encryption and non-FIPS-approved algorithms.
Two clauses deserve more attention than they’ve had. Under Section 5, every agency acting as a Sector Risk Management Agency must work with CISA to assist critical infrastructure owners and operators in developing their PQC migration plans. And the Secretary of State is directed to engage foreign governments and industry groups in key countries to encourage their transition to NIST-standardised PQC algorithms. That is not a domestic housekeeping order. It has an outward-facing arm, and New Zealand is downwind of it.
Note the caveat the order carries on its face: it is to be implemented “subject to the availability of appropriations.” Quantum Computing Report’s read is that migrating high-value assets across the civil and defence apparatus will scale into the billions and require dedicated congressional funding. A deadline without money is a deadline with a fight attached. It is still a deadline.
One correction to the record while we’re here, because it has been reported wrongly in several places: the order sets 2030 for key establishment and 2031 for signatures, not 2031 for both. And the companion order signed the same day, EO 14413, is the innovation and commercialisation one — sensors, supply chain, workforce. If someone cites 14409 for the cryptography order, they’ve got the wrong number.
The military went further — and named what doesn’t count
The Department of War’s CIO, Kirsten Davies, has released the DoW Post-Quantum Cryptography Strategy. The timeline is tighter than the civil one: all high-impact National Security Systems and non-NSS infrastructures must fully support quantum-resistant primitives by 31 December 2030, with transition across the entire force by 31 December 2031. Systems that fail those gates get retired or phased out. No grandfathering. The threat model is stated plainly — state-sponsored entities are intercepting and storing encrypted tactical radio, satellite communications and command-and-control traffic to decode once fault-tolerant machines arrive.
The strategy’s most interesting contribution isn’t the dates. It’s the exclusions, and it is the clearest statement yet from a serious buyer about what quantum-safe isn’t.
The DoW explicitly bans several approaches from counting as valid quantum-safe solutions. Increasing legacy key sizes, proxy-only overlay patches, and quantum communication technologies — Quantum Key Distribution, quantum networking, and non-local quantum randomness generation — will not be accepted as security solutions for confidentiality or authentication. For high-assurance environments, encryption devices must move to the NSA’s Commercial National Security Algorithm Suite 2.0, using asymmetric post-quantum algorithms for key establishment, while commercial pre-shared key architectures are phased out entirely.
Read that carefully, because it’s easy to over-read. It is not a claim that quantum communications are worthless science. It’s a procurement position: you cannot substitute physics for algorithm migration. QKD protects a link. It does not find the hard-coded RSA in your firmware. The strategy is explicit that readiness comes not from rolling out new algorithms but from the complete deprecation of legacy ones across data pathways, software supply chains and storage.
Delivery splits into two tracks — a high-assurance End Cryptographic Unit track under the Cryptographic Modernization 2 framework, covering embedded components, weapon platforms and tactical arrays that depend on NSA Key Management Infrastructure and formal NSA certification; and a commercial track pushing NIST-approved algorithms into COTS enterprise IT, cloud and software via the CSfC programme and NIAP protection profiles. Across both, five lines of effort. The second is the one every CISO should recognise: cryptographic inventory and planning, discovering legacy dependencies using automated cryptography discovery and inventory tooling.
Governance, inventory, standards work, commercial integration, fielding. Strip the military vocabulary and that is simply what the work is.
Why the dates moved: the cost of the attack is collapsing
The most substantial piece of research in this batch arrived on 15 July. Zhang and colleagues at QudeLeap Research and HKUST (Guangzhou) published Building Shor’s Algorithm in Lean: An Agentic Formalization of Quantum Attacks on RSA-2048 and P-256 — a formalisation, in the Lean theorem prover (a system in which mathematical proofs are written as code and checked mechanically by a kernel), of what it costs to break the two algorithms most of the internet runs on.
Reference: arXiv:2607.14082v1
Their headline numbers, machine-checked:
- RSA-2048: an algorithm returning a prime factor with probability at least 2/3, using 6,190 logical qubits, 8.1 × 10⁹ Toffoli gates, 6.42 × 10⁹ maximal circuit depth, and 36,906 classical arithmetic operations. This is three sequential runs of the Gidney–Ekerå short-discrete-logarithm construction, whose single run costs 2.7 × 10⁹ Toffoli gates.
- P-256: the private scalar recovered with probability at least 2/3, using 2,330 logical qubits, 1.26 × 10¹¹ Toffoli gates, 1.16 × 10¹¹ maximal Toffoli-gate depth, and seven classical operations.
Three things there are worth an architect’s attention.
First, elliptic curve is not the safer choice — it’s the differently expensive one. P-256 needs roughly a third of the logical qubits of RSA-2048 but around fifteen times the Toffoli gates. If you have been quietly assuming your ECDSA certificates buy you more runway than your RSA ones, the qubit count says otherwise. A smaller machine gets to P-256 first; it just has to run much longer.
Second, the authors are scrupulous about what these numbers are not. They are logical-circuit estimates. In their words, circuit noise, error correction, scheduling and physical resources all require additional models. They are also candid that their terminal theorems receive some resource values as imported assumptions rather than deriving them from a formal run — a complete execution starting from an actual 2048-bit modulus “remains to be constructed.” This is a paper that tells you where its own joints are. That is worth more than a rounder number.
Third — and this is the line that explains the Executive Order — look at the trend in the literature they cite for future work. The physical-qubit cost of breaking RSA-2048 has gone from 20 million noisy qubits (Gidney and Ekerå, 2021), to under a million (Gidney, 2025), to 100,000 via quantum LDPC codes (Webster et al., 2026), to a claim of as few as 10,000 reconfigurable atomic qubits (Cain et al., 2026). Three orders of magnitude in five years. The algorithm didn’t change. The engineering around it did.
Treat those as what they are — preprints, unformalised, each with its own architectural assumptions, and cited by Zhang et al. as targets for future formalisation rather than endorsed results. Nobody should tell a board that Q-Day is 2029 on the strength of them. But if you want to understand why a US administration replaced a 2035 runway with 2030, the answer is not political. It’s that the number keeps falling and nobody has found the floor.
There’s a secondary point in this paper that Kaysec readers will appreciate. The work was produced by “agentic formalization”: software agents researched the sources, decomposed the claims and wrote the Lean proofs; humans reviewed the scientific statements against the sources; and the Lean kernel machine-checked the results. The authors draw the trust boundary explicitly — kernel acceptance proves a proof term has its declared type, and nothing else. Source fidelity, model selection and the interpretation of a theorem in prose remain human work. That is roughly the correct posture for using AI in security work generally: let it do the volume, check the boundary, and never let a machine’s confidence stand in for provenance.
The physics route, measured
Which brings us to the other preprint, and a useful reality check on the DoW’s exclusions.
Du and colleagues at Guangxi University deployed a hybrid quantum blockchain over a commercial telecommunications fibre network in Nanning (arXiv:2607.12249v1). Five nodes on silicon photonic chips, ten point-to-point links averaging 13.1 km, BB84 key distribution feeding a recursive quantum Byzantine agreement protocol. It is genuinely impressive engineering: it achieves fault tolerance approaching one-half, beating the classical one-third bound, with secure key rates up to 273.49 kbps.
Now read the fine print, and note that the authors report it plainly rather than burying it. The quantum consensus layer reaches agreement on a 1-Mbit message at roughly 0.43 transactions per second — bottlenecked by the slowest link’s 2.98 kbps key rate divided across 36 required signature operations. The 500 transactions per second in the headline is the classical Hyperledger Fabric layer sitting on top.
That gap is not a criticism of the work. It’s the whole argument in one measurement. Physics-based security is real, it’s deployed, it’s on commercial fibre, and at the quantum layer it currently moves at half a transaction per second between five nodes 13 km apart. Meanwhile Europe is investing accordingly for the long horizon: on 14 July the European Commission awarded Deutsche Telekom and Austria’s AIT two coordination actions — PETRUS2 and HarmoniQCI — to move the European Quantum Communication Infrastructure from localised testbeds toward a cross-border framework, covering CEF-funded QKD networks, IRIS² satellite work, and the standardisation needed for a domestic industrial base.
Europe and the DoW are both right, because they’re answering different questions. The DoW is asking “what discharges my 2030 obligation across millions of endpoints?” — and the answer is algorithms, because you cannot run dedicated fibre to a rifle. Europe is asking what the continent’s communications backbone should look like in 2040. The trap is letting the second question’s glamour crowd out the first one’s deadline.
Crypto-agility is the actual deliverable
Underneath all of it sits a design principle. Microsoft, writing up NIST’s framing, put it clearly: crypto-agility is the ability to change cryptographic algorithms without interrupting the flow of a running system — designing protocols, applications and infrastructure so cryptographic mechanisms can be updated repeatedly, safely, and with minimal disruption. NIST hedged itself by adding HQC as a backup key-encapsulation standard, precisely because no new standard has the decades of cryptanalysis behind it that AES does.
The uncomfortable observation in the same piece: the industry has known for at least fifteen years that crypto-agility is solid engineering practice, and few products actually support it for their own cryptography. The blunt advice for any team about to hand-roll this — offload the cryptographic work to a service or product you trust has a PQC plan, rather than building your own — rhymes exactly with the DoW’s commercial track.
Arqit’s recent CISO guide restates the NCSC’s three-date framework (plan by 2028, high-priority work by 2031, done by 2035) and then makes the point that reframes all three: for data that must remain confidential beyond 2035, the deadline has effectively already passed. Its historical note is the one to keep: the shift from TLS 1.0 to TLS 1.2 took many large organisations the better part of a decade, and that was a simple upgrade with broad vendor support. Read the guide as what it is — Arqit sells an inventory product, and the guide exists to sell it. There’s also a live tension worth naming: the guide presents QKD and symmetric key agreement alongside post-quantum algorithms as routes to quantum-safety, and the DoW has just ruled QKD out for confidentiality and authentication and is phasing out commercial pre-shared keys in high-assurance environments. Two credible parties, two answers. Ask which one your regulator will land on. The timeline the guide quotes, though, is the government’s, not the vendor’s.
The NZ read
Everything above has one thing in common, and it’s the one thing New Zealand still doesn’t: a date.
The US now has 31 December 2030 for federal key establishment, for contractors, and for high-impact defence systems; 2031 for signatures and for the full force. The UK has 2028, 2031 and 2035. Both are Five Eyes partners. New Zealand — the fifth eye — remains the only member of the alliance with no formal PQC migration deadline of any kind. Our nearest external pressure point is Google’s and Cloudflare’s 2029 target for their own estates, about three and a half years out. Against the reality that a straightforward TLS version bump took large enterprises a decade, three and a half years to inventory, migrate, certify vendors and deploy is not a runway.
Our own measurements — and this is Kaysec’s scan, not anyone else’s research — show a market behaving exactly as one with no deadline behaves: it is standing still. The June re-scan of NZ critical-infrastructure entities put headline PQC adoption at 52.2%, essentially flat on April’s 52.6%. The apparent good news of origin-side PQC nearly doubling from 13 to 25 entities is mostly an artefact of a CDN change revealing capability that was already there, not a wave of new deployments. Strip that out and the number of entities we can confidently say deployed PQC between the two scans is one: Southern Cross Cables, the operator carrying New Zealand’s primary international internet connectivity, which went classical-origin to PQC-origin. One genuine enablement in seven weeks, absent any regulatory clock, is the argument in a single data point.
KiwiRail is what a missing deadline looks like when it fails in the other direction. In April its public endpoint had PQC — but only because a CDN provided it. When that CDN changed its footprint, KiwiRail’s own origin negotiated classical X25519 and the protection vanished. A nationally significant rail and ferry operator regressed not because anyone made a bad decision, but because nobody was required to make a good one: the protection was a side-effect of a commercial contract rather than a deliberate configuration. Note how precisely that is the failure mode the DoW just banned by name. A CDN in front of a classical origin is a proxy-only overlay. It is the appearance of the work.
The durable position — the one a deadline would force — is PQC at both the CDN and the origin, so that a CDN change is a CDN change and not a security regression.
The sectors at zero origin PQC remain the ones you’d least want exposed: water and wastewater, transport, and the energy grid operators are all still on nothing. Nine endpoints are still TLS 1.2-only, so they cannot negotiate the hybrid key exchange even if someone asked them to. Among the big-four banks — subsidiaries of Australian parents, so the decisions sit in Sydney and Melbourne — only ANZ runs origin PQC. Meanwhile the DPMC’s critical-infrastructure consultation, which closed in April and which we submitted to, made no substantive mention of cryptography, and the Critical Infrastructure Bill expected later this year still carries no public enforcement mechanism for NZISM Section 2.4.
Two things follow, and neither requires waiting for Wellington.
The deadline may arrive from outside. EO 14412 instructs the US Secretary of State to engage foreign governments and industry groups to encourage adoption of NIST-standardised PQC. It requires covered contractors to comply by 2030. If your organisation sells into a US federal supply chain, or is a subsidiary of a parent that does, your date may be set in Washington rather than Wellington, and you will hear about it from a procurement officer rather than a regulator.
And the first step is identical under every regime above. The DoW calls it automated cryptography discovery and inventory. The White House calls it a cryptographic bill of materials, with public guidance due within 270 days. The NCSC calls it 2028. Arqit calls it stage one. It is the same task: know what cryptography you are actually running, including the parts embedded in firmware, in libraries, and in products you inherited through acquisition. An organisation that does that now — that abstracts its cryptography, kills its hard-coded algorithms, gets a real inventory — is ready whichever date lands, whether from a future NZ regulator, an Australian parent, or Google simply switching off classical key exchange.
The work a deadline would compel is the work that protects you while there isn’t one. The only thing a missing deadline changes is whether you start before or after it’s urgent.
There is no prize for going last.
Kaysec is the post-quantum security practice of Spinsphere, a New Zealand-based quantum technology company. We help NZ organisations with cryptographic inventory, HNDL risk assessment, TLS configuration auditing, and PQC migration planning. Get in touch.
References
- The White House. Executive Order 14412: Securing the Nation Against Advanced Cryptographic Attacks, 22 June 2026. Companion: Executive Order 14413: Ushering in the Next Frontier of Quantum Innovation, 22 June 2026.
- Doug Finke, “A Deeper Dive Into the Recent White House Executive Orders,” Quantum Computing Report, 26 June 2026.
- US Department of War, Office of the Chief Information Officer. DoW Post-Quantum Cryptography Strategy. Reported: Quantum Computing Report, 1 July 2026.
- Lei Zhang, Yusheng Zhao, Hongshun Yao and Xin Wang, “Building Shor’s Algorithm in Lean: An Agentic Formalization of Quantum Attacks on RSA-2048 and P-256,” arXiv:2607.14082v1 [quant-ph], 15 July 2026.
- Craig Gidney and Martin Ekerå, “How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits,” Quantum 5, 433 (2021). Martin Roetteler, Michael Naehrig, Krysta M. Svore and Kristin Lauter, “Quantum resource estimates for computing elliptic curve discrete logarithms,” ASIACRYPT 2017, 241–270.
- Yongqiang Du et al., “A fault-tolerant quantum blockchain deployed on commercial telecommunications network,” arXiv:2607.12249v1 [quant-ph], 14 July 2026.
- “Deutsche Telekom and AIT to Spearhead EU Quantum Communication Infrastructure via PETRUS2 and HarmoniQCI,” Quantum Computing Report, 14 July 2026.
- Michael Howard, Microsoft Post-Quantum Crypto Tech Blog, “Post-Quantum Cryptography and Crypto-Agility.” Reported: Quantum Zeitgeist, 25 June 2026.
- Arqit Group, The CISO’s Guide to Migrating to Post-Quantum Cryptography by 2030, 29 June 2026. (Vendor source; restates the NCSC 2028/2031/2035 timeline.)
- NSA, Commercial National Security Algorithm Suite 2.0. NIST, FIPS 203/204/205, August 2024; HQC selected as backup KEM, 2025.
- Kaysec / Spinsphere, NZ Critical Infrastructure Post-Quantum Security Readiness Assessment (April 2026) and Seven Weeks Later: The June 2026 Update (2 June 2026).