More reasons why PQC migration is the hard part
Our read of a sweeping new survey of quantum computing and security keeps circling back to one under-addressed problem. Two specialist papers from the same week show why getting your organisation quantum-safe is becoming harder, not easier.
Three papers landed on arXiv in the space of a fortnight in late May and early June, and read together they tell a story the vendor marketing tends to skip. A broad survey maps the whole field of quantum computing and security. A cryptanalysis paper quietly trims the cost of breaking the elliptic-curve cryptography that underpins much of the internet — and most cryptocurrencies. And an architecture paper proposes a quite different post-quantum cipher for the parts of a 6G network where the standard choices do not fit.
The common thread is the one the survey names directly: we have spent a decade inventing quantum-resistant algorithms, and comparatively little effort working out how to actually migrate real systems to them. The threat side keeps getting cheaper. The deployment side keeps getting more complicated. The planning gap in the middle is where almost everyone, New Zealand included, is exposed.
The survey: a map of the whole battlefield
The headline paper is a comprehensive survey of “security with quantum computing” out of the Indian Institute of Information Technology Guwahati and Trellix. It is unusually wide-angled, and that breadth is its value: it treats the subject as two distinct problems that often get conflated.
The first is the security of quantum computers themselves — noise and crosstalk that can be exploited to leak information, side-channel attacks on quantum hardware, untrusted third-party compilers that could steal circuit IP or insert the quantum equivalent of a Trojan, and interference between tenants sharing a cloud quantum processor. This is a genuine and growing research area, but for a CISO defending classical infrastructure today it is mostly a “watch this space” concern rather than an action item. Worth knowing the field exists; not worth losing sleep over yet.
The second problem is the one that matters for everyone reading this: the impact of quantum computing on existing cybersecurity. The survey walks through the now-familiar threat model — Shor’s algorithm breaking RSA, ECC and ECDSA outright; Grover’s algorithm halving the effective strength of symmetric ciphers and hashes — and then surveys the defences across cryptography, blockchain, malware detection, intrusion detection and IoT. Post-quantum cryptography (lattice-, hash- and code-based schemes) and quantum key distribution come out as the two main pillars, with the survey noting QKD’s stubborn practical limits: roughly 70 km of fibre before noise and loss become prohibitive, plus specialised and costly hardware. The quantum-machine-learning material on malware and intrusion detection is honestly handled, including the awkward finding that several quantum approaches still underperform well-tuned classical models, sometimes by around five percentage points of accuracy.
But the part worth pinning to the wall is in the open-problems section. The authors are blunt that most current research proposes new algorithms rather than practical migration strategies for the systems that actually need them — PKI, TLS, blockchain networks. They flag the urgency of “store-now-decrypt-later” (their phrasing for what we call HNDL) as the reason this gap matters now rather than later, and they call out the heavy dependence on a single hardware vendor’s machines for nearly all experimental validation, which leaves open whether published results generalise. The recurring message is that no single technique solves any of this, and that real deployments will need layered combinations — which is precisely the kind of problem that rewards planning and punishes procrastination.
The threat clock: the cost of breaking ECC keeps falling
If the survey describes the gap, the second paper — from André Schrottenloher at Inria Rennes — shows one half of why it is closing. It is a quantum resource-estimate paper: how many qubits and quantum gates would it take to run Shor’s algorithm against elliptic-curve discrete logarithms, specifically on secp256k1, the curve Bitcoin uses.
The trend is the story. A recent result from Babbush and colleagues cut the gate and qubit counts for this attack by a factor of two to three compared with the previous best (Litinski, 2023). This paper details a circuit architecture that matches those figures and trims the gate count a further 6.5% to 10%, landing at roughly 1,200 to 1,460 logical qubits and on the order of 2^26 (around 67 million) Toffoli gates for a single discrete-log recovery.
The rigour point matters here, so let me be precise about what this is not. These are logical estimates — they assume a fault-tolerant machine and ignore the enormous error-correction overhead of building one. The physical cost is far higher than the logical count, but it too is falling: factoring RSA-2048 was estimated in 2025 at under a million physical qubits, and Babbush et al. put breaking secp256k1 at fewer than half a million physical qubits on a superconducting machine, running in minutes. The catch — and it is a large one — is that no such machine exists, and nobody is decrypting your traffic this year. What is happening is that the logical cost of these attacks has fallen steadily, year on year, as the circuits get smarter — and falling logical cost is exactly the input that pulls forward every serious estimate of when a cryptographically relevant quantum computer becomes feasible. This is not the kind of progress your risk register enjoys.
The deployment menu: one cipher does not fit every wire
The third paper, from Vincenzo Sammartino (Pisa / KAUST), shows the other half. It proposes “Q-FE”, a quantum-native architecture for 6G industrial IoT, and its cryptographic core is a deliberate choice: CSIDH, an isogeny-based scheme, rather than the NIST-standard ML-KEM/Kyber.
The reasoning is physical. ML-KEM-1024 public keys run to about 1,568 bytes — too large to fit in a 6G control frame, so they fragment across multiple transmission slots and blow the sub-millisecond latency budget that closed-loop industrial control demands. CSIDH-512’s public keys are around 64 bytes, small enough to ride inside a single control frame. The paper’s simulations claim a 62% reduction in MAC-layer overhead versus Kyber-1024 and 99.9th-percentile latency of 0.78 ms.
The honest caveats are substantial, and the paper states them: the results are simulation-only on an idealised channel; CSIDH-512’s group-action computation is not constant-time, leaving a residual timing side-channel; its security rests on a hardness assumption with no formal proof; and the scheme is not NIST-standardised. SIKE, a related isogeny scheme, was famously broken in 2022 — though by an attack that does not apply to CSIDH. So this is a research proposal, not a product, and I would not deploy a non-standard primitive on the strength of one simulation paper.
The useful takeaway is the principle, not the cipher. Post-quantum migration is not a single swap. Latency-critical, bandwidth-constrained and operational-technology environments may genuinely need different primitives and different trade-offs from a web server’s TLS handshake. Every such variation is another line item in a migration plan — which is the survey’s exact complaint, dramatised.
The NZ read
Put the three together and the picture for New Zealand is uncomfortably clear. The threat is getting cheaper to mount, the defence is getting more heterogeneous to deploy, and the survey’s central finding — that we plan migrations far less than we invent algorithms — describes our national posture almost perfectly.
Our maintained baseline of 118 critical-infrastructure entities makes the point concretely. As of the June re-scan, origin-side PQC adoption sits flat at 52.2%, essentially unchanged from April. Forty-nine classical origins remain classical with no movement between scans — now with one fewer week of lead time before the 2029 pressure point that Google and Cloudflare have set. Nine endpoints still negotiate only TLS 1.2, which cannot carry the hybrid post-quantum key exchange at all until they move to 1.3. New Zealand remains the only member of the Five Eyes without a formal PQC migration deadline, and the Critical Infrastructure Bill expected later this year still carries no public enforcement mechanism for the cryptographic provisions of NZISM Section 2.4.
KiwiRail is the migration-planning failure made flesh, and it maps directly onto the survey’s thesis. In April it appeared to have post-quantum protection — but that protection was a function of its content-delivery network contract, not its own configuration. When Imperva stopped fronting it, its origin fell back to classical key exchange. A nationally significant rail and ferry operator’s public endpoint regressed not because anything was attacked, but because nobody had planned for the CDN dependency. That is precisely the difference between deploying an algorithm and planning a migration. The durable position is post-quantum at both the CDN and the origin, so that a contract change is just a contract change.
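One way to turn the two points above (TLS 1.2 cannot negotiate a hybrid key exchange at all, and protection that only exists at the CDN edge is not the origin's protection) into a repeatable inventory check. This is an added example, not Kaysec's scanning tooling or code from any of the cited papers. It assumes the two lines that OpenSSL 3.2+ `s_client` prints for a TLS 1.3 session (`Protocol  : TLSv1.3` and `Negotiated TLS1.3 group: <name>`) and the hybrid group names OpenSSL 3.5 uses; the transcripts embedded in it are constructed, not captured from any real endpoint.

```python
"""
Classify TLS endpoints' post-quantum posture from `openssl s_client` transcripts
and work out whether the protection lives at the origin or only at the CDN edge.

Added example, not Kaysec/Spinsphere code. Assumptions: the "Protocol  : TLSv1.x"
and "Negotiated TLS1.3 group: <name>" lines printed by OpenSSL 3.2+ s_client, and
the hybrid group names used by OpenSSL 3.5. All transcripts below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Hybrid (classical + ML-KEM) groups as OpenSSL 3.5 names them. Assumption: an
# inventory tool keeps this set current as draft names are retired.
HYBRID_PQ_GROUPS = {
    "X25519MLKEM768",
    "SecP256r1MLKEM768",
    "SecP384r1MLKEM1024",
    "X25519Kyber768Draft00",  # pre-standard draft name still seen on some edges
}

PROTOCOL_RE = re.compile(r"^\s*Protocol\s*:\s*(TLSv1\.[0-3])\s*$", re.MULTILINE)
GROUP_RE = re.compile(r"^\s*Negotiated TLS1\.3 group:\s*(\S+)\s*$", re.MULTILINE)


@dataclass(frozen=True)
class TlsPosture:
    protocol: Optional[str]
    group: Optional[str]
    status: str  # "pq-hybrid" | "classical" | "pre-tls13" | "unknown"


def classify(transcript: str) -> TlsPosture:
    """Reduce one s_client transcript to a posture.

    A TLS 1.0/1.1/1.2 session is reported separately from a classical TLS 1.3
    one: pre-1.3 TLS has no way to negotiate a hybrid group, so the remediation
    is a protocol upgrade before any key-exchange change is even possible.
    """
    proto_m = PROTOCOL_RE.search(transcript)
    group_m = GROUP_RE.search(transcript)
    protocol = proto_m.group(1) if proto_m else None
    group = group_m.group(1) if group_m else None
    if protocol is None:
        return TlsPosture(None, group, "unknown")
    if protocol != "TLSv1.3":
        return TlsPosture(protocol, None, "pre-tls13")
    if group in HYBRID_PQ_GROUPS:
        return TlsPosture(protocol, group, "pq-hybrid")
    return TlsPosture(protocol, group, "classical")


def coverage_source(edge: TlsPosture, origin: TlsPosture) -> str:
    """Where the post-quantum protection actually lives.

    'durable'       : the origin negotiates a hybrid group itself
    'cdn-dependent' : only the CDN edge does; a contract change removes it
    'none'          : neither side
    """
    if origin.status == "pq-hybrid":
        return "durable"
    if edge.status == "pq-hybrid":
        return "cdn-dependent"
    return "none"


def origin_adoption_rate(origins: list) -> float:
    """Share of origins negotiating hybrid PQ, as a percentage to one decimal."""
    if not origins:
        return 0.0
    hits = sum(1 for p in origins if p.status == "pq-hybrid")
    return round(100.0 * hits / len(origins), 1)


# Constructed transcripts, trimmed to the lines the classifier reads.
EDGE_PQ = """\
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Negotiated TLS1.3 group: X25519MLKEM768
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
"""

ORIGIN_CLASSICAL_13 = """\
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Negotiated TLS1.3 group: X25519
SSL-Session:
    Protocol  : TLSv1.3
"""

ORIGIN_TLS12 = """\
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server Temp Key: X25519, 253 bits
SSL-Session:
    Protocol  : TLSv1.2
"""

if __name__ == "__main__":
    edge, origin = classify(EDGE_PQ), classify(ORIGIN_CLASSICAL_13)
    print("edge:", edge.status, "| origin:", origin.status, "->", coverage_source(edge, origin))
    print("TLS 1.2 origin:", classify(ORIGIN_TLS12).status)
```

Run against a real estate, the edge transcript comes from connecting to the public hostname and the origin transcript from connecting to the origin address directly (bypassing the CDN); an entry that scores `cdn-dependent` is the pattern described above, and an origin that scores `pre-tls13` needs a protocol upgrade before a hybrid group can be offered at all.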
There is one bright spot worth naming. Southern Cross Cables — the submarine-cable operator carrying much of New Zealand’s primary internet connectivity — moved from a classical origin in April to a post-quantum one in June. It is the single entity we can confidently say deployed PQC between the two scans, and it sits at exactly the kind of long-haul, long-retention chokepoint where store-now-decrypt-later is not theoretical. The contrast with the sectors still sitting at zero origin PQC — water and wastewater, transport, the energy grid operators — is the whole argument in miniature.
The Sammartino paper’s “right primitive for the constraint” debate is, frankly, a luxury problem we have not earned yet. Our operational-technology environments are exactly where naive “enable Kyber everywhere” advice runs into real limits — but the more pressing fact is that most of them are not at the starting line, let alone agonising over which post-quantum scheme suits a SCADA link. And for the big-four banks, the planning problem is partly offshore: only ANZ runs origin PQC, and because the others are subsidiaries of Australian parents, the crypto decisions are effectively being made in Sydney and Melbourne — under retention obligations that mirror our own AML/CFT seven-year shape, which is to say, long enough for harvested traffic to still matter.
The runway to 2029 is about three and a half years. That sounds generous until you cost out the actual sequence: inventory, then prioritise, then migrate, then have vendors certify, then deploy — across estates that, in the KiwiRail case, did not even know where their post-quantum coverage was coming from. The survey is right that the algorithms are largely solved. The migration is the hard part, and it is the part the runway is for.
There is no prize for going last.
Kaysec is the post-quantum security practice of Spinsphere, a New Zealand-based quantum technology company. We help NZ organisations with cryptographic inventory, HNDL risk assessment, TLS configuration auditing, and PQC migration planning. Get in touch.
References
- Sangal, M. K., Nair, R., Islam, A., Biswas, S., & Ghose, M. (2026). A Survey on Security with Quantum Computing. arXiv:2606.00058, 19 May 2026.
- Schrottenloher, A. (2026). Optimized Point Addition Circuits for Elliptic Curve Discrete Logarithms. arXiv:2606.02235, 1 June 2026.
- Sammartino, V. (2026). Q-FE: A Quantum-Native 6G Far-Edge Architecture Securing Industrial IoT Digital Twins via CSIDH-PQC and Asynchronous Federated Learning. arXiv:2606.03611, 2 June 2026.
- Babbush, R., et al. (2026). Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations. arXiv:2603.28846, 30 March 2026.
- Litinski, D. (2023). How to Compute a 256-Bit Elliptic Curve Private Key with Only 50 Million Toffoli Gates. arXiv:2306.08585.
- Gidney, C. (2025). How to Factor 2048 Bit RSA Integers with Less Than a Million Noisy Qubits. arXiv:2505.15917.
- National Institute of Standards and Technology (2024). Module-Lattice-Based Key-Encapsulation Mechanism Standard. FIPS 203.
- Kaysec / Spinsphere (2026). NZ Critical Infrastructure Post-Quantum Security Readiness Assessment (April 2026 baseline) and Seven Weeks Later: NZ Critical Infrastructure PQC — The June 2026 Update (2 June 2026).