What an Australian payments paper says about NZ banks

A new arXiv preprint runs the numbers on something every Australian bank — and by extension every NZ subsidiary of one — should already have answered: can post-quantum signatures actually run inside a real-time payments SLA?

Reference: arXiv 2605.02276v1, 4 May 2026.

The simulation covers Australia’s real-time retail payments rail at production volume — 5.2 million transactions a day, two-second SLA. The headline answer is boring, which is the point: the lattice-based algorithms (ML-DSA, Falcon) add roughly 1–2 milliseconds to a transaction that already takes 40–45 ms end-to-end. The argument that real-time payments cannot afford post-quantum cryptography is, on the numbers, finished.

The interesting findings sit elsewhere.

SPHINCS+ — the hash-based signature standard NIST published as a backup to the lattice schemes — chokes the signing infrastructure at retail payment volumes. Not a little: the hardware queue saturates, transactions back up indefinitely, and the paper characterises this as a denial-of-service surface in its own right. Any insider with the wrong configuration access can effectively freeze a bank’s signing pipeline by selecting the wrong algorithm. SPHINCS+ has a legitimate role in low-frequency, high-assurance contexts — settlement, correspondent banking — but you have to architect it to stay there. The migration plan that quietly leaves it as a fallback option is the migration plan that hands an insider a DoS button.

The second finding is more mundane and more decision-forcing: the SWIFT message format that underpins international correspondent banking has a 2 KB payload limit older than post-quantum cryptography itself, and only one of the new signature algorithms (Falcon-512) is small enough to fit inside it. Every other option overflows. Banks running cross-border traffic over the legacy format don’t really have an algorithm choice — they have a Falcon choice they may not realise they’ve already made.

The NZ read

Our Big 4 banks are subsidiaries of Australia’s. The cryptographic decisions protecting retail payments in Auckland are in practice being made in Sydney and Melbourne — and our April scan showed exactly one of them, ANZ, actually running post-quantum cryptography on infrastructure they control.

The Australian regulator has put cryptographic risk on the agenda. Ours hasn’t. Retention obligations under our AML/CFT Act 2009 are the same seven-year shape as theirs. The harvest-now-decrypt-later clock is running on the same data, archived in the same data centres, governed by largely the same head offices. This paper is what a serious early answer looks like. The corresponding New Zealand work has not been done.

There is, as ever, no prize for going last.

Kaysec is the post-quantum security practice of Spinsphere, a New Zealand-based quantum technology company. We help NZ organisations with cryptographic inventory, HNDL risk assessment, and PQC migration planning. Get in touch.