
Quantum computing is expected to render many traditional methods of exchanging cryptographic keys obsolete. Encryption keys that have protected confidential information from even the most powerful computers for decades could be easily broken by a cryptographically relevant quantum computer (CRQC) – and so-called Q-Day, when that computer becomes available to criminals, could be as little as 3 years away.
Governments, regulators, and businesses are scrambling to prepare. As well as Q-Day being very close indeed, criminals are currently operating “harvest now, decrypt later” schemes where they steal encrypted data with the expectation that they can crack it once a CRQC becomes available.
All of this means that new legislation, standards and guidelines already exist, with more on the way, and you need to understand and follow them. In this blog, we’re taking a look at the legislative and regulatory landscape around quantum security.
Why Quantum Computing is Changing Security Standards
When quantum computers become widely accessible, existing methods of data encryption will be vulnerable because of the way cryptographic keys are created and exchanged. Most conventional key exchange protocols, such as RSA, rely on hard mathematical problems that prevent an attacker from working out the key.
These algorithms, most often found in asymmetric systems, have been largely impregnable for years. Breaking the encryption requires solving the underlying math problems, which would take a conventional computer billions of years.
A quantum computer will be able to break these key exchange algorithms much more quickly. That makes data, and many authentication protocols such as public key infrastructure (PKI), vulnerable.
Even if a CRQC takes a few more years to become available, hackers taking a “harvest now, decrypt later” approach can collect encrypted data today and then use quantum computers to decrypt it when the technology is there. Chances are a lot of that data will still be relevant, valuable, and potentially damaging. This is compounded by the fact that many devices and software built today will still be in service when Q-Day happens.
That makes taking action sooner rather than later, for businesses and governments alike, vital. For the most part, post-quantum cryptography (PQC) efforts are focussed on structured lattices, with others on hash functions. Unlike classical key exchange, lattices and hash functions rely on mathematical problems — such as finding short vectors in high-dimensional grids or reversing complex one-way hash operations — that are difficult for even quantum computers to solve.
PQC is recognised as the most promising current method of quantum-safe key exchange, and as such it’s the focus of the growing number of countries mandating a move to quantum-safe security in the near future.
Quantum Security Legislation
Depending on where you are in the world and where your business operates, the quantum security standards that apply to you may be slightly different. You know already that there are common expectations for how you encrypt and secure your data, but advances in quantum technology mean that these are being rapidly updated.
Who is Responsible for Quantum Security Legislation?
While governments and legislators are responsible for passing laws on cybersecurity, there are also specific bodies that exist to define and enforce standards, or provide guidance. Let’s break down the different bodies for some of the world’s major economies:
1. United States: National Institute of Standards and Technology (NIST)
In the US, quantum security standards are set at the federal rather than the state level. The National Institute of Standards and Technology (NIST) is responsible for measurement science, standards, and technology, including post-quantum cryptography. NIST has a 2035 target for a full transition to its new standards on key establishment and digital signatures, set out in more detail below.
2. UK: National Cyber Security Centre (NCSC)
The UK’s National Cyber Security Centre (NCSC) is part of the Government Communications Headquarters (GCHQ) and has a broad remit that includes providing advice and guidance on quantum security. Unlike NIST, the NCSC doesn’t set standards per se, but it does issue guidance in line with international (generally NIST) standards. The NCSC is targeting a full migration to PQC by 2035.
3. EU: The European Union Agency for Cybersecurity (formerly the European Network and Information Security Agency, ENISA)
In EU countries, cybersecurity standards are set at a European rather than a national level. The body that coordinates policy and guidance on those standards is ENISA, short for European Network and Information Security Agency. It’s now called The European Union Agency for Cybersecurity, but still goes by ENISA. Don’t ask why.
ENISA works alongside standards organisations such as ETSI and CEN/CENELEC to align PQC guidance across member states and will have a big role to play if and when the EU’s proposed European Quantum Act is passed. The EU is targeting broad adoption of post-quantum cryptography by around 2030, and its guidance is that initial planning should be in place by 2026.
4. Japan: Cryptography Research and Evaluation Committee (CRYPTREC)
Japan’s Cryptography Research and Evaluation Committee (CRYPTREC) is responsible for “the establishment of evaluation criteria for cryptographic modules.” According to its 2024 Cryptographic Technology Guidelines, CRYPTREC is targeting a broad transition to PQC standards by around 2035.
5. China: State Cryptography Administration (SCA)
In China, the State Cryptography Administration (SCA) oversees the development of cryptographic standards. Working with other government bodies, the SCA is guiding China’s transition to quantum-safe encryption under the Commercial Encryption Law. According to China’s National Cybersecurity Strategy, the aim is to achieve widespread implementation of PQC by around 2035.
China has also launched the Next-generation Commercial Cryptographic Algorithms Program (NGCC), calling for proposals for new PQC algorithms. This is similar to NIST’s approach, and it will be interesting to see what comes of the call.
For the purposes of this blog, we’ll focus on the US and the UK as representative examples.
What are the Quantum Security Standards in the United States?
In the US, existing legislation, e.g. the Federal Information Security Modernization Act (FISMA, 2014), gives NIST the power to develop standards that federal agencies and their contractors need to follow.
If you’re not a federal agency, you don’t necessarily have to follow those standards, but they give you an idea of the minimum level of security you should be aiming for.
NIST has set out three standards so far: the Federal Information Processing Standards (FIPS) 203, 204, and 205. These are the first approved standards for key establishment and digital signatures. In short:
- FIPS 203 is the primary standard for key establishment. It is based on the CRYSTALS-Kyber algorithm and is named ML-KEM, short for Module-Lattice-Based Key-Encapsulation Mechanism. Although it offers relatively compact key sizes with a reasonable speed of operation, it may be too computationally complex for some use cases, such as IoT devices.
- FIPS 204 is the primary standard for generating secure digital signatures, using the CRYSTALS-Dilithium algorithm (aka the Module-Lattice-Based Digital Signature Algorithm, ML-DSA).
- FIPS 205 is also designed for digital signatures and employs SLH-DSA (Stateless Hash-Based Digital Signature Algorithm). SLH-DSA is intended as a backup in case ML-DSA proves vulnerable.
FIPS 206 and 207 are also expected imminently, setting FN-DSA (Fast-Fourier Transform over NTRU-Lattice-Based Digital Signature Algorithm) and HQC (Hamming Quasi-Cyclic) as two more approved PQC algorithms. Federal agencies are expected to complete migration to these new standards by around 2035, in line with the 2022 Quantum Computing Cybersecurity Preparedness Act.
What are the Quantum Security Standards in the UK?
The NCSC’s approach is to rely on guidance and recommendation rather than enforcement. As such, it largely treats the standards set by NIST as a useful minimum. The NCSC’s advice is that ML-KEM and ML-DSA are “suitable for general purpose use”, specifically ML-KEM-768 and ML-DSA-65.
The NCSC recommends organisations follow this approximate timetable:
- 2028: Complete a discovery phase to assess and identify the services and infrastructure using cryptography that will need to be upgraded to PQC.
- 2031: Complete high-priority PQC migration activities.
- 2035: Complete migration to PQC of all your systems, services and products.
In circumstances where interoperability between new and legacy key exchange methods is needed, its advice is that ML-KEM will generally “make it possible for systems with different security policies to interoperate and should also allow for a migration to a PQC-only future.” For more sensitive datasets or those requiring encryption for a long time period, the NCSC recommends hash-based signatures like SLH-DSA.
How Can You Prepare?
The standards set by NIST and used as recommendations by the NCSC mean that procurement criteria for government will likely include provision for post-quantum security in the next 12-18 months, with the private sector not far behind. That’s a short timeline, so you need to be making progress now.
Where can you start?
- Carry out a full discovery exercise, assessing your estate to understand where and how you rely on classical cryptography now.
- Use the results of that assessment to identify the areas you need to upgrade to PQC.
- Identify the best solution, considering areas like authentication where crypto-agility is going to be important.
- Develop a plan and timetable for migration.
- Start with your highest priority areas, refine your plan, and move quickly to a concrete solution.
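As an added example (not part of the original post, nor Cavero's own code), the Python below turns the discovery-and-prioritisation steps above and the NCSC timetable into a triage of a constructed cryptographic inventory: it classifies each system's key exchange and signature algorithms against the FIPS 203/204/205 names, ranks classical key exchange protecting long-lived data highest because of harvest-now-decrypt-later, and maps each priority onto the 2031/2035 NCSC milestones. Assumptions: the 3-year Q-Day horizon is the post's own estimate used as a tunable default, X25519MLKEM768 is the IETF TLS hybrid group pairing X25519 with ML-KEM-768, and the inventory entries are constructed.

```python
from dataclasses import dataclass
# FIPS 203/204/205 names; X25519MLKEM768 (assumption) is the IETF TLS hybrid of X25519 + ML-KEM-768.
PQC_KEM = {"ML-KEM-512", "ML-KEM-768", "ML-KEM-1024"}
HYBRID_KEM = {"X25519MLKEM768"}
PQC_SIG = {"ML-DSA-44", "ML-DSA-65", "ML-DSA-87", "SLH-DSA"}
# NCSC milestones from the post: high-priority work by 2031, everything by 2035.
DEADLINES = {"high": 2031, "medium": 2035, "low": None}

@dataclass
class Asset:
    name: str
    kem: str            # key exchange / encapsulation mechanism in use
    sig: str            # signature algorithm used for authentication
    secrecy_years: int  # how long the protected data must stay confidential

def classify_kem(alg):
    if alg in PQC_KEM:
        return "pqc"
    if alg in HYBRID_KEM:
        return "hybrid"    # quantum-safe while the ML-KEM half holds
    return "classical"     # RSA, ECDH, finite-field DH: breakable by a CRQC

def classify_sig(alg):
    return "pqc" if alg in PQC_SIG else "classical"

def priority(asset, years_to_qday=3):
    # Harvest-now-decrypt-later: classical key exchange guarding long-lived secrets
    # is most urgent; classical signatures only fail once a CRQC actually exists.
    classical_kem = classify_kem(asset.kem) == "classical"
    if classical_kem and asset.secrecy_years > years_to_qday:
        return "high"
    if classical_kem or classify_sig(asset.sig) == "classical":
        return "medium"
    return "low"

def triage(inventory, years_to_qday=3):
    """Map each asset to algorithm classes, priority and NCSC deadline."""
    report = {}
    for a in inventory:
        p = priority(a, years_to_qday)
        report[a.name] = {"kem": classify_kem(a.kem), "sig": classify_sig(a.sig),
                          "priority": p, "complete_by": DEADLINES[p]}
    return report

INVENTORY = [  # constructed sample; names and algorithm choices are illustrative
    Asset("vpn-gateway", "x25519", "ecdsa_secp256r1_sha256", secrecy_years=10),
    Asset("public-web", "X25519MLKEM768", "rsa_pss_rsae_sha256", secrecy_years=1),
    Asset("telemetry", "secp256r1", "rsa_pss_rsae_sha256", secrecy_years=1),
    Asset("firmware-signing", "ML-KEM-768", "ML-DSA-65", secrecy_years=15),
]
```

Feeding the output of a real discovery exercise into `triage` gives a first cut at the high-priority list the NCSC expects to be complete by 2031; lowering `years_to_qday` shows how a shorter Q-Day estimate pulls more systems into that bucket.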
The point about crypto-agility is worth considering more closely. Solutions that enable you to upgrade from classical to quantum key exchange without the need for extensive re-architecting would help you get quantum-ready faster, with less complexity.
Lastly, remember that guidelines and minimum standards are just that. They represent the basic level of protection you should be providing. But, when it comes to your business and data, meeting minimum standards may not be enough. Likewise, a NIST-approved algorithm may not always be appropriate: depending on the sensitivity of your data and the ability of approved algorithms such as ML-KEM to meet your use case, you may well need alternative options.
For PQC, start with Symmetrikey
One of those options is Symmetrikey. Symmetrikey is a quantum-safe key exchange protocol that enables the creation of faster PQC solutions that function in constrained environments. By using Ring Learning with Errors (RLWE) and correlation filtering, Symmetrikey enables two parties to generate identical secret keys independently, without revealing anything useful to a potential attacker.
Importantly, with the addition of a correlation filtering process, Symmetrikey has been proven to be up to twice as fast as ML-KEM and more computationally lightweight. That means you have a lightweight key exchange efficient enough to run even on IoT and embedded devices.
That same security underpins Authentikey, Cavero’s authentication solution. Authentikey provides mutual endpoint authentication using a shared ledger of key exchanges, presenting a viable alternative to certificate-based authentication that can often be too large to run in constrained environments. Crucially, Authentikey is compatible with a range of key exchange algorithms, including Symmetrikey, ML-KEM, and ECDH. This means you can migrate from ECDH to a quantum-safe key exchange when you’re ready, nearly effortlessly – a priceless level of crypto agility.
Conclusion: Get Ahead
Just as it was with data protection legislation towards the end of the 2010s, with quantum security standards you’ll likely be best placed to start early rather than scramble to catch up later. That means upgrading your approach to key exchange and authentication now. But if your goal is to maximise the efficiency and effectiveness of your protection, consider choosing Symmetrikey over standard ML-KEM.
