Update from the 4. PQC - Post-Quantum Cryptography Conference

Oct 01, 2025Conference, InnovationComments (0)

Last week, I attended the 4th Post-Quantum Cryptography (PQC) Update Conference organized by Fraunhofer AISEC near Munich. I’d like to share some insights and highlights, particularly relevant for businesses and security professionals planning ahead for the post-quantum era.

🔍 Why Post-Quantum Cryptography Matters – A Brief Recap

 Quantum computers are expected to break widely used cryptographic algorithms such as RSA, Elliptic Curve Cryptography, and Diffie-Hellman, by using algorithms like Shor’s or Grover’s. These classical algorithms rely on mathematical problems (e.g., factoring large primes) that are hard for today’s computers—but not for future quantum machines.

To prepare, the global cryptographic community has been working on quantum-resistant algorithms, now referred to as Post-Quantum Cryptography (PQC). Many of these algorithms have recently been standardized (e.g., by NIST), signaling the transition from research to implementation.

🗓️ When Will Quantum Computers Be a Real Threat?

According to IBM’s Quantum Roadmap, we can expect quantum computers with 2,000 error-corrected qubits by 2033. At that point, many existing cryptographic protections could become vulnerable.

Importantly, IBM has largely kept pace with its prior milestones—so this timeline should be taken seriously.

🚀 Real-World Adoption: Cloudflare Leading the Way


  • One standout case from the conference: Cloudflare, which handles around 20% of global internet traffic, has significantly increased PQC adoption.
  • 38% of their traffic between client and edge nodes now uses PQC algorithms, up from 20% after mobile client support was rolled out.
  •  However, only ~1% of the origin-server-to-Cloudflare traffic is PQC-protected. This shows the backend migration is lagging, especially among hosting providers and site operators.

⚠️ What Makes PQC Integration Difficult?

While the theory is sound, PQC implementation has practical challenges:

  • Key Sizes: PQC public keys and signatures can be 10x larger than RSA or ECC equivalents.
  • Increased Overhead: Communication latency and bandwidth usage increase, especially for small payloads (e.g., REST APIs or IoT messages under 10KB). In some tests, PQC overhead reached 40% of the total payload.
  • Algorithm Diversity: There’s no one-size-fits-all. You must analyze your system requirements and select the algorithm that balances security, performance, and interoperability.


🛠️ What Tools Are Available Today?

 Some encouraging developments:

  • The BOTAN cryptographic library, endorsed by the German BSI, already includes support for PQC.
  • Migration projects are emerging with practical tooling—for instance, introducing a Crypto Bill of Materials (CBOM) as part of your Software Bill of Materials (SBOM) to track cryptographic dependencies systematically.

🧨 What’s Already at Risk – Today

Two areas deserve immediate attention—even before the first practical quantum computer exists:

1. Long-Lifetime Hardware (e.g., Smart Grid Devices)

Devices like solar inverters, smart meters, and home appliances are expected to run 10+ years. If they depend on classical algorithms for firmware updates, they may become vulnerable to malicious updates by 2035.

Once compromised, these devices could be used in coordinated attacks, destabilizing energy grids or delaying stabilization response.

2. “Store Now, Decrypt Later” Attacks

Even when using symmetric encryption (e.g., AES, which is quantum-resilient), many systems rely on asymmetric encryption (RSA/ECC) to distribute the keys or enforce access control.

An attacker today could record encrypted communications and decrypt them in the future when quantum computers become available. Sensitive corporate data, legal documents, or government records might become exposed.

💬 Final Thoughts: Is Your Organization Ready?

These were just a few highlights from a rich two-day program.

For many organizations, PQC migration is not just a cryptographic update—it’s a chance to revisit outdated software architectures, strengthen key management, and improve security-by-design practices across the board.

📩 If you’re assessing your readiness or need support in navigating the PQC migration, feel free to reach out.