Training crypto-agility to win the giant slalom among Quantum threats

Pierluigi Pilla
Trust Services & Technologies Director

The race against quantum threats is a high-stakes slalom. Navigating between skepticism and urgency is crucial for cybersecurity resilience. While some experts believe large-scale quantum computers capable of breaking cryptography are decades away, others, including national security agencies and cryptographers, warn that the transition to quantum-resistant algorithms must begin now [1,2,3]. The fear of a “Harvest Now, Decrypt Later” strategy fuels this urgency, as malicious actors could store encrypted data today, waiting for future quantum advancements to unlock it. 

In this uncertain landscape, crypto-agility emerges as the key to staying ahead. It represents an organization’s ability to swiftly adopt new cryptographic standards without disrupting operations. Much like elite skiers mastering the Giant Slalom, security professionals must train for adaptability, navigating the twists and turns of evolving threats.  

We at Namirial are on the safe side, and in this article we will coach you, as a business, government or cybersecurity leader, in developing the agility needed to transition seamlessly to post-quantum cryptography, so that your organization does not miss the podium in the race for secure digital transactions.

The imminent Quantum threat: warm-up session

The rise of quantum computers promises to revolutionize computing, but simultaneously, it raises critical questions about the security of modern cryptography. Standard algorithms like RSA and ECC underpin data protection in countless applications, from financial transactions to government communications. However, these same algorithms could become vulnerable once quantum computers achieve sufficient power to quickly perform operations that would take classical computers millennia. 

Shor’s algorithm, developed in 1994, demonstrates that a sufficiently powerful quantum computer could factor large integers into their prime factors in record time, rendering algorithms like RSA, which rely on the difficulty of this problem, obsolete. While some experts believe this threat is still distant, citing limitations in current quantum computer technology, others highlight the “Harvest Now, Decrypt Later” risk. This scenario involves malicious actors intercepting and storing encrypted communications today, waiting for quantum computers to become powerful enough to decrypt them in the future. This concern is a major driver for proactive measures by governments and institutions.

The tech community’s response: preparing for the Quantum avalanche 

While the debate about the timeline continues, the scientific and technological community is actively preparing. The U.S. National Institute of Standards and Technology (NIST) is leading an initiative to standardize new quantum-resistant cryptographic algorithms. After years of evaluation, NIST has selected promising algorithms like CRYSTALS-Kyber and CRYSTALS-Dilithium, which could become the new security standard in the coming years. 

Companies are also adapting. Tech giants like Google and Microsoft are experimenting with post-quantum cryptography, while some banks and financial institutions are exploring hybrid solutions that combine classical encryption with these new algorithms. The European Union is also investing in quantum security research and development through programs like Quantum Flagship. 

Post-Quantum Cryptography: timing is everything 

Regardless of the exact timeline, the transition to quantum-resistant cryptography is not an overnight process. Many existing cryptographic systems are deeply integrated into complex IT infrastructures and replacing them will require significant time and resources. This is why many organizations are taking a cautious approach: starting the transition now. Major corporations can already implement hybrid cryptographic solutions, while governments can begin mandating the use of post-quantum algorithms for sensitive data. 

Core strategies for achieving crypto-agility: training for the giant slalom

Let’s now explore the core strategies that empower organizations to stay ahead of cryptographic threats and embrace security with confidence:

1. Algorithm independence 

Abstract Cryptographic Implementations: Use cryptographic libraries (e.g., OpenSSL, Bouncy Castle, or Microsoft CNG) rather than hardcoding specific algorithms. 

Interface-Based Design: Develop applications that call cryptographic functions via standardized interfaces (e.g., PKCS #11, CryptoAPI, or CryptoTokenKit) instead of directly referencing specific algorithms. 

2. Hybrid cryptography (Dual-Layer Security) 

Combining Classical and PQC Algorithms: Implementing both traditional and post-quantum encryption (e.g., ECC + Kyber) to maintain security until quantum-safe cryptography is widely tested and adopted. 

Hybrid TLS: Some organizations are already experimenting with hybrid cryptographic solutions in TLS (e.g., Google and Cloudflare have tested Kyber in TLS 1.3). 

3. Key and Certificate Management enhancements 

Shorter Certificate Lifetimes: Reducing certificate validity periods (e.g., 90 days instead of multi-year) allows for quicker transitions when needed. 

PQC-Compatible PKI: Public Key Infrastructure (PKI) should be designed to support multiple algorithms, ensuring that certificates, signatures, and key exchanges can be updated dynamically. 

4. Automated cryptographic upgrades 

Versioning & Negotiation Protocols: Implementing versioned cryptographic protocols allows clients and servers to negotiate the most secure available option dynamically (e.g., TLS extensions, SSH key exchange mechanisms). 

Automated Key Rotation: Regularly rotating cryptographic keys ensures that outdated algorithms can be phased out with minimal operational risk. 

5. Standardization and compliance monitoring 

NIST & ETSI Standards: Keeping up with post-quantum cryptography (PQC) standardization efforts and ensuring compliance with evolving security policies. 

Continuous Testing: Regularly updating software to test new PQC algorithms and identify potential performance bottlenecks. 

6. Secure Software Development Lifecycle (SSDLC) 

Code Audits & Cryptographic Inventory: Identifying and documenting where cryptographic functions are used in an organization’s software stack. 

Dependency Management: Ensuring third-party libraries and APIs support crypto-agility. 
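As an added illustration of strategies 1 and 4 (not code from Namirial or from the original article), the Python sketch below keeps algorithm choice in a policy table, negotiates the strongest mutually supported suite, and re-protects legacy data when a suite is retired. The suite ids `s1`..`s3`, the policy layout and the function names are hypothetical, and HMAC variants stand in for real signature or KEM suites because the standard library ships no post-quantum algorithms.

```python
import hashlib
import hmac

# Hypothetical suite ids; HMAC variants stand in for real signature or KEM suites.
SUITES = {"s1": hashlib.sha1, "s2": hashlib.sha256, "s3": hashlib.sha512}
# Policy is configuration: retiring a suite is a config change, not a code change.
POLICY = {"issue": ["s3", "s2"], "verify_only": ["s1"]}

def tag_for(key, suite, msg):
    # Bind the suite id into the MAC input so a tag cannot be reused under another id.
    return hmac.new(key, suite.encode() + b"\x00" + msg, SUITES[suite]).digest()

def negotiate(peer_offer, policy=POLICY):
    """Pick our most preferred issuing suite the peer supports; never use verify_only."""
    for suite in policy["issue"]:
        if suite in peer_offer:
            return suite
    raise ValueError("no mutually acceptable suite")

def protect(key, msg, suite, policy=POLICY):
    if suite not in policy["issue"]:
        raise ValueError(f"suite {suite!r} is not allowed for new data")
    return {"alg": suite, "msg": msg, "tag": tag_for(key, suite, msg)}

def verify(key, env, policy=POLICY):
    """The envelope names its suite, but local policy decides whether it is accepted."""
    suite = env["alg"]
    if suite not in policy["issue"] + policy["verify_only"]:
        return False
    return hmac.compare_digest(env["tag"], tag_for(key, suite, env["msg"]))

def migrate(key, env, policy=POLICY):
    """Re-protect verified legacy data under the current first-choice suite."""
    if not verify(key, env, policy):
        raise ValueError("refusing to migrate unverified data")
    current = policy["issue"][0]
    return env if env["alg"] == current else protect(key, env["msg"], current, policy)

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    legacy = {"alg": "s1", "msg": b"invoice 42", "tag": tag_for(key, "s1", b"invoice 42")}
    print(negotiate(["s1", "s2"]), migrate(key, legacy)["alg"])
```

Dropping `s1` from `verify_only` is the whole retirement step: envelopes still naming it stop verifying, and no calling code changes.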

Next steps for crypto-agility implementation: getting ready for the race 

Taking crypto-agility from theory to reality requires proactive steps and a well-defined roadmap for transition. One of the most critical steps is conducting an inventory of your cryptographic dependencies—in other words, identifying where and how cryptography is used across your systems. 

To achieve this, don’t miss these key steps: 

  1. Identify All Cryptographic Use Cases – Map out where cryptography is applied within your infrastructure, including data encryption, authentication, digital signatures, and secure communications. 
  2. Scan and Audit Code for Cryptographic Implementations – Use automated tools and manual reviews to detect cryptographic functions, algorithms, and libraries in your codebase. 
  3. Catalog Identified Cryptographic Artifacts – Document all findings in a structured inventory, including algorithms, key lengths, libraries, and dependencies. 
  4. Identify Legacy and Weak Cryptography – Assess the inventory to pinpoint outdated or vulnerable cryptographic algorithms, such as RSA-1024, SHA-1, or deprecated TLS versions. 
  5. Implement Continuous Monitoring & Reporting – Establish automated monitoring, compliance checks, and regular reviews to ensure cryptographic agility and readiness for future upgrades. 
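The steps above can be prototyped in a few dozen lines. The following Python sketch is an added example, not tooling from the article: it scans source text for cryptographic calls, catalogs each finding, and orders the remediation queue with legacy items (such as RSA-1024, SHA-1 and deprecated TLS versions) ahead of algorithms that are sound today but quantum-vulnerable. The regex rules, the 2048-bit threshold, the status labels and the sample files are assumptions constructed for illustration.

```python
import re

# Each rule: (kind, pattern, classifier returning (algorithm, status)). Assumed statuses:
# "legacy" = weak today, "quantum-vulnerable" = exposed to Shor's algorithm, "ok" = not flagged.
RULES = [
    ("asymmetric key", re.compile(r"rsa\.generate_private_key\([^)]*key_size\s*=\s*(\d+)"),
     lambda m: (f"RSA-{m.group(1)}",
                "legacy" if int(m.group(1)) < 2048 else "quantum-vulnerable")),
    ("asymmetric key", re.compile(r"ec\.(SECP\d+R1)\b"),
     lambda m: (f"ECC {m.group(1)}", "quantum-vulnerable")),
    ("hash", re.compile(r"hashlib\.(sha1|sha256|sha384|sha512)\b"),
     lambda m: (m.group(1).upper(), "legacy" if m.group(1) == "sha1" else "ok")),
    ("protocol", re.compile(r"TLSVersion\.(SSLv3|TLSv1(?:_[0-3])?)\b"),
     lambda m: (m.group(1), "ok" if m.group(1) in {"TLSv1_2", "TLSv1_3"} else "legacy")),
]

def build_inventory(sources):
    """Scan {filename: source text}; return one record per cryptographic use."""
    inventory = []
    for name, text in sorted(sources.items()):
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, pattern, classify in RULES:
                for match in pattern.finditer(line):
                    algorithm, status = classify(match)
                    inventory.append({"file": name, "line": lineno, "kind": kind,
                                      "algorithm": algorithm, "status": status})
    return inventory

def migration_queue(inventory):
    """Order findings for remediation: legacy first, then quantum-vulnerable."""
    rank = {"legacy": 0, "quantum-vulnerable": 1}
    todo = [r for r in inventory if r["status"] in rank]
    return sorted(todo, key=lambda r: (rank[r["status"]], r["file"], r["line"]))

# Constructed sample input standing in for a real code base.
SAMPLE_SOURCES = {
    "billing/sign.py": "key = rsa.generate_private_key(public_exponent=65537, key_size=1024)\n"
                       "digest = hashlib.sha1(doc).hexdigest()\n",
    "api/tls.py": "ctx.minimum_version = ssl.TLSVersion.TLSv1_1\n",
    "auth/token.py": "key = ec.generate_private_key(ec.SECP256R1())\n"
                     "mac = hashlib.sha256(body).digest()\n",
}

if __name__ == "__main__":
    for rec in migration_queue(build_inventory(SAMPLE_SOURCES)):
        print(f'{rec["status"]:<19}{rec["algorithm"]:<14}{rec["file"]}:{rec["line"]}')
```

Pattern matching on source only finds cryptography that is called by name; algorithms chosen through configuration files, certificates or third-party dependencies need their own inventory passes.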

By systematically following these steps, your organization can build a strong foundation for a crypto-agile security strategy and prepare for the transition to quantum-resistant cryptography. 

Creating a cryptographic dependencies inventory is not only the starting point for a crypto-agile, post-quantum transition but also one of the most challenging steps. In our next article, we’ll dive deeper into this crucial process and provide practical guidance to overcome its inherent difficulties. 

Stay tuned. 

[1] https://spectrum.ieee.org/the-case-against-quantum-computing 

[2] https://www.theverge.com/2024/12/12/24319879/google-willow-cant-break-rsa-cryptography

[3] https://billatnapier.medium.com/shock-news-sha-256-ecdsa-and-rsa-not-approved-in-australia-by-2030-3d1c286cad58 
