Key insight
Turn the risk register into waves, not a big-bang: Wave 1 = quick wins + highest-risk trust anchors; middle waves = the bulk; final wave = the hard long tail (embedded/vendor/legacy, engaged early). Run hybrid classical+PQC as a safety net so you’re protected if either algorithm holds. Build in test-and-rollback at every step (crypto is on the critical path) and pace it as a sustainable multi-year programme alongside normal delivery.
Move in waves with a hybrid safety net, test-and-rollback discipline, and a pace you can actually sustain.
Working in waves
Don’t change everything at once. A sensible roadmap has three kinds of wave, each tied back to the risk register so priorities stay honest.
| Wave | What’s in it | Why now |
|---|---|---|
| Wave 1 — quick wins + top risk | Easy modern services (flip on provider PQC) + long-lived trust anchors | Fast value + catastrophic risk demands early action |
| Middle waves — the bulk | Moderate-risk, moderate-difficulty systems | Steady rhythm through most of the estate |
| Final wave — the long tail | Embedded, vendor-locked, legacy (engage vendors early) | Hard/slow; change lands late but must start now |
Hybrid: the safety net
In hybrid mode, a system uses a classical algorithm and a PQC algorithm together, secure as long as at least one holds. So if a new PQC algorithm has a flaw, the classical one still protects you; and against quantum, the PQC one does. Hybrid lets you deploy PQC now, with confidence — and it’s what most standards bodies and platforms recommend for the transition.
Concretely, “combining” isn’t vague hand-waving: in a hybrid TLS handshake both key exchanges run in the same negotiation — a classical one (say X25519) and a PQC one (ML-KEM) — and their two shared secrets are concatenated and fed through a key-derivation function to produce the single session key. Because the final key depends on both inputs, an attacker must break both to recover it; breaking one leaves the other still protecting the session. (The IETF X25519+ML-KEM design in the references is exactly this.)
Testing & rollback
Cryptography sits on the critical path — a broken handshake is an outage. A slice is the smallest independently-deployable unit you can flip and revert on its own: one service tier, one certificate, one endpoint pair, or one route through a load balancer. Change a slice, test it thoroughly, keep the ability to roll back, and only then move on.
“Test thoroughly” for crypto means more than a unit test passing:
- Interoperability: both ends actually negotiate the new algorithm (and gracefully fall back if one side is older).
- Size & transport: the larger PQC payloads don’t overflow buffers, blow past MTU, or trip timeouts.
- Load: the extra bytes and compute don’t degrade throughput or latency under real traffic.
Rollback for crypto usually means keeping the old algorithm configured and negotiable (hybrid makes this natural), so reverting is a config flip back — not a redeploy — and in-flight connections keep working. The sizes to plan for are concrete: a classical ECDSA P-256 signature is ~64 bytes, but an ML-DSA-65 signature is ~3.3 KB; an RSA-2048 key is 256 bytes, while an ML-KEM-768 public key is ~1.2 KB and its ciphertext ~1.1 KB. Test for size, not just correctness.
Pacing the programme
This is a multi-year programme, not a weekend project. Resource it, track it like any major initiative, tie each wave to the risk register, and revisit the plan as standards evolve and the time-to-quantum estimate shifts. In practice that means a named owner with budget, a cross-team working group (security, platform, app owners, procurement), a cadence to re-score the register (quarterly is common), and clear signals that trigger a re-plan — a new NIST or regulator deadline, a shift in the quantum-timeline estimate, or a break in a deployed algorithm.
- Wave
- A grouped batch of migration work, sequenced by risk and difficulty.
- Hybrid mode
- Running classical + PQC together; secure if either survives.
- Trust anchor
- A long-lived root/signing key; high priority because forgery is catastrophic.
- Rollback
- The ability to revert a change quickly if it breaks connectivity.
- PQC (Post-Quantum Cryptography)
- The quantum-resistant algorithms you deploy, ideally in hybrid mode during transition.
- TLS (Transport Layer Security) / IETF (Internet Engineering Task Force)
- The protocol whose hybrid handshake carries the migration, and the body standardising the X25519+ML-KEM design.
- ML-KEM / ML-DSA
- The lattice-based PQC standards for key exchange (ML-KEM) and signatures (ML-DSA) — both larger than their classical counterparts.
- RSA / ECDSA
- The classical algorithms being replaced: RSA (Rivest–Shamir–Adleman) key transport and ECDSA (Elliptic-Curve Digital Signature Algorithm) signatures.
- MTU (Maximum Transmission Unit)
- The largest packet a network path carries; larger PQC payloads can exceed it and force fragmentation.
What to carry forward
- Migrate in waves: quick wins + top risk → the bulk → the long tail (vendors engaged early).
- Hybrid classical+PQC is the safety net — deploy PQC now, protected either way.
- Build in test-and-rollback; watch for larger key/message sizes.
- Pace it as a sustainable multi-year programme tied to the risk register.
Next: Quantum-Safe on Microsoft Platforms → — what’s actually shipping.
Understand it in your own words
Paste into any AI assistant to check yourself:
I'm learning to build a post-quantum migration roadmap. Quiz me one question
at a time, correcting me gently:
1. Why migrate in waves instead of all at once?
2. What goes in Wave 1, and why include hard trust anchors so early?
3. What is hybrid mode and why is it a safety net during migration?
4. Why does crypto migration need test-and-rollback at every step?
5. Why is this framed as a multi-year programme rather than a project?
References & further reading
- CISA, NSA & NIST, Quantum-Readiness: Migration to PQC. cisa.gov/quantum
- NIST NCCoE, Migration to Post-Quantum Cryptography (practice guides & playbooks). nccoe.nist.gov
- IETF, Hybrid key exchange in TLS 1.3 (draft) and X25519+ML-KEM work. datatracker.ietf.org
- NSA, Commercial National Security Algorithm Suite 2.0 (timelines). CNSA 2.0 (PDF)