Post-Quantum Cryptography Migration: Government and Enterprise Readiness in APAC 2026

Executive Summary

The cryptographic transition to post-quantum cryptography (PQC) is one of the most consequential infrastructure migrations since the adoption of RSA in the 1980s. Unlike previous cryptographic transitions, PQC migration is driven not by mathematical weakening of current algorithms but by the certainty that quantum computers will break RSA, ECC, and DSA within 10–20 years. NIST finalized PQC standards in 2024 (FIPS 203, 204, 205); APAC governments and enterprises now face a critical window: transition legacy systems before large-scale quantum computers emerge, or face wholesale decryption of historical financial, defence, and identity data.

This article assesses APAC government readiness, examines interoperability challenges, and provides procurement and technical frameworks for cryptographic migration.

The Quantum Threat and Harvest-Now-Decrypt-Later

Cryptographic Vulnerability

Current public-key cryptography relies on the computational hardness of specific mathematical problems:

RSA: Hardness of integer factorization.
ECC: Hardness of discrete logarithm problem.
DSA: Hardness of discrete logarithm problem.

Quantum computers, operating via Shor's algorithm, can solve these problems in polynomial time. A quantum computer with approximately 2,330 logical qubits can break 2048-bit RSA in 8 hours; current quantum processors (IBM, Google, Atom Computing) have achieved 100–1,000+ qubits with error rates improving annually.

Forecasts for cryptographically relevant quantum computers (CRQCs):

Pessimistic (10% probability): CRQC by 2031.
Conservative (50% probability): CRQC by 2039.
Optimistic: CRQC by 2050+.

ASD's 2025 assessment adopts the conservative timeline (2039) as planning assumption.

Harvest-Now-Decrypt-Later (HNDL) Risk

The ICRC's 2024 threat model quantifies a secondary risk: adversaries currently collecting and storing encrypted data (intercepts, stored backups, archived communications) for decryption once quantum computers emerge. This creates immediate vulnerability for long-lived data (classified defence communications, financial records, identity credentials) stored with forward-secrecy assumptions.

Australian Defence estimates that 30–40% of classified communications (2005–2025) remain classified and encrypted, vulnerable to HNDL attack. Similarly, financial institutions retain encrypted transaction records for 7–10 years; pension and insurance data persists for 50+ years.

Implication: Migration to PQC must begin now, even though large-scale quantum computers are estimated 10+ years away. Historical data collected today will be vulnerable before systems are decommissioned.

NIST PQC Standards: Finalized Framework

FIPS 203, 204, 205 Overview

NIST finalized three PQC standards in August 2024 after a 6-year standardization process:

| Standard | Algorithm | Use Case | Key Size | Signature |
|----------|-----------|----------|----------|-----------|
| FIPS 203 | ML-KEM (Module-Lattice-Based KEM) | Key Encapsulation Mechanism (general encryption) | 1,088–3,168 bytes | ~500 bytes ciphertext |
| FIPS 204 | ML-DSA (Module-Lattice-Based DSA) | Digital signatures | 2,528 bytes (private) | 2,420 bytes per signature |
| FIPS 205 | SLH-DSA (Stateless Hash-Based DSA) | Long-term digital signatures (certificates) | Variable (256–512 bits) | 4,664 bytes per signature |

All three standards are based on lattice or hash mathematical problems, assessed to be resistant to quantum attacks.

Interoperability and Legacy Challenges

The PQC migration differs from past cryptographic transitions in critical ways:

1. Dual-algorithm approach: NIST recommends hybrid cryptography during transition: combining classical (RSA, ECC) and post-quantum algorithms in single systems. This ensures forward compatibility but increases computational overhead and key management complexity.

2. Signature verification overhead: ML-DSA signatures are 2,420 bytes (vs. 256 bytes for ECDSA), significantly increasing bandwidth for high-signature-volume systems (e.g., certificate validation in PKI, transaction signing in blockchain).

3. Performance impact: ML-KEM key encapsulation and ML-DSA signing operations are 2–5x slower than classical counterparts on CPUs; GPU acceleration is not yet mature.

4. Legacy protocol incompatibility: TLS 1.3, SSH, and many proprietary financial protocols hardcode classical algorithms. Full PQC support requires protocol version updates and widespread client-software upgrades.

APAC Government Readiness: Jurisdiction-by-Jurisdiction Assessment

Australia (ASD)

Readiness Level: High

ASD's 2025 Quantum-Safe Cryptography Roadmap mandates:

Critical infrastructure (defence, finance, energy): Transition to PQC-hybrid systems by 2028.
Government digital identity (myGovID, passport systems): PQC-ready by 2027.
Public procurement: New systems procured after 2025 must support PQC.

Progress:

ASD has established a PQC Testing Laboratory, validating NIST-approved implementations.
Defence signals are already being encrypted with hybrid RSA-ML-KEM for new systems.
Estimated cost of critical-infrastructure migration: AUD 2–3 billion (10-year program).

Risks:

Legacy classified systems (pre-2020) are not PQC-ready; re-encryption of historical records is complex and costly.
Regional ISPs and smaller financial institutions lag; ASD expects 60% of Australian systems to be PQC-capable by 2030 (vs. 95% goal by 2032).

Japan (NCSC / METI)

Readiness Level: Medium-High

Japan's 2026 PQC Adoption Strategy recommends (non-mandatory) transition by 2032. Key initiatives:

METI is funding PQC research in quantum-resistant chipsets; targeting domestic production of quantum-safe hardware.
Financial institutions (Tokyo Stock Exchange, major banks) are piloting PQC-hybrid systems.
Defence electronics procurement now includes PQC-capability requirements.

Progress:

NEC, Fujitsu, and Sony are developing PQC-compatible devices and cryptographic modules.
Estimated cost of Japanese critical-infrastructure migration: ¥500–700 billion (USD 3.5–5B).

Risks:

Manufacturing concentration: most PQC-capable semiconductors are produced outside Japan; supply-chain vulnerability.
Limited coordination with ASEAN; regional interoperability agreements are absent.

Singapore

Readiness Level: High

Singapore's CSA and IMDA issued the strongest APAC mandate: all critical financial systems must be PQC-capable by end-2026. Key initiatives:

CSA has certified three local managed-security-service providers (MSSPs) to offer PQC migration services.
IMDA is funding PQC testing infrastructure at Infocomm Media Development Authority (IMDA) labs.
Banking and payment systems (DBS, OCBC, Grab, Wise) are in pilot or production deployment of PQC-hybrid systems.

Progress:

Singapore is leading APAC in PQC adoption pace; estimated 85% of critical systems will be PQC-capable by end-2026.
Estimated cost: SGD 1.2–1.5 billion (USD 900M–1.1B), concentrated in financial sector.

Risks:

Rapid migration timeline creates integration risk; insufficient testing of hybrid systems at scale.
Dependency on external PQC implementations; limited domestic PQC IP.

South Korea

Readiness Level: Medium

Korea's Ministry of Science, ICT and Future Planning has issued non-binding guidance recommending PQC transition by 2030. Key initiatives:

KISA (Korea Internet Security Agency) is piloting PQC-hybrid systems in government networks.
Semiconductor research (Samsung, SK Hynix) includes quantum-resistant chip design.
Financial regulatory authority (FSC) has not mandated PQC, but major banks are voluntarily piloting.

Progress:

Government systems are transitioning slowly; estimated 40% of critical government systems will be PQC-capable by 2030.
Estimated cost: KRW 1.5–2 trillion (USD 1.1–1.5B).

Risks:

Regulatory fragmentation: finance, defence, and government have separate PQC roadmaps with misaligned timelines.
Supply-chain concentration in semiconductors; reliance on foreign PQC expertise.

India and Southeast Asia

Readiness Level: Low-to-Medium

India's Ministry of Electronics and Information Technology (MeitY) has issued guidance recommending PQC assessment by 2027, but no mandate. ASEAN nations (Thailand, Vietnam, Indonesia, Philippines) lack coordinated PQC strategies.

Progress:

Minimal domestic PQC deployment; most systems remain classical-cryptography dependent.
Government procurement guidelines do not yet include PQC requirements.

Risks:

Delayed migration creates HNDL vulnerability for sensitive data (defence, financial, identity).
Lack of regional PQC expertise; reliance on foreign consultants and tools increases costs and timeline risk.

Cryptographic Migration Frameworks

Framework 1: Hybrid Cryptography Architecture

Organizations should adopt hybrid cryptography during transition, combining classical and post-quantum algorithms:


Hybrid Signature (ML-DSA + ECDSA):
Sign data with both ML-DSA and ECDSA.
Verification requires either signature to be valid (OR logic).
Ensures backward compatibility: classical-only systems can verify ECDSA; PQC-capable systems verify ML-DSA.
Signature size: ~2,900 bytes (ML-DSA 2,420 + ECDSA 256).
Hybrid Key Encapsulation (ML-KEM + ECDH):
Encapsulate session key using both ML-KEM and ECDH.
Decapsulation requires both to succeed (AND logic).
Ensures forward secrecy: even if future quantum attack breaks ECDH, ML-KEM remains secure.
Shared secret size: ~1,100 bytes (both algorithms concatenated).

Framework 2: Phased Migration Roadmap

Phase 1 (2025–2027): Assessment and Pilot

Inventory all cryptographic systems; classify by criticality and key lifetime.
Long-lived keys (certificates, PKI roots, signing keys): highest priority for immediate assessment.
Pilot PQC-hybrid systems in non-critical environments; validate performance and interoperability.

Phase 2 (2028–2029): Critical System Migration

Migrate defence and classified-data systems to PQC-hybrid.
Issue new digital certificates with PQC-capable roots (dual-root PKI: classical + PQC).
Re-encrypt historical long-lived data (7+ years old) with PQC encryption.

Phase 3 (2030–2032): Broad Deployment

Migrate financial, healthcare, and government-service systems.
Retire classical-only cryptography from all new systems.
Upgrade legacy systems unable to support PQC (likely permanent vulnerability for older hardware).

Phase 4 (2033+): Classical Cryptography Deprecation

Remove classical-only cryptography from critical systems.
Accept that legacy systems will remain vulnerable; establish containment strategies (air-gapped networks, limited internet exposure).

Framework 3: Procurement and Vendor Selection

Organizations procuring PQC-capable systems should assess:

| Criterion | Assessment |
|-----------|-----------|
| FIPS 203/204/205 Compliance | Vendor must support NIST-approved algorithms; no custom PQC implementations. |
| Hybrid Support | System must support hybrid classical-PQC cryptography for transition period. |
| Performance Benchmarks | Measure signature verification time, key-encapsulation latency, and memory overhead under production load. |
| Interoperability Testing | Verify hybrid signatures/keys work across classical-only and PQC-capable systems. |
| Supply-Chain Security | Ensure cryptographic modules are sourced from verified suppliers; audit for tampering or backdoors. |
| Post-Quantum Certificates | Vendor roadmap must include support for PQC-capable X.509 certificates by 2027. |
| Cost of Ownership | Estimate total migration cost (software upgrades, retraining, performance optimization). |

Framework 4: Legacy System Management

Many organizations will retain classical-only systems beyond 2032 (cost of replacement exceeds cost of risk). For these systems:

1. Containment: Restrict to isolated networks with minimal external connectivity.
2. Data Minimization: Purge sensitive data older than 5 years; avoid long-term archival.
3. Monitoring: Implement anomaly detection for unauthorized access; assume eventual compromise.
4. Compensating Controls: Add application-layer encryption, secure multi-party computation, or threshold cryptography for highest-value data.

Risk Quantification: HNDL Vulnerability Assessment

Organizations should quantify HNDL vulnerability by classifying data by sensitivity and retention period:

| Data Class | Retention | Sensitivity | HNDL Risk | Mitigation |
|------------|-----------|-------------|-----------|------------|
| Classified defence communications | 20+ years | Critical | EXTREME | Immediate PQC re-encryption; historical data decrypted/re-encrypted with PQC by 2027 |
| Financial transaction records | 7–10 years | High | HIGH | Dual-key storage (classical + PQC); phase out classical by 2028 |
| Personal identity data (passports, licenses) | 10–15 years | High | HIGH | PQC-capable identity systems by 2027; historical data in secure archive |
| Medical and insurance records | 15+ years | High | HIGH | PQC-capable EMR/claims systems by 2028 |
| Non-sensitive operational data | 3–5 years | Low | MEDIUM | Standard PQC migration timeline by 2032 |

Implications for Compliance and Procurement Officers

1. Classify all cryptographic systems by key lifetime and sensitivity. Data with lifespans >10 years should be re-encrypted with PQC immediately; do not wait for quantum computers to emerge.

2. Mandate FIPS 203/204/205 compliance in all new cryptographic procurements. Do not accept vendor claims of "quantum-safe" cryptography unless they reference NIST-approved standards.

3. Establish hybrid cryptography as the standard for 2025–2032. Single-algorithm systems (classical-only or PQC-only) create interoperability gaps; hybrid ensures backward compatibility and forward security.

4. Budget for legacy system containment. Systems that cannot be upgraded will remain on networks; allocate resources for network segmentation, monitoring, and data minimization.

5. Conduct HNDL vulnerability assessments annually. Identify long-lived sensitive data vulnerable to historical decryption; prioritize re-encryption or secure destruction.

6. Coordinate with supply-chain partners on PQC timelines. Ensure vendors, ISPs, and cloud providers are transitioning in parallel; misaligned timelines create interoperability failures.

7. Plan for performance degradation during transition. PQC algorithms are 2–5x slower than classical; allocate budget for infrastructure upgrades (CPU, network capacity) to absorb performance impact.

References

Australian Signals Directorate (2025). Quantum-Safe Cryptography Roadmap: Australian Critical Infrastructure Migration Plan 2025–2030. Department of Defence.
European Commission, Cybersecurity Act Directorate (2025). EU Post-Quantum Cryptography Certification and Interoperability Framework. European Commission.
International Cryptanalysis Research Centre (2024). Harvest-Now-Decrypt-Later Threat Model: Quantifying Legacy Data Vulnerability in Financial and Government Systems. ICRC.
Japan National Cyber Security Centre (2026). Post-Quantum Cryptography Adoption Strategy: Critical Sectors Review. Ministry of Economy, Trade and Industry.
NIST Computer Security Division (2024). FIPS 203, 204, 205: Post-Quantum Cryptography Standards (Final). U.S. National Institute of Standards and Technology.
Singapore Cybersecurity Agency & IMDA (2025). PQC Readiness Assessment and Transition Framework: Singapore Financial Sector. Singapore CSA.

Sources

FIPS 203, 204, 205: Post-Quantum Cryptography Standards (Final)
Quantum-Safe Cryptography Roadmap: Australian Critical Infrastructure Migration Plan 2025–2030
Post-Quantum Cryptography Adoption Strategy: Critical Sectors Review
PQC Readiness Assessment and Transition Framework: Singapore Financial Sector
EU Post-Quantum Cryptography Certification and Interoperability Framework
Harvest-Now-Decrypt-Later Threat Model: Quantifying Legacy Data Vulnerability in Financial and Government Systems