Consulting

Post-Quantum Cryptography

Post-quantum security consulting and migration: make your IT systems post-quantum secure, now

Quantum computers utilise the computing power of quantum systems and can solve computational problems that were previously considered unsolvable. However, they pose a future threat to the asymmetric cryptography (especially RSA and ECC) that is widely used today. This threat can be mitigated by using new cryptographic tools that are believed or known to be resistant to quantum attacks.

As the timeframe for completing the transition depends on factors such as the resilience of a company’s information, the speed at which quantum-secure technologies can be deployed and the overall threat level to quantum computers, the transition to quantum-secure cryptography must be tailored to each company. Although a fully functional quantum computer is probably still a decade or more away, the work to achieve this milestone is being pursued intensively by many researchers around the world. This is because quantum technology promises advantages in areas such as sensors, communications and optics, in addition to its use in computer technology. However, once cryptographically relevant quantum computers (CRQCs) become available, they will essentially be able to efficiently break public-key encryption systems that have been considered secure to date. More traditional encryption systems (such as AES) will also be affected, making them about half as secure. This will have devastating consequences for systems used to protect electronic communications and digital transactions. Companies should therefore start preparing for these scenarios today.

The 2024 edition of the Quantum Threat Timeline Report states that experts estimate a 34% probability that a crypto-relevant quantum computer will be available within the next 10 years.

Why should one prepare for crypto-relevant quantum computers?

Most secure internet processes rely on public-key cryptography protocols, including those used to secure websites, banking transactions, secure email and digital signatures. These processes will be particularly vulnerable to cryptographic quantum computers in the future.

Therefore, preparing for this threat should be considered an integral part of cybersecurity risk management. In an attempt to quantify this risk, the 2024 edition of the Quantum Threat Timeline Report by the Canadian Global Risk Institute surveyed 32 leading international experts from academia and industry. The experts selected probability ranges for the realisation of a cryptographically relevant quantum computer within various timeframes ranging from five to 30 years. An ‘optimistic’ interpretation of the responses yielded an average estimate of ~34% that a CRQC will be developed within ten years (compared to 31% in 2023).

Our approach to a successful post-quantum migration

Post-quantum migration can be divided into four phases: diagnosis, planning, execution and maintenance. The diagnosis phase involves data collection, qualification and validation, data analysis and quantum risk assessment. The planning phase involves creating a roadmap for transition and convergence. The first phase is diagnosis, in which the migration team collects all relevant information about the existing infrastructure and identifies all cryptographic methods vulnerable to quantum algorithms. Close coordination between a strategic, top-down approach (which defines the overall strategy and governance) and a practical, bottom-up approach (which ensures technical implementation and integration) is essential for a successful post-quantum migration. During the planning phase, the migration process is designed and prioritised, suitable tools and approaches for creating a cryptography inventory are evaluated and selected, and a roadmap for migration is created, taking into account the information previously collected. Execution consists of migrating all cryptographic methods vulnerable to quantum algorithms and continuously maintaining the crypto inventory.

1. Data collection, qualification, and validation

In order to lay the foundation for a meaningful assessment, we start by collecting structured and automated data from various sources and in multiple areas. This initial step typically focuses on a single business area or unit and a subset of assets identified as priorities by our client. The following measures are employed: source code scanning, network traffic analysis, system inventory scans, metadata qualification and results validation.

2. Analysis of data

We perform a detailed analysis of the data obtained to determine the security status of existing cryptographic implementations. The outcome of this phase is a cryptographic risk inventory that identifies which types of cryptographic usage are secure, which require monitoring and which need to be addressed as a priority.

3. Quantum Risk Assessment

We are expanding our assessment to include an evaluation of cryptographic vulnerabilities in the context of quantum threats. This analysis helps our customers to understand the urgency and scale of transitioning to post-quantum cryptography (PQC).

4. Roadmap for transition and convergence

Based on our assessments, we create a clear, actionable roadmap setting out the priorities for cryptographic modernisation. This includes the following measures:

Prioritisation of remediation measures: Classifying systems according to business criticality and cryptographic risk to inform remediation planning.
Migration plan: We provide a step-by-step migration plan for transitioning from classical to quantum-safe algorithms (e.g. lattice-based and hash-based cryptography).
Tooling and automation: Recommend the implementation of crypto-agility frameworks to facilitate future transitions.
Timeline and milestones: Set realistic, risk-based timelines incorporating quick wins and long-term transitions.
Mapping governance and compliance: Align roadmap steps with customer regulatory goals and best practices.

EU Commission: Coordinated PQC roadmap

On the 23rd of June 2025, the European Commission presented a coordinated roadmap for transitioning Europe’s digital infrastructure to post-quantum cryptography (PQC). This includes a timetable for the adoption of quantum-resistant encryption. The key milestones in the EU’s PQC transition roadmap are as follows:

By the end of 2026

All EU member states are called upon to initiate the transition to PQC by developing national strategies and taking the first steps towards migration. This means that by 2026 at the latest, assessments, awareness campaigns and cryptographic inventories must have begun.

By the end of 2030

Post-quantum cryptography must be used to secure high-risk systems, especially critical infrastructure and other vital sectors, as soon as possible and by 2030 at the latest.

Until 2035

As many systems as practically possible across Europe should transition to PQC. While some older or less risky systems may take longer to transition, they should be as quantum-secure as possible by 2035.

SAMA PARTNERS and evolutionQ – Your team of experts for quantum-secure cryptographic solutions

SAMA PARTNERS and evolutionQ have formed a trusted, long-term partnership combining deep technical expertise and cutting-edge research to help companies build, evaluate and safeguard their cryptographic assets for the future. Rather than evaluating off-the-shelf solutions, we focus on maximising the value of existing infrastructure and components. Our joint approach ensures high data quality and completeness, avoids redundant network functionalities and significantly reduces the complexity typically associated with introducing new solutions into large IT environments.

As part of this collaboration, SAMA PARTNERS is responsible for the technical analysis and development, while evolutionQ contributes its expertise in cryptographic risk modelling, vulnerability assessment and methodology design. This ensures that our customers remain secure and compliant, and are optimally prepared for the transition to quantum-safe cryptographic solutions.