Post-Quantum Migration Planning for Ukraine's Cryptographic Infrastructure
Quantum computers capable of running Shor's algorithm at sufficient scale would break the mathematical foundations of RSA, Diffie-Hellman, and elliptic curve cryptography—the algorithms securing most of today's internet communications and digital signature systems. While fault-tolerant quantum computers capable of this feat remain years to decades away from realization, the "harvest now, decrypt later" threat model requires that organizations begin migrating away from vulnerable algorithms today: adversaries who archive current encrypted communications can decrypt them once quantum computing matures. For Ukraine, whose communications are actively targeted by Russian state-sponsored collection, this threat has immediate operational relevance.
NIST Post-Quantum Cryptography Algorithms
NIST completed its post-quantum cryptography standardization process in August 2024, publishing three primary algorithms as Federal Information Processing Standards. ML-KEM (formerly CRYSTALS-Kyber) is the key encapsulation mechanism for securing symmetric key exchange—replacing ECDH and RSA key exchange in TLS and other protocols. ML-DSA (formerly CRYSTALS-Dilithium) provides digital signatures—replacing ECDSA in certificate authorities, code signing, and document authentication systems. SLH-DSA (formerly SPHINCS+) provides a hash-based digital signature algorithm as an alternative with a different security proof structure.
CRYSTALS-Kyber was developed by an international team including several Belgian and German researchers, with support from academic institutions rather than government agencies—providing greater transparency about design intent than standards designed primarily by government agencies. Its security is based on the hardness of the Module Learning With Errors (MLWE) problem, which is not efficiently solvable by known quantum algorithms. The NIST standardization process included four rounds of public evaluation and cryptanalysis, providing higher assurance than any single organization's assessment.
Ukraine's Post-Quantum Migration Roadmap
Ukraine's official post-quantum migration planning began accelerating after NIST's draft standards release in 2022-2023, aligned with the broader cryptographic standards modernization program prompted by NATO integration requirements. The roadmap prioritizes migration targets by their combination of data classification sensitivity and data lifetime (the length of time the data needs to remain confidential)—highest-classification communications with decade-long or longer secrecy requirements are prioritized for earliest migration, while general-purpose web traffic encryption is on a longer timeline reflecting lower immediate quantum risk.
Post-Quantum Algorithm Priority Matrix
| Application | Current Algorithm | PQC Replacement | Migration Timeline | OT Applicability |
|---|---|---|---|---|
| Government TLS | ECDH P-256 | ML-KEM (Kyber) | 2025-2027 | Limited (performance) |
| Code signing | ECDSA P-256 | ML-DSA (Dilithium) | 2025-2026 | Applicable (firmware) |
| Document signatures | RSA-2048/ECDSA | ML-DSA or SLH-DSA | 2026-2028 | N/A |
| VPN/IPsec | DH / ECDH | ML-KEM hybrid | 2025-2027 | High priority (military) |
| PKI certificates | RSA-2048 | ML-DSA certificates | 2026-2030 | Medium |
Crypto-Agility for OT Environments
Industrial control systems and operational technology present particular challenges for post-quantum migration. OT devices have constrained computational resources that may not support resource-intensive post-quantum algorithms—CRYSTALS-Dilithium signatures are significantly larger than ECDSA signatures, and CRYSTALS-Kyber key exchange requires more computation than ECDH. Devices with 8-bit microcontrollers, limited RAM, and slow processors may be unable to implement current NIST PQC algorithms without hardware replacement.
The concept of crypto-agility—designing systems to allow algorithm replacement without complete system redesign—is particularly important for OT environments where device lifetimes span 20+ years and hardware replacement is extremely costly and operationally disruptive. New OT deployments in Ukraine should incorporate crypto-agile design principles: separating algorithm implementation from protocol logic so that algorithm updates can be deployed as software updates rather than requiring hardware replacement.
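The separation described above can be made concrete with a small message frame whose header carries an algorithm identifier. This is an added example, not code from the original page: the frame layout, the names `REGISTRY`, `seal` and `open_frame`, and the HMAC stand-ins used in place of real signature schemes are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct
from typing import Callable, NamedTuple

class Alg(NamedTuple):
    name: str
    sign: Callable[[bytes, bytes], bytes]
    verify: Callable[[bytes, bytes, bytes], bool]

def standin(name: str, digest) -> Alg:
    # HMAC stand-in (assumption): a real device registers ECDSA, ML-DSA, etc.
    def sign(key, data):
        return hmac.new(key, data, digest).digest()
    def verify(key, data, tag):
        return hmac.compare_digest(sign(key, data), tag)
    return Alg(name, sign, verify)

# Algorithm table: the only place that changes when an algorithm is added.
REGISTRY = {1: standin("classical-standin", hashlib.sha256),
            2: standin("pqc-standin", hashlib.sha3_256)}

def seal(alg_id: int, key: bytes, payload: bytes) -> bytes:
    """Frame = alg_id(1) | length(2) | payload | tag; the tag covers the header."""
    signed = struct.pack(">BH", alg_id, len(payload)) + payload
    return signed + REGISTRY[alg_id].sign(key, signed)

def open_frame(frame: bytes, keys: dict, allowed: set) -> bytes:
    """Protocol logic: parse, apply policy, dispatch. No algorithm code here."""
    if len(frame) < 3:
        raise ValueError("truncated header")
    alg_id, length = struct.unpack(">BH", frame[:3])
    if alg_id not in allowed:          # receiver policy decides, not the sender
        raise PermissionError(f"algorithm id {alg_id} rejected by policy")
    if alg_id not in REGISTRY or alg_id not in keys:
        raise LookupError(f"algorithm id {alg_id} not installed")
    signed, tag = frame[:3 + length], frame[3 + length:]
    if len(signed) != 3 + length:
        raise ValueError("truncated payload")
    if not REGISTRY[alg_id].verify(keys[alg_id], signed, tag):
        raise ValueError("authentication failed")
    return signed[3:]

if __name__ == "__main__":
    keys = {1: b"\x11" * 32, 2: b"\x22" * 32}    # constructed sample keys
    frame = seal(2, keys[2], b"setpoint=42")      # constructed sample payload
    print(open_frame(frame, keys, allowed={2}))   # policy once id 1 is retired
```

Retiring the classical algorithm is a change to the `allowed` set, and adding a new one is a new `REGISTRY` entry; because the tag covers the header, rewriting the algorithm identifier in transit fails verification instead of selecting a weaker algorithm.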
Harvest Now, Decrypt Later Threat Relevance
For Ukraine specifically, the "harvest now, decrypt later" threat is not hypothetical. Russian intelligence services routinely collect encrypted Ukrainian government and military communications. If those communications include classified information that retains value over a decade-long time horizon (strategic plans, intelligence source identities, long-term policy discussions), and if quantum computing advances as expected, Russia could eventually decrypt archived communications. The operational intelligence value of such a capability justifies early migration of the most sensitive communications to post-quantum algorithms even before quantum computers exist.
Hybrid Post-Quantum Approaches
During the transition period, hybrid cryptography—combining a classical algorithm with a post-quantum algorithm in such a way that security requires breaking both—provides protection against the risk that the new PQC algorithms themselves could have undiscovered weaknesses. If CRYSTALS-Kyber were to be broken by unexpected cryptanalysis, a hybrid ECDH+CRYSTALS-Kyber key exchange would still be secure against classical computers. The NSA and NIST have both endorsed hybrid approaches during the transition period for the highest-security applications.
FAQ
- When will quantum computers actually threaten today's encryption?
- Current scientific consensus estimates that fault-tolerant quantum computers capable of breaking RSA-2048 are 10-20 years away, with significant uncertainty. Progress has been faster than some pessimistic predictions but slower than optimistic ones. The actual timeline depends on advances in quantum error correction—the primary bottleneck—which requires reducing error rates by several orders of magnitude from current capabilities. However, the "harvest now, decrypt later" risk means migration should begin regardless of timeline uncertainty.
- What is the difference between ML-KEM and ML-DSA?
- ML-KEM (Kyber) is a key encapsulation mechanism used to securely establish shared symmetric keys—it replaces RSA and ECDH in key exchange. ML-DSA (Dilithium) is a digital signature algorithm used to authenticate data and verify identity—it replaces RSA signatures and ECDSA. The two algorithms serve different cryptographic functions and must both be replaced to achieve post-quantum security.
- Can Ukraine's DSTU algorithms be replaced with PQC algorithms simultaneously?
- The DSTU-to-PQC migration can potentially be combined into a single migration rather than a two-step process (DSTU → FIPS → PQC). For new system deployments, implementing NIST PQC algorithms directly saves a migration step. For existing systems using DSTU/GOST algorithms, prioritizing those that also need NATO-interoperability improvements for early PQC migration makes strategic sense.
- What is the signature size difference between ECDSA and ML-DSA?
- ECDSA P-256 produces 64-byte signatures. ML-DSA (Dilithium) at security level 2 produces 2,420-byte signatures—approximately 38 times larger. This size increase has implications for systems that include digital signatures in protocol headers, certificates, or documents: certificate chains become larger, TLS handshakes transmit more data, and bandwidth-constrained OT communications may need protocol optimization in addition to algorithm migration.
- Does Russia have a quantum computing capability that threatens Ukraine today?
- No credible public evidence indicates that Russia currently possesses cryptographically relevant quantum computing capability (CRQC). Russia's quantum computing research program is acknowledged but is generally assessed to be behind leading programs in the US, Europe, and China. The threat model is forward-looking—anticipated future capability rather than present capability—which is precisely why proactive migration is warranted rather than reactive response after the threat materializes.
Cyber Operations Analysis: Post-Quantum Migration Planning for Ukraine's Cryptographic Infrastructure
The Russia-Ukraine conflict has generated the most comprehensively documented state-sponsored cyber operations in history, and post-quantum migration planning for Ukraine's cryptographic infrastructure is a significant dimension of this digital warfare environment. Cyber attacks have targeted Ukrainian government systems, critical infrastructure, financial institutions, and military communications since well before the physical invasion began in February 2022. Understanding the technical characteristics, attributable actors, and strategic effects of cyber operations related to this migration planning provides essential context for assessing both immediate operational impacts and broader implications for cyber conflict doctrine.
Russian state-sponsored threat actors including Sandworm (GRU Unit 74455), APT28/Fancy Bear (GRU Unit 26165), Cozy Bear/APT29 (SVR), and Turla (FSB) have conducted sustained campaigns against Ukrainian and allied targets with objectives spanning espionage, sabotage, and influence operations. Post-quantum migration planning intersects with this threat actor ecosystem in specific ways, whether through the deployment of particular malware families, targeting of specific sectors, or employment of novel techniques that reveal evolving adversary capabilities and intentions.
Ukraine's cyber defense architecture, significantly strengthened with Western assistance through programs including the EU's Cyber Resilience for Ukraine project and bilateral cooperation with US Cyber Command, has demonstrated growing resilience against Russian operations. The Ukrainian Computer Emergency Response Team (CERT-UA) has published hundreds of threat intelligence advisories, contributing to global understanding of Russian cyber tactics, techniques, and procedures (TTPs). Post-quantum migration planning informs this evolving defensive picture, highlighting areas where Ukrainian defenses have proven effective and where vulnerabilities remain.
The strategic calculation surrounding cyber operations related to post-quantum migration planning involves complex trade-offs between operational effect, attribution risk, and escalation management. Russia's decision to employ destructive wiper malware, distributed denial-of-service attacks, and infrastructure-targeting operations reflects a calibrated use of cyber as a coercive instrument alongside physical military operations. The international response—including intelligence sharing, cyber defense assistance, and potential offensive cyber operations by allied nations—shapes the cost-benefit calculations of Russian cyber strategists.
Lessons for Global Cybersecurity Policy
The cyber dimensions of the Russia-Ukraine conflict represented by post-quantum migration planning for Ukraine's cryptographic infrastructure have generated critical lessons for national cybersecurity strategies worldwide. The importance of pre-positioning defensive measures before conflict onset, the value of international cyber defense cooperation frameworks, the role of private sector cybersecurity companies in supporting national defense, and the limitations of cyber operations as a strategic coercive tool have all been illuminated by Ukrainian experience. These lessons are reshaping cybersecurity investment priorities, information sharing architectures, and incident response frameworks across NATO and partner nations.
Frequently Asked Questions
What are the main Russian cyber attacks on Ukraine?
Russia has conducted sustained cyber operations against Ukraine since at least 2014, with a major escalation in February 2022. Key campaigns include the NotPetya attack (2017), attacks on energy infrastructure, the Viasat hack at war's start, and continuous operations against government, military, and civilian targets throughout the full-scale invasion.
How has Ukraine defended against Russian cyber attacks?
Ukraine's cyber defense has benefited from pre-invasion preparation, Microsoft and Western tech company assistance, CERT-UA operations, and the support of allied intelligence services. Ukraine developed significant cyber resilience by distributing government data to cloud infrastructure before the invasion.
What is the role of cyber warfare in the Ukraine conflict?
Cyber warfare in the Ukraine conflict operates alongside conventional military operations. Russia uses cyber attacks to disrupt infrastructure, spread disinformation, and support physical strikes, while Ukraine has developed offensive cyber capabilities to target Russian systems, including oil and gas infrastructure and military networks.
Who are the main cyber actors targeting Ukraine?
Russian state-affiliated cyber groups targeting Ukraine include Sandworm (GRU), APT28 (GRU), APT29 (SVR), Turla (FSB), and various GRU units. Ukrainian cyber forces, international volunteer hacker groups (IT Army of Ukraine), and allied intelligence cyber units operate on the Ukrainian side.
What can other countries learn from Ukraine's cyber defense?
Ukraine's cyber defense offers critical lessons: distributed cloud infrastructure reduces vulnerability to physical and cyber attacks, international information sharing accelerates threat response, pre-conflict preparation matters enormously, and the integration of civilian tech expertise with military cyber operations creates strategic advantages.