Post-Quantum Cryptography Migration for Non-Browser Systems

Introduction

Most organizations have completed browser TLS post-quantum cryptography migration; the harder problem is updating the long tail of non-browser systems—VPN concentrators, firmware signing pipelines, industrial control system (ICS/OT) controllers, embedded PKI roots, and devices with 15–30 year service lives.

This article delivers a production-grade playbook: concrete migration patterns, code examples, failure modes, performance data, and decision frameworks that principal engineers can use to move from assessment to hardened deployment without disrupting safety-critical or air-gapped environments.

A typical failure scenario we have observed in 2025 red-team exercises: an ICS vendor still signs firmware images with RSA-2048-SHA256; an attacker records today's signatures, waits for a cryptographically relevant quantum computer (CRQC), and forges new signatures that pass verification on devices deployed until 2045. The blast radius is physical—manipulated PLC logic, altered safety interlocks, or exfiltrated OT telemetry.

Executive Summary

TL;DR: Post-quantum cryptography migration for non-browser systems requires hybrid signatures and KEMs (ML-DSA + ECDSA, ML-KEM + ECDH) plus careful key-size and latency budgeting; start with inventory, move to crypto-agility layers, and maintain dual verification paths for at least seven years.

  • Hybrid cryptography is mandatory for firmware signing and long-lived PKI roots until 2035+.
  • VPN post-quantum migration can reuse the same IKEv2 post-quantum PQC algorithms standardized in RFC 9242 and NIST SP 800-208.
  • Embedded systems must profile ML-KEM-512/768 and Falcon-512 against flash, RAM, and battery constraints before committing.
  • ICS/OT environments demand deterministic, side-channel-resistant implementations and air-gap-compatible update mechanisms.
  • Quantum-safe PKI migration involves re-issuing intermediate and device certificates with PQC OIDs while preserving legacy trust anchors during transition.
  • Monitor NIST migration timelines and maintain a living crypto-inventory that flags RSA/ECC keys with >10-year remaining lifetime.

Three Likely Direct Answers

Q: What is the recommended hybrid mode for PQC firmware signing?
A: Combine ML-DSA-65 with ECDSA P-384; verify both signatures and accept only when both pass.

Q: Which algorithms should be used for post-quantum VPN migration?
A: IKEv2 with ML-KEM-768 key exchange and ML-DSA-65 authentication, falling back to classical groups during transition.

Q: How do you handle PQC on long-lived devices with limited compute?
A: Use compact algorithms (Falcon-512 or ML-KEM-512), pre-compute where possible, and schedule updates during maintenance windows that tolerate 2–5× latency increase.

How Post-quantum Cryptography Migration for Non-Browser Systems Works Under the Hood

Post-quantum cryptography relies on hardness assumptions believed to survive Shor's algorithm: lattice problems (ML-KEM, ML-DSA, Falcon), hash-based signatures (SPHINCS+), and multivariate or code-based schemes. For non-browser systems we focus on the NIST PQC finalists standardized in 2024–2025: ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205).

In a VPN context, the IKEv2 handshake is extended with post-quantum preshared keys or post-quantum key exchange as described in our enterprise guide to post-quantum cryptography migration. The initiator includes ML-KEM public keys in the IKE_SA_INIT payload; the responder encapsulates a shared secret using its ML-KEM private key. The resulting key material is mixed into the existing PRF to derive SKEYSEED. This yields hybrid confidentiality even if ECDH is later broken.

Firmware signing replaces classical RSA-PSS or ECDSA with a hybrid signature scheme. The signer produces two signatures over the same digest: one with ML-DSA-65 and one with a legacy ECDSA P-384 key. The manifest contains both, and the verifier runs both checks. Only when both signatures are valid does the boot ROM accept the image. This pattern defeats harvest-now-decrypt-later attacks on recorded firmware updates.

Quantum-safe PKI migration follows the same dual-track logic. A new intermediate CA is issued using ML-DSA; device certificates chain to it. Legacy roots remain in trust stores until the entire fleet has rotated. Certificate revocation lists and OCSP responses must themselves be signed with hybrid algorithms to prevent downgrade attacks.

Industrial control systems add real-time and determinism constraints. Many PLCs run on 32-bit microcontrollers with <256 KB RAM. Lattice-based algorithms must be profiled for stack usage; side-channel resistance (constant-time implementation, masking) is non-negotiable when an attacker can measure power or electromagnetic emanations on the factory floor.

For long-lived devices the migration window is measured in decades. A smart meter deployed in 2026 may still be in service in 2046. Therefore the cryptographic bill of materials (CBOM) must list every algorithm, key length, and planned deprecation date. When that date is reached, the device must support over-the-air (OTA) or field-update mechanisms that themselves survive quantum cryptanalysis.

Implementation: Production Patterns

Begin with an accurate inventory. Use tools such as openssl x509 -in device.crt -text -noout and custom scripts that walk firmware manifests, VPN configuration files, and ICS project archives. Tag every RSA or ECC key with its remaining safety margin based on NIST and ENISA guidance.

Next, introduce a crypto-abstraction layer. The following minimal C example demonstrates a hybrid signing API that can be compiled once for classical-only and once for PQC-enabled targets:

#include "hybrid_sign.h"

int hybrid_sign(const uint8_t *msg, size_t msg_len,
                uint8_t *sig_out, size_t *sig_len,
                const hybrid_key_t *key) {
    size_t offset = 0;
    int ret;

    /* ML-DSA-65 signature */
    ret = ml_dsa_sign(msg, msg_len, sig_out + offset, &offset, &key->ml_dsa);
    if (ret != 0) return ret;

    /* Legacy ECDSA P-384 signature */
    ret = ecdsa_sign(msg, msg_len, sig_out + offset, &offset, &key->ecdsa);
    if (ret != 0) return ret;

    *sig_len = offset;
    return 0;
}

The corresponding verification routine must reject the firmware unless both signatures verify. This double-check pattern is the single most important safeguard during the multi-year transition.

For VPN post-quantum migration on embedded Linux gateways, integrate liboqs into strongSwan or OpenVPN. A production snippet for strongSwan configuration looks like:

connections {
    ike-postquantum {
        proposals = mlkem768-ml-dsa65-prfsha384-ecp384
        local { cert = gateway-ml-dsa.crt }
        remote { cert = controller.crt }
    }
}

OT/ICS environments often cannot tolerate dynamic library loading. Statically link a side-channel-hardened ML-KEM implementation (e.g., pqm4 or libjade) into the controller firmware. Measure stack and heap usage on the exact MCU; we have seen ML-KEM-768 peak at 18 KB stack on Cortex-M4 when using the reference implementation—unacceptable for many PLC runtimes. Switch to the “clean” or “stack-optimized” variant and re-measure.

Long-lived devices require a two-stage bootloader. Stage-1 (immutable ROM) only understands classical signatures; Stage-2 (updatable) understands hybrid signatures. Stage-1 verifies Stage-2 with a classical signature whose key is retired only after every deployed device has received a Stage-2 update. This staged approach prevents bricking of devices whose flash cannot hold both classical and PQC public keys simultaneously.

Comparisons & Decision Framework

Algorithm selection for non-browser systems balances security, performance, and compatibility. ML-KEM-512 offers the smallest ciphertext (768 bytes) and is suitable for constrained embedded systems, yet provides only NIST Level I security. ML-KEM-768 (Level III) is the pragmatic default for most VPN and PKI use-cases. Falcon-512 yields the smallest signatures (666 bytes) but requires floating-point hardware or careful emulation; many OT vendors avoid it for determinism reasons. SLH-DSA is conservative but incurs multi-megabyte signatures—unsuitable for firmware or bandwidth-constrained ICS links.

Use the following decision checklist:

  1. Determine required NIST security level (III is the minimum for new deployments after 2026).
  2. Profile target hardware: measure stack, flash, CPU cycles, and battery impact of chosen algorithm.
  3. Decide hybrid vs. pure PQC. Hybrid is required for any system expected to remain in service past 2032.
  4. Validate side-channel resistance of the chosen implementation (use DPA tools or consult third-party evaluation).
  5. Confirm that all relying parties (management stations, update servers, peer VPN gateways) can validate the new signature formats.
  6. Plan for dual verification during the overlap window; schedule full cutover only after telemetry shows >99.9 % of fleet has rotated keys.

For further background on quantum hardware timelines that influence these decisions, see our quantum error-corrected systems readiness checklist.

Failure Modes & Edge Cases

Common failure modes include:

  • Signature bloat: Adding 2.5 KB ML-DSA signatures to 64 KB firmware images exceeds flash budget on older MCUs. Mitigation: compress the image before signing or use Falcon-512 where hardware permits.
  • Timing side-channels in OT: Non-constant-time reference code leaks secret bits via power analysis. Always use pqm4 or libjade implementations that guarantee constant time on the target ISA.
  • Replay of old firmware: An attacker supplies a classically signed image after the classical root is retired. Counter-measure: embed a monotonic firmware version number inside the signed payload and reject older versions at the bootloader.
  • Certificate chain explosion: Hybrid PKI can double the size of certificate bundles. Use CMS (RFC 5652) with signed attributes that carry both signatures in one structure rather than two separate certificates.
  • Air-gap update failure: USB sticks or engineering laptops become the attack vector. Enforce that every offline update medium is itself signed with a hybrid key whose public key is burned into the device at manufacture.

Diagnostics: maintain a centralized crypto-inventory dashboard that flags any key or certificate using RSA >2048, ECC P-256, or any algorithm scheduled for deprecation. Alert when a long-lived device has <24 months of estimated quantum safety margin.

Performance & Scaling

On a Cortex-M7 running at 216 MHz we measured the following median cycle counts (pqm4, -O3, no hardware accelerator):

  • ML-KEM-768 keygen: 1.8 M cycles (~8.3 ms)
  • ML-KEM-768 encapsulate: 2.1 M cycles (~9.7 ms)
  • ML-DSA-65 sign: 11.4 M cycles (~53 ms)
  • ML-DSA-65 verify: 4.2 M cycles (~19 ms)

These latencies are acceptable for VPN control-plane operations but can violate 10 ms real-time loops in some motion-control PLCs. Pre-compute ML-KEM public keys at boot and cache shared secrets where protocol permits. For firmware signing, perform the heavy ML-DSA signature on a powerful build server; only verification occurs on the device (19 ms is typically inside the watchdog window).

At scale, PKI operations must be benchmarked at p95 latency. In a 50 000-device factory rollout, we observed p95 certificate validation time rise from 12 ms (classical) to 41 ms (hybrid ML-DSA + ECDSA). The increase is tolerable for human-driven commissioning but requires batch verification for automated production-line flashing stations.

Monitor with OpenTelemetry metrics: crypto.pqc.sign.latency_ms, crypto.pqc.keygen.failures_total, and crypto.inventory.keys_at_risk. Set SLOs that keep p99 hybrid signature verification <80 ms on target hardware.

Production Best Practices

Adopt a crypto-agility framework: never hard-code algorithm identifiers inside ROM. Store algorithm OIDs and parameters in a signed configuration block that can be updated independently. Test every firmware image with both current and next-generation roots before signing for distribution.

Rollback is non-trivial once a PQC-only root is deployed. Maintain at least two trust anchors (classical and hybrid) until telemetry confirms that every device has exercised the new code path under load. Use canary deployments in ICS environments: update 5 % of non-critical cells first, monitor for anomalous behavior for 30 days, then broaden.

Security testing must include:

  • Formal verification of constant-time properties (ct-verif or constant-time tools).
  • Power and EM side-channel analysis on physical devices.
  • Fuzzing of the hybrid parser with mutated signatures.
  • Simulation of a CRQC by disabling classical verification and confirming the PQC signature alone is still rejected when malformed.

Document runbooks for “quantum break declared” events. The runbook should list every system containing long-term RSA or ECC keys, the exact commands to re-issue certificates, and the phased rollout order that respects operational safety constraints.

For deeper insight into physical threat models that affect quantum hardware and classical roots alike, consult our analysis of quantum computer security physical threat models.

Further Reading & References

  • NIST FIPS 203, 204, 205 – Module-Lattice-Based KEM, Digital Signature, and Stateless Hash-Based Signature Algorithms (2024).
  • IETF RFC 9242 – Post-Quantum Preshared Keys for IKEv2 (2022).
  • NSA CNSA 2.0 Suite – Quantum-Resistant Cryptography Requirements (2022, updated 2025).
  • ENISA “Post-Quantum Cryptography: Current state and quantum mitigation” (2024).
  • Embedded PQC benchmarks – pqm4 project, https://github.com/mupq/pqm4 (accessed 2026).
  • Hybrid signature combiners – draft-ietf-lamps-hybrid-signatures-04.

Implement the patterns above methodically. The migration will span multiple budget cycles; the earlier you begin inventory and hybrid prototyping, the lower the eventual disruption to VPNs, firmware pipelines, industrial control systems, and the long-lived devices that underpin critical infrastructure.

Next Post Previous Post
No Comment
Add Comment
comment url