Part IV · 3 — The migration

draft

Having the standards is not enough — you have to swap the cryptography of whole systems without breaking them, and in an order that attacks first what is most at risk. The keyword is hybrid, and the discipline it demands is crypto-agility.


3.1 Hybrid: belt and suspenders

The dominant recommendation for the transition is not to swap classical for PQC — it is to combine the two. A hybrid KEM runs ECDH (X25519) and ML-KEM together and mixes the two secrets through a KDF; the session key is secure only if both are.

Hybrid mode: X25519 and ML-KEM combined through a KDF

The logic is the risk management of SIKE's lesson:

  • If PQC has an undiscovered flaw (these are new schemes), classical still

    protects against today's adversaries.

  • If/when quantum arrives and breaks classical, PQC already protects.

You only lose if both fail at the same time. This is what hybrid TLS 1.3 (X25519MLKEM768) already does in browsers and servers since 2024.


3.2 The migration order

Not everything runs the same risk. The priority follows from HNDL:

  1. Key exchange / KEM first. This is what HNDL threatens: traffic encrypted

    today can be archived and opened later. Migrating to a hybrid KEM cuts the recording risk immediately. Top priority.

  2. Signatures next. A signature only needs to resist *ntil the moment of

    verification*— there is no "sign now, forge later" analogous to HNDL (unless they are long-lived roots of trust, like CAs and firmware, which move up the queue).

  3. Symmetric: already handled with AES-256 / SHA-384+ (Part 1).

3.3 Crypto-agility

The most important structural lesson: never again hardwire an algorithm into the code. Crypto-agility is designing systems where the algorithm is a negotiable and replaceable parameter — so that the next swap (there will be others) is configuration, not a rewrite.

In practice: name suites, version formats, abstract the primitive behind an interface, and have a safe downgrade/upgrade path. Whoever did this for the PQC transition reaps the benefit in every future transition.


3.4 Deadlines and posture

Governments have already set milestones. CNSA 2.0 (NSA, 2022) requires PQC in U.S. national security systems over this decade; the EU and others follow a similar line. The common message: start the inventory and the pilot now.

Koder posture: the Stack treats PQC as a case of crypto-agility (section 3.3) — abstracted primitives, hybrid KEM as the target for any long-lived channel, and symmetric already at 256 bits. The inventory of what uses asymmetry (Koder ID, Vault, ICP-Brasil signing, the services' TLS) is the starting point of Part V — Applied crypto at Koder.


Dense reference: CNSA 2.0, the generic migration approach, and the state of adoption in 08-post-quantum. End of Part IV — the asymmetric foundation has a successor and a path. Part V — Applied crypto at Koder (under construction) lands all of this in the Stack's real components.