The Australian Cyber Security Centre (ACSC), a division of the Australian Signals Directorate (ASD), has issued a comprehensive call to action for organizations to begin preparing their cybersecurity infrastructure for the advent of cryptographically relevant quantum computers (CRQC).  

The guidance outlines the urgency of adopting post-quantum cryptography (PQC) and provides a detailed roadmap to complete the transition by the end of 2030. 

CRQC: A Future Threat with Present-Day Implications 

While fully operational CRQCs do not yet exist, ASD warns that their emergence would render current asymmetric cryptographic algorithms, including RSA, ECDSA, and Diffie-Hellman, ineffective. This could undermine the confidentiality and integrity of encrypted communications, authentication mechanisms, and critical infrastructure. 

The threat is particularly acute due to the potential for “harvest now, decrypt later” attacks. Adversaries may already be intercepting and storing encrypted data, intending to decrypt it once CRQC capabilities become available. 

“Early action is critical,” the ACSC notes, highlighting three key reasons for urgency: 

• Transitioning to post-quantum cryptography is complex and time-consuming. 

• The development timeline for CRQC is uncertain due to ongoing research in quantum computing. 

• Sensitive data encrypted today using classical methods may be compromised in the future. 

Transition Timeline: Milestones Through 2030 

To address the rising CRQC risk, the ASD’s Information Security Manual (ISM) provides a phased approach with concrete milestones: 

• By the end of 2026: Organizations should have a detailed transition plan that reflects their security priorities, data sensitivity, and system complexity. 

• By the end of 2028: the Implementation of PQC algorithms should begin with the most critical and sensitive systems. 

• By the end of 2030: Full transition to post-quantum cryptography should be completed. 

• Post-2030: Ongoing monitoring, validation, and adaptation of PQC implementations will be necessary to maintain resilience. 

The ISM also recommends using ASD-approved post-quantum cryptographic algorithms and advises against using traditional asymmetric encryption methods beyond 2030. 

The LATICE Framework for PQC Transition 

ASD encourages organizations to adopt the LATICE framework, which outlines five high-level phases for a successful PQC transition: 

1. Locate all uses of traditional asymmetric cryptography. 

2. Assess the sensitivity and value of affected systems and data. 

3. Triage systems are based on criticality and transition difficulty. 

4. Implement PQC algorithms using standardized libraries and vendor guidance. 

5. Communicate and educate stakeholders to ensure sustained awareness and compliance. 

A crucial component of the “Locate” phase involves building a Cryptographic Bill of Materials (CBOM), an inventory of cryptographic dependencies similar in function to a software bill of materials. This allows organizations to track all encryption-related implementations, including protocols, algorithms, and configurations. 

Quantum Key Distribution and Hybrid Schemes 

Although quantum key distribution (QKD) is often presented as a secure method for quantum-era communication, ASD currently does not endorse QKD due to its reliance on specialised hardware and its practical limitations, particularly around authentication. 

In cases where legacy systems require compatibility, ASD allows, but does not recommend, post-quantum/traditional (PQ/T) hybrid schemes. These offer interim interoperability but are ultimately considered vulnerable, as the traditional components will become obsolete once CRQC is achieved. 

International Context and Supporting Standards 

The ACSC acknowledges that various international bodies are also preparing for the quantum shift. These include: 

• NIST (U.S.) – Leading the standardization of PQC algorithms. 

• CISA (U.S.) – Offering critical infrastructure-specific guidance. 

• UK NCSC, Canadian CCCS, and New Zealand NCSC – Providing national roadmaps and technical advisories. 

• IETF – Updating cryptographic standards such as TLS for PQC readiness. 

• ETSI – Developing frameworks for quantum-safe migration. 

• Post-Quantum Cryptography Coalition – Supporting industry collaboration and tooling. 

While these organizations may provide different timelines or approaches, they share a common emphasis on the urgency of preparing for CRQC. 

References 

• https://www.cyber.gov.au/about-us/view-all-content/news/stay-ahead-of-the-quantum-threat-with-post-quantum-cryptography 

• https://www.cyber.gov.au/business-government/secure-design/planning-post-quantum-cryptography