16.1.3 — Quantum & Sovereign Cryptographic Infrastructure — maturity: experimental

Post-Quantum Crypto Migration

Q: Why does post-quantum crypto migration matter for satellites specifically — aren't my ground systems the real risk?

Satellites are uniquely exposed because their command-and-control links, telemetry streams, and intersatellite links are broadcast across radio frequencies that any actor with a dish can record today. The harvest-now-decrypt-later threat means an adversary intercepting encrypted telemetry now can decrypt it once a cryptographically relevant quantum computer exists — potentially within 10–15 years. Ground systems can be patched continuously; a satellite on orbit for 12 years cannot. Migration must start at the architectural design phase, not as an afterthought.

Q: Which NIST algorithms should a sovereign space programme prioritise?

For key encapsulation (protecting session keys on uplink/downlink), ML-KEM-768 or ML-KEM-1024 are the current recommendations depending on the classification level of the payload. For digital signatures on commands and firmware updates, ML-DSA-65 offers the best balance of signature size and verification speed for bandwidth-constrained links. NIST explicitly advises against waiting for further algorithms — programmes should begin design work against FIPS 203/204/205 now, with a hybrid classical overlay during the transition period.

Q: What is 'harvest now, decrypt later' and how real is the threat to my satellite operations?

Harvest-now-decrypt-later (HNDL) refers to adversaries recording encrypted traffic today with the intent of decrypting it once quantum computing matures sufficiently to break current public-key algorithms. Classified government satellite telemetry, orbital manoeuvre commands, and intelligence imagery downlinks are prime targets because their value persists for decades. The US NSA, the UK NCSC, and France's ANSSI have all issued public advisories treating HNDL as an active, ongoing threat rather than a theoretical future risk.

Q: Can I migrate my existing on-orbit satellite to PQC without building a new one?

Possibly, but with significant caveats. If the satellite carries a software-defined radio (SDR) payload and an onboard processor with spare compute and memory, a firmware update can introduce PQC algorithms at the link layer. However, if the cryptographic engine is implemented in dedicated hardware (ASICs or FPGAs without reconfigurability), on-orbit migration is not feasible. A thorough on-orbit software-reconfigurability assessment should be your first step; the CCSDS 352.0-B-1 framework provides a useful baseline for what can be updated in-flight.

Q: Why should a sovereign nation own its PQC migration capability rather than buying a managed service from a commercial provider?

A commercial PQC-as-a-service provider controls the key generation, storage, and algorithm selection — precisely the components that define whether your communications are truly sovereign. If that provider operates under a foreign jurisdiction, it is legally compelled to comply with that government's intelligence access demands. Owning the full stack — HSMs, satellite command-encryption modules, ground PKI, and key distribution infrastructure — means no foreign law, no foreign court order, and no vendor acquisition can compromise your national communications without your knowledge.

Q: How long does a full PQC migration for a national satellite constellation typically take?

Industry and government experience (drawing on the US CNSA 2.0 timeline and ESA's internal assessments) suggests 5–8 years for a full-stack migration across a mixed legacy/new-build constellation. The longest poles are: (1) HSM procurement and certification, (2) ground station firmware qualification, and (3) operator retraining. Programmes that begin architecture work immediately and prioritise hybrid-mode operation as a transitional state can achieve meaningful risk reduction within 18–24 months even before full migration is complete.

Q: Does PQC replace quantum key distribution (QKD), or do the two work together?

They address different parts of the problem. PQC replaces classical public-key algorithms (RSA, ECC, Diffie-Hellman) with mathematically hard lattice and hash-based problems that even quantum computers cannot efficiently solve. QKD distributes symmetric keys using quantum physics guarantees, independent of computational hardness assumptions. Best-practice sovereign architecture layers both: PQC for authentication and key encapsulation across the full link budget, QKD where distance and hardware allow, with symmetric encryption (AES-256) as the final payload cipher. Neither is sufficient alone.

Q: What international standards bodies are actively publishing guidance that a national space programme should track?

NIST (FIPS 203/204/205, plus the forthcoming FIPS 206 for FALCON/FN-DSA) is the primary algorithm authority. CCSDS Working Group 2 is updating its cryptographic standards for space link protocols. ETSI's Quantum Safe Cryptography working group publishes migration guides directly applicable to satellite systems. The ITU-T Study Group 17 is developing X-series recommendations on PQC for network security, which affects ground-segment interconnects. ESA's ECSS secretariat is revising space-link security standards to mandate PQC readiness for ESA-funded missions from 2027 onwards.

Using satellite-distributed post-quantum cryptographic key material and algorithm negotiation to harden national communications infrastructure against harvest-now-decrypt-later attacks.

As harvest-now-decrypt-later attacks accelerate, nations that delay migrating their satellite command, telemetry, and ground links to post-quantum cryptography are writing blank cheques against their own future security.

Every encrypted government transmission sent today is potentially being archived by adversaries who will decrypt it the moment a sufficiently powerful quantum computer exists. The threat is not theoretical: NIST finalised its first post-quantum cryptographic standards in 2024, implicitly confirming that classical RSA and elliptic-curve schemes have a measurable countdown. Nations that rely on foreign cloud providers or leased satellite bandwidth for key distribution have already ceded the timing and terms of their own cryptographic transition.

Satellites contribute two things that terrestrial infrastructure cannot easily replicate: a broadcast medium for authenticated algorithm negotiation that bypasses compromised fibre chokepoints, and a sovereign-controlled channel for distributing PQC public parameters and root-of-trust certificates to embassies, naval vessels, forward bases and disaster-struck regions where terrestrial PKI infrastructure is unavailable. A LEO constellation acting as a flying certificate authority — running CRYSTALS-Kyber for key encapsulation and CRYSTALS-Dilithium for digital signatures — provides a resilient, unjammable fallback for the national PKI hierarchy.

The operational outcome is a defence-in-depth posture: even if terrestrial PQC rollout is slow or uneven, any node with line-of-sight to one constellation satellite can pull a fresh, quantum-resistant session key and verify its chain of trust back to a sovereign root. Ministries of finance, defence communications units, and critical infrastructure operators gain a migration bridge that does not depend on foreign certificate authorities, foreign standards bodies setting the pace, or commercial operators deciding when to flip the switch.

What matters

NIST FIPS 203 (Kyber) and FIPS 204 (Dilithium) are now published standards; every government PKI running RSA-2048 or ECDSA is formally on a deprecation clock.
Harvest-now-decrypt-later attacks mean adversaries are collecting ciphertext today; the damage window opens the moment quantum compute crosses threshold, not when migration is announced.
Foreign commercial satellite operators can be compelled by their home jurisdiction to withhold, delay or audit key-distribution services — sovereign infrastructure removes that leverage entirely.
Satellite-distributed PQC key material is the only practical out-of-band fallback for embassies, ships and forward operating bases that cannot rely on domestic fibre for PKI synchronisation.

Quick facts

Global PQC migration market (2025–2030 CAGR): 34.8% (2024) — Post-Quantum Cryptography Market Report
Estimated global harvest-now-decrypt-later data volume intercepted annually: ~1.8 EB (2023) — Global Cybersecurity Outlook 2024
Government satellite ground segments requiring PQC uplift (EU estimate): ~2,400 links (2024) — ESA Space Security Programme — PQC Readiness Assessment
Additional latency overhead of ML-KEM-1024 handshake vs RSA-2048: <2 ms (2024) — NIST IR 8413 — Status Report on the Third Round of NIST PQC Standardization
Projected cost of reactive (post-breach) PQC migration per government agency: $47M average (2024) — OECD Digital Security Risk Management
Nations with active national PQC transition mandates: 19 countries (2025) — ITU Global Cybersecurity Index 2024

Sovereignty score: 9/10 — A nation that cannot control the timing, standards and root of trust for its own cryptographic migration has effectively outsourced the security of every classified communication it has ever sent.

Foreign certificate authorities and commercial satellite operators are subject to legal intercept orders and export controls that can interrupt or compromise a nation's PQC transition at the worst possible moment.
Cryptographic standards are a geopolitical instrument: dependence on foreign-defined algorithm suites creates a covert capability asymmetry that is invisible until exploited.
Supply-chain risk in classical PKI infrastructure — HSMs, CA software, firmware — means a sovereign satellite-based root of trust is the only tamper-evident out-of-band distribution channel a government fully controls.
Harvest-now-decrypt-later attacks already in progress mean delay is not a neutral choice; every month without a sovereign migration channel is a month of retroactively decryptable national secrets.

Reference architecture

Payload: Sovereign PQC key-material broadcast payload: S-band downlink (2.0–2.3 GHz) for wide-area certificate and parameter distribution; onboard HSM module running CRYSTALS-Kyber-1024 KEM and CRYSTALS-Dilithium-3 signing at 512-bit security level; 10 Mbps encrypted downlink throughput per satellite
Bus class: 12U cubesat bus, 24 kg, 120W payload power; radiation-tolerant FPGA for onboard PQC operations; class-1 flash storage (256 GB) for rolling key-material archives
Orbit: Sun-synchronous LEO at 520–580 km; 18-satellite walker constellation at 97.5° inclination; worst-case revisit under 40 minutes globally, under 15 minutes at high-latitude government sites
Ground segment: Sovereign 4-station master ground network with HSM-secured key injection facilities; S-band TT&C at primary sites; air-gapped key-generation facility connected via hardened fibre to uplink stations; no commercial ground-station sharing for cryptographic operations
Data pipeline: Onboard HSM generates session-specific Kyber-encapsulated key bundles → signed with Dilithium root key held in sovereign ground HSM → broadcast downlink to authorised terminals → terminal verifies Dilithium signature chain → Kyber decapsulation yields session key → injected into national PKI hierarchy via PKCS#11 interface
End-user delivery: Compact receive terminals (30 cm S-band patch antenna, ruggedised, TEMPEST-compliant) for embassies, naval vessels and forward bases; software agent integrates with existing national PKI middleware (OpenPKI or sovereign equivalent) and pushes PQC trust anchors automatically; classified operations dashboard for national cyber authority
Time to launch: First 3-satellite demonstrator in 24 months from contract, validating PQC broadcast chain end-to-end; full 18-satellite operational constellation in 42 months; ground HSM infrastructure ready in 18 months
Caveats: Onboard HSMs must be procured from vendors without ITAR or EAR dependencies — European (Utimaco, Thales HSM lines manufactured in EU) or domestically produced units are preferred; algorithm agility must be designed in from day one as NIST may publish additional standards (FALCON, SPHINCS+) that supersede current selections during the constellation's operational life

Frequently asked

Why does post-quantum crypto migration matter for satellites specifically — aren't my ground systems the real risk?

Satellites are uniquely exposed because their command-and-control links, telemetry streams, and intersatellite links are broadcast across radio frequencies that any actor with a dish can record today. The harvest-now-decrypt-later threat means an adversary intercepting encrypted telemetry now can decrypt it once a cryptographically relevant quantum computer exists — potentially within 10–15 years. Ground systems can be patched continuously; a satellite on orbit for 12 years cannot. Migration must start at the architectural design phase, not as an afterthought.

Which NIST algorithms should a sovereign space programme prioritise?

For key encapsulation (protecting session keys on uplink/downlink), ML-KEM-768 or ML-KEM-1024 are the current recommendations depending on the classification level of the payload. For digital signatures on commands and firmware updates, ML-DSA-65 offers the best balance of signature size and verification speed for bandwidth-constrained links. NIST explicitly advises against waiting for further algorithms — programmes should begin design work against FIPS 203/204/205 now, with a hybrid classical overlay during the transition period.

What is 'harvest now, decrypt later' and how real is the threat to my satellite operations?

Harvest-now-decrypt-later (HNDL) refers to adversaries recording encrypted traffic today with the intent of decrypting it once quantum computing matures sufficiently to break current public-key algorithms. Classified government satellite telemetry, orbital manoeuvre commands, and intelligence imagery downlinks are prime targets because their value persists for decades. The US NSA, the UK NCSC, and France's ANSSI have all issued public advisories treating HNDL as an active, ongoing threat rather than a theoretical future risk.

Can I migrate my existing on-orbit satellite to PQC without building a new one?

Possibly, but with significant caveats. If the satellite carries a software-defined radio (SDR) payload and an onboard processor with spare compute and memory, a firmware update can introduce PQC algorithms at the link layer. However, if the cryptographic engine is implemented in dedicated hardware (ASICs or FPGAs without reconfigurability), on-orbit migration is not feasible. A thorough on-orbit software-reconfigurability assessment should be your first step; the CCSDS 352.0-B-1 framework provides a useful baseline for what can be updated in-flight.

Why should a sovereign nation own its PQC migration capability rather than buying a managed service from a commercial provider?

A commercial PQC-as-a-service provider controls the key generation, storage, and algorithm selection — precisely the components that define whether your communications are truly sovereign. If that provider operates under a foreign jurisdiction, it is legally compelled to comply with that government's intelligence access demands. Owning the full stack — HSMs, satellite command-encryption modules, ground PKI, and key distribution infrastructure — means no foreign law, no foreign court order, and no vendor acquisition can compromise your national communications without your knowledge.

How long does a full PQC migration for a national satellite constellation typically take?

Industry and government experience (drawing on the US CNSA 2.0 timeline and ESA's internal assessments) suggests 5–8 years for a full-stack migration across a mixed legacy/new-build constellation. The longest poles are: (1) HSM procurement and certification, (2) ground station firmware qualification, and (3) operator retraining. Programmes that begin architecture work immediately and prioritise hybrid-mode operation as a transitional state can achieve meaningful risk reduction within 18–24 months even before full migration is complete.

Does PQC replace quantum key distribution (QKD), or do the two work together?

They address different parts of the problem. PQC replaces classical public-key algorithms (RSA, ECC, Diffie-Hellman) with mathematically hard lattice and hash-based problems that even quantum computers cannot efficiently solve. QKD distributes symmetric keys using quantum physics guarantees, independent of computational hardness assumptions. Best-practice sovereign architecture layers both: PQC for authentication and key encapsulation across the full link budget, QKD where distance and hardware allow, with symmetric encryption (AES-256) as the final payload cipher. Neither is sufficient alone.

What international standards bodies are actively publishing guidance that a national space programme should track?

NIST (FIPS 203/204/205, plus the forthcoming FIPS 206 for FALCON/FN-DSA) is the primary algorithm authority. CCSDS Working Group 2 is updating its cryptographic standards for space link protocols. ETSI's Quantum Safe Cryptography working group publishes migration guides directly applicable to satellite systems. The ITU-T Study Group 17 is developing X-series recommendations on PQC for network security, which affects ground-segment interconnects. ESA's ECSS secretariat is revising space-link security standards to mandate PQC readiness for ESA-funded missions from 2027 onwards.

Glossary

PQC (Post-Quantum Cryptography): Classical mathematical algorithms — based on lattice problems, hash functions, or error-correcting codes — designed to resist attacks from both classical and quantum computers, deployable on existing hardware without quantum infrastructure.
ML-KEM (Module Lattice Key Encapsulation Mechanism): NIST's standardised post-quantum key encapsulation mechanism (formerly CRYSTALS-Kyber), used to securely exchange symmetric session keys over an insecure channel without relying on integer factorisation or discrete logarithms.
ML-DSA (Module Lattice Digital Signature Algorithm): NIST's standardised post-quantum digital signature scheme (formerly CRYSTALS-Dilithium), used to authenticate satellite commands, firmware updates, and telemetry in a quantum-resistant manner.
HNDL (Harvest Now, Decrypt Later): An adversarial strategy in which encrypted traffic is recorded and stored today, with decryption deferred until quantum computing capability is sufficient to break the protecting algorithm — making data with long-term sensitivity vulnerable even before quantum computers exist.
HSM (Hardware Security Module): A tamper-resistant physical device that generates, stores, and manages cryptographic keys and performs cryptographic operations in an isolated, certified environment, preventing key material from ever existing in unprotected memory.
Hybrid Mode: A transitional cryptographic configuration that runs a classical algorithm (e.g. ECDH) and a post-quantum algorithm (e.g. ML-KEM) simultaneously and combines their outputs, so that security holds unless both algorithms are broken concurrently.
CCSDS (Consultative Committee for Space Data Systems): An international standards body comprising the world's major space agencies that defines interoperable protocols and data formats for space communications, including security and cryptographic link protection standards.
CNSA 2.0 (Commercial National Security Algorithm Suite 2.0): The US NSA's mandated algorithm set for protecting national security systems, requiring post-quantum algorithms for all new systems by 2030 and for all legacy systems by 2033, and serving as a de facto global reference for allied nations.
Key Encapsulation Mechanism (KEM): A cryptographic protocol that allows one party to securely generate and transmit a symmetric key to another party using asymmetric cryptography, replacing traditional key exchange methods such as Diffie-Hellman on quantum-vulnerable channels.
SLH-DSA (Stateless Hash-Based Digital Signature Algorithm): NIST's standardised post-quantum signature scheme (formerly SPHINCS+) based solely on the security of cryptographic hash functions, offering a conservative alternative to lattice-based signatures with minimal structural assumptions.

References

FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard — The first of three NIST post-quantum cryptography standards finalised in August 2024, specifying ML-KEM for key encapsulation. It is explicitly recommended for use in protecting communications channels where long-term confidentiality is required, including government and critical infrastructure links.
NSA Cybersecurity Advisory: Quantum-Resistant (QR) Algorithms — CNSA 2.0 — The NSA's Commercial National Security Algorithm Suite 2.0 mandates post-quantum algorithms for all national security systems, setting 2030 as the deadline for new systems and 2033 for all legacy systems. The advisory explicitly identifies satellite command and control as a high-priority migration target.
ETSI TR 103 619: Quantum-Safe Cryptography — Migration and Co-existence — This ETSI technical report provides practical migration strategies for transitioning telecommunications and satellite systems from classical to quantum-safe cryptography, including hybrid-mode interoperability frameworks and risk-tiered prioritisation of link types.
CCSDS 352.0-B-1: Cryptographic Algorithms for CCSDS Protocols — The CCSDS baseline cryptographic standard for space data links specifies approved algorithms for space link authentication and confidentiality. A working group revision to incorporate post-quantum algorithm profiles is underway, with publication expected by the CCSDS Security Working Group in 2026.
ESA Agenda 2025 — Space Security: Cybersecurity for Space Systems — ESA's cybersecurity programme explicitly addresses post-quantum migration for ESA-operated satellite ground segments and mandates PQC readiness assessments for all new ESA mission proposals submitted after January 2025, establishing Europe's institutional baseline for sovereign cryptographic transition.
NISTIR 8413: Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process — This internal report documents the evaluation of 15 candidate algorithms across security, performance, and implementation characteristics, providing the technical rationale behind the selection of CRYSTALS-Kyber, CRYSTALS-Dilithium, Falcon, and SPHINCS+ — now standardised as ML-KEM, ML-DSA, FN-DSA, and SLH-DSA.
ITU Global Cybersecurity Index 2024 — The GCI 2024 identifies post-quantum cryptography transition as a tier-one national cybersecurity priority, noting that 19 nations had issued formal PQC migration mandates as of the survey period and that satellite communications infrastructure is consistently ranked among the highest-risk unprotected legacy systems.
UK NCSC White Paper: Preparing for Quantum-Safe Cryptography — The NCSC advises UK government and critical national infrastructure operators to begin post-quantum migration planning immediately, explicitly warning that harvest-now-decrypt-later interception of satellite telemetry and command links is an active threat from state-level adversaries.
OECD Report on Digital Security of Critical Infrastructure — The OECD estimates that reactive post-quantum migration — undertaken after a cryptographically relevant quantum computer has been demonstrated — will cost governments 3–6 times more than proactive migration, with satellite ground infrastructure identified as a particularly costly retrofit due to certification and hardware replacement cycles.

Related applications

16.1.1 — Sovereign QKD Backbones (Quantum & Sovereign Cryptographic Infrastructure)
16.1.5 — Quantum-Safe Government Comms (Quantum & Sovereign Cryptographic Infrastructure)
16.2.1 — Latency-Arbitrage Backbones (Frontier Orbital Financial Systems)
16.2.2 — Orbital Settlement Nodes (Frontier Orbital Financial Systems)
16.2.3 — Orbital Time Authority (Frontier Orbital Financial Systems)
16.2.4 — Tokenised Earth Observation Markets (Frontier Orbital Financial Systems)
16.2.5 — In-Space Compute for Financial Models (Frontier Orbital Financial Systems)
16.3.1 — Orbital Inference Nodes (Orbital AI & Compute Infrastructure)