As one of the two organizers of the PQC Update 2026 at Fraunhofer AISEC, I experienced the day as a journey: from an international perspective on strategies and standards, through concrete implementations in ID cards, chips, HSMs, and ID tokens, to very specific migration considerations and tools for businesses.
1. The Context: Strategies, Standards, and Migration as a Shared Responsibility
Bor de Kock from TNO in the Netherlands provided the broader context. He demonstrated how the Netherlands is organizing the transition to post-quantum cryptography as a collaborative project. TNO serves as a bridge between research, government agencies, and industry: through a PQC working group, projects on quantum-secure PKI (Public Key Infrastructure, the certificate system of our internet), and a PQC migration handbook, which is now available in version 2.0.
This handbook translates abstract recommendations from NIST, ENISA, or national authorities into concrete steps: inventorying cryptographic assets, assessing risks, setting priorities, selecting algorithms, and planning migration paths. De Kock’s key message: Success comes to those who start early and view PQC as an ecosystem project, rather than a task for a single cryptography team.
Benjamin Zengin of Fraunhofer AISEC took up this thread. He compared the strategies of the EU, Germany, France, the Netherlands, the United Kingdom, and the United States. The general consensus:
By around 2035, all major players aim to have largely transitioned their cryptography to PQC. Hash-based signatures are considered particularly secure and are permitted everywhere, even without being combined with classical methods. For all other PQC methods standardized to date, the differences lie in the role of hybrid methods – that is, combinations of classical cryptography and PQC. While Europe generally views hybrid methods as a safety net for many years to come, the UK and the US regard them more as a necessary but temporary transitional solution.
Peter Thomassen (SSE Secure Systems Engineering GmbH) from the Internet Engineering Task Force (IETF) explained how such consensus is translated into technical standards. The IETF develops the protocols that keep the Internet running, such as TLS (Transport Layer Security, i.e., the encryption behind »https://«) or IPsec (securing network connections). Decisions at IETF are made based on »rough consensus and running code«: An idea only gains acceptance once major objections have been resolved and there are working implementations.
Numerous working groups are already working to integrate PQC into core protocols, including hybrid and pure PQC schemes for TLS 1.3, PQC extensions for IPsec, SSH, and OpenPGP, as well as new certificate structures using Merkle trees (tree structures that secure many values with a single manageable »root«).
A growing portion of HTTPS traffic is already protected against post-quantum attacks today, often without end users even realizing it.
2. Identities, Logins, and IDs: How PQC Is Being Adopted in Everyday Life
PQC became particularly tangible whenever the topic of everyday applications came up – for example IDs and logins.
Frank Morgner of Bundesdruckerei GmbH presented a »PQC Ready ID Card«: an ID card that already uses PQC in the protocols for electronic identity documents (eID) and electronic travel documents (eMRTD). The card employs a hybrid approach combining traditional methods (such as ECDSA, an ECC signature) and new PQC methods (e.g., ML-DSA and ML-KEM, two standard algorithms selected by NIST).
Tests have shown that while the PQC variant is slightly slower, the difference is barely noticeable in everyday border control operations. Factors such as NFC transmission of facial images and fingerprints continue to be decisive for processing time, not cryptography. Morgner therefore proposes a two-step migration path: first, switch passive authentication (signatures based on ID data) to PQC, and later, in a second step, switch active protocols such as chip authentication and PACE.
Samuel Schedler and Thomas Lachmann (Giesecke+Devrient) expanded on this approach with a fully functional demonstrator for the German ID card. On a real smart card chip with very limited memory, they implemented the relevant protocols (EACv2) using both classical and PQC algorithms, as well as hybrid variants.
The clear conclusion is that even on these limited platforms, PQC is practically feasible if memory and computational resources are carefully optimized and hardware support for key components is added as needed.
Even more relevant to the daily lives of many users was the presentation by Johann-Philipp Thiers (Swissbit AG), who demonstrated how FIDO2 and passkeys can be integrated into the PQC ecosystem. FIDO2 and WebAuthn are standards that replace passwords with cryptographic key pairs. They are considered particularly resistant to phishing because each login credential is tied to a specific domain.
Thiers demonstrated security keys that are already capable of generating PQC-based passkeys using ML-DSA. Messages are becoming significantly larger and protocols more complex, but the principle remains the same: the private key remains secure in the authenticator (e.g., the security key or smartphone), while the service only knows the public key. Going forward, it will be crucial for all components – hardware, operating systems, browsers, and services – to become crypto-agile, enabling them to flexibly support multiple families of algorithms.
3. Hardware in the Quantum Age: From Open Root of Trust to HSM
To ensure that PQC is embedded not only in software but also deep within devices, new hardware components are needed.
Tobias Stelzer (Fraunhofer AISEC) presented OpenTitan, an open hardware platform that serves as a silicon root of trust – that is, as a security anchor in devices such as Chromebooks or security keys. At its core is the OTBN coprocessor, which was originally developed for classical public-key cryptography and is now being specifically enhanced for PQC: with special instructions for lattice-based methods, vector operations, and larger memory.
PQC signature verifications become possible in the millisecond range, within strict secure boot requirements (a device must boot up in under 120 milliseconds). Stelzer’s conclusion: With manageable hardware modifications, it is possible to create an open, auditable platform that supports PQC out of the box.
Volker Krummel of Utimaco then turned his attention to large hardware security modules (HSMs) – devices used to protect the keys of banks or certification authorities, for example. He demonstrated that while hash-based signatures such as LMS or XMSS are cryptographically very attractive (small keys, good performance), they have one critical drawback: they allow only a limited number of signatures per key and require strict state management. A single incorrect backup or improper synchronization of multiple HSMs can completely undermine security.
To address this, Utimaco has developed a generic, formally analyzed framework that ensures all security-critical operations remain within the HSM, states are properly synchronized, and communication between HSMs is protected end-to-end. The message to operators: PQC in HSM infrastructures is feasible if state management is taken seriously as a core security task.
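The state-management failure described above, as an added example that is not part of the talk or of Utimaco's framework: a simplified model of the signing state of an LMS/XMSS key, showing how a restored stale backup reuses a one-time leaf index and how disjoint index ranges per HSM avoid a shared counter. The class and function names, the log record shape, and the sample data are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


class StateExhausted(Exception):
    """Raised when a range has no unused one-time leaf indices left."""


@dataclass
class LeafAllocator:
    """Hypothetical model of one HSM's signing state for an LMS/XMSS key."""
    next_index: int
    end: int  # exclusive upper bound of the range this HSM owns

    def allocate(self) -> int:
        if self.next_index >= self.end:
            raise StateExhausted("no unused leaf indices left in this range")
        index = self.next_index
        # In a real HSM this increment must be durable before the signature is released.
        self.next_index += 1
        return index


def partition(total_leaves: int, hsm_count: int) -> list:
    """Give each HSM a disjoint index range so no shared counter has to stay in sync."""
    size = total_leaves // hsm_count
    return [LeafAllocator(i * size, (i + 1) * size) for i in range(hsm_count)]


def find_reuse(log) -> list:
    """Return every leaf index that appears more than once in (hsm, index, digest) records."""
    counts = Counter(index for _hsm, index, _digest in log)
    return sorted(index for index, n in counts.items() if n > 1)


def restore_from_stale_backup() -> list:
    """Constructed scenario: state is snapshotted, used further, then rolled back."""
    hsm = LeafAllocator(0, 8)
    log = [("hsm-a", hsm.allocate(), "digest-0"), ("hsm-a", hsm.allocate(), "digest-1")]
    backup = LeafAllocator(hsm.next_index, hsm.end)      # backup taken at index 2
    log.append(("hsm-a", hsm.allocate(), "digest-2"))    # index 2 used after the backup
    hsm = backup                                         # stale backup restored
    log.append(("hsm-a", hsm.allocate(), "digest-3"))    # index 2 signs a second message
    return log


def partitioned_cluster() -> list:
    """Constructed scenario: two HSMs sign independently from disjoint ranges."""
    a, b = partition(total_leaves=16, hsm_count=2)
    return [("hsm-a", a.allocate(), "digest-0"), ("hsm-b", b.allocate(), "digest-1"),
            ("hsm-a", a.allocate(), "digest-2"), ("hsm-b", b.allocate(), "digest-3")]
```

Running `find_reuse` over a signature audit log is a cheap after-the-fact check; it does not replace keeping the counter update inside the HSM.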
4. Practice in Large Organizations: From E-Government to Deutsche Bahn
Two practical presentations demonstrated how all of this plays out in large organizations.
Sara-Jane Bittner and Klaus Lüttich (Governikus GmbH) used OSCI (the standard transport protocol for many German e-government processes) as an example to explain how complex PQC migration becomes when billions of messages need to be transmitted confidentially and authentically. OSCI combines signatures, encryption, multiple key pairs, and asynchronous processes. The system runs through numerous specialized procedures, from the population register to family benefits.
Their key points:
- A »big bang« transition is unrealistic.
- We need to run traditional and PQC methods in parallel, with clear roles and coordinated timelines.
- Many stakeholders must be coordinated: the BSI, KoSIT, standardization bodies, PKI providers, specialized software vendors, and government agencies.
Manfred Rieck (DB Systel GmbH) demonstrated how a critical infrastructure like Deutsche Bahn is addressing PQC. For DB, quantum computing represents both an opportunity (improved scheduling and resource allocation solutions) and a risk (a threat to current cryptography). That is why Deutsche Bahn is working on a group-wide roadmap which includes the following essential topics: inventorying cryptographic assets, assessing risks by criticality, establishing a PQC testbed, introducing hybrid methods, and later phasing out classical methods in a controlled manner. Key to this is integration into an ecosystem comprising research projects and the Federal Quantum Alliance.
5. No transparency, no migration: Cryptography inventories
Further presentations made it clear: Before we migrate anything, we need to know exactly what we’re using.
Alexander Küchler of Fraunhofer AISEC demonstrated how open-source software can be analyzed automatically. Code graphs are used to identify cryptographic calls, algorithms, and libraries, which are then compiled into a Cryptographic Bill of Materials (CBOM), a kind of cryptography parts list. This CBOM not only shows which methods are used where, but also assesses whether they are still recommended and how exposed they are within the software architecture.
Christian Näther (Xitaso GmbH) presented a »Cryptographic Inventorization Pipeline« that generates a CBOM with every build or deployment and feeds it into a central cryptographic inventory. Especially in light of the NIS 2 Directive and Implementing Regulation 2024/2690, it becomes clear: Those who do not know which certificates, cipher suites, and keys are in use and where cannot properly implement PQC or credibly meet regulatory requirements.
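The inventory idea from both talks, as an added example that is not the tooling presented by either speaker: a syntax-tree walk over Python source that records `hashlib` calls, where they sit, and whether a policy table still recommends them. It narrows the problem to one library and uses a plain AST instead of a code graph; the sample source, the policy table and the output structure are constructed assumptions, and the output is not the CycloneDX schema.

```python
import ast

# Constructed sample source to analyse (not taken from any real project).
SAMPLE = '''
import hashlib
def fingerprint(data):
    return hashlib.md5(data).hexdigest()
def token_digest(token):
    return hashlib.sha256(token).hexdigest()
def legacy(data):
    return hashlib.new("sha1", data).digest()
'''

# Assumed, simplified policy table for this example only.
POLICY = {"md5": "deprecated", "sha1": "deprecated",
          "sha256": "acceptable", "sha3_256": "acceptable"}


class HashlibCallFinder(ast.NodeVisitor):
    """Records every hashlib.<algo>(...) or hashlib.new("<algo>", ...) call."""

    def __init__(self):
        self.findings = []
        self.scope = ["<module>"]

    def visit_FunctionDef(self, node):
        self.scope.append(node.name)      # remember where the call is located
        self.generic_visit(node)
        self.scope.pop()

    def visit_Call(self, node):
        func = node.func
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "hashlib"):
            algo = func.attr
            if algo == "new" and node.args and isinstance(node.args[0], ast.Constant):
                algo = str(node.args[0].value).lower()
            self.findings.append({"algorithm": algo, "library": "hashlib",
                                  "function": self.scope[-1], "line": node.lineno,
                                  "status": POLICY.get(algo, "unknown")})
        self.generic_visit(node)          # also catch calls nested in arguments


def build_cbom(source):
    """Return a CBOM-like inventory (simplified, not the CycloneDX schema)."""
    finder = HashlibCallFinder()
    finder.visit(ast.parse(source))
    return {"components": finder.findings}


def deprecated_entries(cbom):
    """Entries that the policy table marks as no longer recommended."""
    return [c for c in cbom["components"] if c["status"] == "deprecated"]
```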
6. How to use hybrid methods correctly
Jan Klaußner (Bundesdruckerei GmbH) took a closer look at a question that ran like a common thread through many of the presentations: How do we use hybrid methods correctly?
He categorized hybrid designs along three axes:
- Where is the combination made – in the protocol (e.g., two handshakes) or in the algorithm itself (a signature or KEM scheme that internally combines multiple methods)?
- How tightly are the components bound together – can they be verified separately, or does the verification fail if one component is missing (keyword: »non-separability«)?
- What is the hybrid’s role in migration – does it primarily serve interoperability, backward compatibility, or maximum security?
Using existing email logs, he demonstrated how new hybrid formats can quickly conflict with existing systems.
The most practical approach involves algorithmic hybrids that are built into cryptographic libraries, are protected against »stripping« attacks through weak non-separability, and promote interoperability. Explicit composite standards, such as those currently being developed within the IETF, represent a pragmatic first step in this direction. More generic approaches promise greater agility in the long term, but still require standardization and practical experience.
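The binding axis and the stripping problem, as an added example that is not from the talk or from any IETF draft: when both components sign the bare message, removing the PQC half leaves a signature that a classical-only verifier still accepts; when both sign a labelled message, the stripped half no longer stands alone. HMAC is a stand-in for the two signature algorithms so the code runs on the standard library, and the keys, label and function names are constructed assumptions.

```python
import hashlib
import hmac

# Stand-ins for the classical and PQC component algorithms. HMAC is a symmetric
# MAC, not a signature scheme; it only keeps the example on the standard library.
CLASSIC_KEY = b"constructed-classical-key"   # constructed value
PQC_KEY = b"constructed-pqc-key"             # constructed value
HYBRID_LABEL = b"example-hybrid-v1|"         # hypothetical domain separator


def mac_sign(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_verify(key, data, sig):
    return hmac.compare_digest(mac_sign(key, data), sig)


def sign_separable(msg):
    """Both components sign the bare message, so each half also stands alone."""
    return {"classic": mac_sign(CLASSIC_KEY, msg), "pqc": mac_sign(PQC_KEY, msg)}


def sign_bound(msg):
    """Both components sign label || message, leaving a hybrid artifact in each half."""
    bound = HYBRID_LABEL + msg
    return {"classic": mac_sign(CLASSIC_KEY, bound), "pqc": mac_sign(PQC_KEY, bound)}


def strip_pqc(sig):
    """Result of stripping: the PQC component has been removed in transit."""
    return {name: value for name, value in sig.items() if name != "pqc"}


def verify_classical_only(msg, sig):
    """A verifier that knows only the classical algorithm and the bare message."""
    return "classic" in sig and mac_verify(CLASSIC_KEY, msg, sig["classic"])


def verify_bound(msg, sig):
    """Hybrid verifier: both components must be present and valid over label || message."""
    if set(sig) != {"classic", "pqc"}:
        return False
    bound = HYBRID_LABEL + msg
    return (mac_verify(CLASSIC_KEY, bound, sig["classic"])
            and mac_verify(PQC_KEY, bound, sig["pqc"]))
```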
Following the 5th PQC Update, a clear picture has emerged:
- The strategies are in place: international roadmaps, national guidelines, and industry-specific scenarios.
- Standards are being developed and are already in use in some cases.
- The technology works: from PQC ID cards and open security chips to passwordless logins using new algorithms.
- The tools we need to clean up our cryptographic landscapes are ready to go.
The real challenge now is less about the math and more about organization: creating transparency, clarifying responsibilities, building ecosystems, and planning migration as a multi-year process.
Or to put it bluntly: The post-quantum era has begun. The question is no longer whether we will make the transition, but how well prepared we will be when we do.
You can find impressions of the event here: PQC Update 2026
Thank you!
Special thanks go to my colleague Marian Margraf, Head of the Secure Systems Engineering Department at Fraunhofer AISEC, with whom I co-organized the PQC Update, and to Georg Sigl, Director of Fraunhofer AISEC, who co-initiated and opened the event.
Glossary:
- PKI (Public Key Infrastructure): An infrastructure consisting of certificates, keys, and services that enables, for example, »https://« and digital signatures.
- FIDO2 / WebAuthn: Open standards for passwordless login using key pairs and authenticators (security keys, smartphones, platform authentication).
- TLS (Transport Layer Security): A protocol that encrypts connections on the Internet (indicated by »https://« in the address bar).
- HSM (Hardware Security Module): A device that stores and uses cryptographic keys in highly secure hardware.
- CBOM (Cryptographic Bill of Materials): A structured list of all cryptographic components (algorithms, keys, certificates) in a software application or system.
- Hybrid methods: Cryptographic schemes that combine classical and PQC methods to enhance security and compatibility.
Author
Daniel Loebenberger
Prof. Dr. Daniel Loebenberger has been head of the Secure Infrastructure Department at Fraunhofer AISEC in Weiden i.d.OPf. since 2019 and is a professor of cybersecurity at Ostbayerische Technische Hochschule (OTH) Amberg-Weiden. His research focuses on applied cryptography, secure infrastructures, and practical applications of post-quantum cryptography.




