Quantum Risk Institute
Crypto-Agility Roadmap
Crypto-agility is the ability to find, evaluate, replace, and monitor cryptography without rebuilding the organization every time standards change.
Why it matters
Quantum readiness starts with knowing where public-key cryptography exists. Many organizations do not have a complete inventory of certificates, protocols, libraries, embedded devices, vendor dependencies, and long-lived data flows.
QRI roadmap
- Inventory cryptographic assets and data shelf life.
- Prioritize systems that protect long-lived or high-value information.
- Map dependencies on RSA, ECDH, ECDSA, DH, and related public-key systems.
- Test hybrid and PQC-ready deployments where appropriate.
- Create governance for algorithm updates and emergency migration.
Related QRI pages
Sources and further reading
- NIST NCCoE - Migration to post-quantum cryptography
- CISA - Quantum-readiness migration to post-quantum cryptography
- NSA - Post-Quantum Cybersecurity Resources
- NIST CSRC - Post-Quantum Cryptography project
QRI content is educational research commentary, not financial advice, legal advice, or a prediction.
QRI analysis notes
Crypto-Agility Roadmap should be read as part of a broader risk model, not as an isolated prediction. QRI separates three questions: what has been publicly demonstrated, what would be required for cryptographic relevance, and how long migration would take for systems that depend on vulnerable public-key cryptography.
The current public evidence still supports a low near-term Bitcoin threat level. At the same time, the 2025 expert timeline discussion, post-quantum standards activity, and harvest-now-decrypt-later risk all point to the same planning lesson: organizations should use the quiet period to inventory cryptography, understand data shelf life, and reduce future migration pressure.
How QRI reviews this topic
For this page, QRI looks for primary-source support, clear language, internal consistency with the 0-100 Quantum Threat Level, and explicit separation between Bitcoin-specific risk and broader public-key infrastructure risk. A page does not earn trust by sounding certain. It earns trust by explaining what is known, what is unknown, and what evidence would change the conclusion.
Readers should treat this page as educational research commentary. It is not financial advice, legal advice, or a prediction that a specific quantum computer will arrive by a specific date. The right operational response is proportional readiness: monitor credible evidence, follow standards, and prepare migration paths before urgency becomes expensive.