Skip to content

CONCEPT Cited by 1 source

Crypto agility

Definition

Crypto agility is the architectural property of a system that allows cryptographic algorithms to be swapped — upgraded, replaced, or deprecated — without re-architecting the system. It means the upgrade path is a configuration change, not a re-architecture.

Why it matters for PQC migration

The PQC transition mandates specific NIST algorithms (ML-KEM, ML-DSA, SLH-DSA) today. But cryptography history shows algorithms get broken or superseded:

  • MD5 → SHA-1 → SHA-2 → SHA-3
  • DES → 3DES → AES
  • RSA-1024 → RSA-2048 → ECC → ML-KEM

A system built with hard-coded algorithm assumptions requires engineering effort proportional to the number of integration points each time a swap is needed. A crypto-agile system abstracts the algorithm choice behind a negotiation layer or configuration boundary.

Crypto agility doesn't mean supporting every algorithm at once. It means building systems so that when the community converges on a better algorithm in the future, the upgrade is a configuration change, not a re-architecture. (Source: sources/2026-06-23-cloudflare-post-quantum-eo-milestone)

Absence from EO 14409

Cloudflare notes that Executive Order 14409 (June 2026) mandates migrating to specific NIST PQC standards but says nothing about crypto agility — a critical omission. OMB implementation guidance should require it.

Design principles

  • Algorithm negotiation at handshake time — TLS cipher-suite negotiation is the canonical example (though imperfect — cipher-suite bloat is a real cost).
  • Pluggable crypto backends — library code programs against an abstract KEM/signature interface; the concrete algorithm is injected at deploy time.
  • Feature flags for algorithm rollout — progressive deployment of new algorithms behind feature gates with rollback capability.
  • Avoid protocol-level algorithm lock-in — design wire formats that include algorithm identifiers and can accommodate new algorithm parameters (key sizes, signature sizes) without breaking framing.

Seen in

Last updated · 559 distilled / 1,651 read