CONCEPT Cited by 1 source
Crypto fragmentation
Definition
Crypto fragmentation is the deployment anti-pattern where different jurisdictions, vendors, or protocol communities mandate or ship different cryptographic algorithms for the same function, resulting in:
- Cipher bloat — more code to write, test, and audit
- Increased attack surface — more negotiation paths means more opportunities for downgrade attacks
- Interoperability failures — endpoints can't negotiate a common algorithm
- Delayed deployment — vendors wait for convergence rather than shipping
Case study: IPsec vs. TLS PQ deployment
The article contrasts two protocol communities' approaches to PQ migration:
| Protocol | Approach | Result |
|---|---|---|
| TLS | Converged on a single hybrid: X25519MLKEM768 (draft-ietf-tls-ecdhe-mlkem) | Rapid, broad deployment; 2/3 of browser traffic PQ-protected by June 2026 |
| IPsec | Vendors shipped proprietary PQ key agreement algorithms that couldn't interoperate | Deployment delayed by years; fragmentation persisted until IETF standardized |
We've seen this happen firsthand in IPsec, where the lack of an interoperable standard led vendors to ship proprietary PQ key agreement algorithms that couldn't interoperate, delaying the migration by years. The TLS community went the opposite way, converging on a single hybrid key agreement (X25519MLKEM768), and deployment followed quickly. (Source: sources/2026-06-23-cloudflare-post-quantum-eo-milestone)
Geopolitical fragmentation risk
If different nations mandate different PQ algorithms (e.g. NIST algorithms vs. national alternatives), a TLS connection between endpoints in different jurisdictions only works if both negotiate the same cryptography. The EO directs the State Department to pursue international alignment on NIST-standardized algorithms.
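The negotiation failure described above and the downgrade risk from the definition, as an added toy model (not from the source article): a simplified TLS 1.3-style group selection with a policy check. X25519MLKEM768 is the real hybrid named on this page; the VENDOR_* names are constructed placeholders for non-interoperable proprietary PQ key agreements, not real code points.

```python
from typing import Optional

# X25519MLKEM768 is the converged TLS hybrid; the VENDOR_* names are constructed
# placeholders standing in for proprietary, non-interoperable PQ key agreements.
CLASSICAL_GROUPS = {"x25519", "secp256r1"}
PQ_HYBRID_GROUPS = {"X25519MLKEM768", "VENDOR_A_PQ_KEM", "VENDOR_B_PQ_KEM"}


def negotiate_group(client_prefs: list[str], server_supported: set[str]) -> Optional[str]:
    """Simplified TLS 1.3 selection: the server takes the first group in the
    client's preference order that it also supports, or None if none match."""
    for group in client_prefs:
        if group in server_supported:
            return group
    return None


def classify(group: Optional[str]) -> str:
    """Defender-side policy check on the negotiated result."""
    if group is None:
        return "HANDSHAKE_FAILURE"        # interoperability failure
    if group in PQ_HYBRID_GROUPS:
        return "OK_PQ"
    return "DOWNGRADE_TO_CLASSICAL"       # silent loss of PQ protection


def run_scenarios() -> dict[str, str]:
    """Three constructed deployments: converged on one hybrid, fragmented PQ
    with a classical fallback, and fragmented PQ with no fallback at all."""
    scenarios = {
        "converged": (["X25519MLKEM768", "x25519"], {"X25519MLKEM768", "x25519"}),
        "fragmented_with_fallback": (["VENDOR_A_PQ_KEM", "x25519"], {"VENDOR_B_PQ_KEM", "x25519"}),
        "fragmented_no_fallback": (["VENDOR_A_PQ_KEM"], {"VENDOR_B_PQ_KEM"}),
    }
    return {name: classify(negotiate_group(c, s)) for name, (c, s) in scenarios.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:26s} -> {outcome}")
```

The middle scenario is the one to monitor for: the handshake succeeds, so nothing alarms, but the connection has quietly lost its PQ protection; a "require PQ group" check on the negotiated result is what surfaces it.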
Historical precedent: NIST's open competitions (AES, SHA-3, PQC) all selected algorithms designed by international teams — the Belgian-designed AES, the Belgian-Italian SHA-3, the European-led ML-KEM. The algorithms belong to the global community even though NIST organized the process.
Seen in
- sources/2026-06-23-cloudflare-post-quantum-eo-milestone — TLS vs. IPsec fragmentation contrast; geopolitical alignment recommendation