PQC prioritisation framework
Definition
The PQC prioritisation framework organises use cases for post-quantum-cryptography migration by attack class, not by asset value. Meta proposes a three-tier taxonomy:
| Tier | Attack class | Example primitive use | Priority |
|---|---|---|---|
| High | Offline attacks — initiable today, completed later via Shor (SNDL) | Quantum-vulnerable public-key encryption + key exchange (RSA-KEX, DH, ECDH) | Highest — attacker only needs patience. Further split by external-dependency status. |
| Medium | Online attacks — requires a CRQC to execute via Shor | Quantum-vulnerable digital signatures (RSA, ECDSA, Ed25519) | Further split by patching capability: medium-high (hard to patch — hardware-baked keys) vs medium-low (software-upgradeable). |
| Low | Grover-only attacks with inadequate parameters | Symmetric primitives (AES-128, SHA-1) | Lowest — "enormous resource requirements" + "doubts about whether such an attack will ever be feasible." |
This is Meta's 2026-04-16 PQC migration-strategy framework:
> We have created a criteria that allows us to classify any application into different prioritization levels. To this end, we analyze various aspects that influence such a prioritization. (Source: sources/2026-04-16-meta-post-quantum-cryptography-migration-at-meta-framework-lesson)
High-priority: offline-attackable
> Susceptible to attacks that can be initiated now without the existence of a quantum computer (offline attacks) and efficiently completed later (SNDL attack by means of Shor's algorithm). Any application using quantum vulnerable public-key encryption and key exchange primitives falls into this category.
The high-priority classification is independent of when a cryptographically relevant quantum computer (CRQC) arrives — the attacker needs nothing from the future except patience. This is the harvest-now-decrypt-later (HNDL) threat, called SNDL (store now, decrypt later) above, applied to classification.
Meta sub-divides by external dependency status:
- High, no external dependencies: can be migrated right away.
- High, external dependencies: must wait for external actors (standards bodies, HSM vendors, OSS implementations) before migration is possible. The organisation has done its part but is gated.
This distinction matters for migration project planning: unblocked High-priority work runs in parallel; dependency-gated High-priority work needs an explicit waiting-room-with-tracking process.
Medium-priority: online-attackable
> Susceptible to attacks that can only be initiated with a quantum computer in the future when a sufficiently powerful quantum computer is available (online attacks) and which will be efficiently performed (Shor's algorithm).
The key distinction from High: online attacks cannot be pre-staged. The attacker must have the CRQC operational to execute. This buys time that HNDL-vulnerable primitives don't have.
Meta sub-divides by patching capability for long-lifespan applications:
- Medium-high risks are hard to patch:
  Applications that have public keys baked into hardware.
  Examples: firmware-signed devices with embedded root public keys, HSM-baked roots of trust, hard-coded-in-silicon certificate authorities. Even if the CRQC threat is lower today, the cost of response when the threat materialises is enormous.
- Medium-low risks are possible to patch:
  Software upgrades.
  Deployable fixes once PQ signature primitives mature.
"The patching capability is particularly relevant for applications with long lifespans (i.e., time for development + time deployed in the field)." — see concepts/long-lived-key-risk.
Low-priority: Grover-only
> Susceptible to inefficient quantum attacks only (Grover's attack). As presented in many academic publications (e.g., Gheorghiu and Mosca, 2025), the enormous resource requirements to run such an attack (which even raises doubts about whether such an attack will ever be feasible) make them the lowest risk. Any application using symmetric cryptography with inadequate parameters falls into this category.
Grover's algorithm gives a quadratic (not exponential) speedup against symmetric search. Doubling key sizes (AES-128 → AES-256) restores security margins. The practical resource cost for Grover at scale is "enormous" — enough to raise doubts about whether the attack will ever be practical.
Low-priority doesn't mean ignore: AES-128 applications should be on the PQC migration radar eventually, but after all High and Medium work is done.
Why by attack class, not asset value
Traditional risk-prioritisation weighs the value of the protected asset — classify the most valuable data as highest priority. Meta's framework inverts the axis and classifies by attacker cost:
- Attack class is a more stable input. Asset values shift (reorgs, product launches); the primitive-to-attack-class mapping is fixed by mathematics.
- Attack class captures temporal dynamics. HNDL attacks are initiable today; online signature attacks are not. This forces ordering: start with primitives vulnerable to already-initiable attacks.
- Asset value enters second. Once classified by attack class, within each tier the highly-valuable use cases are migrated first — but you don't skip tier-High-low-value to migrate a tier-Low-high-value use case first.
Complements the ladder, doesn't replace it
The framework sits orthogonal to PQC Migration Levels:
- Levels answer "what readiness state are we in for this use case?" (PQ-Unaware → PQ-Enabled).
- Framework answers "which use case do we advance first?" (High / Medium / Low + dependency / patching status).
Together they drive a portfolio roadmap:
- For each High-priority-no-external-dependencies use case, drive it from PQ-Unaware → PQ-Enabled as quickly as possible.
- For each High-priority-external-dependencies use case, drive it to PQ-Ready and track the dependency.
- For each Medium-priority use case, prioritise by lifespan and patchability.
- For Low-priority, schedule after High and Medium.
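The tiering and roadmap rules above can be applied mechanically to a crypto inventory. The sketch below is an added example, not Meta's code: the `UseCase` fields, the 0-10 `asset_value` score and the sample inventory are assumptions made for illustration, and the primitive sets contain only the examples from the table.

```python
from dataclasses import dataclass

# Primitive sets are the examples in the page's table; extend from your own inventory.
OFFLINE = {"RSA-KEX", "DH", "ECDH"}      # key exchange / encryption: recordable today
ONLINE = {"RSA", "ECDSA", "Ed25519"}     # signatures: forging needs a running CRQC
GROVER_ONLY = {"AES-128", "SHA-1"}       # symmetric, inadequate parameters

@dataclass
class UseCase:
    name: str
    primitive: str
    external_dependency: bool = False  # High sub-split
    hardware_baked_key: bool = False   # Medium sub-split (hard to patch)
    asset_value: int = 0               # hypothetical 0-10 score, used only within a tier

def classify(uc):
    """Return (sort_rank, label, roadmap_action) for one use case."""
    if uc.primitive in OFFLINE:
        if uc.external_dependency:
            return 0, "high/external-dependency", "drive to PQ-Ready, track dependency"
        return 0, "high/no-external-dependency", "drive to PQ-Enabled now"
    if uc.primitive in ONLINE:
        if uc.hardware_baked_key:
            return 1, "medium-high", "prioritise by lifespan and patchability"
        return 2, "medium-low", "prioritise by lifespan and patchability"
    if uc.primitive in GROVER_ONLY:
        return 3, "low", "schedule after High and Medium"
    raise ValueError(f"{uc.primitive!r} is not covered by the page's table")

def roadmap(inventory):
    """Order by attack class first; asset value only breaks ties inside a tier."""
    rows = [(classify(uc), uc) for uc in inventory]
    rows.sort(key=lambda r: (r[0][0], -r[1].asset_value))
    return [(uc.name, c[1], c[2]) for c, uc in rows]

# Constructed sample inventory (names and scores are illustrative).
INVENTORY = [
    UseCase("billing-db-at-rest", "AES-128", asset_value=10),
    UseCase("internal-rpc-tls", "ECDH", asset_value=3),
    UseCase("partner-vpn", "DH", external_dependency=True, asset_value=6),
    UseCase("device-firmware-root", "ECDSA", hardware_baked_key=True, asset_value=5),
    UseCase("ci-artifact-signing", "Ed25519", asset_value=8),
]

if __name__ == "__main__":
    for name, label, action in roadmap(INVENTORY):
        print(f"{label:28} {name:22} {action}")
```

The highest-value entry (`billing-db-at-rest`) still sorts last because it is Grover-only, and an unlisted primitive raises rather than silently falling into a tier.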
Seen in
- sources/2026-04-16-meta-post-quantum-cryptography-migration-at-meta-framework-lesson — canonical introduction of the three-tier framework with sub-splits on external-dependencies (High) and patching capability (Medium). Named as the first step of Meta's PQC migration strategy.
Related
- concepts/post-quantum-cryptography — the umbrella concept.
- concepts/harvest-now-decrypt-later — the threat driving the High tier.
- concepts/post-quantum-authentication — the threat driving the Medium tier.
- concepts/pqc-migration-levels — the readiness ladder the framework drives sequencing against.
- concepts/long-lived-key-risk — why Medium-high is prioritised above Medium-low.
- concepts/crypto-inventory — the data substrate the framework reads from.
- patterns/third-party-dependency-quantum-assessment — scopes the external-dependency half of High-priority.