PQC
Post-Quantum Cryptography
Cryptographic algorithms that remain secure even when large-scale quantum computers exist. The foundation of long-term data confidentiality for enterprises deploying AI agents at scale.
Why It Matters for Agentic AI
AI agents exchange sensitive business data across organizations -- financial models, legal documents, customer records, strategic plans. Today, this traffic is encrypted with algorithms like RSA and ECDH that will break when sufficiently powerful quantum computers arrive.
The risk isn't theoretical. Intelligence agencies already practice "harvest now, decrypt later" (HNDL): recording encrypted traffic today, storing it, and waiting for quantum capabilities to decrypt it years from now. If your agents handle data that must remain confidential for 5+ years, HNDL is a real threat.
The NIST Timeline
- August 2024: NIST published FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) -- the first standardized post-quantum algorithms.
- 2025-2030: Transition period. Hybrid mode (classical + PQC) recommended.
- 2030: NSA CNSA 2.0 begins deprecating classical-only algorithms.
- 2035: Full deprecation. Classical RSA/ECDH no longer acceptable for national security systems.
Enterprises in financial services, healthcare, and defense should be planning their transition now.
Three Algorithms You Need to Know
- ML-KEM (FIPS 203, formerly Kyber) -- Key encapsulation. Replaces ECDH for key exchange. This is what protects data in transit.
- ML-DSA (FIPS 204, formerly Dilithium) -- Digital signatures. Replaces ECDSA/RSA for signing. This is what proves identity.
- SLH-DSA (FIPS 205, formerly SPHINCS+) -- Stateless hash-based signatures. Backup for ML-DSA, based on different mathematical assumptions.
What Needs Protection in an Agentic Platform
Not everything is equally sensitive. Here's how to prioritize:
- High priority: Federation key exchange (cross-org agent communication), master encryption keys (CMEK), identity credentials (SVIDs, OAuth tokens)
- Medium priority: Agent-to-agent handoff context, conversation histories containing sensitive data
- Lower priority: Ephemeral intra-tenant messages, status updates, telemetry -- these have short confidentiality windows
How MeetLoyd Implements PQC Readiness
MeetLoyd's security architecture is designed for PQC transition:
- TLS 1.3 enforced on all federation endpoints -- inbound, outbound, and at trust creation time. No TLS downgrade attacks possible.
- Hybrid key exchange ready: Federation trust handshake is architected for ML-KEM-768 + ECDH P-256 hybrid mode (classical + quantum-safe combined).
- Cloudflare edge: All public API traffic already negotiates ML-KEM hybrid when the client supports it.
- CNSA 2.0 aligned: Full migration roadmap for ML-KEM key wrapping (CMEK), ML-DSA signing (SVID), and classical deprecation.
- Sovereign infrastructure: Self-hosted models on private GPUs ensure no cryptographic material transits third-party infrastructure.
The Recommended Transition Strategy
NIST recommends a hybrid approach: combine classical and post-quantum algorithms during the transition period. This way, security is maintained even if one algorithm is broken.
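The hybrid idea above, shown as an added example that is not MeetLoyd's code and not part of the original page: a concatenate-then-HKDF combiner in which the session key depends on both shared secrets and on the handshake transcript. The function names, the label string and the transcript contents are assumptions, and the two secrets are constructed stand-ins for real ECDH P-256 and ML-KEM-768 outputs.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF with SHA-256 (RFC 5869): extract a PRK, then expand it."""
    if not 0 < length <= 255 * 32:
        raise ValueError("length out of range for HKDF-SHA256")
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def _lp(field: bytes) -> bytes:
    """Length-prefix a field so adjacent fields cannot be shifted into each other."""
    return len(field).to_bytes(4, "big") + field

def hybrid_session_key(ecdh_secret: bytes, mlkem_secret: bytes, transcript: bytes,
                       label: bytes = b"example-hybrid-v1 ML-KEM-768+ECDH-P256") -> bytes:
    """Derive one 32-byte session key from both shared secrets (hypothetical helper)."""
    # ECDH P-256 and ML-KEM-768 both output 32-byte shared secrets.
    if len(ecdh_secret) != 32 or len(mlkem_secret) != 32:
        raise ValueError("both shared secrets must be 32 bytes")
    if not transcript:
        raise ValueError("transcript must bind the key to this handshake")
    ikm = _lp(ecdh_secret) + _lp(mlkem_secret)
    salt = hashlib.sha256(transcript).digest()
    return hkdf_sha256(ikm, salt, label)

def demo() -> dict:
    # Constructed stand-ins for the two key-agreement outputs and the handshake bytes.
    ecdh = hashlib.sha256(b"constructed ECDH P-256 shared secret").digest()
    mlkem = hashlib.sha256(b"constructed ML-KEM-768 shared secret").digest()
    transcript = b"constructed: both public keys || ML-KEM ciphertext"
    key = hybrid_session_key(ecdh, mlkem, transcript)
    return {
        # Knowing only the classical secret (the HNDL case) does not yield the key.
        "ecdh_only_insufficient": hybrid_session_key(ecdh, bytes(32), transcript) != key,
        # Knowing only the post-quantum secret does not yield it either.
        "mlkem_only_insufficient": hybrid_session_key(bytes(32), mlkem, transcript) != key,
        # A different handshake gives a different key even with equal secrets.
        "bound_to_transcript": hybrid_session_key(ecdh, mlkem, transcript + b"!") != key,
        "key_hex": key.hex(),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In a real handshake the two inputs come from the ECDH and ML-KEM operations of a vetted cryptographic library; only the combining step is shown here.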