India’s National Quantum Mission launches detailed roadmap to quantum resiliency

India’s Department of Science & Technology, under the National Quantum Mission (NQM), has released a comprehensive roadmap for building a quantum-safe ecosystem.

Contents

The quantum-safe migration roadmap: Phased approach
Testing and certification framework: Assurance levels and lab structure
Technology approaches: PQC, QKD, and interim solutions
Testing requirements: Cryptographic, interoperability, performance, and security
Certification process
Crypto-agility: Preparing for continuous change
Technology considerations for quantum-safe migration across CII
Looking ahead: Strategic roadmap for post-quantum security

The NQM’s objectives include:

Quantum Computing Hub (IISc Bengaluru): Advancing scalable quantum processors.
Quantum Communication Hub (IIT Madras & C-DOT): Developing secure quantum communication systems, including long-distance fibre-based and satellite-based QKD links.
Quantum Sensing and Metrology Hub (IIT Bombay): Advancing ultra-precise quantum sensors and measurement standards.
Quantum Materials and Devices Hub (IIT Delhi): Driving innovation in quantum materials and device engineering.

A Task Force, chaired by Dr. Rajkumar Upadhyay (C-DOT), was constituted to develop a structured roadmap for quantum-resilient security. Two sub-groups were formed:

Sub-Group I (TEC): Developed a unified structure and minimum framework for testing and certification of quantum-safe products and solutions.
Sub-Group II (DSCI): Developed a strategy for PQC migration, quantum resiliency, and crypto-agility.

The Task Force includes leaders from C-DOT, NSCS, TEC, DRDO, DSCI, RBI, SEBI, IITs, and industry, reflecting a multidisciplinary approach. Sub-groups focused on testing/certification and migration strategy, with extensive input from government, academia, and industry.

The quantum-safe migration roadmap: Phased approach

Milestone 1: Building Foundations (Critical Information Infrastructure [CII] by 2027, Enterprises by 2028)

Establish leadership, governance, and cross-functional quantum risk management.
Inventory cryptographic assets and assess quantum risk.
Initiate pilot projects and early migration of high-priority systems.
Mandate Cryptographic Bills of Materials (CBOMs) from vendors.
Conduct quantum risk analysis and adopt crypto-agility as a guiding principle.

Milestone 2: Migration of High-Priority Systems (CII by 2028, Enterprises by 2030)

Convert pilots into full migration programs with KPIs.
Enforce “no new classical-only deployments”.
Upgrade PKI, HSMs, KMS, and libraries to PQC-ready versions.
Mandate PQC-capable digital signatures.
Develop cryptographic incident response playbooks.
Integrate PQC training into cybersecurity, DevOps, and IT programs.

Milestone 3: Full PQC Adoption (CII by 2029, Enterprises by 2033)

Complete enterprise-wide PQC/hybrid adoption.
Operate PQC-only trust chains.
Maintain long-term vendor oversight and continuous algorithm updates.
Layered risk management for legacy systems.
Establish long-term certification and audit programs for external PQC solutions.

Testing and certification framework: Assurance levels and lab structure

A national framework for testing and certifying quantum-safe products has been developed, with four assurance levels:

Level 1: Basic conformance for low-risk environments.
Level 2: Secure software and hardware assurance for medium-risk deployments (subdivided into software, IT/IoT hardware, and OT hardware).
Level 3: Enterprise infrastructure security for high-risk sectors.
Level 4: Critical infrastructure security for sovereign-grade systems.

A three-tier laboratory structure supports scalable certification:

Tier-1 labs: Basic testing and standards conformance.
Tier-2 labs: Software/hardware assurance, vulnerability assessment.
Tier-3 labs: Advanced evaluations, crypto-agility, and indigenous algorithm assessment.

Certification validity is risk-aligned, ranging from three years for Level 1 to ten years for Level 4, subject to ongoing surveillance and re-assessment. The certification process includes submission, pre-assessment, testing, evaluation, review, issuance, and surveillance.

Technology approaches: PQC, QKD, and interim solutions

Post-Quantum Cryptography (PQC): Upgrades algorithms to resist quantum attacks, deployable via software or hardware. PQC is the most pragmatic and scalable approach for broad adoption.
Quantum Key Distribution (QKD): Hardware-intensive, suited for high-assurance environments; must be combined with PQC for comprehensive security.
Composite Approaches: Combine PQC and QKD for strategic communication links.
Interim Solutions: Quantum gateways, VPNs, proxies, and tunnels are recommended to protect data in motion during transition. Quantum & True Random Number Generators (QRNG/TRNG) enhance cryptographic key generation.

Testing requirements: Cryptographic, interoperability, performance, and security

The framework specifies rigorous test cases for each assurance level, including:

Cryptographic algorithm checks (e.g., ML-KEM, ML-DSA, SPHINCS+).
RFC protocol conformance (TLS, IPsec, SSH, S/MIME).
Cross-library, cross-platform, and cross-language interoperability.
Performance metrics (key generation time, throughput, memory footprint).
Security assurance (side-channel resistance, vulnerability analysis, secure coding, hardware root of trust).
Supply chain security and disaster recovery validation.

Certification process

Vendors submit products for certification, which undergo pre-assessment, testing, evaluation, and review by certification authorities. Certificates are issued with clear assurance levels and validity periods. Surveillance and re-certification are mandated for major upgrades or vulnerabilities. The maximum time for testing and certification is six months, subject to infrastructure development.

Strategic Roadmap: Timelines and PQC Personas

Urgent Adopters: Critical infrastructure (defence, power, telecom, ISRO, DRDO, ONGC) must complete migration by 2029.
Regular Adopters: Enterprises with moderate risk follow baseline milestones (2028, 2030, 2033).
Technology Providers: Vendors must lead by example, publish migration roadmaps, and enable PQC features by default.

Crypto-agility: Preparing for continuous change

The roadmap emphasizes crypto-agility—the ability to rapidly update algorithms, keys, and protocols. This is essential as PQC standards evolve and new vulnerabilities emerge. Governance, system design, procurement, and operational practices must embed adaptability. Elements of crypto-agility include:

Governance and oversight.
System and architecture design.
Procurement and vendor alignment.
Operational practice (periodic reviews, automated certificate and key rotations).

Challenges and Opportunities

Legacy System Complexity: Diverse and inflexible legacy infrastructures, often lacking crypto-agility, will require redesign or replacement.
Interoperability: Coexistence of classical and quantum-safe cryptography increases complexity and introduces risks of downgrade or insecure fallback.
Vendor Readiness: Uneven PQC preparedness among suppliers may delay migration and disrupt enterprise timelines.
Performance Impact: PQC algorithms may increase computational overhead, necessitating performance testing and infrastructure optimization.
Skills Shortage: Limited availability of PQC-skilled professionals highlights the need for targeted capacity building and continuous training.
Governance and Investment Continuity: Sustained executive oversight, funding, and program discipline are essential to move beyond pilots to enterprise-wide adoption.
Assurance and Validation Gaps: Independent validation is critical to ensure correct implementation and prevent reversion to vulnerable cryptography.
Cross-Sector Coordination Risks: Inconsistent migration approaches across interconnected sectors could undermine interoperability and trust chains.

Recommendations of the Task Force

Launch PQC/hybrid pilots in high-priority systems.
Establish a National PQC Testing & Certification Program.
Adopt common procurement requirements for crypto-agile and PQC-compliant assets.
Prefer indigenously developed quantum-safe products.
Organize awareness workshops and sector-specific guidance.
Upgrade labs and develop national testbeds for PQC and QKD.
Continuous monitoring, capacity building, and vendor alignment.
Mandate CBOM submissions from vendors starting FY 2027-28.
Government and CII deployments must act as anchor adopters for validated indigenous quantum-safe technologies.
Collaboration with international government agencies actively engaged in PQC migration.

Technology considerations for quantum-safe migration across CII

Latency Sensitivity: PQC overhead is manageable in millisecond-level systems but problematic in microsecond-level environments (e.g., defence, telecom).
Handshake Frequency: Systems with long-lived sessions face minimal impact, while frequent TLS renegotiation or short-lived sessions amplify PQC costs.
User/Service Tolerance: Some services can absorb modest delays, but safety-critical or financial systems cannot tolerate even small performance degradation.
Hardware Constraints: Long-lived hardware platforms, embedded devices, and certified systems may lack compute headroom for PQC, requiring PQC-capable HSMs/KMS or interim controls until refresh cycles.
Vendor Dependence: Migration depends on OEMs and third-party platforms for firmware updates, interoperability, and backward compatibility.
Cross-Border Dependencies: Many critical systems rely on international standards and protocols, so migration must align with global bodies to ensure interoperability.

Interim Quantum-Safe Technologies

Quantum Gateways, VPNs, Proxies, Tunnels: Used to protect data in motion during transition.
Quantum & True Random Number Generators: Enhance cryptographic key generation.

Looking ahead: Strategic roadmap for post-quantum security

India’s roadmap provides the foundation for coordinated national action, defining clear priorities, transition pathways, and indicative timelines for safeguarding critical digital infrastructure against emerging quantum threats. The next phase must focus on operationalizing this vision through clear mandates, coordinated procurement, sector-specific migration planning, and accelerated deployment of indigenous solutions.

Global Context: International Migration Timelines and Strategies

India’s roadmap aligns with global efforts:

US: Targeted migration by 2035, $7.1 billion estimated cost, with federal agencies required to maintain cryptographic inventories and initiate migration planning.
EU: Coordinated PQC adoption, hybrid PQC-QKD mechanisms, with critical systems migrated by 2030 and full transition by 2035.
UK, Australia, Canada, Singapore, UAE, South Korea, China: Each has published migration timelines, pilot deployments, and national standards, with China pursuing indigenous quantum-safe algorithms and space-based QKD links.

For further details, refer to the full 140-page report provided by the Department of Science & Technology.

TRENDING

China’s photonic computer Jiuzhang 4.0 demonstrates instance of quantum advantage

Cisco’s quantum vision: A conversation with Global Innovation Officer, Guy Diedrich

NVision closes $55 million Series B, will expand from quantum sensing to organic quantum computing

India’s National Quantum Mission launches detailed roadmap to quantum resiliency

India's Department of Science & Technology, under the National Quantum Mission (NQM), has released a comprehensive roadmap for building a quantum-safe ecosystem.

The quantum-safe migration roadmap: Phased approach

Testing and certification framework: Assurance levels and lab structure

Technology approaches: PQC, QKD, and interim solutions

Testing requirements: Cryptographic, interoperability, performance, and security

Certification process

Crypto-agility: Preparing for continuous change

Technology considerations for quantum-safe migration across CII

Looking ahead: Strategic roadmap for post-quantum security

POPULAR

China’s photonic computer Jiuzhang 4.0 demonstrates instance of quantum advantage

Cisco’s quantum vision: A conversation with Global Innovation Officer, Guy Diedrich

NVision closes $55 million Series B, will expand from quantum sensing to organic quantum computing

Google launches life sciences initiative REPLIQA, committing $10 million to five universities

Casimir launches with $12M seed round to bring world’s first quantum energy chip to market

RELATED

13 quantum nations hold UK summit, to boost cooperation

Quantonation raises €220m to back industrialisation of quantum and physics-based tech

India begins construction on Amaravati Quantum Valley, launches multiple quantum initiatives

Australia-funded consortium to build quantum-enabled “Brain-on-Chip” platform addressing Alzheimer’s, epilepsy & other neurological conditions

TRENDING

The quantum-safe migration roadmap: Phased approach

Testing and certification framework: Assurance levels and lab structure

Technology approaches: PQC, QKD, and interim solutions

Testing requirements: Cryptographic, interoperability, performance, and security

Certification process

Crypto-agility: Preparing for continuous change

Technology considerations for quantum-safe migration across CII

Looking ahead: Strategic roadmap for post-quantum security

POPULAR

Subscribe to our Newsletter

RELATED