A task force constituted by the Department of Science & Technology (DST) has recommended that India’s critical sectors — government, defence, power, telecom, transport, and banking and finance — begin a phased switch to post-quantum cryptography (PQC), warning that the encryption now protecting the country’s most sensitive data could one day be broken by quantum computers.
Failure to act within the current window, the report warns, “may result in irreversible compromise of confidential data, erosion of trust in digital governance, exposure of financial systems, and forced emergency migration under crisis conditions.”
PQC refers to a new generation of encryption algorithms designed to run on ordinary computers but engineered to withstand attacks from future quantum machines, which are expected to be able to crack the public-key cryptography that today secures everything from bank transactions to government communications. Quantum computers, unconstrained by the binary logic underlying conventional computers, can, in theory, perform demanding tasks in a fraction of the time. However, they have yet to prove themselves in practice.
The task force is chaired by Rajkumar Upadhyay, chief executive of the Centre for Development of Telematics (C-DOT), with Manindra Agrawal, Director of IIT Kanpur, as co-chair. Its report was prepared under the National Quantum Mission (NQM).
The NQM, approved by the Union Cabinet in April 2023, carries a ₹6,003.65-crore outlay through 2030–31 and operates four thematic hubs at the IISc and the IITs to advance quantum computing, communication, sensing and materials.
Migration calendar
The report sets out a tiered migration calendar. Critical Information Infrastructure (CII) sectors are placed on an accelerated track: laying foundations by 2027, migrating high-priority systems by 2028, and achieving full PQC adoption by 2029. Other enterprises are given a slightly more relaxed schedule of 2028 for laying the foundation, 2030 for migrating high-priority systems and 2033 for full PQC adoption.
In the short term — by 2028, or 2027 for critical sectors — the task force wants “sandbox pilots” (controlled, isolated tests) of PQC and “hybrid” systems that pair existing encryption with the new algorithms.
Sector-specific rules
The task force also recommends circulating the report to Ministries such as Railways, Finance and Power and to regulators such as the Securities and Exchange Board of India (SEBI), the Reserve Bank of India and the electricity regulator CERC, to frame sector-specific rules. It has also suggested the creation of a National PQC Testing and Certification Programme, with the first testing laboratories operational by December 2026.
Medium-term steps, to be completed by 2030, include migrating long-lifetime systems and building national test-beds. By 2033 (2029 for critical infrastructure), PQC is to become the default across all systems, supported by a national quantum-key-distribution backbone.
The report invokes a warning by the chief executive of American quantum-computing firm IonQ that “Q-Day” — the point at which quantum computers can break widely used public-key cryptography — “may arrive within the next three years”.
‘Countdown has begun’
Migration planning, it says, must proceed on an “assume-breach” principle, guarding against “harvest now, decrypt later” attacks in which encrypted data stolen today is stored for decryption once quantum machines mature. “The countdown has already begun,” the report states, “and hesitation will be the weakest defence”.
The task force also addresses quantum key distribution (QKD), a separate, hardware-based method that uses the properties of light to exchange encryption keys with security guaranteed by the laws of physics. While the United States, the United Kingdom, the European Union, Canada and Australia have largely prioritised software-based PQC, the report envisions a composite Indian architecture combining PQC with a QKD backbone over the longer term.
The push comes amid heightened anxiety over the security of India’s digital infrastructure. The concern sharpened in April after AI major Anthropic disclosed Mythos, an unreleased AI model it billed as a powerful scanner — and potentially a vector — of undiscovered software vulnerabilities, which it said had already found flaws in widely used systems such as OpenBSD, FFmpeg and the Linux kernel. Officials at the Ministry of Electronics and Information Technology and CERT-In are deliberating the implications, while Anthropic patches bugs through Project Glasswing, a consortium of some 40 firms with early access.