Post-Quantum Cryptography for AI Infrastructure

NIST PQC Algorithm Reference

Phase 1: Inventory Your Cryptographic Attack Surface

• Generate a Cryptography Bill of Materials (CBOM) — every RSA, ECDSA, and ECDH instance in your AI infrastructure is a migration target.
• Prioritize "Harvest Now, Decrypt Later" exposure: long-lived data (patient records, contracts, credentials) is at risk today even before quantum computers arrive.
• Map each cryptographic primitive to its compliance mandate: NSA CNSA 2.0 (DoD/Federal), CISA PQC guidance, EU eIDAS 2.0 (document signing).

Phase 2: Migrate Agent Identity to ML-DSA

• Replace Ed25519/ECDSA agent certificates with ML-DSA-87. RuntimeAI's Agent Identity Fabric issues PQC-native SPIFFE/X.509 certs out of the box.
• Use hybrid certificates during the transition period (classical + PQC) to maintain backward compatibility with existing verifiers.
• Automate certificate rotation — ML-DSA keys are larger; manual rotation processes will not scale.

Phase 3: Protect In-Transit Communication with ML-KEM

• Deploy PQC-hybrid TLS (X25519 + ML-KEM-1024) for all agent-to-service and service-to-service communication. Both Chrome and BoringSSL already support X25519Kyber768 hybrid.
• Update your service mesh and API gateway TLS configuration before rotating to pure PQC to avoid connectivity interruptions.
• Monitor cipher negotiation logs — any connection falling back to classical-only indicates a component that still needs to be patched.

Phase 4: Upgrade Document and Code Signing

• Replace RSA-2048/4096 and ECDSA signing with ML-DSA-87 or SLH-DSA. Use SLH-DSA for long-term archival (it requires no state and is hash-based).
• For AI-generated documents: QuantoSign issues ML-DSA timestamps that satisfy eIDAS 2.0 and ESIGN Act requirements for long-term legal validity.
• Re-sign existing documents with PQC signatures before the legacy signature's validity period expires — do not wait for the deadline.