NIST finalised its post-quantum cryptography standards in August 2024. For Singapore businesses, this is not a distant academic concern — it is a current encryption upgrade obligation. Here is what "Q-Day" means for your systems, which regulations will force your hand, and how to build a practical migration roadmap that does not require a cryptography PhD to execute.

What Is Post-Quantum Cryptography — and Why It Matters Now

Quantum computers threaten the mathematical foundations of nearly all asymmetric encryption in use today. RSA, elliptic curve cryptography (ECC), and Diffie-Hellman key exchange rely on the hardness of factoring large integers and computing discrete logarithms — problems that a sufficiently powerful quantum computer could solve in hours, not centuries.

The most immediate threat is not a quantum computer that exists today. It is harvest-now, decrypt-later attacks: adversaries — including state-sponsored groups — are already collecting encrypted network traffic with the intent to decrypt it once quantum computing capability arrives. Sensitive data with a 10–15 year shelf life — healthcare records, financial transactions, intellectual property — is already at risk.

NIST's finalised post-quantum standards (FIPS 203, 204, 205) standardise three quantum-resistant algorithms: ML-KEM (formerly CRYSTALS-Kyber) for key encapsulation, ML-DSA (formerly CRYSTALS-Dilithium) for digital signatures, and SLH-DSA (formerly SPHINCS+) for stateless hash-based signatures. These are now the approved foundation for US federal systems — and Singapore's CSA and MAS are beginning to reference them in guidance.

Singapore context: The CSA's Cybersecurity Landscape Report and Technology Risk Management guidelines are progressively incorporating quantum risk language. For MAS-regulated financial institutions, the implications extend to payment system security, key management, and long-term data retention policies. Singapore's Smart Nation and Digital Government Group has also flagged post-quantum readiness as a priority for critical infrastructure.

The Regulatory Forces Driving Your Migration

Four regulatory currents are converging on Singapore businesses:

  • MAS TRM Guidelines — While not yet mandating post-quantum cryptography explicitly, MAS has begun referencing algorithm longevity and cryptographic agility in its technology risk guidance. Financial institutions with long transaction histories and data retention obligations are particularly exposed.
  • CSA Cyber Trust Mark — The assessment criteria increasingly touch on cryptographic hygiene and algorithmic currency. Organisations that cannot demonstrate a cryptographic upgrade path will face harder questions during certification.
  • ISO 27001 Annex A — The 2022 Annex A revisions already call for cryptographic controls review. Post-quantum readiness falls squarely within this mandate for certified organisations.
  • PDPA — Personal data encrypted today with RSA-2048 may be readable in 10–15 years. The PDPA requires "reasonable security" — a standard that will increasingly be interpreted through a post-quantum lens.

Which Systems Are Most at Risk

Not every system needs to be upgraded immediately. Prioritise by classifying assets against two dimensions: data sensitivity and cryptographic exposure.

Highest Priority — Upgrade Now

  • Public-key infrastructure (PKI) — Certificate authorities, intermediate CAs, and any system issuing or validating X.509 certificates
  • VPN gateways and TLS terminators — Any point-to-point encryption carrying sensitive data across untrusted networks
  • SSH key management — Long-lived SSH keys used for server access, CI/CD pipelines, and infrastructure automation
  • Document signing systems — Digital signatures on legal documents, contracts, and regulatory filings
  • Hardware security modules (HSMs) — Devices managing cryptographic key material; firmware upgrades may be required

Medium Priority — Plan Within 18 Months

  • TLS 1.2 with RSA key exchange — Migrate to TLS 1.3 with hybrid key exchange; ECDHE+RSA should be replaced with ECDHE+ML-KEM
  • Secure email (S/MIME, PGP) — Email encryption and signing systems using RSA or ECC
  • Cloud key management — AWS KMS, Azure Key Vault, GCP Cloud KMS configurations using RSA keys
  • API authentication tokens — Systems using RS256 JWT signatures or RSA-based OAuth client authentication

Lower Priority — Monitor and Schedule

  • Symmetric encryption (AES-256) — Already quantum-resistant with sufficient key lengths; focus on key management hygiene
  • Hash-based MACs (HMAC-SHA256) — Not threatened by quantum computing in the near term
  • Internal legacy systems — Document, segregate, and plan retirement or replacement

How to Build Your Post-Quantum Migration Roadmap

A practical migration has four phases. Do not attempt to upgrade everything simultaneously — cryptographic transitions are complex and brittle if done poorly.

Phase 1: Cryptographic Inventory (Months 1–3)

You cannot protect what you cannot see. Build a complete inventory of all cryptographic uses across your environment:

  • All TLS certificates — issuer, algorithm, key size, expiry
  • All SSH keys — purpose, owners, access paths
  • All HSMs and key management systems — firmware version, supported algorithms
  • All VPN configurations — protocol, cipher suites, key exchange algorithms
  • All document signing and code signing systems
  • All SaaS applications handling your data — request vendor post-quantum roadmaps

Tools like Google's Open Quantum Safe library, Watcher for certificate discovery, and GitLab's Supply Chain Security features can assist. For an enterprise-scale inventory, engage a cybersecurity consultant with cryptographic assessment experience.
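To make the "data sensitivity x cryptographic exposure" classification from the earlier section concrete, here is an added Python sketch (not a tool from the article) that scores an inventory into the article's three tiers. The inventory rows, the 10-year horizon and the tier rules are constructed assumptions; a real inventory would be fed from your certificate and key scanners.

```python
"""Prioritise a cryptographic inventory by quantum exposure and data shelf life.
Added example, not from the article; rows, horizon and tier rules are assumptions."""
# Constructed inventory: asset,algorithm,key_bits,data_shelf_life_years
INVENTORY = """\
root-ca,RSA,4096,20
vpn-gw-1,ECDHE-RSA,2048,10
api-jwt,RS256,2048,1
edge-tls,X25519MLKEM768,768,10
backup-store,AES,256,15
mail-archive,AES,128,15
legacy-erp,3DES,168,5
"""

# Assumed years until a cryptographically relevant quantum computer exists; data
# that must stay secret longer than this is exposed to harvest-now, decrypt-later.
QUANTUM_HORIZON_YEARS = 10

PQ = ("ML-KEM", "MLKEM", "ML-DSA", "MLDSA", "SLH-DSA", "KYBER")
SHOR_VULNERABLE = ("RSA", "RS256", "EC", "DH", "DSA", "25519")   # public-key families
SYMMETRIC = ("AES", "CHACHA", "HMAC")

def exposure(algorithm: str, key_bits: int) -> str:
    """Classify one algorithm along the 'cryptographic exposure' axis."""
    alg = algorithm.upper()
    if any(p in alg for p in PQ):            # checked first so hybrids count as PQ
        return "post-quantum"
    if any(v in alg for v in SHOR_VULNERABLE):
        return "quantum-vulnerable"
    if any(s in alg for s in SYMMETRIC):     # Grover halves strength: 256-bit keys stay fine
        return "symmetric-ok" if key_bits >= 256 else "symmetric-short"
    return "unknown"

def priority(exp: str, shelf_life_years: int) -> str:
    """Map exposure and shelf life onto the article's tiers; first word is the tier."""
    if exp == "quantum-vulnerable":          # long-lived secrets are harvestable today
        return "Highest" if shelf_life_years >= QUANTUM_HORIZON_YEARS else "Medium"
    return {"post-quantum": "Lower - already migrated", "symmetric-ok": "Lower",
            "symmetric-short": "Medium - review key length"}.get(exp, "Highest - review")

def report(text: str = INVENTORY) -> dict[str, str]:
    """Return {asset: priority}, and print the inventory highest tier first."""
    rows = []
    for line in text.strip().splitlines():
        asset, alg, bits, shelf = line.split(",")
        exp = exposure(alg, int(bits))
        rows.append((asset, alg, exp, priority(exp, int(shelf))))
    rows.sort(key=lambda r: {"Highest": 0, "Medium": 1, "Lower": 2}[r[3].split()[0]])
    for asset, alg, exp, prio in rows:
        print(f"{prio:<28} {asset:<14} {alg:<16} {exp}")
    return {asset: prio for asset, _, _, prio in rows}
```

Unrecognised algorithms (the 3DES row) deliberately land in the highest tier so that nothing silently drops out of the review.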

Phase 2: Hybrid Migration — TLS and VPN (Months 4–9)

Start with network transport encryption — the highest-traffic, most visible attack surface. TLS 1.3 already supports hybrid key exchange through Hybrid ECDH+Kyber (X25519Kyber768Draft00 or the NIST-standardised ECDH+ML-KEM). Most modern platforms support this without code changes.

For VPN gateways, check with your vendor — many major vendors (Cisco, Fortinet, OpenVPN) have posted quantum-ready roadmaps. Enable hybrid mode where available now, even if the quantum component is still in draft.
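As an added illustration of the TLS step above (this configuration is not from the article or any vendor), here is a weak nginx TLS setting beside the hybrid one. It assumes nginx is built against OpenSSL 3.5 or later, which implements ML-KEM and exposes the hybrid group as `X25519MLKEM768`.

```nginx
# Before (assumed legacy setting): TLS 1.2 still permitted, classical-only key exchange.
# ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ecdh_curve prime256v1;

# After: TLS 1.3 only, hybrid X25519 + ML-KEM-768 preferred, plain X25519 kept as a
# fallback for clients that cannot yet negotiate the hybrid group. Requires an
# OpenSSL 3.5+ build; confirm the linked version with `nginx -V` before rolling out.
ssl_protocols TLSv1.3;
ssl_ecdh_curve X25519MLKEM768:X25519;
```

From a client also built against OpenSSL 3.5+, `openssl s_client -groups X25519MLKEM768 -connect host:443` lets you confirm which group was actually negotiated before you rely on it.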

Phase 3: PKI and Signing Systems (Months 10–18)

Certificate authorities need the longest lead time. Begin requesting post-quantum certificate profiles from your CA vendors. Microsoft AD CS, DigiCert, and Sectigo have all signalled post-quantum roadmap support. Test in a non-production environment first.

For code signing and document signing, the transition is more complex — signatures are often embedded in documents and binaries and verified for decades. Plan for a dual-signature approach during the transition period.

Phase 4: Long-Term Cryptographic Agility (Ongoing)

Post-quantum migration is not a one-time project — it is the beginning of more frequent cryptographic transitions. Build cryptographic agility into your architecture:

  • Abstract cryptographic operations behind internal APIs so algorithm swaps require code changes in one place
  • Implement certificate pinning with algorithm agility — avoid hardcoding RSA-only expectations
  • Monitor NIST's algorithm transitions and CSA guidance for updates
  • Include cryptographic currency in your ISO 27001 internal audit scope

What Singapore Businesses Should Do This Year

You do not need to overhaul your entire infrastructure this quarter. But there are three concrete actions every Singapore business handling sensitive data should take in 2026:

  1. Assess your TLS posture. Audit all external-facing systems for TLS version and cipher suite. If any system still accepts TLS 1.0 or TLS 1.1, upgrade immediately — these are already deprecated. Begin planning for TLS 1.3 with hybrid key exchange.
  2. Request vendor roadmaps. Contact your key SaaS vendors, cloud providers, and security tool vendors. Ask specifically about their post-quantum cryptography timelines. Document their responses — this is evidence of due diligence.
  3. Add cryptography to your risk register. Document the quantum risk to your most sensitive data assets, assign an owner, and set a target upgrade date. This demonstrates to auditors — and to MAS examiners — that you are aware of the risk and managing it.

Need Help Building Your Cryptographic Roadmap?

Our Singapore-based cybersecurity consultants have experience conducting cryptographic assessments, reviewing PKI environments, and advising MAS-regulated firms on technology risk migration. Start with a free assessment.
