A toolkit for assessing and planning organizational migration from classical public-key cryptography to post-quantum cryptographic algorithms
Project description
Quantum PQC Migration Toolkit
A Python toolkit for assessing and planning organizational migration from classical public-key cryptography to post-quantum cryptographic (PQC) algorithms.
Overview
As quantum computing advances, organizations face the critical challenge of migrating their cryptographic infrastructure to quantum-resistant algorithms before cryptographically relevant quantum computers (CRQCs) become available. This toolkit helps organizations:
- Assess quantum-vulnerability risk across their cryptographic inventory
- Prioritize systems for migration based on data sensitivity, exposure, and lifetime
- Recommend target algorithms aligned with NIST PQC standards (FIPS 203-205)
- Model risk scenarios through Monte Carlo simulation of adoption strategies
Installation
pip install quantum-pqc-migration-toolkit
Or install from source:
git clone https://github.com/quantum-pqc-migration-toolkit/quantum-pqc-migration-toolkit.git
cd quantum-pqc-migration-toolkit
pip install -e .
Quick Start
1. Create a Sample Inventory
pqc-migrate init -o my_inventory.yaml
This generates a sample YAML file demonstrating the inventory format.
2. Edit Your Inventory
Modify the generated file to reflect your systems:
systems:
- name: customer_database
sector: technology
current_algos:
- RSA-2048
- ECDSA-P256
tls_versions:
- TLS1.2
- TLS1.3
data_lifetime_years: 15
data_sensitivity: high
internet_exposed: false
vendor_type: first_party
system_role: database
has_qkd: false
description: Primary customer data storage
3. Analyze Your Inventory
pqc-migrate analyze my_inventory.yaml
This produces a prioritized table of systems with risk scores and migration recommendations.
4. Run Simulation (Optional)
pqc-migrate analyze my_inventory.yaml --simulate --runs 1000
Compare risk outcomes across early, baseline, and late adoption strategies.
CLI Commands
| Command | Description |
|---|---|
pqc-migrate init |
Create a sample inventory file |
pqc-migrate analyze <file> |
Analyze inventory and generate recommendations |
pqc-migrate simulate <file> |
Run Monte Carlo strategy comparison |
pqc-migrate info <algorithm> |
Display PQC algorithm information |
Analyze Options
pqc-migrate analyze inventory.yaml \
--strategy baseline \ # Adoption strategy: early, baseline, late
--json report.json \ # Output JSON report
--csv report.csv \ # Output CSV report
--simulate \ # Include Monte Carlo simulation
--runs 1000 # Number of simulation runs
Python API
from quantum_pqc_migration_toolkit import (
load_inventory,
compute_inventory_risk,
plan_inventory_migration,
compare_strategies,
Scenario,
)
# Load inventory
systems = load_inventory("inventory.yaml")
# Create scenario
scenario = Scenario.baseline()
# Compute risk assessments
assessments = compute_inventory_risk(systems, scenario)
# Generate migration recommendations
recommendations = plan_inventory_migration(systems, assessments, scenario)
# View results
for rec in recommendations:
print(f"{rec.system_name}: Priority {rec.priority_score}, "
f"Migrate to {rec.target_kem}/{rec.target_sig} by {rec.migrate_by_year}")
# Compare adoption strategies via Monte Carlo
results = compare_strategies(systems, scenario, n_runs=1000)
for strategy, result in results.items():
print(f"{strategy}: Mean risk = {result.mean_risk:.4f}")
Inventory Schema
| Field | Type | Description |
|---|---|---|
name |
string | System identifier |
sector |
string | Industry sector (healthcare, financial, technology, etc.) |
current_algos |
list | Current cryptographic algorithms |
tls_versions |
list | Supported TLS versions |
data_lifetime_years |
int | How long data must remain confidential |
data_sensitivity |
string | Sensitivity level: critical, high, medium, low |
internet_exposed |
bool | Whether system is internet-facing |
vendor_type |
string | Supply chain position: first_party, third_party, tier1_vendor, saas |
system_role |
string | Functional role: pki, authentication, database, api_gateway, etc. |
has_qkd |
bool | Whether quantum key distribution is available |
Risk Scoring
The risk engine computes a PQ risk score (0-1) for each system based on:
- Algorithm vulnerability: Classical algorithms (RSA, ECDSA, ECDH) vs PQC/hybrid
- Data lifetime: Overlap between data protection needs and quantum threat timeline
- Sector baseline: Industry-specific breach rates from empirical data
- Exposure factors: Internet-facing, supply chain position, system criticality
- Adoption timing: Risk multipliers based on early, baseline, or late migration
Key Parameters
- Quantum arrival window: 2030-2035 (baseline), aligned with NSM-10 planning
- Laggard uplift: ~340% increased breach probability for late adopters
- PQC overhead: ML-KEM ~2.3x compute, ~4.6x key size growth
Supported Algorithms
Target PQC Algorithms (NIST FIPS 203-205)
Key Encapsulation (FIPS 203)
- ML-KEM-512, ML-KEM-768, ML-KEM-1024
Digital Signatures (FIPS 204)
- ML-DSA-44, ML-DSA-65, ML-DSA-87
Stateless Hash-Based Signatures (FIPS 205)
- SLH-DSA-128s/128f, SLH-DSA-192s/192f, SLH-DSA-256s/256f
Hybrid Schemes
For backward compatibility:
- X25519 + ML-KEM-768
- ECDSA-P256 + ML-DSA-65
Examples
See the examples/ directory for sample inventories:
hospital_inventory.yaml- Healthcare organization with 12 systemssaas_startup_inventory.yaml- Cloud-native SaaS company with 12 systems
Theory Background
This toolkit implements a simplified, practitioner-oriented version of Monte Carlo supply-chain risk models. Key parameters are derived from:
- NIST PQC Standards: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA)
- NSM-10 Timelines: Federal implementation deadlines for PQC migration
- Empirical breach data: Sector baselines from industry data breach reports
- Performance analysis: Computational overhead and key/signature size factors
The simulation models quantum arrival uncertainty using triangular distributions and compares organizational risk under different adoption strategies (early, baseline, late).
Future Work
- Optimization of PQC rollout schedules using combinatorial optimization
- Integration with vulnerability scanners for automated crypto discovery
- Extended hybrid scheme recommendations
- Cost modeling for migration planning
Author
Syon Balakrishnan Email: balakrishnansyon@gmail.com
Acknowledgments
- EM Normandie Business School for supply-chain security research collaboration
- ThreatVisor for applied cybersecurity context and pilot testing
- NIST for the post-quantum cryptography standardization effort (FIPS 203-205)
License
MIT License
Contributing
Contributions are welcome. Please open an issue to discuss proposed changes before submitting a pull request.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file quantum_pqc_migration_toolkit-0.1.0.tar.gz.
File metadata
- Download URL: quantum_pqc_migration_toolkit-0.1.0.tar.gz
- Upload date:
- Size: 31.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.1
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
348416d96a424b8c792d50756a3b828fa51bc9433449ad1dfaa6f9d64a8acd8a
|
|
| MD5 |
3dd9a1d9982dd9b681e94d8a98f7cf83
|
|
| BLAKE2b-256 |
abcee7898fdb3f278c889f37ecb4791c0538e749e197cd79534a94ff398cc801
|
File details
Details for the file quantum_pqc_migration_toolkit-0.1.0-py3-none-any.whl.
File metadata
- Download URL: quantum_pqc_migration_toolkit-0.1.0-py3-none-any.whl
- Upload date:
- Size: 31.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.1
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6a315d65b0237ad46c7a9ba2fe4e6495283616ed688826b41b3fd344421930b0
|
|
| MD5 |
f6b0601a5784988793dad075be5c2bb3
|
|
| BLAKE2b-256 |
ab930d0b2b368dbb4d68092551f843c6c6b571c749b85b711993ec022c8a56fa
|
