Towards a Field-Informed Risk-Based Framework for PQC Migration in Legacy Systems

Scientific Articles QRC Lab
Written By Paul Chammas

By Paul CHAMMAS, Khalil HARISS, Carole BASSIL, Maroun CHAMOUN.

Download the article here.

Abstract

Ongoing advances in quantum computing represent a growing risk to modern cryptography (potentially threatening both asymmetric and symmetric encryption protocols), thereby challenging the foundations of digital security. In response, global cybersecurity communities, led by standardization bodies such as NIST and ETSI, launched initiatives to establish migration pathways toward post-quantum cryptography (PQC). However, the migration of legacy systems to quantum-safe cryptography presents many challenges that have not yet been addressed due to their limited cryptographic agility, outdated infrastructure, and regulatory constraints. These legacy environments, even though they rely on aging technologies and constrained hardware, are still vital to major sectors (such as finance, energy, healthcare, and government). This paper explores some obstacles to the implementation of PQC in these environments, such as hard-coded cryptographic functions, outdated programming languages, hardware limitations, vendor lock-in, interoperability constraints, and certification issues. This shows that, in contrast to contemporary systems, legacy systems cannot be readily modified or easily re-engineered. A critical review of existing standards and academic publications revealed key limitations: their focus on algorithms specifications, the abstract guidance provided without operational depth, the lack of empirical validations, and the insufficient risk modeling and attention to legacy constraints. These gaps prevent effective planning and secure execution of the PQC migration in legacy systems. Consequently, this position paper argues that existing deliverables remain insufficient to address the specific challenges of PQC migration in legacy systems. It proposes the elaboration of a field-informed risk-based framework for PQC Migration in Legacy Systems to guide this transition. This proposed framework combines three interdepedent layers: a diagnostic characterization of legacy system constraints, a qualitative risk assessment grounded in those constraints, and a quantitative evaluation of migration options through an ROI-based analysis to support decision-making. Unlike existing approaches that treat legacy as generic labels, this framework begins by exploring what makes each system legacy in its specific context before applying the risk model. Its development is informed by an empirical survey conducted among large organizations across critical sectors, ensuring relevance beyond theoretical assumptions. Future work will focus on elaborating the framework through applied research, tool development, and real-world case studies in collaboration with financial institutions and critical infrastructure operators. In addition, continued engagement with cyber authorities and standardization bodies will help us ensure alignment with emerging regulations.

Find the article on Cryptology ePrint Archive.

Paul Chammas

Co-Founder - QuRISK

https://www.linkedin.com/in/mchammas/
Next

The Quantum-Safe Sentinel #7 – April 2026