Government & Defense

Classified communications and citizen services with post-quantum protection

Governments move in decade-long cycles: a document classified today has a 25-50 year lifespan. The NSA has published CNSA 2.0, mandating a full PQC transition by 2035, starting in 2027 for new systems. The EU, with eIDAS 2.0 and the eu-wallet, requires qualified signatures that remain verifiable even after Q-Day. Without PQC today, eID credentials issued now will not be legally sustainable in 15 years.

25-50 yrs: classified retention
CNSA 2.0: NSA compliance
eIDAS 2.0: EU compliance
2035: full deadline

Three scenarios where PosQuantum acts

1. Inter-ministerial VPN with network separation (MLS)

Context

Defense Ministry connecting 14 bases to a central HQ. Traffic classified RESTRICTED/CONFIDENTIAL/SECRET. Requirement: NIST + ETSI accredited crypto.

Risk

IPsec with IKEv2 + ECDSA — all handshake material is harvestable. SECRET-classified traffic encrypted today must be considered compromised post-Q-Day.

PosQuantum solution

PQSL Secure Channel as L3 overlay on IPsec: hybrid handshake X25519 + ML-KEM-1024 + ChaCha20-Poly1305. Bidirectional deterministic rekeying every 1M messages or 30min (whichever first). Common Criteria EAL4+ pipeline compatible.
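The key schedule this paragraph implies can be sketched as follows. This is an added example, not PosQuantum's implementation: it combines the two shared secrets so the root key holds while either X25519 or ML-KEM-1024 does, then ratchets a per-direction key on the 1M-message or 30-minute limit. HKDF-SHA256 as the combiner, the labels, the `Direction` class and the rule that a receiver accepts only the current or next epoch are assumptions; the two 32-byte secrets stand in for real X25519 and ML-KEM-1024 outputs.

```python
import hashlib
import hmac

REKEY_MESSAGES = 1_000_000   # page: rekey every 1M messages ...
REKEY_SECONDS = 30 * 60      # ... or 30 min, whichever comes first

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + block, i + 1
    return out[:length]

def hybrid_root(ss_x25519: bytes, ss_mlkem: bytes, transcript: bytes) -> bytes:
    """Feed both shared secrets into one KDF, bound to the handshake transcript."""
    if len(ss_x25519) != 32 or len(ss_mlkem) != 32:
        raise ValueError("X25519 and ML-KEM-1024 shared secrets are 32 bytes each")
    return hkdf_extract(hashlib.sha256(transcript).digest(), ss_x25519 + ss_mlkem)

class Direction:
    """Key state for one traffic direction; both peers hold a copy (assumed design)."""
    def __init__(self, root: bytes, label: bytes, now: float):
        self.chain = hkdf_expand(root, b"chain|" + label)
        self.epoch, self.sent, self.started = 0, 0, now

    def _ratchet(self, now: float) -> None:
        self.chain = hkdf_expand(self.chain, b"rekey")  # one-way; old chain is dropped
        self.epoch, self.sent, self.started = self.epoch + 1, 0, now

    def key(self) -> bytes:
        return hkdf_expand(self.chain, b"chacha20-poly1305 key")  # 32-byte AEAD key

    def send(self, now: float):
        if self.sent >= REKEY_MESSAGES or now - self.started >= REKEY_SECONDS:
            self._ratchet(now)
        self.sent += 1
        return self.epoch, self.key()   # epoch number travels in the packet header

    def receive(self, epoch: int, now: float) -> bytes:
        if not self.epoch <= epoch <= self.epoch + 1:
            raise ValueError("epoch is stale or too far ahead")
        if epoch > self.epoch:
            self._ratchet(now)          # follow the sender without a new handshake
        return self.key()
```

Because each ratchet step overwrites the chain value, a later compromise of the endpoint does not expose keys for earlier epochs.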

2. Long-term qualified-signature citizen eID

Context

National CA issues qualified-signature certificates (QSCD) for 4M citizens. Signed documents legally valid for 30+ years (wills, deeds).

Risk

Current RSA-3072 certificates — valid today, legally invalid post-Q-Day. Signatures stored at notary will lack forensic proof.

PosQuantum solution

Crypto-agility at the CA: dual issuance (RSA + ML-DSA-65). Notarial PUCE Archive stores manifest signed by both — preserves mathematical evidence even if RSA falls. AdES BASELINE-LT (long-term validation) compatible.

3. Video conferencing for government cabinets

Context

Classified video conferencing for prime ministers + cabinets (dedicated Jabber/Webex-type). Encrypted traffic subject to foreign SIGINT interception.

Risk

SFU with SRTP-GCM + DTLS. DTLS uses ECDHE — trivial harvest-now-decrypt-later for a state adversary.

PosQuantum solution

PUCE Stream with TTL-PQC playback tokens. PQC-hybrid handshake between participants. Recording to PUCE Archive with legislative retention (15 years for Cabinet minutes).

Reference architecture

1. PQ identity

CA issues ML-DSA-65 certificates alongside RSA (dual-stack).

2. VPN overlay

PQSL Secure Channel over existing MPLS / IPsec.

3. Rich comms

PUCE Stream for video conferencing + PUCE Archive for recording.

4. Compliance

Dashboard generates automatic CNSA 2.0 / eIDAS 2.0 reports for internal audit.

5. Key escrow

Government HSM + split-key (Shamir 3-of-5) for PQ key recovery.

Applicable PosQuantum products

PQSL Enterprise
PUCE Archive
PUCE Stream
Secure Channel
Compliance Dashboard

Regulatory compliance covered

CNSA 2.0
NIST SP 800-208
ETSI TS 119 312
eIDAS 2.0
NIS2
FIPS 140-3

CNSA 2.0 / eIDAS 2.0 transition plan for your agency?

We offer a 1-day technical workshop for government CISO teams — system mapping + quick-wins + 24-month roadmap.