Introduction: The time bomb that’s already ticking
While quantum computing’s full potential remains several years away, its threat to current cryptographic systems is already pressing. For global financial institutions, large, connected networks and compliance-led digital infrastructure players, the window to act is not when quantum supremacy arrives—it’s now. Why? Because of a tactic known as Harvest Now, Decrypt Later (HNDL)—where encrypted data is siphoned today, only to be decrypted with quantum machines tomorrow.
According to Dr. Sharmila, “In my work on cryptographic infrastructure audits, I’ve seen real-world use cases where data protection horizons are grossly underestimated. A quantum-capable adversary wouldn’t need access tomorrow—they need a copy today.”
India’s burgeoning FinTech and public digital infrastructure ecosystems, while progressive, are alarmingly underprepared for post-quantum threats. In this piece, we unpack how India can lead with quantum-resilient custody models that protect not just digital assets but also data integrity, sovereign infrastructure, and user trust.
What exactly is the post-quantum threat?
At its core, quantum computing threatens classical cryptographic assumptions. Algorithms like RSA, ECC (Elliptic Curve Cryptography), and DSA, widely used in banking, blockchain, and APIs, rely on mathematical problems that are currently hard for classical computers. Quantum computers, via Shor’s algorithm, could solve these problems exponentially faster breaking these cryptosystems entirely.
Google’s 2019 claim of achieving quantum supremacy, executing a task in 200 seconds that would take a classical supercomputer 10,000 years, was symbolic but real. More recently, researchers have debated new optimisations of Shor’s algorithm, and Chinese physicists have even suggested practical cryptanalysis using far fewer qubits than previously assumed
India’s quantum leap: Policy moves and gaps
India launched its National Quantum Mission (NQM) in 2023 with a Rs 6,000 crore outlay to develop quantum technologies. While it reflects strategic foresight, the policy frameworks for cybersecurity and custody remain fragmented.
- CERT-In’s advisory (May 2023) highlights quantum vulnerabilities but stops short of mandating transitions.
- SEBI’s Cyber Security and Cyber Resilience Framework (2023) touches on key rotation and redundancy but remains post-facto in guidance.
- India’s custodial institutions—whether managing private keys or digital identities—have little formal push toward PQC (Post-Quantum Cryptography) readiness.
“In a 2024 simulation of a hybrid key rotation strategy I oversaw with a private bank’s custody arm, we found over 80% of their off-chain API logs were still using ECDSA-based authentication—a perfect storm for HNDL-style breaches, “she added.
Real-World use case: When ‘Secure’ is not secure enough
In December 2023, a consortium of digital asset exchanges and custodians in Singapore uncovered a vulnerability rooted in ECC signatures. The breach, although controlled in scope, exposed how dormant data—secure by classical standards—could be quantum-exploitable under HNDL assumptions.
Closer to home, QNu Labs, India’s leading quantum-safe firm, has already deployed Quantum Key Distribution (QKD) networks for defense communications. The Indian Army lab in Mhow is reportedly experimenting with these to secure battlefield telemetry.
But such innovations haven’t yet translated to financial custody or data vaulting at scale.
Dr Sharmila explained, “Most digital asset vaults I’ve audited, especially in hybrid cloud environments, maintain backups and cold keys in classical encryption envelopes. This isn’t negligent—it’s the norm. But quantum-ready standards demand that this ‘norm’ be rewritten.”
Tools and frameworks for transition
To prepare for the post-quantum era, the U.S. National Institute of Standards and Technology (NIST) has selected four quantum-resistant algorithms for standardisation: CRYSTALS-Kyber, Dilithium, Falcon, and SPHINCS+
Some key practices that Indian custodians should start implementing:
- Cryptographic agility: Systems should be able to swap cryptographic algorithms without redesign.
- Hybrid keying systems: Combine classical and quantum-safe signatures to ensure transitional integrity.
- Quantum-entropy sources: Random number generators (RNGs) should be reviewed for quantum security standards.
- Audit readiness: Quantum-vulnerable endpoints (legacy APIs, backups, identity stores) must be mapped and reclassified.
She added, “In audits conducted in 2024, I found that firms who started adopting cryptographic agility—even at the software abstraction layer—reduced their projected quantum-exposure surface by over 60%.”
The role of custodians: Beyond key storage
Custody is no longer just about storing private keys—it’s about ensuring cryptographic continuity. Digital custodians must adopt a forward-looking security mindset. This includes:
- Post-quantum signing schemes for vault APIs
- Upgradable smart contract multisig schemes
- HNDL-resilient archival and data escrow mechanisms
Emerging regulatory discussions, like the IMF’s Digital Asset Custody Paper (2024), underline the role of quantum security in upcoming custodial norms.
India’s quantum opportunity
India, with its UPI infrastructure, DigiLocker, and Open Credit Enablement Network (OCEN), has one of the most digitised citizen-level data systems in the world. Securing these under quantum standards isn’t optional—it’s essential.
Expressing the same, Dr. Sharmila added, “India has the rare opportunity to leapfrog legacy barriers. If quantum-safe custody becomes the de facto in Aadhaar-linked financial infra, we not only future-proof but lead.”
Conclusion: Quantum-readiness as trust infrastructure
Quantum computing is not just a technology shift—it’s a trust shift. Infrastructure designed without quantum assumptions will become obsolete not by failure, but by irrelevance.
She concluded, “As someone working closely with developers and compliance teams, I can say with confidence: preparing for a quantum future is not a matter of complexity, but of commitment. Those who move first won’t just be safe—they’ll be trusted.”
Send your exclusive thoughts to:
info@thebankermedia.com
