Post-Quantum Cryptography for Enterprise Crypto Wallets: A Deep Dive on Migration Solutions
The quantum computer that breaks Bitcoin doesn’t exist yet, and your wallet keys are already being stolen for it. That sounds like a contradiction, but it isn’t, and the reason explains why enterprises holding billions in digital assets are spending money on cryptography that defends against a machine nobody has built.
The mechanism has a name: harvest now, decrypt later. An attacker copies your encrypted data today, and waits for a cryptographically relevant quantum computer to arrive. Anything with a long secrecy lifespan becomes a target right now, which is why the timeline of the threat and the timeline of the defense don’t line up the way people expect.
The problem RSA and ECC created by being good
Enterprise crypto wallets run on public-key cryptography. Specifically RSA and ECC, the two schemes that secure custody platforms, exchange APIs, and tokenized asset systems across the industry. Both rest on math problems that classical computers can’t solve in any useful timeframe. Actions like factoring large numbers and computing discrete logarithms on elliptic curves are hard for the machines we have.
They’re not hard for the machines we’re trying to build. Shor’s algorithm, run on a sufficiently large quantum computer, dismantles both RSA and ECC. The private key falls out of the public key. The signature scheme that proves you own an address stops proving anything.
So the foundation of wallet security has an expiration date. We just don’t know what it is exactly.
Why “we’ll fix it when quantum arrives” fails
This is the position most operators hold, and it’s directionally correct. You can’t deploy a defense against a capability that doesn’t exist, and rushing into immature standards carries its own cost, which is fair enough.
The specific flaw is the harvest-now problem. Encrypted custody records, key material, and authentication data captured today can be decrypted the moment the hardware matures. A custody platform holding assets meant to stay secured for a decade is exposed to a 2035 attacker starting in 2026. Waiting for quantum to arrive means you’ve already lost the data you cared about most.
What NIST standardized
In August 2024, the U.S. National Institute of Standards and Technology (NIST) approved the first batch of post-quantum standards. Three algorithms got formal designations, and the naming convention tells you what each one does.
ML-KEM, published as FIPS 203, handles key encapsulation. It’s the mechanism for establishing a shared secret over an untrusted channel, the thing TLS depends on. ML-DSA, published as FIPS 204, handles digital signatures, which is what proves wallet ownership and authorizes transactions. SLH-DSA, FIPS 205, is the hash-based signature fallback, slower and larger but built on assumptions that have held up under decades of scrutiny.
These algorithms cost more than what they replace. Larger keys, bigger signatures, fatter ciphertexts. ML-DSA signatures run several kilobytes against ECC’s few dozen bytes, and that difference shows up in storage and transaction throughput. Any operator who skips benchmarking before production deployment is going to learn this the hard way.
The five integration paths worth knowing
The market has organized itself into a few categories, including hardware security modules, cloud-native services, and discovery tooling. Each solves a different piece of the migration, and the right pick depends on what your infrastructure already looks like.
Thales Luna HSM with CipherTrust
Thales holds an estimated 28% of the global HSM market, which makes it the default starting point for a lot of institutions. The Luna series paired with the CipherTrust platform gives wallet operators a path to adopt PQC at the hardware level. The High Speed Encryptors are built on field-upgradable FPGAs supporting ML-KEM, ML-DSA, and SLH-DSA, and the Luna G7 and K7 have FIPS 140-3 Level 3 CMVP validation.
This is the choice for Tier-1 exchanges and custodians that need certified hardware and centralized key management. It’s the heaviest option, and that weight is the point.
Entrust nShield with Quantum Safe Services
Entrust adds PQC support through updates instead of forcing a hardware swap, which cuts the capital cost of migration. The nShield 5 carries FIPS 140-3 Level 3 validation, and Entrust holds NIST CAVP certification for ML-DSA. There’s also nShield as a Service, a subscription model that gives you access to ML-DSA APIs through dedicated HSMs without buying the boxes outright.
That subscription path is useful for piloting before you commit. Entrust has also partnered with IBM Consulting on large-scale migration programs for financial institutions, which tells you where its customer base sits.
Utimaco Quantum Protect on u.trust GP HSM Se-Series
Utimaco’s Quantum Protect activates PQC algorithms directly on existing u.trust General Purpose HSM Se-Series hardware. It covers the algorithms required under the NSA’s CNSA 2.0 suite, with SLH-DSA on the active roadmap. The detail that earns it a place here is the free PQC simulator, which lets security teams test ML-KEM and ML-DSA performance in their own environment before spending on hardware.
For enterprises that need CNSA 2.0 compliance and want to test before buying, this is the low-exposure entry.
IBM Quantum Safe Explorer and Transformation Services
IBM attacks a problem the others mostly assume away. You can’t migrate cryptography you don’t know you have. Quantum Safe Explorer scans applications, libraries, and infrastructure to produce a Cryptographic Bill of Materials, a full map of every cryptographic dependency in a system.
This is essential and underrated. Upgrading a crypto library doesn’t fix the code calling the old algorithms, so the dependency map is what keeps a migration from missing half the system. Transformation Services then builds a prioritization plan based on the data being handled and its harvest-now exposure. Large institutions with tangled multi-system wallet infrastructure are the natural fit, because hidden dependencies are exactly where their risk lives.
AWS Post-Quantum Cryptography Services
As it happens, AWS embedded PQC into managed services for cloud-native operators. AWS KMS and Amazon CloudFront support hybrid key establishment that combines classical ECDH with ML-KEM for TLS connections. In November 2025, AWS Payments Cryptography added hybrid post-quantum TLS, which lets enterprises protect payment and wallet API calls against harvest-now attacks. AWS Private CA issues certificates using ML-DSA for quantum-resistant authentication.
The pricing detail decides a lot of cases. These capabilities cost nothing extra across AWS regions, and activation needs only a compatible SDK version. For a cloud-native platform, that’s a low barrier to crossing the starting line.
Comparing the options
| Solution | Type | Validation | Migration model | Best fit |
|---|---|---|---|---|
| Thales Luna + CipherTrust | Hardware HSM | FIPS 140-3 Level 3 | Field-upgradable FPGA | Tier-1 exchanges, custodians |
| Entrust nShield | Hardware + service | FIPS 140-3 Level 3, NIST CAVP | Firmware update or subscription | Regulated financial institutions |
| Utimaco Quantum Protect | Hardware activation | CNSA 2.0 aligned | Activate on existing Se-Series | CNSA 2.0 compliance, testing-first |
| IBM Quantum Safe | Discovery + planning | N/A | Map then migrate | Complex multi-system infrastructure |
| AWS PQC Services | Cloud-native | Managed service | SDK activation | Cloud-native asset platforms |
Crypto-agility is the requirement
Picking ML-KEM today and calling the job done is the trap. NIST’s standards will keep evolving, attacks against the new algorithms will surface, and at some point you’ll need to swap a scheme that looked solid in 2026. Building a system that can replace algorithms without rebuilding the infrastructure underneath them is the requirement that outlives any single standard.
Hybrid deployment is how most serious operators are handling the transition. You run classical and post-quantum algorithms together, so a flaw in either one doesn’t collapse the whole channel. AWS does this with ECDH plus ML-KEM, and the logic generalizes. It buys you a gradual migration with a fallback the whole way through.
Where this goes next
The hardware is the moving variable. Estimates for a cryptographically relevant quantum computer span a wide range, and anyone quoting a precise year is guessing. What’s settled is that the standards now exist, the vendors now ship, and the harvest-now clock has already started for long-lived data.
So the planning question has shifted. It’s no longer whether to migrate, but how fast and in what order, and which data carries enough secrecy lifespan to justify moving first. Build for crypto-agility, benchmark the performance hit before it surprises you in production, and treat hybrid deployment as the bridge rather than the destination. At the very least, run a discovery pass on your own infrastructure, because the dependencies you can’t see are the ones that’ll outlast your migration plan.