Post-Quantum Discovery as a Governance Capability: Evidence-Based Cryptographic Visibility and Exposure Prioritisation in a Critical Service Provider
arXiv SecurityArchived May 19, 2026✓ Full text saved
arXiv:2605.16549v1 Announce Type: new Abstract: Post Quantum Cryptography (PQC) readiness is increasingly constrained not by algorithm availability, but by cryptographic visibility, dependency complexity, and fragmented governance. This paper presents an anonymised case study of a large European critical service provider that initiated PQC readiness through a discovery first strategy, utilizing tool supported cryptographic inventorying to establish an evidence based baseline prior to migration p
Full text archived locally
✦ AI Summary· Claude Sonnet
Computer Science > Cryptography and Security
[Submitted on 15 May 2026]
Post-Quantum Discovery as a Governance Capability: Evidence-Based Cryptographic Visibility and Exposure Prioritisation in a Critical Service Provider
Jelena Zelenovic, Leila Taghizadeh, Edoardo Pena-Gonzalez, Jaime Gomez Garcia, Bart Preneel
Post Quantum Cryptography (PQC) readiness is increasingly constrained not by algorithm availability, but by cryptographic visibility, dependency complexity, and fragmented governance. This paper presents an anonymised case study of a large European critical service provider that initiated PQC readiness through a discovery first strategy, utilizing tool supported cryptographic inventorying to establish an evidence based baseline prior to migration planning. The discovery phase revealed systemic challenges, including distributed cryptographic ownership, uneven evidence quality across legacy and modern environments, and high dependency on third party cryptographic roadmaps. To operationalise these findings, the organisation introduced a structured exposure register that enabled prioritisation based on asset criticality, confidentiality longevity, and migration feasibility. We argue that PQC discovery should be understood as a governance capability that stabilises organisational knowledge and converts cryptographic uncertainty into measurable accountability, supporting risk based decision making and ecosystem coordination. The results contribute actionable lessons for institutions pursuing crypto-agility and resilience under post quantum harvest now, decrypt later threat models.
Comments: Eurocrypt 2026, Sapienza University, Poster presentation
Subjects: Cryptography and Security (cs.CR); Computational Engineering, Finance, and Science (cs.CE)
ACM classes: D.4.6, K.6.5
Cite as: arXiv:2605.16549 [cs.CR]
(or arXiv:2605.16549v1 [cs.CR] for this version)
https://doi.org/10.48550/arXiv.2605.16549
Focus to learn more
Submission history
From: Jelena Zelenovic Matone [view email]
[v1] Fri, 15 May 2026 18:46:15 UTC (624 KB)
Access Paper:
view license
Current browse context:
cs.CR
< prev | next >
new | recent | 2026-05
Change to browse by:
cs
cs.CE
References & Citations
NASA ADS
Google Scholar
Semantic Scholar
Export BibTeX Citation
Bookmark
Bibliographic Tools
Bibliographic and Citation Tools
Bibliographic Explorer Toggle
Bibliographic Explorer (What is the Explorer?)
Connected Papers Toggle
Connected Papers (What is Connected Papers?)
Litmaps Toggle
Litmaps (What is Litmaps?)
scite.ai Toggle
scite Smart Citations (What are Smart Citations?)
Code, Data, Media
Demos
Related Papers
About arXivLabs
Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)