Q-day and the Irish public sector — what to migrate first

Q-Day is the day a cryptographically relevant quantum computer can break RSA-2048 or break elliptic-curve discrete log inside a useful window. Nobody knows the date. What we do know is that adversaries are already harvesting encrypted Irish state traffic and storing it — health records, tax filings, justice case files, defence cables — with the intention of decrypting it later. That means the migration clock for Irish public sector cryptography did not start on Q-Day. It started years ago. This article is a working engineer's view of what the Irish state should migrate first, in what order, and why the superconducting-qubit machines actually being built — including the one we're standing up in Tipperary — change the assumptions you used to be able to make.

The threat model is harvest-now-decrypt-later, not Q-Day itself

If you only model the day a fault-tolerant quantum computer comes online, you will under-invest. The real threat is the gap between today and that day, because anything sent over a public network using RSA, Diffie-Hellman, or ECDSA is recordable now and decryptable later. For Irish public-sector data with a long secrecy half-life — citizen health records under HSE, Revenue tax filings, court records, garda intelligence, Defence Forces communications, diplomatic traffic from Iveagh House — the practical question is: how long does this data need to remain confidential? If the answer is more than ten years, you are already late.

The shor's-algorithm timeline depends on physical qubit count, gate fidelity, and surface-code overhead. To break RSA-2048 you need on the order of millions of physical qubits at current error rates, distilled down via the surface code into a few thousand logical qubits running for hours. Today's largest superconducting transmon devices sit in the low thousands of physical qubits with two-qubit gate errors around the 10⁻³ range. The gap is real, but it is closing on a curve that compounds — fidelity improvements multiply with qubit count, and surface-code overhead drops sharply as physical error rates fall below threshold.

NIST PQ standards are the floor, not the ceiling

NIST finalised the first post-quantum standards in 2024: ML-KEM (FIPS 203, formerly Kyber) for key encapsulation, ML-DSA (FIPS 204, formerly Dilithium) for digital signatures, and SLH-DSA (FIPS 205, formerly SPHINCS+) for hash-based signatures. FALCON is following as FIPS 206. These are the algorithms Irish public sector should be migrating to. Not "considering". Migrating.

The thing every Irish CIO needs to internalise: NIST PQ migration is not a drop-in. ML-KEM public keys are roughly 1,184 bytes versus 256 bytes for X25519. ML-DSA signatures are around 2,420 bytes versus 64 bytes for Ed25519. That breaks assumptions baked into TLS record sizes, DNS UDP responses, smart-card storage, embedded firmware, and any protocol with hardcoded buffer limits. You cannot migrate by flipping a flag. You migrate by inventorying every cryptographic dependency and rebuilding the ones that fail under larger keys and signatures.

The ceiling is hybrid: combining a classical KEM (X25519) with a PQ KEM (ML-KEM) so that an attacker has to break both. Cloudflare, Google, and AWS are already running hybrid X25519+ML-KEM in production TLS. The Irish state should default to hybrid for any new system. Pure PQ deployments invite a second migration if a flaw is found in the lattice assumptions — and lattice cryptography is younger than RSA by four decades.

What Irish public sector should migrate first

Inventory before action. Most departments do not have a cryptographic bill of materials. You cannot migrate what you cannot see. Once you have the inventory, the priority order is roughly:

• Long-lived confidential data in transit. HSE inter-hospital traffic, Revenue Online Service submissions, court filings, Defence Forces and DFA cable traffic, anything carrying personal data under GDPR with a retention period over five years. Migrate the TLS termination layer to hybrid PQ first.
• Root certificate authorities and code signing. Anything that signs firmware, OS updates, or long-lived certificates. A forged signature in 2030 from a stolen 2025 key is a ten-year backdoor. SLH-DSA is the conservative pick here because it relies only on hash-function security.
• VPN and remote access. The pandemic taught us that civil service traffic flows over IPsec and WireGuard tunnels for years at a time. Move to PQ-hybrid IKEv2 and PQ-WireGuard variants as they stabilise.
• Identity infrastructure. MyGovID, public service cards, any PKI underpinning eIDAS-compliant signatures. These have replacement cycles measured in years, so the migration plan needs to start now even if rollout is slow.
• Encrypted backups and archives. Re-encrypting a petabyte of cold storage is expensive but necessary if the plaintext has a long half-life. Tape archives written today with AES-256 keys wrapped in RSA-2048 are the textbook harvest-now-decrypt-later target.

What does not need to move first: symmetric cryptography. AES-256 is fine. Grover's algorithm gives a quadratic speedup, which means AES-256 has roughly 128 bits of post-quantum security — still well above the comfort threshold. SHA-256 and SHA-3 are also fine. The panic is asymmetric, not symmetric.

Why sovereign quantum compute matters to the migration question

There is a second-order reason Ireland should care about hosting its own quantum hardware, not just buying cycles from US or Chinese clouds. Migration testing, red-teaming, and protocol benchmarking against actual quantum hardware — even small noisy devices — gives you ground-truth data that simulation cannot fully replicate. When an Irish department tests whether its PQ migration holds up, doing that against a sovereign machine on Irish soil avoids exporting sensitive cryptographic posture data to a foreign cloud.

The Ireland Quantum 100 build in Tipperary is a 100-physical-qubit superconducting transmon system on a heavy-hex topology, running in a dilution refrigerator at sub-15 millikelvin, with a roadmap toward surface-code error correction as fidelities improve. That machine is not going to run Shor's algorithm against RSA-2048 — nothing of that size will, for years. What it will do is give Irish researchers, civil service security teams, and climate scientists a domestic platform for variational quantum eigensolver chemistry, QAOA optimisation, and PQ protocol stress-testing without sending workloads abroad. You can read more about the build at our quantum programme.

The integration with cryptographic agility

The deepest lesson from the SHA-1 deprecation, the MD5 collapse, and the slow death of RSA-1024 is this: cryptographic agility is the only durable defence. If your system hardcodes an algorithm name, you will pay the migration cost again every fifteen years. Build for agility now: algorithm identifiers in protocol headers, cryptographic libraries behind clean interfaces, key rotation as a first-class operation.

For Irish public sector procurement, this means writing crypto-agility requirements into every new contract. No more "uses RSA-2048" in a tender — instead, "supports algorithm negotiation per NIST SP 800-227 and IETF hybrid PQ drafts, with documented migration path to ML-KEM, ML-DSA, and SLH-DSA". The cost of retrofitting agility into a system already in production is roughly an order of magnitude higher than building it in. We see this pattern repeatedly in the supply-chain audits we run for our offset-stack work — most enterprise crypto stacks are not agile, and the ones that are tend to be the ones that already survived one migration.

Where the gaps will hurt most

Three areas where the Irish state is likely to find migration genuinely painful:

• Embedded and OT systems. Water treatment, electricity grid SCADA, transport ticketing — devices with twenty-year lifecycles, constrained memory, and crypto baked into firmware. ML-DSA signatures may simply not fit. SLH-DSA is even larger. Some of this kit will need replacement, not migration.
• Smart cards and HSMs. Public service cards, Revenue digital certs, hardware security modules in banks and ministries. PQ key sizes stress smart-card storage and HSM firmware. Vendors are shipping PQ-capable HSMs but adoption is uneven and the certification lag (FIPS 140-3, Common Criteria) is significant.
• Inter-state interoperability. Ireland is small. Most of our cryptographic surface area touches the EU, the UK, the US. Migration timing has to align with eIDAS 2.0, with NCSC-UK guidance, with NIST SP 800-208. Move too fast and you break interop. Move too slow and you carry the harvest-now risk.

For teams who want to go deeper on the engineering side of how quantum hardware actually changes the cryptanalytic threat — qubit counts, gate fidelities, surface-code overheads, and what realistic timelines look like — see our breakdown of superconducting transmon architecture.

Where to start this week

If you run cryptography for an Irish public-sector body, this week's job is the inventory. Not the migration. The inventory. Every TLS endpoint, every signing key, every VPN tunn