Public Key Infrastructure (PKI) and Post-Quantum Cryptography (PQC), what does it mean to defence?

The Strategic Defence Review (SDR)  “sets a new vision for how our Armed Forces should be conceived, a combination of conventional and digital warfighters; the power of drones, AI, and autonomy complementing the ‘heavy metal’ of tanks and artillery; innovation and procurement measured in months, not years; the breaking down of barriers between individual Services, between the military and the private sector, and between the Armed Forces and society”. ¹

A foundational part of that defence security is the Public Key Infrastructure (PKI), PKI not only underpins COMSEC (Communications Security) and INFOSEC policies, but it is also a critical component in securing digital communications and operations across military and defence systems. The threat Quantum poses to Public Key Cryptography (PKC) is significant, especially as the UK’s National Cyber Security Centre (NCSC) warns, "Most PKC algorithms in use today will be vulnerable to a Cryptographically Relevant Quantum Computer (CRQC)." So, what does that mean for defence and why should this be seen as a future digital challenge? 

The PQC challenge to defence 

Public Key Infrastructure (PKI) plays a foundational role in securing defence systems, ensuring confidentiality, integrity, authentication, and non-repudiation across a wide array of mission-critical environments. Below is a breakdown of how PKI is used within defence systems, organised by functional domain: Its primary uses include:

• Secure communications: Encryption of emails and data-in-transit between defence personnel and systems, Secure Voice over IP (VoIP) communications and Protection of tactical and strategic communications in theatre and command environments.
• Authentication and access control: Enforcing strong identity verification of users and systems via digital certificate, Smart cards and tokens used in military operations often rely on PKI-backed credentials for access to systems, Managing role-based access to classified or mission-critical systems and Integration with multi-factor authentication (MFA) systems for enhanced security.
• Data integrity, blockchain and non-repudiation: Ensuring the authenticity and integrity of messages, documents, and software through digital signatures, chain-of-command validation in operations to guarantee order authenticity.
• Secure software and firmware updates: Digitally signed software updates ensure tamper-evident delivery and secure network appliances, it is also increasingly used to secure code deployment in an agile DevOps world.

PQC to be considered alongside digital transformation

As noted in the 2025 SDR there is a renewed emphasis on home defence and resilience is also imperative, having PKI that is able to operate within a Post-Quantum Cryptography (PQC) is a critical business challenge because it intersects with cybersecurity, regulatory compliance, risk management, and long-term data protection, all of which are foundational to modern defence enterprise systems. 

• Post-Quantum Cryptography (PQC): The  National Institute of Standards and Technology (NIST) has selected several PQC algorithms (e.g. Kyber, Dilithium) to replace quantum-vulnerable ones. Defence agencies are beginning to evaluate these for implementation in sensitive systems.
• Crypto agility: Ensuring systems can swap cryptographic algorithms easily. Supporting the transition to PQC as it becomes standardised.
• Hybrid cryptographic approaches: Combining classical and quantum-safe algorithms to maintain backward compatibility and ensure security during transition.
• Quantum Key Distribution (QKD): Defence organisations should start to explore QKD for secure communications, though it has limitations in scalability and deployment.

What does it mean to defence?

For defence, post-quantum cryptography is not just an IT upgrade, it's a national security imperative. The challenge lies in the scale of modernisation, strategic importance of cryptographic trust, and urgency posed by quantum threats. Successfully navigating this shift demands long-term investment, inter-agency coordination, crypto agility, and close collaboration with industry and allied partners.

Learn more

Let us help you protect your business uninterrupted, secure, and future-ready.

Read our viewpoint  Crossing the rubicon with Post-Quantum Cryptography

Contact CGI todayto begin your Quantum-Safe Computing (QSC) transition journey 

References 

1. Strategic Defence Review: Making Britain Safer: secure at home, strong abroad 2025