Q-Day is Coming: Notes from the SCS Quantum Communications & Cybersecurity Event

We've all heard of D-day. It's probably time we got more comfortable hearing about Q-day too.

As a professional member of the Singapore Computer Society, I recently had the opportunity to attend Quantum Communications and Cybersecurity in the Quantum Era, an event hosted by the Cybersecurity Agency of Singapore at their Punggol Digital District office. The evening featured three speakers: Wei Wen (Assistant Director, CSA), Cai Yu (Quantum Communication Applied Scientist, HSBC), and Robert Bedington (CTO, SpeQtral), covering the quantum threat from regulatory, industry, and infrastructure perspectives respectively.

This post is my attempt to distil what I learned, written for a mixed audience: some of you will already be familiar with cryptography and the quantum threat landscape, others will be encountering this for the first time. I've tried to layer the content accordingly. There's also a Further Study section at the end, which I'll be expanding as I go deeper into some of the topics raised.

A Quick Primer on Cryptography

Symmetric and asymmetric encryption [3].
"Developing a New Hybrid Cipher Algorithm using DNA and RC4 - Scientific Figure on ResearchGate. Available from: https://www.researchgate.net/figure/Symmetric-and-asymmetric-encryption-3_fig1_320741257 [accessed 18 May 2026]"

Before getting into the quantum threat, it helps to understand what's at risk.

Modern cryptography broadly falls into two categories. Asymmetric (public-key) cryptography uses a pair of mathematically related keys: one public, one private, and underpins key exchange, digital signatures, and authentication. Common algorithms include RSA, ECC, and Diffie-Hellman. Symmetric cryptography uses a single shared key for bulk data encryption and message authentication: think AES and ChaCha20.

The two also face different quantum threats. Shor's algorithm, running on a sufficiently powerful quantum computer, can efficiently factor large integers and solve discrete logarithm problems: the hard mathematical problems that asymmetric cryptography depends on. The impact: asymmetric encryption is completely broken. Symmetric cryptography fares better; Grover's algorithm reduces its effective security strength by half, meaning AES-128 drops to the equivalent of 64-bit security. The mitigation there is more straightforward: double the key length (i.e. move from AES-128 to AES-256).

This asymmetry matters enormously for understanding what needs to change and how urgently.

The Threat is Accelerating

Wei Wen opened with two threat scenarios that, once you hear them, are hard to forget.

Harvest Now, Decrypt Later (HNDL): An adversary captures encrypted traffic today: TLS handshakes, VPN sessions, sensitive data in transit, and stores it. They cannot decrypt it now. But when a Cryptographically Relevant Quantum Computer (CRQC) exists, they go back to their archive and break the asymmetric key exchange, recover the symmetric session key, and decrypt everything. The interception already happened. The damage arrives later.

Trust Now, Forge Later (TNFL): Public keys are, by definition, public; no interception needed. An adversary records a public key and signed document today. When a CRQC arrives, they use Shor's algorithm to derive the private key from the public key, and can then forge signatures. The implications range from fake contracts to malicious firmware to rogue certificates; essentially, the entire basis of digital trust becomes malleable.

What makes both scenarios acutely uncomfortable is that the harvesting can start now, with decryption following later. The threat is not merely a future concern; it has a present-tense dimension.

On the engineering timeline: a slide from Wei Wen illustrated how the estimated number of physical qubits required to break RSA-2048 has dropped dramatically over the last decade of research, from approximately one billion (Fowler et al., 2012) to under 100,000 in the most recent estimates (Webster et al., 2025/2026). This is not a sign that the problem is solved; it is a sign that the engineering challenge is getting progressively easier to meet. No single factor determines the exact timeline, but every relevant factor: qubit count, error correction, gate fidelity, algorithm efficiency, is trending in one direction.

Governments have taken note. Regulatory deadlines are already on the books: the US and EU have set 2030 targets, the UK 2031, Malaysia 2030. Singapore's MAS issued an advisory to financial institutions on quantum computing risks in February 2024. NIST published its first finalised post-quantum encryption standards in August 2024, and separately announced the planned deprecation of RSA and ECDSA in November 2024.

The Two Pillars of Quantum-Safe Security: PQC and QKD

Wei Wen covered both primary responses to the quantum threat, and Robert Bedington expanded on QKD from an infrastructure perspective.

Post-Quantum Cryptography (PQC) consists of mathematical algorithms designed to run on classical hardware and resist attacks from quantum computers. Rather than relying on the factoring or discrete logarithm problems that Shor's algorithm breaks, PQC algorithms are based on different hard problems: lattice-based, hash-based, and code-based constructions. NIST standardised three algorithms in August 2024: ML-KEM (Kyber) for key encapsulation, ML-DSA (Dilithium) for digital signatures, and SLH-DSA (SPHINCS+), a hash-based signature scheme. PQC's major advantage is that it runs on existing hardware infrastructure as a software upgrade. Its limitation: larger key and signature sizes compared to classical algorithms, and certain implementations may require hardware changes.

Quantum Key Distribution (QKD) takes a fundamentally different approach. Rather than mathematical hardness, QKD's security is grounded in the laws of physics. Keys are encoded in quantum states of single photons; any eavesdropping attempt disturbs the quantum state and is therefore detectable. QKD is limited to key establishment only; it does not provide digital signatures or authentication, and has significant infrastructure requirements: specialised optical hardware, dedicated fibre or satellite links, and a current practical range of approximately 100km over fibre before signal degradation requires trusted relay nodes or satellite extension.

PQC and QKD are complementary rather than competing. A typical implementation pairs them: QKD for site-to-site key establishment between datacentres and headquarters, PQC for endpoint-level cryptographic functions on computers and mobile devices. Robert Bedington framed this explicitly as defence in depth: layering quantum-resistant security at different points of the architecture so that a failure or future vulnerability in one layer does not compromise the whole.

Singapore's Response: The Quantum Readiness Initiative

Cybersecurity Agency of Singapore office at Punggol Digital District

CSA's response to the quantum threat takes a practical, structured form.

The Quantum Readiness Index (QRI) is a self-assessment questionnaire that helps organisations evaluate their readiness for quantum-safe migration: whether the necessary expertise, governance structures, and processes are in place to plan and execute the transition. It is designed to surface capability gaps and facilitate management buy-in for migration planning.

The QS Migration Handbook provides practical guidance for the transition to quantum-safe cryptography, targeted primarily at critical information infrastructure (CII) owners and government agencies, though applicable more broadly. It highlights risks, key focus areas, and practical migration considerations.

The handbook organises quantum readiness across five key domains: Risk Assessment, Governance, Technology, Training and Capability, and External Engagement. Critically, the initial objectives within each domain are flagged as "no-regrets" actions: steps that are beneficial regardless of exactly when the quantum threat materialises. This framing is important: it removes the excuse of timeline uncertainty. You don't need to know the exact date of Q-day to justify starting.

The practical starting point CSA recommends is straightforward in principle if demanding in execution: identify your crown jewels (what data and systems are most critical), discover your cryptographic assets (what cryptographic controls exist within those critical systems), and perform a threat and risk assessment to inform migration priority and sequencing.

Both resources are available at the CSA website link at the end of this post.

The Financial Sector Gets Real: HSBC's Quantum Journey

Cai Yu's session grounded the quantum threat in the context of a global financial institution actively navigating it, which made for some of the most concrete content of the evening.

HSBC's motivation for quantum investment has two dimensions. The first is opportunity: quantum computing is projected to unlock approximately $2 trillion in value globally by 2035 (McKinsey/Oxford Economics), with financial services specifically expected to capture over $600 billion of that. The second, more immediately pressing, is risk: the Global Risk Institute's 2025 Quantum Threat Timeline Report estimates a 38% probability of a quantum computer breaking RSA-2048 within ten years, with the optimistic scenario reaching 49%.

On the regulatory side, Cai Yu presented a timeline of escalating action from 2024 through 2026: MAS advisory to Singapore financial institutions in February 2024, NIST's PQC standards in August, G7 Cyber Expert Group recommendations in September, China launching its own quantum-resistant standards in February 2025, the EU pressing for quantum-safe encryption by 2030 in July 2025, and Google stating in March 2026 that "quantum frontiers may be closer than they appear." The direction of travel is consistent.

The most practically interesting part of Cai Yu's session was HSBC's proof-of-concept work. As the first bank to test PQC on a gold tokenisation platform, HSBC used a PQC VPN (built on Quantinuum's technology) to secure a distributed ledger: the same HSBC Orion platform that underpins their gold tokenisation for retail investors in Hong Kong. The key learnings from the trial were notable precisely because they were reassuring: cost-effective, seamless integration, minimal changes to existing systems, and low latency impact. PQC migration, at least for this use case, did not require a ground-up rebuild.

HSBC has also engaged with QKD: they were the first bank to join the BT/Toshiba UK quantum network, have executed what is reported as the world's first quantum-secure FX trade, and have participated in MAS's QKD network trial in Singapore.

The Bigger Picture: Global Quantum Networks and the Road to a Quantum Internet

Robert Bedington presenting SpeQtral quantum network infrastructure at the SCS event

Robert Bedington's session shifted focus from the immediate threat to the infrastructure being built in response, and toward what comes after.

SpeQtral is a spinout from the Centre for Quantum Technologies at the National University of Singapore, and their focus is on using QKD to secure networks today while building toward quantum networking infrastructure for the longer term. Rather than summarise their proprietary roadmap in detail here, I'd point readers directly to SpeQtral's blog for specifics; they publish regularly and the content is worth reading.

What I can speak to is the broader landscape Robert covered. Quantum networks are not a future concept; they are being actively deployed:

  • China has built a 10,000km fibre quantum network and launched satellites (Micius in 2016, Jinan-1 in 2022) to bridge distances beyond fibre range.
  • South Korea secured the communications of 48 government agencies across an 800km QKD network in 2022.
  • The UK has commercial QKD deployments in London and is participating in ESA-led satellite QKD programmes.
  • The EU launched the European Quantum Communication Infrastructure (EuroQCI) initiative in 2019, a collaboration across all 27 member states.
  • Singapore has its National Quantum Safe Network Plus (NQSN+), with participation from IMDA, ST Engineering, Singtel, SpeQtral, and Toshiba among others.

The longer-term arc is a Quantum Internet: a global network secured by quantum mechanics rather than mathematical hardness assumptions. Robert drew a parallel to the evolution from ARPANET to the present-day internet, with a tentative 2040 horizon. QKD over fibre and satellite demonstrators represent the first steps on that staircase.

My Takeaways

One thing became clear across all three sessions: it is not a matter of if classical cryptography is broken, but when. Recent estimates put a CRQC within reach by 2029, and all three speakers pointed to the engineering gap closing faster than most organisations realise.

The arguments for urgency that landed most strongly with me weren't about fear; they were structural. Tech refresh cycles run 5-10 years. Missing the current cycle may mean waiting another decade before quantum-safe design gets embedded into your systems. Every new system deployed today without quantum-safe design adds to your future migration burden. Delay doesn't pause the clock; it grows the risk.

The HSBC PoC results matter here because they remove one of the more convenient reasons to defer: the assumption that migration is technically brutal. For at least some implementations, it isn't. The harder challenge is organisational: the governance, the cryptographic asset discovery, the prioritisation, and that work can start now, with or without the technical components being fully resolved.

Most tasks in the QS Migration Handbook are regret-free. There is no version of the future in which identifying your crown jewels and your cryptographic assets turns out to have been a waste of time. The time to assess and act is not when the threat materialises.

Further Study

This section will be updated as I go deeper into the topics raised at the event. For now, the resources I'm prioritising:

[More to follow]

← All Posts