
Part 6: PQC in Action—Real-World Use Cases and Pilots

  • Writer: Bridge Connect
  • Jul 7

While post-quantum cryptography (PQC) is often discussed in theoretical terms, it is already being deployed across industries—from telecom and cloud computing to financial services and government networks. This article presents a curated set of real-world PQC pilots, early adoptions, and implementation challenges. For decision-makers and boards, these examples reveal how the transition to quantum-safe security is unfolding now, not just in the future, and what lessons can be applied to their own risk and investment strategies.


1. Telecom: PQC in Backbone Networks and Interconnects

Deutsche Telekom, Orange, and Vodafone have jointly trialled PQC in the context of secure inter-operator handshakes over fibre and MPLS backbones. These trials, conducted with partners like Thales and ID Quantique, have focused on hybrid cryptographic schemes combining classical and PQC algorithms to ensure backward compatibility.

AT&T and BT Group are reportedly testing PQC readiness in 5G core elements and metro backhaul routes, targeting both IPsec and TLS tunnels.

These trials highlight:

  • Importance of crypto-agility in software-defined networking (SDN).

  • Need for chip-level support in routers and switches.

  • Coordination with national timing and regulatory agencies.


2. Cloud and Enterprise IT: Browser-to-Server and Internal Comms

Google began integrating post-quantum key encapsulation (e.g. Kyber) into the Chrome browser in 2023 via experimental rollouts. As of 2025, Kyber is being tested in production-like environments within Google Workspace and internal APIs.

Amazon Web Services (AWS) now offers hybrid PQC cipher suites for selected TLS services through CloudFront and AWS KMS, allowing enterprises to experiment with quantum-resistant encryption in a cloud-native environment.

Key insights:

  • Application-layer PQC is maturing faster than network-layer PQC.

  • Enterprises must monitor cloud service SLAs and PQC rollout timelines.

  • PQC migration plans often surface legacy software and API fragility.


3. Financial Services: Secure Messaging and Key Management

Global financial networks like SWIFT and the Bank for International Settlements (BIS) are exploring PQC for secure messaging and real-time gross settlement (RTGS) systems.

  • Pilot projects in the Netherlands and Singapore have tested hybrid PQC + RSA signature schemes for payment instructions.

  • Some banks are using PQC to encrypt long-term vault and compliance data (retained for 7–25 years).

These institutions emphasize the value of:

  • Crypto-agile HSMs (Hardware Security Modules).

  • Regulatory clarity on PQC acceptance.

  • Long-term auditability of cryptographic decisions.


4. Public Sector: National Infrastructure and Identity Systems

The U.S. Department of Homeland Security has issued guidance for federal agencies to inventory cryptographic assets and prioritise PQC upgrades. Meanwhile, Canada, the UK, and Singapore have begun integrating PQC pilots into digital identity, public key infrastructure (PKI), and secure email systems.

  • The UK’s NCSC has trialled PQC in the GovAssure cloud platform.

  • Estonia’s e-ID program is exploring hash-based signature schemes for ID verification in a post-quantum context.

Lessons learned:

  • PQC rollout often requires legislation or procurement reform.

  • National standards must align with or complement NIST’s guidance.


5. Common Challenges in Early Deployments

Across sectors, PQC pilots reveal consistent friction points:

  • Key sizes and performance: Lattice-based schemes like Kyber and Dilithium increase handshake latency and bandwidth usage.

  • Tooling gaps: PQC libraries are less mature than established TLS/SSL stacks.

  • Skills shortage: Many security teams are unfamiliar with PQC concepts or implementation best practices.

  • Supply chain misalignment: Vendors differ on which algorithms and timelines to support.

Boards must recognise that this is not purely a technical issue. Delayed vendor alignment or governance confusion can derail even well-funded transitions.


6. So What? Strategic Takeaways for Decision-Makers

  • PQC is live, not theoretical. If Google and Vodafone are piloting now, your enterprise needs a roadmap.

  • Hybrid modes are the interim norm. Pure PQC adoption is rare; most deployments combine classical and quantum-safe components.

  • Crypto-agility is the real enabler. Organisations that can switch algorithms easily will navigate future PQC changes with minimal cost.

  • Benchmark peers and vendors. Use pilots as a way to pressure-test your partners’ readiness.

The early movers aren’t just securing data—they’re positioning themselves as leaders in a world where digital trust becomes a strategic differentiator.

"Post-quantum cryptography is already in production trials—from telcos to cloud giants. If your vendors aren’t preparing, they’re falling behind."


Next in the Series: Part 7 — What CIOs, CISOs, and Boards Must Do Today

 
 
