Collaborative research among industry, academia, open source communities, and government is proactively developing quantum-resistant solutions.
The rise of large-scale quantum computers presents a direct threat to the cryptographic primitives that secure our most critical digital infrastructure. As these machines advance, they will be capable of breaking algorithms like RSA and ECC, which form the bedrock of modern public-key cryptography. Global regulatory momentum has already driven a significant acceleration in security research. The US National Institute of Standards and Technology (NIST) finalized its first set of post-quantum cryptography (PQC) standards in August 2024, and the development and drafting of RFCs for the Internet Engineering Task Force (IETF) are now underway, with federal agencies receiving mandates to begin the migration process immediately. These new standards will soon be required for use in commercial and government systems, leading up to meeting the target of a broader government-wide transition to PQC no later than 2035—although security experts suggest that Q-Day may come closer to 2030. In either case, there is a great deal of work to do in the next few years.
Engineers from Red Hat’s Office of the Chief Technology Officer (OCTO) are collaborating on two recently launched projects with the aim of preparing for this transition: Quantum-Resistant Cryptography in Practice in EMEA and the introduction of frameworks to enable future PQC software signing as part of the upstream open source project Sigstore.
Quantum-resistant cryptography in practice
The Quantum-Resistant Cryptography in Practice (QARC) project is an initiative under the European Union’s Horizon Europe program*, coordinated by the Brno University of Technology, set to run for three years starting in early 2026. The project aims to create a robust and practical framework for the transition to PQC. It brings together a diverse consortium of partners from 11 European countries, representing three key sectors: industry, academia, and governmental organizations. The objective is to move beyond theoretical research and develop real-world, secure implementations of quantum-safe cryptographic algorithms for complex, sensitive applications like e-voting, cloud services, and Linux authentication. Cryptographic agility is a key element of the project, enabling systems to adapt quickly to new standards and threats.
Another impactful component is hands-on application through practical pilots. Pilots will test PQC implementations in real-world scenarios including e-government services in Estonia, cloud services by the Latvian company Tet, and Linux authentication for enterprise. QARC will also address the broader, non-technical challenges of PQC transition by establishing an international network of National Cybersecurity Authorities to coordinate national strategies and provide harmonized recommendations. The goal is to generate open source software, hardware designs, and best practices to help a wide range of organizations navigate the shift to a post-quantum world.
Red Hat is a major contributor in the QARC consortium, leveraging engineers’ experience in open source software and standards. Contributions center on the practical implementation and standardization of PQC in widely used open source ecosystems, with a specific focus on core open source cryptographic libraries like OpenSSL, GnuTLS, and NSS. Their work involves extending the tlsfuzzer test suite to detect vulnerabilities in these new algorithms, ensuring the implementations are robust and secure. Red Hat engineers lead the PQC Linux Authentication pilot, which aims to make the Kerberos authentication protocol quantum-safe, adapting existing protocols to work with new PQC standards and prototyping changes to MIT Kerberos based on these updates. We will also integrate post-quantum Public Key Infrastructure into FreeIPA, its identity and authentication solution for Linux, allowing it to generate and manage PQC certificates. The findings from this pilot will provide crucial insights into how to deploy quantum-safe cryptography in existing enterprise workflows.
PQC software signing
In early March, the Red Hat Emerging Technology Security Team embarked on a project to introduce PQC to the secure software supply chain in collaboration with the Red Hat Trusted Artifact Signer (RHTAS) team. Currently, the team works with Sigstore, an open source project providing the tools to sign software and artifacts then publish proof of lineage to a transparency log for simple, non-repudiable verification. Though Sigstore is widely adopted by industry and government entities—those who need PQC most—it has lagged behind on PQC adoption, in part due to lack of signature support in core upstream packages like Go standard cryptographic library, as well as delays in finalizing worldwide cryptographic standards.
We’ve had to get creative and stay flexible. Much of our time was spent just negotiating plans, and plans made one week will be different the next, depending on the wider PQC ecosystem: changing government regulations, industry needs, emerging academic research and weaknesses, and volatile APIs. It’s a fascinating, exciting space to work, and we’re making real progress. Portions of our software design have already been merged upstream with much more to come.
Towards the end of the year, the team hopes to have a proof-of-concept for PQC software signing with Sigstore, functionality that will then be expanded and incorporated into RHTAS. Contributing these features directly to the upstream community accelerates industry-wide innovation and ensures Red Hat continues its long legacy of open source contributions and collaboration, while keeping our products at the bleeding edge of mitigating one of the greatest existential cybersecurity threats of the modern day. In the future, the Emerging Tech team will be investigating how to maintain the hardware root of trust in a post-quantum world—a matter critical for confidential computing and zero-trust architecture.
Strength through openness
The imperative to transition to post-quantum cryptography is no longer a distant concern but an immediate necessity, driven by rapid advancements in quantum computing and evolving regulatory mandates. Collaborative initiatives like the Quantum-Resistant Cryptography in Practice (QARC) project and the integration of PQC into Sigstore for software signing demonstrate the importance of solving PQC problems in the open. Engaging a diverse set of stakeholders will fuel more rapid innovation, create greater transparency, and ensure wide access to security solutions.
*QARC is to be funded by the European Union under Grant Agreement No. 101225691 from 2026.