To Proxy or Not to Proxy

September 24, 2025 Alex Zaslavsky

Practical quantum computers will eventually break today's public-key cryptography. NIST's Post-Quantum Cryptography (PQC) standards are emerging to resist these attacks. But not every environment can flip overnight to PQC across the board.

One option is post-quantum tunnels: dedicated gateways that encapsulate data inside a PQ-secured channel before forwarding it. Think VPN, but with PQ key exchange or hybrid (PQ + classical) crypto at the outer layer. Like Web Application Firewalls (WAFs), these tunnels can reduce risk quickly — but whether they are a temporary bridge or a longer-term control should be driven by your security architecture and threat model, not a one-size-fits-all timeline.

What Post-Quantum Tunnels Do

  • Overlay protection: A gateway negotiates a PQ or hybrid key exchange, then wraps legacy traffic inside it.
  • Pros: Fast deployment, centralized key management, shields legacy systems.
  • Cons: Extra latency, single point of failure, and the underlying traffic still uses legacy crypto. Digital signatures remain untouched.
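As an added illustration of the overlay model (not configuration from the post or from SafeLogic), here is how a gateway can terminate a hybrid outer layer in front of a legacy endpoint using the nginx stream module. It assumes nginx built against OpenSSL 3.5 or later, which supplies the X25519MLKEM768 hybrid group; host names, ports and certificate paths are placeholders, and a matching client-side wrapper that carries the application's legacy TLS session inside the outer tunnel is assumed to exist.

```nginx
# Added example: nginx stream proxy acting as the PQ tunnel gateway.
# Assumes OpenSSL 3.5+ (hybrid group X25519MLKEM768); names are placeholders.
stream {
    server {
        # Outer layer: the PQ-secured channel the post describes.
        listen 8443 ssl;
        ssl_protocols TLSv1.3;

        # Offer the hybrid (ML-KEM-768 + X25519) group first and plain X25519
        # only as a fallback. Drop ":X25519" to make the tunnel PQ-mandatory,
        # at the cost of refusing clients that cannot negotiate ML-KEM.
        ssl_ecdh_curve X25519MLKEM768:X25519;

        # The gateway's own certificate is still RSA/ECDSA: a tunnel upgrades
        # the key exchange, not the signatures (see "Cons" above).
        ssl_certificate     /etc/nginx/tls/gateway.crt;
        ssl_certificate_key /etc/nginx/tls/gateway.key;

        # Inner layer: the decrypted bytes (the application's own legacy TLS
        # session) are forwarded unchanged, so the backend keeps its classical
        # crypto and the gateway becomes a single point of failure/trust.
        proxy_pass legacy-app.internal:443;
    }
}
```

From a client with OpenSSL 3.5+, `openssl s_client -connect gateway.example:8443 -groups X25519MLKEM768` reports the negotiated group, which is the practical check that the outer layer really is hybrid rather than silently falling back to X25519.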

When Proxied PQ Tunnels Make Sense

  • Wrapping insecure or legacy endpoints that cannot be upgraded to PQC
  • Mitigating "harvest-now, decrypt-later" risk for long-life data
  • Government or enterprise WANs where a few gateways are easier to upgrade than thousands of apps
  • Piloting PQ crypto in production without modifying existing systems.

When Direct PQ Algorithms Are Essential

  • Mission-critical applications/crown-jewel data: upgrade at the source where compromise risk is unacceptable
  • End-to-end security: if compromised proxies are in your threat model, prioritize PQ algorithms at the endpoints
  • Latency-sensitive workloads: double encryption and routing may not work for SCADA, HFT, etc.
  • Digital signatures: proxies can't "upgrade" signatures for software updates, documents or non-repudiation — swap RSA/ECDSA for PQ signature schemes at the endpoint
  • Long-term simplicity: running legacy crypto inside a PQ wrapper adds operational complexity; direct PQ adoption is cleaner and future-proof.

A Practical Roadmap

  1. Identify choke points where traffic enters/exits.
  2. Deploy PQ tunnels there where appropriate to shield recorded traffic now.
  3. For crown-jewel systems, begin replacing digital signatures and crypto at the endpoints directly.
  4. Prioritize high-value or long-life data for early PQ adoption.
  5. Gradually upgrade other endpoints to PQ protocols as vendor support matures.
  6. Phase out tunnels where possible as systems become PQ-native — treat them as a supplement, not an automatic substitute.

The Bottom Line

Post-quantum tunnels aren't always just a "temporary bridge." In some cases, they're the only realistic option for hard-to-migrate systems; in others they're too weak a control for critical workloads. Use them where they fit your threat model and architecture — but keep the end goal in sight: a network where both encryption and signatures are post-quantum directly at the endpoints.

Alex Zaslavsky

Alex is a Lead Software Engineer at SafeLogic.