Two Tracks, One Future: What Sofia Celi Wants Security Leaders to Understand About Post-Quantum Cryptography

“We are at the teenager days of zero-knowledge proofs… and in the post-quantum world, they are really expensive.” – Sofia Celi

The global conversation about post-quantum cryptography (PQC) often swings between panic and denial. Some expect quantum disruption tomorrow. Others assume the transition will neatly align with their roadmap five years from now. The truth sits somewhere far more nuanced, and far more actionable.

In this episode of Shielded: The Last Line of Cyber Defense, Sofia Celi, Senior Cryptography and Security Researcher at Brave and co-author of the MAYO signature scheme, joins host Jo Lintzen to explain what is actually ready today, what still demands research, and where the real bottlenecks live inside the internet’s cryptographic foundations.

Sofia brings the unusual combination of deep protocol knowledge, standards leadership at the IETF, and real-world experience deploying privacy-preserving cryptography at scale. Her clarity cuts through speculation and makes one thing unmistakable: PQC is not a single migration. It is two migrations unfolding at different speeds.

The First Migration: Confidentiality Is Already Being Protected

Despite how often PQC is labeled as “emerging,” much of the confidentiality layer is already active in the real world. Major browsers, CDNs, and cloud providers have implemented hybrid post-quantum key exchange inside TLS 1.3, directly addressing the harvest-now-decrypt-later threat.

This is no longer experimental work. It is production.

The shift is meaningful because the simplest quantum attack, decrypting stored communications, relies on organizations having left old traffic vulnerable. Hybrid KEMs break that assumption.

Sofia’s message here is that confidentiality can be secured now. Teams running TLS 1.3 + hybrid PQ KEMs already have a path to protect encrypted data without disrupting operations.

But protecting confidentiality is only part of the journey.

The Second Migration: Authentication Is the Hard Problem

If confidentiality is progressing, authentication is the part that still demands patience.

Signatures, certificates, PKI, identity systems, and more advanced privacy-preserving tools all need to resist quantum attacks. Yet these components come with tradeoffs that affect performance, size, memory, and verification cost, making them far harder to deploy at scale.

This is the motivation behind NIST’s second signature call. The first round leaned heavily on lattice-based schemes. The next phase aims to diversify mathematical foundations and identify options that fit real-world authentication workloads.

One of those candidates is MAYO, the multivariate signature scheme Sofia co-authored.

MAYO offers compact public keys, small signatures, and natural compatibility with threshold cryptography, making it well-suited for digital identity, distributed signing, and cloud-scale environments. Its strength is not only cryptographic security but also operational fit.

As Sofia puts it, MAYO allows authentication systems to work with “really small public keys” and signatures sized for real-world bandwidth, which is rare in PQC today.

Authentication is the part of the migration that affects:

  • certificates inside every TLS handshake
  • identity systems that authorize transactions
  • code signing across software supply chains
  • attestation in cloud, mobile, and embedded systems

And it is the part of the stack that is not ready for mass adoption yet.

Why Hybrid Must Not Become Permanent

A theme that keeps resurfacing is how long deployed systems tend to remain in circulation.

Sofia points to SHA-1 as a cautionary example. Its existence in active systems today illustrates how easy it is for “temporary” cryptography to outlive its intended lifespan.

Hybrid KEMs are essential right now. But they must not become a long-term resting place. They exist to buy time while PQ algorithms are validated, not to be the final state of global cryptography.

The earlier organizations define the point at which they expect to transition beyond hybrid, the healthier the ecosystem becomes.

TLS 1.3: The Forgotten Prerequisite

One of the most grounding insights Sofia shares is that PQC cannot scale until organizations adopt TLS 1.3.

This protocol revision took nearly five years to standardize, and much longer to deploy. Even now, large segments of the internet still rely on TLS 1.2 or lower, blocking their ability to use hybrid KEMs or transition to PQ-only configurations later.

The IETF publishes standards, but it does not enforce adoption. That responsibility lies with implementers.

For many organizations, the biggest obstacle to PQC readiness is not quantum complexity; it is legacy debt.

The Zero-Knowledge Proof Gap

Zero-knowledge proofs (ZKPs) sit at the center of digital identity, selective disclosure, and privacy-preserving verification. But today’s ZKP landscape is far from ready for post-quantum deployment.

Sofia summarizes the state of the art:

“We are currently at the teenager days of zero-knowledge proofs… and post-quantum versions have really big computation and communication sizes.”

This creates a contradiction. Governments and enterprises promote privacy-preserving identity, yet rely on cryptographic components that cannot meet their own performance or privacy guarantees under PQ assumptions.

The gap between ambition and capability is widening, especially in Europe’s digital identity plans.

Why the 2027 EU Digital Identity Target Cannot Hold

The European Union aims to deliver a quantum-safe digital identity framework by 2027.

Sofia believes the goal is admirable, but the timeline is unrealistic.

Even classical identity systems struggle under performance constraints and privacy requirements. Adding PQ guarantees multiplies the load dramatically.

This mismatch between policy and technical readiness risks encouraging shortcuts, shortcuts that weaken the very privacy and integrity these frameworks aim to strengthen.

Quantum-safe identity requires not only strong algorithms but a quantum-safe architecture. And that architectural piece is still under active research.

The First Quantum Target: Stored Traffic

If a quantum machine became available tomorrow, Sofia says the most immediate attack would be against stored encrypted traffic.

Many organizations, governments, and service providers log vast amounts of communication. A future quantum attacker does not need live access; they need only what has already been recorded.

This is the foundation of the harvest-now-decrypt-later threat and one of the strongest reasons confidentiality should be upgraded without waiting for authentication to catch up.

Two Actions Every Organization Must Take This Year

Sofia concludes with two steps that any organization, large or small, can take immediately:

  1. Migrate fully to TLS 1.3 – PQC cannot function on outdated foundations.
  2. Enable hybrid post-quantum key exchange – It provides immediate confidentiality protection with little operational friction.
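As an added example (not from the episode, and not code from Brave or the MAYO project), here is a small Python check of both items on that checklist, and of the hybrid TLS 1.3 deployment described earlier, applied to a captured ServerHello: it reports whether TLS 1.3 was negotiated and whether the server's key_share names a hybrid post-quantum group. The hybrid codepoints are the IETF draft values; the sample ServerHello bytes are constructed inline for the test and are not a real capture.

```python
import struct

# Hybrid key-exchange codepoints from the IETF TLS drafts (ecdhe-mlkem and the
# earlier Kyber draft): a key_share naming one of these means a hybrid KEM ran.
HYBRID_GROUPS = {0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
                 0x11ED: "SecP384r1MLKEM1024", 0x6399: "X25519Kyber768Draft00"}
EXT_SUPPORTED_VERSIONS, EXT_KEY_SHARE = 0x002B, 0x0033

def parse_server_hello(msg: bytes) -> dict:
    """Parse a ServerHello handshake message (record header already stripped)
    and return the negotiated protocol version and key-exchange group."""
    if msg[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    info = {"version": int.from_bytes(body[:2], "big"), "group": None}
    pos = 2 + 32                      # skip legacy_version and random
    pos += 1 + body[pos]              # legacy_session_id_echo
    pos += 2 + 1                      # cipher_suite, legacy_compression_method
    if pos >= len(body):              # a TLS 1.2 ServerHello may have no extensions
        return info
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        if etype == EXT_SUPPORTED_VERSIONS:
            info["version"] = int.from_bytes(data[:2], "big")  # 0x0304 is TLS 1.3
        elif etype == EXT_KEY_SHARE:
            info["group"] = int.from_bytes(data[:2], "big")
        pos += 4 + elen
    return info

def classify(info: dict) -> str:
    """Map a parsed ServerHello onto the two-step checklist."""
    if info["version"] < 0x0304:
        return "legacy-tls"           # step 1 (TLS 1.3) not done
    if info["group"] in HYBRID_GROUPS:
        return "hybrid-pq"            # both steps done
    return "classical-only"           # TLS 1.3 negotiated, but no hybrid KEM

def build_server_hello(group: int, tls13: bool = True) -> bytes:
    """Constructed sample ServerHello for testing; not a real capture."""
    exts = b""
    if tls13:  # TLS 1.3 announces itself in supported_versions and sends key_share
        exts = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304)
        exts += struct.pack("!HHHH", EXT_KEY_SHARE, 36, group, 32) + b"\x11" * 32
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x13\x01" + b"\x00"
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    return b"\x02" + len(body).to_bytes(3, "big") + body
```

Run over ServerHellos pulled from a packet capture, the classification tells you which of the two steps a given endpoint has actually completed, independent of what its configuration claims.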

Authentication will evolve over time, shaped by ongoing research, new standards, and emerging algorithms. But confidentiality can be secured now.

Progress is possible right now. Teams must not wait for the full cryptographic stack to mature before taking the steps already in reach.

The Takeaway

Sofia’s perspective offers a welcome dose of clarity at a time when the landscape of PQC feels crowded with prediction and uncertainty.

PQC is not a single transition. It is two transitions:

  • one already unfolding in production systems, and
  • one still being built in research labs, standards bodies, and engineering teams.

It touches protocol design, identity architectures, supply chains, policy, and long-lived trust models. And it requires organizations to distinguish urgency from aspiration, acting where they can now, and preparing thoughtfully for what is still ahead.

Sofia reminds us that being early is helpful, but being precise is essential. The migration ahead requires discipline, sequencing, and a realistic understanding of what is ready today versus what still needs to evolve.

You can hear the full conversation with Sofia Celi on Shielded: The Last Line of Cyber Defense, available now on Apple Podcasts, Spotify, and YouTube Podcasts.

About Sofia Celi

Sofia Celi is a Senior Cryptography and Security Researcher at Brave, where she focuses on practical deployment of privacy-preserving and post-quantum cryptography. Her work spans Private Information Retrieval (PIR), zero-knowledge proof integration, TLS attestation, and the real-world application of advanced cryptography beyond blockchain. She is a co-author of MAYO, a multivariate post-quantum signature scheme submitted to NIST’s second signature call, and has led efforts to bring privacy technologies such as PIR into production environments. Sofia serves as WG/RG Chair and Ombudsperson at the IETF, where she co-chairs a working group shaping global post-quantum protocol standards. She is an IACR ePrint co-editor, a reviewer for BlackHat, a member of the Open Technology Fund Advisory Council, and previously worked as a Cryptography and Security Researcher at Cloudflare. Her career sits at the intersection of research, protocol design, and applied security, advancing cryptography from theory into widely deployed systems.