Post-quantum cryptography (PQC) isn’t just a research project; it’s an urgent engineering challenge. While global standards are still settling, devices and platforms are already moving. Samsung’s Galaxy S25, for instance, has integrated PQC in hardware, a milestone Professor Bill Buchanan calls “a leap forward” in preparing for a quantum future. But according to Buchanan, the work required isn’t just technical. It’s cultural. It’s strategic. And it’s personal.
In a recent episode of Shielded: The Last Line of Cyber Defense, Buchanan, a professor, author, cryptography pioneer, and Fellow of the Royal Society of Edinburgh, took us on a deep and surprisingly human journey through the evolution of digital trust and the road to quantum readiness. From his early fascination with analog systems to his decades of work in cryptographic standards, Buchanan lays out both the urgency of post-quantum preparation and the massive opportunity ahead.
“I got into it and I loved it, and I still love it. And every day I learn something new,” he says. But that enthusiasm is matched with a clear warning: our systems may be cryptographically sound, but it’s the humans and the institutions behind them who often fail. “The cryptographic methods are near perfect,” he explains. “It’s just us. We’re the problem.”
As Buchanan tells it, we’ve spent the last 50 years building the digital world we rely on today, but we’ve done it unevenly. “We didn’t properly integrate privacy and trust,” he notes. Even now, some governments are seeking to weaken end-to-end encryption, despite overwhelming support from users and the maturity of solutions. This is where Buchanan sees resilience becoming the defining trait of future systems, not just resilience against attacks, but against regulatory backsliding, vendor lock-in, and poor architecture.
That’s where cryptographic agility comes in. And Buchanan’s not just talking about it in theory; he points to TLS as a working example of agile cryptography done right. “The models are there,” he says. “It’s about understanding where we are, where we want to be, and how to get there step by step.”
One of the most fascinating parts of the conversation is how he dismantles the myths that PQC is slow or impractical. “Performance is fine,” he says plainly. “It’s better than RSA, about the same as elliptic curve.” And what about the larger key sizes? Not a problem, either. “They’ll fit into TLS. No gigabytes needed.” By dispelling these myths, Buchanan clears a path for practical implementation. “Samsung’s doing it in a chip. Most others will do it in software. But it’s not hard.”
Buchanan explains that two families of algorithms, ML-KEM for key exchange and public key encryption, and ML-DSA for digital signatures, will replace RSA and ECC as they are deprecated by 2030. This, he says, is just five years away, which means the migration needs to begin now. For Buchanan, the quantum shift isn’t about tearing everything down; it’s about layered evolution. He advocates for a hybrid approach, deploying new and old algorithms together, and predicts that certificates will soon contain two signatures: one quantum-safe, one classical. “You’ll be stripping off either one to prove the actual site.”
He doesn’t romanticize the complexity. Hybrid systems, dual certificates, and cryptographic negotiations add complexity. But they also provide a transition path. “It’s almost like double signing everything,” he says. “We’re still working on that. But certificate authorities will be generating two key pairs in the future.” That future is coming fast, and the regulatory landscape is already adapting. Buchanan outlines how mandates from the U.S., UK, EU, and even Australia are accelerating the migration. HIPAA in the U.S., for example, is getting stronger on encryption, and the EU is expected to mandate PQC for public sector systems. “You’ll be negligent if you do not move,” he says.
But technology is only one piece. Buchanan sees three core priorities for organizations:
- Understand your data and build systems designed for real security, not just compliance checklists.
- invest in skills, because “skills in this area are terrible,” and
- Communicate better, to the public, to executives, and especially to politicians.
“Everyone should understand the basics,” he says, criticizing the thin, surface-level knowledge in many IT teams. “Even CISSP and other certifications are thin and long.” And the stakes are high: “A politician once said they didn’t know the difference between a hashtag and hashing,” he shares. “If our politicians don’t understand why this matters, then our citizens aren’t protected.”
Still, Buchanan is optimistic. With innovations like fully homomorphic encryption and zero-knowledge proofs, he sees the potential for a digital world that is truly private, resilient, and secure, where we can process data without ever decrypting it. “We need to get better at communicating our art,” he says. “It’s a really interesting area. And it’s one of the best industries to be in.”
The final takeaway? This shift isn’t just a technical upgrade. It’s a societal one. Start by redesigning your systems. Prioritize education. And bring post-quantum readiness out of the security silo and into the boardroom.
You can hear the full conversation with Professor Bill Buchanan on Shielded: The Last Line of Cyber Defense, now available on Apple Podcasts, Spotify, and YouTube.
About Professor Bill Buchanan OBE, FRSE
Professor Bill Buchanan, OBE, FRSE, is a cybersecurity professor at Edinburgh Napier University and one of the most recognized voices in applied cryptography and digital trust. With over 30 books, 400+ research papers, and multiple spin-out companies to his name, Buchanan has dedicated his career to bridging the gap between theoretical cryptography and real-world implementation. His work spans homomorphic encryption, digital identity, secure system design, and blockchain-based trust frameworks. As a passionate advocate for privacy, fairness, and resilience in digital systems, Buchanan has contributed extensively to shaping both academic research and public policy in cybersecurity. He regularly advises governments and organizations on the future of secure infrastructure in a post-quantum world and is a driving force behind efforts to improve cryptographic literacy and engineering practices. Known for his clear thinking, technical depth, and human-first approach to security, Buchanan remains a trusted voice in the global conversation on quantum readiness and digital transformation.
With the shift to post-quantum cryptography accelerating, Buchanan’s message is clear: crypto agility and system design, not just new algorithms, will define the next era of trust.