Strengthening Post-Quantum Cybersecurity for Law Enforcement Agencies with PQ-REACT
Nowadays, quantum risks across critical infrastructure sectors are significant and cover multiple aspects of our daily lives.
Almost every encrypted connection we make online, banking, messaging, healthcare portals, and government services, relies on a type of mathematics called public key cryptography. The two main algorithms are RSA and ECDSA (Elliptic Curve Digital Signature Algorithm).
These work because certain mathematical problems are extremely difficult for classical computers to solve.
However, quantum computers alter that. A sufficiently powerful quantum machine running Shor’s algorithm can crack RSA and ECDSA, impacting many sectors. Furthermore, a rising concern in cybersecurity has introduced a new concept: Harvest now, decrypt later. Attackers can already collect encrypted confidential data today, including health data, and decrypt it in the future once quantum-capable hardware becomes available.
So they do not need to decrypt now; they are just waiting, and this might affect several critical sectors, such as:
Energy grids run on SCADA systems that use RSA and ECC for firmware signing and authentication, which can be broken by Shor’s algorithm. Many operational technology (OT) protocols remain completely unsecured even today, leaving an open wound for future quantum attacks.
Telecoms, including 5G and the 6G networks being designed now, rely on TLS and IPsec with classical key exchange. These are the protocols that secure everything from your phone calls to the network slicing capabilities that operators use to manage infrastructure.
Financial services and digital identity are deeply exposed. Public Key Infrastructure (PKI), digital signatures, and the new eIDAS-qualified certificates being rolled out across the European Union all depend on algorithms that quantum computers will eventually break. Forged signatures could undermine legal transactions and identity systems at scale.
Connected vehicles, hospital IoT systems, and air traffic management share the same vulnerability
If we do not act swiftly and adhere to migration guidelines, similar cyberattacks and fraud incidents could be carried out using quantum computers.
Europe has responded with regulatory urgency. The NIS2 Directive mandates stronger cybersecurity requirements for essential services, and post-quantum cryptography guidance now threads through multiple resilience frameworks and regulations covering connected products. The question is no longer whether to migrate; it is whether organisations will act before adversaries exploit the window.
The PQ-REACT Project
Within the PQ-REACT project, researchers identified that smart meters have very limited computing power, making the deployment of quantum-safe encryption difficult. The project, therefore, tested three quantum-safe methods on real smart meter hardware to securely verify firmware updates.
Key Findings:
- Signing operations completed in under 0.1 milliseconds and were imperceptible to users.
- Compact signatures could fit within bandwidth-limited networks.
- We standardised three validated smart meter workflows.
Mobile networks present a different order of exposure. Current 5G systems use conventional encryption to protect traffic flowing between towers and the core network. When quantum computers capable of breaking these schemes arrive, the scale of potential compromise becomes staggering; entire national communication architectures are exposed simultaneously.
To address this, PQ-REACT constructed a lab-scale 5G testbed and replaced conventional encryption at two critical points:
- Network tunnels using IPsec between the core and radio access networks.
- Secure web connections using TLS 1.3 based on libOQS libraries.
Performance Results:
- Near-zero performance impact.
- Around 0.1% additional CPU usage.
- No noticeable slowdown in speed or latency.
- Zero service interruption during migration experiments.
The project also worked on a quantum-safe blockchain system for network provisioning in 5G networks.
Blockchain systems depend heavily on cryptography, which quantum computers could eventually undermine. While much attention is given to Bitcoin, blockchain technology is widely used for auditing, trust management, and operational ledgers across various sectors.
PQ-REACT replaced signing algorithms inside a blockchain platform with quantum-safe alternatives to manage 5G network slices.
The Results Demonstrated:
- Quantum-safe signing could be up to 33% faster than current methods
- Transaction throughput remained unchanged
- Full migration could be completed in under one second with zero downtime
Although one second might seem significant, ledger technologies inherently need synchronisation across multiple nodes.
What PQ-REACT validated overall was a real migration path showing how PQC can be deployed on constrained IoT devices, telecom networks, and distributed ledgers—not just in theory.
PQ-REACT also created a crypto-agility framework that supports hybrid classical/PQC deployments and allows algorithm swapping when vulnerabilities are identified. This is particularly vital for long-lasting critical infrastructure systems. Additionally, the project developed benchmarking and validation tools, including:
- A context agent manager
- A quantum simulation environment
These tools allow critical infrastructure operators to test post-quantum algorithms on their own hardware and under their own performance constraints.
The entire body of work was aligned with the EU PQC roadmap, NIST standards, and recently standardised post-quantum cryptographic specifications, ensuring operators can meet compliance requirements ahead of regulatory deadlines.
Why this matters for Law Enforcement Agencies
Quantum computers are theoretically capable of breaking RSA, ECDSA, and other public-key algorithms. Law enforcement agencies depend on secure communications, evidence integrity, and cross-border operations, all of which are at risk.
“Adversaries are already collecting encrypted surveillance data and evidence archives today, with the intention of decrypting them once quantum capabilities mature.”
Digital evidence is also vulnerable. Chain-of-custody logs, forensic images, submissions, and digital signatures could potentially be forged by quantum attacks, undermining prosecutions or enabling impersonation of law enforcement personnel.
Post-quantum cryptography and secure cross-border data exchange can help agencies transition their:
- IT systems
- Databases
- Communication platforms
- Evidence management systems
This transition can occur without operational disruption while maintaining security across IoT systems, smart grids, secure communications, and quantum-resistant ledgers.
A Practical Roadmap for Law Enforcement PQC Adoption
The following phased approach translates the PQ-REACT findings into an actionable sequence for law enforcement organisations beginning or accelerating their quantum-safe transition.
Inventory all cryptographic assets:
- VPNs
- PKI systems
- Evidence systems
- Encrypted datasets
- Identify quantum-vulnerable services.
- Begin adopting currently available PQC signatures for chain-of-custody logs and evidence protection.
- Deploy hybrid encryption schemes on operational communication channels.
- Use benchmarking tools to validate PQC performance before full deployment.
- Complete migration to quantum-safe encryption across all systems while aligning with NIS2 and eIDAS quantum-safe signature requirements.
For law enforcement agencies, the stakes are especially high: the integrity of evidence, the confidentiality of surveillance operations, and the trustworthiness of cross-border communications all rely on cryptographic systems that quantum computers will eventually break.
PQ-REACT shows that the shift to post-quantum cryptography is both necessary and feasible. Across constrained IoT devices, 5G networks, and distributed ledgers, the project has demonstrated that quantum-safe algorithms can be implemented with minimal impact on performance and no operational disruption. Law enforcement agencies that are prepared will be best placed to stay ahead of the threat, preserve evidentiary integrity, and meet upcoming regulatory requirements.
If you are interested in the topic, you can watch the full recording from our joint webinar with the SMAUG EU project here!