V2X · POST-QUANTUM · PKI MIGRATION

Your V2X stack runs on cryptography a quantum computer will break.

ECDSA P-256, the backbone of SCMS and C-ITS CCMS, is mathematically defeated by Shor's algorithm. Vehicles you certify today will outlive that defeat. We migrate V2X PKI to NIST-standardised post-quantum cryptography without breaking interoperability, blowing past the 1,400-byte V2X frame budget, or stranding fleets in the field.

Book a PQC readiness audit See the migration path
2024
NIST PQC standards finalised (FIPS 203/204/205)
15 yrs
Typical service life of a vehicle shipped today
~38x
ML-DSA signature size vs ECDSA P-256

THE THREAT TIMELINE

Three timelines, one collision.

A new vehicle's service life, the harvest-now-decrypt-later threat, and the arrival of a cryptographically-relevant quantum computer all overlap in the next decade. That overlap is the engineering problem we exist to solve.

Q-Day threat timeline vs vehicle service lifespan THE Q-DAY EQUATION A vehicle shipped today will still be on the road when ECC breaks. 2024 2026 2028 2030 2032 2034 2036 2038 years NOW VEHICLE SHIPPED 2026 → IN SERVICE ~15 yrs HARVEST-NOW · DECRYPT-LATER ATTACKS storing today's traffic CRYPTOGRAPHICALLY-RELEVANT QUANTUM COMPUTER ~2030 – 2038 window Q-DAY ESTIMATE The window where vehicle-lifespan, today's harvested traffic, and quantum capability all overlap ↓ this is what we close

THE SPECIFIC PROBLEM

Why V2X is the hardest place to deploy PQC.

01 · BANDWIDTH

A V2X message has a 1,400-byte ceiling.

5G-V2X PC5, DSRC, and ITS-G5 all enforce a hard maximum transmission unit. ECDSA fits comfortably. ML-DSA signatures alone are 2,420 bytes. Naïve PQC substitution fragments every Basic Safety Message and collapses effective transmission range. The fix is not a drop-in replacement. It is a re-engineering of the certificate format, the message format, and the validation pipeline.

02 · INTEROPERABILITY

Every vehicle, every RSU, every CA, in lockstep.

SCMS and C-ITS CCMS were not designed to negotiate algorithms. A PQC-only vehicle entering a region of legacy ECDSA infrastructure is invisible. A legacy vehicle entering a PQC region is rejected. The migration must preserve forward and backward compatibility through a hybrid certificate phase. IEEE 1609.2 and ETSI TS 103 097 are evolving, but the integration work is real and proprietary.

03 · ENDPOINT CAPABILITY

HSMs in the field were not built for lattice arithmetic.

The Secure Elements deployed across existing fleets were designed around elliptic curves. Lattice-based signature schemes need substantially more compute and memory. Some endpoints will get over-the-air firmware updates. Some will require hardware refresh. Some will be retired early. A migration plan is also a procurement plan and a portfolio strategy.

04 · TIME

The harvest is already happening.

State-level adversaries are recording V2X traffic today, knowing they can break it later. Vehicle identity, location traces, and over-the-air session keys are all in scope. Waiting for the first cryptographically-relevant quantum computer is not a strategy. By that point, a decade of harvested signal is already retroactively decryptable. The deployment must precede the threat by years, not match it.

THE MIGRATION PATH

From ECDSA, through hybrid, to quantum-durable.

Three stages, each with concrete technical targets. We move you across them without breaking a single vehicle in production.

V2X PKI migration from ECC to post-quantum cryptography STAGE 01 · TODAY ECC-based V2X PKI SCMS (US) and C-ITS CCMS (EU) with ECDSA P-256. Vehicle OBU ECDSA P-256 keypair SCMS / CCMS RCA → ICA → PCA SIGNED BSM / CAM MESSAGE payload : 200–400 B cert : ~120 B (ECC) signature : 64 B (ECDSA) total : ~580 B ✓ PSEUDONYM POOL P01 P02 P03 P04 P05 … 20 / week ! QUANTUM EXPOSURE Shor's algorithm breaks ECC. Every ECDSA signature ever sent is exposed once a CRQC exists. "Harvest now, decrypt later" attackers are already storing today's V2X traffic. PHASE STAGE 02 · 2025 – 2028 Hybrid certificates ECDSA + ML-DSA in the same cert. Backward compatible. Vehicle OBU ECC + ML-DSA-44 + HSM firmware update Hybrid CA Dual-signature root + ETSI TS 119 312 HYBRID-SIGNED MESSAGE payload : 200–400 B cert : ~120 B (ECC) cert ext : ~1,300 B (ML-DSA) sig (ECC) : 64 B sig (ML-DSA): 2,420 B total : ~4.5 KB ⚠ fragmenting MITIGATIONS WE DEPLOY Implicit cert chains, batched verify Selective ML-DSA on safety-critical only Bandwidth: 5G-V2X & DSRC fallback paths FALCON (FIPS 206) for size-constrained CRL → short-lived cert pivot PHASE STAGE 03 · 2029+ Full PQC fleet Pure ML-DSA / FALCON. ECC retired in service. PQ Vehicle FALCON-512 / ML-DSA-44 PQ-HSM (FIPS 140-3) PQ-SCMS FIPS 203/204/206 Quantum-safe root PQ-SIGNED MESSAGE payload : 200–400 B cert : ~900 B (FALCON) signature : 666 B (FALCON-512) opt. KEM : 1,568 B (ML-KEM) total : ~2.2 KB ✓ optimised single-frame on 5G-V2X PC5 OUTCOMES QUANTUM-DURABLE No retrofit needed for 15-yr fleet life 0 HARVEST EXPOSURE Traffic captured today stays opaque REGULATOR-READY EU CRA, BSI TR-02102, NSA CNSA 2.0

WHAT WE DELIVER

Engineering, not a consultancy deck.

01

Cryptographic inventory

A complete map of every place ECC, RSA, or DH is used in your stack. Vehicle firmware, ECUs, V2X stack, OTA pipeline, OEM cloud, supplier interfaces. Delivered as a queryable registry, not a PDF that goes stale.

02

Hybrid certificate scheme

Dual-signed certificates using ECDSA + ML-DSA, compliant with ETSI TR 103 619 migration guidance and emerging IEEE 1609.2 extensions. Backward compatible with deployed fleets. Forward compatible with full PQC.

03

Bandwidth engineering

Implicit certificate chaining, selective signing of safety-critical messages, FALCON deployment for size-constrained channels, batched verification, fragment-aware MAC handling. The bandwidth budget never breaks.

04

HSM & SE strategy

A per-platform plan: which HSMs can ship PQ-enabled firmware, which need silicon replacement, which can be virtualised, which retire. We bring the vendor relationships and the test harness.

05

SCMS / CCMS evolution

Root CA migration with crypto-agility. Pseudonym pool resizing. CRL distribution tuned for larger PQ certificates. Test infrastructure with conformance to NIST PQC validation suites and OmniAir-style interoperability.

06

Regulatory artefacts

Audit-grade documentation aligned to ISO/SAE 21434, UNECE R155 / R156, EU CRA, NSA CNSA 2.0, and BSI TR-02102-1. The evidence pack that turns a type-approval review from a problem into a checkbox.

FREQUENTLY ASKED, HONESTLY ANSWERED

Questions your team will ask.

Should we wait for FIPS 206 (FALCON) to finalise?
No. Start the cryptographic inventory and design work with ML-DSA today and add FALCON when FIPS 206 lands. The inventory and the migration scaffolding work for both. Waiting for the final signature standard costs you a year you cannot afford on a 15-year fleet horizon.
Won't a CRQC arrive later than predicted?
Possibly. The risk is asymmetric. If quantum capability arrives in 2030, vehicles you ship in 2028 are exposed within their warranty period. If it arrives in 2038, you spent a few years deploying cryptography you would have had to deploy anyway. The cost of being early is bounded. The cost of being late is unbounded.
What does the V2X message size penalty really look like in production?
With naïve substitution, BSMs go from ~580 bytes to ~4.5 kilobytes. That fragments at the MAC layer and reduces effective transmission range and channel capacity meaningfully. Our hybrid scheme combined with implicit cert chaining and FALCON for size-constrained traffic keeps single-frame messages at ~2.2 kilobytes, which fits within a single 5G-V2X PC5 frame and within DSRC fragmentation tolerances.
How do you handle vehicles already in the field?
Per-platform assessment. Some HSMs can take an OTA firmware update that enables ML-DSA. Some need replacement at service intervals. Some can be moved to a hybrid attestation model where a cloud-side PQ signer co-signs messages. We design a fleet-specific roadmap rather than assume one approach fits.
What about backup algorithms if ML-DSA or ML-KEM is broken?
Cryptographic agility is built in. The certificate format, key registry, and validation logic support algorithm swap-in. NIST selected HQC as a backup KEM in March 2025 and SLH-DSA / FALCON as alternate signature schemes. Our deployment uses a versioned algorithm identifier so a fleet-wide swap is an OTA campaign, not a re-platforming exercise.

START WITH A READINESS AUDIT

Two days. One honest answer.

Our PQC readiness audit is a fixed-scope, two-day engagement. We inventory your cryptographic surface, map it against your fleet lifecycle, and hand back a prioritised migration plan with cost ranges. No retainer. No upsell. If the gap is small, we tell you that too.

Request the audit