Why Classical Public-Key Cryptography is Structurally Phasing Out
Katrin Peter · 4 minute read


The BSI draws a clear line: From the end of 2031, the sole use of classical key agreement methods like RSA and ECC will no longer be recommended. For applications with very high protection needs, the deadline is already by the end of 2030. Digital signatures should be implemented in a hybrid manner by 2036 at the latest. TR-02102 thus effectively becomes the migration roadmap for Post-Quantum Cryptography (PQC).
public-key-cryptography post-quantum-cryptography rsa ecc quantum-computing digital-signatures security-risk


This decision is not a precautionary exercise. It is a technical necessity.

Why RSA and ECC are Structurally Vulnerable

RSA is based on the difficulty of prime factorization of large integers. ECC relies on the discrete logarithm problem in elliptic curves. Both problems are only solvable with significant effort on classical computers using sub-exponential or exponential algorithms. With sufficiently scalable quantum computers, this assumption fundamentally changes.

Shor’s Algorithm solves both the factorization problem and the discrete logarithm problem in polynomial time. This means: As soon as a cryptographically relevant quantum computer is available, RSA-2048, RSA-3072, and common ECC curves like secp256r1 or Curve25519 are essentially compromised.

The risk is not hypothetical but systemic:

  1. Harvest-now-decrypt-later: Attackers can record and archive encrypted traffic today. Once suitable quantum resources are available, this can be decrypted retroactively. Long-term confidentiality – such as in healthcare or government data – is already affected today.
  2. Forward Secrecy breaks under quantum assumptions: Even if TLS offers ECDHE Perfect Forward Secrecy, this security is only as strong as the underlying discrete logarithm problem. With Shor, ephemeral key exchanges can also be reconstructed.
  3. Signature infrastructures become vulnerable: RSA- and ECDSA-based root CAs, code-signing certificates, or firmware signatures are long-term compromisable. A quantum-capable attacker can reconstruct private keys and forge arbitrary certificate chains or updates.
  4. Scaling limits of longer classical keys: Increasing the RSA key length to 4096 bits or more raises security against classical attacks but offers no protection against quantum attacks. At the same time, computational effort, latency, and energy consumption increase significantly.
  5. Implementation risks with ECC: Many ECC implementations are susceptible to side-channel attacks, faulty curve parameters, or timing leaks. The low fault tolerance in curve validation can lead to complete key loss. These risks remain even without a quantum attacker.

Why the BSI Demands Hybrid Methods

TR-02102 explicitly recommends hybrid key agreement methods: a combination of a classical method (e.g., ECDHE) and a PQC mechanism (e.g., ML-KEM, formerly Kyber). Both shared secrets are combined, for example via a key derivation function (KDF), into one session key. Security holds as long as at least one of the two components remains secure.

This addresses two uncertainties:

– Quantum computers are not yet practically deployable.
– PQC algorithms are new and less time-tested.

Hybrid methods reduce migration risk. A pure replacement of RSA/ECC with PQC is not currently required by the BSI.
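The combining step described above, as an added example that is not part of the article or of TR-02102: the ECDHE shared secret and the ML-KEM shared secret are concatenated and fed through HKDF (RFC 5869, SHA-256, standard library only), with the handshake transcript bound in as context. The two shared secrets, the salt label and the transcript string are constructed placeholders; in a real stack they come from the X25519 exchange and the ML-KEM decapsulation. The last function models the quantum scenario from the article: the attacker knows the ECDHE secret completely and still cannot derive the session key.

```python
"""Hybrid key agreement combiner: ECDHE secret + ML-KEM secret -> one session key.

Added example (not from the article or the BSI). Shows the "combine both
secrets via a KDF" step with HKDF (RFC 5869, SHA-256). The two shared
secrets are CONSTRUCTED placeholders for a real X25519 exchange and a real
ML-KEM decapsulation.
"""
import hashlib
import hmac
import os

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated to `length`."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_session_key(ecdhe_ss: bytes, kem_ss: bytes, transcript: bytes,
                       length: int = 32) -> bytes:
    """Concatenate both shared secrets (classical || PQC), bind the handshake
    transcript (public keys / KEM ciphertext) as context, derive one key.
    The output stays pseudorandom as long as EITHER input is unknown."""
    ikm = ecdhe_ss + kem_ss
    prk = hkdf_extract(salt=b"hybrid-kex-example-salt", ikm=ikm)  # constructed label
    return hkdf_expand(prk, b"hybrid key agreement|" + transcript, length)


# Constructed stand-ins; real values come from X25519 and ML-KEM-768 decapsulation.
ECDHE_SS = bytes.fromhex("11" * 32)
KEM_SS = bytes.fromhex("22" * 32)
TRANSCRIPT = b"client_pk||server_pk||kem_ciphertext (constructed)"


def attacker_with_broken_ecdhe() -> bool:
    """Model Shor's attack: the ECDHE secret is fully recovered, the ML-KEM
    secret is not. Return True if the attacker still fails to derive the key."""
    real_key = hybrid_session_key(ECDHE_SS, KEM_SS, TRANSCRIPT)
    guessed_kem = os.urandom(32)  # attacker has to guess the PQC secret
    attacker_key = hybrid_session_key(ECDHE_SS, guessed_kem, TRANSCRIPT)
    return not hmac.compare_digest(real_key, attacker_key)


if __name__ == "__main__":
    print("session key:", hybrid_session_key(ECDHE_SS, KEM_SS, TRANSCRIPT).hex())
    print("attacker with broken ECDHE still blocked:", attacker_with_broken_ecdhe())
```

Binding the transcript into the `info` input is what prevents an attacker from splicing a ciphertext or public key from one handshake into another; leaving it out would still give a key, but not a key tied to this particular exchange.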

Concrete Impacts on Protocols and Infrastructures

TLS 1.2 does not support standardized hybrid key exchange mechanisms. The deprecation is therefore logical. TLS 1.3 with hybrid KEM extensions becomes the technical minimum requirement.

Affected are:

– Web servers and reverse proxies
– VPN gateways (IPsec/IKEv2)
– SSH infrastructures
– PKI backends and HSMs
– IoT devices with long-term update obligations

Especially embedded systems with limited memory face real challenges: PQC methods like ML-KEM or ML-DSA require larger keys and signatures than ECC. This affects protocol overhead, handshake size, and memory layout.

Technical Recommendations

  1. Create a Crypto Inventory: Identify where RSA and ECC are specifically used: TLS termination, internal mTLS connections, code-signing, firmware, VPN, smartcards. Without complete transparency, no migration is manageable.
  2. Ensure Crypto-Agility: Architectures must make algorithms interchangeable. Hard-coded curves or signature algorithms must be eliminated. Abstraction layers for KEM and signatures are mandatory.
  3. Consistently Deploy TLS 1.3: Plan the TLS 1.2 deprecation. Evaluate hybrid KEM implementations on a test basis. Conduct performance measurements under load.
  4. Adapt the PKI Strategy: Root and intermediate CAs must become quantum-resistant in the long term. Prepare transition scenarios for hybrid certificates. Shorten certificate lifetimes to increase responsiveness.
  5. Prioritize Long-term Confidentiality: Data with protection needs >10 years should be protected early with quantum-secure methods or additionally secured with PQC.
  6. Check Hardware Capabilities: HSMs, smartcards, and TPMs must support PQC algorithms or be upgradeable. Otherwise, a structural bottleneck arises.
  7. Build Test Environments: Check interoperability between different PQC stacks. Errors in KEM integration can lead to subtle security vulnerabilities.
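A crypto inventory is only useful once each entry is checked against the deadlines. The following is an added example, not from the article or from the BSI: a small inventory record plus a classifier that applies the dates quoted above (classical-only key agreement not recommended after the end of 2031, after the end of 2030 for very high protection needs; signatures hybrid by 2036; confidentiality needs >10 years flagged for early PQC because of harvest-now-decrypt-later). The algorithm sets, the asset names and the sample inventory are constructed; the algorithm labels are illustrative strings, not identifiers from any particular library.

```python
"""Crypto inventory with TR-02102 deadline checks (added example, constructed data).

Encodes only the dates the article quotes:
  - classical-only key agreement: not recommended after end of 2031
    (end of 2030 for very high protection needs),
  - signatures: hybrid by 2036 at the latest,
  - data with confidentiality needs >10 years: protect with PQC early.
"""
from __future__ import annotations
from dataclasses import dataclass

# Illustrative algorithm labels (constructed), used only to tell the two classes apart.
CLASSICAL = {"RSA-2048", "RSA-3072", "RSA-4096", "ECDHE-P256",
             "ECDHE-X25519", "ECDSA-P256", "Ed25519"}
PQC = {"ML-KEM-768", "ML-KEM-1024", "ML-DSA-65", "ML-DSA-87"}

KEY_AGREEMENT_DEADLINE = 2031       # end of 2031 (article)
KEY_AGREEMENT_DEADLINE_HIGH = 2030  # end of 2030 for very high protection needs
SIGNATURE_HYBRID_DEADLINE = 2036    # hybrid signatures by 2036 at the latest
LONG_TERM_YEARS = 10                # ">10 years" protection need


@dataclass
class Asset:
    name: str
    purpose: str                      # "key-agreement" or "signature"
    algorithms: set[str]              # one classical + one PQC entry = hybrid
    very_high_protection: bool = False
    confidentiality_years: int = 0    # how long the protected data must stay secret


def classify(asset: Asset, year: int) -> list[str]:
    """Return the findings for one asset as of the given year ([] = nothing to do)."""
    findings: list[str] = []
    uses_classical = bool(asset.algorithms & CLASSICAL)
    uses_pqc = bool(asset.algorithms & PQC)
    unknown = asset.algorithms - CLASSICAL - PQC
    if unknown:
        findings.append(f"unknown algorithm(s) {sorted(unknown)}: cannot assess")
    classical_only = uses_classical and not uses_pqc
    if asset.purpose == "key-agreement" and classical_only:
        deadline = (KEY_AGREEMENT_DEADLINE_HIGH if asset.very_high_protection
                    else KEY_AGREEMENT_DEADLINE)
        status = ("NON-COMPLIANT" if year > deadline
                  else f"migrate by end of {deadline}")
        findings.append(f"classical-only key agreement: {status}")
        # Traffic recorded today can be decrypted later, so long-lived data cannot wait.
        if asset.confidentiality_years > LONG_TERM_YEARS:
            findings.append(
                f"long-term confidentiality ({asset.confidentiality_years} y > "
                f"{LONG_TERM_YEARS} y): harvest-now-decrypt-later exposure, add PQC now")
    elif asset.purpose == "signature" and classical_only:
        status = ("NON-COMPLIANT" if year > SIGNATURE_HYBRID_DEADLINE
                  else f"hybrid by {SIGNATURE_HYBRID_DEADLINE} at the latest")
        findings.append(f"classical-only signatures: {status}")
    return findings


def report(inventory: list[Asset], year: int) -> dict[str, list[str]]:
    """Map asset name -> findings; assets with no findings map to []."""
    return {a.name: classify(a, year) for a in inventory}


# Constructed sample inventory.
INVENTORY = [
    Asset("public-web-tls", "key-agreement", {"ECDHE-X25519"}),
    Asset("patient-records-vpn", "key-agreement", {"ECDHE-P256"},
          very_high_protection=True, confidentiality_years=30),
    Asset("internal-mtls-hybrid", "key-agreement", {"ECDHE-X25519", "ML-KEM-768"}),
    Asset("firmware-signing", "signature", {"ECDSA-P256"}),
    Asset("legacy-appliance", "key-agreement", {"DH-1024"}),
]

if __name__ == "__main__":
    for name, findings in report(INVENTORY, 2025).items():
        print(name, "->", findings or "ok")
```

Running it with a later year (e.g. 2032) turns the "migrate by" entries into "NON-COMPLIANT", which is the check a practitioner would want in a pipeline gate rather than a one-off spreadsheet.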

Strategic Context

The BSI’s decision is part of a European course. The EU Commission is working on a union-wide migration timeline. The technical guideline is formally only a recommendation, but it acquires de facto normative effect through references to it – for example, in healthcare.

The time window until 2030/2031 is not a comfort buffer. It is the last phase in which migration is plannable before regulatory pressure and market dynamics force it.

RSA and ECC will not disappear abruptly. But their sole use will be marginalized by regulation. Those who do not start the transition now will migrate later under time pressure – with higher risk, higher costs, and a larger attack surface.

The quantum threat is not a science fiction scenario. It is a planning parameter.
