Harvest Now, Decrypt Never: How Thales is Quantum-Proofing the Automotive Ecosystem

Post-Quantum Cryptography (PQC) refers to cryptographic algorithms that are thought to be secured against a cryptanalytic attack by a quantum computer. The question of “if” and “when” there will be quantum computers is no longer in the foreground. Post-quantum cryptography will become standard in the long term (between 15 to 30 years depending on the experts). 

Talking about connected vehicles, they are no longer just futuristic concepts - they’re on our roads right now and will remain in service for 10–20 years. This long lifecycle means the cryptographic tools protecting them must withstand future threats, especially those from quantum computers. Data transmitted or stored in vehicles today can potentially be captured and decrypted by adversaries in the future when quantum capabilities become mainstream, jeopardizing driver privacy, vehicle operation control, and broader critical infrastructure. This is called the “Harvest Now Decrypt Later”.

PQC is therefore vital for ensuring lasting trust, safety, and privacy in automotive ecosystems.

PQC-Ready Security Solutions 

• Luna HSMs & High Speed Encryptors support quantum-safe algorithms and hybrid approach offer
• Post-Quantum-ready OS for electronic documents with hybrid approach offer
• Embedded Secure Element (eSE) supports quantum-safe algorithms for mobile services
• Cryptosmart Mobile securing data and mobile devices with hybrid and crypto-agile approach

Vehicles are more complex handling increasingly connected services (electrification, software updates, maintenance, vehicle management or edge computing). Quantum computing puts classical asymmetric cryptographic algorithms at risk, especially Digital Signature (RSA, ECDSA, EdDSA), and Key Establishment / Key Exchanges (Diffie-Hellman).

In the current automotive security landscape, quantum threats undermine the cornerstone of cryptography. Existing authentication protocols - such as those used by the Vehicle PKI, the firmware update and the vehicle to cloud- primarily depend on cryptographic algorithms like ECC or RSA, which are susceptible to quantum attacks. 

Since automotive devices and IoT units are difficult to replace or update once deployed, any data exchanged today - vehicle identities, driver data, V2X communications - could be harvested and stored by attackers to be decrypted in the quantum future. This risk is real and immediate, underlining the need for quantum-safe measures.

Automotive player could see the attackers compromise entire vehicle fleets,​ insert malicious firmware or bypass all existing authentication.

Being a global company involved in numerous critical technologies (Aerospace, Defense, Mobile communications, Cybersecurity), Thales is at the forefront of PQC innovation and standardization, partnering with industry leaders (Infineon, PQShield, Quantinuum, CryptoNext) and actively contributing to key organizations like NIST, PQC Alliance, OASIS PKCS 11, ETSI, or GSMA. 

Thales offers PQC-ready solutions such as Luna HSMs (Hardware Security Modules) and Certified Network Encryptors, supporting advanced algorithms like Kyber, Dilithium, LMS, and HSS. 

By championing crypto-agility and designing lifecycle-compatible systems, Thales ensures that automotive systems can adapt, rotate keys, and securely update protocols as PQC standards evolve.

Thales is enhancing security for remote connectivity in response to the growing PQC threat in two main areas: 

• For cellular connectivity, we support GSMA’s work on adapting Remote SIM Provisioning (SGP.32) and contribute to 3GPP efforts to strengthen 5G privacy protections (such as SUCI).
• For connected services, we promote a transition to TLS 1.3 with hybrid post-quantum key exchange to counter “Harvest Now, Decrypt Later” threats, with IoT Safe already available to secure sensitive data. 

In the future, we plan to adopt TLS using full post-quantum signatures and certificates as standards evolve.

We also deliver high-assurance solutions at every stage, from secure eSIM and embedded Secure Element (eSE), to PQC-enabled authentication protocols that future-proof vehicle trust. 

Moreover, Thales supports OTA (Over-the-Air) lifecycle processes, like remote software updates and key rotations - ensuring seamless integration with OEM FOTA Platforms. 

The result is a robust, quantum-resistant infrastructure capable of supporting vehicles throughout their entire life - spanning multiple upgrades, owners and years on the road.

Thales provides trusted, future-proof security solutions for automotive manufacturers and ecosystem partners, with proven global recognition by regulators, Mobile Network Operators (MNOs), and car OEMs. Drawing from decades of leadership in mobile cryptographic trust and SIM/eSIM lifecycle management, Thales is a pioneer in quantum-safe architectures for both telecom and automotive sectors.

Active Industry and Standards Engagement
Thales contributes significantly to global standardization and post-quantum cryptography (PQC) readiness. For example:

• Actively participation in the GSMA PQTN (Post-Quantum Telco Network) task force and engages in the GSMA PQC task force.
• Collaboration with Infineon and CryptoNext Security on quantum-safe e-passport standards and the PQC4eMRTD project.
• Protection of subscriber identity on SK Telecom’s regular 5G Stand Alone network, deploying Thales 5G PQC SIM technology to protect SUCI (Subscriber Concealed Identifier) and user location against “harvest now, decrypt later” quantum attacks.
• Integration of Ercom Cryptosmart with Thales 5G PQC SIM for secure phone communications, enabling government-grade security for mass-market devices and communications, covering local protection, communication protection and internet protection.
• Partnership as part of IBM’s Quantum-Safe 360 initiative.

Leadership in Global Standardization Organizations
Thales takes a leading role in PQC specification and technical adaptation, including:

• NIST: Co-designer of the Falcon algorithm selected by NIST, anticipated as the future FIPS 206 standard.
• PQC Alliance: Member delivering high-assurance software implementations and tools for standardized algorithms, aiding transition and adoption of post-quantum cryptography.
• OASIS OPEN PQC: Active contributor to enhancements of PKCS#11 for PQC support.
• ETSI CYBER/QCS: Contribution to the Quantum-Safe Cryptography working group.
• ETSI SET and GlobalPlatform: Leadership in adapting Secure Element technology specifications for post-quantum readiness.
• SOGIS Working Groups: Engagement with the JHAS Hardware-related Attacks Subgroup to adapt hardware attack assessment for smartcards, and contribution to Common Criteria and ENISA EUCC certification frameworks.

By partnering with Thales, automotive manufacturers and ecosystem partners gain tangible benefits such as:

• Guaranteed global cyber regulatory compliance (e.g., UNECE WP.29, ISO/SAE 21434, cybersecurity for e-mobility and EV charging infrastructure).
• Robust protection of digital key and protocol security.
• Enablement of quantum-safe communication and identity management for cars and vehicle platforms.
• Confidence in building connected vehicles, resilient against cryptographic attacks, including those emerging from quantum computing advances.

With Thales, automotive stakeholders are equipped to meet today’s and tomorrow’s cyber challenges, meeting the highest standards in security, trust and regulatory compliance - empowering the next generation of secure and connected vehicles.