ANSSI Position Paper on Post-Quantum Cryptography
- Effective date
- Jan 4, 2022
- Published date
- Jan 4, 2022
- Full text
- View full text →
Summary
France's ANSSI published a position paper recommending a hybrid cryptographic approach during the PQC transition period, combining classical algorithms with post-quantum algorithms to ensure security even if newly-standardised PQC algorithms later prove vulnerable. ANSSI supports migration to NIST PQC standards but advocates retaining classical protection until PQC algorithms have accumulated sufficient real-world operational validation.
PKI impact
ANSSI's position paper is advisory with no binding deadlines; its primary contribution is advocating for the hybrid approach rather than mandating specific migration timelines. PKI impact is lower than binding directives, but relevant for organizations under French national security regulatory oversight.
Migration hints
- Adopt ANSSI-recommended hybrid schemes for TLS/SSL (ML-KEM + ECDH) and signatures (ML-DSA + ECDSA) rather than pure PQC replacements, particularly for sensitive systems.
- Do not remove classical ECDH or ECDSA from certificates prematurely; ANSSI explicitly recommends retaining classical protection until PQC algorithms accumulate sufficient operational history.
- Monitor ANSSI and ENISA joint guidance for binding NIS2 implementation requirements that will supersede this advisory position with enforceable timelines.
- For systems subject to French national security classifications (PDIS, PRIS), consult ANSSI directly on whether sector-specific PQC certificate requirements apply.
Milestones (1)
| Deadline | Label | Type | Hard | Notes |
|---|---|---|---|---|
| Jan 1, 2026 | Organisations begin hybrid PQC adoption in sensitive systems | Begin Migration | ANSSI recommends sensitive systems begin deploying hybrid PQC schemes. This is a recommendation; statutory deadlines are set at EU level via NIS2. |
Algorithm references (2)
- ML-KEMFIPS 203Recommended
Replaces: RSA, ECDH
ANSSI recommends ML-KEM in hybrid mode with a classical KEM (e.g., ECDH) until PQC algorithms have established sufficient operational track record.
- ML-DSAFIPS 204Recommended
Replaces: RSA, ECDSA
ANSSI supports ML-DSA for post-quantum signatures, recommending hybrid schemes where possible during the transition period.
Changelog (2)
| Date | Type | Description |
|---|---|---|
| Sep 1, 2025 | Clarification | ANSSI updated PQC guidance to reflect finalization of NIST FIPS 206 and IR 8547, maintaining its position that hybrid schemes should remain the standard approach until PQC algorithms have accumulated further operational validation. |
| Jan 4, 2022 | New | ANSSI published its position paper on post-quantum cryptography, recommending a hybrid approach and supporting NIST PQC standardisation. |
Issuer
Agence nationale de la sécurité des systèmes d'informationANSSI
Type: GOVERNMENT
Region: France