BSI Migration Guide: Post-Quantum Cryptography
- Issuer: Federal Office for Information Security (BSI)
- Effective date: Jan 1, 2023
- Published date: Jan 1, 2023
Summary
The German Federal Office for Information Security (BSI) provides a comprehensive migration guide for transitioning to post-quantum cryptography. BSI endorses a hybrid approach combining classical and PQC algorithms during the transition period and recommends NIST-standardised algorithms. The BSI technical guidelines (BSI TR-02102) are updated to incorporate ML-KEM and ML-DSA as recommended algorithms for German federal systems and industry.
PKI impact
BSI TR-02102 explicitly specifies hybrid PQC scheme parameters for TLS/SSL and digital signatures, creating a de facto technical standard for German federal procurement. Organizations contracting with German federal agencies face indirect compliance pressure to match TR-02102 requirements, including hybrid Root CA issuance profiles for the CA hierarchy.
Migration hints
- Follow BSI TR-02102 hybrid scheme requirements: combine ML-KEM with ECDH in TLS/SSL and ML-DSA alongside ECDSA in certificate signing — pure PQC replacement is not the BSI-recommended approach during transition.
- BSI recommends minimum ML-KEM-768 for most applications; size TLS/SSL and key establishment configurations to this security level.
- Update your Certificate Policy and CPS documents to explicitly reference TR-02102 hybrid requirements if issuing certificates for German federal systems or clients.
- Verify CA and HSM vendor roadmaps support hybrid certificate profiles as specified in BSI TR-02102 and ETSI ISG QSC specifications.
- For Root CA re-keying, plan hybrid issuance profiles that support both classical and PQC algorithm paths during the transition period to maintain backward compatibility with non-PQC relying parties.
Milestones (2)
| Deadline | Label | Type | Hard | Notes |
|---|---|---|---|---|
| Jan 1, 2026 | Federal IT systems: complete PQC readiness assessment | Inventory | | BSI recommends German federal IT systems complete quantum vulnerability assessments and cryptographic inventories by 2026. |
| Jan 1, 2027 | New federal procurements must support hybrid PQC | Crypto Agility | | BSI guidance recommends requiring hybrid PQC capability in new federal IT procurements from 2027. |
Algorithm references (3)
- ML-KEM (FIPS 203): Recommended
  Replaces: RSA, ECDH
  BSI TR-02102 recommends ML-KEM for post-quantum key encapsulation, preferably in hybrid mode with a classical KEM during transition.
- ML-DSA (FIPS 204): Recommended
  Replaces: RSA, ECDSA
  BSI recommends ML-DSA for post-quantum digital signatures in German government and critical infrastructure systems.
- SLH-DSA (FIPS 205): Recommended
  Replaces: RSA, ECDSA
  BSI recommends SLH-DSA as a conservative alternative signature algorithm with well-understood security properties.
Changelog (3)
| Date | Type | Description |
|---|---|---|
| Apr 1, 2025 | Amendment | BSI TR-02102 updated to include FN-DSA (FIPS 206) in the recommended algorithm set and to reference final NIST IR 8547 deprecation timelines as a reference framework for German federal systems. |
| Aug 1, 2024 | Clarification | BSI updated recommendations to reflect finalisation of NIST FIPS 203, 204, and 205, confirming ML-KEM and ML-DSA as primary recommended algorithms. |
| Jan 1, 2023 | New | BSI published updated PQC migration guidance and incorporated post-quantum algorithm recommendations into BSI TR-02102 technical guidelines. |
Issuer
Federal Office for Information Security (BSI)
Type: GOVERNMENT
Region: Germany