Post-Quantum Cryptography Migration at Meta: Framework, Lessons, and Takeaways
By Rafael Misoczki, Isaac Elbaz, Forrest Mertens
We’re sharing lessons learned from Meta’s post-quantum cryptography (PQC) migration to help other organizations strengthen their resilience as the industry transitions to post-quantum cryptography standards. We’re proposing the idea of PQC Migration Levels to help teams within organizations manage the complexity of PQC migration for their various use cases. By outlining Meta’s approach to this work — from risk assessment and inventory through deployment and guardrails — we hope to contribute practical guidance that helps accelerate the broader community’s efforts to move toward a post-quantum future.
Our goal is to help others navigate this transition effectively, efficiently, and economically so they can prepare for a future where today’s public-key encryption methods may no longer be sufficient. Research indicates that quantum computers will eventually break conventional public-key cryptography, creating security risk for many digital systems across industry. Although experts estimate this could happen within 10–15 years, sophisticated adversaries could collect encrypted data today, anticipating a future where quantum computers can decrypt it — a strategy known as “store now, decrypt later” (SNDL). This means sensitive information could eventually be at risk even if quantum computers are still years away.
Recognizing this threat, organizations like the US National Institute of Standards and Technology (NIST) and the UK’s National Cyber Security Centre (NCSC) have published migration guidance that discusses target timeframes (including 2030) for prioritizing post-quantum protections in critical systems. This guidance recognizes that complexity and missing or incomplete technical capabilities are important factors impacting PQC migration plans. For example, the first industry-wide PQC standards, such as ML-KEM (Kyber) and ML-DSA (Dilithium), have now been published by NIST, with additional algorithms like HQC on the way. Notably, Meta cryptographers are co-authors of HQC, one of the newly selected PQC algorithms, reflecting our commitment to advancing global cryptographic security. These standards provide organizations with robust options for defending against SNDL attacks, and Meta seeks to share relevant progress and insights to help the broader community navigate the transition to a PQC-secure future.
At Meta, we have taken a proactive approach to ensure that we are prepared to meet the threat challenges posed by quantum computers and SNDL. With billions of people around the globe relying on our platforms and applications every day, we continue to maintain strong security and data protection standards. As part of this, we have already begun rolling out post-quantum encryption across our internal infrastructure, a multi-year process, to ensure that we uphold our security and privacy commitments now and into the future.
Meta’s PQC Migration Goals
We’ve adopted a robust and comprehensive PQC migration strategy that aspires to the following principles to ensure a seamless transition:
- Effectiveness: Withstanding quantum adversaries and protecting against potential threats.
- Timeliness: Deploying protection mechanisms in a timely manner, aligned with evolving standards.
- Performance: Minimizing overhead and ensuring that the new cryptographic solutions do not compromise system performance or user experience.
- Cost Efficiency: Avoiding unnecessary expenditure by adopting a strategic approach that balances investment with risk mitigation.
PQC Maturity Levels – How Every Organization Can Assess Post-Quantum Readiness
PQC migration is a gradual, complex, multi-year process. It can be helpful to think about PQC migration in terms of what we call PQC Migration Levels. The levels are laddered in terms of how rapidly they allow an organization to respond to a quantum threat. The shorter the time to react to a relevant quantum event, the better. A relevant quantum event can be related to advancements in quantum computing development, standards publications, or the establishment of new industry practices.
PQ-Enabled, the level at which full quantum protection is effectively achieved, is the platinum standard that organizations should aim for in each of their applications and use cases. However, any organization looking to increase its resilience to quantum threats can take steps on its way to PQ-Enabled. Even starting the migration process by setting the level of minimally acceptable success at PQ-Ready may have benefits. At this level, companies that may not have budgeted for near-term enablement can be motivated (and rewarded) to build the building blocks needed to complete risk mitigation in the future.
- PQ-Enabled: The ultimate goal for every use case. Organizations succeed by implementing and deploying a post-quantum secure solution. At Meta, for example, we have begun deploying PQ protections across significant portions of our internal traffic.
- PQ-Hardened: Organizations succeed by implementing all post-quantum protections currently available in the literature, but due to the absence of PQ primitives in the literature, the team (and the industry in general) is not capable of fully mitigating the quantum threat. For instance, efficient post-quantum Oblivious Pseudorandom Functions (OPRFs) are not yet available, and therefore use cases relying on this type of primitive could only achieve the PQ-Hardened level.
- PQ-Ready: Organizations start to succeed by implementing a post-quantum secure solution suitable to the use case. However, due to costs, prioritization, or other factors, its enablement is not currently feasible. This is not a desirable end goal, given that it does not yet protect the use case against quantum attacks, but it does reduce the time to react when compared to lower levels.
- PQ-Aware: The organization has been made aware that quantum computers threaten its use case and has already completed an initial assessment of what it takes.