
























Aarav Varshney, College of Computing and Data Science, Nanyang Technological University, Singapore, PQStation, Singapore
Prasanna Ravi, College of Computing and Data Science, Nanyang Technological University, Singapore, PQStation, Singapore
Sripal Jain, OCBC Bank, Singapore
Robin Foe, OCBC Bank, Singapore
Jorden Seet, OCBC Bank, Singapore
Huaxiong Wang, Digital Trust Centre, Nanyang Technological University, Singapore
Kwok-Yan Lam, Digital Trust Centre, Nanyang Technological University, Singapore
Anupam Chattopadhyay, College of Computing and Data Science, Nanyang Technological University, Singapore
Organisations are upgrading their cryptographic infrastructure to become quantum‑safe before large‑scale quantum computers materialise. Post‑quantum cryptography (PQC) standards now exist for key‑exchange and digital signatures, but the urgent question for adopters is how to operationalise PQC in complex environments with confidence. In banking, Transport Layer Security (TLS), for example, protects data‑in‑transit across public‑facing channels and internal services, and is terminated at many heterogeneous endpoints (web servers, API gateways, load balancers, reverse proxies), each a potential quantum‑vulnerable component and migration target. We argue that the bottleneck is operational rather than algorithmic: hybrid key exchanges such as X25519‑ML‑KEM‑768 are already available in mainstream libraries, but security teams lack precise visibility into TLS configurations and repeatable methods for enabling PQC‑compatible settings across a heterogeneous estate. This paper presents a configuration‑parsing methodology that automatically extracts and normalises TLS cryptographic posture across dominant enterprise web‑server stacks, producing a unified, provenance‑traced cryptographic inventory as a foundation for migration and compliance. We demonstrate the approach on 8,443 real‑world Nginx configurations from public repositories and in a proof‑of‑concept deployment at a financial institution, where ML‑KEM‑512 and X25519‑ML‑KEM‑768 are onboarded at TLS termination points (web server and API gateway) securing an internal application, with zero application‑layer changes and manageable performance overhead.
BibTeX
@misc{cryptoeprint:2026/959,
author = {Harish Balaji and Aarav Varshney and Prasanna Ravi and Sripal Jain and Robin Foe and Jorden Seet and Huaxiong Wang and Kwok-Yan Lam and Anupam Chattopadhyay},
title = {Operationalising Post‑Quantum {TLS}: Automated Configuration Profiling and Hybrid {PQC} Deployment in Financial Infrastructure},
howpublished = {Cryptology {ePrint} Archive, Paper 2026/959},
year = {2026},
url = {https://eprint.iacr.org/2026/959}
}
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。