Regulating the Future of Global Encryption: States and the Politics of Post-Quantum Cryptography.

Suggested for “P1 Regulating new technologies” This paper investigates the politics of the regulation and standardisation of post-quantum cryptography. Quantum computing is one of the technological domains having spiralled at the top of the agenda of both state and corporate actors over recent years. What characterises quantum computing is that it deviates from the deterministic nature of bits (that are by default binary, 0 or 1), to instead leverage the laws of quantum physics, allowing a bit to become more than either 0s and 1s, but also a combination of both. This is expected to exponentially increase the computing power made available by quantum computers. While expected to bring fundamental breakthroughs in various scientific fields, the advent of large-scale quantum computers has been a major source of concerns. Indeed, quantum computers could break the most common public key cryptographic systems currently in use (Bindel et al., 2024). For more than a decade, these concerns have triggered the emergence of a new field of research known as “post-quantum cryptography”, or PQC. Supported by state actors, such as the U.S NIST, mathematicians have been working on new cryptographic algorithms that would resist against attacks from quantum computers. PQC can be understood as a response to the “harvest now and decrypt later” threat, meaning that powerful state actors could now start intercepting data to decrypt it later. This threat is particularly true for very sensitive data, such as financial assets, industrial intellectual property or diplomatic secrets, which have to be protected over a long time period. The field of PQC is thus driven by states, both defensively and offensively, underlying once again the complex ways in which “law enforcement agencies are core actors in encryption debates” (Monsees, 2019). The other specificity of this area is that cryptography has long been a technological domain heavily controlled by states, as highlighted the long-standing control imposed on the export of cryptography at the global level. Our research provides a way to look at the capabilities of governments to direct, or nudge (Brown & Marsden, 2023), the standardisation of post-quantum encryption at the global scale. This research focuses in particular on the Internet Engineering Task Force (IETF), a global venue where corporate and state actors negotiate and compete over the formulation of Internet standards (Harcourt et al., 2020). Studying the dynamics of the IETF reveals the conditions and mechanisms though which different state actors (such as the U.S and Germany) can assert themselves and influence the IETF (Perarnaud & Rossi, 2024) – directly through their experts, but also indirectly by means of their national policies and regulations. In this paper, we thus aim at understanding how state actors have influenced the emerging field of post-quantum cryptography, and what it reveals of state powers’ repertoire of action in global technology standardisation processes. Our methodology builds on research fieldwork carried out in the IETF between 2022 and 2025, which comprised participant observation and twenty semi-structured interviews with PQC experts from large companies, public actors, academia and civil society.