Cryptographic agility

Cryptographic agility is the design property that lets a system replace cryptographic algorithms, parameters, and protocols without redesigning the system itself. Agile designs carry algorithm identifiers, negotiate versions, and keep key sizes and data formats configurable instead of hard-coding them; RFC 7696 collects the IETF guidelines for protocol designers.

Why the post-quantum migration made it essential

Earlier algorithm transitions, such as DES to AES and SHA-1 to SHA-2, took a decade or longer largely because algorithms were hard-wired into protocols, hardware, and certificate chains. The move to post-quantum cryptography repeats that swap across nearly every deployed system at once, and interim hybrid cryptography means algorithms will change at least twice. Standards from NIST Post-Quantum Cryptography Standardization are also expected to gain revisions and additions over time, so the ability to switch cheaply is now treated as a requirement rather than a nicety, especially in PKI migration to post-quantum.

Inventory and CBOM

Agility starts with knowing where cryptography lives. A cryptography bill of materials (CBOM), specified as part of CycloneDX, records the algorithms, keys, certificates, and libraries a system depends on, giving migration teams a machine-readable inventory to plan replacements against.

Sources

  1. RFC 7696: Guidelines for Cryptographic Algorithm Agility (IETF, 2015)
  2. CycloneDX Cryptography Bill of Materials (CBOM) (CycloneDX, 2024)
Cite this entry
"Cryptographic agility." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/cryptographic-agility@misc{pqwiki-cryptographic-agility, title = {Cryptographic agility}, howpublished = {\url{https://postquantum.wiki/cryptographic-agility}}, year = {2026}, note = {postquantum.wiki, updated 2026-07-11} }