Sender Su, founder of CrossWise Infotech Limited (the author), attended the seminar titled “Quantum Resilient Finance – Hong Kong’s Next Frontier” jointly organized by the Hong Kong Institute of Bankers (HKIB) and the Hong Kong Computer Society (HKCS) on 27 March 2026.
Through this conference, the organizers deeply explored the transformative impact of quantum computing on the financial services industry, focusing on how it reshapes the cybersecurity landscape and emphasizing the importance of adopting Post-Quantum Cryptography (PQC) to ensure the future digital resilience of the banking sector. Speakers and guests came from government departments, statutory technical bodies, higher education institutions, banks, and industry enterprises.
According to the moderator, due to the critical nature of the topic, the total number of registrants exceeded 1,000. The author observed over 700 online participants, and combined with the offline attendance, the event was fully packed.
The session began with a speech by an HKIB representative, who pointed out that the banking sector is particularly concerned about quantum computing because financial security is built upon modern cryptography—specifically, the “traditional” asymmetric encryption systems. Emerging financial areas, including Bitcoin, are also based on asymmetric encryption and message digest technologies. The purported rapid decryption capability of quantum computing poses a severe threat to the security foundation of the financial system.
Subsequently, an HKCS representative used the recently high-profile OpenClaw incident as an entry point, stating that Q-Day (Note: The day when quantum computers develop sufficient computing power and stability to practically crack current mainstream public-key encryption systems. It is viewed as the “Doomsday Clock” for cybersecurity; once it arrives, existing digital trust infrastructures, including banking transactions, digital identities, and blockchains, will face collapse risks) is comparable to the Y2K problem but with more far-reaching and longer-lasting impacts. At the same time, the enactment and implementation of Hong Kong’s “Protection of Critical Infrastructure (Computer Systems) Ordinance” have also prompted the industry to pay further attention to cybersecurity and strengthen related responsibilities. Therefore, focusing on quantum computing is a key measure for advancing the implementation of cybersecurity and Critical Infrastructure regulations.
Following this, several speakers started with the basics of quantum computing, explaining the differences between quantum and classical computers, as well as concepts like Crypto Agility and Quantum Resilience, and sorted out the latest industry developments regarding PQC algorithms, standards, and compliance requirements.
The ingenuity of quantum algorithms lies in their potential to solve specific problems more efficiently than classical algorithms, as the quantum superposition and entanglement properties they utilize cannot be effectively simulated on classical computers. In the field of cybersecurity, quantum computing has already demonstrated strong positive application potential, with secure transmission during key exchange processes being one of the most mature application scenarios currently.
So-called post-quantum algorithms refer to algorithms specifically developed to resist the decryption capabilities of quantum computing. According to the author’s understanding, NIST has released three PQC standards (FIPS 203, FIPS 204, FIPS 205) and is advancing the standardization of subsequent algorithms, including FALCON (FIPS 206) and HQC (FIPS 207). Other countries and regions are also formulating related standards, mostly referencing and to a certain extent following these international frontier developments.
In terms of specific applications, the most prominent area currently is the CA industry. Regarding the validity period of TLS/SSL certificate issuance, the industry is formulating a strategy of gradual shortening. According to the CA/B Forum announcement, the industry consensus goal is to shorten the validity period of newly issued certificates to only 47 days by 2029 to counter the potential cracking capabilities of quantum computers at that time. This strategy appears radical but is actually conservative, aiming to shorten the attacker’s time window (conversely increasing the time cost) to compensate for the vulnerability during the algorithm transition period, without destroying the existing certificate issuance and verification system.
However, based on the author’s observation, if compatibility and security are to be balanced during the transition phase, the “Hybrid Mode”—running both traditional and PQC algorithms simultaneously in the system—is the inevitable transition solution. This situation is similar to the practice when the TLS/SSL certificate signature digest algorithm migrated from SHA-1 to SHA-256, where each signed program file carried certificates for both old and new algorithms.
A more aggressive strategy is to rebuild quantum-resistant information technology infrastructure from scratch. For resource-rich organizations or governments, this strategy can be implemented for specific use cases. For example, the Singapore Blockchain Ecosystem, led by the Singapore government, plans to adopt PQC algorithms.
However, generally speaking, quantum-resistant encryption algorithms are still in the research and development phase and are not yet fully mature.
Conference speakers also pointed out that feasible measures exist in practice to achieve transparent upgrades of traditional encryption systems, such as deploying encryption proxy mechanisms at the connection point between the system and the network: i.e., traditional asymmetric encryption is used between the system and the proxy, while the proxy provides quantum-resistant encryption connections to the external internet. This bridging method is a common means for information systems to cope with the transition between old and new technologies.
As a professional member of the HKCS with professional backgrounds including CISA, SA, and MSE, the author found the content of this conference quite familiar. Precisely because of this, the author was able to think from the perspective of HKIB attendees: as potential adopters of PQC, they inevitably face the difficulty of how to implement it. The core of implementation lies in fulfilling the most general requirement:
Focus on implementing countermeasures early and in a timely manner.
During the Q&A session, attendees raised similar questions, and guests shared their insights. In the author’s view, to concretely implement this, two questions must be clarified in the time dimension:
Early: How much time in advance?
Timely: What is the latest deadline?
The author believes there is currently no standard answer. This largely depends on the progress of quantum computers and PQC algorithms and their interplay. Since adopters are not R&D personnel or product manufacturers, they cannot practice earlier than the progress of these two factors. Therefore, “early” requires observers to broaden information channels and continuously track industry developments: on one hand through various IT news and vendor releases, and on the other hand, more importantly, by paying attention to the latest research papers in the field. arXiv is an important tool, and its information is often more cutting-edge than releases from government agencies like nist.gov.
Of course, NIST’s role as a PQC technology aggregator is not to be underestimated. For instance, the 6th PQC Standardization Conference held by NIST in 2025 has related PPTs available for download, which are beneficial to study. The first presentation, “NIST PQC Standardization Project,” reviewed the first batch of PQC standards and subsequent selection processes. Notably, the presentation mentioned SP 800-227 regarding Key Encapsulation Mechanisms, outlined the US government’s mandatory 2035 deadline for migration to PQC, and introduced the NIST IR 8547 transition guidelines and the NCCoE migration project.
Reading through the conference agenda, one can also find a presentation titled “Learn about the New NIST SP 800-53 Control Overlays for Securing AI Systems Project,” reminding readers to pay attention to AI system security while focusing on PQC.
In addition, as a “Super Connector” between mainland China and the world, it is a necessary measure for Hong Kong to reference various standards. Domestic commercial cryptography technology can follow the progress of units such as TC578 (National Technical Committee 578 on Quantum Computing and Metrology Standardization) and the Commercial Cryptography Standard Research Institute. It is worth noting that while Chinese national standards distinguish between mandatory and recommended standards, recommended standards should not be ignored; once incorporated into relevant laws and regulations, they become de facto mandatory standards and must be implemented.
As for “timely,” it requires grasping the timetables of various compliance requirements, such as the aforementioned 2035 deadline required by the US government. However, according to the latest analysis published by the Google Blog on 25 March 2026, based on its continuous investment and progress in quantum computing and PQC, Google believes that the final timeline for migrating to PQC algorithms to counter quantum computing has been moved forward to 2029.
Thus, regarding what is “timely,” one must maintain a concept of continuous follow-up and dynamic updating.
If observed from the perspective of gradual adaptation, the most suitable reference is the timetable for the adjustment of TLS/SSL certificate validity periods in the CA industry. As adopters, one should not only adjust internal certificate policies accordingly but also use this as a guide to reasonably arrange budgets, procure mature PQC systems or equipment in a timely manner, update traditional encrypted information systems, and guide the development and construction of new systems.
For the Hong Kong industry, although the Hong Kong Monetary Authority (HKMA) has not yet released a specific mandatory roadmap for PQC, continuously tracking compliance requirements promulgated by the government and industry and maintaining technological “Agility” will be the best strategy to cope with future uncertainties.
References:
https://quantumalgorithmzoo.org
https://csrc.nist.gov/events/2025/6th-pqc-standardization-conference
https://www.imda.gov.sg/how-we-can-help/blockchain-innovation/singapore-blockchain-ecosystem
https://blog.google/innovation-and-ai/technology/safety-security/cryptography-migration-timeline
