Post-Quantum Cryptography · BFSI · India

Quantum is 7 years away.
Your bank's PQC window is not.

A production-grade, 5-phase readiness roadmap for Indian banks navigating NIST 2024 compliance, RBI/SEBI regulatory pressure, and the harvest-now-decrypt-later threat that opened in 2020 — not 2030.

Dr. Nupur Mukherjee, JAQL · NIST 2024 Aligned · RBI / SEBI Framed · Production-Tested
5–8 years for full migration
2024 NIST standards published
15-year bank data retention window
₹6000 Cr India NQM commitment

The threat no one is talking about

Harvest now.
Decrypt later.

Nation-state actors don't need a quantum computer today. They need your encrypted data today — and patience. Every encrypted transaction, customer record, and interbank message your institution sends in 2025 is a candidate for future decryption. The attack started in 2020. The decryption window opens when quantum computing matures — which is closer than most board presentations admit.

⚠ The 15-year data retention problem

Indian banks operating under RBI's data retention mandates hold customer and transaction records for 10–15 years. Data encrypted today with RSA-2048 or ECC-256 — the current standards — will be within the cryptographic reach of fault-tolerant quantum computers before that retention period expires. The question is not whether quantum will break your current encryption. It is whether your migration will be complete before it does.

The 5-Phase Framework

PQC Readiness Roadmap for Indian BFSI

A migration is not a product purchase. It is a phased architectural transformation. The sequence is non-negotiable — skipping phases creates gaps that become regulatory and security liabilities. Shortcut tools exist at every phase.

01 · Cryptographic Asset Inventory · Weeks 1–8

Systematically map every cryptographic key, certificate, algorithm, and encrypted data flow across the institution — core banking, payment rails, interbank messaging, cloud infrastructure, and third-party integrations. Most banks discover 40% more cryptographic surface than their IT register shows. This phase is the foundation. Every subsequent decision rests on its accuracy.

SandboxAQ Discovery · IBM Crypto Agility Scanner · Cryptosense Analyzer · JAQL HIQTF Audit Layer

02 · Quantum Risk Scoring · Weeks 6–14

Prioritise the inventory by data sensitivity, retention period, and cryptographic vulnerability. Not all encrypted data carries equal risk. Payment settlement keys warrant faster migration than archived customer communications. Risk scoring creates the migration sequence — without it, teams waste resources protecting low-value assets first. QAOA-inspired optimisation can model the risk-priority surface across thousands of asset classes simultaneously.

PwC PennyLane · IBM Qiskit Runtime · Quantinuum Quantum Origin · JAQL QAOA Risk Engine

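One way to turn the three inputs named in Phase 2 (data sensitivity, retention period, cryptographic vulnerability) into a migration sequence, as an added example that is not JAQL's risk engine or code from this page. It applies Mosca's inequality (retention plus migration time compared with time-to-quantum), which the page does not name; the 7-year horizon is the page's headline figure, while the sample inventory, the 1–5 sensitivity scale and the score cut-off of 30 are constructed assumptions.

```python
from dataclasses import dataclass

# Public-key algorithms the page names as current standards (breakable by Shor's algorithm)
QUANTUM_VULNERABLE = {"RSA-2048", "ECC-256"}
# NIST 2024 algorithm names as given on the page
PQC_STANDARDISED = {"ML-KEM", "ML-DSA", "SLH-DSA"}


@dataclass
class Asset:
    name: str
    algorithm: str
    retention_years: float   # how long the data must remain confidential
    migration_years: float   # estimated time to migrate this asset class
    sensitivity: int         # 1 (low) to 5 (high), from data classification


def exposure_years(asset: Asset, years_to_quantum: float) -> float:
    """Years the data is still sensitive after the assumed quantum break."""
    if asset.algorithm not in QUANTUM_VULNERABLE:
        return 0.0
    return max(0.0, asset.retention_years + asset.migration_years - years_to_quantum)


def risk_tier(asset: Asset, years_to_quantum: float = 7) -> str:
    if asset.algorithm not in QUANTUM_VULNERABLE | PQC_STANDARDISED:
        return "review"  # unclassified algorithm: never assume it is safe
    score = exposure_years(asset, years_to_quantum) * asset.sensitivity
    if score == 0:
        return "monitor"
    return "migrate-first" if score >= 30 else "migrate-next"  # assumed cut-off


def migration_sequence(assets, years_to_quantum: float = 7):
    """Asset names with non-zero exposure, highest score first."""
    scored = [(exposure_years(a, years_to_quantum) * a.sensitivity, a.name) for a in assets]
    return [name for score, name in sorted(scored, reverse=True) if score > 0]


# Constructed sample inventory (illustrative values only)
INVENTORY = [
    Asset("archived customer communications", "ECC-256", 10, 1, 2),
    Asset("payment settlement keys", "RSA-2048", 15, 2, 5),
    Asset("short-lived session tokens", "ECC-256", 0, 1, 3),
    Asset("pilot hybrid TLS endpoint", "ML-KEM", 15, 0, 4),
    Asset("legacy batch transfer", "3DES", 15, 3, 4),
]

if __name__ == "__main__":
    for a in INVENTORY:
        print(f"{a.name:35} {risk_tier(a)}")
    print(migration_sequence(INVENTORY))
```

Changing `years_to_quantum` shows how sensitive the sequence is to the horizon assumption: long-retention assets stay exposed even under optimistic estimates.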
03 · Algorithm Selection & Architecture · Months 3–6

Select NIST 2024-standardised algorithms for each use case — ML-KEM (CRYSTALS-Kyber) for key encapsulation, ML-DSA (CRYSTALS-Dilithium) for digital signatures, SLH-DSA (SPHINCS+) for stateless hash-based signatures. Design the hybrid cryptographic architecture that runs new and legacy algorithms in parallel through the transition. HSM vendor roadmap review is mandatory at this phase — most legacy Hardware Security Modules require firmware upgrades or replacement.

NIST FIPS 203/204/205 · Open Quantum Safe (liboqs) · AWS KMS PQC Preview · JAQL Hybrid Crypto Layer

04 · Hybrid Deployment & Testing · Months 6–18

Deploy new algorithms alongside existing ones — never as a hard cutover. Hybrid mode allows fallback during testing and satisfies regulators who require demonstrated backward compatibility. Performance testing is critical: post-quantum algorithms carry larger key sizes and computational overhead. Validate latency impact on payment processing, TLS handshakes, and API authentication before expanding deployment surface. The SWIFT network, UPI rails, and RBI RTGS each require separate validation cycles.

Open Quantum Safe · Cloudflare PQTLS · Bouncy Castle PQC · JAQL StressTrace Crypto Monitor

05 · Regulatory Attestation & Cutover · Months 18–36

Formal documentation for RBI audit readiness — cryptographic inventory attestation, migration completion certificates per asset class, board-level risk sign-off, and evidence package for SEBI IT governance review. Cutover is asset-class by asset-class, not institution-wide on a single date. The institutions that complete attestation first become the regulatory benchmark — setting the standard that all laggards must follow.

RBI MD-IT 2023 Framework · SEBI IT Governance Circular · CERT-In Reporting · JAQL Audit Trail Engine

Where Indian banks get stuck

Five real blockers.
Five specific shortcuts.

The roadmap is clear. The execution is where institutions stall. These are the five blockers we encounter in every engagement — and the precise intervention that moves each one.

Blocker 01
"We don't know what to protect first."
Shortcut: SandboxAQ's cryptographic discovery engine completes an institutional inventory in 4–6 weeks vs. the 18-month manual alternative. Pair with a data classification framework that maps retention period to risk tier.

Blocker 02
"Our HSMs don't support ML-KEM or ML-DSA."
Shortcut: Hybrid cryptography bridges the gap — new algorithms in software while hardware roadmaps catch up. Demand firmware upgrade timelines from Thales, Utimaco, and Entrust in writing. Most have PQC roadmaps through 2026.

Blocker 03
"We have no quantum expertise internally."
Shortcut: You don't need quantum physicists. You need crypto agility — the governance discipline to swap algorithms without rebuilding systems. PennyLane (open-source quantum-classical hybrid) lets existing engineering teams prototype migration paths without quantum hardware.

Blocker 04
"Regulators haven't mandated it yet."
Shortcut: RBI's 2023 Cybersecurity Directions reference cryptographic resilience explicitly. SEBI's IT governance framework points the same direction. The mandate is forming. First movers set the standard — and avoid the 6-month emergency compliance window when the circular drops.

Blocker 05
"We don't know what 'done' looks like."
Shortcut: Define attestation criteria at Phase 1, not Phase 5. The regulatory evidence package — inventory certification, algorithm selection rationale, hybrid deployment test results, board sign-off — should be the exit criteria that drive every phase milestone.

JAQL in Production

We didn't consult on this.
We built it.

The JAQL OS was designed from first principles for sovereign, regulated-enterprise deployment. Three components directly address the PQC migration stack for Indian banking.

Cryptographic Defense · Cyber
StressTrace
Cognitive-quantum cyber defense for banking SOCs. Spectral graph analysis, QAOA-inspired clustering, and S1–S7 cognitive load monitoring. Detects the human failure chain that PQC migrations expose — operator fatigue, misconfiguration, shadow credential use — before it becomes a breach.
76% MTTD reduction · 70%+ token efficiency

Quantum Transmission · Defence-Grade
HIQTF
Zero trusted-node quantum transmission framework. Graph-Laplacian eigensolvers, orbital untrusted relay, EMP-hardened beacons. The cryptographic resilience architecture we built for sovereign defence transmission — applicable at the banking infrastructure layer for interbank and payment rail security.
Patent-pending · SSRN published · Sovereign deployment

Banking Risk Intelligence · Finance
RiyaRisk
Quantum-spectral clustering for NPA prediction and fraud detection in Indian banks and NBFCs. The same quantum-classical hybrid architecture that powers PQC risk scoring — applied to credit and fraud risk. 72-hour NPA foresight, 96.2% fraud detection at less than 0.3% false positive rate.
4.8× Year-1 ROI · IFRS9/ECL aligned · RBI-native

About the author

Written from the inside of the problem.

This framework is not academic. Every phase, every blocker, and every shortcut is drawn from production deployments inside regulated banking and sovereign defence environments.

Dr. Nupur Mukherjee
Co-Founder & Chief Science Officer — Quantum and AI, JAQL · Certified Quantum Computing Expert · Top 3 Quantum India Scholar 2025
25+ years in banking, AI, and quantum engineering. Ex-MD Standard Chartered (Global Head Data/Analytics/ML), Ex-Director Global Agentic AI at GSK (£48M uplift), Ex-Barclays, HSBC, VMware. Architect of HIQTF, StressTrace, and the JAQL OS. SSRN-published across quantum governance, cognitive security, and sovereign AI.

Kishan Sathyan
Co-Founder & CEO, JAQL · Enterprise GTM · Regulated-Industry Deployment
Founder-operator focused on shipping post-quantum and hybrid-intelligence systems into regulated production. Leads GTM, partnerships and customer delivery across BFSI, defence, healthcare and sovereign government programs. Owns the 90–180 day deployment cadence behind every JAQL engagement. Direct: kishan.sathyan@jumpstartquantumlabs.org

Start the conversation.

Whether you're at Phase 1 or stuck between phases, the roadmap is navigable. We've been there — in production.