Post-Quantum Cryptographic Time Migration

The Y2Q Transition and Its Regulatory Frame

The expression Y2Q, by analogy to Y2K, names the deadline by which systems vulnerable to quantum cryptanalysis must be migrated to post-quantum algorithms. National Security Memorandum 10, issued in May 2022, directs U.S. federal agencies to inventory cryptographic systems and to plan migration to NIST-approved post-quantum algorithms; OMB Memorandum M-23-02 operationalizes the inventory and reporting cadence. CNSA 2.0, issued by the National Security Agency, sets out the algorithm requirements for national-security systems and a phased timeline running through 2035. The Federal Financial Institutions Examination Council and the Cybersecurity and Infrastructure Security Agency have issued aligned guidance for financial institutions and critical-infrastructure operators respectively, and ENISA has published equivalent guidance for the European Union.

NIST's standards trio is the technical anchor. FIPS 203 specifies ML-KEM, the lattice-based key-encapsulation mechanism derived from CRYSTALS-Kyber. FIPS 204 specifies ML-DSA, the lattice-based digital signature derived from CRYSTALS-Dilithium. FIPS 205 specifies SLH-DSA, the stateless hash-based signature derived from SPHINCS+. FALCON, standardized as FN-DSA, addresses use cases where signature size is the binding constraint. These four signature options span a tradeoff space across signature size, verification cost, and security assumption that operators must navigate per system rather than uniformly.

Timestamping sits squarely in the migration scope. RFC 3161 timestamps protect the integrity of signed records and are themselves signed by a timestamping authority; if the TSA's signature is forgeable in the future, the timestamps it produced today lose their evidentiary weight retroactively. The eIDAS regulation, in its qualified-timestamp form, imposes regulatory weight on TSA signatures across the EU, and the European Telecommunications Standards Institute has published policy and security requirements for TSAs that anticipate algorithm transitions. The store-now-decrypt-later threat model applies analogously to time: an adversary who captures TSA-signed timestamps today can, in a post-quantum future, forge replacements that appear to have been issued at the original time.

The Architectural Requirement

A timestamping infrastructure that is to survive the Y2Q transition must admit signature-algorithm change without requiring redeployment of the systems that consume its timestamps. The architectural requirement is that the relationship between an attester and its signature scheme be a credential-rotation concern rather than a protocol concern. Consumers must be able to verify timestamps produced under any combination of legacy and post-quantum schemes during the transition period and to verify timestamps produced under post-quantum schemes alone after the transition completes.

A second architectural requirement follows from the long-tail nature of evidentiary timestamps. A timestamp produced today may be inspected in a court proceeding fifteen years hence, by which time the legacy signature scheme will be retired and the keys may have been compromised. The infrastructure must therefore preserve the lineage of which scheme was in force when the timestamp was issued and must support re-attestation of legacy timestamps under post-quantum schemes before the legacy keys lose their integrity.

Why Procedural Migration Falls Short

The conventional migration approach for an RFC 3161 timestamping authority is to issue a new TSA certificate under a post-quantum signature scheme, deploy a parallel TSA service, and document a cutover date after which clients are expected to request timestamps from the new TSA. This works for newly-issued timestamps and fails for the installed base. Existing timestamps, signed under the legacy scheme, retain whatever evidentiary weight the legacy scheme can support and lose that weight on the schedule of the legacy scheme's retirement. Re-timestamping every legacy artifact under the new scheme is operationally enormous and, for documents held by third parties, often impossible.

Hybrid signature constructions, in which a signer produces both a legacy and a post-quantum signature over the same data, address part of the problem and impose their own. The hybrid signature is twice the size, and the verification path requires that the consumer know which combination of schemes the signer used. RFC drafts in the IETF LAMPS working group address hybrid certificate forms for X.509, but the path from a draft hybrid format to deployed verification in the long tail of clients that consume RFC 3161 timestamps is a multi-year exercise. During that exercise, the signer is committed to producing legacy signatures alongside post-quantum ones, which extends the window in which legacy keys must be protected.

A deeper failure of procedural migration is that it treats the signature as the trust anchor. When the trust anchor is a single TSA's signing key, the migration of that key is a singular event whose timing must be coordinated globally; when the trust anchor is the operator that runs the TSA, the migration is a contractual event that consumers must accept. Neither approach captures the property that downstream consumers actually need: that the time recorded was the time observed, by parties whose authority to observe it the consumer can verify under whatever cryptography is current at verification time.

What Mesh-Time Provides

Mesh-time treats each attester's contribution as a signed observation under that attester's credentials. The governance chain that binds attesters to the consensus is signature-scheme-agnostic; it specifies which attesters are admissible and under what authority, not which signature algorithm they must use. An attester running ML-DSA, an attester running SLH-DSA, and an attester still running ECDSA can contribute to the same consensus round, with admissibility profiles declaring which combinations the operator accepts. Migration from a legacy scheme to a post-quantum scheme proceeds attester by attester, on a rotation schedule that the operator chooses, without coordinated cutover.

Joint spacetime optimization produces a timestamp whose lineage is the attester set together with the per-attester signature evidence. A consumer verifying the timestamp checks the signatures of the attesters whose contributions were incorporated and applies the admissibility profile that was in force at the time. Re-attestation of legacy timestamps becomes a tractable operation: a new consensus round, run over the legacy timestamp as input, produces a post-quantum-signed re-attestation whose lineage points back to the original. Documents held by third parties can be re-attested without their cooperation, by attesters who hold copies or hashes of the original artifact.

Drift-bounded synchronization continues to operate over hybrid signature populations. The consensus does not require that all attesters share a signature scheme, and an attester whose key is compromised - whether by classical or by quantum attack - is excluded from the round in the same way a drift-divergent attester is excluded today. The exclusion is recorded in the consensus artifact, providing the audit trail that supervisory regimes increasingly require.

Mapping to NIST PQC Standards and Y2Q Mandates

Under NSM-10 and OMB M-23-02, the federal cryptographic inventory captures each system's signature algorithms and migration plan. A mesh-time deployment reports its inventory at the per-attester level, and migration is recorded as credential rotation against the existing governance chain rather than as system replacement. CNSA 2.0 alignment for national-security systems is achieved by configuring admissibility profiles that require CNSA-2.0-compliant signatures from the attester set, with hybrid configurations supported during transition windows specified in the standard.

For RFC 3161 and RFC 5816 timestamping, mesh-time can act as the substrate over which a TSA service is run, with the TSA's response carrying the consensus output and its lineage. Under eIDAS, the qualified-timestamp regime's requirements on issuer accountability and signature integrity are satisfied by the attester-set lineage, and the ETSI policy and security requirements for TSAs are met by the governance chain's documentation of admissible attesters and their authorities. FFIEC and CISA guidance for regulated operators is satisfied by the same mechanism that satisfies the federal mandates, with sector-specific admissibility profiles capturing sector-specific requirements.

Adoption Pathway for Operators

Operators of timestamping infrastructure can adopt mesh-time as the substrate for their RFC 3161 service before committing to a post-quantum signature transition. The first phase deploys mesh-time attesters running the operator's existing signature schemes, producing consensus timestamps that the TSA front-end signs and returns under its current key. This phase delivers the multi-attester evidentiary properties without disturbing the cryptographic posture and produces documentation aligned with the federal inventory requirements.

The second phase rotates a subset of attesters onto ML-DSA or SLH-DSA credentials, configuring admissibility profiles that accept hybrid attester sets. Consumers continue to receive timestamps under the existing TSA signature, but the underlying consensus has begun to incorporate post-quantum evidence. The third phase migrates the TSA front-end signature itself, at which point newly-issued timestamps carry a fully post-quantum lineage. The fourth phase, executable on a schedule the operator chooses, runs re-attestation rounds over the legacy timestamp corpus to extend its evidentiary weight beyond the retirement of the legacy schemes. At each phase, the operator's compliance posture under NSM-10, M-23-02, CNSA 2.0, eIDAS, FFIEC, and CISA guidance is documented by the governance-chain configuration, and the architecture at the end of the pathway provides a substrate that survives further algorithm transitions without rebuild.