Post-quantum passports may be technically possible on today’s secure chips, but the real engineering question is whether they can meet the speed and security requirements of border-control systems. In a new clip from Elektor Academy Pro’s Post-Quantum Cryptography conference, Nouri Alnahawi, a research assistant and PhD candidate at Hochschule Darmstadt, explains why upgrading an electronic passport is not simply a matter of replacing one algorithm with another.

Post-Quantum Passports on Today’s Chips

Alnahawi says post-quantum cryptography is generally feasible on current electronic machine-readable travel document (eMRTD) hardware. The problem is performance. A cryptographic operation that currently takes about 250 ms might take 1–2 s with a post-quantum implementation. That may sound like a minor delay, but multiplied across an automated border gate, it can affect throughput, usability, and certification by bodies such as Germany’s BSI and the International Civil Aviation Organization (ICAO), as Alnahawi explains in the clip below:

Speed Is Also a Security Property

The performance penalty is not only an inconvenience. Alnahawi argues that longer execution times can increase the observation window for side-channel analysis and fault-injection attacks. Passport readers at automated gates may be physically isolated, reducing some practical attack opportunities, but eMRTDs are used in more situations than airport gates. A slow implementation can therefore create a larger implementation-level attack surface.

The choice of algorithm also matters. NIST’s ML-KEM standard offers a comparatively practical balance of security, key size, and performance, but Alnahawi notes that Saber can be faster in some constrained implementations. FrodoKEM, which avoids the additional structure used by module-lattice schemes, proved too large for the team’s development board tests. In embedded security, mathematical elegance still has to fit in memory and finish before the traveler starts glaring at the gate.

Optimized hardware should improve matters. Alnahawi points to semiconductor suppliers such as NXP as they prepare secure devices with stronger post-quantum support. NXP has previously highlighted the larger keys and increased latency that can accompany these algorithms, as well as their effect on existing public-key infrastructure.

The Missing PACE Replacement

Digital signatures are only part of the passport security chain. ML-DSA can provide quantum-resistant signatures for certificates and public-key infrastructure, but the chip and reader still need to establish a protected session. Current eMRTDs commonly use PACE, or Password Authenticated Connection Establishment, for this stage.

Alnahawi’s concern is that there is not yet an agreed post-quantum password-authenticated key-establishment protocol ready to replace or extend classical PACE. If session establishment continues to depend on classical Diffie-Hellman, that part of the system remains exposed to the future quantum threat even if the certificates have moved to ML-DSA.

It’s not that “passports are broken,” but more that post-quantum passports appear feasible, although algorithms, protocols, hardware acceleration, side-channel resistance, interoperability, and certification all have to move together. A standardized primitive is necessary. It is not the finished system.

Subscribe
Tag alert: Subscribe to the tag Quantum computer and you will receive an e-mail as soon as a new item about it is published on our website!