Research Finder
Find by Keyword
Two Clocks for Post-Quantum Cryptography: Enterprise vs. Unpatchable Silicon
IBM's approach assumes patchable software; the embedded layer NXP addresses devices shipped with 20-year lifecycles that can't be easily patched, and that gap is now the real PQC story
04/22/2026
Key Highlights
- IBM argues that fault-tolerant quantum computers could approach cryptographic relevance by the end of the decade, reinforcing the case for immediate enterprise migration to post-quantum cryptography (PQC)
- IBM positions itself as having co-authored the PQC algorithms NIST standardized in FIPS 203, 204, and 205 in August 2024, and having worked with clients on quantum-safe transformations since 2019
- The company cites active engagements with Vodafone across network infrastructure and with Signal and Threema on messaging protocols, plus internal deployment inside its own CIO office
- IBM frames the transition as a two-phase journey: migration initiation (discovery, inventory, alignment) followed by migration execution (remediate, govern, embed crypto-agility)
- In our view, the more consequential parallel story is happening in silicon this week at ICMC 2026, where NXP is presenting embedded PQC migration strategies for devices that enterprise software playbooks simply cannot reach
The News
IBM published a perspective piece on April 17, 2026 arguing that hardware and algorithmic progress in quantum computing is compressing the timeline for cryptographic relevance, with fault-tolerant machines potentially approaching that threshold by the end of the decade. The piece, authored by Suja Viswesan (VP, Security and Runtime Products) and Mark Hughes (Global Managing Partner, Cybersecurity Services, IBM Consulting), positions IBM as a quantum-safe leader based on its NIST algorithm contributions, client engagements since 2019, and internal deployments via Guardium Cryptography Manager. IBM emphasizes that "harvest now, decrypt later" (HNDL) attacks already create present-day risk exposure, and that quantum risk will materialize asymmetrically across cryptographic estates rather than as a single Y2K-style cliff. Full piece available here.
Analyst Take
Our read on this piece is that it is less a cryptography announcement and more a call sheet for IBM's services pipeline, and that is not a criticism. The quantum-safe migration is a services problem before it is an algorithm problem, and IBM has spent seven years building the consulting scar tissue that most competitors have not. The piece is well timed. ICMC 2026 is happening this same week in Arlington, and NIST is publishing transition guidance alongside vendor and silicon updates. Here is the contrarian observation we keep coming back to: the IBM framing assumes a software-updatable world, which describes perhaps half of the problem. The other half sits in embedded silicon with 10 to 20-year lifecycles, and that is where companies like NXP are quietly doing the harder work. The enterprise IT layer can migrate on a schedule. Industrial controllers shipped in 2021 cannot.
What Was Announced
IBM has articulated a positioning piece versus product release, and it is worth reading as such. The company reiterates its role in the NIST PQC standardization effort, noting contributions to the three algorithms published in FIPS 203, 204, and 205 in August 2024 (ML-KEM, ML-DSA, and SLH-DSA, derived from CRYSTALS-Kyber, CRYSTALS-Dilithium, and SPHINCS+ respectively). IBM also references its Guardium Cryptography Manager product and IBM Consulting's quantum-safe services as the commercial vehicles that translate this research into delivery. The piece introduces a two-phase migration methodology that IBM positions as field-tested across its client base.
- Phase 1, migration initiation, focuses on cryptographic discovery, regulatory impact assessment, and resolving fragmented ownership across security, infrastructure, and application teams.
- Phase 2, migration execution, centers on remediation (migrating legacy cryptography to PQC where available), governance (observability and compliance reporting), and crypto-agility as a sustained architectural capability rather than a one-time swap.
On the client side, the piece names Vodafone (network infrastructure and Secure Net consumer service, demonstrated at MWC25 with Akamai support), Signal and Threema (messaging protocol redesign), and IBM's own CIO office as deployment references. Both IBM and Vodafone are founding members of the GSMA Post-Quantum Telco Network Taskforce, a group that is now over 50 telecom companies since its 2022 formation. The framing is deliberately non-Y2K, and this is a crucial factor many are missing in their PQC planning. IBM argues quantum risk materializes asymmetrically over years, not at a single moment. As a result, strategies must evolve across disciplined multi-year programs rather than emergency patches.
Market Analysis
The quantum-safe market is entering a phase where the center of gravity is shifting from algorithmic research to industrialized migration, and the competitive map is starting to sort into distinct layers. IBM is positioning at the enterprise software and services layer. Cloudflare, which announced on April 7, 2026 that it now targets 2029 for full post-quantum security including authentication, sits at the internet infrastructure layer. NXP, Synopsys, and PQShield anchor the silicon and embedded layer. According to Deloitte's PQC readiness framework, cryptographic discovery typically consumes twelve to eighteen months in large enterprises before any algorithm substitution begins, which is consistent with what IBM is describing in Phase 1. That discovery burden is where the services revenue concentrates. The embedded dimension deserves more attention than the IBM piece affords it. NXP launched the i.MX 94 applications processor family in November 2024 as its first processor to integrate post-quantum public key cryptography, targeting industrial control, programmable logic controllers, automotive gateways, and building and energy control. This matters because those devices ship into fleets with ten to twenty-year operational lifecycles, and they cannot be migrated by updating a TLS library. This week, NXP's Joost Renes is presenting "Post-Quantum Cryptography in Embedded Systems: Migration Strategies for 2030 Readiness" at ICMC 2026 in Arlington, while Marc Ireland is moderating two certification track sessions. The International Cryptographic Module Conference itself is the venue where FIPS 140-3 compliance meets PQC implementation reality, and the embedded track is notably crowded this year. McKinsey has noted in recent quantum readiness work that financial services and telecommunications lead early adoption, which aligns with IBM's named client base. What IBM's piece does not emphasize is that enterprise software migration and embedded device migration are running on two different clocks, and reconciling them is the real 2030 problem.
Looking Ahead
Based on what we are observing, the quantum-safe conversation is about to bifurcate in ways that matter for enterprise architects. The software and cloud layer is moving toward hybrid PQC deployments and crypto-agile architectures on timelines that look aggressive but manageable, with Cloudflare's April 2026 pull-forward to 2029 suggesting the top of market is compressing. The embedded and industrial layer is a different problem entirely, one where silicon shipped today has to remain secure against cryptographically relevant quantum computers that may arrive inside its operational life. Cryptographic inventory is becoming the strategic chokepoint. Whoever owns the discovery layer shapes the migration roadmap, and the roadmap shapes the vendor selection. HyperFRAME will be monitoring how IBM's services motion lands relative to Accenture, Deloitte, and the silicon-layer players whose work at ICMC this week suggests the embedded migration is further along than the software discourse acknowledges.
Stephen Sopko | Analyst-in-Residence – Semiconductors & Deep Tech
Stephen Sopko is an Analyst-in-Residence specializing in semiconductors and the deep technologies powering today’s innovation ecosystem. With decades of executive experience spanning Fortune 100, government, and startups, he provides actionable insights by connecting market trends and cutting-edge technologies to business outcomes.
Stephen’s expertise in analyzing the entire buyer’s journey, from technology acquisition to implementation, was refined during his tenure as co-founder and COO of Palisade Compliance, where he helped Fortune 500 clients optimize technology investments. His ability to identify opportunities at the intersection of semiconductors, emerging technologies, and enterprise needs makes him a sought-after advisor to stakeholders navigating complex decisions.