Lockheed Martin Post-Quantum Cryptography Migration for Defense Systems

A sufficiently large fault-tolerant quantum computer running Shor’s algorithm would render RSA and elliptic-curve cryptography obsolete overnight, since the mathematical problems underlying those systems, integer factorization and discrete logarithm, can be solved in polynomial time on a quantum processor. While such a machine does not exist today, the threat is not purely future-tense. Nation-state adversaries are likely collecting encrypted communications now with the intention of decrypting them once capable quantum hardware is available, a strategy known as “harvest now, decrypt later.” For most commercial organizations, this threat applies primarily to data that must remain confidential for five to ten years. For Lockheed Martin, the calculus is fundamentally different: classified design data, communications protocols, and authentication systems embedded in F-35s, satellites, and missile defense platforms must remain secure for 30 years or more.

The 2024 NIST post-quantum cryptography standards provided the reference framework for Lockheed’s migration. NIST standardized CRYSTALS-Kyber (now formally ML-KEM, FIPS 203) for key encapsulation and CRYSTALS-Dilithium (ML-DSA, FIPS 204) for digital signatures, both based on the hardness of lattice problems that have no known quantum speedup. Lockheed’s migration program spans three layers: internal enterprise IT systems, classified communication channels, and the supply chain that connects prime contractors with hundreds of subcontractors supplying components and software. The supply chain layer is the most complex because it requires coordinating cryptographic upgrades across organizations with widely varying technical capacity and update cycles. A small machined-parts supplier has neither the internal expertise nor the budget to independently execute a cryptographic migration, so Lockheed’s program includes technical assistance and mandated compliance timelines aligned with DoD guidance.

The approach inside Lockheed’s own systems is hybrid key exchange: rather than replacing classical key establishment outright, new handshakes combine a classical ECDH exchange with an ML-KEM encapsulation. The session key is derived from both classical and quantum-resistant components, so an attacker who harvests the ciphertext today would need to break both algorithms simultaneously to recover plaintext. This hybrid model also provides a hedge against the unlikely event of a classical break against ML-KEM, which is new enough that it lacks the decades of cryptanalytic scrutiny that RSA has accumulated. The more intractable challenge is updating firmware on deployed hardware with limited compute resources, fixed memory footprints, and no over-the-air update capability. Some legacy embedded processors in fielded systems simply cannot run ML-KEM as implemented in standard libraries, requiring either custom-optimized implementations or physical hardware replacement.

Lockheed’s 2024 program positioned the company ahead of most defense primes in executing an organization-wide PQC roadmap rather than treating the transition as a future IT project. Internal communication systems already carry PQC-protected traffic, and the supply chain compliance deadline of 2027 aligns with the DoD’s Quantum-Resistant Cryptography guidance. The program also feeds directly into Lockheed’s classified systems work, where the NSA’s Commercial National Security Algorithm Suite 2.0 mandates PQC for systems protecting national security information. The migration is less a single technical achievement than an organizational and engineering management challenge, requiring Lockheed to track, inventory, and systematically replace cryptographic primitives across millions of lines of code and thousands of hardware components while maintaining operational continuity.