Post-quantum cryptography for automotive and connected vehicles
A car sold today will be on the road well past 2035, and its security architecture is fixed at manufacture. Connected vehicles verify over-the-air firmware updates, authenticate to backend services, and increasingly exchange safety messages with other vehicles and infrastructure (V2X). Every one of those depends on signatures that must stay unforgeable for the vehicle’s entire life — a window that now overlaps the expected arrival of quantum computers.
OTA updates are the critical path
The most dangerous forgery in a connected car is a fake firmware update. If update verification uses ECDSA and that scheme is broken during the vehicle’s service life, an attacker could sign and deliver malicious firmware to safety-critical ECUs. Post-quantum code signing with ML-DSA (FIPS 204) — or stateless hash-based SPHINCS+ where the most conservative long-term assurance is required — must be built into the secure boot and update chain now, because it cannot be retrofitted across a fleet later.
V2X and the size trade-off
Vehicle-to-everything messaging demands frequent, tiny, low-latency signed messages, and post-quantum signatures are larger than ECDSA. This is a real engineering constraint, so V2X profiles balance signature size, verification speed and bandwidth carefully, often keeping hybrid schemes during transition. It illustrates the general PQC trade-off: security against quantum attack costs bandwidth and storage, which must be budgeted rather than ignored.
Honest scope
PQC secures the cryptographic layer of a broad automotive-security problem that also spans hardware roots of trust, network segmentation and physical access. The algorithms are resistant to known classical and quantum attacks per NIST, not unbreakable. The decisive factor is timing: crypto-agility and post-quantum update verification must ship in vehicles now, because the hardware you sell today will still be driving after the quantum horizon.
Try it yourself — live, free, verifiable in 30 seconds:
Explore the PQC API →