QUANTUM-RESISTANT INFRASTRUCTURE: LEGAL IMPERATIVES FOR POST-QUANTUM CRYPTOGRAPHY UNDER INDIA'S CYBER LAW FRAMEWORK
Keywords:
Post-Quantum Cryptography, Digital Signature Mandates, IT Act Quantum Gaps, DPDPA Security Practices, Neural Data Quantum Threats, Harvest-Decrypt Attacks
Abstract
Progress in quantum computing threatens India's digital security systems, which depend on asymmetric cryptography, because it enables attackers to collect encrypted Aadhaar, banking, and critical infrastructure data now for future decryption. The Information Technology Act, 2000 permits digital signature use under Section 5 but fails to require post-quantum cryptography (PQC) implementation, which leaves systems exposed until NIST establishes quantum-resistant algorithm standards. The Digital Personal Data Protection Act 2023 requires organizations to implement "reasonable security practices" but does not provide protection against quantum threats, which creates problems for evidence collection under the Bharatiya Sakshya Adhiniyam 2023 because quantum-vulnerable records that have been tampered with will not be admitted as evidence. This article investigates the statutory deficiencies in the IT Rules 2021 and CERT-In directives and shows how India's approach to cybersecurity protection differs from the EU NIS2 and US Quantum Computing Cybersecurity Preparedness Act systems. The article proposes three legislative changes: (i) PQC migration timelines for critical sectors; (ii) risk-based audits; and (iii) liability for non-compliance. India can establish itself as a leader in quantum-resilient cyber law by combining protection of neuro-technology data, which is susceptible to quantum decryption, with existing space cybersecurity regulations. Unless legislators implement new cybercrime laws, cybercrime conviction rates will remain below 10% while cyber threats continue to rise. This research connects doctrinal examination with policy support to create a quantum-secure digital ecosystem for India.



