up:: In the Protocols MOC
PQC in Automotive and V2X
Automotive and V2X PQC is the work of moving vehicle security, which today rests on elliptic-curve signatures under the IEEE 1609.2 and ETSI ITS certificate standards, onto post-quantum algorithms before the cars carrying it outlive the cryptography inside them. Vehicle-to-everything (V2X) is the radio layer that lets a car broadcast its position, speed, and heading to other cars and to roadside infrastructure so the receivers can trust a safety message came from a real, authorized vehicle. Every one of those messages is signed, and the signature is the security.
A car built and type-approved this year is engineered to stay in service for 15 to 20 years, so its cryptographic identity has to keep verifying past the 2035 deadline NIST has set for disallowing classical public-key algorithms, on hardware that may never receive a security update. That gap between how long the vehicle lasts and how long its cryptography lasts is the whole reason automotive is one of the harder PQC migrations.
The short version:
- V2X messages (a car telling nearby cars and infrastructure where it is and how fast it’s moving) are authenticated with ECDSA P-256 signatures under IEEE 1609.2 in North America and ETSI TS 103 097 in Europe, so the signature is what makes a safety message trustworthy.
- Those elliptic-curve signatures are broken by Shor’s algorithm, which means a capable quantum computer could forge the safety messages a car acts on, and the replacement is a post-quantum signature like ML-DSA.
- The size jump is the engineering problem. An ECDSA P-256 signature is about 64 bytes, while an ML-DSA signature runs roughly 2,420 to 4,627 bytes, and V2X messages broadcast many times per second over a bandwidth-limited channel, so the new signatures strain the constrained radio and the small in-vehicle controllers.
- Vehicle field life runs 15 to 20 years, so a car type-approved today outlives NIST’s 2035 disallowment of classical public-key algorithms, which makes the up-front algorithm choice a decision that has to hold for two decades.
- The regulatory scaffolding already exists: UNECE R155 and R156 mandate a cybersecurity and a software-update management system for type approval, and ISO/SAE 21434 defines the engineering practice, so crypto-agility can be built in as a type-approval requirement rather than bolted on later.
Picture a fleet of delivery trucks that each carry a wax seal to stamp their paperwork, and every warehouse on the route recognizes the seal and trusts documents that bear it. The trucks are built to run for 20 years. If you learn that a forger will eventually be able to copy that seal, recalling every truck overnight is impossible, and leaving the old seal on the ones already delivering is unsafe. You have to hand out new seals that every warehouse learns to recognize, keep both seals valid while the fleet turns over, and make sure the trucks you build from now on can accept a new seal when the next forger appears. V2X migration is that seal-swap across a rolling population of long-lived vehicles that cannot all be updated at once.
What is V2X security and how does it work today?
V2X security is the certificate-and-signature system that lets vehicles and roadside units trust the safety messages they receive over a wireless channel, so a car can act on a warning from a stranger without being tricked by a forged or replayed one. A vehicle continuously broadcasts short safety messages, called Basic Safety Messages (BSM) in North America and Cooperative Awareness Messages (CAM) in Europe, several times a second. Each message carries the sender’s position, speed, and heading, and each is digitally signed so the receiver can confirm it came from a real, authorized vehicle rather than an attacker injecting false hazards.
The cryptography underneath is elliptic-curve. Both major standards sign V2X messages with ECDSA, the Elliptic Curve Digital Signature Algorithm, over the NIST P-256 curve, with SHA-256 as the hash. The North American standard is IEEE 1609.2, the European profile is ETSI TS 103 097, and the two are closely aligned, with the ETSI profile written as a subset of the IEEE base standard. Certificates are issued by a Security Credential Management System (SCMS), a purpose-built public key infrastructure that hands vehicles short-lived pseudonym certificates so they can prove authorization without being tracked across trips.
Source: ETSI, “Intelligent Transport Systems (ITS); Security; Security header and certificate formats,” TS 103 097 V2.1.1, October 2021, etsi.org.
The property to hold onto is that the signature is the trust. A V2X receiver has no independent way to confirm that the car ahead really is braking, so it relies entirely on the message being validly signed by a certificate that chains back to a trusted authority. Break the signature and you break the ability to tell a real safety warning from an injected one.
Why is V2X quantum-vulnerable?
Because the entire trust chain rests on elliptic-curve public-key cryptography, and elliptic-curve cryptography is exactly what a quantum computer breaks. Shor’s algorithm solves the discrete-logarithm problem that ECDSA depends on, so a cryptographically relevant quantum computer could recover a signing key from its public key and then forge any signature that key would have produced. In a V2X setting that means forging the safety messages a car brakes and steers on, or minting counterfeit certificates that receivers accept as authorized.
- Message forgery. With the signing key recovered, an attacker can broadcast fabricated Basic Safety Messages that appear to come from a legitimate vehicle, injecting phantom hazards or masking real ones. The receiver’s only defense, a valid signature, is precisely what has been defeated.
- Certificate forgery. The SCMS trust chain is elliptic-curve all the way up, so an attacker who can break the curve can forge the certificates that authorize a vehicle onto the network, reaching beyond individual messages to the authorization layer itself.
- The threat is real-time, so there’s no harvesting clock. V2X signatures are a Non-HNDL exposure: a forged safety message only helps an attacker at the moment it’s sent, so there’s nothing to record and decrypt later. That makes the V2X migration less about a running harvest-now-decrypt-later deadline and more about having quantum-safe signatures deployed across the fleet before a capable machine exists.
Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016 (public-key algorithms including elliptic-curve schemes fall to Shor’s algorithm), csrc.nist.gov.
The confidentiality side is comparatively calm. V2X uses symmetric AES and elliptic-curve integrated encryption for the parts that need secrecy, and the symmetric layer only faces Grover’s algorithm, which a larger key answers. The urgent work in V2X is the signatures, because they carry the authorization the whole system trusts.
What makes automotive PQC harder than server-side migration?
The vehicle lifetime is the reason, and it collides with two other constraints: the messages are bandwidth-limited and the hardware is often unpatchable. A modern car is engineered to stay on the road for 15 to 20 years, and vehicles routinely remain in service past 20, so a car type-approved and sold this year has to keep verifying V2X messages well past NIST’s 2035 disallowment of classical public-key algorithms. On a data-center server, an algorithm swap is a library upgrade. On a vehicle, it may be a decision frozen at the factory.
| Constraint | The server case | The automotive case |
|---|---|---|
| Lifetime | Refreshed on a 3-to-5-year hardware cycle | 15-to-20-year field life, often longer, so today’s choice must hold past 2035 |
| Update path | Routine remote software update | Over-the-air update where UNECE R156 allows, but many older and embedded units cannot receive one |
| Bandwidth | Effectively unlimited on a wired link | V2X broadcasts many messages per second over a shared, congested radio channel |
| Signature size | Kilobyte signatures are a non-issue | An ECDSA signature is ~64 bytes; an ML-DSA signature is ~2,420 to 4,627 bytes, a large jump on a tight channel |
Source: NIST, “Module-Lattice-Based Digital Signature Standard,” FIPS 204, August 2024 (ML-DSA signature sizes 2,420 / 3,309 / 4,627 bytes across parameter sets), csrc.nist.gov.
Source: NIST IR 8547 (Initial Public Draft), “Transition to Post-Quantum Cryptography Standards,” November 2024 (classical public-key algorithms disallowed after 2035), csrc.nist.gov.
The signature-size jump matters most because V2X is a broadcast medium where every vehicle in range is transmitting many times a second. Replacing a 64-byte signature with a multi-kilobyte one on a congested safety channel raises real questions about channel load and message-processing time, which is why the industry standards bodies are studying phased and hybrid approaches rather than a flat swap. The full sizing story for these algorithms on small hardware is in Constrained-Device PQC.
What is the migration path for V2X to post-quantum?
The path is to move V2X signatures from ECDSA to a post-quantum signature, most likely ML-DSA, while running old and new in parallel long enough for a rolling fleet to turn over, and to build the agility to do it again for the next algorithm change. The standards work is already in motion. ETSI published TR 103 949 in May 2023, a technical report recommending a quantum-safe migration strategy for ITS and cooperative ITS, and the IEEE 1609 and ETSI ITS communities are studying how to fit post-quantum and hybrid signatures into the certificate formats without breaking the installed base.
Source: ETSI, “Quantum-Safe Cryptography (QSC); Quantum-Safe Cryptography Migration; Migration strategy for ITS,” TR 103 949 V1.1.1, May 2023, etsi.org.
Three moves define the migration:
- Introduce post-quantum certificate and signature formats. The current V2X certificate formats were defined for elliptic-curve signatures and don’t yet carry post-quantum ones by default, so the formats have to be extended to hold the larger keys and signatures. This is the standards-body work that TR 103 949 and the IEEE 1609 groups are advancing.
- Run a hybrid or dual-signature overlap. Because the fleet turns over slowly, old and new have to coexist. A dual-signature approach lets a message carry both a classical and a post-quantum signature so that both legacy and upgraded receivers can validate what they understand, which avoids the split-brain problem where a new certificate silently breaks old vehicles.
- Bake in agility for the vehicles built from now on. Cars entering production should be engineered so their V2X stack can accept a new algorithm later, ideally over the air where UNECE R156 software-update management allows, so the units built today don’t become the unpatchable long tail of the transition.
The honest framing is that this is a decade-scale program, sequenced against the slow reality of fleet turnover, not a single cutover. The vehicles already on the road at migration time are the hardest part, which is why the decisions made in current production runs carry so much weight.
How do UNECE R155, R156, and ISO/SAE 21434 shape the migration?
They supply the regulatory hooks that make cryptographic agility a type-approval obligation rather than an optional good practice, which is what lets a PQC transition be required rather than merely encouraged. UNECE Regulation No. 155 requires a certified Cyber Security Management System (CSMS) and a vehicle-level cybersecurity assessment before a new vehicle type can be approved, and it has applied to new vehicle types since July 2022 and to all newly produced vehicles in scope since July 2024. Its companion, UNECE Regulation No. 156, requires a Software Update Management System (SUMS), which is the regulatory basis for delivering security updates, including cryptographic ones, over the vehicle’s life.
Source: UNECE, “UN Regulation No. 155 – Uniform provisions concerning the approval of vehicles with regards to cyber security and cyber security management system,” unece.org.
ISO/SAE 21434, the cybersecurity engineering standard for road vehicles, published 31 August 2021, is the technical standard that operationalizes the regulation. Where R155 says a manufacturer must manage cybersecurity risk across the vehicle lifecycle, ISO/SAE 21434 defines how, through a risk-based engineering process spanning concept, development, production, operation, and decommissioning. It’s cited in R155 as an appropriate reference framework, so in practice the two work together.
Source: ISO/SAE, “Road vehicles, Cybersecurity engineering,” ISO/SAE 21434:2021, August 2021, iso.org.
The consequence for PQC is that the migration has statutory teeth. A manufacturer’s CSMS is supposed to account for evolving threats across the whole lifecycle, and a quantum-capable adversary is exactly such a threat, so post-quantum readiness folds into the cybersecurity risk management the regulation already demands. The R156 software-update mandate is what makes the “update it later” path plausible for the vehicles engineered to support it, which is why designing the V2X stack for agility now is the move that keeps a car compliant through 2035 and beyond.
Common misconceptions
- “V2X is encrypted, so quantum breaks the confidentiality of what cars broadcast.” V2X safety messages are broadcast to be heard by everyone nearby, so they’re signed for authenticity rather than kept secret. The quantum exposure is signature forgery, an attacker faking or altering the safety messages a car trusts, which is a different problem from eavesdropping.
- “There’s no rush because V2X signatures aren’t harvestable.” True that they’re Non-HNDL, with no recording clock, and still time-critical because the fleet turns over across 15 to 20 years. Getting quantum-safe signatures into vehicles built today is the only way the population is protected before a capable machine exists, so the deadline is the fleet’s, not the attacker’s.
- “Just push a software update when quantum arrives.” Many vehicles in the field cannot receive a secure over-the-air update, and even those that can face the size and channel-load limits of a broadcast safety radio. The choice made at type approval is frozen for a large share of the fleet’s life.
- “A post-quantum signature drops straight into the existing certificate.” An ML-DSA signature is roughly 40 to 70 times larger than the ECDSA one it replaces, and the current V2X certificate formats were built for elliptic-curve sizes, so the formats have to be extended and the channel impact managed before the swap is safe.
- “UNECE R155 already covers quantum, so there’s nothing new to do.” R155 mandates lifecycle cybersecurity risk management, which is the hook, and it names no algorithms and sets no PQC deadline. The manufacturer still has to translate the quantum threat into a concrete plan, choose post-quantum algorithms, and engineer the agility to deploy them.
Questions people ask
Is V2X quantum-safe today? No. Both IEEE 1609.2 and ETSI TS 103 097 sign V2X messages with ECDSA over the P-256 curve, which Shor’s algorithm breaks. The migration to a post-quantum signature like ML-DSA is being studied and standardized, and it isn’t deployed across production vehicles yet.
When do vehicles actually need post-quantum V2X? The driver is the vehicle’s 15-to-20-year field life against NIST’s 2035 disallowment of classical public-key algorithms. A car type-approved today is meant to stay trustworthy past 2035, so post-quantum readiness is a decision for current production runs, not a problem to defer until a quantum computer is announced.
Why is the signature size such a big deal in V2X? V2X is a broadcast medium where every vehicle transmits safety messages many times a second over a shared, congested radio channel. An ECDSA signature is about 64 bytes; an ML-DSA signature is 2,420 to 4,627 bytes, so replacing it multiplies the channel load and processing time, which is why the transition needs careful sizing rather than a flat swap. The device-side sizing story is in Constrained-Device PQC.
What standards govern automotive cybersecurity? UNECE R155 mandates a Cyber Security Management System for type approval, UNECE R156 mandates a Software Update Management System, and ISO/SAE 21434:2021 defines the cybersecurity engineering process. Together they make lifecycle cryptographic risk management, which includes the quantum transition, a condition of selling the vehicle.
Can the fix be delivered over the air? For vehicles engineered to support secure over-the-air updates under UNECE R156, in part. The catch is that many units in the field, especially older or deeply embedded ones, cannot receive one, and even updatable vehicles are limited by the size and channel constraints of the V2X radio, so agility has to be designed in up front.
What replaces ECDSA in V2X? The leading candidate is ML-DSA, NIST’s primary post-quantum signature standard, most likely run as a dual signature alongside classical ECDSA during the overlap so that legacy and upgraded receivers can each validate the part they understand while the fleet turns over.
Where is the standards work happening? ETSI’s TR 103 949 (May 2023) recommends a quantum-safe migration strategy for ITS and cooperative ITS, and the IEEE 1609 working groups and ETSI ITS committee are extending the certificate formats to carry post-quantum and hybrid signatures. It’s active standardization rather than a finished specification.
Everything here is the map, given freely. When your team needs its V2X and vehicle cryptography inventoried, its ECDSA signing surfaces sized against the post-quantum signatures that replace them, and the fixed-hardware fleet sequenced against 2035, that’s the work I do. Request an alignment briefing.
Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.