up:: In the Protocols MOC
PQC in Satellites and Space
Satellite and space PQC is the work of moving spacecraft cryptography to post-quantum algorithms in an environment where the hardware cannot be swapped, the software is difficult and risky to change after launch, and missions run for a decade or more. A spacecraft uses cryptography to authenticate the commands it receives from the ground so it acts only on legitimate ones, and to protect the confidentiality and integrity of the telemetry and payload data it sends back. The command-and-control link is the sharpest safety concern, because a forged command can move a satellite, and the downlinked telemetry is the sharpest confidentiality concern, because it’s radiated over open air where anyone with an antenna can record it.
That recorded traffic is a textbook harvest-now-decrypt-later target: an adversary captures it today and decrypts it once a capable quantum computer exists, while the satellite that produced it is still in orbit running the cryptography it launched with. The CCSDS Space Data Link Security protocol is the standard that carries this cryptography, and the fixed-at-launch mission life is what makes the migration a design-time decision rather than a later upgrade.
The short version:
- Spacecraft use cryptography for two jobs: authenticating uplinked commands so a satellite acts only on real ones, and protecting downlinked telemetry and payload data, and the public-key parts of both are what a quantum computer breaks.
- Downlinked telemetry is radiated over open air, so it’s a clean harvest-now-decrypt-later target: an adversary records it today and decrypts it later, and the satellite producing it may stay in orbit for 15 or more years.
- The cryptography is fixed at launch. A spacecraft can’t be physically retrofitted, and even a software update is a constrained, high-risk operation over a bandwidth-limited link, so the algorithm choice is effectively frozen for the mission.
- The relevant standard is the CCSDS Space Data Link Security protocol (CCSDS 355.0-B-2, July 2022), whose baseline is authenticated encryption with AES-GCM using a 128-bit key, a symmetric layer that survives quantum with a larger key rather than a new algorithm.
- The urgent public-key work is the key establishment and the command-authentication signatures around that symmetric core, and the leverage sits in building crypto-agility into spacecraft designed now, because the missions launching today are the ones still flying when a quantum computer arrives.
Picture a deep-sea research station lowered to the ocean floor for a 15-year deployment, sealed and unreachable, communicating with the surface only by a thin cable. Whatever locks and codebooks you sealed inside at launch are the locks and codebooks it will use for its entire mission, because you can’t send a diver down to change them. Meanwhile every message it sends up the cable is copied by a rival ship that plans to crack the code years from now, once it has a better computer. Spacecraft cryptography is that sealed station: fixed at launch, radiating recordable traffic the whole time, and unreachable for a physical fix.
What cryptography do spacecraft use?
Spacecraft cryptography does two jobs, command authentication and data protection, and the standard that structures it for most civil and scientific missions is the Space Data Link Security (SDLS) protocol from the Consultative Committee for Space Data Systems (CCSDS). SDLS operates at the data link layer and adds authentication, encryption, and anti-replay protection to the CCSDS Telecommand, Telemetry, and Advanced Orbiting Systems link protocols, so it protects both the uplink (ground to spacecraft) and the downlink (spacecraft to ground).
The two jobs map to two exposures:
- Command authentication (uplink). The spacecraft has to confirm that a command came from its authorized ground station and wasn’t forged or replayed, because acting on a false command can reposition, misconfigure, or disable the vehicle. This is the integrity-and-authenticity half, and it’s the safety-critical one.
- Data protection (downlink). Telemetry, housekeeping data, and payload data (imagery, sensor readings, mission data) are protected for confidentiality and integrity on the way down. Because the downlink is a radio broadcast to a ground antenna, anyone within the beam or its sidelobes can record the raw transmission.
Source: CCSDS, “Space Data Link Security Protocol,” Recommended Standard CCSDS 355.0-B-2 (Blue Book), July 2022, ccsds.org.
The two jobs run on different quantum clocks, which is what sets the migration order:
| Job | Direction | Primary concern | Quantum clock |
|---|---|---|---|
| Command authentication | Uplink (ground to spacecraft) | Integrity: act only on real commands | Non-HNDL: forgery needs a live quantum computer, so nothing to record |
| Data protection | Downlink (spacecraft to ground) | Confidentiality of telemetry and payload | HNDL: recorded now, decrypted later, clock already running |
The baseline cryptography is symmetric. SDLS specifies authenticated encryption using AES in Counter Mode with a 128-bit key and a 128-bit authentication tag as its baseline algorithm. That symmetric core is the part that survives the quantum transition well, and the quantum exposure lives in the public-key machinery that establishes and manages the keys feeding it.
Why is satellite telemetry a harvest-now-decrypt-later target?
Because the downlink is a radio broadcast that anyone in range can record in full, and the data inside it stays sensitive for years, which is exactly the condition harvest-now-decrypt-later exploits. An adversary with a suitable antenna captures the encrypted downlink today, stores the raw bits, and waits. When a cryptographically relevant quantum computer exists, it breaks whatever classical public-key mechanism protected the session keys, and the stored traffic decrypts.
Three features make space an unusually clean HNDL case:
- The medium is open by nature. A terrestrial fiber link is at least physically contained, and a satellite downlink is radiated over a wide footprint, so recording it needs only a receiver in the coverage area rather than access to a cable. The interception step is nearly free for a capable adversary.
- The data has a long confidentiality horizon. Reconnaissance imagery, scientific measurements, and mission telemetry can retain their sensitivity for a decade or more, so traffic recorded now is still valuable when it decrypts later. The longer the confidentiality requirement, the more the harvesting clock matters.
- The producing satellite outlives the recording window. A spacecraft on a 15-year mission keeps radiating recordable traffic for its whole life, so the exposure isn’t a single captured session but a continuous stream from a platform that can’t have its cryptography swapped mid-mission.
Source: NIST IR 8547 (Initial Public Draft), “Transition to Post-Quantum Cryptography Standards,” November 2024 (harvest-now-decrypt-later motivates early migration of confidentiality-protecting key establishment; classical public-key algorithms disallowed after 2035), csrc.nist.gov.
So the confidentiality clock is already running on any long-lived satellite launched with classical key establishment. Whether or not a quantum computer arrives soon, the traffic being recorded today is a future liability the moment it’s captured, which is what makes the key-establishment side of space cryptography the piece to move first.
Why can’t a spacecraft just be updated later?
Because a spacecraft is the extreme case of fixed cryptography: the hardware is physically unreachable, and even a software update is a constrained, high-risk operation over a link that was designed for telemetry rather than large downloads. On a server, an algorithm swap is routine. On a satellite, the same change is a mission-risk decision.
- The hardware is unreachable. No one can physically retrofit a cryptographic module on a satellite in orbit, so any post-launch change has to be software-only, and hardware-accelerated crypto is frozen at whatever was integrated before launch.
- Software updates are bandwidth-limited and risky. Uploading new code to a spacecraft happens over a narrow command link inside tight power and timing budgets, and a failed update to a flight system can end a mission, so operators are conservative about changing flight software, especially the security-critical parts.
- The mission life outruns the deadline. Many spacecraft operate 15 years or longer, so a satellite launched today can outlive NIST’s 2035 disallowment of classical public-key algorithms while running the cryptography it launched with. The choice made before launch is the choice for the mission.
The consequence is that space is where crypto-agility has to be designed in before it’s needed, and where the absence of it is hardest to fix. A spacecraft built with the ability to load a new key-establishment mechanism or a new signature algorithm has a path forward, and one hardwired to a single classical algorithm becomes a platform that can only be replaced by launching another one.
How does a space system migrate to post-quantum cryptography?
The migration keeps the surviving symmetric core and moves the public-key machinery around it, prioritized by the harvest-now-decrypt-later clock, with agility engineered into the spacecraft that haven’t launched yet. The symmetric baseline of SDLS is already close to quantum-appropriate, so the work concentrates on key establishment, command authentication, and design-time flexibility.
- Strengthen the symmetric layer where needed. SDLS’s baseline is AES-GCM with a 128-bit key, which faces only Grover’s algorithm. Moving to a 256-bit key restores a wide quantum margin, and it’s a parameter change rather than a new algorithm, so it’s the easy part of the transition.
- Migrate key establishment first. The mechanism that establishes and distributes the session keys is the harvestable, HNDL piece, so it moves first, toward ML-KEM where key establishment is done with public-key cryptography. This is what closes the recording window on the downlink.
- Migrate command-authentication signatures. The signatures that authenticate uplinked commands and any ground-segment certificates move to a post-quantum signature such as ML-DSA, with the size of those signatures weighed against the narrow command link and the limited onboard memory.
- Design new spacecraft for agility. The highest-leverage move is building the spacecraft launching from now on so their algorithms are a configurable, updatable choice within the constraints of flight software, which is the only way a platform fielded today stays trustworthy across a mission that runs past 2035.
The realistic framing is that the ground segment can migrate on a normal IT clock, and the flight segment is the hard, slow part where decisions are frozen at launch. The size of the post-quantum signatures and keys against the bandwidth and memory of a spacecraft is a real constraint, which puts space firmly in the same engineering territory as other constrained devices, with the added severity that there’s no field visit to fall back on.
Common misconceptions
- “Satellites are too remote to be a realistic target.” The remoteness is what makes the downlink easy to record, because it’s a radio broadcast over a wide footprint rather than a contained cable. Recording the encrypted traffic for later decryption needs only a receiver in the coverage area, which is the whole premise of harvest-now-decrypt-later.
- “We can patch the crypto after launch if quantum becomes real.” A spacecraft’s cryptographic hardware is unreachable, and even a software update is a bandwidth-limited, high-risk operation over a command link, so the algorithm choice is effectively frozen at launch for the mission’s life.
- “SDLS uses AES, so satellites are already quantum-safe.” The symmetric AES-GCM core faces only Grover’s algorithm and stays strong at a larger key, which is the good news. The exposure is the public-key key establishment and command-authentication signatures around it, and those are what Shor’s algorithm breaks.
- “The urgent problem is forged commands.” Command forgery is a serious safety concern and it’s a real-time, Non-HNDL one, so there’s nothing to harvest. The harvest-now-decrypt-later exposure on recorded downlink telemetry is the clock that’s already running, which is why key establishment migrates first.
- “Post-quantum signatures drop into a spacecraft as easily as onto a server.” A post-quantum signature is far larger than the classical one, and a spacecraft has a narrow command link and limited onboard memory, so the size has to be engineered against the platform, the same constrained-device problem other embedded systems face.
Questions people ask
Is satellite communication quantum-safe today? Not on the public-key side. The symmetric AES-GCM baseline of the CCSDS SDLS protocol survives quantum with a larger key, and the key establishment and command-authentication signatures around it rest on classical public-key cryptography that Shor’s algorithm breaks, so those are the parts that need migration.
Why is space a harvest-now-decrypt-later problem? The downlink is a radio broadcast that anyone in range can record in full, and the data inside stays sensitive for years, so an adversary can capture encrypted telemetry today and decrypt it once a quantum computer exists. The producing satellite may stay in orbit for the whole recording window, radiating more traffic the entire time.
Why can’t a satellite’s cryptography be updated after launch? The hardware is physically unreachable, and even a software update is a constrained, high-risk operation over a bandwidth-limited command link, so operators change flight security software conservatively. The algorithm chosen before launch is effectively the algorithm for the mission.
What standard governs spacecraft link security? The CCSDS Space Data Link Security (SDLS) protocol, CCSDS 355.0-B-2 (July 2022), which adds authentication, encryption, and anti-replay protection to the CCSDS link protocols. Its baseline is authenticated encryption with AES-GCM using a 128-bit key.
Which part of space cryptography migrates first? Key establishment, because it’s the harvestable, HNDL piece protecting the recorded downlink, moving toward ML-KEM. Command-authentication signatures move to ML-DSA on a slightly slower clock, and the symmetric layer is strengthened to a 256-bit key.
Does the mission lifetime really outrun the quantum deadline? Often, yes. Many spacecraft operate 15 years or longer, so a satellite launched today can outlive NIST’s 2035 disallowment of classical public-key algorithms while running the cryptography it launched with, which is why post-quantum readiness belongs in current spacecraft design.
How is this different from a normal constrained-device migration? It shares the size-versus-bandwidth-and-memory bind of any constrained device, with the added severity that there’s no physical access and no low-risk update path, so agility has to be designed in before launch or the platform can only be replaced by flying a new one.
Everything here is the map, given freely. When your team needs its space and ground segments inventoried, its harvestable downlink key establishment prioritized, and crypto-agility engineered into the spacecraft you’re building now before they launch into a 2035-and-beyond mission, that’s the work I do. Request an alignment briefing.
Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.