RSA & ECC approaching end of life: Your PQC roadmap | SITS

RSA & ECC nearing the finish line: Become crypto‑agile now

The BSI TR‑02102‑1 sets clear deadlines: why hybrid with PQC becomes mandatory from 2032 and how organizations can plan migration pragmatically.

EOL: RSA & ECC

RSA and ECC have been the backbone of secure internet connections, data encryption, and electronic signatures for decades, but their time is running out. The reason is not a sudden bug or new mathematical methods that could break these algorithms, but physics: a sufficiently large quantum computer can use Shor’s algorithm to efficiently solve both the factoring problem (RSA) and discrete logarithms (ECC).

Therefore, anyone encrypting data today must assume that attackers may collect it now and decrypt it later (“harvest now, decrypt later”). The BSI is consequently introducing, for the first time, a concrete end‑of‑life date for the sole use of classical asymmetric methods. The details are provided as recommendations in the technical guideline TR-02102-1 from January 2026.

From 2031: PQC methods …

In practical terms, this means that classical RSA or ECC methods, such as those used today for the secure exchange of cryptographic keys in the context of HTTPS or secure e-mail, are recommended only until the end of 2031. For applications with very high protection requirements, the changeover should take place by the end of 2030.

… in hybrid form …

From 2032 onward, classical RSA and ECC methods should be used only in hybrid form together with post-quantum cryptography (PQC). “Hybrid” here means that two methods are applied in parallel: the classical RSA/ECC methods are combined with modern PQC methods.

The BSI explicitly recommends the hybrid approach because PQC methods, while necessary, have been investigated less than RSA and ECC with respect to implementation security and potential susceptibility to side‑channel attacks.

This is precisely where the organizational challenge lies: migration affects not just a single algorithm but protocols, libraries, certificate chains, device firmware, and often external partners as well. Especially in PKI environments, long migration timelines are realistic because new certificates, policies, HSM support, and rollout windows must align.

… and from 2035 also for electronic signatures

The BSI has set a later but also fixed horizon for signatures. According to the current state of knowledge, the sole use of classical RSA/ECC signature methods will probably be recommended only until the end of 2035. The switch to quantum-safe signatures should be completed by 2035 at the latest. Here, too, the preferred variant is hybrid, for example by combining a classical ECC/RSA signature with a PQC signature, where the two count as valid only together.

With electronically signed documents, the real “crypto question” is not just signing today but, above all, later verifiability over many years, often far beyond the life cycle of IT systems. The BSI therefore advises planning future PQC migrations early where long-term requirements apply and, if necessary, securing old documents again by re-signing them with updated methods. For this long-term preservation of evidentiary value, the BSI refers to TR-03125, which regulates the preservation of evidentiary value of cryptographically signed documents.

What does this mean for companies today?

The challenge lies not in the application of the new PQC procedures, but in the inventory of the affected applications and services and in the risk-based assessment of the respective protection requirements and migration complexity. A comprehensive migration project that includes the most important applications and services often takes several years due to dependencies and lifecycles and must therefore be planned at an early stage.

The approach to this is called “cryptoagility”, which the BSI explicitly mentions in TR-02102-1. Cryptoagility describes the organizational, technical and procedural ability to flexibly replace or expand cryptographic mechanisms without having to make significant changes to the rest of the overall system. Based on this approach, organizations can meet these challenges formally, efficiently and in a targeted manner.
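A first inventory pass can be automated. The following added example (not from the article or the BSI) checks a constructed inventory against the dates given above: end of 2031 for key agreement, end of 2030 for very high protection requirements, end of 2035 for signatures. The line format, the field names and the algorithm name fragments are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Last year in which classical-only use is recommended, as stated in the article.
LAST_YEAR = {("kex", "normal"): 2031, ("kex", "very-high"): 2030,
             ("sig", "normal"): 2035, ("sig", "very-high"): 2035}
# Assumed name fragments for classifying algorithm strings (not from the article).
CLASSICAL = ("rsa", "ecdh", "ecdsa", "secp", "x25519", "ed25519")
PQC = ("mlkem", "ml-kem", "mldsa", "ml-dsa", "slh-dsa")

# Constructed inventory: service;use;algorithm;protection;in_use_until
SAMPLE = """\
vpn-gw;kex;ecdh-secp256r1;normal;2034
web-portal;kex;x25519mlkem768;normal;2036
hr-archive;kex;rsa-3072;very-high;2031
doc-signing;sig;ecdsa-p256;normal;2040
code-signing;sig;rsa-4096;normal;2033
"""

@dataclass
class Finding:
    service: str
    mode: str                 # classical-only | hybrid | pqc-only | unknown
    deadline: Optional[int]   # None when no classical-only deadline applies
    action: str

def classify(algorithm: str) -> str:
    name = algorithm.lower()
    classical = any(m in name for m in CLASSICAL)
    pqc = any(m in name for m in PQC)
    if classical and pqc:
        return "hybrid"
    return "classical-only" if classical else "pqc-only" if pqc else "unknown"

def triage(text: str) -> List[Finding]:
    """Return findings with the earliest deadline first.

    Checks recommendation dates only; it does not model traffic that was
    recorded earlier and is decrypted later.
    """
    findings = []
    for line in filter(str.strip, text.splitlines()):
        service, use, alg, protection, until = (f.strip() for f in line.split(";"))
        mode = classify(alg)
        if mode != "classical-only":
            note = "review manually" if mode == "unknown" else "no classical-only deadline"
            findings.append(Finding(service, mode, None, note))
            continue
        deadline = LAST_YEAR[(use, protection)]
        late = int(until) > deadline
        action = f"migrate to hybrid by end of {deadline}" if late else "retires before deadline"
        findings.append(Finding(service, mode, deadline, action))
    return sorted(findings, key=lambda f: (f.deadline is None, f.deadline or 0))
```

Calling `triage(SAMPLE)` lists `hr-archive` first (end of 2030) and `web-portal` last, since it already uses a hybrid group.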

Implementing PQC migration pragmatically

With our proven, practice‑tested framework, you can get started quickly: inventory, pilot, hybrid rollout. Let’s discuss your roadmap for the PQC migration.