Post-quantum cryptography is not a future ambition. It is already embedded into the web’s core confidentiality protocols. In this episode of Shielded: The Last Line of Cyber Defense, host Jo Lintzen speaks with Sofia Celi, Senior Cryptography and Security Researcher at Brave, co-author of the MAYO signature scheme, and co-chair of an IETF working group driving global PQC standards. Sofia explains the two-speed reality of PQ migration: confidentiality is already deployed at scale through TLS 1.3 and hybrid KEMs, while authentication, signatures, and zero-knowledge-based identity systems remain in deep research. She shares how standards bodies are recalibrating after TLS 1.3, why multivariate signatures such as MAYO could reshape authentication, why European eID timelines miss critical cryptographic maturity gaps, and the first two steps any security team must take within the next year.
As post-quantum cryptography moves from theory into deployment, organizations need a clearer view of what is real today and what still requires time. In this episode of Shielded: The Last Line of Cyber Defense, Sofia Celi, Senior Cryptography and Security Researcher at Brave, breaks down the two-speed reality shaping PQC adoption. She explains why confidentiality is already protected at scale through TLS 1.3 and hybrid post-quantum key encapsulation, now used across major browsers, CDNs, and cloud providers to defend against harvest-now-decrypt-later threats. This shift is live, scaled, and part of today’s internet. Authentication, however, covering signatures, PKI, eID systems, and privacy-preserving proofs, remains at an early stage. Lattice-based signatures are large and costly, prompting NIST’s second call for signature schemes with new mathematical foundations and smaller communication sizes. Sofia’s work on MAYO, a compact multivariate signature scheme, offers a promising path for authentication, distributed signing, and environments where signature size matters. She also examines European digital identity plans, noting the gap between policy ambition and cryptographic readiness. Current timelines overlook the immaturity of zero-knowledge systems and the privacy risks hidden in their design. Sofia closes with two practical actions any organization can take now: migrate fully to TLS 1.3 and enable hybrid post-quantum key exchange. These steps strengthen confidentiality today while the ecosystem advances authentication.
What You’ll Learn
- Why PQC deployment for confidentiality is real and already scaled in production
- How TLS 1.3 and hybrid KEMs mitigate harvest-now-decrypt-later threats
- Why authentication and signatures lag far behind despite rapid standardization work
- How MAYO targets small keys, compact signatures, and natural threshold support
- Why multivariate signatures matter for algorithm diversity and future resilience
- How zero-knowledge proofs behave differently in practice and why they require caution
- Why 2027 digital identity timelines overlook both cryptographic maturity and privacy risks
- What makes threshold cryptography attractive for distributed signing and delegated trust
- Why the first PQC steps every organization must take are simple, available, and high impact
Sofia Celi is a Senior Cryptography and Security Researcher at Brave, where she focuses on practical deployment of privacy-preserving and post-quantum cryptography. Her work spans Private Information Retrieval (PIR), zero-knowledge proof integration, TLS attestation, and the real-world application of advanced cryptography beyond blockchain. She is a co-author of MAYO, a multivariate post-quantum signature scheme submitted to NIST’s second signature call, and has led efforts to bring privacy technologies such as PIR into production environments.
Sofia serves as WG/RG Chair and Ombudsperson at the IETF, where she co-chairs a working group shaping global post-quantum protocol standards. She is an IACR ePrint co-editor, a reviewer for BlackHat, a member of the Open Technology Fund Advisory Council, and previously worked as a Cryptography and Security Researcher at Cloudflare. Her career sits at the intersection of research, protocol design, and applied security, advancing cryptography from theory into widely deployed systems.
Your Roadmap to Quantum Resilience
[02:19] Step 1: Separate Confidentiality From Authentication
Sofia starts by drawing a line that many teams still blur: the confidentiality layer is already post-quantum, but authentication is not. At this point in the ecosystem, TLS confidentiality is protected through deployed hybrid post-quantum KEMs across major browsers and cloud providers. The motivation is clear: harvest-now-decrypt-later is possible today, and traffic that leaks in the future cannot be recovered. Authentication is a different story. TLS signatures, PKI, and privacy-preserving protocols still rely on classical schemes because PQ signatures remain large, slow, or difficult to compose. Treating these two domains as if they mature simultaneously creates the wrong expectations and timelines. A realistic roadmap begins with clarity on what needs immediate protection and what will evolve over several years.
Key Question: Which systems depend on long-term signature trust, and which only require encrypted traffic today?
[04:42] Step 2: Treat Hybrid as a Transition but Recognize It May Stick
Sofia discusses how the industry has already adopted hybrid KEMs, concatenating classical and PQ algorithms as a safety net. In theory, hybrid is temporary. In practice, she notes that once the industry migrates, many systems never fully transition again. We still see SHA-1 and TLS 1.2 in production for this exact reason. Hybrid provides resilience while researchers gain confidence in PQ schemes and watch for early attacks, but it also carries the risk of becoming the default state if teams do not set clear expectations. Proper planning requires acknowledging both realities: hybrid protects confidentiality today, but architecture leaders need a position on whether and when pure PQC becomes the long-term baseline.
Key Question: Is hybrid a waypoint in your roadmap, or is it quietly turning into your destination?
[08:29] Step 3: Use TLS 1.3 Migration Lessons to Avoid Delays in PQC Adoption
Referencing the TLS 1.3 rollout, Sofia explains how long real migrations take. TLS 1.3 required years of review, formal verification, and protocol hardening before large-scale deployment. Even now, many systems still use TLS 1.2 or older, and the IETF cannot enforce upgrades. This matters because TLS 1.3 is the prerequisite for PQC handshakes. If organizations have not completed their TLS 1.3 migration, PQC adoption stalls before it begins. Sofia highlights that the industry can only move as fast as the slowest dependency, and outdated protocol infrastructure remains a major blocker.
Key Question: Do you know exactly where TLS 1.2 still runs in your environment, and is there a plan to eliminate it?
[14:36] Step 4: Track NIST’s Second Signature Round and Algorithm Diversity
Sofia explains why NIST opened a second call for PQ signatures: current lattice-based options are not enough. They are large, sometimes costly, and place all trust in a single mathematical family. If lattices were broken, both PQ key exchange and signatures would fall together. NIST now seeks independent mathematical foundations and smaller signatures that fit real-world authentication workflows. This includes bandwidth-limited clients, certificate chains, and protocols where signature size directly affects performance.
Key Question: Are you planning for an authentication ecosystem built on diverse algorithms, or is your strategy unintentionally tied to a single class?
[17:21] Step 5: Evaluate Multivariate and Threshold-Friendly Signatures Such as MAYO
Sofia introduces MAYO, a multivariate-quadratic signature scheme she co-authored. She details why the industry is watching multivariate candidates closely: they offer small public keys, compact signatures, and natural support for threshold cryptography. Threshold capability is particularly important as authentication workflows spread across distributed systems, cloud infrastructure, and delegated trust relationships. Rather than placing full control of a private key in one location, threshold schemes allow multiple parties to collaborate on a signature without exposing a complete key.
Key Question: Which of your authentication paths would benefit from compact signatures and built-in support for shared signing authority?
[33:03] Step 6: Act Now on What Is Mature - TLS 1.3 and Hybrid PQC
Sofia focuses on the two upgrades every organization can deploy immediately without waiting for the authentication ecosystem to mature. First, migrate fully to TLS 1.3, which is already supported across all major libraries. Second, enable hybrid KEMs to protect confidentiality against stored-traffic attacks. Authentication, signatures, and zero-knowledge tools need more time, more validation, and more stable standards. But confidentiality can be defended today with minimal cost and operational friction. Sofia frames this not as future-proofing, but as reducing an active risk window that grows every day organizations delay action.
Key Question: Do you have a scheduled project to deploy TLS 1.3 and hybrid PQC across your primary communication paths in the next 12 months?
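One way to measure progress on Step 3 and Step 6 from captured handshakes, as an added example that is not from the episode or from Brave: the sketch below reads a TLS ClientHello handshake message (the bytes after the 5-byte record header) and reports whether TLS 1.3 and a hybrid ML-KEM group are offered. The function names and the sample handshake are constructed for illustration; the group code points are the ones listed in the IANA TLS Supported Groups registry.

```python
import struct

# Hybrid ML-KEM code points from the IANA TLS Supported Groups registry.
HYBRID_GROUPS = {0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
                 0x11ED: "SecP384r1MLKEM1024"}
EXT_SUPPORTED_GROUPS, EXT_SUPPORTED_VERSIONS, TLS13 = 10, 43, 0x0304

def _u16s(data):
    return [v for (v,) in struct.iter_unpack("!H", data)]

def audit_client_hello(msg):
    """Return TLS 1.3 / hybrid-group offers found in a ClientHello handshake message."""
    try:
        if msg[0] != 1:
            raise ValueError("not a ClientHello")
        body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
        pos = 2 + 32                                         # legacy_version, random
        pos += 1 + body[pos]                                 # legacy_session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + body[pos]                                 # compression_methods
        ext_len = int.from_bytes(body[pos:pos + 2], "big")   # 0 if no extensions
        exts = body[pos + 2:pos + 2 + ext_len]
        if len(exts) != ext_len:
            raise ValueError("truncated extensions block")
        groups, versions, pos = [], [], 0
        while pos < len(exts):
            etype, elen = struct.unpack_from("!HH", exts, pos)
            data = exts[pos + 4:pos + 4 + elen]
            if etype == EXT_SUPPORTED_GROUPS:
                groups = _u16s(data[2:])                     # skip 2-byte list length
            elif etype == EXT_SUPPORTED_VERSIONS:
                versions = _u16s(data[1:])                   # skip 1-byte list length
            pos += 4 + elen
    except (IndexError, struct.error) as exc:
        raise ValueError(f"malformed ClientHello: {exc}") from exc
    return {"tls13": TLS13 in versions,
            "hybrid_groups": [HYBRID_GROUPS[g] for g in groups if g in HYBRID_GROUPS]}

def build_client_hello(versions, groups):
    """Constructed sample input: a minimal ClientHello carrying only two extensions."""
    ext = lambda t, p: struct.pack("!HH", t, len(p)) + p
    g, v = (b"".join(struct.pack("!H", x) for x in xs) for xs in (groups, versions))
    exts = ext(10, struct.pack("!H", len(g)) + g) + ext(43, bytes([len(v)]) + v)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    print(audit_client_hello(build_client_hello([0x0304, 0x0303], [0x11EC, 0x001D])))
```

Clients that report `tls13: False` are the TLS 1.2 inventory from Step 3; clients with TLS 1.3 but an empty `hybrid_groups` list are the ones still exposed to stored-traffic decryption.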