Nazmus Salehin Sammo, Melbourne Institute of Technology, and colleagues investigated the vulnerability of Australia’s New Payments Platform (NPP) to quantum computing threats. Their Monte Carlo simulation study modelled the performance of NIST post-quantum cryptography (PQC) signature standards within the NPP’s real-time transaction processing system, which currently handles 5.2 million transactions daily. The study quantifies the potential impact of ‘Harvest Now, Decrypt Later’ attacks. It estimates the financial implications of migrating to quantum-resistant cryptography, projecting 9.56 billion records at risk by 2030 and peak migration costs of USD 21.4M in 2026. The team validated their findings across a multi-cloud testbed, identifying ML-DSA and Falcon as viable options for maintaining the platform’s stringent 2,000ms service level agreement.
Post-quantum cryptography successfully meets New Payments Platform performance requirements
ML-DSA and Falcon post-quantum signature algorithms achieved 100% Service Level Agreement (SLA) compliance for Australia’s New Payments Platform (NPP), a feat previously impossible with other tested algorithms. This breakthrough suggests the potential to upgrade the nation’s payment system against future quantum computer attacks without impacting transaction speeds. The worst-case p99 overhead observed was 1.57ms, representing 0.079% of the 2,000ms SLA budget. Detailed simulations, utilising a Monte Carlo approach with 80 million events, revealed SPHINCS+ failed to meet the SLA due to severe queue saturation, effectively functioning as a denial-of-service amplification surface.
By 2030, estimates suggest 9.56 billion NPP records are at risk from ‘Harvest Now, Decrypt Later’ attacks, with peak migration costs of USD 21.4 million in 2026. ML-DSA-87 achieved a peak 99.9th percentile (p99.9) latency of under 154 milliseconds, reported with a 95% confidence interval, across a seven-node multi-cloud testbed. This consistency across diverse microarchitectures, including Intel Xeon, AMD EPYC, and ARM Graviton3, highlights algorithm portability. Uniquely, Falcon-512 fits within the 2,048-byte SWIFT MT field limit, using just 1,563 bytes for public key and signature combined, which matters for international messaging compatibility. A newly introduced Crypto Dilution Index (CDI) revealed that all algorithms except SPHINCS+ maintained a CDI below 0.04, indicating minimal overhead beyond core signature operations. Long-term operational data is currently lacking, however: real-world performance under sustained peak-load conditions and the impact of software updates remain unquantified.
Modelling New Payments Platform performance using Monte Carlo and queuing theory
This work is underpinned by a Monte Carlo simulation technique: repeatedly running a computer model with randomised inputs to understand the likelihood of different outcomes, similar to rolling dice many times to determine the odds of each number appearing. This approach proved important for modelling the complex interactions within Australia’s New Payments Platform (NPP), accounting for variations in transaction volume and processing times. The simulation incorporated detailed modelling of M/M/c queues, a mathematical representation of waiting lines, to identify potential bottlenecks. These queues represent the flow of transactions through the system’s hardware security modules (HSMs). Simulating 80 million transactions allowed accurate prediction of how different post-quantum cryptographic algorithms would perform under real-world load, revealing critical performance limitations before implementation.
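The following sketch is an added illustration of the M/M/c Monte Carlo approach described above; it is not code from the study. The arrival rate is the article's 5.2 million transactions per day taken as a flat average, while the HSM pool size, the two mean signing times and the reduced event count are assumptions chosen to show a healthy queue beside a saturated one.

```python
import heapq
import random

SLA_MS = 2000.0                   # NPP SLA budget quoted in the article
ARRIVALS_PER_S = 5.2e6 / 86400    # 5.2M transactions/day as a flat average rate
HSM_SERVERS = 4                   # assumed HSM pool size (not from the study)
# Constructed mean signing times in ms; illustrative, not the study's measurements.
PROFILES = {"fast_signature": 1.0, "slow_signature": 80.0}

def utilisation(mean_service_ms, servers=HSM_SERVERS, rate=ARRIVALS_PER_S):
    """rho = lambda / (c * mu); rho >= 1 means the queue grows without bound."""
    return rate * (mean_service_ms / 1000.0) / servers

def simulate_mmc(mean_service_ms, servers=HSM_SERVERS, rate=ARRIVALS_PER_S,
                 n_events=50_000, seed=1):
    """Monte Carlo run of a FIFO M/M/c queue; returns per-transaction latency in ms."""
    rng = random.Random(seed)
    free_at = [0.0] * servers     # min-heap: time each HSM next becomes idle
    now, latencies = 0.0, []
    for _ in range(n_events):
        now += rng.expovariate(rate) * 1000.0             # Poisson arrivals
        start = max(now, heapq.heappop(free_at))          # wait for earliest free HSM
        finish = start + rng.expovariate(1.0 / mean_service_ms)  # exponential service
        heapq.heappush(free_at, finish)
        latencies.append(finish - now)                    # queueing delay + signing
    return latencies

def summarise(latencies):
    """Return (p99 latency in ms, fraction of transactions within the SLA)."""
    ordered = sorted(latencies)
    p99 = ordered[int(0.99 * (len(ordered) - 1))]
    within = sum(t <= SLA_MS for t in ordered) / len(ordered)
    return p99, within

def run_profiles():
    """Simulate every constructed profile; returns {name: (rho, p99_ms, compliance)}."""
    return {name: (utilisation(ms), *summarise(simulate_mmc(ms)))
            for name, ms in PROFILES.items()}

if __name__ == "__main__":
    for name, (rho, p99, ok) in run_profiles().items():
        print(f"{name}: rho={rho:.3f} p99={p99:.1f} ms SLA compliance={ok:.1%}")
```

Once utilisation reaches 1, latency is dominated by queueing rather than by the signing operation itself, which is the saturation behaviour the article attributes to SPHINCS+.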
Quantum resilience in Australian finance balances projected threats with present security needs
Australia’s financial infrastructure now possesses viable pathways to withstand future quantum computing attacks, with algorithms like ML-DSA and Falcon demonstrably meeting stringent performance targets. The simulations, however, relied on projecting the capabilities of quantum computers, a moving target with inherent uncertainty. The precise moment when these machines become a credible threat remains unclear. This reliance on prediction introduces a key tension: overestimating the threat could lead to premature and costly upgrades, while underestimating it leaves the system vulnerable.
Acknowledging the inherent uncertainty in predicting the arrival of cryptographically relevant quantum computers and the precise scale of the ‘Harvest Now, Decrypt Later’ threat is vital. While necessary for proactive planning, these projections do not invalidate the importance of immediate preparation. Australia’s financial system handles millions of transactions daily, and even a small disruption could have significant consequences. Therefore, identifying algorithms like ML-DSA and Falcon that demonstrably meet performance requirements is an important step.
With 100% compliance with Australia’s New Payments Platform service level agreement, ML-DSA and Falcon post-quantum signature algorithms offer a viable pathway to protect real-time transactions against future threats from quantum computing. Detailed Monte Carlo simulations confirm these algorithms can be integrated without disrupting current payment speeds, with the worst-case overhead recorded being minimal. Analysis revealed SPHINCS+ sharply impacted system performance, highlighting the importance of careful algorithm selection. This work establishes a foundation for proactive security measures, but opens questions regarding long-term operational stability and the evolving field of quantum computing capabilities.
The research demonstrated that ML-DSA and Falcon post-quantum signature algorithms can meet the performance requirements of Australia’s New Payments Platform, which processes 5.2 million transactions daily. These algorithms achieved 100% compliance with the 2,000ms service level agreement, with a maximum overhead of 1.57ms, suggesting they offer a viable pathway to protect financial transactions against future quantum computing attacks. Simulations utilising a multi-cloud testbed and 80 million events also identified SPHINCS+ as significantly impacting system performance. The study estimates 9.56 billion records are potentially at risk under a ‘Harvest Now, Decrypt Later’ scenario, reinforcing the need for proactive security measures.
👉 More information
🗞 Post-Quantum Cryptography Migration in Australian Real-Time Payment Infrastructure: A Monte Carlo Simulation Study of the New Payments Platform
🧠 ArXiv: https://arxiv.org/abs/2605.02276
