Crypto migration is an operational problem.

// Mechanism

The algorithm belongs in policy.

QHx moves cryptographic selection into cluster and namespace policy so teams can test, stage, roll back, and modernize without rewriting every workload.

• ML-DSAFIPS 204 signatures for workload SVIDs, with selectable security levels.
• ML-KEMFIPS 203 key encapsulation for TLS, including hybrid classical-and-PQ modes.
• Algorithm diversityReduces single-algorithm dependency across the credential lifecycle.
• Implementation safetyNIST-standardized APIs reduce the surface for implementation error.
• Per-namespace policyDifferent namespaces can run different algorithm profiles during migration. Crypto choice is a policy decision, not a workload code change.
• CompatibilityConventional algorithms remain available where transition constraints require them.