Post-Quantum Cryptography Migration in Australian Real-Time Payment Infrastructure: A Monte Carlo Simulation Study of the New Payments Platform

TL;DR

This study evaluates post-quantum cryptography standards for Australia's real-time payment system using Monte Carlo simulations, validating performance, security, and migration costs across diverse hardware platforms.

Contribution

It provides a comprehensive simulation-based assessment of PQC algorithms' performance and security implications for Australian payment infrastructure, including a new Crypto Dilution Index metric.

Findings

ML-DSA and Falcon meet SLA with minimal overhead

SPHINCS+ causes queue saturation and SLA failure

Falcon-512 fits within SWIFT MT field limit

Abstract

Australia's New Payments Platform (NPP) processes 5.2 million real-time transactions per day under a 2,000 ms SLA. With cryptographically relevant quantum computers projected by 2030-2035 and the Harvest Now, Decrypt Later (HNDL) threat active, this paper presents a Monte Carlo simulation study of NIST FIPS 204/205/206 signature standards (ML-DSA, SLH-DSA/SPHINCS+, Falcon) in Australian payment infrastructure, jointly modelling M/M/c queue saturation, GEV tail bounds, and HNDL actuarial exposure across 1,000 seasonally-mixed simulation days (80 million events). Cross-platform validation used liboqs 0.15.0 on a seven-node multi-cloud testbed spanning four microarchitectures (Intel Xeon Ice Lake/Cascade Lake, AMD EPYC Milan, ARM Graviton3). ML-DSA and Falcon achieve 100% SLA compliance across all configurations; worst-case NPP p99 overhead is 1.57 ms (ML-DSA-87, 0.079% of SLA budget). We introduce the Crypto Dilution Index (CDI = delta-p99/p99_e2e), showing all non-SPHINCS+ algorithms achieve CDI < 0.04. GEV analysis yields p99.9 bounds below 154 ms (95% CI). Falcon-512 is the only NIST PQC signature fitting within the 2,048-byte SWIFT MT field limit (1,563 bytes combined). SPHINCS+ saturates HSM queues at NPP volumes (rho=1.8855, c=2 servers), achieving 0% NPP SLA compliance, characterised as a DoS amplification surface in hybrid deployments (utilisation ratio ~9,428x ECDSA). An HNDL actuarial model estimates 9.56 billion NPP records at risk under CRQC-2030. Migration costs peak at USD 21.4M in 2026, declining to USD 1.5M/year by 2028.