Industry Use Case · Cruise & Hospitality · Post-Quantum Ready, Continuously™
Post-Quantum Readiness for a Premium Cruise Line
A vendor-neutral readiness brief for cruise operators that hold long-life guest and loyalty data, process card payments at sea, and run vessel systems under international flag-state rules.
Company-reported · not independently audited
01 / Executive Summary
What a premium cruise operator buys, and why
A composite premium cruise operator we call Meridian Voyages carries the same quantum-cryptography exposure as every Fortune-1000 enterprise that holds long-life personal data, processes card payments, and runs vessels under international flag-state rules.1 The difference is that Meridian’s data does not age out. A passport scan or a loyalty record harvested today is still valuable when the guest sails again in 2035.
Qtonic Quantum Corp engages a cruise operator under a phased, vendor-neutral program that runs 12 to 18 months and begins with a scoped paid proof-of-concept. Deliverables include a cryptographic bill of materials, a hardware-backed demonstration and resource-estimate validation against the operator’s deployed primitives, a five-phase migration roadmap built around hybrid X25519+ML-KEM-768 deployment, and an independent attestation from the Qtonic Quantum Lab signed with ML-DSA, the NIST FIPS 204 signature family.
Regulatory pressure
PCI DSS v4.0 12.3.3 and USCG 33 CFR Part 101.600 are active today, and IMO Resolution MSC.428(98) is embedded in flag-state ISM audits. A cruise line touching U.S.-flagged tonnage or U.S. port calls is inside every frame.
Threat signal
A March 31, 2026 neutral-atom resource estimate places ECC P-256 discrete log within ~26,000 physical qubits at a fast-architecture point. A resource estimate, not demonstrated capability.
Field baseline
Qtonic Quantum company-reported Fortune-1000 PQC readiness averages 18/100 across its governed engagements. Not independently audited.
The compliance window is already closing. The cryptographic primitives protecting Meridian’s wearable identifiers, loyalty database, payment HSMs, ECDIS chart updates, and vendor remote-access PKI are inside the NIST 2030–2035 transition window. The engagement retires them in order of risk, on a sequence that respects dry-dock cycles and PCI assessor schedules.
1 Meridian Voyages is a composite, illustrative cruise operator — not a real company and not based on any single operator. Industry incidents referenced relate to named, real organizations and are sourced solely to public reporting, SEC filings, regulator orders, and breach notifications. See Notices.
02 / The Signal
Three papers, three regulators, one calendar
The trigger for board-level urgency is not a single paper. It is a set of independent signals arriving against regulatory clocks that are already running. On March 30, 2026, the Google Quantum research team and co-authors published a resource estimate cutting the cost of breaking ECDLP-256 to fewer than 500,000 physical qubits on a superconducting architecture. The next day, a neutral-atom estimate (Caltech / Oratomic) placed P-256 discrete logs within roughly 26,000 physical qubits under fast-architecture assumptions, with RSA-2048 one to two orders of magnitude longer. Both are resource estimates, not demonstrated capability against production systems. Harvest-now, decrypt-later collection is pegged to that trajectory.
PCI DSS v4.0 Requirement 12.3.3 became mandatory on March 31, 2025. The USCG cyber rule (33 CFR Part 101.600) is effective, with Cybersecurity Plans due July 16, 2027. IMO Resolution MSC.428(98) has been embedded in flag-state ISM audits since 2021. NIST IR 8547 (initial public draft) describes deprecating quantum-vulnerable public-key cryptography after 2030 and broadening disallowance after 2035, and the NSA CNSA 2.0 procurement gate is dated January 1, 2027.2
Mar 31, 2025
PCI DSS v4.0 Requirement 12.3.3 became mandatory on March 31, 2025.
Jul 16, 2025
USCG 33 CFR Part 101.600 became effective on July 16, 2025.
Since 2021
IMO Resolution MSC.428(98) has been embedded in flag-state ISM audits since 2021.
Jan 1, 2027
The NSA CNSA 2.0 procurement gate is dated January 1, 2027.
Jul 16, 2027
USCG Cybersecurity Plans are due July 16, 2027.
2029
Q-Day — a Qtonic Quantum planning assumption, not a NIST date and not a prediction.
After 2030
NIST IR 8547 (initial public draft) describes deprecating quantum-vulnerable public-key cryptography (112-bit deprecation) after 2030.
After 2035
NIST IR 8547 broadens disallowance of quantum-vulnerable public-key cryptography after 2035.
2 NIST IR 8547 is an initial public draft as of the document date; deprecation timing and scope are subject to change in final publication. The 2029 reference is a Qtonic Quantum planning assumption, not a NIST date and not a prediction. Sources: PCI SSC v4.0 (Apr 2025); USCG 33 CFR Part 101.600 (Jul 2025); IMO Res. MSC.428(98); NIST IR 8547 initial public draft; NSA CNSA 2.0; EU NIS Cooperation Group PQC Roadmap (Jun 2025). Market statistics: Verizon 2026 DBIR; Datadog State of DevSecOps 2026.
03 / Exposure
Where classical cryptography touches a cruise
Four cryptographic domains, every one running on classical RSA / ECC primitives today. A cryptographic bill of materials is the prerequisite for any defensible migration plan.
01 · Guest Data & Loyalty
Wearable RFID identifiers · Mobile app & booking platform · Loyalty database (20-year retention) · Passport & biometric scans
A passport scan stored against a multi-decade loyalty record is the operative harvest-now, decrypt-later target. ShinyHunters published roughly 8.7M records tied to the Holland America Mariner Society loyalty program (per Have I Been Pwned, April 2026); three class actions were filed in the Southern District of Florida that month.
Public sources — Have I Been Pwned, court filings, public reporting. Not a Qtonic Quantum client.
02 · Payment Systems
PCI DSS 4.0 — 12.3.3 enforceable · HSM-anchored tokenization · Shore-excursion third parties · Multi-currency settlement
Payment systems run on classical RSA / ECC primitives inside an enforceable PCI scope. Carnival Corporation paid a $5M New York DFS penalty in June 2022 over four incidents from 2019 to 2021, including two ransomware events, plus a $1.25M multi-state settlement with 46 attorneys general.
Public sources — NY DFS consent order, state settlement, public reporting. Not a Qtonic Quantum client.
03 · Maritime OT & SATCOM
LEO + VSAT backup connectivity · ECDIS chart updates (signed) · Engine & ballast telematics · Vendor remote-access PKI
Larger PQC signatures and ML-KEM key shares change the per-handshake byte budget on constrained maritime links, where VSAT backup carries roughly 600 ms geostationary latency. SpaceX Starlink Maritime is the primary link across major fleets, with VSAT retained as backup; the engineering implications are addressed in Section 7.
Public sources — operator disclosures, public reporting. Not a Qtonic Quantum client.
04 · Port & Regulatory
APIS / CBP passenger feed · IMO MSC.428(98) flag-state audit · USCG Cybersecurity Plan · GDPR / UK GDPR / NIS2
The regulatory surface converges on one point: cryptographic primitives must be auditable, deprecation-aware, and forward-compatible. Public examples of scale include the Carnival August 2020 ransomware event (Form 8-K), a Royal Caribbean February 2021 access incident, and a Norwegian March 2020 portal exposure of roughly 27,000 agent credentials.
Public sources — SEC filing, public reporting. Not a Qtonic Quantum client.
04 / Counterparty
Why Qtonic Quantum
Qtonic Quantum Corp is a Florida profit corporation headquartered at 1000 Biscayne Blvd, Miami FL 33132, converted from Qryptonic LLC effective February 20, 2026. SAM.gov UEI FRYFAD3GW5W5. CAGE 14E99. A procurement officer can verify the counterparty in minutes. The company is vendor-neutral — no HSM, no PKI product, no TLS appliance for sale. Governance and defense adjacency are provided by the Defense Innovation Council, chaired by Lt. Gen. Mark E. Weatherington, USAF (Ret.), and the Allied Defense Council, founding-chaired by Lt. Gen. Roger L. Cloutier Jr., USA (Ret.).
“I spent my career in environments where encryption failure means mission failure. Qtonic Quantum applies that standard to enterprise systems.”
Four tools, one closed loop
QScout — Find
External-first cryptographic risk and vulnerability intelligence. CycloneDX 1.7 CBOM across 15 compliance frameworks. Tiers: QScout Free, Surface, Silver, Gold, Pulse. QScout is not a penetration test; paid tiers run under written authorization.
QStrike — Prove
Hardware-backed demonstration and resource-estimate validation against a bounded 2030–2031 quantum-equipped adversary model. It does not claim present-day RSA-2048 or ECC-256 break capability. $2M Challenge commercially underwritten.
QSolve — Fix
Five-phase migration roadmap (Inventory, Risk & Debt, Prioritization, Hybrid Deployment via X25519+ML-KEM-768, QStrike Validation). The hybrid primitive is already in production at Cloudflare, Google Chrome, and AWS KMS.
The QStrike quantum-cloud platform set
QStrike executes bounded validation workloads on commercial quantum hardware reached through the multi-vendor aggregator AWS Braket and direct provider clouds. The execution set is six platforms across four physical modalities — superconducting, trapped-ion, neutral-atom, and annealing.
| Platform | Modality | Access route | QStrike role |
|---|---|---|---|
| IBM Quantum | Superconducting | Direct (IBM Quantum Platform) | Gate-model adversary-circuit modeling on bounded instances; cross-vendor consistency |
| Rigetti | Superconducting | AWS Braket | Bounded gate-model workloads; superconducting cross-check |
| IonQ | Trapped-ion | AWS Braket; direct | High-fidelity bounded statistical validation and sampling verification |
| Quantinuum | Trapped-ion | Direct (Quantinuum Nexus) | High-fidelity bounded validation; trapped-ion cross-check |
| QuEra | Neutral-atom | AWS Braket | Analog Hamiltonian sampling for selected combinatorial attack-chain modeling |
| D-Wave | Annealing | D-Wave Leap (direct); AWS Marketplace | Combinatorial candidate prioritization and bounded search-space exploration |
Six platforms across four physical modalities, reflecting platforms commercially cloud-accessible as of June 2026, subject to provider access terms and engagement-specific availability. Google Quantum research team’s Willow and other non-commercial research processors are used only as published-benchmark calibration inputs to the adversary model; they are not part of the QStrike execution set, and QStrike does not run customer workloads on them.
Company-reported · not independently audited
05 / Engagement
Find → Prove → Fix → Credential
Each phase produces a discrete artifact the next phase consumes, usable as input for a USCG Captain of the Port, a flag-state surveyor, a PCI assessor, a cyber insurer, or a board. Continuous re-attestation feeds the cycle.
01 · Find — QScout
CycloneDX 1.7 CBOM · 15-framework compliance map · finding-level register.
02 · Prove — QStrike
Hardware-backed validation report against a bounded 2030–2031 adversary model; no present-day break claim.
03 · Fix — QSolve
Sequenced migration plan on hybrid X25519+ML-KEM-768, respecting dry-dock and refit windows.
04 · Credential — the Lab
Vendor-neutral score; ML-DSA-signed attestation; re-attestation cadence.
Premium cruise operator scale; four phases over 12 to 18 months from a scoped proof-of-concept. Scope drivers: fleet size, system scope, and vendor cooperation. Commercial terms are provided under NDA at scoping. The Lab’s assessment spans 215 reference implementations (company-reported).
06 / Outcomes
Business outcomes
The engagement produces a cryptographic inventory, a validated migration plan, and a signed attestation that support USCG Cybersecurity Plan submission, PCI DSS 4.0 12.3.3, flag-state ISM audits, cyber-insurance renewals, and board reporting against the 18-of-100 company-observed baseline. These artifacts are technical inputs; they do not determine compliance or guarantee any audit outcome. The business case is a comparison, not a promise.
$10.22M
Average U.S. data breach cost, a record high (IBM, 2025). Industry benchmark, not a Qtonic Quantum figure.
$5M
Carnival New York DFS penalty (2022) over four incidents. Public sources — NY DFS consent order; not a Qtonic Quantum client.
$1.25M
Carnival multi-state settlement with 46 attorneys general. Public sources — state settlement; not a Qtonic Quantum client.
The full engagement is a fraction of a single major breach. Exposure framing, not a savings guarantee.
07 / Honest Pushback
Devil’s advocate
The strongest version of QStrike is not that quantum computers can break production cryptography today. The defensible claim is narrower and more valuable: QStrike shows which current implementation defects, weak protocol choices, leakage patterns, and migration gaps are likely to matter first when quantum-capable adversaries arrive.
Vendor non-cooperation
Where a vendor cannot supply hybrid X25519+ML-KEM-768 in the window, QSolve sequences compensating controls and gives procurement the evidence to require a deprecation date in vendor contracts. The CBOM is the leverage instrument.
Scope creep in OT
ECDIS, ballast telematics, propulsion control, and HVAC can absorb budget if scope is unbounded. The engagement scopes OT explicitly at the Find phase, with QStrike validation focused where HNDL or signature-forgery risk is highest.
SATCOM bandwidth and latency
PQC primitives are larger (per FIPS 204, an ML-DSA-65 signature is 3,309 bytes with a 1,952-byte public key; per FIPS 203, an ML-KEM-768 public key is 1,184 bytes). Cloudflare's October 28, 2025 report notes the deployed X25519+ML-KEM-768 hybrid 'has already incurred a 4% slowdown in TLS handshake time.' This brief treats the maritime extrapolation as an engineering risk model, not a settled result; on VSAT backup with ~600 ms latency, signature-bearing handshakes that exceed a 1,500-byte MTU will fragment, so migration stages high-frequency endpoints on the LEO primary first.
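A rough byte-budget model for the handshake sizes discussed above, added here as an illustration and not part of Qtonic Quantum's tooling. It uses the FIPS 203/204 sizes quoted in the brief and treats the ~600 ms figure as round-trip time; the two-certificate chain, the per-certificate and framing overheads, the 10-segment initial congestion window, and all function names are assumptions.

```python
import math

# PQC sizes are the FIPS 203/204 figures quoted in the brief; the ML-KEM-768
# ciphertext size is also from FIPS 203. Classical sizes are typical P-256 values.
X25519_SHARE = 32
MLKEM768_PK, MLKEM768_CT = 1184, 1088
MLDSA65_SIG, MLDSA65_PK = 3309, 1952
ECDSA_SIG, ECDSA_PK = 72, 65          # DER signature (max), uncompressed point

# Modelling assumptions (not from the brief):
CERT_BODY = 400    # names, validity, extensions per certificate
FRAMING = 300      # ServerHello, extensions, Finished, record headers
MSS = 1500 - 40    # 1,500-byte MTU minus IPv4 and TCP headers
INITCWND = 10      # initial congestion window in segments (RFC 6928)


def client_share(hybrid_kem):
    """Key-share bytes the client sends in its ClientHello."""
    return X25519_SHARE + (MLKEM768_PK if hybrid_kem else 0)


def server_flight_bytes(hybrid_kem, pq_sig, chain_len=2):
    """Bytes in the server's first flight: key share, chain, CertificateVerify."""
    share = X25519_SHARE + (MLKEM768_CT if hybrid_kem else 0)
    sig, pk = (MLDSA65_SIG, MLDSA65_PK) if pq_sig else (ECDSA_SIG, ECDSA_PK)
    chain = chain_len * (CERT_BODY + pk + sig)
    return FRAMING + share + chain + sig


def packets(nbytes):
    """MTU-sized packets needed to carry nbytes of handshake data."""
    return math.ceil(nbytes / MSS)


def round_trips(npackets, initcwnd=INITCWND):
    """Round trips slow start needs to deliver npackets (window doubles each trip)."""
    sent, cwnd, trips = 0, initcwnd, 0
    while sent < npackets:
        sent += cwnd
        cwnd *= 2
        trips += 1
    return trips


def budget(hybrid_kem, pq_sig, rtt_ms=600, chain_len=2):
    """Summarise one handshake profile on a link with the given round-trip time."""
    size = server_flight_bytes(hybrid_kem, pq_sig, chain_len)
    n = packets(size)
    return {"client_share": client_share(hybrid_kem), "server_bytes": size,
            "packets": n, "extra_delay_ms": (round_trips(n) - 1) * rtt_ms}


if __name__ == "__main__":
    for label, kem, sig in [("classical", False, False),
                            ("hybrid KEM, ECDSA certs", True, False),
                            ("hybrid KEM, ML-DSA-65 certs", True, True)]:
        print(f"{label:30s} {budget(kem, sig)}")
```

Under these assumptions the hybrid key exchange alone stays within the first congestion window, while a chain signed with ML-DSA-65 spills past it and costs one additional round trip on the VSAT path. Replace the assumed overheads with measured certificate chains before using the output for planning.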
Four questions to ask any post-quantum vendor
| Question | Qtonic Quantum answer |
|---|---|
| Do you sell the cryptography you assess? | No. The Lab scores what is on the market, not Qtonic Quantum products. |
| How does QStrike evidence the threat work? | QStrike uses controlled demonstrations and resource modeling. It does not claim present-day RSA-2048 or ECC-256 break capability. |
| Will I receive a signed, third-party-readable attestation? | The Lab issues attestations digitally signed using ML-DSA (NIST FIPS 204). |
| What is your scanner output format? | QScout produces CycloneDX 1.7 cryptographic bills of materials that ingest into existing SBOM tooling. |
08 / Next Step
Start with a scoped proof-of-concept
Scoped to a representative slice of corporate IT plus one vessel network. Commercial terms are provided under NDA at scoping. 30-day kickoff from countersignature.
Week 1 — Scoping & access
Scoping calls, NDA execution, dataroom access.
Weeks 2 & 3 — QScout deployment
NIST-aligned scan across agreed scope. CBOM generation.
Week 4 — Findings review
CycloneDX CBOM delivered. Decision point on the Find engagement.
Post-Quantum Ready. Continuously.™
Notices
Notices & disclaimers
Forward-looking statements. Future events, timelines, and capabilities are forward-looking and may differ materially. The 2029 reference is a Qtonic Quantum planning assumption, not a prediction. Cited resource estimates are resource estimates, not demonstrations against production systems.
Company-reported metrics. “100,000+ findings,” “99% HNDL exposure signal,” “PQC readiness average 18/100,” “no OpenSSL-verified false positives observed,” and “215 implementations evaluated” are company-reported, not independently audited. Request methodology before relying on them.
QStrike capability scope. QStrike provides hardware-backed demonstrations and resource-estimate validation against deployed primitives. It does not claim, and should not be interpreted as claiming, present-day capability to break, decrypt, or forge signatures against production RSA, ECDSA, ECDH, or related classical primitives at full parameter sizes.
Standards. NIST IR 8547 is an initial public draft. FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA) are published standards. Use of ML-DSA for Lab attestations does not by itself imply FIPS 140-3 module validation.
Composite illustration; industry incidents. “Meridian Voyages” is a composite, illustrative cruise operator — not real, not based on any single operator, not a Qtonic Quantum client. Carnival, Royal Caribbean, Norwegian, Holland America, and Virgin Voyages incidents are described solely from public sources (SEC filings, regulator orders, state settlements, court records, Have I Been Pwned, and reputable trade media).
No public commercial terms; no binding offer. This page does not contain public commercial terms. Commercial terms are provided under NDA at scoping. No part constitutes a binding offer.
No warranty; no guarantee of compliance outcomes. Deliverables are advisory. They do not guarantee any PCI DSS, USCG, IMO, flag-state, cyber-insurance outcome, or breach prevention.
Third-party trademarks & sources. All third-party marks are the property of their owners; reference is descriptive, not endorsement. Market statistics are attributable to their publishers, not to Qtonic Quantum.
Export control. Products and services may be subject to the EAR and possibly ITAR depending on configuration; classifications are confirmed at scoping.
Governing law. Florida law; disputes per the executed engagement letter. © 2026 Qtonic Quantum Corp.