Role Definition
| Field | Value |
|---|---|
| Job Title | Cryptographer |
| Seniority Level | Mid-Senior (5-10 years) |
| Primary Function | Designs, implements, and analyzes cryptographic algorithms and protocols. Develops encryption systems, performs cryptanalysis, constructs security proofs, and validates cryptographic implementations against standards (FIPS 140-3, Common Criteria). Increasingly leads post-quantum cryptography migration — evaluating lattice-based and hash-based schemes, planning algorithm transitions, and ensuring quantum-resistant security postures. |
| What This Role Is NOT | Not a Security Software Developer (who builds security tools generally — scored 3.35 Green). Not a Penetration Tester (who finds vulnerabilities in applications). Not an Application Security Engineer (who reviews code for security flaws). The Cryptographer works specifically with mathematical primitives, formal proofs, and cryptographic protocol design — the foundational layer beneath all security tooling. |
| Typical Experience | 5-10 years. Often MS or PhD in mathematics, computer science, or cryptography. Deep knowledge of number theory, abstract algebra, probability theory, and information theory. May hold CISSP or CSSLP. Domain-specific standards knowledge: FIPS 140-3, NIST SP 800-series, Common Criteria. |
Seniority note: Junior cryptographers (0-3 years) who primarily implement established algorithms without design responsibility would score lower — likely Yellow (Urgent), as implementation is the most AI-accelerated portion of the work. Principal/research cryptographers who define new cryptographic standards and publish novel constructions would score higher Green (Stable).
Protective Principles + AI Growth Correlation
| Principle | Score (0-3) | Rationale |
|---|---|---|
| Embodied Physicality | 0 | Fully digital, desk-based work. No physical interaction required. |
| Deep Interpersonal Connection | 0 | Primarily mathematical and technical work. Collaboration with engineering teams exists but is technical, not relational — the value is in the mathematics, not the relationship. |
| Goal-Setting & Moral Judgment | 2 | Mid-senior cryptographers make significant judgment calls: which cryptographic primitives are "secure enough," how to balance security against performance, when to deprecate algorithms, and how to architect systems against unknown future threats. They don't just implement — they define what "secure" means in specific contexts. |
| Protective Total | 2/9 | |
| AI Growth Correlation | 1 | AI adoption creates new cryptographic challenges — homomorphic encryption for ML privacy, cryptographic watermarking for AI content (Cloudflare 2025), secure multi-party computation for federated learning, and the broader PQC migration. But cryptography predates AI and would exist without it. |
Quick screen result: Low protective score (2/9) but strong judgment component. AI Growth Correlation +1 suggests modest positive tailwind. Likely Green depending on evidence — the mathematical depth of the core work provides protection the protective principles don't fully capture.
Task Decomposition (Agentic AI Scoring)
| Task | Time % | Score (1-5) | Weighted | Aug/Disp | Rationale |
|---|---|---|---|---|---|
| Cryptographic protocol/algorithm design & analysis | 25% | 2 | 0.50 | AUGMENTATION | AI assists with literature review and parameter space exploration. Designing provably secure protocols requires mathematical creativity, formal reasoning about hardness assumptions, and novel proof construction — irreducibly human at current AI capability. BSI confirms AI assists but doesn't replace expert cryptographic design. |
| Cryptographic system implementation | 20% | 3 | 0.60 | AUGMENTATION | AI accelerates boilerplate and scaffolding. But cryptographic code is uniquely dangerous — side-channel vulnerabilities, timing attacks, and padding oracle flaws require constant-time implementations that AI cannot reliably produce. The security community explicitly warns against AI-generated crypto code. Human leads, AI assists. |
| Cryptanalysis & security proofs | 20% | 2 | 0.40 | AUGMENTATION | ML is increasingly used for side-channel analysis and pattern detection. But constructing novel mathematical proofs and identifying subtle cryptographic weaknesses requires deep human expertise. Best results require ML combined with expert knowledge about plausible attack vectors (BSI 2025). |
| Standards compliance & validation (FIPS, CMVP) | 15% | 2 | 0.30 | AUGMENTATION | FIPS 140-3 validation requires human-led testing through NVLAP-accredited labs with CMVP review and human sign-off at every stage. AI assists with documentation and test evidence gathering but cannot execute the validation process. Regulatory structure mandates human accountability. |
| Post-quantum cryptography migration | 10% | 2 | 0.20 | AUGMENTATION | Novel, unprecedented work — NIST FIPS 203/204/205 released August 2024, federal compliance by 2027. No established playbooks. Requires expert judgment on algorithm selection, migration timing, and hybrid scheme design. AI cannot lead this transition. |
| Documentation & knowledge sharing | 10% | 4 | 0.40 | DISPLACEMENT | AI generates routine technical documentation, API references, and migration guides. For template-driven documentation, AI output is the deliverable. Technical accuracy in cryptography demands human review, but the generation work is largely displaced. |
| Total | 100% | 2.40 |
Task Resistance Score: 6.00 - 2.40 = 3.60/5.0
Displacement/Augmentation split: 10% displacement, 90% augmentation, 0% not involved.
Reinstatement check (Acemoglu): Yes — AI creates new cryptographic tasks: designing cryptographic watermarking for AI-generated content, developing homomorphic encryption schemes for ML inference, building zero-knowledge proof systems for AI model verification, and leading the PQC migration that didn't exist 3 years ago. The role is gaining tasks faster than it's losing them.
Evidence Score
| Dimension | Score (-2 to 2) | Evidence |
|---|---|---|
| Job Posting Trends | +1 | 4,000+ live cryptography-related openings on LinkedIn (2025). BLS projects 33% growth for information security analysts broadly. Cryptography-specific demand growing with PQC migration — but absolute numbers remain small compared to broader cybersecurity. Pure "cryptographer" title postings are niche; demand often embedded within security engineer and research scientist roles. |
| Company Actions | +1 | NIST PQC mandate (FIPS 203, 204, 205 released Aug 2024) triggers worldwide migration. Every major tech company (Google, Apple, Signal, Cloudflare) actively migrating to post-quantum algorithms. No reports of cutting cryptographers citing AI. But cryptographer headcount per organization is tiny (typically 1-5), so hiring isn't a visible "surge" — it's a persistent, acute shortage in a small talent pool. |
| Wage Trends | +1 | Average $115K-$175K depending on title and source. Senior/specialized cryptographers $120K-$200K+. PQC specialization commands premium. Growing above market but not surging — the role has always been well-compensated due to mathematical depth requirements. |
| AI Tool Maturity | +1 | AI assists with side-channel analysis (ML classifiers), parameter exploration, and implementation scaffolding. But no AI tool designs or proves secure cryptographic protocols autonomously. PostQuantum.com: "AI cannot overcome the fundamental hardness assumptions that secure cryptographic systems." AI-generated crypto code is considered dangerous without expert review. Tools augment, don't replace. |
| Expert Consensus | +1 | Broad agreement that cryptographic design requires deep mathematical expertise AI cannot replicate. BSI (German Federal Office for IT Security): AI assists but doesn't replace. Quanta Magazine (Dec 2025): cryptographers actively studying AI limitations. Strong culture of peer review, formal proofs, and mathematical rigor that AI cannot substitute. No expert predicts displacement; all predict augmentation. |
| Total | 5 |
Barrier Assessment
Reframed question: What prevents AI execution even when programmatically possible?
| Barrier | Score (0-2) | Rationale |
|---|---|---|
| Regulatory/Licensing | 1 | FIPS 140-3 validation and Common Criteria certification require human-led processes through NVLAP-accredited labs with CMVP review. NIST PQC transition (IR 8547) mandates structured human oversight. Cryptographic modules in government, finance, and healthcare cannot be AI-validated. But no personal licensing required for cryptographers specifically. |
| Physical Presence | 0 | Entirely remote-capable. Fully digital work with no physical component. |
| Union/Collective Bargaining | 0 | No union representation for cryptographers. Academic and private sector, at-will employment. |
| Liability/Accountability | 1 | A flawed cryptographic implementation can compromise national security systems, financial infrastructure, or healthcare data. The PQC migration carries existential risk — choose the wrong algorithm or implement it incorrectly and everything encrypted today could be decrypted tomorrow. Someone must own these decisions. But personal criminal liability is rare; primarily organizational. |
| Cultural/Ethical | 1 | The cryptographic community has an extremely strong culture of peer review, formal mathematical proofs, and human verification. "Don't roll your own crypto" is a foundational principle — extending naturally to "don't let AI roll your crypto." Organizations handling classified data, financial systems, and critical infrastructure require human cryptographic judgment. |
| Total | 3/10 |
AI Growth Correlation Check
Confirmed at +1 (Weak Positive). AI adoption creates new cryptographic challenges that didn't exist before: homomorphic encryption enabling privacy-preserving ML, cryptographic watermarking for AI-generated content (Cloudflare deploying in 2025), secure multi-party computation for federated learning, and zero-knowledge proofs for AI model verification. The PQC migration — while driven by quantum computing rather than AI directly — intersects with AI timelines as quantum advantage accelerates. However, cryptography is a foundational discipline that would exist entirely without AI, so this is +1 not +2. Not Accelerated Green — the role isn't recursively dependent on AI growth.
JobZone Composite Score (AIJRI)
| Input | Value |
|---|---|
| Task Resistance Score | 3.60/5.0 |
| Evidence Modifier | 1.0 + (5 × 0.04) = 1.20 |
| Barrier Modifier | 1.0 + (3 × 0.02) = 1.06 |
| Growth Modifier | 1.0 + (1 × 0.05) = 1.05 |
Raw: 3.60 × 1.20 × 1.06 × 1.05 = 4.8082
JobZone Score: (4.8082 - 0.54) / 7.93 × 100 = 53.8/100
Zone: GREEN (Green ≥48, Yellow 25-47, Red <25)
Sub-Label Determination
| Metric | Value |
|---|---|
| % of task time scoring 3+ | 30% |
| AI Growth Correlation | 1 |
| Sub-label | Green (Transforming) — ≥20% task time scores 3+ |
Assessor override: None — formula score accepted.
Assessor Commentary
Score vs Reality Check
The 53.8 score places this role comfortably in Green, 5.8 points above the Green/Yellow boundary. The Task Resistance of 3.60 is protected by the mathematical depth of core tasks — 65% of time is spent on work scoring 2 (protocol design, cryptanalysis, proofs, standards, PQC migration) that requires formal mathematical reasoning AI cannot replicate. The evidence score (+5) is moderate rather than strong because the role is genuinely niche — there aren't tens of thousands of "cryptographer" postings the way there are for "software engineer." This is not a weakness; it reflects a small, highly specialized talent pool where demand consistently exceeds supply without dramatic posting spikes. The formula score accurately captures the reality: a deeply protected role that's transforming in how it works but not at risk of displacement.
What the Numbers Don't Capture
- Extreme talent scarcity. The cryptographer talent pool is tiny — most have PhDs in mathematics or theoretical CS. McKinsey estimates only half of future quantum-related jobs can be filled. This scarcity provides protection beyond what evidence scores capture, but it also means the role's "growth" is constrained by supply, not demand.
- PQC migration as a generational event. The NIST-mandated transition from RSA/ECC to lattice-based cryptography (federal compliance by 2027, full deprecation by 2035) is the largest cryptographic migration since DES-to-AES. This creates a decade of sustained, non-discretionary demand that current job posting data doesn't yet fully reflect.
- The "don't roll your own crypto" moat. The entire security community treats cryptographic design as a domain where amateur attempts — human or AI — are actively dangerous. This cultural barrier is stronger than the 1/2 Cultural/Ethical score suggests, because it's enforced by catastrophic failure consequences, not just preference.
Who Should Worry (and Who Shouldn't)
If you design cryptographic protocols, construct security proofs, or lead PQC migration — you are more protected than the Green (Transforming) label suggests. Your mathematical depth is the hardest possible work for AI to replicate, and NIST's PQC mandate guarantees a decade of demand. You are functionally Green (Stable).
If you primarily implement established cryptographic algorithms without design or analysis responsibility — you face more risk than this assessment implies. AI code generation is improving rapidly for structured implementation tasks, and the gap between "implement AES-256" and "design a secure protocol" is enormous. Junior implementers are closer to Yellow.
The single biggest separator: mathematical creativity versus implementation execution. The cryptographer who constructs novel proofs and evaluates hardness assumptions inhabits a different risk universe from one who integrates OpenSSL libraries into applications. Same job family, fundamentally different futures.
What This Means
The role in 2028: The mid-senior cryptographer uses AI to accelerate parameter searches, generate implementation scaffolding, and automate side-channel analysis — cutting routine work by 20-30%. But they still construct mathematical proofs by hand, design novel protocols on whiteboards, and make judgment calls about which PQC algorithms to trust with critical infrastructure. The PQC migration is in full swing, with federal agencies approaching their 2027 CNSA 2.0 deadline and private sector following. Cryptographers who understand both classical and post-quantum schemes are among the most sought-after specialists in cybersecurity.
Survival strategy:
- Lead PQC migration, don't just participate. NIST FIPS 203/204/205 are published — the organisations that move first need cryptographers who can evaluate schemes, plan transitions, and validate implementations. This is a decade-long demand driver.
- Deepen formal methods and proof construction. AI can search parameter spaces but cannot construct novel mathematical proofs. The cryptographer who publishes in IACR and presents at CRYPTO/Eurocrypt is the last one automated.
- Build expertise at the AI-crypto intersection. Homomorphic encryption, cryptographic watermarking, secure multi-party computation for federated learning — these are the growth areas where cryptographic expertise meets AI demand.
Timeline: 5+ years of strong demand with no displacement timeline. The PQC migration alone sustains the role through 2035. AI accelerates the workflow but cannot automate the mathematical core. The ceiling on AI-generated cryptographic design is structural — it's bounded by the same hardness assumptions that make cryptography secure in the first place.
