TL;DR - Key Takeaways
- Quantum computers will break RSA and ECC - The encryption protecting most of the internet today
- "Harvest now, decrypt later" - Adversaries are already collecting encrypted data to decrypt when quantum computers arrive
- NIST has approved 4 post-quantum algorithms - ML-KEM, ML-DSA, SLH-DSA, and FN-DSA
- Hybrid cryptography is the recommended transition approach
- Start preparing now - Even if quantum computers are years away, the migration takes time
What Is Post-Quantum Cryptography?
Post-quantum cryptography (PQC), also called quantum-resistant or quantum-safe cryptography, refers to cryptographic algorithms that are secure against attacks by both classical and quantum computers.
Definition
Post-Quantum Cryptography: Cryptographic systems designed to be secure even if a large-scale quantum computer exists, while still running efficiently on today's classical computers.
The Quantum Threat
Current public-key cryptography relies on mathematical problems that are hard for classical computers but easy for quantum computers:
| Algorithm | Security Basis | Quantum Vulnerable? |
|---|---|---|
| RSA | Integer factorization | Yes - Shor's algorithm |
| ECC | Discrete logarithm | Yes - Shor's algorithm |
| AES-256 | Symmetric encryption | Partially - Grover's (use larger keys) |
| SHA-256 | Hash functions | Partially - Grover's (use larger outputs) |
Why Should Developers Care Now?
The "Harvest Now, Decrypt Later" Attack
Nation-states and sophisticated attackers are already:
- Intercepting encrypted traffic today
- Storing it in massive data archives
- Waiting for quantum computers to decrypt it
This means sensitive data encrypted today could be exposed in the future:
| Data Type | Sensitivity Duration | Risk Level |
|---|---|---|
| Medical records | 50+ years | Critical |
| Government secrets | 25+ years | Critical |
| Financial records | 7-10 years | High |
| Business communications | 5+ years | High |
| Personal messages | Variable | Medium |
Quantum Computing Timeline
| Milestone | Estimated Timeline |
|---|---|
| Current largest quantum computers | ~1,000 qubits |
| Break simple encryption | 2028-2030 |
| Break RSA-2048 | 2030-2035 |
| Cryptographically relevant quantum computer | 2030-2040 |
The problem: Migrating cryptographic systems takes 5-15 years. If quantum computers arrive in 2030-2035, we need to start now.
NIST Post-Quantum Cryptography Standards
In 2024, NIST (National Institute of Standards and Technology) finalized the first post-quantum cryptographic standards after a 7-year evaluation process.
The Four Approved Algorithms
| Algorithm | Type | Purpose | Based On |
|---|---|---|---|
| ML-KEM (FIPS 203) | Key Encapsulation | Secure key exchange | CRYSTALS-Kyber |
| ML-DSA (FIPS 204) | Digital Signature | Signing/verification | CRYSTALS-Dilithium |
| SLH-DSA (FIPS 205) | Digital Signature | Stateless signatures | SPHINCS+ |
| FN-DSA (FIPS 206) | Digital Signature | Fast signatures | FALCON |
Algorithm Deep Dive
ML-KEM (Module-Lattice Key Encapsulation Mechanism)
Use case: Replacing RSA and ECDH for key exchange
Purpose: Establish shared secrets for symmetric encryption
Based on: Module Learning With Errors (MLWE) problem
Security levels: ML-KEM-512, ML-KEM-768, ML-KEM-1024Key sizes compared to current algorithms:
| Algorithm | Public Key | Secret Key | Ciphertext |
|---|---|---|---|
| RSA-2048 | 256 bytes | 256 bytes | 256 bytes |
| ECDH P-256 | 64 bytes | 32 bytes | 64 bytes |
| ML-KEM-768 | 1,184 bytes | 2,400 bytes | 1,088 bytes |
ML-DSA (Module-Lattice Digital Signature Algorithm)
Use case: Replacing RSA and ECDSA for digital signatures
Purpose: Sign and verify documents, code, certificates
Based on: Fiat-Shamir with Aborts over lattices
Security levels: ML-DSA-44, ML-DSA-65, ML-DSA-87SLH-DSA (Stateless Hash-Based Digital Signature Algorithm)
Use case: High-security applications where larger signatures are acceptable
Purpose: Signatures based only on hash functions
Advantage: Different mathematical basis than lattice schemes
Trade-off: Larger signature sizesFN-DSA (Fast-Fourier Lattice-Based Signatures)
Use case: Applications requiring smaller signatures
Purpose: Compact signatures with fast verification
Note: More complex to implement securelyPractical Implementation Guide
Step 1: Inventory Your Cryptographic Usage
Before migrating, understand what you're using:
# Find RSA usage in codebases
grep -r "RSA" --include="*.py" --include="*.js" --include="*.java"
# Find OpenSSL/crypto library usage
grep -r "crypto\|openssl\|bcrypt" --include="*.py"Common areas to check:
| Area | What to Look For |
|---|---|
| TLS/HTTPS | Certificate algorithms |
| API authentication | JWT signing (RS256, ES256) |
| Code signing | Package/binary signatures |
| Data encryption | Key exchange mechanisms |
| Password storage | Usually safe (symmetric) |
Step 2: Implement Hybrid Cryptography
Hybrid cryptography combines classical and post-quantum algorithms. If either one is broken, you're still protected by the other.
# Conceptual hybrid key exchange
def hybrid_key_exchange():
# Classical key exchange (still trusted today)
classical_shared_secret = ecdh_key_exchange()
# Post-quantum key exchange (future-proof)
pq_shared_secret = ml_kem_key_exchange()
# Combine both secrets
final_secret = kdf(classical_shared_secret + pq_shared_secret)
return final_secretStep 3: Use PQC Libraries
Python: liboqs-python
# Install: pip install liboqs-python
import oqs
# Key encapsulation with ML-KEM
with oqs.KeyEncapsulation("ML-KEM-768") as kem:
# Generate key pair
public_key = kem.generate_keypair()
# Encapsulate (create shared secret and ciphertext)
ciphertext, shared_secret_enc = kem.encap_secret(public_key)
# Decapsulate (recover shared secret)
shared_secret_dec = kem.decap_secret(ciphertext)JavaScript/Node.js: liboqs-node
// Install: npm install liboqs-node
const oqs = require('liboqs-node');
// Digital signature with ML-DSA
const sig = new oqs.Signature('ML-DSA-65');
// Generate key pair
const publicKey = sig.generateKeyPair();
// Sign a message
const message = Buffer.from('Important document');
const signature = sig.sign(message);
// Verify signature
const isValid = sig.verify(message, signature, publicKey);Go: Cloudflare's circl
// go get github.com/cloudflare/circl
import "github.com/cloudflare/circl/kem/mlkem/mlkem768"
// Generate ML-KEM key pair
publicKey, privateKey, _ := mlkem768.GenerateKeyPair(rand.Reader)
// Encapsulate
ciphertext, sharedSecret, _ := mlkem768.Encapsulate(rand.Reader, publicKey)
// Decapsulate
recoveredSecret, _ := mlkem768.Decapsulate(privateKey, ciphertext)Migration Strategy for Organizations
Phase 1: Assessment (Now)
-
Inventory all cryptographic assets
- TLS certificates
- VPN configurations
- API authentication
- Data-at-rest encryption
-
Classify data by sensitivity lifespan
- What data must remain confidential for 10+ years?
-
Identify high-priority systems
- External-facing services
- Systems handling sensitive data
Phase 2: Pilot (2026-2027)
- Implement hybrid TLS on non-critical systems
- Test PQC in development environments
- Measure performance impact
- Train development teams
Phase 3: Transition (2027-2030)
- Migrate high-priority systems to hybrid cryptography
- Update certificate infrastructure
- Implement quantum-safe key management
Phase 4: Full Deployment (2030+)
- Complete migration of all systems
- Retire classical-only cryptography
- Continuous monitoring for new threats
Performance Considerations
Post-quantum algorithms are larger and sometimes slower:
Key and Signature Size Comparison
| Algorithm | Public Key | Signature/Ciphertext | Speed |
|---|---|---|---|
| ECDSA P-256 | 64 B | 64 B | Fast |
| RSA-2048 | 256 B | 256 B | Moderate |
| ML-KEM-768 | 1,184 B | 1,088 B | Fast |
| ML-DSA-65 | 1,952 B | 3,293 B | Moderate |
| SLH-DSA-128s | 32 B | 7,856 B | Slow |
Performance Impact by Use Case
| Use Case | Impact | Mitigation |
|---|---|---|
| TLS handshakes | Moderate (larger keys) | Hardware acceleration |
| JWT tokens | Minimal | Use ML-DSA |
| Blockchain | High (larger signatures) | Batching, aggregation |
| IoT devices | Significant | Choose appropriate security level |
Tools and Resources
Testing Tools
| Tool | Purpose | Link |
|---|---|---|
| Open Quantum Safe | PQC library collection | github.com/open-quantum-safe |
| Cloudflare circl | Go crypto library | github.com/cloudflare/circl |
| PQC TLS Testing | Test PQC TLS support | pq.cloudflareresearch.com |
Industry Resources
- NIST PQC Project: csrc.nist.gov/projects/post-quantum-cryptography
- CISA PQC Guidance: cisa.gov/quantum
- Quantum-Safe Security Working Group: quantum-safe.org
Frequently Asked Questions
When will quantum computers break current encryption?
Expert estimates range from 2030-2040 for a cryptographically relevant quantum computer. The exact timeline is uncertain, but "harvest now, decrypt later" attacks mean data encrypted today is already at risk.
Can I just wait until quantum computers exist?
No. Migrating cryptographic infrastructure takes 5-15 years. Organizations need to start planning now to complete migration before quantum computers arrive.
Are symmetric algorithms like AES safe?
Mostly yes. Grover's algorithm provides only a quadratic speedup against symmetric encryption. AES-256 effectively becomes AES-128 security against quantum attacks—still considered secure.
Should I switch from RSA to ECC first?
If you haven't migrated to ECC, you might consider going directly to hybrid PQC. Both RSA and ECC are equally vulnerable to quantum attacks.
Will TLS 1.3 automatically become quantum-safe?
No. TLS 1.3 will need to incorporate post-quantum key exchange algorithms. Hybrid approaches (X25519 + ML-KEM) are being standardized.
What about Bitcoin and blockchain?
Bitcoin and most blockchains use ECDSA, which is quantum-vulnerable. These systems will need to migrate to post-quantum signatures—a significant challenge.
Action Items for Developers
This Week
- Learn the basics of post-quantum cryptography
- Review NIST's PQC standards documentation
- Inventory cryptographic usage in your projects
This Month
- Experiment with liboqs or similar PQC libraries
- Test ML-KEM and ML-DSA in development
- Measure performance impact on your applications
This Quarter
- Present PQC risks to your security team
- Identify highest-priority systems for migration
- Create a preliminary migration roadmap
Conclusion
Post-quantum cryptography isn't a future problem—it's a present concern. The "harvest now, decrypt later" threat means that sensitive data encrypted today could be exposed when quantum computers mature.
NIST has given us the standards (ML-KEM, ML-DSA, SLH-DSA, FN-DSA). Libraries exist. The path forward is clear:
- Understand what you're protecting and for how long
- Implement hybrid cryptography combining classical and PQC
- Migrate progressively, starting with highest-risk systems
The developers and organizations that start now will have a significant advantage. Don't wait for the quantum apocalypse—prepare for it.
Last Updated: January 2026