
What Is Post-Quantum Cryptography (PQC) and Why Does It Matter in 2026?


The encryption protecting your bank account, medical records, and government secrets rests on one assumption: that no computer can factor enormous numbers fast enough to crack the code. That assumption held for 50 years. Quantum computers are now systematically dismantling it. As of 2026, nation-states are already harvesting encrypted internet traffic and storing it to decrypt the moment a capable quantum machine arrives. The security community calls this "Harvest Now, Decrypt Later." The window to act is not measured in decades. It is measured in years.


TL;DR

  • Quantum computers can break today's most-used encryption (RSA, ECC) using Shor's algorithm, threatening all data protected by those methods.

  • Post-quantum cryptography (PQC) uses math problems that quantum computers cannot solve efficiently.

  • NIST finalized the world's first official PQC standards in August 2024: FIPS 203, FIPS 204, and FIPS 205.

  • The U.S. government mandated that federal agencies complete migration by 2035, with national security systems moving faster.

  • "Harvest Now, Decrypt Later" attacks mean data encrypted today is already at risk.

  • Migration to PQC is complex, costly, and urgent—and is actively underway across banking, defense, and critical infrastructure in 2026.


What Is Post-Quantum Cryptography (PQC)?

Post-quantum cryptography (PQC) is a set of encryption methods designed to resist attacks from quantum computers. Unlike today's widely used encryption (RSA and ECC), which quantum computers can break using Shor's algorithm, PQC relies on mathematical problems that even quantum machines cannot solve efficiently. NIST published the first official PQC standards in August 2024.


1. Background: How Encryption Works Today

Modern encryption keeps digital life private and safe. When you visit a bank website, send an email, or log into a government portal, encryption scrambles your data so only the intended recipient can read it. Two mathematical systems dominate this landscape:


RSA (Rivest–Shamir–Adleman): First published in 1977, RSA encrypts data using the product of two large prime numbers. Breaking RSA means factoring that product—a task so slow on classical computers that RSA-2048 would take longer than the age of the universe to crack by brute force.


Elliptic Curve Cryptography (ECC): More efficient than RSA, ECC secures most modern TLS connections (including HTTPS), mobile communications, and digital signatures. Breaking ECC requires solving the discrete logarithm problem—computationally infeasible on classical hardware.


These two families of algorithms underpin:

  • HTTPS (TLS/SSL) — the padlock on every secure website

  • SSH — remote server access

  • PGP/GPG — encrypted email

  • Code signing certificates — software authenticity

  • VPNs — private network tunnels

  • Blockchain and digital currency wallets


Both RSA and ECC are called public-key or asymmetric cryptographic systems. They work by generating a key pair: one public key (shared openly) and one private key (kept secret). The security of both rests entirely on classical computers being unable to reverse specific math operations at scale.


Quantum computers change that math completely.


2. The Quantum Threat: What Changes and When


What Is a Quantum Computer?

A classical computer processes information as bits—either 0 or 1. A quantum computer uses qubits, which exploit quantum superposition to exist in both states simultaneously. Combined with quantum entanglement and quantum interference, qubits allow quantum computers to explore vast solution spaces in parallel.


For most computing tasks, this provides no useful advantage. But for specific mathematical problems—particularly factoring large integers and computing discrete logarithms—quantum computers are exponentially faster.


Shor's Algorithm: The Core Threat

In 1994, mathematician Peter Shor published an algorithm that runs on a quantum computer and can factor large integers in polynomial time—a staggering improvement over classical algorithms. Shor's algorithm, when run on a sufficiently powerful quantum machine, can break:

  • RSA of any key size (including RSA-4096)

  • Elliptic Curve Cryptography (ECC)

  • Diffie-Hellman key exchange


A second algorithm—Grover's algorithm (1996)—weakens symmetric encryption (like AES) by roughly halving its effective key length. AES-256 is reduced to the equivalent strength of AES-128, which remains secure—but AES-128 becomes effectively insecure. Doubling symmetric key lengths is the standard mitigation.


How Close Is a Cryptographically Relevant Quantum Computer?

The honest answer in 2026: closer than five years ago, but not yet here. Breaking RSA-2048 using Shor's algorithm requires roughly 4,000 logical (error-corrected) qubits. Current machines are still in the Noisy Intermediate-Scale Quantum (NISQ) era, where physical qubits are error-prone and error correction overhead is enormous.


Key milestones:

Year | Event | Source
-----|-------|-------
2019 | Google claimed quantum supremacy with 53-qubit Sycamore processor | Google / Nature, Oct 2019
2021 | IBM deployed 127-qubit Eagle processor | IBM Research, Nov 2021
2023 | IBM launched 1,121-qubit Condor processor | IBM, Dec 2023
2024 | Google's Willow chip demonstrated below-threshold error correction | Google Research, Dec 2024
2025 | Microsoft announced topological qubit breakthrough enabling more stable qubits | Microsoft, Feb 2025

Despite these advances, no machine as of 2026 can run Shor's algorithm on cryptographically large numbers. The National Security Agency's 2022 guidance estimated a cryptographically relevant quantum computer (CRQC) could arrive between 2030 and 2035 (NSA CNSA 2.0, September 2022). Some private analysts put it earlier; some put it later. The specific date matters less than a crucial fact: data encrypted today can be stored and decrypted later.


3. What Is Post-Quantum Cryptography?

Post-quantum cryptography (PQC)—also called quantum-resistant cryptography or quantum-safe cryptography—is the field of designing cryptographic algorithms that classical and quantum computers cannot break efficiently.


PQC does not require quantum hardware to implement. It runs on today's classical computers, servers, smartphones, and chips. The "quantum resistance" comes from the underlying math, not from using quantum technology.


PQC algorithms are built on mathematical problems believed to be hard for both classical and quantum computers. The leading mathematical families are:


1. Lattice-Based Cryptography

The most mature and widely adopted PQC family. Security relies on the Learning With Errors (LWE) or Module-LWE problem: given a system of linear equations with intentional small errors, recovering the original values is computationally intractable—even for quantum machines. Two of NIST's three August 2024 standards (ML-KEM and ML-DSA) are lattice-based; the third, SLH-DSA, is hash-based.


2. Hash-Based Cryptography

Security derived entirely from the properties of cryptographic hash functions (like SHA-256). Hash functions are resistant to both classical and quantum attacks at appropriate sizes. The downside: signature sizes are large. NIST standardized SLH-DSA (SPHINCS+) as a hash-based signature scheme.


3. Code-Based Cryptography

Based on error-correcting codes. The McEliece cryptosystem (1978) is the oldest known PQC candidate. The math: decoding a random linear code is NP-hard. Code-based systems have survived decades of cryptanalysis. NIST selected HQC (Hamming Quasi-Cyclic) as a fourth standard in 2024, based on codes.


4. Multivariate Cryptography

Security based on solving systems of multivariate polynomial equations over finite fields—a problem in the NP-hard complexity class. Generally fast for signatures but produces large key sizes. None of NIST's final 2024 selections are multivariate, though research continues.


5. Isogeny-Based Cryptography

Based on mathematical relationships between elliptic curves (isogenies). SIKE, a leading candidate, was broken by classical computers in 2022 in under an hour using a new mathematical attack—demonstrating the importance of cryptanalysis vetting. NIST removed SIKE from consideration as a result.


4. NIST's PQC Standardization: A Timeline

The National Institute of Standards and Technology (NIST) launched the most important standardization effort in modern cryptographic history in 2016. The process was deliberately public, transparent, and global—inviting researchers worldwide to submit and attack candidates.

Date | Milestone
-----|----------
December 2016 | NIST opens PQC competition; receives 69 submissions
January 2019 | Round 2 announced; 26 candidates advance
July 2020 | Round 3 announced; 7 finalists, 8 alternates
July 2022 | NIST announces first four selections: CRYSTALS-Kyber, CRYSTALS-Dilithium, Falcon, SPHINCS+
August 2023 | Draft standards published for public comment
August 2024 | NIST publishes FIPS 203, FIPS 204, FIPS 205—the world's first official PQC standards
November 2024 | NIST selects HQC as a fourth standard (code-based), supplementing the three August 2024 standards
2025–2026 | Federal agencies begin mandatory migration per NSM-10 and CISA guidance

Sources: NIST PQC Project webpage (nist.gov/pqcrypto); NIST press releases August 2024 and November 2024.


The eight-year process involved over 200 research teams globally, thousands of cryptanalysis papers, and the elimination of multiple candidates (including SIKE and Rainbow) due to newly discovered vulnerabilities. The result is a set of standards that have survived more public scrutiny than any cryptographic standard in history.


5. The Four NIST-Standardized Algorithms


FIPS 203 — ML-KEM (Module Lattice Key Encapsulation Mechanism)

Previously known as: CRYSTALS-Kyber

Use case: Key encapsulation — establishing a shared secret key over an insecure channel (replaces RSA/Diffie-Hellman in TLS and similar protocols)

Math basis: Module Learning With Errors (MLWE)

Performance: Fast key generation and encapsulation; small key/ciphertext sizes; excellent for most deployment scenarios

Standard published: August 13, 2024 (NIST FIPS 203)


FIPS 204 — ML-DSA (Module Lattice Digital Signature Algorithm)

Previously known as: CRYSTALS-Dilithium

Use case: Digital signatures — authenticating documents, code, certificates, and identity

Math basis: Module Learning With Errors / Short Integer Solution (SIS)

Performance: Fast signing and verification; recommended as the primary PQC signature standard

Standard published: August 13, 2024 (NIST FIPS 204)


FIPS 205 — SLH-DSA (Stateless Hash-Based Digital Signature Algorithm)

Previously known as: SPHINCS+

Use case: Digital signatures — particularly where long-term signature security is critical

Math basis: Hash functions only (no lattice assumptions)

Performance: Larger signatures and slower than ML-DSA; serves as a backup standard relying on entirely different math assumptions

Standard published: August 13, 2024 (NIST FIPS 205)


HQC — Hamming Quasi-Cyclic (Fourth Standard, Selected November 2024)

Use case: Key encapsulation (backup to ML-KEM with different math assumptions)

Math basis: Error-correcting codes (code-based cryptography)

Purpose: Diversification — if lattice-based math is ever compromised, code-based alternatives are ready

Status: Standard publication expected 2025–2026

Note: Falcon (NTRU-based signature scheme) was also selected in July 2022 and is in the standardization pipeline, but its implementation complexity has slowed formal finalization.

6. Harvest Now, Decrypt Later: A Real and Present Danger

"Harvest Now, Decrypt Later" (HNDL)—also called a "store-now, decrypt-later" attack—is one of the most serious and immediate threats in cybersecurity. The attack works in two stages:


Stage 1 (Now): An adversary intercepts and stores encrypted internet traffic in bulk. This traffic is protected by RSA or ECC encryption and is unreadable today. The data—government communications, financial transactions, medical records, intellectual property—is stored in massive archives.


Stage 2 (Later): Once a cryptographically relevant quantum computer exists, the adversary decrypts all stored data retroactively, exposing years of secrets.


The attack requires no current quantum capability. Any nation-state or well-resourced actor with passive interception capability (which several have) can execute Stage 1 right now. HNDL is specifically dangerous for:

  • Long-lived secrets (national security, diplomacy, state intelligence)

  • Data with long shelf-lives (health records, financial records, infrastructure blueprints)

  • Communications between 2020–2030 that may still be sensitive in 2035


The NSA acknowledged this threat explicitly in its September 2022 CNSA 2.0 advisory, noting that adversaries "may be" already collecting data for future decryption (NSA CNSA 2.0, September 22, 2022). The German Federal Office for Information Security (BSI) issued a similar warning in its PQC migration guide (BSI, 2021, updated 2023).


No public evidence of large-scale HNDL operations has been confirmed by Western governments as of 2026—but classified threat assessments delivered in Congressional briefings have reportedly indicated concern. Several intelligence experts have publicly stated that the working assumption should be that HNDL is occurring.


7. Real-World Case Studies


Case Study 1: The U.S. Government's Mandatory Migration (2022–2026)

Background: In May 2022, the White House issued National Security Memorandum 10 (NSM-10), directing federal agencies to migrate to quantum-resistant cryptography. The memo set a deadline of 2035 for full migration of all federal systems, with sensitive national security systems required to begin migration "immediately."


Action taken: CISA (Cybersecurity and Infrastructure Security Agency) published its Post-Quantum Cryptography Initiative roadmap in 2022, updated in 2023, mandating that agencies complete cryptographic inventories (identifying every system and protocol using vulnerable encryption) by the end of 2023. NIST published FIPS 203/204/205 in August 2024. By late 2024, the Office of Management and Budget issued supplementary guidance requiring federal civilian agencies to publish transition plans.


As of 2026: Multiple federal agencies—including the Department of Defense, Department of Treasury, and Department of Homeland Security—have published or submitted their PQC transition roadmaps. The National Security Agency has mandated CNSA 2.0 adoption (which includes ML-KEM and ML-DSA) for all national security systems by 2030.


Outcome (in progress): This represents the largest mandated cryptographic migration in U.S. government history—estimated to touch tens of thousands of systems across 24 major agencies.


Sources: White House NSM-10 (May 4, 2022); CISA PQC Initiative (cisa.gov/quantum); NSA CNSA 2.0 (September 2022); OMB Memorandum M-23-02 (December 2022).


Case Study 2: Cloudflare's Large-Scale PQC Deployment in TLS

Background: Cloudflare, which processes approximately 20% of global internet traffic as of 2024, began experimenting with PQC in TLS as early as 2019. By 2022, Cloudflare deployed X25519Kyber768 (a hybrid key exchange combining classical and post-quantum methods) on its edge network for testing.


What they did: In collaboration with Google Chrome and Mozilla Firefox teams, Cloudflare ran a large-scale hybrid PQC experiment measuring real-world performance. Published results (Cloudflare blog, September 2023) showed that ML-KEM-based hybrid TLS added approximately 0.5 milliseconds of latency on average—a negligible overhead for most users.


By 2024: Cloudflare enabled post-quantum hybrid key exchange by default for all TLS 1.3 connections. Google Chrome enabled X25519MLKEM768 by default in Chrome 131 (released November 2024). Mozilla Firefox followed with similar support.


Significance: This marked the first mass-scale deployment of PQC in internet infrastructure—protecting billions of daily connections against both classical and quantum adversaries.


Sources: Cloudflare blog "Post-Quantum for All" (September 2023, blog.cloudflare.com); Google Security Blog on Chrome PQC (November 2024); Mozilla Firefox 132 release notes (November 2024).


Case Study 3: IBM's Quantum-Safe Financial Infrastructure Initiative

Background: IBM has worked with major financial institutions through its IBM Quantum Safe program to help banks and payment processors assess and migrate cryptographic exposure. IBM partnered with financial institutions including BNY Mellon and major European banks as part of its IBM Quantum Network.


What they did: IBM developed the IBM Quantum Safe Explorer, a scanning tool that inventories cryptographic assets in complex enterprise codebases—identifying every use of RSA, ECC, and other vulnerable algorithms. The tool maps dependency chains so organizations understand which systems must migrate first.


IBM also integrated post-quantum algorithms (ML-KEM, ML-DSA) into its z16 mainframe (announced 2022), which processes 87% of global credit card transactions and runs trillions of dollars in financial transactions daily. The z16's on-chip cryptographic co-processor was the first commercial mainframe with PQC hardware acceleration.


By 2025–2026: IBM's OpenSSL PQC fork and Quantum Safe SDKs are in active use at financial institutions globally. IBM reported in its 2024 annual report that over 200 enterprise clients had completed initial cryptographic inventories using IBM tooling.


Sources: IBM Quantum Safe (ibm.com/quantum-safe); IBM z16 announcement (April 2022, ibm.com); IBM 2024 Annual Report.


8. Who Is Most at Risk?

Not all organizations face equal exposure to the quantum threat. Risk scales with two factors: the sensitivity and longevity of the data being protected, and the time required to migrate to PQC.


Highest Risk Sectors

Sector | Why at Risk | Key Concern
-------|-------------|------------
Defense & Intelligence | State secrets with decades-long sensitivity | HNDL attacks by adversaries
Banking & Finance | Financial transaction integrity; long-lived contracts | Transaction forgery; retroactive fraud
Healthcare | Medical records protected for decades | Patient privacy; HIPAA retention obligations
Critical Infrastructure | Power grids, water systems use long-lifecycle SCADA | Protocol replacement in embedded systems
Telecommunications | Backbone of internet encryption | Mass passive interception
Government PKI | Certificates underpin digital identity infrastructure | Certificate forgery; impersonation
Semiconductor IP | Chip designs encrypted for years | Retroactive IP theft

Lower-Risk but Still Affected

  • Consumer retail transactions (shorter data shelf-life, but authentication still matters)

  • Social media platforms (shorter-lived data, but account security matters)

  • Cloud SaaS providers (must migrate backend infrastructure regardless)


9. PQC Migration: A Step-by-Step Framework

Migrating to post-quantum cryptography is not a single patch or update. It is a multi-year organizational program. Here is a practical, phased framework based on CISA's guidance and NIST's migration guidelines:


Phase 1: Cryptographic Inventory (Months 1–6)

Goal: Know what you have before you can fix it.

  1. Catalog every system, application, API, and device that uses cryptography.

  2. Identify which algorithms are in use: RSA, ECC, Diffie-Hellman, DSA, ECDSA, etc.

  3. Flag systems using asymmetric cryptography as quantum-vulnerable.

  4. Prioritize by data sensitivity and system longevity.

  5. Use automated tools (IBM Quantum Safe Explorer, Veracode, Entrust nShield, or open-source tools like pqc-analysis).

Tip: Many organizations are surprised to discover cryptography in unexpected places—embedded firmware, IoT sensors, code-signing pipelines, and legacy VPNs. Inventory must be comprehensive.

Phase 2: Risk Prioritization (Months 3–8)

  1. Assess data longevity: How long must this data remain confidential?

  2. Assess system replacement cycles: How soon can hardware/software be updated?

  3. Identify "long-lived" asymmetric keys (certificates valid for 5+ years are especially vulnerable).

  4. Map HNDL exposure: What communications are being transmitted over public networks today?
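As an added example (not from the article or from any of the tools it names), here is a small Python triage script for Phases 1 and 2: it classifies each inventory record by algorithm family, flags keys valid for 5+ years, and ranks migration urgency by comparing data shelf-life plus migration time against the years left before an assumed CRQC date. The inventory records, field names, the 2030 CRQC year and the 2026-01-01 "today" are constructed assumptions.

```python
import csv
import io
from datetime import date

# Earliest year of the NSA's 2030-2035 CRQC window cited by the article
# (assumption: plan for the earliest date).
ASSUMED_CRQC_YEAR = 2030
LONG_LIVED_YEARS = 5                 # Phase 2, step 3: keys/certificates valid 5+ years
ARTICLE_DATE = date(2026, 1, 1)      # constructed "today" so results are reproducible

SHOR_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA", "X25519", "ED25519"}  # broken by Shor
SYMMETRIC = {"AES", "CHACHA20"}                                              # weakened by Grover
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}                               # FIPS 203/204/205

ACTIONS = {0: "none", 1: "plan", 2: "migrate-now", 3: "hndl-exposed"}


def classify(algorithm: str, key_bits: int) -> str:
    """Phase 1, step 3: map one algorithm/key size to a quantum-risk class."""
    name = algorithm.strip().upper()
    if name in QUANTUM_SAFE:
        return "quantum-safe"
    if name in SYMMETRIC:
        # Grover halves effective strength: 256-bit keys keep ~128-bit security.
        return "symmetric-ok" if key_bits >= 256 else "symmetric-weak"
    if name in SHOR_VULNERABLE:
        return "quantum-vulnerable"
    return "unknown"


def urgency(risk_class: str, shelf_life_years: int, migrate_years: int,
            exposure: str, today: date) -> int:
    """Phase 2: compare data longevity and migration time against the years
    left before an assumed CRQC. Returns 0 (none) .. 3 (HNDL-exposed)."""
    horizon = ASSUMED_CRQC_YEAR - today.year
    if risk_class in ("quantum-safe", "symmetric-ok"):
        return 0
    if risk_class in ("symmetric-weak", "unknown"):
        return 1          # re-key to 256-bit, or investigate the unknown algorithm
    if exposure == "public" and shelf_life_years > horizon:
        return 3          # harvestable on public networks now, still secret when a CRQC exists
    if shelf_life_years + migrate_years > horizon:
        return 2          # data outlives the horizon and migration will not finish in time
    return 1


def triage_inventory(csv_text: str, today: date) -> list:
    """Score every inventory record and return them highest-urgency first."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        risk_class = classify(rec["algorithm"], int(rec["key_bits"]))
        expires = date.fromisoformat(rec["expires"])
        long_lived = (expires - today).days >= LONG_LIVED_YEARS * 365
        score = urgency(risk_class, int(rec["shelf_life_years"]),
                        int(rec["migrate_years"]), rec["exposure"], today)
        rows.append({"system": rec["system"], "risk_class": risk_class,
                     "long_lived_key": long_lived, "urgency": score,
                     "action": ACTIONS[score]})
    # Highest urgency first; among equals, long-lived keys first, then by name.
    rows.sort(key=lambda r: (-r["urgency"], not r["long_lived_key"], r["system"]))
    return rows


# Constructed inventory export (Phase 1 output); every value here is made up.
SAMPLE_INVENTORY = """system,algorithm,key_bits,expires,shelf_life_years,migrate_years,exposure
api-gateway-tls,ECDSA,256,2027-03-01,1,1,public
hr-records-db,RSA,2048,2032-06-30,20,3,internal
vpn-concentrator,DH,2048,2028-01-15,10,2,public
backup-encryption,AES,128,2031-12-31,15,1,internal
pilot-tls,ML-KEM,768,2027-01-01,1,0,public
"""


def demo_triage() -> list:
    """Run the triage over the constructed inventory as of the article's date."""
    return triage_inventory(SAMPLE_INVENTORY, ARTICLE_DATE)


if __name__ == "__main__":
    for row in demo_triage():
        print(f"{row['system']:<20} {row['risk_class']:<20} "
              f"long-lived={row['long_lived_key']!s:<5} action={row['action']}")
```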


Phase 3: Hybrid Deployment (Months 6–18)

Hybrid cryptography combines a classical algorithm (RSA/ECC) with a PQC algorithm. Both must be broken to compromise the encrypted data. Hybrid approaches are the current industry best practice—they provide quantum resistance without abandoning classical security.


Key actions:

  1. Deploy hybrid TLS for all external-facing web and API servers (ML-KEM + X25519).

  2. Update certificate authority infrastructure to support ML-DSA for code signing.

  3. Pilot hybrid VPN solutions using IKEv2 with PQC extensions.


Phase 4: Full PQC Deployment (18–48 Months)

  1. Replace all RSA/ECC key exchange with ML-KEM.

  2. Replace all RSA/ECDSA digital signatures with ML-DSA (primary) and SLH-DSA (backup/long-lived).

  3. Update certificate infrastructure—reissue all TLS certificates using PQC algorithms.

  4. Update hardware: HSMs (Hardware Security Modules) must support PQC natively.

  5. Establish crypto-agility: design systems so algorithms can be swapped without architectural changes.


Phase 5: Long-Tail Hardware and Embedded Systems (3–10 Years)

  • Operational Technology (OT) and Industrial Control Systems (ICS) often have 15–30 year lifecycles.

  • Embedded cryptographic processors in satellites, medical devices, and infrastructure may require physical replacement.

  • Coordinate with vendors on firmware updates and replacement timelines.


10. Comparison: Classical vs. Post-Quantum Algorithms

Property | RSA-2048 | ECC P-256 | ML-KEM-768 (FIPS 203) | ML-DSA-65 (FIPS 204) | SLH-DSA-128s (FIPS 205)
---------|----------|-----------|-----------------------|----------------------|------------------------
Quantum Resistant | ❌ No | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes
Math Basis | Integer factoring | Discrete log (ECC) | Module-LWE (lattice) | Module-LWE/SIS | Hash functions
Public Key Size | 256 bytes | 64 bytes | 1,184 bytes | 1,952 bytes | 32 bytes
Signature/Ciphertext Size | 256 bytes | 64 bytes | 1,088 bytes (CT) | 3,309 bytes | 7,856 bytes
Key Gen Speed | Slow | Fast | Very fast | Fast | Fast
NIST Standard | Legacy | Legacy | FIPS 203 (Aug 2024) | FIPS 204 (Aug 2024) | FIPS 205 (Aug 2024)
Primary Use Case | Key exchange, signatures | Key exchange, signatures | Key encapsulation | Digital signatures | Long-lived signatures

Sources: NIST FIPS 203, 204, 205 (August 2024); NIST PQC Project documentation.

Note: Key and signature sizes are larger for PQC algorithms compared to classical ECC. This creates real engineering challenges—TLS handshakes grow, certificate chains become heavier, and bandwidth-constrained IoT devices may struggle. These are solvable engineering problems, but they require explicit optimization work.

11. Pros and Cons of PQC Migration


Pros

  • Quantum resistance: Protects data against future quantum attacks, including retroactive HNDL decryption.

  • Standards-backed: FIPS 203/204/205 are official, vetted, globally recognized standards.

  • No quantum hardware required: PQC runs on existing classical infrastructure.

  • Regulatory compliance: Required by U.S. federal mandate; increasingly required by financial regulators globally.

  • Crypto-agility foundation: Building PQC-ready systems forces architectural improvements that benefit long-term security.

  • Public key diversity: PQC adds mathematical diversity—if one math family is broken, others remain.


Cons

  • Larger key/signature sizes: Increases memory, bandwidth, and processing overhead.

  • Migration complexity: Cryptography is embedded everywhere; full migration takes years and significant resources.

  • Cost: CISA estimates the U.S. government PQC migration will cost billions of dollars. Enterprise migration costs are also substantial.

  • Immaturity of tooling: Developer libraries, HSM support, and integration toolkits are still maturing as of 2026.

  • Risk of implementation errors: New algorithms require new code; poorly implemented PQC can introduce vulnerabilities.

  • Uncertain timelines: If the quantum computer threat is further away than estimates, migration costs are incurred early.


12. Myths vs. Facts

Myth | Fact
-----|-----
"Quantum computers can't break anything yet, so there's no urgency." | HNDL attacks mean data encrypted today is at risk from future quantum computers. The time to migrate is before quantum computers arrive.
"PQC requires quantum computers to implement." | False. PQC algorithms run entirely on classical computers—no quantum hardware needed.
"AES encryption is completely safe from quantum computers." | Grover's algorithm halves AES effective key length. AES-256 remains secure; AES-128 should be phased out.
"The NIST process is new and unproven." | NIST's PQC process ran for 8 years (2016–2024), involved global cryptographic research, and survived thousands of attack papers. CRYSTALS-Kyber has been analyzed for over 7 years.
"SIKE was broken, so PQC isn't trustworthy." | SIKE's break in 2022 demonstrates the process works—weak candidates are eliminated. The selected standards (lattice-based, hash-based, code-based) survived this scrutiny.
"Only governments need to worry about PQC." | Any organization holding data that must stay confidential beyond ~5–10 years faces real exposure. This includes hospitals, financial institutions, law firms, and technology companies.
"Switching to longer RSA keys solves the quantum problem." | Shor's algorithm breaks RSA at any key length in polynomial time on a sufficiently powerful quantum computer. Increasing RSA key size does not provide quantum resistance.

13. Regional and Industry Variations


United States

The most aggressive government posture globally. NSM-10 (May 2022) mandated migration; OMB M-23-02 followed with specific timelines; NSA CNSA 2.0 governs classified systems. CISA runs active guidance and tooling programs. The National Cybersecurity Strategy (March 2023) named quantum-resilient cryptography as a national priority.


European Union

The European Union Agency for Cybersecurity (ENISA) published its PQC guidance in 2022, recommending hybrid approaches. Germany's BSI (Bundesamt für Sicherheit in der Informationstechnik) has been among the most proactive, publishing detailed migration recommendations since 2021. France's ANSSI recommends hybrid deployment now, full PQC migration by 2030.


The EU's 2023 Cyber Resilience Act and ongoing NIS2 Directive implementation implicitly require quantum-resilient cryptography for critical infrastructure operators, though explicit PQC timelines lag behind the U.S.


China

China has been running its own PQC standardization process through the State Cryptography Administration (SCA). China is also the world's most active investor in quantum computing research, with significant government funding. Chinese academic institutions have published extensive cryptanalysis of Western PQC candidates—including theoretical lattice attacks that remain below practical threat thresholds.


United Kingdom

The UK National Cyber Security Centre (NCSC) published PQC migration guidance in 2023, aligning closely with NIST's standards but adding UK-specific risk assessments. The NCSC recommends organizations begin migration planning "now" and highlights HNDL as a primary concern for defense and government contractors.


Financial Sector

The Bank for International Settlements (BIS) and Financial Stability Board (FSB) published joint guidance in 2023 warning that the financial sector's interconnected infrastructure creates systemic risk from a successful quantum attack. SWIFT, which processes international bank messaging, has published its own quantum readiness roadmap. In the U.S., the Financial Industry Regulatory Authority (FINRA) added PQC to its 2025 annual risk report as an emerging cybersecurity threat.


14. Pitfalls and Risks to Avoid


1. Skipping the Cryptographic Inventory

Organizations that jump to implementing PQC without first auditing their cryptographic exposure will miss vulnerabilities. Hidden cryptography in third-party libraries, SDKs, and legacy code is the most common source of missed exposure.


2. Ignoring the Supply Chain

Your PQC migration is only as strong as your vendors'. If a third-party payment processor, cloud provider, or SaaS tool still uses RSA-2048 in its API, your data is exposed through that interface. Vendor questionnaires and contractual PQC readiness requirements are becoming standard in enterprise procurement.


3. Deploying PQC Without Hybrid Protection

Deploying a new, unproven PQC algorithm alone—without retaining classical algorithm protection—is risky. If a new attack against the PQC algorithm is discovered, you have no fallback. The current best practice is hybrid cryptography until PQC algorithms have accumulated more real-world deployment history.


4. Neglecting Performance Engineering

PQC key sizes are larger. For IoT devices, embedded systems, and mobile networks with constrained bandwidth, this is not a minor issue. TLS certificates using ML-DSA are significantly larger than ECDSA certificates. Teams must benchmark and optimize—not just swap algorithms.


5. Treating This as a One-Time Project

Cryptographic agility means designing systems to change algorithms without rebuilding architecture. The lesson from PQC standardization is that cryptographic assumptions change. Organizations that hard-code algorithm choices into architecture will face this migration pain again.


6. Waiting for Vendor Defaults

Major cloud providers (AWS, Azure, GCP) and CDN/TLS providers (Cloudflare, Fastly) have begun rolling out PQC hybrid support. However, waiting for vendors to handle everything is not a migration strategy—internal systems, databases, APIs, and hardware must be addressed independently.


15. Future Outlook


2026: The Migration Year

The PQC migration has moved from planning to active execution in 2026. Key developments underway:

  • Federal agencies are executing cryptographic inventories and beginning hybrid TLS deployments per CISA guidance.

  • Major browsers (Chrome, Firefox, Safari) support hybrid PQC key exchange by default.

  • Cloud providers (AWS, Azure, Google Cloud) have released or are releasing PQC-enabled TLS endpoints, SDKs, and key management services.

  • PKI providers (DigiCert, Sectigo, Entrust) are offering pilot programs for PQC-signed certificates.


2027–2030: The Critical Window

The NSA's CNSA 2.0 timeline requires national security systems to complete migration by 2030. This window is when most large enterprise and government migrations will need to be complete. The risk: if a CRQC emerges unexpectedly before 2030, HNDL-harvested data becomes readable.


Beyond 2030: Crypto-Agile Infrastructure

Long-term, the industry is moving toward cryptographic agility—the architectural principle that algorithms can be swapped without redesigning the system. This is now a design requirement in CISA's guidance and NIST's framework recommendations. Future standards may evolve further as quantum computing advances, and organizations built for crypto-agility will adapt at low cost.


The Wild Card: Quantum Computing Acceleration

Progress in quantum error correction (demonstrated by Google's Willow chip in December 2024 and Microsoft's topological qubit announcement in February 2025) suggests the timeline for a CRQC may compress. Neither announcement changes the current threat calculus—but both demonstrate that progress is accelerating faster than many predicted five years ago.


16. FAQ


Q1: What is post-quantum cryptography in simple terms?

Post-quantum cryptography (PQC) is encryption that quantum computers cannot break. It uses math problems that remain hard even for quantum machines. Today's most common encryption (RSA, ECC) can be broken by quantum computers using Shor's algorithm, so PQC replaces those with safer alternatives.


Q2: Why is post-quantum cryptography important right now if quantum computers can't break encryption yet?

Because of Harvest Now, Decrypt Later (HNDL) attacks. Adversaries can collect encrypted data today and decrypt it once a capable quantum computer exists. Data with long shelf-lives—government secrets, health records, financial contracts—is already at risk.


Q3: What algorithms did NIST finalize as post-quantum standards?

NIST published three standards in August 2024: FIPS 203 (ML-KEM, for key exchange), FIPS 204 (ML-DSA, for digital signatures), and FIPS 205 (SLH-DSA, a hash-based backup signature scheme). A fourth code-based standard (HQC) was selected in November 2024.


Q4: Can I keep using AES with post-quantum cryptography?

Yes. AES-256 is quantum-resistant. Grover's algorithm halves the effective key strength of symmetric ciphers, so AES-256 remains at the equivalent of 128-bit classical security—still considered safe. AES-128 should be phased out in favor of AES-256.


Q5: Does post-quantum cryptography require quantum computers to implement?

No. PQC algorithms run on ordinary classical computers—laptops, servers, smartphones. The "quantum" in the name refers to what the algorithms resist, not what they require.


Q6: How long does PQC migration take?

For a large enterprise or government agency, 3–10 years. Simple internet-facing services can be updated within months. Embedded systems, operational technology, and legacy mainframes take much longer. Starting early is essential.


Q7: What is cryptographic agility and why does it matter for PQC?

Cryptographic agility is designing systems so that encryption algorithms can be changed without rebuilding the architecture. It matters for PQC because cryptographic standards may evolve as quantum computing advances—organizations need the flexibility to update algorithms without incurring full system rewrites.


Q8: What happened to SIKE, and does it undermine confidence in PQC?

SIKE (Supersingular Isogeny Key Encapsulation) was a PQC candidate that was broken by two researchers in 2022 using a classical computer in under an hour. This is not a failure of the PQC field—it demonstrates that rigorous public cryptanalysis works. The finalized NIST standards (lattice-based and hash-based) survived this and all other attacks over 8 years of scrutiny.


Q9: Are there performance costs to using post-quantum algorithms?

Yes, but they are manageable. ML-KEM adds roughly 0.5ms of latency to TLS handshakes (per Cloudflare's 2023 benchmark). Key and signature sizes are larger than ECC equivalents, requiring more bandwidth and storage. For most applications, these costs are acceptable. Constrained IoT devices require more careful engineering.


Q10: Is hybrid cryptography the right approach during migration?

Yes, for most applications. Hybrid cryptography combines a classical and a PQC algorithm, so both must be broken to compromise data. This provides quantum resistance while retaining classical security as a fallback if a PQC algorithm's math is later found vulnerable.


Q11: What U.S. law governs PQC migration for federal agencies?

The primary instruments are White House NSM-10 (May 2022), OMB Memorandum M-23-02 (December 2022), and the Quantum Computing Cybersecurity Preparedness Act (signed December 2022), which directed CISA and NIST to facilitate federal migration. NSA CNSA 2.0 governs national security systems specifically.


Q12: Which industries face the highest risk from quantum attacks?

Defense and intelligence (classified data), banking and finance (transaction integrity, long-lived contracts), healthcare (decades-long record retention), critical infrastructure (embedded systems with long replacement cycles), and government PKI (identity infrastructure).


Q13: How does a quantum computer break RSA?

Shor's algorithm, running on a quantum computer with sufficient logical qubits, can factor the large numbers that form the basis of RSA security in polynomial time. Classical computers would take longer than the age of the universe to perform the same factoring task at cryptographic key sizes.


Q14: What is a cryptographically relevant quantum computer (CRQC)?

A CRQC is a quantum computer powerful and reliable enough to run Shor's algorithm on real-world cryptographic key sizes (e.g., RSA-2048). Breaking RSA-2048 requires approximately 4,000 logical qubits. No CRQC exists as of 2026, but leading quantum researchers estimate one could emerge between 2030 and 2040.


Q15: Can small businesses ignore PQC for now?

Only if their data has a very short shelf-life and they use no long-lived certificates or keys. For any business handling healthcare, financial, or legal data—or using signing keys with multi-year validity—PQC planning is already relevant. Migrating TLS to hybrid PQC is low-risk and should begin now.


17. Key Takeaways

  • Quantum computers can break RSA and ECC using Shor's algorithm; this is mathematically proven, not speculative.


  • Post-quantum cryptography uses lattice-based, hash-based, and code-based math that quantum computers cannot efficiently attack.


  • NIST published the first official PQC standards (FIPS 203, 204, 205) in August 2024 after 8 years of global vetting.


  • Harvest Now, Decrypt Later attacks are happening now—data encrypted with RSA today could be readable in 2035.


  • The U.S. government mandates full federal PQC migration by 2035; national security systems by 2030.


  • Hybrid cryptography (classical + PQC together) is the current best practice during the transition period.


  • Migration is complex, multi-year, and expensive—but the cost of inaction is far higher for sensitive data.


  • The PQC field survived the SIKE break—the NIST standards have been battle-tested by thousands of researchers.


  • Cryptographic agility should be a design requirement in any new system built in 2026 and beyond.


  • Companies should start with a cryptographic inventory today—you can't migrate what you haven't mapped.


18. Actionable Next Steps

  1. Complete a cryptographic inventory. Use automated tools (IBM Quantum Safe Explorer, open-source cbomkit, or commercial alternatives) to catalog every use of RSA, ECC, Diffie-Hellman, and related algorithms in your systems, dependencies, and third-party integrations.


  2. Classify your data by sensitivity and longevity. Any data that must remain confidential beyond 5–10 years is HNDL-exposed. Prioritize this data for immediate protection.


  3. Deploy hybrid TLS on all external services. Enable X25519MLKEM768 hybrid key exchange on TLS 1.3 connections. Most major CDN providers (Cloudflare, Fastly) and cloud providers support this now.


  4. Audit your certificate infrastructure. Identify all certificates using RSA or ECC, their expiry dates, and issuance authorities. Plan a phased reissuance to PQC-capable certificates as the CA ecosystem matures.


  5. Assess your hardware security modules (HSMs). Verify whether HSMs support ML-KEM and ML-DSA natively. If not, obtain vendor roadmaps. Hardware replacement timelines are often the longest lag in any migration.


  6. Establish a PQC governance program. Assign ownership, budget, and timelines. PQC migration is not an IT project—it requires executive sponsorship and cross-functional coordination (security, legal, finance, operations).


  7. Engage your supply chain. Issue PQC readiness questionnaires to critical vendors. Include quantum readiness clauses in new contracts for SaaS providers, cloud services, and third-party APIs.


  8. Train your development team. Ensure developers integrating cryptographic libraries understand the PQC algorithm choices, hybrid approaches, and the risks of improper implementation.


  9. Monitor NIST and CISA guidance. NIST's PQC project is ongoing. Additional standards (HQC formal FIPS, Falcon FIPS) are being finalized. Subscribe to NIST CSRC and CISA alerts.


  10. Plan for crypto-agility. In all new system design and architecture reviews, require that cryptographic algorithms are configurable—not hardcoded. This investment pays dividends in every future migration.
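Step 3 above and Q10 in the FAQ describe hybrid key exchange. The following is an added example, not code from the article or from any TLS library: it runs an X25519 + ML-KEM-768 exchange between a client and a server using Go 1.24's standard-library crypto/mlkem and crypto/ecdh packages, then derives one session key from both shared secrets (ML-KEM secret first, through a single HKDF-SHA256 block chosen for this demo; real TLS feeds the concatenated secrets into its own key schedule and encodes the key-share bytes on the wire, which is omitted here).

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
)

type clientState struct {
	dk *mlkem.DecapsulationKey768 // ML-KEM private half, kept until the server replies
	dh *ecdh.PrivateKey           // X25519 private half
}

// clientKeyShare generates fresh ML-KEM-768 and X25519 key pairs and returns the two public
// values that form the client's key share (TLS would concatenate their bytes on the wire).
func clientKeyShare() (*clientState, *mlkem.EncapsulationKey768, *ecdh.PublicKey, error) {
	dk, err := mlkem.GenerateKey768()
	if err != nil { return nil, nil, nil, err }
	dh, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, nil, err }
	return &clientState{dk, dh}, dk.EncapsulationKey(), dh.PublicKey(), nil
}

// serverRespond encapsulates to the client's ML-KEM key and runs X25519 with a fresh ephemeral
// key; it returns the derived secret plus the ciphertext and public key to send back.
func serverRespond(ek *mlkem.EncapsulationKey768, clientPK *ecdh.PublicKey) ([]byte, []byte, *ecdh.PublicKey, error) {
	dh, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, nil, err }
	dhSS, err := dh.ECDH(clientPK)
	if err != nil { return nil, nil, nil, err }
	kemSS, ct := ek.Encapsulate()
	return combine(kemSS, dhSS), ct, dh.PublicKey(), nil
}

// clientFinish decapsulates the ciphertext and completes X25519, reaching the same secret.
func clientFinish(st *clientState, ct []byte, serverPK *ecdh.PublicKey) ([]byte, error) {
	kemSS, err := st.dk.Decapsulate(ct)
	if err != nil { return nil, err }
	dhSS, err := st.dh.ECDH(serverPK)
	if err != nil { return nil, err }
	return combine(kemSS, dhSS), nil
}

// combine feeds ML-KEM secret || X25519 secret through one block of HKDF-SHA256 (zero salt),
// so an attacker who breaks only one of the two primitives still lacks half of the input.
func combine(kemSS, dhSS []byte) []byte {
	extract := hmac.New(sha256.New, make([]byte, sha256.Size))
	extract.Write(kemSS)
	extract.Write(dhSS)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("x25519mlkem768-demo\x01")) // HKDF-Expand: info || counter byte 0x01
	return expand.Sum(nil)
}
```

Because the derived key depends on both secrets, recovering it requires breaking both the X25519 half and the ML-KEM half, which is the fallback property Q10 describes.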


Glossary

  1. Algorithm: A mathematical procedure or set of rules for solving a problem. In cryptography, algorithms define how data is encrypted and decrypted.

  2. Asymmetric Cryptography: Encryption using a key pair: one public key (shared) and one private key (secret). RSA and ECC are asymmetric. Also called public-key cryptography.

  3. Cryptographic Agility: The design principle of building systems so that encryption algorithms can be updated or replaced without changing the core architecture.

  4. CRQC (Cryptographically Relevant Quantum Computer): A quantum computer powerful and accurate enough to run Shor's algorithm against real-world cryptographic keys. Does not yet exist as of 2026.

  5. ECC (Elliptic Curve Cryptography): A public-key cryptography system based on the algebraic structure of elliptic curves. More efficient than RSA; used widely in TLS, mobile, and modern certificates.

  6. FIPS (Federal Information Processing Standard): Standards published by NIST that U.S. federal agencies and contractors must follow.

  7. Grover's Algorithm: A quantum algorithm that searches an unsorted database in O(√N) time. Relevant to symmetric cryptography: it effectively halves the key length of symmetric ciphers against a quantum computer.

  8. Harvest Now, Decrypt Later (HNDL): A threat model in which an adversary stores encrypted data today to decrypt it once a capable quantum computer becomes available.

  9. Hybrid Cryptography: Combining a classical algorithm and a PQC algorithm so that both must be broken to compromise security. Current best practice during PQC migration.

  10. Key Encapsulation Mechanism (KEM): A cryptographic method for securely establishing a shared secret between two parties. ML-KEM replaces RSA and Diffie-Hellman for this purpose.

  11. Lattice-Based Cryptography: PQC algorithms based on the hardness of problems in high-dimensional mathematical lattices, such as Learning With Errors (LWE). The basis of ML-KEM and ML-DSA.

  12. ML-DSA: Module Lattice Digital Signature Algorithm (FIPS 204). NIST's primary PQC standard for digital signatures. Formerly CRYSTALS-Dilithium.

  13. ML-KEM: Module Lattice Key Encapsulation Mechanism (FIPS 203). NIST's primary PQC standard for key exchange. Formerly CRYSTALS-Kyber.

  14. NIST: National Institute of Standards and Technology. U.S. federal agency responsible for cryptographic standards.

  15. NISQ (Noisy Intermediate-Scale Quantum): The current era of quantum computing, characterized by 50–1,000+ physical qubits that are error-prone and not yet capable of large-scale fault-tolerant computation.

  16. Post-Quantum Cryptography (PQC): Cryptographic algorithms designed to be secure against both classical and quantum computers. Run on classical hardware.

  17. Qubit: The basic unit of quantum information. Unlike a classical bit (0 or 1), a qubit can exist in superposition—effectively both simultaneously—until measured.

  18. RSA: Rivest–Shamir–Adleman. The most widely deployed public-key cryptosystem. Security relies on the difficulty of factoring large integers. Broken by Shor's algorithm on a quantum computer.

  19. Shor's Algorithm: A quantum algorithm published in 1994 that factors large integers in polynomial time, breaking RSA and ECC.

  20. SLH-DSA: Stateless Hash-Based Digital Signature Algorithm (FIPS 205). NIST's backup PQC signature standard based solely on hash functions. Formerly SPHINCS+.

  21. Symmetric Cryptography: Encryption using a single shared key for both encryption and decryption. AES is symmetric. Quantum-resistant at sufficient key lengths (AES-256).

  22. TLS (Transport Layer Security): The protocol that encrypts internet communications (HTTPS). Currently uses RSA or ECC; migrating to hybrid PQC key exchange.


Sources & References

  1. NIST. "Post-Quantum Cryptography Standardization." NIST CSRC. Updated 2024. https://csrc.nist.gov/projects/post-quantum-cryptography

  2. NIST. "FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard." August 13, 2024. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf

  3. NIST. "FIPS 204: Module-Lattice-Based Digital Signature Standard." August 13, 2024. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf

  4. NIST. "FIPS 205: Stateless Hash-Based Digital Signature Standard." August 13, 2024. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.205.pdf

  5. NSA. "Commercial National Security Algorithm Suite 2.0 (CNSA 2.0)." September 22, 2022. https://media.defense.gov/2022/Sep/07/2003071836/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF

  6. White House. "National Security Memorandum 10 (NSM-10): Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems." May 4, 2022. https://www.whitehouse.gov/briefing-room/statements-releases/2022/05/04/national-security-memorandum-on-promoting-united-states-leadership-in-quantum-computing-while-mitigating-risks-to-vulnerable-cryptographic-systems/

  7. OMB. "Memorandum M-23-02: Migrating to Post-Quantum Cryptography." December 2022. https://www.whitehouse.gov/wp-content/uploads/2022/11/M-23-02-M-Memo-on-Migrating-to-Post-Quantum-Cryptography.pdf

  8. CISA. "Post-Quantum Cryptography Initiative." 2022–2024. https://www.cisa.gov/quantum

  9. Cloudflare. "Post-quantum cryptography for all." Blog. September 2023. https://blog.cloudflare.com/post-quantum-for-all/

  10. Google Research. "Willow Quantum Chip: Below-Threshold Error Correction." December 2024. https://research.google/blog/making-quantum-error-correction-work/

  11. Microsoft. "Microsoft's Topological Qubit Announcement." February 2025. https://news.microsoft.com/source/features/innovation/microsoft-quantum-computing-topological-qubit/

  12. IBM. "IBM z16: On-Chip AI Accelerator and Quantum-Safe Cryptography." IBM Research. April 2022. https://research.ibm.com/blog/z16-quantum-safe

  13. IBM. "IBM Quantum Safe." 2024. https://www.ibm.com/quantum-safe

  14. BSI. "Migration to Post-Quantum Cryptography." Federal Office for Information Security, Germany. 2021, updated 2023. https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Quantentechnologien-und-post-quantenKryptografie/Post-Quanten-Kryptografie/post-quanten-kryptografie_node.html

  15. ENISA. "Post-Quantum Cryptography: Current State and Quantum Mitigation." European Union Agency for Cybersecurity. 2022. https://www.enisa.europa.eu/publications/post-quantum-cryptography-current-state-and-quantum-mitigation

  16. UK NCSC. "Guidance on Post-Quantum Cryptography." 2023. https://www.ncsc.gov.uk/collection/post-quantum-cryptography

  17. U.S. Congress. "Quantum Computing Cybersecurity Preparedness Act." Signed December 21, 2022. https://www.congress.gov/bill/117th-congress/house-bill/7535

  18. Shor, Peter W. "Algorithms for Quantum Computation: Discrete Logarithms and Factoring." Proceedings of the 35th Annual Symposium on Foundations of Computer Science. IEEE. 1994. https://ieeexplore.ieee.org/document/365700

  19. Castryck, Wouter, and Thomas Decru. "An Efficient Key Recovery Attack on SIDH." IACR Cryptology ePrint Archive. July 2022. https://eprint.iacr.org/2022/975

  20. Google / Nature. "Quantum supremacy using a programmable superconducting processor." Nature. October 23, 2019. https://www.nature.com/articles/s41586-019-1666-5
