PQC Migration Starter Pack

Written by Arqit | May 18, 2026 2:04:46 PM

What every organisation needs to know about post-quantum cryptography.

1. The threat is already active

What quantum computing does to encryption.

Almost everything we trust online is secured by public key cryptography. When you send an email, complete a financial transaction, connect to a VPN, or authenticate a user, public key cryptography is doing the work. It generates the keys that lock and unlock data, and it relies on mathematical problems that are effectively impossible for today’s computers to solve.

Quantum computers work differently. Rather than testing one answer at a time, they process multiple possibilities simultaneously. For certain mathematical problems, including the ones that underpin RSA, elliptic curve cryptography, and Diffie-Hellman key exchange, a sufficiently powerful quantum computer could find the answer in hours or minutes rather than millions of years.

When that happens, the encryption protecting your network, your data, and your customers’ information stops working. Not gradually. All at once.

Cryptographically relevant quantum computers are expected within this decade.

The US, UK, and EU have all set mandatory migration deadlines in response.

The more urgent problem: data is being stolen now.

The risk is not limited to what happens when quantum computers arrive. It starts today.

State-sponsored actors and sophisticated criminal groups are harvesting encrypted data now, storing it with the intention of decrypting it once quantum capability becomes available. This is known as Harvest Now, Decrypt Later, or Store Now, Decrypt Later. It does not require a quantum computer to execute. It only requires the ability to intercept and store data, which is well within the capability of multiple nation-states right now.

The data most at risk is data that retains value over time. That includes pharmaceutical and medical research, genomic and health records, financial transaction histories, legal and diplomatic communications, and intellectual property. If any of this data has been in transit over a public network in the past decade, it should be treated as potentially harvested.

There is no reliable way to know whether data has been intercepted passively. Standard security monitoring identifies known intrusions and observable exfiltration. It does not detect passive collection of encrypted traffic. The absence of a breach alert is not evidence of safety.

The question is not whether your data has been harvested. The question is what happens to your organisation when it becomes readable.

2. Why migration is harder than most organisations expect

Cryptography is embedded, not bolted on.

The most common mistake organisations make when they first engage with this problem is treating it as a cryptography upgrade, something that can be handled by swapping one algorithm for another and moving on.

That framing is wrong, and acting on it will create serious problems.

Cryptography is not a discrete component. It is embedded throughout modern infrastructure. It lives in network protocols, application code, firmware, certificates, key management systems, hardware security modules, cloud platforms, and third-party integrations. Many of these dependencies are undocumented. Some are invisible to the teams responsible for security.

You cannot replace what you cannot see. Most organisations cannot currently answer three basic questions: where is cryptography used, which algorithms are deployed, and what systems depend on them.

Four reasons migration consistently takes longer than planned.
  1. Lack of visibility

    Cryptographic usage is rarely fully documented. Legacy systems, inherited infrastructure, and third-party services all introduce dependencies that are not tracked in a central inventory.

  2. Fragmented ownership

    No single team owns all cryptographic decisions. Security, IT, networking, application development, and procurement all make choices that affect the cryptographic estate. Coordinating a migration across all of them is a programme management challenge as much as a technical one.

  3. Hidden dependencies

    Changing a cryptographic algorithm or protocol can break systems in ways that are not immediately obvious. Applications that rely on specific certificate formats, key lengths, or protocol handshakes may fail silently or stop functioning entirely.

  4. Operational risk

    Migration cannot simply be switched on. It requires staged deployment, testing, fallback planning, and coordination with vendors and partners. Poorly planned migrations have caused outages in critical systems.

History shows how long this takes.

Algorithm transitions have a long and instructive history. MD5 was shown to be cryptographically weak in 2005. It was still present in production systems more than fifteen years later. SHA-1 was deprecated by NIST in 2011 and remained in Microsoft solutions until 2020. NIST has set 2030 as the deadline for phasing out legacy algorithms, and has acknowledged that complex systems will need more time.

The organisations now completing SHA-1 migration started years ago. The organisations that leave PQC migration until the threat becomes visible will find they do not have the time.

6.5 years is the average gap between where organisations currently are and where they need to be for PQC migration, according to a BSI (German Federal Office for Information Security) survey.

3. What the regulators are requiring

Government mandates are already in force.

This is not a voluntary exercise. Governments across the US, UK, and EU have set legally binding timelines for migration to post-quantum cryptography. For organisations in regulated sectors, or those supplying government contracts, compliance is not optional.

| Jurisdiction | Near-term requirement | Final deadline |
|---|---|---|
| United States | Annual cryptographic inventories required from 2023. TLS 1.3 mandated by January 2030. RFC 8784 mandatory for classified VPN vendors. | Mitigate as much quantum risk as feasible by 2035 (NSM-10 / OMB M-23-02). |
| United Kingdom | NCSC advises starting high-priority upgrades by 2028. | Full PQC migration completed by 2035. |
| European Union | Transition begins under coordinated EU roadmap from end-2026. High-risk systems migrated by end-2030. | Full migration completed by end-2035. |
| Australia | ASD committed to dropping SHA-256, RSA, ECDSA and ECDH by 2030. | Full transition aligned to global PQC standards. |

Beyond these mandates, the NIS2 Directive and DORA in the EU both have direct implications for cryptographic resilience. Organisations in financial services, healthcare, energy, and critical infrastructure should treat quantum-safe migration as part of their existing compliance obligations, not as a separate workstream.

4. Understanding your options

Three main approaches exist, each with different strengths, limitations, and appropriate use cases. Most organisations will need to use a combination.

Post-Quantum Algorithms (PQAs)

In August 2024, NIST standardised its first post-quantum algorithms, including ML-KEM (also known as CRYSTALS-Kyber) for key encapsulation and ML-DSA (CRYSTALS-Dilithium) for digital signatures. These are designed to resist attacks from quantum computers and will form the backbone of most long-term migration efforts.

What to know: PQAs are an important and necessary part of the solution. However, they come with caveats that any organisation should understand before treating them as the complete answer.

  • Security analysis is still maturing. Three algorithms were broken or compromised during the NIST standardisation process itself, including SIDH, which was broken by a classical computer in 2022. The algorithms now standardised are considered strong, but independent academic scrutiny is still ongoing.

  • Key sizes are significantly larger than RSA or ECC, which increases bandwidth and compute requirements. This matters for high-throughput network environments and resource-constrained devices.

  • Migration complexity is high. PQAs are not drop-in replacements. Protocols and services need to be re-engineered, because PQAs typically place greater demands on devices and networks than traditional public key cryptography.

  • Deployment takes time. History shows that even after standardisation, algorithm transitions take years or decades to complete across complex infrastructure.

Symmetric Key Agreement (SKA)

Symmetric encryption, the kind used in AES-256, is already quantum-resistant. Unlike public key cryptography, it does not rely on mathematical problems that quantum computers can efficiently solve. Quantum computers can attack symmetric encryption using Grover's algorithm, but this only halves effective key length. AES-256 withstands this with significant margin.

The challenge with symmetric encryption has always been key distribution: how do two parties securely agree a shared key without meeting in person or using public key methods? Historically, this required manual key couriering, which is secure but completely impractical at scale.

Symmetric Key Agreement platforms solve this problem by enabling endpoints to dynamically agree symmetric encryption keys on demand, without public key cryptography and without manual distribution. The NSA has stated that pre-shared symmetric keys in a standards-compliant implementation represent a better near-term post-quantum solution than experimental post-quantum asymmetric algorithms.

Quantum Key Distribution (QKD)

QKD uses quantum physics to distribute encryption keys in a way that makes eavesdropping theoretically detectable. It is theoretically very strong.

In practice, QKD has significant limitations for most organisations. It requires dedicated, expensive hardware and specialist infrastructure. It cannot be deployed at scale across large distributed networks. Both the NSA and Germany's BSI have expressed reservations about QKD as a primary solution for most organisations, noting that its practical limitations outweigh its theoretical advantages in most deployment scenarios.

Most authoritative guidance, including from NIST, NSA, NCSC, and the joint paper from France, Germany, Sweden, and the Netherlands, recommends a hybrid approach: combining symmetric key methods with PQAs to provide defence in depth and reduce reliance on any single approach.
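The hybrid approach described above can be made concrete with a key combiner: both a symmetric pre-shared key (the SKA side) and a post-quantum KEM shared secret (the PQA side) feed one key derivation, so the session key stays unpredictable to anyone who lacks either input. The following is an added example written for this article, not Arqit's code or any product's implementation. It assumes constructed placeholder bytes in place of a real ML-KEM shared secret and PSK, and builds HKDF (RFC 5869) from the Python standard library only.

```python
"""Hybrid key derivation: combine a symmetric pre-shared key with a
post-quantum KEM shared secret into one session key.

Added example for this article, not Arqit's code.  Assumption: the
ML-KEM shared secret and the PSK are constructed placeholder bytes,
because no PQ library is assumed to be installed.  HKDF is RFC 5869
built from the standard library.
"""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _length_prefixed(value: bytes) -> bytes:
    """2-byte big-endian length prefix so two different (psk, pq_ss) pairs
    can never produce the same concatenated input string."""
    return len(value).to_bytes(2, "big") + value


def hybrid_session_key(psk: bytes, pq_shared_secret: bytes,
                       context: bytes, length: int = 32) -> bytes:
    """Concatenation combiner: key = HKDF(psk || pq_ss, context).

    The result is unpredictable to anyone missing EITHER input: a future
    break of the KEM does not expose sessions still protected by the PSK,
    and a leaked PSK does not expose sessions protected by the KEM.
    """
    if not psk or not pq_shared_secret:
        raise ValueError("both secrets must be present for a hybrid key")
    ikm = _length_prefixed(psk) + _length_prefixed(pq_shared_secret)
    prk = hkdf_extract(salt=b"hybrid-ska+pqa-v1", ikm=ikm)
    return hkdf_expand(prk, b"session-key|" + context, length)


def hkdf_matches_rfc5869_vector() -> bool:
    """Self-check of the HKDF building block against RFC 5869 test case 1."""
    ikm = b"\x0b" * 22
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


# Constructed placeholders, not real key material.
PSK = hashlib.sha256(b"constructed psk delivered by an SKA platform").digest()
PQ_SHARED_SECRET = hashlib.sha256(b"constructed stand-in for an ML-KEM decapsulation").digest()

if __name__ == "__main__":
    print("HKDF self-check:", hkdf_matches_rfc5869_vector())
    key = hybrid_session_key(PSK, PQ_SHARED_SECRET, b"vpn-tunnel-42")
    print("session key:", key.hex())
```

The length prefixes and the fixed salt and info labels are what make the combiner a clean key-derivation step rather than ad-hoc hashing; in a deployed protocol the context would carry the transcript or session identifiers so that the derived key is bound to one specific exchange.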

 

5. How to approach migration

The five stages of a structured PQC migration

Every major guidance body, including CISA, NIST, NCCoE, the NCSC, and ENISA, converges on the same basic migration structure. The details vary, but the sequence does not. You cannot skip stages.

  1. Discover
  2. Assess
  3. Plan
  4. Transition
  5. Operate
 

Crypto-agility: the capability that makes migration manageable

Crypto-agility is the ability to change cryptographic algorithms and key management approaches without disrupting the systems that depend on them. It is not a product. It is a design principle that needs to be built into infrastructure decisions from now on.

Without crypto-agility, every algorithm change becomes a major programme. With it, updates can be made at policy level, without hardware replacement or system re-engineering. Given that PQC standards will continue to evolve and that some algorithms standardised today may need replacing in the future, crypto-agility is not optional. It is the foundation of a sustainable long-term approach.
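What "updates at policy level" looks like in code is worth seeing, because it is a design pattern rather than a product. The following is an added example for this article, not Arqit's code: algorithm choice lives in a policy object, every protected record carries the identifier of the algorithm that protected it, and each algorithm gets its own derived subkey. Migrating then means changing the policy and re-protecting flagged records, with no change to callers. HMAC integrity protection stands in for whatever primitive is being migrated (the standard library ships no AES or ML-KEM); the registry and envelope shape are the point, and the keys and payloads are constructed.

```python
"""Crypto-agility as a design pattern: algorithm ids travel with the data,
a registry maps ids to implementations, and a policy says which id to use.

Added example for this article, not Arqit's code.  Assumption: HMAC
integrity protection stands in for the primitive under migration; keys and
payloads are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Registry: algorithm id -> (hash constructor, tag length).  Adding an
# algorithm is one entry here; callers never name an algorithm directly.
REGISTRY = {
    "hmac-sha256": (hashlib.sha256, 32),
    "hmac-sha384": (hashlib.sha384, 48),
}


@dataclass(frozen=True)
class Policy:
    preferred: str                       # used for everything newly protected
    deprecated: frozenset = frozenset()  # still verified, but flagged for re-protection

    def __post_init__(self):
        unknown = ({self.preferred} | set(self.deprecated)) - set(REGISTRY)
        if unknown:
            raise ValueError(f"policy names unregistered algorithms: {unknown}")


def _algorithm_key(master_key: bytes, alg_id: str) -> bytes:
    """Per-algorithm subkey so one master key is never used under two algorithms."""
    return hmac.new(master_key, b"subkey|" + alg_id.encode(), hashlib.sha256).digest()


def _tag(master_key: bytes, alg_id: str, payload: bytes) -> bytes:
    """Tag over the algorithm id and the payload, under that algorithm's subkey."""
    hash_ctor, _ = REGISTRY[alg_id]
    return hmac.new(_algorithm_key(master_key, alg_id),
                    alg_id.encode() + b"|" + payload, hash_ctor).digest()


def protect(master_key: bytes, payload: bytes, policy: Policy) -> bytes:
    """Envelope layout: [1-byte id length][algorithm id][tag][payload]."""
    alg_id = policy.preferred
    header = alg_id.encode()
    return bytes([len(header)]) + header + _tag(master_key, alg_id, payload) + payload


def verify(master_key: bytes, blob: bytes, policy: Policy):
    """Return (payload, alg_id, needs_reprotect).

    Raises ValueError on tampering or on an id the registry no longer knows,
    which is how an algorithm is retired: remove it from REGISTRY and old
    records stop verifying instead of silently passing."""
    n = blob[0]
    alg_id = blob[1:1 + n].decode()
    if alg_id not in REGISTRY:
        raise ValueError(f"unknown algorithm id {alg_id!r}")
    _, tag_len = REGISTRY[alg_id]
    tag, payload = blob[1 + n:1 + n + tag_len], blob[1 + n + tag_len:]
    if not hmac.compare_digest(tag, _tag(master_key, alg_id, payload)):
        raise ValueError("integrity check failed")
    return payload, alg_id, alg_id in policy.deprecated


def reprotect_if_needed(master_key: bytes, blob: bytes, policy: Policy) -> bytes:
    """Migration step: verify under whatever protected it, re-issue under the
    preferred algorithm only if the record is flagged."""
    payload, _, stale = verify(master_key, blob, policy)
    return protect(master_key, payload, policy) if stale else blob


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed master key").digest()
    policy_v1 = Policy("hmac-sha256")
    policy_v2 = Policy("hmac-sha384", frozenset({"hmac-sha256"}))
    record = protect(key, b"constructed record", policy_v1)
    print("under v2 policy:", verify(key, record, policy_v2))
    print("after migration:", verify(key, reprotect_if_needed(key, record, policy_v2), policy_v2))
```

Two details carry most of the agility. The per-algorithm subkey means a weakness found in one algorithm never turns into a key-recovery problem for its successor, and the id in the envelope means a verifier can accept both generations during a staged rollout while still reporting which records remain to be migrated.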