Quantum-Safe Cryptography: Preparing for the Post Quantum Era
Quantum computers will eventually break the encryption that protects the internet. Discover why organizations are migrating to quantum-safe cryptography now, what NIST's new standards mean, and how to start preparing.
Every time you load a website, send an encrypted message, or make a bank transfer, your data is protected by mathematical problems that classical computers cannot efficiently solve. RSA relies on the difficulty of factoring large numbers that are the product of two primes. Elliptic Curve Cryptography (ECC) relies on the elliptic-curve discrete logarithm problem, and classic Diffie-Hellman on the discrete logarithm problem in finite fields. These problems have protected digital communication for decades because no known classical algorithm solves them, at the key sizes in use, in any reasonable timeframe.
Quantum computers change this equation entirely.
"Quantum computing is a profound shift. It is not faster classical computing. It is a fundamentally different kind of computing that will break the cryptographic foundations we have relied on for 50 years." -- Peter Shor, mathematician who created Shor's algorithm
Shor's algorithm, published in 1994, showed that a sufficiently powerful quantum computer can factor large numbers and solve discrete logarithm problems in polynomial time, where the best known classical algorithms need sub-exponential time (factoring, finite-field discrete logarithms) or exponential time (elliptic-curve discrete logarithms). When (not if) quantum computers reach enough error-corrected qubits, RSA, ECC, and Diffie-Hellman key exchange will be breakable in hours or days instead of billions of years.
The question is not whether this will happen, but when, and whether your systems will be ready.
The Quantum Threat Timeline: Where We Stand
| Milestone | Status (2026) | Implications |
|---|---|---|
| IBM's 1,121-qubit Condor processor | Achieved (2023) | Demonstrates qubit scaling is accelerating |
| Google's quantum error correction breakthrough | Achieved (2024) | Makes practical quantum computing more feasible |
| First logical qubit with error correction | Achieved (2025) | The path from noisy qubits to useful computation is clearer |
| Cryptographically Relevant Quantum Computer (CRQC) | Estimated 2030-2040 | The machine that can break RSA-2048 and ECC |
| NIST Post-Quantum Cryptography standards finalized | Published (2024) | Industry now has approved replacement algorithms |
| "Harvest Now, Decrypt Later" attacks | Happening now | Encrypted data stolen today can be decrypted when quantum arrives |
The "Harvest Now, Decrypt Later" threat is why migration cannot wait. Nation-state actors are already collecting encrypted communications and storing them. When quantum computers become powerful enough, every piece of data intercepted today becomes readable. If your data needs to remain confidential for 10+ years, the quantum threat is already active.
What Quantum Computers Break (and What They Do Not)
Not all cryptography is vulnerable to quantum attacks. Understanding which algorithms are at risk guides the migration strategy.
| Algorithm Type | Current Examples | Quantum Vulnerability | Replacement Status |
|---|---|---|---|
| Public-key encryption | RSA (RSA-OAEP), ECC (ECIES) | Broken by Shor's algorithm | NIST standards published (ML-KEM, combined with a symmetric cipher for the data) |
| Key exchange | Diffie-Hellman, ECDH | Broken by Shor's algorithm | NIST standards published (ML-KEM) |
| Digital signatures | RSA, ECDSA, EdDSA | Broken by Shor's algorithm | NIST standards published (ML-DSA, SLH-DSA) |
| Symmetric encryption | AES-128, AES-256 | Weakened but not broken (Grover's algorithm gives at most a square-root speedup) | AES-256 remains secure with about 128 bits of post-quantum strength; prefer it over AES-128 for long-lived data |
| Hash functions | SHA-256, SHA-3 | Weakened but not broken (Grover's algorithm) | SHA-256 and SHA3-256 remain secure with about 128 bits of post-quantum pre-image resistance; use SHA-384 or SHA-512 where 256-bit post-quantum strength is required |
| Message authentication | HMAC-SHA-256 | Not significantly affected | Remains secure |
The critical insight is that symmetric cryptography and hash functions survive quantum computing with at most a doubling of key or output lengths. It is the public-key infrastructure, the foundation of TLS, HTTPS, digital signatures, and certificate authorities, that must be completely replaced.
NIST's Post-Quantum Cryptography Standards
In August 2024, the National Institute of Standards and Technology (NIST) published the first three finalized post-quantum cryptography standards. These algorithms are designed to resist both classical and quantum attacks.
| Standard | Algorithm | Purpose | Based On |
|---|---|---|---|
| FIPS 203 (ML-KEM) | Module-Lattice Key Encapsulation | Secure key exchange | CRYSTALS-Kyber |
| FIPS 204 (ML-DSA) | Module-Lattice Digital Signature | Digital signatures | CRYSTALS-Dilithium |
| FIPS 205 (SLH-DSA) | Stateless Hash-Based Digital Signature | Digital signatures (conservative alternative whose security rests only on hash functions) | SPHINCS+ |
These standards replace RSA, ECC, and Diffie-Hellman for new implementations. NIST's draft transition guidance (NIST IR 8547, November 2024) deprecates 112-bit-strength quantum-vulnerable algorithms such as RSA-2048 after 2030 and disallows all quantum-vulnerable public-key algorithms, ECC included, after 2035 for federal systems.
| Property | RSA-2048 | ML-KEM-768 (Post-Quantum) | Comparison |
|---|---|---|---|
| Public key size | 256 bytes (modulus) | 1,184 bytes | PQC keys are larger |
| Ciphertext size | 256 bytes | 1,088 bytes | PQC ciphertext is larger |
| Key generation speed | Slow (random prime search, tens to hundreds of milliseconds) | Fast (microseconds) | ML-KEM key generation is orders of magnitude faster, which matters because ephemeral keys are generated per handshake |
| Encapsulation / decapsulation speed | Fast encryption, slow decryption (private-key exponentiation) | Fast in both directions | ML-KEM decapsulation is far cheaper than an RSA private-key operation |
| Quantum resistance | None | Designed to resist known quantum attacks | The entire point |
| Classical security | 112 bits | About 192 bits (NIST security category 3) | Matching ML-KEM-768 classically would require RSA-7680; the extra margin is a parameter choice, not a property of lattice schemes |
The Migration Roadmap: How to Prepare
Migrating to quantum-safe cryptography is a multi-year project. The NSA and CISA have published guidance recommending organizations start now.
Inventory Your Cryptographic Assets
Document every place cryptography is used in your systems: TLS certificates, API authentication, database encryption, stored credentials, signed packages, and communications. Many organizations discover cryptographic dependencies they did not know existed.
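As an added example (not a tool from the original article), here is a small Go inventory step for the key material that turns up in such a sweep: it walks a PEM bundle of public keys or certificates, identifies each key's algorithm and size with crypto/x509, and tags it as quantum-vulnerable together with the matching NIST replacement. The sample bundle is generated in-process and is constructed input; the Finding layout, the status strings, and the replacement wording are this example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// Finding is one inventory row: where the key came from, what it is, and what to do about it.
type Finding struct {
	Source, Algorithm string
	Bits              int
	Status            string // "quantum-vulnerable" or "review"
	Replacement       string
}

// Classify maps a parsed public key to its post-quantum status. Every key type that
// crypto/x509 parses today is Shor-vulnerable; the only question is which replacement applies.
func Classify(src string, pub any) Finding {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return Finding{src, "RSA", k.N.BitLen(), "quantum-vulnerable", "ML-KEM for key establishment, ML-DSA for signatures"}
	case *ecdsa.PublicKey:
		return Finding{src, "ECDSA " + k.Curve.Params().Name, k.Curve.Params().BitSize, "quantum-vulnerable", "ML-DSA or SLH-DSA"}
	case ed25519.PublicKey:
		return Finding{src, "Ed25519", 256, "quantum-vulnerable", "ML-DSA or SLH-DSA"}
	default:
		return Finding{src, fmt.Sprintf("%T", pub), 0, "review", "unrecognised key type; check by hand"}
	}
}

// Inventory walks every PEM block in data (PKIX public keys or certificates) and returns
// one Finding per block. Unknown block types are an error rather than silently skipped:
// an inventory that drops what it cannot parse gives a false sense of coverage.
func Inventory(src string, data []byte) ([]Finding, error) {
	var out []Finding
	for i := 0; ; i++ {
		block, rest := pem.Decode(data)
		if block == nil {
			return out, nil
		}
		var pub any
		var err error
		switch block.Type {
		case "PUBLIC KEY":
			pub, err = x509.ParsePKIXPublicKey(block.Bytes)
		case "CERTIFICATE":
			var cert *x509.Certificate
			if cert, err = x509.ParseCertificate(block.Bytes); err == nil {
				pub = cert.PublicKey
			}
		default:
			err = fmt.Errorf("unsupported PEM block %q", block.Type)
		}
		if err != nil {
			return out, fmt.Errorf("%s block %d: %w", src, i, err)
		}
		out = append(out, Classify(fmt.Sprintf("%s#%d", src, i), pub))
		data = rest
	}
}

// SampleBundle is constructed input for the demo: freshly generated RSA-2048, P-256 and
// Ed25519 public keys, PEM-encoded the way they appear in keystores and config repos.
func SampleBundle() ([]byte, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	edPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	var bundle []byte
	for _, pub := range []any{&rsaKey.PublicKey, &ecKey.PublicKey, edPub} {
		der, err := x509.MarshalPKIXPublicKey(pub)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})...)
	}
	return bundle, nil
}

func main() {
	bundle, err := SampleBundle()
	if err != nil {
		panic(err)
	}
	findings, err := Inventory("keystore.pem", bundle)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-16s %-14s %4d bits  %-18s -> %s\n", f.Source, f.Algorithm, f.Bits, f.Status, f.Replacement)
	}
}
```

Point the same loop at real certificate bundles, SSH host keys converted to PKIX form, or the public halves of keys held in a KMS, and the output becomes the first column of the inventory spreadsheet. The "review" status is deliberate: a key type the parser does not know is exactly the one that deserves a human look, not a silent skip.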
Identify High-Priority Systems
Prioritize systems based on data sensitivity and longevity. Healthcare records, financial data, government communications, and intellectual property that must remain confidential for 10+ years are the highest priority.
Enable Crypto Agility
Crypto agility means designing systems so the encryption algorithm can be swapped without rebuilding the entire system. Abstract cryptographic operations behind interfaces so that switching from RSA to ML-KEM requires a configuration change, not a complete rewrite. Size assumptions are the hidden dependency to hunt for: database columns, protocol fields, and packet buffers sized for a 256-byte RSA blob or a 64-byte ECDSA signature will not hold an ML-KEM key or an ML-DSA signature, which are several kilobytes.
Implement Hybrid Mode
Deploy hybrid cryptography that uses both classical and post-quantum algorithms simultaneously. A hybrid combiner feeds both shared secrets into the key derivation, so the session key stays secret unless both the classical and the post-quantum component are broken; this covers both current threats and an undiscovered weakness in the new algorithms during the transition period. Google Chrome and Signal have already implemented hybrid PQC in production.
Plan TLS Certificate Migration
Work with your certificate authority to transition to quantum-safe certificates. Public CAs do not yet issue PQC certificates: the X.509 encodings for ML-DSA and ML-KEM keys are being standardized in the IETF LAMPS working group, and CA/Browser Forum rules for issuing them are still being developed, with first deployments expected in 2026-2027. Budget for the size change now: an ML-DSA-65 signature is about 3.3 KB, so a certificate chain grows several-fold, which affects handshake latency and any device with small TLS record buffers.
Who Is Already Migrating
Major technology companies and government agencies are not waiting for quantum computers to arrive. Migration is already underway.
| Organization | Migration Status | Approach |
|---|---|---|
| Google (Chrome) | Hybrid PQC in production since 2024 | X25519Kyber768 for TLS key exchange, replaced by the standardized X25519MLKEM768 from Chrome 131 (late 2024) |
| Apple (iMessage) | PQ3 protocol deployed (2024) | Hybrid post-quantum encryption for all messages |
| Signal | PQXDH protocol deployed (2023) | Post-quantum key agreement for new sessions |
| Cloudflare | Hybrid PQC for TLS | ML-KEM key exchange available for all customers |
| AWS | Post-quantum TLS options | Hybrid TLS for S3, KMS, and other services |
| US Government | CNSA 2.0 mandate | All national security systems must migrate; exclusive use of CNSA 2.0 algorithms is required by 2030 for software and firmware signing and by 2033 for most other categories |
Quantum-Safe vs Classical Cryptography at a Glance
| Dimension | Classical Cryptography (RSA/ECC) | Quantum-Safe Cryptography (ML-KEM/ML-DSA) |
|---|---|---|
| Quantum computer resistance | None | Designed to resist quantum attacks |
| Key sizes | Compact (32-byte X25519 keys, 256-byte RSA-2048 moduli) | Larger (about 1-2 KB for ML-KEM and ML-DSA public keys) |
| Performance | Well-optimized over decades | Comparable or faster for key exchange; signatures of about 2.4-4.6 KB instead of 64-256 bytes |
| Standardization | Mature (decades of deployment) | NIST standards published 2024, ecosystem maturing |
| Browser support | Universal | Chrome and Firefox ship hybrid key exchange by default, others following |
| TLS integration | Native and default | Hybrid mode available, becoming default |
| Library support | Every language and platform | Growing rapidly (liboqs, PQClean, AWS-LC) |
| Migration effort | N/A (current state) | Significant (crypto inventory, agility, testing) |
| "Harvest Now, Decrypt Later" protection | Vulnerable | Protected (even today's communications secure) |
Future Predictions
By 2028, hybrid post-quantum TLS will become the default for all major browsers and web servers. Organizations that have not begun their migration will face increasing compliance pressure and customer concerns. The cost of migration increases the longer organizations wait, as cryptographic dependencies become more deeply embedded in systems.
The most impactful near-term development will be the availability of PQC-enabled certificate authorities and automated certificate management tools. When Let's Encrypt and similar CAs offer PQC certificates with the same ease as current certificates, adoption will accelerate dramatically.
Quantum-safe cryptography will also intersect with zero-trust architecture as organizations realize that identity verification and mutual TLS need quantum-safe foundations to remain trustworthy long-term.
Rune AI
Key Insights
- Quantum computers will break RSA, ECC, and Diffie-Hellman key exchange, the foundation of internet encryption
- NIST published three post-quantum cryptography standards in 2024 (ML-KEM, ML-DSA, SLH-DSA) as replacements
- "Harvest Now, Decrypt Later" attacks mean that data intercepted today is at risk after quantum computers arrive
- Google Chrome, Apple iMessage, and Signal have already deployed hybrid post-quantum cryptography in production
- Start with a cryptographic inventory, implement crypto agility, and deploy hybrid PQC for high-priority systems
Frequently Asked Questions
When will quantum computers actually break current encryption?
Expert estimates vary, but the consensus is between 2030 and 2040 for a Cryptographically Relevant Quantum Computer (CRQC). However, the "Harvest Now, Decrypt Later" threat means the timeline for starting migration is now. Data encrypted today with RSA or ECC can be stored and decrypted later when quantum computers become available.
Do I need to worry about quantum computing if I use AES-256?
AES-256 is considered quantum-safe. Grover's algorithm reduces its effective security from 256 bits to 128 bits, which is still computationally infeasible to break. The concern is with public-key cryptography (RSA, ECC, Diffie-Hellman) used for key exchange and digital signatures. If your systems use TLS, HTTPS, or digital certificates, which virtually all systems do, you are affected.
What is crypto agility and why does it matter?
Crypto agility is designing systems so that cryptographic algorithms can be swapped without major code changes. It matters because the post-quantum landscape is still evolving. New algorithms may be standardized, existing ones may be broken (SIKE, a fourth-round NIST PQC candidate, was broken in 2022 by a classical attack that runs in about an hour on a single core), and compliance requirements will change. Systems with crypto agility can adapt quickly.
Is quantum-safe cryptography slower than classical cryptography?
For key exchange (ML-KEM), performance is comparable to or better than ECDH and much faster than RSA. For digital signatures (ML-DSA), signatures are larger (about 2.4-4.6 KB depending on the parameter set, versus 64 bytes for ECDSA P-256 and 256 bytes for RSA-2048), which adds bandwidth, most visibly in certificate chains. Key generation, signing, and verification speeds are comparable to ECDSA. For most applications, the performance impact is negligible.
Conclusion
Quantum-safe cryptography is not a future concern. It is a present-day migration that organizations must begin now. The NIST standards are published, major browsers and messaging platforms have deployed hybrid PQC in production, and the "Harvest Now, Decrypt Later" threat makes every day of delay a day of increased risk. For development teams, the practical first step is a cryptographic inventory: identify every system that uses RSA, ECC, or Diffie-Hellman, prioritize based on data sensitivity and longevity, implement crypto agility, and begin deploying hybrid PQC for the highest-priority systems.