The Quantum Clock Is Ticking — Your Encryption Has an Expiration Date
Here's the uncomfortable truth that most organizations are ignoring: every piece of data encrypted with RSA or ECC today can be stored by adversaries and decrypted later when sufficiently powerful quantum computers arrive. This is called the "harvest now, decrypt later" attack, and intelligence agencies from China, Russia, and others are already doing it at scale. The data you're protecting today with 2048-bit RSA may be readable within 5-8 years.
NIST finalized its post-quantum cryptography (PQC) standards in August 2024, selecting ML-KEM (formerly CRYSTALS-Kyber) for key encapsulation and ML-DSA (formerly CRYSTALS-Dilithium) for digital signatures. These are no longer theoretical — they're production-ready standards that organizations should be migrating to now. The migration window is closing faster than most security teams realize.
Understanding the Quantum Threat
What Quantum Computers Break
Shor's algorithm, running on a sufficiently large quantum computer, can factor large integers and compute discrete logarithms in polynomial time. This directly breaks RSA (based on integer factorization), ECC (based on elliptic curve discrete logarithm), and Diffie-Hellman key exchange. Essentially, every public-key cryptosystem currently in widespread use becomes trivially breakable.
What quantum computers don't break: symmetric encryption (AES) and hash functions (SHA-256) retain their security with a caveat — Grover's algorithm provides a quadratic speedup, effectively halving the security level. AES-256 becomes AES-128 equivalent, which is still considered secure. AES-128, however, drops to 64-bit security — insufficient.
Timeline Estimates
IBM's roadmap targets a 100,000-qubit system by 2033. Google's Willow chip demonstrated 105 qubits with error correction in December 2024. Current estimates for a "cryptographically relevant quantum computer" (CRQC) range from 2029 to 2035. The responsible assumption is the earlier end of that range. If your data has a confidentiality requirement beyond 2030, you should be migrating now.
NIST Post-Quantum Standards: What You Need to Know
ML-KEM (Key Encapsulation)
ML-KEM replaces RSA and ECDH for key exchange. It's based on the Module Learning with Errors (MLWE) problem, which is believed to be resistant to both classical and quantum attacks. There are three parameter sets: ML-KEM-512 (128-bit security), ML-KEM-768 (192-bit), and ML-KEM-1024 (256-bit). Key sizes are larger than RSA — public keys range from 800 bytes to 1.5 KB — but key generation and encapsulation are actually faster than RSA-2048.
ML-DSA (Digital Signatures)
ML-DSA replaces RSA and ECDSA for digital signatures and rests on the same module-lattice foundation as ML-KEM. Signature sizes are significantly larger — 2.4 KB to 4.6 KB versus 256 bytes for ECDSA — which impacts bandwidth for protocols that transmit many signatures. Verification speed is competitive with classical algorithms.
SLH-DSA (Stateless Hash-Based Signatures)
SLH-DSA (formerly SPHINCS+) provides a conservative backup option based purely on hash function security — arguably the most conservative cryptographic assumption possible. Slower and larger than ML-DSA, but its security rests on the oldest and most studied cryptographic primitive. Use this for long-term document signing where performance isn't critical.
Migration Roadmap: A Practical 5-Step Plan
Step 1: Cryptographic Inventory (Months 1-3)
You can't migrate what you can't find. Conduct a complete inventory of every cryptographic algorithm, key, certificate, and protocol in your infrastructure. This includes TLS configurations, VPN tunnels, code signing certificates, database encryption, API authentication, and embedded device firmware. Tools like Keyfactor Command and Venafi TLS Protect can automate discovery.
Step 2: Risk Prioritization (Months 3-4)
Not all data has the same confidentiality timeline. Classify your encrypted assets by how long they need to remain confidential. Government secrets, medical records, and financial data with 10+ year requirements are highest priority. Session keys for web traffic that expire in hours are lowest priority. Focus migration efforts on long-lived secrets first.
Step 3: Hybrid Deployment (Months 4-12)
Don't rip and replace. Deploy hybrid cryptography that combines classical and post-quantum algorithms. For example, use both ECDH and ML-KEM for key exchange — even if one is broken, the other provides security. Chrome, Firefox, and most TLS libraries already support hybrid key exchange. This approach eliminates the risk of deploying PQC algorithms that might later be found vulnerable.
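The hybrid key exchange described above, as an added example that is not code from the article: the part the text leaves implicit is how the ECDH and ML-KEM shared secrets are combined into one session key so that either secret alone still protects it. The X25519 and ML-KEM-768 outputs are assumed to come from real libraries and are stood in for by constructed bytes; the combiner is RFC 5869 HKDF over HMAC-SHA-256, salted with a hash of the handshake transcript.

```python
"""Hybrid ECDH + ML-KEM secret combiner (added example, not from the article).

Assumes two shared secrets already produced by real libraries: a 32-byte
X25519 ECDH secret and the 32-byte ML-KEM-768 shared secret. Both are
constructed test values here so the script runs offline on the stdlib.
"""
import hashlib
import hmac

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 HKDF-Extract with HMAC-SHA-256: PRK = HMAC(salt, IKM)
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i)
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def hybrid_key(ecdh_ss: bytes, mlkem_ss: bytes, transcript: bytes) -> bytes:
    """Derive one session key from both shared secrets.

    Both secrets are concatenated and run through HKDF, salted with a hash
    of the handshake transcript. Recovering the key needs BOTH inputs: a
    quantum attacker who breaks ECDH learns ecdh_ss but not mlkem_ss, and
    a future ML-KEM break would still leave ecdh_ss unknown.
    """
    if len(mlkem_ss) != 32:
        raise ValueError("ML-KEM shared secrets are exactly 32 bytes")
    ikm = mlkem_ss + ecdh_ss  # fixed order; both peers must use the same
    prk = hkdf_extract(hashlib.sha256(transcript).digest(), ikm)
    return hkdf_expand(prk, b"hybrid-session-key", 32)

# Constructed sample values, not output of a real key exchange.
ECDH_SS = bytes([0x11]) * 32
MLKEM_SS = bytes([0x22]) * 32
TRANSCRIPT = b"client_hello||server_hello"  # stand-in for the real transcript

def demo() -> bool:
    """True if an attacker holding only the ECDH secret derives a different key."""
    key = hybrid_key(ECDH_SS, MLKEM_SS, TRANSCRIPT)
    guess = hybrid_key(ECDH_SS, bytes(32), TRANSCRIPT)  # ML-KEM share unknown
    return not hmac.compare_digest(key, guess)

if __name__ == "__main__":
    print("hybrid key survives an ECDH break:", demo())
```

Concatenate-then-KDF is the pattern the hybrid TLS designs use; if either component is broken, the other still contributes 32 bytes the attacker does not have.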
Step 4: Testing and Validation (Months 12-18)
PQC algorithms have different performance characteristics. Larger key sizes impact TLS handshake times, certificate chain validation, and bandwidth. Test thoroughly in staging environments. Measure the impact on latency, throughput, and resource consumption. Some embedded devices and IoT hardware may not have sufficient memory or processing power for PQC — identify these devices early.
Step 5: Full Migration (Months 18-36)
Transition from hybrid to PQC-only as confidence in the new algorithms matures. Update all certificates, reconfigure all protocols, and retire classical algorithms. Maintain the ability to roll back to hybrid mode if vulnerabilities are discovered in any PQC algorithm.
Industry-Specific Considerations
Financial services: PCI DSS 5.0 (expected 2027) will likely mandate PQC readiness. Start now to avoid a scramble.
Healthcare: HIPAA-protected data has indefinite confidentiality requirements, making it the highest-priority migration target.
Government: CNSA 2.0 mandates PQC for National Security Systems by 2030 — contractors must comply.
Critical infrastructure: SCADA and ICS systems have 20-30 year lifecycles. Upgrading firmware for PQC on operational technology is a multi-year project.
The Bottom Line
Post-quantum migration isn't a future problem — it's a current one. The "harvest now, decrypt later" threat means data encrypted with RSA and ECC today is already at risk. NIST's standards are finalized, libraries are production-ready, and early adopters are already deploying. The organizations that start now will have a smooth, methodical migration. The ones that wait will face a chaotic, expensive scramble when the quantum deadline arrives. Don't be in the second group.
