Quantum computers will eventually break today's public key cryptography. The migration to quantum-safe algorithms has already begun.
Quantum computing is no longer science fiction. While practical cryptographically relevant quantum computers are still years away, the threat they pose to current public key cryptography is concrete enough that governments and security agencies are urging migration now. Post-quantum cryptography is the set of algorithms designed to resist attacks from both classical and quantum computers, and transitioning to them is one of the largest cryptographic undertakings in computing history.
The Quantum Threat
Today's internet relies on public key algorithms like RSA and elliptic curve cryptography for key exchange, digital signatures, and authentication. These algorithms are secure against classical computers because the mathematical problems they rest on, like factoring large numbers and computing discrete logarithms, are believed to be hard. Quantum computers running Shor's algorithm can solve these problems exponentially faster, which would break the security of widely deployed cryptographic protocols.
The date when cryptographically relevant quantum computers will exist is uncertain. Estimates range from five years to several decades. What is certain is that defenders cannot wait for quantum computers to appear before acting. Sensitive data encrypted today with vulnerable algorithms may be captured now and decrypted later, once quantum computers are available. This "harvest now, decrypt later" threat is already motivating migration, especially for data with long confidentiality requirements.
The New Algorithms
After years of evaluation, standards bodies have selected a set of post-quantum algorithms built on different mathematical foundations than current public key systems. The main categories include:
- Lattice-based algorithms like ML-KEM and ML-DSA, which rely on the hardness of problems in high-dimensional lattices
- Hash-based signature schemes like SLH-DSA, which derive security from hash function properties
- Code-based algorithms that rely on the difficulty of decoding random linear codes
- Isogeny-based schemes, though recent attacks have reduced confidence in some of them
The first standardized post-quantum algorithms are now available. Organizations can begin integrating them into their systems, typically in hybrid modes that combine classical and post-quantum algorithms for defense in depth.
Hybrid Is the Pragmatic Path
Rather than flipping a switch from classical to post-quantum cryptography, most deployments are using hybrid schemes that combine both. A hybrid key exchange performs both a classical ECDH and a post-quantum key encapsulation, combining the results. If either algorithm is broken, the other still protects the session. This approach provides a safety net during the transition and hedges against the discovery of weaknesses in the new algorithms.
Hybrid schemes have landed in major protocols including TLS 1.3 and SSH. They come with performance costs, including larger key sizes and increased handshake data, but those costs are manageable for most use cases.
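The combining step described above, as an added example that is not code from the original article. It assumes the two components are an X25519 shared secret and an ML-KEM-768 shared secret (both 32 bytes); since the Python standard library provides neither primitive, both are stand-ins generated with os.urandom, and the combiner itself is "concatenate both secrets, then HKDF with the handshake transcript as salt", with labels that are this example's own. The point the code makes is the one in the text: an adversary who later recovers the classical secret but not the post-quantum one still cannot derive the session key, and a component that yields a malformed secret aborts the handshake instead of silently weakening the key.

```python
"""Hybrid key-exchange combiner (added example, not from the original article).

Assumptions: classical component = X25519 shared secret (32 bytes), post-quantum
component = ML-KEM-768 shared secret (32 bytes). Both are stand-ins produced by
os.urandom here; the KDF labels are this example's own.
"""
import hashlib
import hmac
import os

CLASSICAL_SS_LEN = 32  # X25519 shared secret length (assumed component)
PQ_SS_LEN = 32         # ML-KEM-768 shared secret length (assumed component)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def hybrid_combine(classical_ss: bytes, pq_ss: bytes, transcript: bytes) -> bytes:
    """Derive one session key from both shared secrets.

    Fixed-length checks matter: concatenation is unambiguous only when every
    component has a known length, and a KEM failure that yields an empty or
    short secret must abort rather than quietly reduce the key to one component.
    """
    if len(classical_ss) != CLASSICAL_SS_LEN:
        raise ValueError("classical shared secret has unexpected length")
    if len(pq_ss) != PQ_SS_LEN:
        raise ValueError("post-quantum shared secret has unexpected length")
    ikm = classical_ss + pq_ss
    prk = hkdf_extract(hashlib.sha256(transcript).digest(), ikm)
    return hkdf_expand(prk, b"example hybrid session key", 32)


def simulate_handshake(transcript: bytes = b"constructed transcript"):
    """Both peers combine the same two secrets; an attacker holding only the
    classical one derives a different key.

    Returns (client_key, server_key, attacker_key).
    """
    classical_ss = os.urandom(CLASSICAL_SS_LEN)  # stand-in for X25519 output
    pq_ss = os.urandom(PQ_SS_LEN)                # stand-in for ML-KEM decapsulation
    client_key = hybrid_combine(classical_ss, pq_ss, transcript)
    server_key = hybrid_combine(classical_ss, pq_ss, transcript)
    # Adversary model from the text: the classical component is broken (known),
    # the post-quantum component is not (the adversary must guess it).
    attacker_key = hybrid_combine(classical_ss, os.urandom(PQ_SS_LEN), transcript)
    return client_key, server_key, attacker_key


if __name__ == "__main__":
    c, s, a = simulate_handshake()
    print("peers agree:", c == s, " attacker matches:", a == c)
```

Binding the transcript into the derivation, as done above, ties the key to the specific handshake so that mixing secrets across sessions yields a different key.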
Inventory Your Cryptography
The first step of any post-quantum migration is knowing what cryptography you use. Many organizations have no idea. Cryptographic inventory includes:
- Protocols used for network traffic, API authentication, and data protection
- Libraries that implement cryptographic operations in your code
- Certificates and keys managed by PKI systems
- Hardware security modules that protect sensitive key material
- Third-party services that rely on cryptography you consume
- Long-lived data encrypted with today's algorithms
Without this inventory, you cannot prioritize migration or understand your exposure.
Prioritizing the Migration
Not everything needs to move at once. Sensible prioritization includes:
- Long-lived secrets first, because they are most at risk from harvest-now-decrypt-later
- Internet-facing protocols before internal ones
- High-value systems before lower-risk environments
- Regulated data that has compliance implications
- Vendor dependencies that may drive timelines beyond your control
A phased plan spreads the work, reduces risk, and lets you learn from early deployments before tackling the hardest parts.
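An added example, not from the original article, that turns the inventory list and the prioritization criteria above into a small triage tool. It classifies each inventory record's algorithm string as quantum-vulnerable, hybrid, post-quantum, or symmetric/hash, then ranks the vulnerable ones. The record fields, the sample inventory, and the numeric weights in PRIORITY_WEIGHTS are this example's own assumptions; the article supplies the ordering criteria, not numbers. The harvest-now-decrypt-later horizon of ten years is likewise an assumed parameter.

```python
"""Cryptographic inventory triage (added example, not part of the original article).

Record fields, sample data and weights are constructed for illustration.
"""
import re

# Public-key algorithm identifiers as they appear in cipher-suite or certificate
# strings; all rest on factoring or discrete logarithms and fall to Shor's algorithm.
QUANTUM_VULNERABLE = {
    "RSA", "DSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA",
    "X25519", "ED25519", "SECP256R1", "SECP384R1",
}
# Standardised post-quantum families named in the article.
POST_QUANTUM = ("ML-KEM", "ML-DSA", "SLH-DSA")

# Assumed weights for the article's ordering criteria (not from the article).
PRIORITY_WEIGHTS = {"long_lived": 3, "medium_lived": 1, "internet": 2, "high_value": 2, "regulated": 1}


def classify(algorithm: str) -> str:
    """Classify an algorithm or cipher-suite string by its quantum exposure."""
    upper = algorithm.upper()
    has_pq = any(name in upper for name in POST_QUANTUM)
    tokens = set(re.split(r"[+\-_/ ]+", upper))
    has_classical = bool(tokens & QUANTUM_VULNERABLE)
    if has_pq and has_classical:
        return "hybrid"            # e.g. X25519+ML-KEM-768: protected if either holds
    if has_pq:
        return "post-quantum"
    if has_classical:
        return "quantum-vulnerable"
    return "symmetric-or-hash"     # AES, SHA-2 and friends are not broken by Shor


def priority(record: dict) -> int:
    """Score a record; higher means migrate sooner. Non-vulnerable records score 0."""
    if classify(record["algorithm"]) != "quantum-vulnerable":
        return 0
    score = 0
    years = record.get("confidentiality_years", 0)   # how long the data must stay secret
    if years >= 10:
        score += PRIORITY_WEIGHTS["long_lived"]
    elif years >= 1:
        score += PRIORITY_WEIGHTS["medium_lived"]
    if record.get("exposure") == "internet":
        score += PRIORITY_WEIGHTS["internet"]
    if record.get("high_value"):
        score += PRIORITY_WEIGHTS["high_value"]
    if record.get("regulated"):
        score += PRIORITY_WEIGHTS["regulated"]
    return score


def prioritize(inventory: list) -> list:
    """Return (system, score) for every quantum-vulnerable record, most urgent first."""
    vulnerable = [r for r in inventory if classify(r["algorithm"]) == "quantum-vulnerable"]
    vulnerable.sort(key=lambda r: (-priority(r), r["system"]))
    return [(r["system"], priority(r)) for r in vulnerable]


def exposed_to_harvest(inventory: list, horizon_years: int = 10) -> list:
    """Systems whose data must stay secret beyond the assumed horizon while still
    protected by a quantum-vulnerable algorithm: the harvest-now-decrypt-later set."""
    return sorted(
        r["system"] for r in inventory
        if classify(r["algorithm"]) == "quantum-vulnerable"
        and r.get("confidentiality_years", 0) >= horizon_years
    )


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    {"system": "backup-archive", "algorithm": "RSA-2048", "exposure": "internal",
     "confidentiality_years": 25, "high_value": True, "regulated": True},
    {"system": "public-api-tls", "algorithm": "ECDHE-RSA-AES256-GCM-SHA384", "exposure": "internet",
     "confidentiality_years": 5, "high_value": True, "regulated": False},
    {"system": "dev-wiki-tls", "algorithm": "ECDHE-ECDSA-AES128-GCM-SHA256", "exposure": "internal",
     "confidentiality_years": 0, "high_value": False, "regulated": False},
    {"system": "vpn-gateway", "algorithm": "X25519+ML-KEM-768", "exposure": "internet",
     "confidentiality_years": 10, "high_value": True, "regulated": False},
    {"system": "log-at-rest", "algorithm": "AES-256-GCM", "exposure": "internal",
     "confidentiality_years": 7, "high_value": False, "regulated": True},
]

if __name__ == "__main__":
    for system, score in prioritize(SAMPLE_INVENTORY):
        print(f"{score:2d}  {system}")
    print("harvest-now-decrypt-later exposure:", exposed_to_harvest(SAMPLE_INVENTORY))
```

On the sample data the internal backup archive outranks the internet-facing API because its twenty-five-year confidentiality requirement is exactly the harvest-now-decrypt-later case the text puts first; the hybrid VPN and the symmetric log store drop out of the migration queue.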
Crypto Agility
The bigger lesson from the post-quantum transition is the need for crypto agility: the ability to change cryptographic algorithms without rewriting your systems. Organizations with crypto agility can adopt new algorithms quickly, respond to discovered weaknesses, and support hybrid schemes during transitions. Organizations without it face painful multi-year projects every time the cryptographic landscape shifts.
Crypto agility is an architectural property. It requires abstractions that let you swap algorithms, configuration-driven selection rather than hardcoding, and testing that covers multiple algorithm choices. Building it retroactively is hard. Building it into new systems from the start is much easier.
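The architectural pattern just described, shown as an added example that is not the article's own code: an algorithm registry, a policy object that selects the signing algorithm and the set accepted on verification, and an authenticated algorithm identifier carried with each token. The scheme uses HMAC with interchangeable hash functions because the standard library has no post-quantum signature, so the mechanics stand in for any key-exchange or signature family; the token format, identifiers and policy names are this example's assumptions. The example goes a step beyond the text by showing a transition: a new default is introduced by configuration alone, old tokens keep verifying while both algorithms are accepted, and a deprecated algorithm is refused without any code change.

```python
"""Crypto-agile token signing (added example, not from the original article).

Token format (this example's own): "<alg-id>.<base64url payload>.<base64url tag>".
"""
import base64
import dataclasses
import hashlib
import hmac

# Registry: algorithm identifier -> hash constructor. Adding an algorithm is a
# one-line registry change; callers never name a hash function directly.
ALGORITHMS = {
    "HMAC-SHA256": hashlib.sha256,
    "HMAC-SHA3-256": hashlib.sha3_256,
    "HMAC-SHA1": hashlib.sha1,  # kept in the registry so legacy tokens are recognised and refused
}


@dataclasses.dataclass(frozen=True)
class Policy:
    """Configuration-driven selection: what to sign with, what to accept."""
    sign_with: str
    accept: frozenset


# Current deployment policy (assumed): sign with SHA-256, accept SHA-256 and
# SHA3-256 so that a transition can proceed without invalidating issued tokens.
CURRENT_POLICY = Policy(sign_with="HMAC-SHA256",
                        accept=frozenset({"HMAC-SHA256", "HMAC-SHA3-256"}))


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(alg: str, key: bytes, payload: bytes) -> bytes:
    # The algorithm label is authenticated together with the payload, so relabelling
    # a token to another registered algorithm invalidates its tag.
    return hmac.new(key, alg.encode() + b"\x00" + payload, ALGORITHMS[alg]).digest()


def sign(payload: bytes, key: bytes, policy: Policy = CURRENT_POLICY) -> str:
    alg = policy.sign_with
    if alg not in ALGORITHMS:
        raise ValueError(f"unknown algorithm {alg!r}")
    return f"{alg}.{_b64(payload)}.{_b64(_tag(alg, key, payload))}"


def verify(token: str, key: bytes, policy: Policy = CURRENT_POLICY) -> bytes:
    try:
        alg, payload_b64, tag_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    if alg not in policy.accept:
        # Deprecated or unknown algorithm: refused before any cryptography runs.
        raise ValueError(f"algorithm {alg!r} not accepted by policy")
    payload = _unb64(payload_b64)
    if not hmac.compare_digest(_tag(alg, key, payload), _unb64(tag_b64)):
        raise ValueError("tag mismatch")
    return payload


def rejects(token: str, key: bytes, policy: Policy = CURRENT_POLICY) -> bool:
    """True when verification refuses the token (exercises the policy path)."""
    try:
        verify(token, key, policy)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = b"constructed demo key"
    token = sign(b"hello", key)
    print(token, "->", verify(token, key))
```

Testing "that covers multiple algorithm choices", as the text asks, falls out naturally: the same test suite runs once per Policy instance, and a deprecated algorithm is retired by removing it from the accepted set.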
Practical Steps Now
For most organizations, the near-term priorities are:
1. Build a cryptographic inventory of systems, protocols, and data
2. Identify long-lived secrets most exposed to harvest-now-decrypt-later
3. Track standards and library support for post-quantum algorithms
4. Test hybrid implementations in non-production environments
5. Engage with vendors about their post-quantum roadmaps
6. Begin building crypto agility into new systems
These steps do not require waiting for a specific milestone. They can start today and will pay off regardless of when quantum computers actually arrive.
A Generational Shift
The post-quantum migration is not a single project. It is a generational shift in how the internet is secured. Some parts will happen quickly, like updates to major browsers and cloud services. Others will take a decade or more, like embedded devices and legacy systems. The organizations that start planning now will move through the transition gracefully. Those that ignore it will face urgent, disruptive migrations when the threat finally becomes acute.