Every time you authorize a wire transfer, access a medical record, or open an encrypted channel, an invisible mathematical shield stands between your data and the world. Since 1977, standards like RSA have been that shield. What’s changing is not the shield itself — it’s the nature of the weapon being built to bypass it.
We are inside a transition window. Not a future one. This one, right now.
The Mathematical Foundation That’s Expiring
RSA and Elliptic Curve Cryptography (ECC) derive their strength from computational hardness: factoring large integers or solving discrete logarithm problems takes classical computers an astronomically long time. That intractability is the entire bet.
In 1994, Peter Shor published an algorithm that makes that bet lose on a quantum computer. Shor’s algorithm solves integer factorization and discrete logarithms in polynomial time — problems that would take classical machines millions of years to crack become tractable. The algorithm itself is not new. What’s new is that the hardware to run it is being actively built and tested at scale.
IBM’s quantum systems have crossed the 1,000-qubit threshold with the Condor processor. Google’s 105-qubit Willow chip performed a specific benchmark computation in minutes that would take today’s fastest supercomputers an estimated 10,000 years. Neither machine is yet a cryptographically relevant quantum computer (CRQC) — breaking RSA-2048 requires millions of fault-tolerant logical qubits, not hundreds of noisy physical ones. But the trajectory is clear, and the error-correction problem that once seemed intractable is being solved methodically.
Mosca’s Theorem: The Equation That Makes the Threat Immediate
The cleanest framing of quantum risk comes from cryptographer Michele Mosca. Track three variables:
- x — how long your data must remain confidential (its security shelf-life)
- y — how long it will take your organization to fully migrate to quantum-safe cryptography (migration time)
- z — the estimated time remaining before a CRQC can break current public-key schemes (collapse time)
If x + y > z, you already have a problem.
This isn’t an abstract future concern. Consider an organization that needs 15 years of confidentiality on sensitive data and realistically needs 8 years to complete a full cryptographic migration. If a CRQC arrives in 2033 — well within the range of serious estimates — that organization’s exposure window opened years ago.
The categories of data that routinely carry multi-decade shelf-lives include personal health information, financial records, intellectual property, and government communications. For any of these, the migration clock is not theoretical — it’s already running.
Harvest Now, Decrypt Later: The Breach That’s Already in Progress
The most operationally urgent dimension of the quantum threat doesn’t require a CRQC to exist today. It requires only that one exists before your long-lived data loses its sensitivity.
The attack pattern is straightforward: adversaries intercept and archive encrypted traffic now, at scale, then wait. When quantum capability matures, they decrypt the archive. The data stolen in a 2025 interception becomes readable in 2034.
Intelligence agencies in multiple countries have issued explicit warnings that this strategy — known as Harvest Now, Decrypt Later (HNDL) — is not theoretical. Nation-state actors are already stockpiling encrypted data with exactly this playbook. Palo Alto Networks characterizes HNDL as the mechanism that transforms a future computing problem into an immediate operational crisis for any organization holding data with long-term value.
The implication is uncomfortable: data encrypted today under RSA or ECC may already be compromised — not because the encryption was broken, but because the ciphertext is sitting in an adversary’s storage waiting for a key that doesn’t exist yet.
What the Standards Bodies Have Done About It
The international response to this threat has been systematic and is now concrete. In August 2024, after an eight-year global competition that evaluated 82 candidate algorithms from cryptographers around the world, NIST finalized its first three post-quantum cryptographic standards:
- FIPS 203 — ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism): the primary replacement for RSA and ECDH in key exchange, used in protocols like TLS
- FIPS 204 — ML-DSA (Module-Lattice-Based Digital Signature Algorithm): replaces ECDSA for digital signatures, certificates, and authentication
- FIPS 205 — SLH-DSA (Stateless Hash-Based Digital Signature): a hash-based alternative providing a conservative security fallback if lattice-based assumptions are later weakened
NIST’s guidance on these standards is unambiguous: there is no need to wait for future standards — start using these three now. In March 2025, NIST selected HQC as a fourth algorithm to provide diversity and reduce systemic risk if a weakness is discovered in ML-KEM.
On the governance side, the NSA’s Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) mandates PQC deployment for new national security systems by 2027 and full transition by 2035. CISA and NSA have jointly issued advisories calling for immediate crypto-agile migration planning. These are not aspirational timelines — for US government vendors, they are compliance deadlines.
PQC vs. QKD: Two Different Tools
A persistent source of confusion in this space is the conflation of Post-Quantum Cryptography with Quantum Key Distribution. They are distinct technologies solving different problems.
Post-Quantum Cryptography (PQC) replaces vulnerable mathematical problems with new ones — lattice problems, hash functions, error-correcting codes — that are believed to resist both classical and quantum attacks. Critically, PQC algorithms run on classical hardware and integrate with existing protocols. This is why FIPS 203–205 can be deployed in TLS today without rebuilding network infrastructure.
Quantum Key Distribution (QKD) is a physics-based approach that uses the properties of quantum mechanics to detect eavesdropping during key exchange. It does not replace the encryption of data — it only secures the distribution of the keys used to encrypt it. QKD is proven technology but requires specialized hardware and dedicated fiber infrastructure, making it impractical as a general-purpose migration path.
For the vast majority of organizations, PQC is the migration target. QKD may have a role in specific high-assurance contexts, but it is not a substitute for algorithmic transition.
The Implementation Gap: Math Isn’t Enough
Adopting quantum-safe algorithms is necessary but not sufficient. The history of classical cryptography shows that mathematically sound schemes fail at the implementation and hardware layer with regularity.
Side-channel attacks remain a material concern regardless of which algorithm is in use. These attacks extract secret key material not by breaking the math, but by measuring physical properties of the hardware performing the computation:
- Timing variations that correlate with key bits
- Power consumption patterns during encryption operations
- Electromagnetic emissions from cryptographic hardware
- Acoustic signals from processors under load
Early implementations of Kyber (the algorithm that became ML-KEM) were found to exhibit timing side-channels that could leak key material if not carefully mitigated in software. The Oracle security team has noted that symmetric key security ultimately depends on Hardware Security Modules (HSMs) maintaining confidentiality of master keys — a requirement that carries through unchanged into the post-quantum era.
Beyond side-channels, hardware supply chain risk — counterfeit components, hardware trojans, and recycled devices — represents a layer of exposure that cryptographic algorithm selection cannot address. A deployment of ML-KEM on a compromised hardware platform is not a secure deployment.
The lesson from Meltdown and Spectre applies here directly: architectural vulnerabilities in commodity hardware can undermine cryptographic guarantees made at the software layer. Post-quantum migration must account for the full stack.
The Migration Is Multi-Year. Start the Clock.
The technical complexity of a cryptographic migration is frequently underestimated. Affected surface area includes TLS endpoints, VPNs, code signing infrastructure, PKI, email encryption, embedded firmware, and every protocol that touches key exchange or digital signatures. NIST guidance recommends starting with a complete cryptographic inventory — a Cryptographic Bill of Materials (CBOM) — that maps every system, library, and protocol currently relying on vulnerable algorithms.
NIST projects five to ten year adoption cycles for critical infrastructure. The NSA’s CNSA 2.0 roadmap reflects a similar assumption: hybrid deployments as an interim measure, pure PQC by 2035. Realistic timelines for large organizations fall in the 2027–2030 range for critical systems, 2030–2033 for broader infrastructure.
A key architectural principle throughout this transition is crypto-agility: designing systems so that cryptographic primitives can be swapped without rewriting application logic. Organizations that hardcode algorithm choices will face significantly higher migration costs than those that abstract cryptographic operations behind agility-compatible interfaces.
Hybrid deployments — combining a classical algorithm like ECDHE with ML-KEM — are the recommended interim approach. Oracle’s database team describes this as layered security: if ML-KEM is later found to have a weakness, ECDHE still provides protection; when quantum computers eventually threaten ECDHE, ML-KEM carries the load. Cloudflare has already deployed ML-KEM + X25519 hybrids protecting a material percentage of its network traffic.
The Compliance Pressure Is Already Here
For organizations in regulated industries or with US government exposure, this is no longer a future planning exercise. CNSA 2.0 compliance is required for new national security system acquisitions by January 1, 2027. PCI DSS 4.0 is beginning to reference quantum-safe practices. NIST IR 8547 formalizes transition guidance that will increasingly underpin procurement requirements.
Beyond regulatory pressure, early movers in the quantum readiness space are explicitly treating PQC posture as a trust signal. Palo Alto Networks observes that a visible lack of preparation is already eroding customer and partner confidence in some sectors — independent of whether a CRQC exists.
The migration is complex. It is expensive. It touches every part of the cryptographic surface area of an organization. None of that changes the timeline calculus established by Mosca’s theorem: if your data has to remain secret longer than the time it takes you to migrate, the window is already closing.
What to Do Now
The NIST guidance on starting points is clear and practical:
- Build your cryptographic inventory. Identify every system, protocol, and library using public-key cryptography — TLS endpoints, VPNs, signing infrastructure, HSMs, firmware.
- Prioritize by data shelf-life. Long-lived sensitive data (health records, IP, financial records) is already HNDL-exposed and should move first.
- Design for crypto-agility. Treat algorithm selection as a configurable parameter, not a hardcoded constant.
- Begin hybrid deployments. ML-KEM + X25519 for key exchange is deployable today and provides immediate HNDL risk reduction.
- Plan for the full stack. Cryptographic security at the algorithm layer is undermined by side-channel vulnerabilities and hardware supply chain risks. Audit both.
The tools being built to break our current cryptographic infrastructure are advancing in laboratories and cloud platforms around the world. The standards to replace that infrastructure exist, have been finalized, and are ready to deploy.
The question is not whether to migrate. The question is whether you start before the window closes.