
Post-Quantum Cryptography: Your Guide to Quantum-Resistant Security

Your encrypted files are already being stolen. State-sponsored hackers and criminal organizations are vacuuming up encrypted traffic from VPNs, government networks, and corporate communications. They cannot read it yet, but they are storing it, waiting for quantum computers powerful enough to crack today’s encryption.

This strategy is called Harvest Now, Decrypt Later (HNDL). It transforms quantum computing from a distant concern into an active threat against any data with a shelf life longer than a decade.

In May 2025, Craig Gidney of Google Quantum AI published a resource estimate showing that RSA-2048 could be factored by a quantum computer with fewer than one million noisy qubits running for under a week. That is a twentyfold reduction in qubit count from the 2019 estimate of roughly twenty million. No such machine exists today, but every reduction of this kind moves forward the date at which harvested medical records, intellectual property, and financial data become readable.

This guide provides the technical blueprint for Post-Quantum Cryptography (PQC) migration.

The Quantum Mechanics That Break Your Security

Before diving into countermeasures, you need to understand exactly why quantum computers pose an existential threat to modern public-key cryptography. Three core concepts explain the physics behind the attack.

Superposition and Qubits: Computing in Parallel Dimensions

Technical Definition: Classical computers process information using bits, binary switches that exist as either 0 or 1 at any given moment. Quantum computers use qubits, which exploit a quantum mechanical property called superposition to exist in multiple states simultaneously until measured.

The Analogy: Imagine a classical computer as a mouse navigating a maze. It must try each path sequentially, backtracking from dead ends until it eventually discovers the exit. A quantum computer is closer to water poured into the maze: it fills every corridor at once, but a measurement returns only one path, so the algorithm must arrange for the flow to pile up at the exit. That arranging is what interference does, and it is why quantum speedups exist only for problems with the right mathematical structure, such as factoring, rather than for brute-force search in general.

Under the Hood: Quantum computers harness two further phenomena to turn superposition into a usable answer:

Quantum Property | Classical Equivalent | Security Implication
---------------- | -------------------- | --------------------
Superposition | Sequential bit processing | A register of n qubits carries amplitudes over all 2^n values at once; this is the raw material for Shor's period finding, not a simultaneous brute-force trial of every key
Entanglement | No classical equivalent | Correlates qubits so that computing a function such as a^x mod N on one register is reflected across the whole state
Interference | No classical equivalent | Amplifies the amplitudes of correct answers while cancelling incorrect ones, so that a measurement returns a useful result with high probability

Through quantum interference, these systems amplify correct probabilistic outcomes while destructively interfering with incorrect ones. For problems with the right algebraic structure, above all factoring and discrete logarithms, this yields polynomial-time algorithms where the best known classical algorithms are sub-exponential or exponential. For unstructured search the gain is only quadratic (Grover's Algorithm), which is why symmetric ciphers and hash functions survive with larger parameters while RSA and ECC do not.

Shor’s Algorithm: The Master Key to Modern Encryption

Technical Definition: Developed by mathematician Peter Shor in 1994, Shor's Algorithm is a quantum procedure that finds the prime factors of integers exponentially faster than any known classical algorithm. Since RSA encryption depends on the computational difficulty of factoring large prime products, Shor's Algorithm represents a complete bypass of RSA's security model. The same algorithm solves the discrete logarithm problem, so it breaks Diffie-Hellman and elliptic-curve cryptography as well.

The Analogy: Classical computers attempt to crack encryption through brute force, like a thief systematically guessing every possible combination on a vault lock. Shor’s Algorithm functions like an X-ray machine that reveals the internal tumblers directly, making the combination visible without any guessing.

Under the Hood:

Attack Method | Resource Requirements | Practical Timeline
------------- | --------------------- | ------------------
Classical factoring (general number field sieve) | RSA-2048 is far beyond any realistic classical budget; the largest RSA modulus ever factored is 829 bits (RSA-250, 2020) | Not a practical threat
Shor's (2019 estimate, Gidney and Ekerå) | ~20 million noisy qubits, about 8 hours | Distant future
Shor's (2025 estimate, Gidney) | <1 million noisy qubits, under a week | Potentially 2030-2035
Logical-qubit view | ~1,730 logical qubits (theoretical) | Requires error-correction advances

Shor's Algorithm works by reduction. Pick a random a coprime to N and find the order r of a modulo N, the smallest r > 0 with a^r ≡ 1 (mod N). If r is even and a^(r/2) ≢ -1 (mod N), then gcd(a^(r/2) - 1, N) and gcd(a^(r/2) + 1, N) are non-trivial factors of N, which a classical computer checks instantly. The only hard step is finding r: classically it means evaluating a^x mod N for exponentially many exponents, whereas the quantum Fourier transform extracts r from a superposition of those evaluations in polynomial time. That single step is the whole gap between "billions of years" and "a week".
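The reduction above, written out as an added example (not code from the original article): the quantum order-finding step is replaced by a brute-force loop so that it runs on a laptop for small moduli, and the classical post-processing is exactly Shor's. The function names and the sample moduli (15, 21 and 3233 = 53 × 61) are this example's own choices.

```python
"""Shor's reduction from factoring to order finding.

The quantum computer's only job in Shor's algorithm is find_order(); here it
is simulated by brute force, which is the step that is exponential in the
bit-length of n on classical hardware. Everything else is cheap classical
post-processing, exactly as in the real algorithm.
"""
from math import gcd
from random import Random
from typing import Optional, Tuple


def find_order(a: int, n: int) -> int:
    """Return the order r of a modulo n: the smallest r > 0 with a^r ≡ 1 (mod n).

    Stand-in for the quantum Fourier transform. This loop costs O(r)
    multiplications, and r can be as large as n, so it is hopeless for a
    2048-bit n; the quantum version costs polynomially many gates in log(n).
    """
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    x, r = a % n, 1
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factors_from_order(a: int, n: int, r: int) -> Optional[Tuple[int, int]]:
    """Classical post-processing: if r is even and a^(r/2) is not -1 mod n,
    gcd(a^(r/2) - 1, n) is a non-trivial factor. Returns None for a 'bad' a."""
    if r % 2:
        return None
    y = pow(a, r // 2, n)
    if y == n - 1:            # a^(r/2) ≡ -1: both gcds are trivial, pick another a
        return None
    p = gcd(y - 1, n)
    if 1 < p < n:
        return tuple(sorted((p, n // p)))
    return None


def shor_classical(n: int, seed: int = 0, max_tries: int = 100) -> Optional[Tuple[int, int]]:
    """Factor n by Shor's method with a simulated order-finding oracle.

    For an odd n with at least two distinct prime factors, a random a succeeds
    with probability at least 1/2 per try. Returns None if n is prime, a prime
    power, or the try budget is exhausted.
    """
    if n % 2 == 0:
        return (2, n // 2)
    rng = Random(seed)        # seeded only so the demonstration is reproducible
    for _ in range(max_tries):
        a = rng.randrange(2, n - 1)
        g = gcd(a, n)
        if g != 1:            # lucky guess: a already shares a factor with n
            return tuple(sorted((g, n // g)))
        got = factors_from_order(a, n, find_order(a, n))
        if got is not None:
            return got
    return None


if __name__ == "__main__":
    # Textbook walk-through: a = 7, n = 15 has order 4; 7^2 = 49 ≡ 4, and
    # gcd(3, 15) = 3, gcd(5, 15) = 5 recover the factors.
    print(find_order(7, 15), factors_from_order(7, 15, 4))
    print(shor_classical(3233))   # 3233 = 53 * 61, the toy RSA modulus from many textbooks
```

Try n = 3233 and then a 40-bit product of two primes: the second takes noticeably longer because the simulated order-finding loop grows with the order, which is the exponential cost the quantum Fourier transform removes.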

Asymmetric Encryption: The Foundation Under Attack

Technical Definition: Modern internet security relies on asymmetric (public-key) cryptography, which uses mathematical problems that are computationally easy to set up but extraordinarily difficult to reverse. RSA depends on integer factorization. Elliptic Curve Cryptography (ECC) depends on the elliptic-curve discrete logarithm problem. Both problems become tractable in polynomial time for a sufficiently large, error-corrected quantum computer.

The Analogy: Think of asymmetric encryption as a puzzle that takes one minute to construct but would require one million years for any human or classical computer to solve by working backward. A cryptographically relevant quantum computer collapses that million-year timeline to, by the 2025 estimate, about a week.


Under the Hood:

Encryption Type | Mathematical Foundation | Quantum Vulnerability
--------------- | ----------------------- | ---------------------
RSA-2048 | Integer factorization | Completely broken by Shor's Algorithm
RSA-4096 | Integer factorization | Broken; Shor's cost grows only polynomially with key length, so doubling the modulus buys no meaningful safety
ECC (P-256) | Elliptic curve discrete log | Broken; needs fewer qubits than RSA-2048 because the group is smaller
ECDSA (secp256k1) | Elliptic curve discrete log | Broken; Bitcoin signatures can be forged once the public key is known
AES-256 | Symmetric block cipher | Secure (Grover reduces it to roughly 128-bit equivalent)
AES-128 | Symmetric block cipher | Grover gives a theoretical 64-bit equivalent; NIST still rates it acceptable, but prefer AES-256 for data that must outlive Q-Day

The critical insight is that every TLS handshake, SSH connection, VPN tunnel, and digital signature protecting internet traffic relies on these vulnerable mathematical foundations.

The Threat Landscape: Why Your Data Is Already Compromised

Understanding technical vulnerabilities is half the equation. You must also recognize why the threat demands immediate action.

Harvest Now, Decrypt Later: The Attack Already Underway

Nation-state adversaries and criminal organizations are actively intercepting encrypted communications today. Intelligence agencies maintain massive data storage facilities designed to archive encrypted traffic for future decryption. The NSA’s Utah Data Center possesses exabyte-scale storage capacity.

The HNDL strategy operates on simple logic: any data valuable for longer than the expected Q-Day timeline is effectively already compromised. Government secrets (25-50+ years), medical records (patient lifetime), corporate IP (10-20 years), financial transactions (7+ years), and defense contractor data face critical exposure risk. If your organization handles data retaining value for a decade or more, that data faces retroactive exposure when cryptographically-relevant quantum computers become operational.

Updated Q-Day Timeline: What 2026 Intelligence Reveals

Expert consensus places the probability of a Cryptographically Relevant Quantum Computer (CRQC) at greater than 50% by 2035. NSA and CISA warn Q-Day could arrive as early as 2030. Three factors accelerate the timeline: hardware scaling (IBM targets 100,000+ qubits by 2033), error-correction breakthroughs (Google's Willow results, published in December 2024, showed logical error rates falling as the surface code grows, i.e. operation below the fault-tolerance threshold), and state-sponsored investment from China, the US, and the EU.

The Federal Response: Mandates You Cannot Ignore

In June 2025, the White House ordered all federal agencies to transition to quantum-resistant cryptography by 2030. Key requirements: CBOM by December 2026, Hybrid PQC by June 2028, Full PQC by June 2030. If you work with federal agencies, defense contractors, or HIPAA-covered healthcare organizations, these mandates apply through contract obligations.

Post-Quantum Cryptography Standards

In August 2024, NIST released three finalized Post-Quantum Cryptography standards. These algorithms survived rigorous cryptanalysis and represent the best available defense against quantum threats.

ML-KEM: Your New Key Exchange Protocol

Technical Definition: ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism), standardized as FIPS 203, replaces Diffie-Hellman and ECDH for establishing shared secrets. It uses lattice-based mathematics that remain computationally hard even for quantum computers.

The Analogy: Traditional key exchange is like two people agreeing on a secret meeting location by shouting encoded messages across a crowded room. ML-KEM is like handing your partner a locked box where only they possess the key.

Under the Hood: NIST recommends ML-KEM-768 (1,184-byte encapsulation key, 1,088-byte ciphertext, 32-byte shared secret) as the default. It sits at security category 3, comparable to AES-192. Computational cost is small (tens of microseconds per key generation, encapsulation or decapsulation on a modern CPU), so the operational impact is in message size rather than CPU time. A hybrid X25519MLKEM768 key share is 1,216 bytes, which pushes a TLS ClientHello past the 1,500-byte Ethernet MTU. Over TCP that only means an extra segment; over UDP-based protocols (IKEv2, DTLS, QUIC) the message must be fragmented at the protocol layer, so enable IKEv2 fragmentation (RFC 7383) and verify that firewalls and middleboxes do not drop the larger initial packets.

ML-DSA: Your Digital Signature Standard

Technical Definition: ML-DSA (Module-Lattice-Based Digital Signature Algorithm), standardized as FIPS 204, replaces RSA and ECDSA signatures. It provides authentication and non-repudiation using lattice problems resistant to quantum attacks.

The Analogy: Traditional signatures are like signing your name with ink that fades over time. ML-DSA uses permanent, unforgeable ink that quantum computers cannot replicate.

Under the Hood: ML-DSA-65 (recommended, security category 3, comparable to AES-192) uses 1,952-byte public keys and 3,309-byte signatures. Signing takes well under a millisecond on a modern CPU, though its running time varies because the algorithm rejects and retries candidate signatures. Signatures are roughly fifty times larger than ECDSA P-256 (64 bytes raw, 96 bytes for P-384), so certificate chains, OCSP responses and any protocol with fixed-size signature fields need adjustment.

SLH-DSA: Stateless Hash-Based Signatures for Constrained Devices

Technical Definition: SLH-DSA (Stateless Hash-Based Digital Signature Algorithm), standardized as FIPS 205, provides an alternative to ML-DSA whose security rests only on the underlying hash function, with no lattice assumption. Public keys are tiny (32 bytes at the 128-bit level) and verification needs nothing but hashing, so verifiers on constrained devices are easy to build; signing is slow and signatures are large, which is the price of that conservatism.


The Analogy: If ML-DSA is a complex lock with multiple tumblers, SLH-DSA is a simple deadbolt that achieves security through fundamental design.

Under the Hood: SLH-DSA comes in "s" (small) and "f" (fast) variants at each security level. SLH-DSA-128s produces 7,856-byte signatures and is the slow signer; SLH-DSA-128f produces 17,088-byte signatures and signs several times faster. Verification is fast in both. Use SLH-DSA where a signature is produced rarely, verified often, and must stay valid for years: firmware and boot images, root and intermediate CA keys, code-signing roots. Plan on IoT devices verifying SLH-DSA signatures, not producing them.

The Hybrid Approach: Migration Strategy

You cannot replace RSA and ECC overnight. Legacy systems, third-party dependencies, and interoperability requirements demand a phased transition. The hybrid approach combines classical and post-quantum algorithms for backward compatibility while adding quantum resistance.

How Hybrid Cryptography Works

Technical Definition: Hybrid key exchange performs both a classical key agreement (ECDH) and a post-quantum key encapsulation (ML-KEM) in the same handshake. The final shared secret derives from both algorithms. An attacker must break both components to decrypt the traffic.

The Analogy: Hybrid cryptography is like locking your door with two different locks using two different keys. A burglar must pick both locks simultaneously. If one lock proves vulnerable, the other still protects you.

Under the Hood: The handshake carries both an X25519 (or P-256) public key and an ML-KEM-768 encapsulation key, and the peer returns both an ECDH share and an ML-KEM ciphertext. Each side ends up with two independent 32-byte shared secrets, concatenates them (for the TLS X25519MLKEM768 group the ML-KEM secret comes first, then the X25519 secret) and feeds the concatenation into the key-derivation function; in TLS 1.3 that is the HKDF-based key schedule. The secrets are not simply XORed, because a plain XOR combiner is not robust against chosen-ciphertext attacks in general; standard constructions hash the concatenation together with the transcript instead. If researchers discover lattice weaknesses, your traffic remains protected by ECDH. If quantum computers break ECDH, ML-KEM maintains security.
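The combiner step, as an added example that is not code from the original article or from any TLS implementation: the two shared secrets are concatenated in X25519MLKEM768 order and run through RFC 5869 HKDF-SHA256 (implemented here from the standard library), with the transcript hash as salt standing in for the TLS 1.3 key schedule's transcript binding. The two 32-byte secrets and the transcript are constructed placeholders, not outputs of real X25519 or ML-KEM operations, and the info label is this example's own.

```python
"""Hybrid key-exchange combiner: concat(ss_mlkem, ss_ecdh) -> HKDF -> session key."""
import hashlib
import hmac

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with HMAC-SHA256 (empty salt means HashLen zero bytes)."""
    if not salt:
        salt = bytes(HASH().digest_size)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hybrid_shared_secret(ss_mlkem: bytes, ss_ecdh: bytes) -> bytes:
    """Concatenation combiner in X25519MLKEM768 order: ML-KEM secret, then X25519."""
    if len(ss_mlkem) != 32 or len(ss_ecdh) != 32:
        raise ValueError("both shared secrets must be 32 bytes")
    return ss_mlkem + ss_ecdh


def derive_session_key(ss_mlkem: bytes, ss_ecdh: bytes, transcript_hash: bytes,
                       length: int = 32) -> bytes:
    """Simplified stand-in for the TLS 1.3 key schedule. Salting with the
    transcript hash binds the key to this particular handshake."""
    prk = hkdf_extract(transcript_hash, hybrid_shared_secret(ss_mlkem, ss_ecdh))
    return hkdf_expand(prk, b"pqc-guide hybrid session key", length)


# Constructed placeholder values; real ones come from ML-KEM decaps and X25519.
SS_MLKEM = bytes(range(32))
SS_ECDH = bytes(range(32, 64))
TRANSCRIPT = HASH(b"ClientHello||ServerHello (constructed)").digest()


def leg_independence_check() -> bool:
    """True if changing one byte in either leg changes the session key, i.e. an
    attacker who recovered only the X25519 secret (post-Q-Day) or only the
    ML-KEM secret (hypothetical lattice break) still cannot derive the key."""
    key = derive_session_key(SS_MLKEM, SS_ECDH, TRANSCRIPT)

    def flip(b: bytes) -> bytes:
        return bytes([b[0] ^ 1]) + b[1:]

    return (key != derive_session_key(flip(SS_MLKEM), SS_ECDH, TRANSCRIPT)
            and key != derive_session_key(SS_MLKEM, flip(SS_ECDH), TRANSCRIPT)
            and key == derive_session_key(SS_MLKEM, SS_ECDH, TRANSCRIPT))


if __name__ == "__main__":
    print(derive_session_key(SS_MLKEM, SS_ECDH, TRANSCRIPT).hex())
    print("both legs required:", leg_independence_check())
```

The HKDF functions can be checked against RFC 5869 test case 1 before trusting them; the point of the combiner is that the derived key is a function of both secrets, so a future break of either leg alone recovers nothing.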

Practical Hybrid Implementation

Modern software already supports hybrid PQC. Google Chrome, Firefox, and Microsoft Edge negotiate the X25519MLKEM768 hybrid in TLS 1.3 by default. OpenSSH 9.9 added the mlkem768x25519-sha256 key exchange and OpenSSH 10.0 made it the default, alongside the older sntrup761x25519-sha512@openssh.com hybrid that has been the default since OpenSSH 9.0. WireGuard, OpenVPN, and IPsec implementations are adding hybrid support, with strongSwan 6.0+ supporting IKEv2 with ML-KEM encapsulation.

Implementation (client configuration):

# OpenSSH 9.9+ client configuration (~/.ssh/config)
Host *
    # Prefer the ML-KEM hybrid, then the older NTRU Prime hybrid, then classical X25519.
    KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512@openssh.com,curve25519-sha256
    PubkeyAcceptedAlgorithms ssh-ed25519,rsa-sha2-512

SSH selects the first algorithm in the client's list that the server also supports, so this order attempts the ML-KEM hybrid first and falls back to classical X25519 only for servers that offer nothing post-quantum. Check what your build supports with `ssh -Q kex` and what a given session actually negotiated with `ssh -vv host 2>&1 | grep 'kex: algorithm'`. The fallback is silent, so an inventory has to record the negotiated algorithm, not just the configured one, to know which sessions are still harvestable.

Step-by-Step Migration Roadmap

Transitioning to post-quantum cryptography requires methodical planning. Follow this phased approach:

Phase 1: Cryptographic Inventory (Months 1-3)

Create a Cryptographic Bill of Materials (CBOM) documenting every component that touches encryption: software libraries (OpenSSL, BoringSSL, cryptography.io), network protocols (TLS versions, SSH, VPNs, CAs), hardware components (HSMs, TPMs, smart cards), and third-party services (cloud providers, SaaS vendors, payment processors).

CISA recommends Automated Cryptographic Discovery and Inventory (ACDI) tools to scan networks and code repositories. Manual audits miss dependencies buried in container images and compiled binaries.
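An inventory helper of the kind the CBOM step needs, as an added example that is not part of the original article or of any CISA tooling. It parses the `option value,value` lines that `ssh -G host` and `sshd -T` print, predicts the negotiated key exchange using the SSH rule that the first client-preferred algorithm the server also lists wins, and flags hosts whose sessions would still use a classical-only exchange (the harvestable case). The sample configurations are constructed, and the rule that any algorithm name containing "mlkem" or "sntrup" counts as post-quantum is this example's assumption.

```python
"""Classify SSH key-exchange settings for a cryptographic inventory (CBOM)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: a kex name containing one of these tokens is a post-quantum hybrid
# (OpenSSH's mlkem768x25519-sha256 and sntrup761x25519-sha512@openssh.com).
PQ_KEX_TOKENS = ("mlkem", "sntrup")


@dataclass
class KexReport:
    host: str
    client_prefs: List[str]
    server_prefs: List[str]
    negotiated: Optional[str]
    status: str  # "pq-hybrid", "classical" (harvestable) or "no-common-kex"


def parse_ssh_options(text: str) -> Dict[str, List[str]]:
    """Parse `ssh -G host` / `sshd -T` style output: one 'option value' per line,
    comma-separated value lists, option names lower-cased."""
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        opts[key.lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return opts


def is_pq_kex(name: str) -> bool:
    return any(tok in name.lower() for tok in PQ_KEX_TOKENS)


def negotiated_kex(client_prefs: List[str], server_prefs: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1: the first algorithm in the client's list that the
    server also lists wins, so the client's ordering decides the outcome."""
    server = set(server_prefs)
    for name in client_prefs:
        if name in server:
            return name
    return None


def assess(host: str, client_text: str, server_text: str) -> KexReport:
    client = parse_ssh_options(client_text).get("kexalgorithms", [])
    server = parse_ssh_options(server_text).get("kexalgorithms", [])
    chosen = negotiated_kex(client, server)
    if chosen is None:
        status = "no-common-kex"
    elif is_pq_kex(chosen):
        status = "pq-hybrid"
    else:
        status = "classical"
    return KexReport(host, client, server, chosen, status)


def needs_attention(reports: List[KexReport]) -> List[str]:
    """Hosts whose sessions are still harvestable, or would not connect at all."""
    return [r.host for r in reports if r.status != "pq-hybrid"]


# Constructed sample inputs (not captured from real systems).
CLIENT_GOOD = (
    "kexalgorithms mlkem768x25519-sha256,curve25519-sha256,ecdh-sha2-nistp256\n"
    "hostkeyalgorithms ssh-ed25519,rsa-sha2-512\n"
)
CLIENT_MISORDERED = "kexalgorithms curve25519-sha256,mlkem768x25519-sha256\n"
SERVER_MODERN = "kexalgorithms mlkem768x25519-sha256,sntrup761x25519-sha512@openssh.com,curve25519-sha256\n"
SERVER_LEGACY = "kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256\n"
SERVER_ANCIENT = "kexalgorithms diffie-hellman-group14-sha1\n"

if __name__ == "__main__":
    reports = [
        assess("modern", CLIENT_GOOD, SERVER_MODERN),
        assess("legacy", CLIENT_GOOD, SERVER_LEGACY),
        assess("misordered", CLIENT_MISORDERED, SERVER_MODERN),
        assess("ancient", CLIENT_GOOD, SERVER_ANCIENT),
    ]
    for r in reports:
        print(f"{r.host:11} {r.status:14} {r.negotiated}")
    print("needs attention:", needs_attention(reports))
```

The "misordered" case is the one audits miss: both ends support ML-KEM, yet the session is classical because the client lists curve25519-sha256 first. Feeding real `ssh -G` and `sshd -T` output into assess() over a fleet gives the negotiated-algorithm view that the CBOM needs.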

Phase 2: Vendor Assessment (Months 2-4)

Evaluate every vendor for quantum readiness. Ask: When will you support NIST FIPS 203/204/205? Will you offer hybrid classical+PQC options? How will you handle ML-KEM’s larger key sizes? What legacy system support will you maintain? Are you tracking federal PQC requirements?

Document responses and establish vendor scorecards. If critical vendors lack PQC roadmaps, identify alternative suppliers. CISA’s December 2025 PQC category list will establish which vendors meet federal procurement standards.

Phase 3: Pilot Deployment (Months 4-8)

Select a non-critical system for initial PQC deployment. Internal development environments make ideal testing grounds. Measure performance impact (latency, CPU overhead, memory, bandwidth), compatibility (client failures, MTU fragmentation, library conflicts), and operational complexity (certificate management, key rotation, logging integration). Deploy hybrid configurations first for backward compatibility.

Phase 4: Production Rollout (Months 8-24)

Prioritize systems based on HNDL risk: external APIs and web services (customer data, authentication, payments), internal communications (executive email, legal correspondence, strategic planning), data storage (backups, archives, databases with long-lived sensitive information), and remote access (VPNs, SSH gateways, privileged access management).

Implement gradual rollouts with canary deployments. Monitor error rates and performance metrics. Establish rollback procedures before proceeding.

Phase 5: Legacy System Mitigation (Months 12-36)

Some systems cannot support PQC due to computational constraints or vendor abandonment. Implement compensating controls: cryptographic proxies (PQC-capable gateways handling encryption externally), network segmentation (isolate legacy systems on encrypted VLANs with PQC-protected perimeters), data minimization (reduce or eliminate long-lived sensitive data), and hardware refresh (budget for replacing devices that cannot be upgraded).

Common Implementation Mistakes

Mistake 1: Treating Grover's Algorithm as a second Shor – Grover's Algorithm gives at most a quadratic speedup for key search, which is why AES-128 is often quoted as falling to 64-bit equivalent security. That 2^64 figure counts sequential quantum operations with no known way to parallelize them, and NIST's transition guidance (NIST IR 8547) keeps AES-128 acceptable; the 2030 deprecation and 2035 disallowance dates apply to 112-bit-security public-key algorithms such as RSA-2048 and ECDSA P-256, which Shor breaks outright. For data that must stay confidential for decades, AES-256 is the conservative choice and costs almost nothing, so prefer it in new designs and for long-lived archives. Spend the migration budget on key exchange and signatures, where the break is total.


Mistake 2: Writing off IoT devices as unable to run PQC – ML-KEM and ML-DSA were designed with constrained targets in mind and run on Cortex-M4-class microcontrollers; the real obstacles are flash and RAM budgets (ML-DSA signing needs tens of kilobytes of stack), fixed-size protocol buffers, and devices with no firmware update path at all. Give devices verification-only roles where possible (verifying signed firmware needs far less than producing signatures), front devices that cannot change with a PQC-capable gateway, and budget for hardware refresh cycles.

Mistake 3: Assuming Compliance Equals Security – Regulatory frameworks lag behind cryptographic threats. Meeting current compliance does not guarantee quantum readiness. Build security ahead of regulatory mandates.

Mistake 4: Reusing key-encapsulation keys – Forward secrecy comes from ephemeral keys, so generate a fresh ML-KEM keypair for each handshake, as TLS 1.3 and OpenSSH do, rather than reusing a static one. A long-lived decapsulation key turns every recorded session into a single point of future compromise, which is exactly the HNDL exposure the migration is meant to remove.

Legal Considerations: Retroactive Liability Risk

An emerging legal theory poses significant risk: retroactive liability. Companies could face legal consequences for future breaches of data encrypted today if courts determine they failed to protect long-term data with reasonable foresight. Consider this: A healthcare organization suffers a 2026 breach. Attackers exfiltrate encrypted patient records. In 2036, quantum computers decrypt that stolen data. Plaintiffs argue the organization knew quantum threats existed and should have implemented PQC. Federal mandates (NSM-10, June 2025 EO) establish that quantum threats are foreseeable, strengthening such arguments.

Quick Reference Matrix

Problem | Root Cause | Solution
------- | ---------- | --------
Future data vulnerability | Harvest Now, Decrypt Later (HNDL) | Forward secrecy plus hybrid PQC key exchange
Network latency increases | Large PQC key shares (1-1.5 KB per direction) | TLS offloading, hardware accelerators, handshake size budgeting
Legacy system incompatibility | No vendor upgrade path, fixed-size protocol buffers | Proxy wrappers / PQC-capable gateways for external encryption
Supply chain exposure | Vendor quantum unreadiness | Vendor assessment, alternative sourcing
Compliance uncertainty | Regulatory lag | Document due diligence, exceed current requirements
IoT device constraints | Limited RAM/CPU/flash | Embedded ML-KEM/ML-DSA builds, SLH-DSA for verification-only roles, hardware refresh
MTU fragmentation | Hybrid key shares push handshake messages past 1,500 bytes | IKEv2 fragmentation (RFC 7383), DTLS/QUIC fragmentation support

Conclusion: Start Now

Q-Day is a moving target. Current expert estimates place a cryptographically relevant quantum computer (CRQC) at 50% probability by 2035, with some agencies warning it could arrive as early as 2030. But the HNDL threat operates now. Every day you delay PQC migration is another day adversaries collect encrypted data they will eventually read.

The primary danger is not the quantum computer itself. It is procrastination. Start your CBOM audit today. Assess your vendors. Enable hybrid mode on systems that support it. Your timeline should match federal agencies: complete transition by 2030.


Frequently Asked Questions (FAQ)

Will quantum computers break Bitcoin?

Eventually, yes, for any coin whose public key is visible on chain. Bitcoin uses ECDSA (and, since Taproot, Schnorr) over secp256k1. A quantum computer running Shor's Algorithm could derive the private key from a public key, but most addresses are hashes of public keys, and Shor does not invert hashes; the key is exposed when an output is spent from, and in pay-to-public-key and Taproot outputs, which carry the key directly. Coins in reused or previously-spent-from addresses and early P2PK coins are the exposed population. The Bitcoin community is researching quantum-resistant signatures, but no migration timeline exists yet.

How long until Q-Day actually arrives?

Current expert consensus places CRQC probability by 2035 at greater than 50%. NSA and CISA warn Q-Day could arrive as early as 2030 if hardware development accelerates. The May 2025 Google research demonstrates how quickly estimates change, so plan for the lower end of these projections.

Is AES encryption safe from quantum computers?

Yes. Grover's Algorithm halves bit security in theory, so AES-256 reduces to 128-bit equivalent (still computationally infeasible) and AES-128 to a theoretical 64-bit equivalent. That 2^64 figure counts sequential quantum operations, and NIST's transition guidance (NIST IR 8547) still rates AES-128 acceptable; the 2030 deprecation applies to RSA-2048 and P-256-class public-key algorithms, not to AES-128. Prefer AES-256 for long-lived data anyway, since the cost is negligible.

What should a CISO prioritize first?

Create a Cryptographic Bill of Materials (CBOM). Catalog every library, protocol, certificate, and third-party service touching encryption, including operational technology. CISA recommends Automated Cryptographic Discovery and Inventory (ACDI) tools. This inventory drives all subsequent prioritization decisions.

Why does PQC slow down network connections?

ML-KEM-768 encapsulation keys are 1,184 bytes versus 32 bytes for an X25519 public key (65 bytes for an uncompressed P-256 point), and the ML-KEM ciphertext is 1,088 bytes. A hybrid handshake therefore carries roughly 1.2 KB more in each direction, which pushes the ClientHello past the 1,500-byte MTU and may require packet fragmentation on UDP-based protocols. Over TCP the cost is usually one extra segment; computational overhead is small on modern CPUs but noticeable on resource-constrained devices.

Can I wait for my vendors to handle PQC migration?

No. Begin your CBOM audit independently and assess vendor roadmaps directly. CISA’s December 2025 PQC category list will establish compliance requirements for federal procurement. Vendors without PQC support may lose contract eligibility, so use this leverage in negotiations now.

What is HQC and why was it selected in 2025?

HQC (Hamming Quasi-Cyclic) is a code-based encryption algorithm NIST selected in March 2025 as a backup for ML-KEM. Unlike lattice-based ML-KEM, HQC uses error-correcting code theory, providing cryptographic diversity. If researchers discover lattice weaknesses, HQC offers an alternative path. Final standardization is expected in 2027.

