Your encrypted files are already being stolen. State-sponsored hackers and sophisticated criminal organizations are vacuuming up terabytes of encrypted traffic from VPNs, government networks, and corporate communications. They cannot read any of it—yet. But they are storing it, waiting for quantum computers powerful enough to crack today’s encryption.
This strategy is called Harvest Now, Decrypt Later (HNDL). It transforms quantum computing from a distant theoretical concern into an active threat against any data with a shelf life longer than a decade.
“Q-Day” represents the moment quantum computers achieve sufficient power to bypass current encryption standards. In May 2025, Google Quantum AI published research demonstrating that RSA-2048 could theoretically be broken by a quantum computer with fewer than one million noisy qubits running for approximately one week—a twentyfold reduction from their 2019 estimates. Your medical records, intellectual property, and financial data face retroactive exposure the moment that milestone arrives. This guide provides the technical blueprint for Post-Quantum Cryptography (PQC) migration.
The Quantum Mechanics That Break Your Security
Before diving into countermeasures, you need to understand exactly why quantum computers pose an existential threat to modern cryptography. Three core concepts explain the physics behind this breach.
Superposition and Qubits: Computing in Parallel Dimensions
Technical Definition: Classical computers process information using bits—binary switches that exist as either 0 or 1 at any given moment. Quantum computers use qubits, which exploit a quantum mechanical property called superposition to exist in multiple states simultaneously until measured.
The Analogy: Imagine a classical computer as a mouse navigating a maze. It must try each path sequentially, backtracking from dead ends until it eventually discovers the exit. A quantum computer operates like water flooding the maze—it explores every possible path simultaneously, reaching the solution instantly by parallel evaluation of all routes.
Under the Hood: Quantum computers harness two additional phenomena to achieve computational supremacy:
| Quantum Property | Classical Equivalent | Security Implication |
|---|---|---|
| Superposition | Sequential bit processing | Evaluates all encryption key possibilities simultaneously |
| Entanglement | No classical equivalent | Links qubits for coordinated computation across massive state spaces |
| Interference | No classical equivalent | Amplifies correct answers while canceling incorrect results |
Through quantum interference, these systems amplify correct probabilistic outcomes while destructively interfering with incorrect ones. This allows them to solve problems in polynomial time that would require exponential time on classical hardware—including the mathematical foundations of modern encryption.
Shor’s Algorithm: The Master Key to Modern Encryption
Technical Definition: Developed by mathematician Peter Shor in 1994, Shor’s Algorithm is a quantum procedure that finds the prime factors of integers exponentially faster than any known classical algorithm. Since RSA encryption depends on the computational difficulty of factoring the product of two large primes, Shor’s Algorithm represents a complete bypass of RSA’s security model.
The Analogy: Classical computers attempt to crack encryption through brute force—like a thief systematically guessing every possible combination on a vault lock. Shor’s Algorithm functions like an X-ray machine that reveals the internal tumblers directly, making the combination visible without any guessing.
Under the Hood:
| Attack Method | Resource Requirements | Practical Timeline |
|---|---|---|
| Classical Brute Force | Billions of years on supercomputers | Never achievable |
| Shor’s (2019 Estimate) | ~20 million noisy qubits, 8 hours | Distant future |
| Shor’s (2025 Estimate) | <1 million noisy qubits, ~1 week | Potentially 2030-2035 |
| Optimized Logical Qubits | ~1,730 logical qubits (theoretical) | Requires error correction advances |
Shor’s Algorithm solves the period-finding problem—the mathematical operation that underpins the difficulty of factoring large numbers. Classical computers struggle with period-finding because it requires checking exponentially many possibilities. Quantum computers evaluate all possibilities simultaneously, reducing a billion-year computation to days of processing.
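The reduction from factoring to period-finding can be run classically on toy moduli. The sketch below is an added example, not code from the original article: the brute-force `multiplicative_order` loop stands in for the quantum step, and all function names are illustrative.

```python
"""Classical skeleton of Shor's algorithm on toy moduli (added example)."""
from math import gcd


def multiplicative_order(a, n):
    """Return the period r: the smallest r > 0 with a**r % n == 1.

    This loop stands in for the quantum period-finding step. Its running
    time grows exponentially with the bit length of n, which is the cost
    a quantum computer avoids.
    """
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    r, value = 1, a % n
    while value != 1:
        value = (value * a) % n
        r += 1
    return r


def factor_from_period(n, a):
    """Derive factors of n from the period of a, or None if a is unusable."""
    shared = gcd(a, n)
    if shared != 1:
        return tuple(sorted((shared, n // shared)))  # a already shares a factor
    r = multiplicative_order(a, n)
    if r % 2:
        return None  # odd period: a**(r/2) is not an integer power
    half = pow(a, r // 2, n)
    if half == n - 1:
        return None  # a**(r/2) = -1 mod n yields only trivial factors
    # half**2 = 1 mod n, so (half - 1)(half + 1) is a multiple of n and
    # neither factor is, which makes the gcd a proper divisor of n.
    p = gcd(half - 1, n)
    return tuple(sorted((p, n // p)))


def factor(n):
    """Try bases a = 2, 3, ... until one has a usable period."""
    for a in range(2, n):
        result = factor_from_period(n, a)
        if result:
            return result
    raise ValueError("no factor found (n appears to be prime)")


if __name__ == "__main__":
    for n in (15, 21, 3233):  # toy moduli only
        print(n, "=", " x ".join(map(str, factor(n))))
```

Everything after the period is known is cheap classical arithmetic, which is why RSA's security rests entirely on the period-finding step.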
Pro-Tip: The 2025 Google research achieving the million-qubit estimate combined three breakthrough techniques: approximate residue arithmetic, yoked surface codes for efficient qubit storage, and magic state cultivation instead of distillation. Track these specific research areas to monitor Q-Day timeline compression.
Asymmetric Encryption: The Foundation Under Attack
Technical Definition: Modern internet security relies on asymmetric (public-key) cryptography, which uses mathematical problems that are computationally easy to create but extraordinarily difficult to reverse. RSA depends on integer factorization. Elliptic Curve Cryptography (ECC) depends on the discrete logarithm problem. Both problems become trivial for sufficiently powerful quantum computers.
The Analogy: Think of asymmetric encryption as a puzzle that takes one minute to construct but would require one million years for any human—or classical computer—to solve by working backward. Quantum computers collapse that million-year timeline to mere minutes.
Under the Hood:
| Encryption Type | Mathematical Foundation | Quantum Vulnerability |
|---|---|---|
| RSA-2048 | Integer Factorization | Completely broken by Shor’s Algorithm |
| RSA-4096 | Integer Factorization | Broken—larger keys only double attack time |
| ECC (P-256) | Elliptic Curve Discrete Log | Broken faster than RSA due to smaller key sizes |
| ECDSA (secp256k1) | Elliptic Curve Discrete Log | Bitcoin signatures vulnerable |
| AES-256 | Symmetric Block Cipher | Secure—Grover reduces to 128-bit equivalent |
| AES-128 | Symmetric Block Cipher | Vulnerable—reduced to 64-bit equivalent security |
The critical insight is that every TLS handshake, SSH connection, VPN tunnel, and digital signature protecting internet traffic relies on these vulnerable mathematical foundations.
The Threat Landscape: Why Your Data Is Already Compromised
Understanding technical vulnerabilities is half the equation. You must also recognize why the threat demands immediate action.
Harvest Now, Decrypt Later: The Attack Already Underway
Nation-state adversaries and criminal organizations are actively intercepting encrypted communications today. Intelligence agencies maintain massive data storage facilities specifically designed to archive encrypted traffic for future decryption. The NSA’s Utah Data Center, for example, possesses exabyte-scale storage capacity—enough to store decades of global internet traffic.
The HNDL strategy operates on simple logic: any data that remains valuable for longer than the expected timeline to Q-Day is effectively already compromised. Consider what this means in practice:
| Data Type | Typical Sensitivity Window | HNDL Risk Level |
|---|---|---|
| Government Secrets | 25-50+ years | Critical |
| Medical Records (HIPAA) | Patient lifetime | Critical |
| Corporate IP/Trade Secrets | 10-20 years | High |
| Financial Transactions | 7+ years (regulatory) | High |
| Defense Contractor Data | Classified indefinitely | Critical |
| Personal Communications | Variable | Moderate to High |
| Session Cookies | Hours to days | Low |
If your organization handles data that retains value for a decade or more, that data faces retroactive exposure regardless of when Q-Day actually arrives. The encryption protecting it today becomes transparent the moment cryptographically-relevant quantum computers become operational.
Updated Q-Day Timeline: What 2026 Intelligence Reveals
The Global Risk Institute’s 2024 Quantum Threat Timeline Report consolidates expert estimates: within 5-15 years, a cryptographically relevant quantum computer (CRQC) could break standard encryption in under 24 hours. U.S. government agencies including NIST and NSA have issued warnings that Q-Day could arrive as early as 2030, particularly if hardware development accelerates unexpectedly.
| Timeline Estimate | Source | Probability Assessment |
|---|---|---|
| 2030 (aggressive) | NSA/CISA warnings | Possible with breakthrough |
| 2030-2035 | Industry consensus | >50% probability of CRQC existence |
| 2035-2040 | Conservative estimate | High confidence |
| 2045-2050 | Chinese Academy of Sciences | Based on current error rates |
The June 2025 Executive Order mandated that federal agencies support PQC-ready protocols (TLS 1.3 or successors) by 2030. The NSA’s CNSA 2.0 directive requires National Security Systems to exclusively use PQC algorithms by 2030. These are not theoretical precautions—they reflect classified threat assessments unavailable to the public.
The Vulnerability Scorecard: What Breaks and What Survives
Not all cryptographic systems face equal risk from quantum attacks. Understanding this hierarchy helps prioritize your migration efforts:
Completely Broken (Priority: Immediate Migration)
- RSA (all key sizes): Shor’s Algorithm provides complete factorization capability. Increasing key size from 2048 to 4096 bits only doubles attack time—meaningless against quantum speedup.
- Elliptic Curve Cryptography (ECC): Actually more vulnerable than RSA because smaller key sizes require fewer qubits to attack. P-256 falls faster than RSA-2048.
- Diffie-Hellman Key Exchange: Based on discrete logarithm problem—fully vulnerable to Shor’s Algorithm.
- DSA/ECDSA Signatures: Digital signature schemes share the same vulnerable mathematical foundations. This includes Bitcoin’s secp256k1 curve.
Weakened But Survivable (Priority: Upgrade Key Sizes)
- AES-256: Grover’s Algorithm provides a quadratic speedup for symmetric key search, effectively halving the bit security. AES-256 reduces to 128-bit equivalent security—still computationally infeasible.
- SHA-256/SHA-3: Hash functions experience some weakening but remain secure for most applications with appropriate output lengths.
Quantum-Resistant (Priority: Migration Target)
- NIST PQC Standards: ML-KEM, ML-DSA, SLH-DSA, and upcoming FN-DSA and HQC algorithms designed specifically to resist quantum attacks.
Post-Quantum Cryptography: Your Shield Against Q-Day
The solution to quantum threats is not abandoning encryption—it is migrating to mathematical foundations that quantum computers cannot efficiently attack. Post-Quantum Cryptography (PQC) provides exactly that.
NIST Standardization: The Complete 2026 Landscape
The National Institute of Standards and Technology (NIST) completed a multi-year competition to identify quantum-resistant cryptographic algorithms. After rigorous analysis by the global cryptographic community, NIST finalized the first PQC standards on August 13, 2024, with additional algorithms in development.
Finalized Standards (Effective August 14, 2024):
| Standard | Algorithm | Purpose | Mathematical Basis |
|---|---|---|---|
| FIPS 203 | ML-KEM (CRYSTALS-Kyber) | Key Encapsulation/Encryption | Module Learning With Errors |
| FIPS 204 | ML-DSA (CRYSTALS-Dilithium) | Digital Signatures | Module Learning With Errors |
| FIPS 205 | SLH-DSA (SPHINCS+) | Digital Signatures (Backup) | Hash Functions |
Standards In Development:
| Expected Standard | Algorithm | Purpose | Status |
|---|---|---|---|
| FIPS 206 | FN-DSA (FALCON) | Digital Signatures (Compact) | Draft expected late 2024/2025 |
| TBD | HQC | Key Encapsulation (Backup) | Selected March 2025, standardization by 2027 |
The selection of HQC in March 2025 provides a critical backup for ML-KEM using code-based cryptography rather than lattice mathematics. This diversification protects against the possibility that a mathematical breakthrough could weaken all lattice-based schemes simultaneously.
Lattice-Based Cryptography: The Mathematics of Quantum Resistance
PQC algorithms derive their security from mathematical problems that quantum computers cannot efficiently solve. The dominant approach uses lattice-based cryptography—problems involving multi-dimensional geometric structures called lattices.
Technical Definition: A lattice is a regular arrangement of points in n-dimensional space. Lattice problems ask you to find the shortest vector, the closest vector to a target point, or to solve systems of equations with intentional errors added. These problems become exponentially harder as dimensions increase.
The Analogy: Traditional encryption hides your key among prime numbers—a haystack that Shor’s Algorithm can systematically search. Lattice-based encryption hides your key in a 500-dimensional geometric grid. Even a quantum computer lacks any known shortcut for navigating such massive dimensional spaces—it effectively gets lost in the complexity.
Under the Hood:
| Lattice Problem | Security Basis | Why Quantum-Resistant |
|---|---|---|
| Learning With Errors (LWE) | Solving noisy linear equations | No quantum algorithm provides significant speedup |
| Module-LWE (ML-KEM basis) | Structured variant of LWE | Balances security with performance |
| Short Integer Solution (SIS) | Finding short vectors | Fundamentally different from factoring/discrete log |
| NTRU Lattice (FN-DSA basis) | Ring-based lattice operations | Compact signatures with strong security |
The critical difference is structural: Shor’s Algorithm exploits specific algebraic patterns in factoring and discrete logarithm problems. Lattice problems lack these exploitable patterns. No known quantum algorithm provides more than marginal speedup against properly-implemented lattice cryptography.
ML-KEM Key Sizes: The Performance Reality
Understanding the concrete specifications helps with implementation planning:
| Parameter Set | Security Level | Public Key | Ciphertext | Use Case |
|---|---|---|---|---|
| ML-KEM-512 | NIST Level 1 (AES-128 equivalent) | 800 bytes | 768 bytes | Low-security, high-performance |
| ML-KEM-768 | NIST Level 3 (AES-192 equivalent) | 1,184 bytes | 1,088 bytes | Recommended general use |
| ML-KEM-1024 | NIST Level 5 (AES-256 equivalent) | 1,568 bytes | 1,568 bytes | Maximum security requirements |
Compare this to RSA-2048 (256-byte keys) or ECDH P-256 (64-byte keys). The size increase is significant but manageable for most applications.
Strategic Implementation: Your Migration Roadmap
Understanding the threat and the solution means nothing without a concrete implementation plan. The following workflow provides a structured approach to quantum-readiness aligned with current federal guidance.
Step 1: Cryptographic Inventory (CBOM)
You cannot secure what you cannot see. The first priority is creating a comprehensive Cryptographic Bill of Materials (CBOM)—a complete catalog of every cryptographic dependency in your software supply chain. CISA now recommends Automated Cryptographic Discovery and Inventory (ACDI) tools to accelerate this process.
Inventory Targets:
| Category | What to Document | Discovery Tools |
|---|---|---|
| Libraries | OpenSSL version, crypto libraries | Microsoft Application Inspector, CodeQL |
| Protocols | TLS versions, cipher suites | Network scanners, configuration audits |
| Certificates | RSA/ECC key sizes, expiration | Certificate inventory tools |
| Key Management | HSM configurations, key types | Vendor documentation review |
| Third-Party APIs | External service cryptography | Vendor security questionnaires |
| Operational Technology | SCADA, ICS cryptographic dependencies | OT-specific scanning tools |
Pro-Tip: Do not overlook operational technology (OT) environments. CISA specifically warns that organizations “forget a lot about operational technology” while focusing on IT systems. OT often has the longest upgrade cycles and may contain cryptographic dependencies invisible to standard IT discovery tools.
Discovery Process:
- Deploy static analysis tools (Application Inspector, CodeQL) against your codebase
- Audit network configurations for TLS/SSL cipher suite preferences
- Inventory all certificates and their underlying key algorithms
- Document HSM configurations and supported algorithms
- Survey third-party vendors for PQC readiness timelines
- Map data lifecycle to identify assets requiring immediate PQC protection
The CBOM provides the foundation for all migration planning. Skip this step and you risk leaving vulnerable cryptography undiscovered.
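As a starting point for the discovery steps above, the following added example (not from the original article, and not a substitute for the tools named in the table) scans configuration and text assets for algorithm identifiers and emits CBOM rows tiered by the vulnerability scorecard. The sample assets are constructed, and the token list is an illustrative subset you would extend for your own estate.

```python
"""Minimal CBOM scan over text assets (added example, constructed inputs)."""
import json
import re
from collections import Counter

# Tiers and actions mirror the article's vulnerability scorecard.
BROKEN = ("broken", "immediate migration (hybrid ML-KEM / ML-DSA)")
WEAK = ("weakened", "upgrade to AES-256")
OK = ("survivable", "keep")
PQC = ("quantum-resistant", "migration target, verify configuration")

TOKENS = {  # illustrative subset of identifiers, keyed by lowercase token
    "rsa": ("RSA", BROKEN), "dsa": ("DSA", BROKEN), "dhe": ("DH", BROKEN),
    "ecdsa": ("ECDSA", BROKEN), "ecdh": ("ECDH", BROKEN),
    "ecdhe": ("ECDH", BROKEN), "x25519": ("ECDH (X25519)", BROKEN),
    "nistp256": ("ECC (P-256)", BROKEN), "prime256v1": ("ECC (P-256)", BROKEN),
    "secp256k1": ("ECC (secp256k1)", BROKEN),
    "aes128": ("AES-128", WEAK), "aes256": ("AES-256", OK),
}
PQC_MARKERS = ("mlkem", "mldsa", "slhdsa")


def classify(token):
    """Map one token to (algorithm, (tier, action)), or None if unknown."""
    token = token.lower()
    if any(marker in token for marker in PQC_MARKERS):
        return token.upper(), PQC  # includes hybrids such as X25519MLKEM768
    return TOKENS.get(token)


def scan(assets):
    """assets: {name: text}. Returns one CBOM row per algorithm per line."""
    rows = []
    for name, text in assets.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            # Normalise "ML-KEM-768" -> "MLKEM768" and "AES-256" -> "AES256".
            line = re.sub(r"(?i)\b(ml|slh)-(kem|dsa)-?", r"\1\2", line)
            line = re.sub(r"(?i)\baes-(128|256)", r"AES\1", line)
            seen = set()
            for token in re.split(r"[^A-Za-z0-9_]+", line):
                hit = classify(token)
                if hit and hit[0] not in seen:
                    seen.add(hit[0])
                    tier, action = hit[1]
                    rows.append({"asset": name, "line": lineno,
                                 "algorithm": hit[0], "tier": tier,
                                 "action": action})
    return rows


def tier_counts(rows):
    """Summarise the inventory by scorecard tier."""
    return dict(Counter(row["tier"] for row in rows))


SAMPLE_ASSETS = {  # constructed inputs, not taken from any real system
    "nginx.conf": (
        "ssl_protocols TLSv1.2 TLSv1.3;\n"
        "ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384;\n"
        "ssl_ecdh_curve X25519MLKEM768:X25519;\n"),
    "sshd_config": "HostKeyAlgorithms ssh-rsa,ecdsa-sha2-nistp256\n",
    "vendor-notes.txt": "Gateway firmware supports ML-KEM-768 and AES-256 only.\n",
}

if __name__ == "__main__":
    inventory = scan(SAMPLE_ASSETS)
    print(json.dumps(tier_counts(inventory), indent=2))
    for row in inventory:
        if row["tier"] == "broken":
            print(f'{row["asset"]}:{row["line"]}  {row["algorithm"]}')
```

Token matching only finds algorithms that are named in text; key sizes inside certificates, HSM policies and compiled binaries still need the dedicated tools listed in the inventory table.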
Step 2: Hybrid Implementation Strategy
Transitioning overnight to untested algorithms carries risk. The security community recommends a hybrid approach that combines classical cryptography with PQC layers simultaneously. Major browsers (Chrome, Firefox) and platforms (Cloudflare, AWS) already support hybrid TLS with ML-KEM.
Hybrid Mode Benefits:
| Scenario | Classical Layer | PQC Layer | Overall Security |
|---|---|---|---|
| PQC flaw discovered | Provides fallback protection | Disabled | Secure (classical) |
| Quantum attack occurs | Broken | Holds firm | Secure (PQC) |
| Both layers intact | Active | Active | Defense in depth |
Implementation Architecture:
- Deploy ML-KEM alongside existing ECDH key exchange (X25519MLKEM768 is the common hybrid)
- Both algorithms contribute to the session key derivation
- Attacker must break both layers simultaneously to compromise the connection
- Maintains backward compatibility with non-PQC-enabled systems
Pro-Tip: Chrome and Cloudflare have deployed hybrid X25519MLKEM768 key exchange in production. Test your applications against these endpoints now to identify compatibility issues before your own migration.
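When testing compatibility, it helps to confirm what a client actually offers on the wire. This added example (not from the original article) parses the `client_shares` vector of a TLS 1.3 `key_share` extension, flags hybrid and classical groups, checks share lengths, and estimates whether the ClientHello still fits one TCP segment. The sample bytes are constructed, and `other_hello_bytes` is an assumed figure you should replace with a measured one.

```python
"""Audit a TLS 1.3 key_share client_shares vector (added example)."""
import struct

# IANA TLS Supported Groups codepoints: (name, kind, client share length).
GROUPS = {
    0x0017: ("secp256r1", "classical", 65),
    0x001D: ("x25519", "classical", 32),
    0x11EB: ("SecP256r1MLKEM768", "hybrid", 65 + 1184),
    0x11EC: ("X25519MLKEM768", "hybrid", 1184 + 32),
}

# 1500-byte MTU minus IPv4 and TCP headers without options.
TCP_PAYLOAD = 1500 - 20 - 20


def build_client_shares(entries):
    """Encode [(group, key_bytes), ...] as a client_shares vector."""
    body = b"".join(struct.pack("!HH", group, len(key)) + key
                    for group, key in entries)
    return struct.pack("!H", len(body)) + body


def parse_client_shares(data):
    """Decode client_shares into a list of per-group findings."""
    if len(data) < 2:
        raise ValueError("truncated key_share")
    (total,) = struct.unpack_from("!H", data, 0)
    if total != len(data) - 2:
        raise ValueError("client_shares length mismatch")
    shares, offset = [], 2
    while offset < len(data):
        if offset + 4 > len(data):
            raise ValueError("truncated KeyShareEntry header")
        group, key_len = struct.unpack_from("!HH", data, offset)
        offset += 4
        if offset + key_len > len(data):
            raise ValueError("truncated key_exchange")
        name, kind, expected = GROUPS.get(
            group, (f"unknown(0x{group:04x})", "unknown", None))
        shares.append({"group": name, "kind": kind, "bytes": key_len,
                       "size_ok": expected is None or key_len == expected})
        offset += key_len
    return shares


def assess(data, other_hello_bytes=300):
    """Summarise hybrid readiness; other_hello_bytes is an ASSUMED size
    for the rest of the ClientHello and should be measured per client."""
    shares = parse_client_shares(data)
    hello = len(data) + other_hello_bytes
    return {
        "hybrid_offered": any(s["kind"] == "hybrid" for s in shares),
        "classical_fallback": any(s["kind"] == "classical" for s in shares),
        "malformed": [s["group"] for s in shares if not s["size_ok"]],
        "estimated_hello_bytes": hello,
        "fits_one_segment": hello <= TCP_PAYLOAD,
    }


# Constructed sample: zero-filled shares of the correct lengths.
SAMPLE_HYBRID = build_client_shares(
    [(0x11EC, bytes(1216)), (0x001D, bytes(32))])

if __name__ == "__main__":
    for share in parse_client_shares(SAMPLE_HYBRID):
        print(share)
    print(assess(SAMPLE_HYBRID))
```

A ClientHello that no longer fits one segment is the usual trigger for failures in middleboxes and legacy load balancers, so a `fits_one_segment` result of false is the case to test first.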
Step 3: Vendor Assessment and Supply Chain Audit
Your security posture extends only as far as your weakest vendor. Audit your entire software supply chain for quantum readiness.
Assessment Script for Vendors:
“What is your roadmap for Post-Quantum Cryptography integration? Do you currently support NIST’s finalized standards (ML-KEM/ML-DSA)? What is your expected timeline for full PQC migration? Will you support hybrid mode during the transition period?”
Evaluation Criteria:
| Readiness Level | Indicators | Action Required |
|---|---|---|
| PQC-Ready | Ships ML-KEM/ML-DSA support | Verify configuration, enable hybrid mode |
| In Development | Published PQC roadmap | Schedule upgrade timeline, monitor progress |
| No Plan | No PQC mention | Escalate risk, evaluate alternatives |
| Legacy/EOL | No active development | Immediate replacement planning |
Document vendor responses and incorporate PQC readiness into procurement decisions. CISA’s December 2025 PQC category list will formalize vendor compliance requirements for federal contracts.
Practical Considerations: Tools, Costs, and Common Pitfalls
Theoretical understanding must translate into operational reality. This section addresses the practical challenges of PQC implementation.
Available Tools and Implementation Options
Open Source Resources:
- OpenQuantumSafe (liboqs): Primary open-source library for PQC algorithm implementations. Integrates with OpenSSL via oqs-provider. Requires Linux proficiency and cryptographic development experience. Supports ML-KEM, ML-DSA, and SLH-DSA.
- BoringSSL (Google): Includes production ML-KEM support used in Chrome.
- AWS-LC: Amazon’s cryptographic library with PQC support.
Enterprise Solutions:
- SandboxAQ: Enterprise-grade PQC migration platform with policy management and automated cryptographic discovery.
- QuSecure: Orchestration layer for hybrid PQC deployment across complex enterprise environments.
- IBM Quantum Safe: Integrated tooling for IBM ecosystem customers.
- DigiCert PQC Toolkit: Certificate authority with PQC-ready certificate issuance.
The Hidden Cost: Performance Impact
PQC algorithms carry significant performance overhead compared to classical cryptography. The primary factor is key size—lattice-based keys are measured in kilobytes rather than the tens or hundreds of bytes used by classical keys.
| Algorithm | Public Key Size | Ciphertext Size | TLS Handshake Impact |
|---|---|---|---|
| ECDH (P-256) | 64 bytes | 64 bytes | Baseline |
| RSA-2048 | 256 bytes | 256 bytes | ~2x ECDH |
| ML-KEM-768 | 1,184 bytes | 1,088 bytes | ~4-5x RSA |
| ML-KEM-1024 | 1,568 bytes | 1,568 bytes | ~6x RSA |
| X25519MLKEM768 (Hybrid) | 1,216 bytes | 1,120 bytes | ~5x RSA |
Operational Implications:
- TLS Handshakes: Increased packet sizes mean longer connection establishment times. ML-KEM-768 and ML-KEM-1024 may exceed typical 1500-byte MTU, requiring packet fragmentation.
- IoT/Embedded Systems: Resource-constrained devices may lack RAM or CPU for lattice operations. Consider SLH-DSA (hash-based) for signature-only requirements.
- High-Frequency Trading: Microsecond latency increases may impact time-sensitive applications.
- Bandwidth Costs: Larger key exchanges increase data transfer volumes across high-traffic systems.
Mitigation Strategies:
- Deploy TLS offloading to dedicated hardware accelerators
- Use ML-KEM-512 for lower-security applications where performance matters
- Consider proxy wrappers that handle PQC externally for legacy systems
- Plan for IKEv2 fragmentation when deploying ML-KEM in IPsec VPNs
Common Implementation Mistakes
Mistake 1: Retaining AES-128
Grover’s Algorithm halves the effective bit security of symmetric ciphers. AES-128 reduces to 64-bit equivalent security—within brute-force range for well-resourced attackers. Upgrade to AES-256 immediately for all new deployments. NIST SP 800-131A Rev. 3 mandates deprecating weak algorithms including AES-128 by 2030.
Mistake 2: Ignoring IoT and Embedded Systems
Small devices often cannot support the memory and computational requirements of lattice-based cryptography. These systems require specialized PQC implementations (like hash-based signatures) or external cryptographic proxies. Budget for hardware refresh cycles in your migration plan.
Mistake 3: Assuming Compliance Equals Security
Regulatory frameworks lag behind cryptographic threats. Meeting current compliance requirements does not guarantee quantum readiness. Build your security posture ahead of regulatory mandates—the June 2025 Executive Order demonstrates that mandates arrive quickly once agencies assess the threat.
Mistake 4: Ignoring Forward Secrecy
Even with PQC, ensure your key exchange protocols implement forward secrecy. Generate fresh ML-KEM keypairs for each session rather than reusing static keys. Reused keypairs do not provide protection against future compromise.
Legal Considerations: Retroactive Liability Risk
An emerging legal theory poses significant risk to organizations that fail to implement HNDL protections: retroactive liability. Companies could face legal consequences for future breaches of data encrypted today if courts determine they failed to protect long-term data with reasonable foresight.
Consider: A healthcare organization suffers a breach in 2026. Attackers exfiltrate encrypted patient records. In 2036, quantum computers decrypt that stolen data. Plaintiffs argue the organization knew quantum threats existed and should have implemented PQC. The existence of federal mandates (NSM-10, June 2025 EO) establishes that quantum threats are known and foreseeable—strengthening such arguments.
Problem, Cause, Solution: Your Quick Reference Matrix
| Problem | Root Cause | Solution |
|---|---|---|
| Future data vulnerability | Harvest Now, Decrypt Later (HNDL) | Implement Forward Secrecy and Hybrid PQC |
| Network latency increases | Large PQC key sizes (1-1.5KB) | TLS offloading, hardware accelerators |
| Legacy system incompatibility | Lack of math co-processors | Proxy wrappers for external encryption |
| Supply chain exposure | Vendor quantum unreadiness | Vendor assessment, alternative sourcing |
| Compliance uncertainty | Regulatory lag | Document due diligence, exceed current requirements |
| IoT device constraints | Limited RAM/CPU | Hash-based signatures (SLH-DSA), hardware refresh |
| MTU fragmentation | ML-KEM exceeds 1500 bytes | IKEv2/TLS fragmentation support |
Conclusion: Your Security Clock Is Already Ticking
Q-Day is a moving target. Current expert estimates place a cryptographically relevant quantum computer (CRQC) at 50% probability by 2035, with some agencies warning it could arrive as early as 2030. But the HNDL threat operates now—every day you delay PQC migration is another day adversaries collect encrypted data they will eventually read.
The primary danger is not the quantum computer itself. It is procrastination. Start your CBOM audit today. Assess your vendors. Enable hybrid mode on systems that support it. Federal agencies have until 2030 to complete their transitions—your timeline should be no less aggressive.
Frequently Asked Questions (FAQ)
Will quantum computers break Bitcoin?
Eventually, yes. Bitcoin uses ECDSA with secp256k1 for transaction signatures. Once quantum computers run Shor’s Algorithm at scale, attackers could derive private keys from publicly-visible Bitcoin addresses that have broadcast transactions. The Bitcoin community is researching quantum-resistant signatures, but no migration timeline exists.
How long until Q-Day actually arrives?
Current expert consensus places CRQC probability by 2035 at greater than 50%. NSA and CISA warn Q-Day could arrive as early as 2030 if hardware development accelerates. The May 2025 Google research reducing qubit requirements twentyfold demonstrates how quickly estimates change. Plan for the lower end of estimates.
Is AES encryption safe from quantum computers?
Yes, with AES-256. Grover’s Algorithm halves bit security—AES-256 reduces to 128-bit equivalent, still computationally infeasible. AES-128 drops to 64-bit equivalent and should be deprecated. NIST SP 800-131A Rev. 3 mandates this deprecation by 2030.
What should a CISO prioritize first?
Create a Cryptographic Bill of Materials (CBOM). Catalog every library, protocol, certificate, and third-party service touching encryption—including operational technology. CISA recommends Automated Cryptographic Discovery and Inventory (ACDI) tools. This inventory drives all subsequent prioritization.
Why does PQC slow down network connections?
ML-KEM-768 public keys are 1,184 bytes versus 64 bytes for ECDH P-256. These larger keys increase bandwidth during TLS handshakes and may require packet fragmentation when exceeding 1500-byte MTU limits. Computational overhead also adds processing time on resource-constrained devices.
Can I wait for my vendors to handle PQC migration?
No. Begin your CBOM audit independently and assess vendor roadmaps directly. CISA’s December 2025 PQC category list will establish compliance requirements for federal procurement—vendors without PQC support may lose contract eligibility. Use this leverage in negotiations.
What is HQC and why was it selected in 2025?
HQC (Hamming Quasi-Cyclic) is a code-based encryption algorithm NIST selected in March 2025 as a backup for ML-KEM. Unlike lattice-based ML-KEM, HQC uses error-correcting code theory—providing cryptographic diversity. If researchers discover lattice weaknesses, HQC offers an alternative path. Final standardization expected 2027.
Sources & Further Reading
- NIST FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard (August 2024)
- NIST FIPS 204: Module-Lattice-Based Digital Signature Standard (August 2024)
- NIST FIPS 205: Stateless Hash-Based Digital Signature Standard (August 2024)
- NIST IR 8547: Transition to Post-Quantum Cryptography Standards
- Gidney, C. “How to factor 2048 bit RSA integers with less than a million noisy qubits” (arXiv, May 2025)
- Gidney, C. & Ekerå, M. “How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits” (2019)
- Shor, P.W. “Algorithms for Quantum Computation: Discrete Logarithms and Factoring” (1994)
- Grover, L.K. “A Fast Quantum Mechanical Algorithm for Database Search” (1996)
- NSA CNSA 2.0 Algorithm Suite Guidance
- CISA Post-Quantum Cryptography Initiative Resources
- Global Risk Institute Quantum Threat Timeline Report (2024)
- Open Quantum Safe Project (liboqs) Documentation
- IETF Draft: Post-quantum Hybrid Key Exchange with ML-KEM in IKEv2
- Cloudflare Blog: Post-Quantum Cryptography Implementation Guides
- Google Security Blog: Hybrid Post-Quantum Key Exchange in Chrome




