Have you ever thought about what will happen to cryptography (your passwords, encryption, RSA tokens, auth tokens and so on) when quantum computing comes into the hands of state actors? My plain-English guide for security teams on what post-quantum cryptography means, what you need to do now, and the NIST standards that define the path forward.
What You’ll Learn
Why quantum computers threaten current encryption
What “harvest now, decrypt later” attacks are and why they’re happening now
The NIST post-quantum cryptography standards and what they mean
How to assess your organisation’s quantum risk exposure
The practical migration steps security teams need to start now
⏱️ 12 min read
Post-Quantum Cryptography — Security Team Guide 2026
Post-quantum cryptography is a Gartner Top Cybersecurity Trend for 2026 and the subject of active government mandates globally. For the AI acceleration of this threat, see the Nation-State AI Cyberwarfare guide. The broader cryptography fundamentals are in the Ethical Hacking series.
Why Quantum Computers Threaten Current Encryption
My plain-English explanation for security teams who haven’t followed the quantum cryptography narrative closely — and there’s no shame in that, it’s been a niche topic until recently: the threat isn’t that quantum computers will brute-force your encryption password. It’s that they can efficiently solve the mathematical problems that make current public-key encryption secure. RSA encryption is secure today because factoring a large number into its prime factors is computationally infeasible for classical computers. A sufficiently powerful quantum computer running Shor’s algorithm can solve that factoring problem efficiently in polynomial time — making RSA breakable.
QUANTUM THREAT TO CRYPTOGRAPHY — PLAIN ENGLISH
# Vulnerable algorithms (quantum-breakable)
RSA: broken by Shor’s algorithm (factoring large integers)
ECC (Elliptic Curve): broken by Shor’s algorithm (discrete logarithm)
DH (Diffie-Hellman): broken by Shor’s algorithm
Used in: TLS/HTTPS, SSH, VPN, email encryption, certificate infrastructure
Symmetric encryption generally: weakened by Grover’s algorithm but not broken — key length doubling mitigates this
# The timeline
Current quantum computers: too small and error-prone to break real encryption
Expert estimates: 10–15 years before cryptographically relevant quantum computers exist
Critical point: Palo Alto notes “AI has dramatically accelerated this timeline”
For long-lived data: the threat is now — not in 10 years
Harvest Now, Decrypt Later — The Immediate Threat
The reason I tell security teams to act now rather than waiting for quantum computers to arrive: harvest now, decrypt later (HNDL) attacks are already happening. State actors are collecting encrypted communications today — TLS sessions, VPN traffic, encrypted files — storing them, and waiting until quantum computers are powerful enough to decrypt them. My firm assessment: any organisation handling data that needs to remain confidential for more than a decade should treat HNDL as an active, present threat, not a future one.
HARVEST NOW DECRYPT LATER — THE THREAT MODEL
# Who is doing this
Nation-state actors with long-term intelligence objectives
Primary targets: government comms, defence contractors, critical infrastructure, pharma R&D
US CISA confirmed: multiple nation-states are actively conducting HNDL collection
# What they’re harvesting
TLS/HTTPS traffic captured at internet exchange points or via network taps
Encrypted files exfiltrated from breached organisations
VPN session captures from government and corporate networks
Encrypted email archives
# AI’s role in accelerating the threat
AI accelerates quantum computer development timelines (ML for error correction)
AI optimises collection strategies — which traffic to prioritise harvesting
Palo Alto: AI has “dramatically accelerated” the timeline for this threat
# Your data that’s at risk
Any encrypted data that needs to remain confidential beyond 2035
Trade secrets, patents, long-term contracts, medical records, state secrets
Authentication credentials and keys used to protect long-lived assets
NIST PQC Standards — What Got Standardised
NIST finalised its first post-quantum cryptography standards in August 2024 after a multi-year evaluation process. My summary of what was standardised and what it practically means for security teams and organisations beginning migration planning.
NIST PQC STANDARDS — FINALISED AUGUST 2024
# FIPS 203 — ML-KEM (Kyber)
Purpose: key encapsulation mechanism — replaces RSA/ECC for key exchange
Use cases: TLS handshake, SSH key exchange, VPN connections
Status: finalised — primary recommendation for key exchange
# FIPS 204 — ML-DSA (Dilithium)
Purpose: digital signatures — replaces RSA/ECDSA for signing
Use cases: code signing, certificate signing, document signing
Strength: lattice-based, so it rests on different mathematical assumptions from the factoring and discrete-log problems behind RSA/ECDSA
Status: finalised
# What this means for your organisation
Standards are done — vendors are now implementing them in products and libraries
Migration target: FIPS 203 for key exchange, FIPS 204 for signatures
Hybrid approach: many vendors deploying classical + PQC simultaneously during transition
Post-Quantum Migration Priority — By Algorithm and Use Case
Current Algorithm        | Quantum Risk | PQC Replacement            | Priority
RSA-2048 (key exchange)  | Breakable    | ML-KEM (FIPS 203)          | Urgent
ECDSA signatures         | Breakable    | ML-DSA (FIPS 204)          | Urgent
TLS 1.3 (ECDH)           | Breakable    | Hybrid TLS (PQC+classical) | High
AES-128                  | Weakened     | AES-256                    | Medium
SHA-256                  | Resistant    | No change needed           | Low
Post-quantum cryptography migration priority matrix. RSA and ECC-based algorithms used for key exchange and signatures are the highest priority because they’re directly breakable by Shor’s algorithm on a sufficiently powerful quantum computer. These are used in TLS, SSH, VPN, and certificate infrastructure — the backbone of secure communications. AES-256 and SHA-256 are quantum-resistant with appropriate parameters. My migration planning recommendation: start with the Urgent items in any system storing data that needs to remain confidential beyond 2035.
Assessing Your Quantum Risk
Gartner recommends starting by identifying, managing, and planning to replace traditional encryption methods — and specifically prioritising “cryptographic agility.” My practical framing: cryptographic agility means building systems that can swap encryption algorithms without a full rebuild. If every system in your organisation has RSA hardcoded in without abstraction, your migration will be extremely painful. If algorithms are abstracted and swappable, migration is much more manageable.
QUANTUM RISK ASSESSMENT — WHERE TO LOOK
# High-priority systems (long-lived sensitive data)
Data with confidentiality requirements beyond 2035: patents, trade secrets, medical records
Communications: anything interceptable at network level (HNDL exposure)
# Cryptographic inventory questions
What algorithms does your TLS implementation use? (Check: ssl_protocols, ssl_ciphers and ssl_ecdh_curve in the nginx server config, or the equivalent directives for your web server)
What are your code signing certificates using? (RSA-2048? ECC P-256?)
Are any algorithms hardcoded in application code? (grep for RSA, ECDSA, DH)
Do you have VPN or SSH connections carrying long-lived sensitive data?
# Government sector immediate action
US federal agencies: NSM-10 (2022) mandates PQC migration planning
UK NCSC: published PQC migration guidance for critical national infrastructure
EU: NIS2 directive driving PQC adoption in critical sectors
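As a starting point for the inventory questions above, here is an added example (my own code, not from the guide or from any vendor it names) of a small scanner that applies this guide's priority matrix to source and configuration text. The file contents, paths and the set of "long-lived" systems are constructed for the demonstration; the nginx directive names ssl_ciphers and ssl_ecdh_curve are real, everything else in the sample is made up. It goes slightly beyond the matrix in one respect: a classical curve that appears on the same line as an ML-KEM group is reported as already hybridised rather than as a gap.

```python
"""Cryptographic inventory scanner (added example, not part of the guide).

Scans source and configuration text for algorithm identifiers, classifies each
hit by quantum risk using the guide's migration priority matrix, promotes
quantum-breakable algorithms that protect long-lived data to Urgent, and
separates out 'agility debt': algorithm choices hardcoded in application code.
All file contents below are constructed for the example.
"""
import re
from collections import Counter
from dataclasses import dataclass

# algorithm -> (PQC replacement, quantum risk), following the guide's matrix
ALGORITHM_RISK = {
    "RSA":     ("ML-KEM (FIPS 203) for key exchange, ML-DSA (FIPS 204) for signatures", "Breakable"),
    "ECDSA":   ("ML-DSA (FIPS 204)", "Breakable"),
    "ECDH":    ("Hybrid TLS (ML-KEM + classical)", "Breakable"),
    "X25519":  ("Hybrid TLS (ML-KEM + X25519)", "Breakable"),
    "DH":      ("ML-KEM (FIPS 203)", "Breakable"),
    "AES-128": ("AES-256", "Weakened"),
    "AES-256": ("No change needed", "Resistant"),
    "SHA-256": ("No change needed", "Resistant"),
    "ML-KEM":  ("No change needed", "Resistant"),
    "ML-DSA":  ("No change needed", "Resistant"),
}
CLASSICAL_KX = {"ECDH", "X25519", "DH"}
PRIORITY_ORDER = {"Urgent": 0, "High": 1, "Medium": 2, "Low": 3}
SOURCE_EXTENSIONS = (".py", ".java", ".go", ".js", ".rs", ".c")

# Identifier patterns (case-insensitive). The lookarounds keep 'ECDHE' from also
# matching 'DH', and the nginx directive name ssl_ecdh_curve from matching 'ECDH'.
PATTERNS = [(name, re.compile(rx, re.I)) for name, rx in [
    ("ML-KEM",  r"ML[-_]?KEM"),
    ("ML-DSA",  r"ML[-_]?DSA"),
    ("ECDSA",   r"ECDSA"),
    ("ECDH",    r"(?<![a-z_])ECDHE?(?![a-z_])|prime256v1|secp(?:256|384|521)r1"),
    ("X25519",  r"X25519"),
    ("RSA",     r"\bRSA"),
    ("DH",      r"(?<![a-z_])DH(?:E|PARAM)?(?![a-z])"),
    ("AES-128", r"AES[-_]?128"),
    ("AES-256", r"AES[-_]?256"),
    ("SHA-256", r"SHA[-_]?256"),
]]


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    algorithm: str
    risk: str
    replacement: str
    priority: str
    snippet: str


def classify(algorithm, algorithms_on_line, long_lived):
    """Map one hit to (risk, replacement, priority). A classical key-exchange
    algorithm that shares a line with ML-KEM is already hybridised, not a gap."""
    replacement, risk = ALGORITHM_RISK[algorithm]
    if algorithm in CLASSICAL_KX and "ML-KEM" in algorithms_on_line:
        return "Hybridised", "Already paired with ML-KEM", "Low"
    if risk == "Breakable":
        return risk, replacement, "Urgent" if long_lived else "High"
    if risk == "Weakened":
        return risk, replacement, "Medium"
    return risk, replacement, "Low"


def scan_sources(files, long_lived_paths):
    """files: {path: text}; long_lived_paths: paths protecting data that must stay
    confidential beyond 2035. Returns findings, most urgent first."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            on_line = {name for name, rx in PATTERNS if rx.search(line)}
            for name in on_line:
                risk, repl, prio = classify(name, on_line, path in long_lived_paths)
                findings.append(Finding(path, line_no, name, risk, repl, prio, line.strip()))
    findings.sort(key=lambda f: (PRIORITY_ORDER[f.priority], f.path, f.line_no, f.algorithm))
    return findings


def agility_debt(findings):
    """Hits inside application source rather than config: changing these needs a
    code change, which is the migration blocker the guide warns about."""
    return [f for f in findings if f.path.endswith(SOURCE_EXTENSIONS) and f.risk != "Resistant"]


def summarise(findings):
    return dict(Counter(f.priority for f in findings))


# Constructed sample inventory: two application files and two nginx server configs.
SAMPLE_FILES = {
    "app/tokens.py": "key = rsa.generate_private_key(65537, 2048)\nsig = ECDSA_P256.sign(payload)\n",
    "app/records_vault.py": "cipher = AES.new(key, AES.MODE_GCM)  # AES-128 key from KMS\n",
    "nginx/patents.conf": "ssl_protocols TLSv1.3;\nssl_ecdh_curve X25519MLKEM768:X25519;\n",
    "nginx/public-site.conf": "ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256;\nssl_ecdh_curve prime256v1;\n",
}
LONG_LIVED = {"app/tokens.py", "app/records_vault.py", "nginx/patents.conf"}

if __name__ == "__main__":
    results = scan_sources(SAMPLE_FILES, LONG_LIVED)
    for f in results:
        print(f"{f.priority:6} {f.risk:10} {f.algorithm:8} {f.path}:{f.line_no}  -> {f.replacement}")
    print("agility debt (hardcoded in application code):", len(agility_debt(results)))
```

On the constructed sample the two Urgent findings are both in app/tokens.py, which is exactly the pattern the exercise later in this guide predicts: the long-lived data is a small set of systems, and the blocker is that their algorithms live in code rather than configuration.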
The Migration Roadmap
PQC MIGRATION ROADMAP — PRACTICAL STEPS
# Now (2026): inventory and planning
Cryptographic inventory: document all algorithms in use across your systems
Risk assessment: identify long-lived sensitive data and HNDL-exposed communications
Vendor audit: which vendors support PQC? What are their migration timelines?
# 2026–2028: early migration
Deploy hybrid TLS: many vendors now supporting classical + ML-KEM in parallel
Code signing: migrate to ML-DSA for new certificate issuance
High-priority systems: migrate long-lived sensitive data to PQC-protected storage
# 2028–2033: full migration
Complete TLS infrastructure migration to PQC-only key exchange
Retire RSA and ECC certificates
Validate all third-party integrations support PQC
# Cryptographic agility — build it in now
New system design: abstract algorithm selection — configurable not hardcoded
This is the single architectural decision that makes migration manageable
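The agility point deserves code. The following is an added example, not the guide's code and not any library's API: a KEM interface, a registry that a config file selects from, a policy check that refuses a classical-only key exchange for long-lived data, and a hybrid combiner that derives one session key from both component secrets with HKDF-SHA256. The standard library has no X25519 or ML-KEM implementation, so the registered components are insecure stand-ins constructed for the example; the names X25519 and ML-KEM-768 refer to the real algorithms a deployment would wrap (for instance from liboqs, which the guide lists).

```python
"""Cryptographic agility for key exchange (added example, not the guide's code).

Two ideas from the roadmap: algorithm selection is read from configuration
rather than hardcoded next to the code that uses the session key, and a hybrid
combiner derives one key from a classical and a post-quantum shared secret so
the result stays secret while either component does. The standard library has
no X25519 or ML-KEM, so the registry holds deliberately INSECURE stand-ins
(constructed for this example) that only satisfy the interface and round-trip
correctly; a deployment would register wrappers around a library such as liboqs.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Protocol


class KEM(Protocol):
    """The interface every component must satisfy: the application depends on
    this, never on a specific algorithm."""
    name: str
    def generate(self) -> tuple[bytes, bytes]: ...                         # (public_key, secret_key)
    def encapsulate(self, public_key: bytes) -> tuple[bytes, bytes]: ...   # (ciphertext, shared_secret)
    def decapsulate(self, secret_key: bytes, ciphertext: bytes) -> bytes: ...


@dataclass(frozen=True)
class StandInKEM:
    """INSECURE stand-in: anyone holding pk and ct can recompute the secret.
    It exists only so the example runs offline; do not deploy it."""
    name: str

    def generate(self):
        sk = secrets.token_bytes(32)
        return hashlib.sha256(self.name.encode() + sk).digest(), sk

    def encapsulate(self, public_key):
        ct = secrets.token_bytes(32)
        return ct, hashlib.sha256(public_key + ct).digest()

    def decapsulate(self, secret_key, ciphertext):
        pk = hashlib.sha256(self.name.encode() + secret_key).digest()
        return hashlib.sha256(pk + ciphertext).digest()


# Swappable registry: a config file names the components, the code looks them up.
REGISTRY: dict[str, KEM] = {"X25519": StandInKEM("X25519"), "ML-KEM-768": StandInKEM("ML-KEM-768")}
POST_QUANTUM = {"ML-KEM-768"}


@dataclass(frozen=True)
class KeyExchangePolicy:
    """Would normally be loaded from config, e.g. kx = ["X25519", "ML-KEM-768"]."""
    components: tuple[str, ...]

    def validate(self, long_lived_data: bool):
        unknown = [c for c in self.components if c not in REGISTRY]
        if unknown:
            raise ValueError(f"unregistered key exchange component(s): {unknown}")
        if long_lived_data and not any(c in POST_QUANTUM for c in self.components):
            raise ValueError("data confidential beyond 2035 needs a post-quantum component")
        return self


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand over HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def combine(policy: KeyExchangePolicy, shared_secrets: list, transcript: bytes) -> bytes:
    """Hybrid combiner: concatenate the component secrets in policy order and run
    them through HKDF bound to the component names and the handshake transcript.
    An attacker missing any one component secret does not know the HKDF input."""
    if len(shared_secrets) != len(policy.components):
        raise ValueError("one shared secret per configured component")
    info = b"hybrid-kx:" + ",".join(policy.components).encode() + b"|" + transcript
    return hkdf_sha256(b"".join(shared_secrets), salt=b"example-salt", info=info)


def run_exchange(policy: KeyExchangePolicy, transcript: bytes = b"constructed transcript"):
    """End to end: server generates key pairs, client encapsulates to each,
    both sides derive the session key. Returns (client_key, server_key)."""
    kems = [REGISTRY[c] for c in policy.components]
    keypairs = [k.generate() for k in kems]                                   # server side
    encaps = [k.encapsulate(pk) for k, (pk, _) in zip(kems, keypairs)]         # client side
    client_key = combine(policy, [ss for _, ss in encaps], transcript)
    server_secrets = [k.decapsulate(sk, ct) for k, (_, sk), (ct, _) in zip(kems, keypairs, encaps)]
    return client_key, combine(policy, server_secrets, transcript)


if __name__ == "__main__":
    hybrid = KeyExchangePolicy(("X25519", "ML-KEM-768")).validate(long_lived_data=True)
    c, s = run_exchange(hybrid)
    print("hybrid session keys agree:", c == s, c.hex()[:16])
```

Moving from hybrid to ML-KEM-only later is then a one-line change to the policy tuple, and the policy check is where a reviewer can see that nothing classified as long-lived is still negotiating a purely classical exchange.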
EXERCISE — THINK LIKE A SECURITY ARCHITECT (15 MIN)
Build Your PQC Migration Priority List
Step 1: Identify your “long-lived sensitive data”
What data in your organisation needs to remain confidential for 10+ years?
Examples: product development IP, patient records, financial agreements, personnel records
Step 2: Map the encryption protecting it
What encrypts data at rest? (AES-256? AES-128? Something else?)
What encrypts data in transit? (TLS version? Key exchange algorithm?)
What authenticates access? (RSA certificates? ECC? Hardware tokens?)
Step 3: HNDL exposure assessment
Which of these communications are transmitted over networks that could be captured?
(VPN traffic, HTTPS connections, inter-datacenter links?)
How likely is a state-level adversary to have captured this traffic historically?
Step 4: Cryptographic agility assessment
Can you swap the key exchange algorithm in your TLS implementation without rebuilding?
Is algorithm selection abstracted from business logic in your applications?
Do you use a certificate management platform that supports PQC certs?
✅ Most organisations completing this exercise find their Tier 1 is smaller than expected — the genuinely long-lived sensitive data is a limited category — but that it includes some high-value targets like executive communications, M&A planning data, and R&D IP. The actionable output is targeting those specific systems for early PQC migration rather than trying to migrate everything simultaneously. The cryptographic agility assessment in Step 4 often reveals the real migration blocker: hardcoded algorithms that require application changes rather than configuration changes.
Vendor and Library Support — What’s Available Now
My practical implementation update as of May 2026: the NIST standards are finalised, and vendor implementation is moving faster than most security teams expect. My direct message to every security architect planning migration timelines right now: the tooling already exists to start hybrid TLS deployments, so you do not have to wait for the full ecosystem to migrate before beginning.
PQC IMPLEMENTATION STATUS — 2026
# TLS/HTTPS (highest priority deployment)
Cloudflare: ML-KEM hybrid TLS deployed to global network
Google Chrome: supports X25519Kyber768 hybrid key exchange
AWS: post-quantum TLS option available for KMS and other services
Status: hybrid deployment (classical + ML-KEM) is deployable today
# Certificate infrastructure
Let’s Encrypt and commercial CAs: beginning ML-DSA certificate issuance pilots
PKI migration: longer-term project — certificate chain validation requires full ecosystem support
# Cryptographic libraries
OpenSSL 3.x: FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA) support available
BoringSSL (Google): ML-KEM deployed in Chrome hybrid TLS
liboqs (Open Quantum Safe): reference implementations for all NIST PQC standards
# What security teams can do today
Enable hybrid TLS (ML-KEM + classical) on edge infrastructure via Cloudflare or CDN
Inventory: run openssl s_client checks to identify which TLS configurations use quantum-vulnerable key exchange
Plan: new systems designed with algorithm abstraction for future migration
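For the openssl s_client check listed above, an added example (my own code, not from the guide or from OpenSSL) that parses the tool's summary output and rates the negotiated key exchange against this guide's matrix. The three captures are constructed to follow the s_client summary format (Protocol, Cipher, Server Temp Key, Negotiated TLS1.3 group and Peer signature type lines); the host names are placeholders. It also reports the certificate signature algorithm, which the key-exchange check alone does not cover.

```python
"""Inventory of negotiated TLS key exchange from openssl s_client output
(added example, not the guide's code).

Feed it the text of `openssl s_client -connect host:443 </dev/null` captures;
it pulls out protocol, cipher, negotiated group or ephemeral key and the peer
signature type, then rates the key exchange against the guide's matrix. The
captures below are constructed to follow the s_client summary format.
"""
import re
from dataclasses import dataclass

FIELDS = {
    "protocol": re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M),
    "cipher":   re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M),
    "temp_key": re.compile(r"^Server Temp Key:\s*(.+?)\s*$", re.M),
    "group":    re.compile(r"^Negotiated TLS1\.3 group:\s*(\S+)", re.M),
    "peer_sig": re.compile(r"^Peer signature type:\s*(\S+)", re.M),
}
PQ_MARKERS = ("MLKEM", "ML-KEM", "KYBER")
CLASSICAL_MARKERS = ("X25519", "X448", "P-256", "P-384", "P-521", "SECP", "PRIME256", "FFDHE")
PRIORITY_ORDER = {"Urgent": 0, "High": 1, "Low": 2}


def parse_s_client(output: str) -> dict:
    """Pull the five fields of interest out of one capture (None when absent)."""
    return {k: (m.group(1) if (m := rx.search(output)) else None) for k, rx in FIELDS.items()}


def key_exchange_name(fields: dict) -> str:
    """TLS 1.3 builds print the negotiated group; older output prints
    'Server Temp Key: ECDH, P-256, 256 bits' or 'X25519, 253 bits'; a TLS 1.2
    session with no ephemeral key at all is RSA key transport."""
    if fields["group"]:
        return fields["group"]
    if fields["temp_key"]:
        parts = [p.strip() for p in fields["temp_key"].split(",")]
        return parts[1] if parts[0] in ("ECDH", "DH") and len(parts) > 1 else parts[0]
    if (fields["protocol"] or "").startswith("TLSv1.3"):
        return "unknown TLS 1.3 group"
    return "RSA key transport"


@dataclass(frozen=True)
class Assessment:
    host: str
    key_exchange: str
    risk: str
    priority: str
    note: str


def assess(host: str, output: str) -> Assessment:
    fields = parse_s_client(output)
    kx = key_exchange_name(fields)
    upper = kx.upper()
    sig = fields["peer_sig"] or ""
    sig_note = (f"; certificate signature {sig} is still quantum-breakable (ML-DSA once the CA supports it)"
                if sig.upper().startswith(("RSA", "ECDSA")) else "")
    if any(m in upper for m in PQ_MARKERS):
        if any(m in upper for m in CLASSICAL_MARKERS):
            return Assessment(host, kx, "Hybridised", "Low", "hybrid key exchange in place" + sig_note)
        return Assessment(host, kx, "Post-quantum", "Low", "post-quantum key exchange in place" + sig_note)
    if kx == "RSA key transport":
        return Assessment(host, kx, "Breakable", "Urgent",
                          "no forward secrecy; every captured session rests on the RSA private key (HNDL exposure)" + sig_note)
    return Assessment(host, kx, "Breakable", "High",
                      "classical (EC)DH; enable a hybrid group such as X25519MLKEM768" + sig_note)


def inventory(captures: dict) -> list:
    """captures: {host: s_client output}. Most urgent first."""
    return sorted((assess(h, o) for h, o in captures.items()),
                  key=lambda a: (PRIORITY_ORDER[a.priority], a.host))


# Constructed captures in the shape of the s_client summary; hosts are placeholders.
SAMPLE_CAPTURES = {
    "edge.example.test": """\
CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
Peer signature type: RSA-PSS
Negotiated TLS1.3 group: X25519MLKEM768
""",
    "intranet.example.test": """\
CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server Temp Key: X25519, 253 bits
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
Peer signature type: ECDSA
""",
    "legacy-erp.example.test": """\
CONNECTED(00000003)
---
New, TLSv1.2, Cipher is AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
""",
}

if __name__ == "__main__":
    for a in inventory(SAMPLE_CAPTURES):
        print(f"{a.priority:6} {a.risk:12} {a.host:24} {a.key_exchange:16} {a.note}")
```

Run it over a directory of saved captures and the Urgent rows (RSA key transport, no forward secrecy) are the sessions most exposed to harvest-now-decrypt-later collection; the Low rows are already on a hybrid group and only the certificate signature remains on the migration list.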
Post-Quantum Cryptography — Key Points
RSA and ECC are quantum-breakable — Shor’s algorithm breaks them efficiently
HNDL: state actors collecting encrypted data NOW to decrypt when quantum computers arrive
NIST finalised first PQC standards Aug 2024: ML-KEM (key exchange), ML-DSA (digital signatures)
Immediate priority: long-lived sensitive data + HNDL-exposed communications
Cryptographic agility: abstract algorithm selection now — makes migration manageable later
PQC — Start Your Cryptographic Inventory
The inventory is the necessary first step. Document what algorithms you use and where. That single activity will identify your Tier 1 migration priorities and show whether you have cryptographic agility or hardcoded algorithm debt to resolve. For the state actor threat context, the Nation-State AI Cyberwarfare guide covers who is conducting HNDL collection and why.
Quick Check
A company’s CISO says: “We don’t need to worry about post-quantum cryptography for another 10 years — quantum computers powerful enough to break encryption don’t exist yet.” What is the critical flaw in this reasoning?
Frequently Asked Questions
What is post-quantum cryptography?
Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to be secure against attacks from quantum computers. Current public-key algorithms (RSA, ECC, Diffie-Hellman) are vulnerable to Shor’s algorithm running on a sufficiently powerful quantum computer. NIST standardised the first PQC algorithms in August 2024: ML-KEM (FIPS 203) for key encapsulation and ML-DSA (FIPS 204) for digital signatures. These are based on mathematical problems believed to be hard for both classical and quantum computers.
What is a harvest now, decrypt later attack?
A harvest now, decrypt later (HNDL) attack involves collecting and storing encrypted communications or data today, with the intention of decrypting it once quantum computers become powerful enough to break the encryption protecting it. State actors are documented as conducting these collections, targeting government communications, defence contractors, and critical infrastructure. The attack is relevant today because any data that needs to remain confidential for more than 10 years is already at risk from this collection strategy.
Which algorithms are quantum-safe?
The NIST-standardised PQC algorithms — ML-KEM, ML-DSA, and SLH-DSA — are designed to be quantum-resistant. Among existing algorithms, AES-256 provides adequate quantum security (quantum computing weakens it to 128-bit effective security, which remains strong). SHA-256 and SHA-3 are resistant to known quantum attacks. The algorithms that are specifically vulnerable are RSA, ECC (ECDSA, ECDH), and traditional Diffie-Hellman — these should be replaced for long-lived sensitive applications.
Further Reading
Nation-State AI Cyberwarfare 2026 — The geopolitical context for HNDL attacks. Which nation-states are conducting these collections, what they’re targeting, and the broader AI cyberwarfare picture.
NIST — Post-Quantum Cryptography Standardisation — The primary source. All three finalised PQC standards (FIPS 203, 204, 205) with full specifications, implementation guidance, and the rationale for algorithm selection.
CISA — Post-Quantum Cryptography Initiative — US government guidance on PQC migration, including the roadmap for federal agencies and recommended migration priorities for critical infrastructure sectors.
Palo Alto — Cybersecurity Predictions 2026 — The source for the “largest and most complex cryptographic migration in history” framing and AI acceleration of the quantum timeline cited above.
Mr Elite
Owner, SecurityElites.com
My message to security teams asking about post-quantum cryptography priorities: the urgency depends entirely on your organisation’s data classification and retention requirements. If you’re protecting transaction data with a 30-day relevance window, you have time. If you’re protecting R&D intellectual property, long-term contracts, or medical records with decades of confidentiality requirements, the HNDL threat makes this a current-year priority. The cryptographic inventory is the highest-value first step regardless of where you sit on that spectrum — you can’t make rational migration decisions without knowing what you have. That inventory typically takes one experienced engineer about two weeks of dedicated effort and produces the foundational input to every other PQC migration decision the organisation will make — which algorithms to prioritise, which systems to migrate first, and where cryptographic agility needs to be built in before migration can even begin.
Founder of Securityelites and creator of the SE-ARTCP credential. Working penetration tester focused on AI red team, prompt injection research, and LLM security education.