DEV Community

Haven Messenger

Posted on • Originally published at havenmessenger.com

Post-Quantum Cryptography: What Happens to Your Encrypted Data When Quantum Arrives

Cryptographers are engaged in a race against a computer that doesn't fully exist yet. Quantum computers will, when sufficiently large and reliable, break the public-key cryptography that secures most internet communications today — HTTPS, SSH, PGP, Signal, and more. NIST finalized post-quantum replacement standards in August 2024. The migration has started. Here's what's actually at stake and where things stand.

The security of RSA and elliptic-curve cryptography (ECC) rests on mathematical problems that are computationally hard on classical computers. RSA relies on the difficulty of factoring large integers. ECC relies on the hardness of the elliptic-curve discrete logarithm problem. Both problems are efficiently solvable by a quantum computer running Shor's algorithm — a quantum algorithm published by Peter Shor in 1994.

"Efficiently solvable" means polynomial time rather than exponential time. A 2048-bit RSA key that would take classical computers longer than the age of the universe to factor could theoretically be broken by a sufficiently large quantum computer in hours. The word "theoretically" is doing heavy lifting here — the quantum computer required doesn't exist yet — but the mathematical vulnerability is not in dispute.

What's Actually Vulnerable

Not all cryptography is equally affected by quantum computing. The threat splits cleanly:

Algorithm        | Purpose                  | Quantum Threat                           | Replacement
-----------------|--------------------------|------------------------------------------|---------------------
RSA-2048/4096    | Key exchange, signatures | Broken by Shor's                         | ML-KEM (Kyber)
ECDH / X25519    | Key exchange             | Broken by Shor's                         | ML-KEM (Kyber)
ECDSA / Ed25519  | Digital signatures       | Broken by Shor's                         | ML-DSA (Dilithium)
AES-256          | Symmetric encryption     | Weakened by Grover's (128-bit effective) | Keep using AES-256
SHA-256 / SHA-3  | Hashing                  | Weakened by Grover's (128-bit effective) | Keep using SHA-256+

The key insight: symmetric cryptography is weakened but not broken by quantum computing. Grover's algorithm halves the effective key length of symmetric ciphers. AES-256 becomes effectively AES-128 against a quantum adversary — still computationally expensive to break, not broken in principle. The algorithms that are actually broken are the asymmetric ones: the key exchange and signature algorithms used in TLS handshakes, SSH key exchange, PGP encryption, and the initial key agreement in messaging protocols.

Harvest Now, Decrypt Later: The Immediate Threat

The practical concern doesn't wait for a quantum computer to arrive. State actors almost certainly began collecting encrypted internet traffic years ago under the assumption that they'll be able to decrypt it retroactively once a capable quantum computer becomes available. This strategy is called "harvest now, decrypt later" — and it's the reason the post-quantum migration matters even before quantum computers can break encryption in real time.

Why This Matters Now: Any data encrypted today using RSA or ECC key exchange — classified government communications, medical records, financial transactions, journalist-source communications — may already be in adversarial hands, stored for future decryption. The relevant question is not "when will quantum computers arrive?" but "how long does my data need to remain confidential?"

Perfect forward secrecy helps mitigate this in theory — ephemeral session keys mean captured traffic can't be decrypted even if a long-term key is later compromised. But forward secrecy doesn't help if the ephemeral key exchange itself (using ECDH) is broken by a quantum computer. The traffic captured today can be retroactively decrypted once the ephemeral keys are reconstructed via Shor's algorithm.

NIST's Post-Quantum Standards

The National Institute of Standards and Technology ran a multi-year post-quantum cryptography competition starting in 2016. After multiple rounds of evaluation and cryptanalysis by the global research community, NIST finalized three primary standards in August 2024:

  • ML-KEM (FIPS 203) — Module-Lattice Key Encapsulation Mechanism, based on CRYSTALS-Kyber. Replaces RSA and ECDH for key encapsulation/exchange. Based on the hardness of the Module Learning With Errors (MLWE) problem.
  • ML-DSA (FIPS 204) — Module-Lattice Digital Signature Algorithm, based on CRYSTALS-Dilithium. Replaces ECDSA/Ed25519 for digital signatures.
  • SLH-DSA (FIPS 205) — Stateless Hash-Based Digital Signature Algorithm, based on SPHINCS+. A hash-based signature scheme that provides a mathematically independent backup to the lattice-based ML-DSA — its security rests on the security of hash functions rather than lattice problems.

These algorithms rest on different mathematical structures than RSA/ECC — primarily lattice problems and hash functions — which are believed to resist both classical and quantum attacks. They are also far younger and less cryptanalyzed than RSA/ECC, which is why hybrid schemes (combining a classical and a post-quantum algorithm) are currently preferred — an attacker must break both to break the hybrid.

Who Has Already Migrated

Migration is happening faster than most public discussion acknowledges.

Signal deployed PQXDH (Post-Quantum Extended Diffie-Hellman) in September 2023, combining X25519 with CRYSTALS-Kyber for key agreement. A session protected by PQXDH requires an adversary to break both the classical ECDH exchange and the post-quantum ML-KEM exchange — providing security against harvest-now-decrypt-later attacks even if one algorithm is eventually broken.
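The hybrid construction described in the NIST section and in Signal's PQXDH, as an added example that is not part of the original post and not Signal's or Apple's code: an X25519 shared secret and an ML-KEM-768 shared secret are fed through one KDF, so an adversary who recovers only the ECDH half (the part Shor's algorithm breaks) still lacks the session key. It assumes Go 1.24 or later (crypto/mlkem in the standard library); the salt label and the KDF layout are constructed for illustration and are not PQXDH's exact derivation.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// hybridKDF: HKDF-SHA256 over both secrets plus the KEM ciphertext (constructed salt label).
func hybridKDF(ssECDH, ssKEM, ctKEM []byte, info string) []byte {
	ikm := append(append(append([]byte{}, ssECDH...), ssKEM...), ctKEM...)
	extract := hmac.New(sha256.New, []byte("example-hybrid-salt"))
	extract.Write(ikm)
	expand := hmac.New(sha256.New, extract.Sum(nil)) // PRK keys the expand step
	expand.Write([]byte(info))
	expand.Write([]byte{0x01})
	return expand.Sum(nil) // 32-byte session key
}

// hybridExchange runs one X25519 + ML-KEM-768 agreement; recovering the key needs BOTH secrets.
func hybridExchange() (initiatorKey, responderKey []byte, err error) {
	curve := ecdh.X25519()
	// Responder's published keys: an X25519 key pair and an ML-KEM-768 key pair.
	rEC, err := curve.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	rKEM, err := mlkem.GenerateKey768()
	if err != nil { return nil, nil, err }
	// Initiator: ephemeral X25519 plus one KEM encapsulation to the responder.
	iEC, err := curve.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	ssECDHi, err := iEC.ECDH(rEC.PublicKey())
	if err != nil { return nil, nil, err }
	ssKEMi, ct := rKEM.EncapsulationKey().Encapsulate()
	initiatorKey = hybridKDF(ssECDHi, ssKEMi, ct, "session")
	// Responder: from the initiator's X25519 public key and ct, rebuild both secrets.
	ssECDHr, err := rEC.ECDH(iEC.PublicKey())
	if err != nil { return nil, nil, err }
	ssKEMr, err := rKEM.Decapsulate(ct)
	if err != nil { return nil, nil, err }
	responderKey = hybridKDF(ssECDHr, ssKEMr, ct, "session")
	return initiatorKey, responderKey, nil
}
func main() {
	a, b, err := hybridExchange()
	if err != nil { panic(err) }
	fmt.Printf("initiator %x...\nresponder %x...\n", a[:8], b[:8])
}
```

The ML-KEM ciphertext is mixed into the KDF so that the derived key is bound to the exact encapsulation the responder decapsulated, which is the standard hardening for KEM combiners.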

Apple deployed PQ3 in iMessage in February 2024, also using a hybrid scheme combining ECC with Kyber. iMessage's PQ3 provides post-quantum security for initial key establishment and ongoing rekeying, so that even if device keys are compromised in the future, the conversation history remains protected.

Major browsers (Chrome and Firefox) added support for hybrid X25519+ML-KEM key exchange in TLS 1.3 during 2023-2024. Cloudflare and other major TLS intermediaries began offering post-quantum TLS connections. OpenSSH 9.0 (released April 2022) added ML-KEM-based key exchange.

The Timeline Question

A Cryptographically Relevant Quantum Computer (CRQC) — one large and stable enough to run Shor's algorithm against RSA-2048 — requires on the order of 4,000 logical qubits. Due to quantum error correction requirements, logical qubits require hundreds to thousands of physical qubits each. Current quantum computers (as of mid-2026) operate in the thousands of noisy physical qubits range and are far from the millions of stable physical qubits needed.

Estimates for when a CRQC might exist range from 5 years (optimistic) to 20+ years (common among independent cryptographers) to "never with current architectural approaches." The honest answer is that no one knows. What is known is that the harvest-now-decrypt-later threat is real regardless of timeline, and that migration takes years to complete across global infrastructure.

What You Should Do Today

  • Keep software updated. Post-quantum upgrades are being shipped silently in operating systems, browsers, and apps. Staying current is the primary action available to most users.
  • Prefer apps that have announced PQC migration. Signal's PQXDH and Apple's PQ3 are publicly documented. Others are in progress.
  • For long-lived sensitive documents, consider additional symmetric encryption with AES-256. Symmetric encryption is quantum-resistant at 256-bit key lengths.
  • Evaluate your data's required confidentiality horizon. Information that needs to stay secret for 20+ years faces a different risk profile than information relevant for 2 years.
  • Don't panic about current communications. The infrastructure migration is underway, and for most users, the most important action is simply running up-to-date software from providers who are actively migrating.

The cryptographic transition underway is the largest infrastructure-level security migration since the introduction of TLS itself. It's happening gradually and mostly invisibly — which is exactly how large infrastructure migrations should happen. The threat is real, the solutions are standardized, and the work is in progress.

