
Leo Pechnicki


The Cryptographic Cliff: Post-Quantum Migration at Scale

The Clock Is Already Running

On August 13, 2024, the U.S. National Institute of Standards and Technology published three finalized post-quantum cryptography (PQC) standards: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). This capped a standardization process that began with NIST's 2016 call for submissions. The standards exist. The algorithms have survived years of open public cryptanalysis. The migration path is documented.

So why is almost no one doing it?

The honest answer is not technical. The standards arrived ahead of institutional capacity, not ahead of institutional need. The enemy is not a missing algorithm — it is a systematic incentive failure compounded by legacy lock-in, regulatory fragmentation, and a threat that is catastrophically non-linear: one day the risk is theoretical, the next day your encrypted archives from 2019 are legible to an adversary. There is no gradual onset. There is no warning shot.

This article makes the case that the migration window is narrower than it appears, that damage is accumulating right now through Harvest-Now, Decrypt-Later (HNDL) operations, and that the organizations most exposed — large financial institutions, government contractors, critical infrastructure operators — are also the ones least structurally capable of moving fast.


Part I: The Quantum Compute Timeline — What We Actually Know

Understanding the threat requires disentangling hype from engineering reality.

Where the Hardware Stands

Google's Willow chip, announced in a Nature paper on December 9, 2024, is the most discussed recent milestone. Willow runs on 105 physical qubits and demonstrated exponential error suppression as the surface-code distance grew from 3 to 5 to 7, the first time a quantum processor cleared the "below threshold" bar for quantum error correction on a meaningful benchmark. It also completed a random circuit sampling task (a synthetic benchmark with no cryptographic content) in under five minutes that would take a classical supercomputer 10 septillion (10²⁵) years.

That headline obscures the crucial caveat: Willow is not a cryptographically relevant quantum computer (CRQC). Factoring RSA-2048 using Shor's algorithm requires not just many qubits, but fault-tolerant logical qubits — a category Willow does not occupy. Google itself has stated that a CRQC remains "years away."

IBM's roadmap is more structured and arguably more credible as a timeline signal. Their published path targets the Quantum Starling system by 2029: 200 logical qubits capable of executing over 100 million quantum operations. A successor, "Blue Jay," is planned for 2033 at roughly 2,000 logical qubits (~100,000 physical). IBM is also delivering Nighthawk and Loon in 2025 as architectural stepping stones toward quantum error correction using LDPC codes.

The Physical Qubit Floor Is Dropping Fast

For years, the canonical estimate to break RSA-2048 was roughly 20 million noisy physical qubits running for about eight hours (Gidney & Ekerå, 2021). That number has been revised downward sharply by recent research. A 2025 paper from Google Quantum AI suggests fewer than one million noisy qubits could suffice, using more efficient arithmetic and error-correction constructions. Another research group, using LDPC codes rather than surface codes, published estimates below 100,000 physical qubits, more than two orders of magnitude below the 2021 baseline.

This trajectory matters. The logical qubit count required — roughly 1,400 to 1,730 by current estimates — is stable. What is collapsing is the physical qubit overhead needed to implement those logical qubits reliably. As error correction improves, the hardware threshold for a CRQC falls. The window between "this is theoretical" and "this is urgent" compresses non-linearly.
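
To make the overhead collapse concrete, here is an added back-of-the-envelope model (not the accounting of the Gidney & Ekerå or LDPC papers, and not from the original post). It assumes the common surface-code heuristic that the logical error rate per operation scales as 0.1·(p/p_th)^((d+1)/2) with a 1% threshold, that a distance-d logical qubit costs about 2d² physical qubits, and an RSA-2048 run of roughly 1,400 logical qubits and 10⁹ logical operations that must succeed with 99% probability; routing space and magic-state factories are left out. The function names and the 10⁹ and 99% figures are assumptions for illustration.

```python
# Added example: rule-of-thumb surface-code overhead model (assumptions labelled inline).
# Heuristic (assumed): logical error per op  p_L ~ 0.1 * (p_phys / p_th) ** ((d + 1) / 2)
# Cost (assumed): one distance-d logical qubit ~ 2 * d * d physical qubits (data + measure).

def surface_code_distance(p_phys, budget, n_ops, p_th=0.01):
    """Smallest odd code distance d such that one logical operation fails with
    probability <= budget / n_ops, so the whole n_ops-step run fails with
    probability <= budget."""
    if p_phys >= p_th:
        raise ValueError("physical error rate must be below threshold")
    per_op_target = budget / n_ops
    d = 3
    # Tiny tolerance keeps floating-point rounding from pushing d up by one step.
    while 0.1 * (p_phys / p_th) ** ((d + 1) / 2) > per_op_target * (1 + 1e-9):
        d += 2
    return d


def physical_qubits(n_logical, d, qubits_per_logical=lambda d: 2 * d * d):
    """Physical qubits needed for n_logical logical qubits at distance d."""
    return n_logical * qubits_per_logical(d)


def rsa2048_estimate(p_phys, n_logical=1400, n_ops=1e9, budget=1e-2):
    """(distance, physical qubits) for an RSA-2048 run of ~1,400 logical qubits.
    n_ops = 1e9 logical operations and a 1% failure budget are assumed
    order-of-magnitude figures, not values from any cited paper."""
    d = surface_code_distance(p_phys, budget, n_ops)
    return d, physical_qubits(n_logical, d)


if __name__ == "__main__":
    for p in (1e-3, 3e-4, 1e-4):
        d, n = rsa2048_estimate(p)
        print(f"p_phys={p:.0e}: distance {d}, ~{n:,} physical qubits")
```

Running it shows the lever: dropping the physical error rate from 10⁻³ to 10⁻⁴ cuts the distance from 19 to 9 and the physical count from roughly 1.0 million to roughly 230,000, with the logical count unchanged. Better codes (the LDPC family IBM is pursuing) attack the 2d² term directly, which is how the sub-100,000 estimates arise.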

Q-Day: Not a Date, a Distribution

Experts almost universally reject claims of a specific Q-Day date. The realistic consensus clusters at: a 5–10% probability of a CRQC by 2030, rising to 50%+ in the 2035–2040 range, with some credible scenarios extending to 2050. But this probability distribution is not symmetric. A single algorithmic breakthrough — equivalent in magnitude to what LDPC codes did to the physical qubit estimate — could compress that distribution toward the near end faster than any institutional migration can respond.

The NSA's CNSA 2.0 guidance requires National Security Systems to be fully quantum-resistant by 2035. The EU's coordinated PQC implementation roadmap sets 2030 as the target for high-risk use cases, which include critical financial systems, and 2035 for everything else. These are not aspirational targets; they are bureaucratic acknowledgments that the physics is closing in.


Part II: The Standards That Exist and What They Actually Do

FIPS 203 — ML-KEM (Module-Lattice Key Encapsulation Mechanism)

ML-KEM, derived from CRYSTALS-KYBER, is the primary replacement for RSA and Diffie-Hellman in key exchange. It operates on module lattice problems — specifically the Module Learning With Errors (MLWE) hardness assumption. Security levels map to ML-KEM-512 (~AES-128), ML-KEM-768 (~AES-192), and ML-KEM-1024 (~AES-256).

ML-KEM is already shipping in production. Chrome 131 (November 2024) switched from the experimental Kyber draft to the finalized ML-KEM, deploying the hybrid X25519MLKEM768 key exchange by default across Chrome's global user base. Cloudflare reported that by March 2025, over a third of human HTTPS traffic on its network used hybrid post-quantum handshakes. This is not a pilot — it is mass deployment.

FIPS 204 — ML-DSA (Module-Lattice Digital Signature)

ML-DSA, derived from CRYSTALS-Dilithium, replaces RSA and ECDSA for digital signatures. It is the algorithm most critical for code signing, certificate issuance, and authentication workflows. Keys and signatures are far larger than classical ones: ML-DSA-44 (NIST security category 2, roughly 128-bit) has 1,312-byte public keys and 2,420-byte signatures, and ML-DSA-65 (category 3) has 1,952-byte public keys and 3,309-byte signatures, versus 64-byte signatures (and 65-byte uncompressed public keys) for ECDSA P-256. A leaf-plus-intermediate chain signed with ML-DSA-65 carries two of each, roughly 10 KB more than its ECDSA equivalent. This size increase is not trivial in constrained environments or in a TLS server's first flight.

FIPS 205 — SLH-DSA (Stateless Hash-Based Digital Signature)

SLH-DSA, derived from SPHINCS+, is the conservative backup signature scheme. Its security rests entirely on hash function security; no new mathematical assumptions. Trade-off: much larger signatures (7,856 bytes for the SLH-DSA-SHA2-128s parameter set, 17,088 bytes for the faster-signing 128f set) and slow signing, especially for the "s" sets. SLH-DSA is appropriate where conservative security assumptions are paramount and signing is rare (e.g., root CAs, firmware signing).

FIPS 206 — FN-DSA (coming)

FALCON, being standardized as FN-DSA in the forthcoming FIPS 206, offers much smaller signatures than ML-DSA (666-byte signatures and 897-byte public keys at Level 1), making it attractive for IoT and constrained hardware. The cost is implementation complexity: its Gaussian sampler relies on floating-point arithmetic that is hard to make constant-time, so timing leakage in the signer is the main deployment risk.

NIST additionally selected HQC as a backup KEM for standardization in March 2025 — a code-based alternative providing algorithmic diversity should lattice problems be broken.


Part III: Engineering Reality — What Migration Actually Looks Like

The Hidden Scale of Cryptographic Surface Area

The first obstacle any organization faces is discovery. Almost universally, enterprises find 3–5× more cryptographic assets than they estimated when they begin a formal inventory. TLS certificates in load balancers, embedded key pairs in IoT firmware, HSM-pinned RSA keys in payment terminals, hardcoded algorithm identifiers in COBOL batch processes: none of these are tracked in any CMDB, and a quantum-vulnerable algorithm does not announce itself, since it keeps working right up until its ciphertext is read.

The U.S. government's own July 2024 report estimated the total federal migration cost at $7.1 billion over ten years (in 2024 dollars). Private-sector migration at aggregate scale is expected to be considerably higher, and unlike federal agencies, enterprises face no statutory mandate with real enforcement teeth.

Crypto-Agility: The Concept Organizations Claim to Have But Don't

Crypto-agility — the capacity to swap cryptographic algorithms across a system without rebuilding core infrastructure — is universally acknowledged as the correct architectural posture. It is almost universally absent in production systems.

Legacy TLS stacks, particularly pre-TLS 1.3 deployments, hardcode algorithm identifiers at the cipher suite level. HSM firmware must be updated or replaced to support new key types. PKI trust chains are built on certificate templates that encode specific algorithm parameters. Payment terminals running TLS 1.2 against pinned leaf certificates cannot negotiate an ML-KEM key share at all: hybrid key exchange is specified only for TLS 1.3, and the pinned certificate cannot move to a PQ signature without a firmware update. The remediation path for these systems is not a config change; it is a hardware refresh cycle that takes 3–5 years minimum.

The NIST NCCoE has published detailed PQC migration practice guides specifically addressing these bottlenecks, but guides do not move legacy firmware.

The TLS Handshake Migration Problem

The concrete engineering challenge for TLS is well understood. In a TLS 1.3 handshake with the hybrid X25519MLKEM768 group, the client's key share is 1,216 bytes (a 1,184-byte ML-KEM-768 encapsulation key plus 32 bytes of X25519) versus 32 bytes for X25519 alone, and the server's reply share is 1,120 bytes (1,088-byte ciphertext plus 32). A typical ClientHello therefore no longer fits in one ~1,500-byte MTU and arrives as two TCP segments; middleboxes and TLS terminators that assume a single-packet ClientHello, or that choke on an unknown group codepoint, fail closed and drop the handshake. Endpoints that merely do not support the group fail open: they ignore the hybrid share, negotiate X25519, and the connection succeeds with no quantum resistance at all, with nothing at the application layer reporting the downgrade.

The hybrid approach — running classical and post-quantum algorithms in parallel, deriving shared secrets from both — is the safe migration path because it maintains classical security guarantees while adding quantum resistance. AWS, Cloudflare, and Google Cloud all support hybrid PQC TLS in 2025. The enterprise middleware between those cloud edges and internal applications frequently does not.
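
The following is an added example, not code from the original post or from any TLS library: a minimal builder and passive parser for TLS 1.3 ClientHello records, enough to inventory which key-exchange groups a client offers and to show both the size delta and the silent-downgrade failure mode described in the two paragraphs above. The codepoints are the IANA-registered ones (X25519MLKEM768 = 0x11EC); the ClientHello it constructs carries only the two relevant extensions and zero-filled placeholder shares, so real captures are larger. The same parser, pointed at captured handshakes, is one form of the passive discovery step Part III opens with.

```python
import struct

# TLS NamedGroup codepoints from the IANA registry and draft-ietf-tls-ecdhe-mlkem.
X25519, SECP256R1 = 0x001D, 0x0017
X25519MLKEM768, SECP256R1MLKEM768 = 0x11EC, 0x11EB
X25519KYBER768_DRAFT00 = 0x6399          # pre-standard draft codepoint, retired by Chrome 131
PQ_HYBRID_GROUPS = {X25519MLKEM768, SECP256R1MLKEM768, X25519KYBER768_DRAFT00}
EXT_SUPPORTED_GROUPS, EXT_KEY_SHARE = 10, 51


def _vec(data, lenbytes):
    """Length-prefixed opaque vector as used throughout RFC 8446."""
    return len(data).to_bytes(lenbytes, "big") + data


def build_client_hello(groups, key_shares):
    """Constructed TLS 1.3 ClientHello record carrying only supported_groups and
    key_share. key_shares is [(group, share_bytes)]; the shares are zero-filled
    placeholders of the right length, not real keys."""
    body = b"\x03\x03" + bytes(32)                       # legacy_version, random (zeros)
    body += _vec(b"", 1)                                 # legacy_session_id
    body += _vec(b"\x13\x01", 2)                         # TLS_AES_128_GCM_SHA256 only
    body += _vec(b"\x00", 1)                             # legacy_compression_methods
    groups_ext = _vec(b"".join(struct.pack("!H", g) for g in groups), 2)
    ks_ext = _vec(b"".join(struct.pack("!H", g) + _vec(s, 2) for g, s in key_shares), 2)
    exts = struct.pack("!H", EXT_SUPPORTED_GROUPS) + _vec(groups_ext, 2)
    exts += struct.pack("!H", EXT_KEY_SHARE) + _vec(ks_ext, 2)
    body += _vec(exts, 2)
    handshake = b"\x01" + _vec(body, 3)                  # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + _vec(handshake, 2)          # ContentType handshake(22)


def parse_client_hello(record):
    """Passive inventory of one ClientHello: groups offered, key-share sizes, and
    whether a PQ hybrid was merely offered (supported_groups) or actually sent
    (key_share). Only the fields needed for that are walked."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rlen = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rlen]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # legacy_version + random
    pos += 1 + body[pos]                                  # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # legacy_compression_methods
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    groups, shares = [], {}
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype == EXT_SUPPORTED_GROUPS:
            n = struct.unpack("!H", edata[:2])[0]
            groups = list(struct.unpack("!%dH" % (n // 2), edata[2:2 + n]))
        elif etype == EXT_KEY_SHARE:
            n, p = struct.unpack("!H", edata[:2])[0], 2
            while p < 2 + n:
                g, slen = struct.unpack("!HH", edata[p:p + 4])
                shares[g], p = slen, p + 4 + slen
    return {"record_bytes": len(record), "groups": groups, "key_share_sizes": shares,
            "pq_hybrid_offered": any(g in PQ_HYBRID_GROUPS for g in groups),
            "pq_hybrid_share_sent": any(g in PQ_HYBRID_GROUPS for g in shares)}


def negotiate(client_groups, server_groups):
    """What a server that ignores unknown groups ends up selecting: the client's most
    preferred group it supports, or None (handshake failure, i.e. fail closed)."""
    return next((g for g in client_groups if g in server_groups), None)


# Constructed sample handshakes: a legacy client and a Chrome-131-style hybrid client.
LEGACY_HELLO = build_client_hello([X25519, SECP256R1], [(X25519, bytes(32))])
HYBRID_HELLO = build_client_hello([X25519MLKEM768, X25519, SECP256R1],
                                  [(X25519MLKEM768, bytes(1184 + 32)), (X25519, bytes(32))])

if __name__ == "__main__":
    for name, hello in (("legacy", LEGACY_HELLO), ("hybrid", HYBRID_HELLO)):
        info = parse_client_hello(hello)
        print(name, info["record_bytes"], "bytes; PQ share sent:", info["pq_hybrid_share_sent"])
    # A PQ-capable client against a classical-only terminator silently lands on X25519.
    chosen = negotiate(parse_client_hello(HYBRID_HELLO)["groups"], {X25519, SECP256R1})
    print("negotiated against classical-only server:", hex(chosen))
```

A real Chrome ClientHello also carries SNI, ALPN, signature algorithms, padding and GREASE values, which is why it crosses a 1,500-byte MTU once the 1,216-byte hybrid share is added; the constructed one only shows the 1,222-byte delta the share introduces. Note what negotiate() returns for the hybrid client against a classical-only server: X25519, with no error anywhere, which is the fail-open case the text warns about.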

Timeline Reality Check

Migration timelines by organization size:

  • Small enterprises: 5–7 years for complete PQC migration
  • Medium enterprises: 8–12 years
  • Large enterprises (banks, utilities, government contractors): 12–15+ years

If large enterprises need 12–15 years and NIST standards were finalized in August 2024, the math is unflinching: organizations that started in 2024 may not complete before 2036–2039. The EU roadmap targets 2030 for critical financial systems. The U.S. requires NSS completion by 2035. The timelines and the institutional capacity are structurally misaligned.


Part IV: The Threat That Won't Wait — HNDL Operations

The Harvest Is Already Underway

Harvest-Now, Decrypt-Later is not a hypothetical future attack — it is a present-tense operation. The strategy is straightforward: intercept and store encrypted traffic today; decrypt it when quantum capability arrives. Nation-state actors do not need a CRQC to begin the collection phase. They need only storage and access.

The U.S. DHS, UK NCSC, ENISA, and the Australian Cyber Security Centre have all published guidance explicitly premised on the assumption that adversaries are currently exfiltrating and archiving sensitive, long-lived encrypted data. This is not a theoretical warning; it is a statement of operational intelligence consensus.

The data most at risk is not what is encrypted today with weak algorithms. It is data that has a long confidentiality shelf life: diplomatic cables, trade negotiations, weapons systems documentation, proprietary financial algorithms, patient health records, and merger & acquisition communications. The Federal Reserve has published direct research on HNDL risk to distributed ledger networks. This is financial infrastructure research, not academic speculation.

Why HNDL Breaks the Standard Threat Model

Traditional cryptographic threat models assume that an adversary must compromise the system while the data is still sensitive. HNDL removes this temporal boundary. Traffic whose session keys were established with RSA-2048 or ECDH in 2020, protecting data classified as confidential for 20 years, is under threat of decryption by 2030–2035. The confidentiality window and the quantum compute timeline overlap.

The organizations most exposed are not those with weak current security posture. They are those that produce data with long confidentiality requirements and have not yet migrated their encryption stacks. In other words: governments, financial institutions, defense contractors, and healthcare systems. Precisely the organizations with the longest migration timelines.


Part V: Financial Sector Exposure — The Liability Surface

Payment Rails and Settlement Infrastructure

SWIFT processes over $5 trillion in daily flows. SWIFT's Customer Security Programme has begun incorporating PQC readiness guidance, but its mandate covers security baselines for member institutions, not the protocol itself. SWIFT messaging uses AES-256 for symmetric encryption (quantum-resistant) but RSA/ECC for key establishment and digital signatures. The certificate and signing infrastructure underpinning financial messaging is the attack surface.

Central bank RTGS systems — Fedwire, TARGET2, CHAPS — face similar exposure. A retroactive decryption of even a single day of settlement records represents catastrophic liability for any institution whose trades become readable to competitors or regulators.

The Asymmetric Liability Structure

There is no financial incentive for early movers. A bank that spends $400M migrating its cryptographic infrastructure to PQC today gets no competitive advantage because its counterparties are not yet quantum-resistant either. HNDL captures traffic in transit, and a TLS session is only as strong as the key exchange both sides agree on: a unilaterally upgraded client connecting to a counterparty that offers only classical groups negotiates down to RSA or ECDH, and that session's ciphertext is harvestable all the same.

Migration therefore has positive externalities that the migrating institution cannot capture. This is the classic underinvestment trap for public goods — and it will persist until regulation creates mandatory timelines with real liability exposure or material insurance consequences.

Regulatory Fragmentation Makes It Worse

  • U.S. NSM-10 (2022): Mandates federal agencies to complete PQC migration by 2035. Does not directly bind private financial institutions.
  • U.S. CNSA 2.0: Mandates NSS migration. Defense contractors covered; commercial banks, not explicitly.
  • EU PQC Roadmap (2025): high-risk use cases, including critical financial systems, by 2030; the rest by 2035. A coordinated roadmap for member states rather than binding legislation; cross-border enforcement for global banks is unclear.
  • PCI DSS v4.0.1: future-dated requirements became mandatory on March 31, 2025. Requires "strong cryptography" but does not mandate PQC specifically.
  • SWIFT CSP: Guidance only; no enforcement mechanism for PQC.

A global bank faces five regulatory frameworks with zero consistent PQC mandates between them. The absence of mandate becomes the rationale for deferral.


Part VI: The Policy and Workforce Gap

The Skills Deficit

Post-quantum cryptography is a specialized subdiscipline. Implementing ML-KEM correctly requires more than getting the lattice arithmetic right: the polynomial arithmetic and the decapsulation's implicit-rejection check must be free of secret-dependent timing, and compilers have turned textbook-correct reference code into variable-time machine code before. That expertise is scarce; most enterprise security teams do not have it and cannot hire it quickly. The workforce to do this at scale does not exist in sufficient quantity.

The NSM-10 Compliance Machine

NSM-10 (May 2022) and OMB M-23-02 (November 2022) established mandatory cryptographic inventory requirements for federal civilian agencies. The trajectory: TLS 1.3 required on federal systems by January 2030; per NIST IR 8547 (initial public draft, November 2024), quantum-vulnerable algorithms at 112-bit security deprecated after 2030 and all quantum-vulnerable algorithms disallowed after 2035.

Federal contractors serving agencies must also migrate. The supply chain effect is one of the few real forcing functions for private sector migration in the U.S. context.

What Actually Creates Urgency

The early movers are not waiting for regulators. JPMorgan Chase, HSBC, and Mastercard have all publicly acknowledged active PQC programs as of 2024–2025. These organizations have concluded — correctly — that their HNDL exposure window is already open.

Everyone else is waiting.


The Cliff, Not the Slope

The migration isn't difficult because quantum computers are coming. It's difficult because:

  1. The data being harvested today won't wait. HNDL operations archive ciphertext that will outlive current institutional planning cycles.
  2. Migration timelines exceed the threat window. Large enterprises need 12–15 years; the CRQC probability mass concentrates in the 2030–2040 window.
  3. Incentive structures favor inaction. No single institution benefits enough from unilateral migration without counterparty pressure or regulatory mandate.
  4. Discovery is the hardest step. You cannot migrate what you haven't inventoried.
  5. Regulation is fragmented. The absence of a consistent global mandate for financial institutions is a policy failure with compounding consequences.

NIST did its job. The window is not closing because of a missing algorithm. It is closing because organizations that need a decade-long infrastructure program are still treating PQC migration as a two-year planning exercise that starts next quarter.

The cryptographic cliff is not ahead of us. We are standing at its edge. The harvest is in progress.


Quick-Reference: Migration Decision Framework

Factor                    High urgency           Moderate               Low urgency
Data shelf life           >10 years              5–10 years             <5 years
Regulatory jurisdiction   NSS / EU critical      U.S. federal           Unregulated
System scale              Large enterprise       Mid-market             Small org
Current crypto stack      RSA/ECC ubiquitous     Mixed                  Already hybrid
HNDL exposure             High-value traffic     Standard commercial    Low-value
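
The decision framework above can be made quantitative. The block below is an added example (not from the original post): it encodes Mosca's inequality (shelf life X plus migration time Y exceeding time-to-CRQC Z means trouble) and an HNDL exposure probability using a constructed piecewise-linear CDF interpolated from the survey-style figures in Part I (about 7% by 2030, 50% by 2037, 90% by 2050). The anchor points, thresholds and function names are assumptions for illustration, not a forecast from any cited source.

```python
# Added example: Mosca's inequality plus an HNDL exposure estimate.
# Constructed CDF anchors for "a CRQC exists by year Y", interpolated from the
# survey-style probabilities quoted in Part I; assumed, not a cited forecast.
CRQC_CDF_POINTS = [(2025, 0.00), (2030, 0.07), (2037, 0.50), (2050, 0.90)]


def p_crqc_by(year, points=CRQC_CDF_POINTS):
    """P(a CRQC exists by `year`), linearly interpolated between the anchor points."""
    if year <= points[0][0]:
        return 0.0
    if year >= points[-1][0]:
        return points[-1][1]
    for (y0, p0), (y1, p1) in zip(points, points[1:]):
        if y0 <= year <= y1:
            return p0 + (p1 - p0) * (year - y0) / (y1 - y0)


def hndl_exposure(encrypted_year, shelf_life_years, migration_done_year):
    """Probability that a record whose session key was established with classical key
    exchange in `encrypted_year` is decrypted while still confidential. Records
    encrypted after migration completes are protected by PQ key exchange."""
    if encrypted_year >= migration_done_year:
        return 0.0
    return p_crqc_by(encrypted_year + shelf_life_years)


def mosca_gap(shelf_life_years, migration_years, crqc_year, now=2025):
    """Mosca's inequality as a number of years: now + Y + X - Z. Positive means the
    last classically-encrypted data is still confidential when Q-Day arrives."""
    return now + migration_years + shelf_life_years - crqc_year


def urgency(shelf_life_years, migration_years, threshold=0.25, now=2025):
    """Worst-case exposure: the last record encrypted before migration completes.
    Returns (probability, 'high' | 'moderate' | 'low'); thresholds are assumed."""
    done = now + migration_years
    p = hndl_exposure(done - 1, shelf_life_years, done)
    level = "high" if p >= threshold else "moderate" if p >= threshold / 2 else "low"
    return p, level


if __name__ == "__main__":
    # Constructed scenarios mirroring the framework's rows (shelf life X, migration Y).
    scenarios = (("M&A records, large bank", 15, 12),
                 ("ticketing PII, mid-market", 2, 6),
                 ("web cache, small org", 1, 5))
    for label, x, y in scenarios:
        p, level = urgency(x, y)
        print(f"{label:26s} X={x:2d} Y={y:2d}: Mosca gap {mosca_gap(x, y, 2037):+d} yrs, "
              f"exposure {p:.0%} ({level})")
```

The exposure figure is for the last record encrypted before migration completes, which is the worst case; the first row of the framework (shelf life over 10 years) lands at the top of the CDF for any realistic migration time, which is why it is rated high urgency regardless of the other columns. Changing CRQC_CDF_POINTS to your own estimate is the whole point of the exercise.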

First steps: run cryptographic asset discovery (CISA's PQC migration guidance recommends automated inventory tooling; certificate inventories, code scanning for algorithm identifiers, and passive capture of TLS handshakes together give a usable cryptography bill of materials). Prioritize systems that use RSA/ECC key exchange to protect data with more than 5 years of confidentiality. Deploy hybrid TLS (X25519MLKEM768) on public-facing endpoints: it costs almost nothing, the major browsers already offer it, and it removes a significant share of your HNDL exposure immediately. Then verify the result from the outside, because a terminator that silently falls back to X25519 looks identical to one that never changed.

The standards are ready. The clock is running.


Sources: NIST FIPS 203/204/205 (August 2024); NSM-10 (May 2022); OMB M-23-02 (November 2022); Gidney & Ekerå (2021); Google Quantum AI Willow (December 2024); CISA/NSA/NIST Joint Guidance on PQC Migration (2023); Federal Reserve FEDS Note on HNDL; Mastercard PQC White Paper (2025); EU PQC Roadmap; IBM Quantum Roadmap 2025–2029.
