At last week's Keyfactor Tech Days conference in Miami Beach, the predominant theme was post-quantum cryptography and how to go about achieving it. Two panel discussions and several smaller talks dealt with the issue, and their consensus was: We're in trouble.
Why so? Because fast, reliable quantum computers will probably become real between 2030 and 2035. No one's sure exactly when "Q-day" will arrive, but when it does, several of the public-key algorithms that we currently rely on to secure online communications and transactions will become useless overnight.
"Unfortunately, the two algorithms that drop to absolute zero strength, that are unrecoverable, are RSA and ECC [elliptic-curve cryptography], which literally underpin the entire internet and life as we know it, more or less, in a digital sense," Keyfactor CTO Ted Shorter told us before the conference. "Every single software update, every single web connection that ever gets made, anything with HTTPS."
The transition to newer, quantum-safe encryption standards that can withstand cracking attempts by quantum computers will likely take longer than five or 10 years. That's longer than we've probably got.
"In some respects, we're already too late," said Russ Housley, founder of Vigil Security LLC, in a panel discussion at the conference.
Housley and other speakers at the conference brought up the lesson from the SHA-1 to SHA-2 hashing-algorithm transition, which began in 2005 and was supposed to take five years but took about 12 to complete — "and that was a fairly simple transition," Housley noted.
In a different panel discussion, InfoSec Global Vice President of Cryptographic Research & Development Vladimir Soukharev called the upcoming move to post-quantum cryptography a "much more complicated transition than we've ever seen in cryptographic history."
"The post-quantum cryptography migration has two tracks: algorithms and implementation," Soukharev added. "It's a bigger deal than just the algorithms."
In November 2024, the U.S. National Institute of Standards and Technology (NIST) proposed, in a draft transition report (NIST IR 8547), that the five "quantum-vulnerable" public-key algorithms in wide use be deprecated by 2030 and disallowed after 2035:
- DH (1976), the Diffie-Hellman cryptographic system
- RSA (1977), the well-known Rivest-Shamir-Adleman cryptosystem
- ECDSA (mid-1990s), or elliptic-curve digital signature algorithm
- ECDH (mid-2000s), the elliptic-curve variant of Diffie-Hellman
- EdDSA (2011), the Edwards-curve digital signature algorithm that uses specific types of elliptic curves
To replace them, NIST published three post-quantum standards in August 2024 (FIPS 203, 204 and 205). ML-KEM is a key-establishment mechanism and takes over the role of DH and ECDH; ML-DSA and SLH-DSA are signature schemes and take over from RSA, ECDSA and EdDSA signatures:
- ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism), aka CRYSTALS-Kyber
- ML-DSA (Module-Lattice-Based Digital Signature Algorithm), aka CRYSTALS-Dilithium
- SLH-DSA (Stateless Hash-Based Digital Signature Algorithm), aka SPHINCS+
A fourth algorithm, FN-DSA (FFT (fast-Fourier transform) over NTRU-Lattice-Based Digital Signature Algorithm), aka FALCON, is slated to become FIPS 206 and is still being finalized.
"It's going to take vendors a long time to be able to support these things," Shorter told us. "To support the transition, you're gonna have to update everything, basically, and that has to happen before Q-day."
What's vulnerable to quantum computing, and what's not
The good news is that not every cryptographic algorithm will be toast when quantum computing becomes available. Shorter explained to us that there are three basic categories of cryptographic algorithm widely used today, but only one of them is the one you have to worry about.
Symmetric encryption, in which both the encoder and the decoder of a piece of information use the same secret key. This kind of encryption is ancient — Julius Caesar used it — yet if the key is long enough, a quantum computer can't crack it. The known quantum speedup here, Grover's algorithm, roughly halves the effective key length, so AES-128 looks like 64-bit security on paper while AES-256 stays comfortably out of reach; AES-256 is the conservative choice. Symmetric-encryption algorithms secure most online communications and transactions, but to do so, they must first use...
Asymmetric (public-key) encryption, in which the encoder uses the recipient's public key to encrypt information and the recipient uses the matching private key, which is never shared, to decrypt it. Importantly, the two parties don't need to share any secret in advance. Asymmetric encryption is ideal for two parties that don't initially trust each other — like your web browser and Amazon.com — to agree on sensitive information, such as the symmetric encryption keys that establish a secure HTTPS session.
One-way hashing algorithms, like SHA-1 and SHA-2. These reduce large strings of information to bite-sized gibberish of standard length. You can't (in theory) "reverse" the hash to get the original data. These algorithms are used to quickly check that data hasn't changed, as even one byte of difference will result in a totally different hash output. For example, when you log into a website, the website hashes the password you typed and compares the result with the hash it stored when you set up the account. Like symmetric encryption, hashing algorithms are thought to be generally quantum-safe: Grover's search gives at most a square-root speedup against a preimage, so SHA-256 keeps roughly 128 bits of strength. (SHA-1 is already broken by classical collision attacks and should be retired for reasons that have nothing to do with quantum computers.)
Why post-quantum cryptography matters
You may wonder why, beyond the initial server-client handshake, asymmetric encryption isn't used to secure the entire web session. It's because asymmetric encryption is far more resource-hungry and slows down computers.
It's based on mathematical problems that we won't get into in detail, but suffice it to say that the strength of asymmetric encryption rests on the fact that it would take regular computers thousands of years to "crack" an asymmetric key: factoring a large integer in the case of RSA, or computing a discrete logarithm in the case of Diffie-Hellman and the elliptic-curve schemes.
And that's where quantum computers come into the picture. Shor's algorithm, run on a large enough fault-tolerant quantum computer, solves exactly those two problems efficiently, in a matter of hours or minutes rather than millennia. That is why the asymmetric algorithms NIST is phasing out are vulnerable. The new ones that NIST is introducing rest on different problems (structured lattices and hash functions) for which no efficient quantum algorithm is known (yet).
Today, an attacker could watch you log into Amazon and capture the asymmetrically-encrypted exchange of the symmetric key that secures your shopping session. But that would be pointless because the attacker couldn't decrypt that key exchange.
In five or 10 years, it'll be a different story. The attacker will be able to decrypt the key exchange and then use that stolen key to reveal your shopping session, including the credit-card number you used to buy whatever it is you buy on Amazon.
In fact, security experts are worried that well-funded adversaries — we're looking at you, North Korea — are already collecting vast amounts of data from online transactions in the anticipation that they'll be able to decrypt them when quantum computers become available. This is referred to as "harvest (or capture) now, decrypt later."
We're not sure whether this is happening, but if we can think of it, someone's probably doing it. Because of this, the risk of compromising your online banking and shopping transactions, your secure communications, and your digitally-signed software updates isn't something that's five or 10 years down the road. It's right now.
"If we don't know when the quantum computer is coming, you're going to have to protect the software update regardless," said Housley. "We need to start signing now with a quantum-secure algorithm. Then when the quantum computer comes, you'll have a base to start with."
The problem with transitioning to post-quantum cryptography
It's not like you can just swap out one encryption algorithm with another, at least not in most cases. Standards have to be formalized, processes and procedures have to be laid out, and everyone has to be on the same page.
"The standard arrives, and then vendors have to create all the support for the algorithms," Shorter told us. "Your customers can't move to the new stuff until most of the things in your environment actually support the new algorithm. Otherwise, you're going to just break a whole bunch of stuff."
We brought up the fact that Apple began to implement post-quantum cryptography in its iMessage system in early 2024 with its PQ3 protocol, but Shorter told us that it was a poor example.
"If you control both ends of anything, if you control the entire ecosystem, you can move much more quickly because you don't have to wait for anybody else," he said. "You don't have to have standard protocols."
In the open internet, with countless parties setting up billions of secure communications with each other daily, it's much more difficult to get every party to coordinate encryption-algorithm upgrades even after a standard is agreed upon.
Other big problems, security experts are finding, are ignorance and apathy. Many organizations aren't aware that this so-called "cryptopocalypse" is drawing near, and even if they are, many don't believe it affects them.
During one panel discussion, Jaime Gomez-Garcia, Head of Quantum Technologies at Spain's Santander Bank, said that in a recent survey of 100 important German companies, 30% of respondents thought the post-quantum migration would not apply to their organizations.
Sadly, that's just not true. As Shorter told us, "anything that communicates on a network or signs code or receives code updates or encrypts things using asymmetric cryptography is going to have to get updated."
Panelists in a later conference discussion agreed that among some organizations they had worked with, the projected estimate for "Q-day" didn't seem immediate enough for them to begin moving now. Some wanted to leave the project for the next CISO or CIO; others assumed it would be an easy jump.
"The biggest problem that people face initially is that they thought there was a simple solution," said panelist Ray Harishankar, Vice President & Fellow at IBM. "Communicating the strategy is important. You've got to start now and do it in a very measured manner over the next four or five years."
Even organizations that are early movers and have begun the transition find that the process is more difficult than anticipated, said session panelist Ryan Thomas, Director at Lightship Security.
"Everyone thought they had their hands around the requirements, but once you start testing, you realize how long the process is, especially with the government certifications," Thomas said. "The devil is in the details."
What you need to be doing now
Despite the dire warnings, there's quite a lot you can do to begin the migration to post-quantum cryptography. Even if your organization doesn't quite have it all finished by the time the cryptopocalypse arrives, it will be in better shape than many of its peers and rivals.
In a session called "Taking Your First Steps Toward the Quantum Future," Vice President of Technical Engineering at M&T Bank Kevin Ha compared the situation to the adage about campers being chased by a bear: "You don't have to be the fastest runner. Just not the slowest."
Here's how you can prepare your organization for the advent of what Ha cheerfully called "quantum supremacy."
Inventory all your cryptographic assets.
You need to know exactly what's running on your systems and which cryptographic algorithms, key sizes and protocols they use: certificates, signing keys, TLS configurations, SSH keys, code-signing pipelines, and the libraries underneath them. Determine what's outdated, what can be thrown out, what needs to be upgraded or updated, and which systems take priority over others. Be prepared to find things you may have forgotten about.
"You've got old crypto, you've got custom crypto in your organization," said Blair Canavan, Director of Alliances at Thales, in a panel discussion at the conference. "We've seen things we've never seen before, and we're astonished by what we've found. You've got to clean up your act before you get going on this post-quantum computing journey."
Implement TLS 1.3 where you can.
TLS 1.2 is still supported, but its successor, TLS 1.3, negotiates key exchange from a list of named groups that can be extended without changing the protocol itself. That makes it straightforward to drop in a post-quantum key exchange, almost certainly ML-KEM, which the deployments to date (browsers, CDNs and recent OpenSSL releases) ship as a hybrid of X25519 and ML-KEM-768 so that a flaw in either half doesn't break the connection's security.
"If you move to TLS 1.3 now, at some point there'll be an update to your TLS from whichever vendor's TLS 1.3 stack you're using," Shorter told us.
Once that happens, your clients or servers will still be able to establish secure connections with networked devices that haven't yet moved to a post-quantum algorithm: if the peer doesn't offer a post-quantum group, the handshake simply falls back to a classical group for that session.
But "if both ends of the connection actually will support ML-KEM, then you just made that connection quantum-resistant," Shorter said. "That is the first defense against capture now, decrypt later."
Develop "crypto agility."
As much as possible, you want to prepare your systems to quickly upgrade encryption algorithms. That may take some reconfiguration and redesigning, but the ability to move fast is paramount.
"You should view crypto agility as the goal," said Ha. "Post-quantum cryptography is a side quest."
Make a transition plan and stick to it.
Because this could take more than a decade, your organization needs to get all the stakeholders on board and make a long-term migration plan with a clearly defined roadmap and timetable. That way, the team in charge of the transition will keep following the same plan even as individual staffers come and go.
Start testing.
See which of your systems adjust well to the new encryption algorithms and devote more time to the ones that don't.
Educate your team — and the top brass.
Quantum computing is hard to understand and explain, and post-quantum cryptography even more so. Learn from your peers in similar organizations, send your security and encryption staffers to seminars, and translate the basics into plain English so that you can get the full backing of the C-suite for the transition.
"Invest in your team," said Ha. "Send them to training and conferences and help your company stay informed about what other companies are doing."
Seek help from outside experts.
No one expects any but the biggest organizations to complete this transition alone. It will be worth it to get advice from consultants or security vendors who have more experience and expertise in this field. Ha recommended partnering with a company (like Keyfactor) that handles public-key infrastructure, essential to asymmetric encryption, as part of its core business.
Survey your vendors and suppliers.
Find out where they are on the road to post-quantum cryptography. You don't want them left out in the cold when the cryptography world suddenly changes.
"Any vendor that has a web interface is going to have to update something," Shorter told us. "Understand what their roadmaps are, because you can't move until they do."
Automate as much as you can.
Migrating your systems to post-quantum cryptography will be a painstaking, repetitive process. Let the machines handle the grunt work, and you'll both make the transition faster and free up the humans to tackle the tricky stuff.
"You're not going to do all this stuff manually," said Shorter. "You need to be able to automate the replacement and update of every single certificate, every single key."
Develop for post-quantum cryptography.
Now that the NIST-approved quantum-safe algorithms are out, there's no excuse to not include them in your current software development, or to not be able to update your products to them later. Doing so will future-proof your products. Otherwise, they may become relics very quickly.
"If you're making things that can't be updated, and they're expected to be out there forever but the cryptography isn't updatable, then you have a real problem," said Shorter. "You're probably going to wish you had a different crypto on that thing within five years."
Be prepared for surprises.
Despite the general consensus predicting somewhere between 2030 and 2035, quantum computing could arrive tomorrow. How ready will you be?
"Two words: DeepSeek," said Canavan, referring to the cheap, fast Chinese large-language model that unexpectedly shook up the AI industry in January 2025. "We didn't see that coming."
"You need to be moving as fast as you can now," Shorter told us, "because you're not going to make 2030 already."