WHAT IS POST-QUANTUM CRYPTOGRAPHY
Post-quantum cryptography (PQC) is the next generation of encryption algorithms designed to resist attacks from both classical and quantum computers. With NIST finalizing its first PQC standards in 2024 and NSA mandating migration by 2035, every organization handling sensitive data needs a transition plan today.
Why Post-Quantum Cryptography Matters Now
Today's public-key cryptography (RSA, ECC, Diffie-Hellman) relies on mathematical problems that quantum computers will solve exponentially faster than classical machines. Shor's algorithm, running on a sufficiently powerful quantum computer, breaks RSA-2048 and 256-bit ECC in hours rather than billions of years.
The threat is not theoretical. Nation-state adversaries are already executing harvest-now-decrypt-later (HNDL) attacks -- intercepting and storing encrypted traffic today so they can decrypt it once quantum hardware matures. If your encrypted data has value beyond 2035, it is effectively at risk right now.
Post-quantum cryptography solves this by replacing vulnerable algorithms with new ones built on mathematical problems that resist both classical and quantum attack. Unlike quantum key distribution (QKD), which requires specialized fiber-optic hardware, PQC runs on existing computers and networks -- making it the practical path for most organizations.
The National Institute of Standards and Technology (NIST) published its first three PQC standards in August 2024 after an eight-year evaluation involving global cryptographic researchers. These standards -- FIPS 203, FIPS 204, and FIPS 205 -- are now the foundation for every federal agency and defense contractor migration plan, and the private sector is expected to follow.
The NIST PQC Algorithms Explained
NIST selected four primary algorithms across two categories: key encapsulation mechanisms (KEMs) for secure key exchange, and digital signature algorithms (DSAs) for authentication and integrity.
ML-KEM (Kyber)
Module-Lattice-Based Key Encapsulation Mechanism, formerly known as CRYSTALS-Kyber. ML-KEM replaces RSA and ECDH key exchange in TLS handshakes, VPN tunnels, and secure messaging. Its security rests on the hardness of the Module Learning With Errors (MLWE) problem. Public (encapsulation) key sizes range from 800 bytes (ML-KEM-512) to 1,568 bytes (ML-KEM-1024), and encapsulation completes in microseconds on modern hardware. Google Chrome and Cloudflare already support ML-KEM in TLS 1.3 hybrid mode.
ML-DSA (Dilithium)
Module-Lattice-Based Digital Signature Algorithm, formerly CRYSTALS-Dilithium. ML-DSA is the primary replacement for RSA and ECDSA signatures used in X.509 certificates, code signing, document authentication, and secure boot chains. It offers three security levels (ML-DSA-44, ML-DSA-65, ML-DSA-87) with signature sizes between 2,420 and 4,627 bytes. Signing and verification are both fast, making ML-DSA suitable for high-throughput certificate validation.
SLH-DSA (SPHINCS+)
Stateless Hash-Based Digital Signature Algorithm, formerly SPHINCS+. SLH-DSA serves as a conservative fallback that relies entirely on hash function security rather than lattice mathematics. If a breakthrough ever compromises lattice-based schemes, SLH-DSA remains secure. The tradeoff is larger signatures (up to 49,856 bytes) and slower signing. It is best suited for firmware signing, root certificates, and applications where signature size is less critical than long-term security assurance.
FN-DSA (Falcon)
FFT over NTRU-Lattice-Based Digital Signature Algorithm, formerly Falcon. FN-DSA produces the smallest signatures among the PQC signature algorithms (as low as 666 bytes), making it ideal for constrained environments like IoT, smart cards, and embedded systems. Its draft standard was published in 2024, with final publication expected in 2025. FN-DSA's compact signatures come at the cost of more complex key generation involving floating-point arithmetic.
HQC (Hamming Quasi-Cyclic)
Selected in 2025 as a backup KEM to ML-KEM, HQC uses error-correcting codes rather than lattices for its security foundation. This provides algorithm diversity -- if a vulnerability is found in lattice-based schemes, HQC offers an independent fallback for key exchange. HQC is based on the Quasi-Cyclic Syndrome Decoding problem, which has been studied for over 40 years. Its standardization is expected around 2027.
Why Lattice Problems Are Hard
Most NIST PQC algorithms rely on lattice-based cryptography -- specifically, the difficulty of finding short vectors in high-dimensional lattices (the Shortest Vector Problem). Unlike integer factoring and discrete logarithms, lattice problems have no known efficient quantum algorithm. Lattice cryptography has been studied since the 1990s, giving researchers decades of confidence in its security foundations.
PQC Migration Timeline and Deadlines
Multiple government mandates now set firm deadlines for cryptographic migration. Organizations that delay face compliance gaps and growing exposure to harvest-now-decrypt-later attacks.
NSA CNSA 2.0 (September 2022)
The NSA's Commercial National Security Algorithm Suite 2.0 mandates that National Security Systems (NSS) adopt PQC. Software and firmware signatures must use ML-DSA or SLH-DSA by 2025. Web browsers, servers, and cloud services must support ML-KEM by 2025. Legacy algorithms must be fully deprecated by 2033, with complete PQC-only operation required by 2035.
NIST IR 8547 (November 2024)
NIST's transition guidance establishes that RSA and ECC should be deprecated by 2030 and disallowed entirely after 2035. All new systems should incorporate PQC from the start. Existing systems should begin hybrid (classical + PQC) deployments immediately, then transition to PQC-only as confidence grows.
OMB M-23-02 (2023)
The White House Office of Management and Budget requires federal agencies to submit a cryptographic inventory identifying systems vulnerable to quantum attack. Agencies must prioritize migration of their most sensitive systems and report progress annually. This mandate cascades to federal contractors through updated acquisition requirements.
Defense Contractors (CMMC)
Organizations handling Controlled Unclassified Information (CUI) under CMMC Level 2 will face PQC requirements as NIST 800-171 updates incorporate quantum-resistant algorithms. Contractors should begin cryptographic inventories now to avoid compliance gaps when updated requirements take effect.
Healthcare (HIPAA)
Electronic protected health information (ePHI) has a regulatory retention requirement of at least 6 years, and medical records often retain value for decades. HIPAA's Security Rule requires encryption "appropriate to the risk" -- once PQC standards exist, continuing to use quantum-vulnerable encryption becomes a gap that auditors will flag.
Financial Services
Banking regulators (OCC, FFIEC, PCI DSS) require encryption of financial data in transit and at rest. With PCI DSS 4.0 already mandating strong cryptography reviews, financial institutions should expect quantum-readiness to appear in future examination guidance. Harvest-now-decrypt-later is especially dangerous for long-lived financial records.
How PQC Migration Works
Cryptographic migration is a multi-year program, not a one-time upgrade. These six phases provide a structured path from assessment through full transition.
Cryptographic Inventory
Catalog every system, library, protocol, and certificate that uses public-key cryptography. Identify RSA, ECC, DH, and DSA dependencies across TLS, VPN, SSH, code signing, PKI, and API authentication.
Risk Prioritization
Classify data by sensitivity and retention period. Data with value beyond 2035 (medical records, trade secrets, CUI, financial records) gets the highest priority for migration.
Hybrid Deployment
Deploy hybrid key exchange (classical + ML-KEM) in TLS, VPN, and messaging systems. Hybrid mode provides quantum resistance while maintaining backward compatibility with existing infrastructure.
PKI and Certificate Migration
Migrate certificate authorities, X.509 certificates, and trust chains to ML-DSA or SLH-DSA signatures. This is typically the most complex step due to certificate lifecycle management and cross-signing requirements.
Code Signing and Supply Chain
Update software signing, firmware verification, and supply chain integrity mechanisms. Use ML-DSA for high-throughput signing and SLH-DSA for root-of-trust and long-lived firmware signatures.
Classical Deprecation
Once PQC algorithms are validated in production, phase out classical-only cipher suites. Target full deprecation of RSA and ECC for key exchange and signatures before 2035 per NIST IR 8547 guidance.
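The inventory and risk-prioritization phases above, worked as an added example (not PTG's tooling): it classifies each asset's algorithm as quantum-vulnerable or quantum-resistant and ranks it by harvest-now-decrypt-later exposure using the timeline rule retention + migration time > quantum horizon. The asset records, the 10-year horizon and the 3-year migration time are constructed assumptions.

```python
"""Classify a cryptographic inventory and rank it for PQC migration.
Added example, not PTG's tooling; asset records and planning numbers are
constructed. Rules follow the page: RSA/ECC/DH/DSA are quantum-vulnerable,
AES-256 is kept (Grover only halves it to 128-bit), ML-KEM/ML-DSA/SLH-DSA/FN-DSA
resist quantum attack; data sensitive past the quantum horizon is HNDL-exposed now."""
from dataclasses import dataclass

QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "X25519", "DH", "DSA", "EdDSA"}
QUANTUM_RESISTANT = {"ML-KEM", "ML-DSA", "SLH-DSA", "FN-DSA", "HQC", "AES-256"}

# Planning assumptions (constructed; tune per organisation): years until a
# cryptographically relevant quantum computer, and years one migration takes.
# Exposure follows Mosca's inequality: retention + migration > horizon.
CRQC_HORIZON_YEARS = 10
MIGRATION_YEARS = 3

@dataclass(frozen=True)
class Asset:
    name: str
    purpose: str          # "key-exchange", "signature" or "bulk-encryption"
    algorithm: str
    retention_years: int  # years the protected data or signature must stay trustworthy

def is_quantum_vulnerable(asset: Asset) -> bool:
    if asset.algorithm in QUANTUM_VULNERABLE:
        return True
    if asset.algorithm in QUANTUM_RESISTANT:
        return False
    raise ValueError(f"unclassified algorithm {asset.algorithm!r}: extend the tables")

def migration_priority(asset: Asset) -> tuple[int, str]:
    """Return (rank, reason): rank 1 is most urgent, rank 4 needs no migration."""
    if not is_quantum_vulnerable(asset):
        return 4, "quantum-resistant, no action"
    outlives_horizon = asset.retention_years + MIGRATION_YEARS > CRQC_HORIZON_YEARS
    if asset.purpose == "key-exchange" and outlives_horizon:
        return 1, "HNDL: captured traffic becomes decryptable while the data is still sensitive"
    if asset.purpose == "signature" and outlives_horizon:
        return 2, "signature must stay trusted past the quantum horizon (forgery risk)"
    return 3, "quantum-vulnerable, but the protected data expires before the horizon"

def prioritize(assets: list[Asset]) -> list[tuple[str, int, str]]:
    """Rank by urgency, then by longest retention within the same rank."""
    ranked = [(a.name, *migration_priority(a), a.retention_years) for a in assets]
    ranked.sort(key=lambda r: (r[1], -r[3]))
    return [(name, rank, reason) for name, rank, reason, _ in ranked]

SAMPLE_INVENTORY = [  # constructed, not real systems
    Asset("patient-portal-vpn", "key-exchange", "ECDH", 25),
    Asset("marketing-site-tls", "key-exchange", "X25519", 1),
    Asset("firmware-signing-ca", "signature", "RSA", 20),
    Asset("records-db-at-rest", "bulk-encryption", "AES-256", 25),
    Asset("pilot-messaging", "key-exchange", "ML-KEM", 10),
]
```

Calling prioritize(SAMPLE_INVENTORY) ranks the ePHI VPN first (captured traffic decryptable within the records' lifetime), the long-lived firmware signing CA second, and the short-lived marketing TLS endpoint third even though it uses the same vulnerable class of algorithm.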
Which Industries Face the Greatest Quantum Risk
Any organization with long-lived sensitive data faces quantum risk, but four sectors are especially exposed due to regulatory requirements and data retention periods.
Healthcare and Life Sciences
- ePHI under HIPAA has minimum 6-year retention, but patient records are often kept for 25+ years
- Genomic data is permanently sensitive -- once decrypted, it cannot be re-encrypted
- Clinical trial data, pharmaceutical IP, and research collaborations are high-value HNDL targets
- HHS OCR breach penalties average $1.5M+ per incident -- the cost of inaction far exceeds migration cost
Defense and Government Contractors
- Controlled Unclassified Information (CUI) under CMMC requires FIPS-validated encryption
- NSA CNSA 2.0 requires PQC adoption for all National Security Systems by 2035
- DFARS 252.204-7012 and NIST 800-171 will incorporate PQC requirements as standards update
- Foreign adversaries are the primary HNDL threat actors targeting defense supply chain communications
Financial Services
- PCI DSS 4.0 requires annual cryptographic cipher suite reviews -- PQC gaps will surface during audits
- SWIFT, ACH, and wire transfer authentication rely on RSA/ECC signatures that quantum computers break
- Long-term financial records, loan documents, and contractual obligations retain value for decades
- FFIEC, SEC, and OCC guidance will increasingly address quantum risk in examination procedures
Critical Infrastructure and Energy
- SCADA and ICS systems have 15-25 year lifecycles with firmware signed using RSA or ECC
- NERC CIP standards for power grid operators will adopt PQC as NIST standards propagate
- TSA cybersecurity directives for pipeline and rail operators already require encryption upgrades
- Embedded systems and OT environments require FN-DSA (Falcon) because constrained devices need its small signatures
PTG's Quantum-Ready Security Services
Petronella Technology Group helps organizations assess quantum risk, plan migration, and deploy post-quantum cryptography across their infrastructure.
Cryptographic Inventory Audit
We map every cryptographic dependency across your environment: TLS configurations, VPN tunnels, SSH keys, code signing certificates, PKI infrastructure, API authentication, and database encryption. You receive a prioritized risk report showing which systems are vulnerable to quantum attack and which data is most exposed to harvest-now-decrypt-later threats.
Algorithm Migration Roadmap
Based on your inventory, we build a phased migration plan aligned with NIST IR 8547 guidance and NSA CNSA 2.0 deadlines. The roadmap prioritizes your highest-risk systems, identifies vendor dependencies, estimates budget and timeline, and maps compliance requirements (CMMC, HIPAA, PCI DSS) to specific migration milestones.
Hybrid Encryption Implementation
We deploy hybrid (classical + PQC) configurations in your TLS, VPN, and messaging infrastructure. Hybrid mode provides immediate quantum resistance while maintaining backward compatibility. This includes configuring ML-KEM hybrid key exchange in TLS 1.3, updating cipher suite policies, and validating interoperability with your existing systems.
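A check for the TLS 1.3 group-policy step described above, added here as an example (not PTG's code): it parses a colon-separated key-exchange group preference list and reports whether a hybrid ML-KEM group is present and preferred while a classical fallback remains for peers that cannot negotiate it. Group names follow OpenSSL 3.5's Groups spelling, which is an assumption about the deployment; the policies in the block are constructed.

```python
"""Lint a TLS 1.3 key-exchange group preference list for hybrid PQC readiness.
Added example, not PTG's tooling. Group names use the spelling OpenSSL 3.5
accepts in its Groups setting (an assumption; other TLS stacks differ)."""

# Classical ECDH/FFDH groups: quantum-vulnerable, kept only as a fallback.
CLASSICAL = {"X25519", "X448", "P-256", "P-384", "P-521",
             "ffdhe2048", "ffdhe3072", "ffdhe4096"}
# Hybrid groups: a classical share plus an ML-KEM encapsulation in one key_share.
HYBRID = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}
# Pure ML-KEM groups: quantum-resistant but without the classical safety net.
PQ_ONLY = {"MLKEM512", "MLKEM768", "MLKEM1024"}

def classify(group: str) -> str:
    if group in HYBRID:
        return "hybrid"
    if group in PQ_ONLY:
        return "pq-only"
    if group in CLASSICAL:
        return "classical"
    return "unknown"

def lint_groups(spec: str) -> dict:
    """Parse an OpenSSL-style Groups string (colon-separated, most preferred
    first) and report findings against the hybrid-deployment guidance."""
    groups = [g.strip() for g in spec.split(":") if g.strip()]
    kinds = [classify(g) for g in groups]
    findings = []
    if "hybrid" not in kinds:
        findings.append("no hybrid group: key exchange stays quantum-vulnerable (HNDL exposure)")
    elif "classical" in kinds and kinds.index("classical") < kinds.index("hybrid"):
        findings.append("a classical-only group precedes the hybrid group: hybrid is not preferred")
    if "classical" not in kinds:
        findings.append("no classical fallback: peers without ML-KEM support cannot negotiate a key")
    for group, kind in zip(groups, kinds):
        if kind == "unknown":
            findings.append(f"unrecognised group {group!r}: classify it before deploying")
    return {
        "groups": groups,
        "hybrid_preferred": bool(kinds) and kinds[0] == "hybrid",
        "findings": findings,
    }

if __name__ == "__main__":
    # Constructed policies: the classical-only setting beside the corrected one.
    for policy in ("X25519:P-256", "X25519MLKEM768:X25519:P-256"):
        print(policy, "->", lint_groups(policy)["findings"] or ["ok"])
```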
Quantum Risk Monitoring
Cryptographic agility requires continuous monitoring. We track NIST standard updates, vendor PQC support timelines, and quantum computing milestones so your organization stays ahead of compliance deadlines. This includes quarterly cryptographic posture reviews and proactive alerts when your systems need updates.
"The organizations that start their PQC migration now will have a 5-to-10-year competitive advantage over those that wait. Cryptographic transitions are the largest, most complex infrastructure changes most companies will ever undertake -- starting late means finishing too late."
Craig Petronella -- Founder, Petronella Technology Group
With 24+ years in cybersecurity and IT infrastructure, Craig leads PTG's quantum readiness practice. His team has helped defense contractors, healthcare organizations, and financial services firms build security assessment programs that address both current and emerging threats.
Harvest Now, Decrypt Later: The Urgency Behind PQC
The quantum threat is not a future problem. Adversaries are collecting your encrypted data today, banking on quantum decryption tomorrow.
Harvest-now-decrypt-later is the primary reason PQC migration cannot wait until quantum computers arrive. Intelligence agencies and advanced persistent threat (APT) groups intercept encrypted communications and store them in bulk. The storage cost is trivial compared to the intelligence value of eventually decrypting years of diplomatic cables, defense communications, trade secrets, and personal health records.
The timeline math is straightforward: if your data retains value for 10 years, and quantum computers capable of breaking RSA-2048 arrive in 8 years, then your data encrypted today is already compromised in a harvest-now-decrypt-later scenario. The only mitigation is deploying quantum-resistant encryption before adversaries capture the data -- which means starting migration now. Learn more about this threat in our dedicated harvest-now-decrypt-later guide.
Organizations subject to CMMC, HIPAA, or PCI DSS face additional urgency because regulators will eventually require quantum-resistant encryption. Early movers avoid the compliance scramble and demonstrate due diligence to auditors, clients, and insurance underwriters. A quantum readiness consultation with PTG takes the first step toward closing this gap.
Frequently Asked Questions
What is post-quantum cryptography in simple terms?
Post-quantum cryptography is a set of encryption algorithms designed to be secure against attacks from both today's computers and future quantum computers. Current encryption methods like RSA and ECC will be broken by quantum computers, so PQC replaces them with algorithms based on mathematical problems that quantum computers cannot solve efficiently. NIST finalized the first three PQC standards in 2024, and organizations should begin adopting them now.
Are quantum computers decades away?
Cryptographically relevant quantum computers (those capable of breaking RSA-2048) may arrive between 2030 and 2035, though some experts predict earlier breakthroughs. But the timeline for quantum computer arrival is less important than the timeline for your data's sensitivity. Harvest-now-decrypt-later attacks mean adversaries are collecting your encrypted data today. Migration takes 18 to 36 months for most organizations, so starting now is essential to protect data that will still be valuable when quantum computers arrive.
What is harvest now, decrypt later and why should I care?
Harvest now, decrypt later (HNDL) is an attack strategy where adversaries intercept and store encrypted data today, waiting for quantum computers to break the encryption in the future. If your organization handles data that will remain sensitive for more than 5 to 10 years -- medical records, defense contracts, trade secrets, financial records -- that data is effectively at risk right now. The only defense is deploying quantum-resistant encryption before adversaries capture the traffic.
Does our cloud provider handle PQC for us?
Cloud providers (AWS, Azure, Google Cloud) are beginning to support PQC in their infrastructure-level encryption, but this only covers data in transit between their data centers. Your applications, APIs, VPN connections, certificates, code signing, database encryption, and internal communications are your responsibility. You need a cryptographic inventory to identify every system that requires migration, regardless of where it is hosted.
Is AES-256 quantum-safe?
AES-256 symmetric encryption is considered quantum-resistant because Grover's algorithm only reduces its effective security to 128 bits, which is still infeasible to brute-force. However, the key exchange mechanisms (RSA, ECDH) used to distribute AES keys are completely vulnerable. If an attacker breaks the key exchange, they get the AES key and can decrypt everything. PQC addresses this by replacing vulnerable key exchange with ML-KEM.
Are PQC algorithms too new to trust?
NIST spent 8 years evaluating PQC candidates through multiple rounds of peer review involving hundreds of cryptographic researchers worldwide. The finalized algorithms are based on mathematical problems studied for 20+ years. Hybrid mode -- combining PQC with classical algorithms -- provides a safety net: even if a PQC algorithm were somehow broken, the classical algorithm still provides protection, and vice versa. This is the recommended deployment approach during the transition period.
What does PQC migration cost?
Cost varies widely based on organizational complexity. A cryptographic inventory and risk assessment for a mid-sized organization typically takes 2 to 4 weeks. Hybrid TLS deployment can begin immediately with minimal infrastructure changes. Full PKI and certificate migration is the most expensive phase and may require 12 to 24 months. The cost of not migrating -- regulatory penalties, breach liability, and lost contracts -- far exceeds the investment. Contact PTG for a scoped assessment.
How does PQC affect CMMC compliance?
CMMC Level 2 requires FIPS-validated encryption for protecting CUI (NIST 800-171 control 3.13.11). As NIST PQC standards become the validated encryption baseline, organizations will need to adopt them to maintain compliance. Starting a CMMC compliance program today should include quantum readiness planning to avoid a second major migration effort when PQC requirements become mandatory.
Start Your PQC Migration Today
The transition to post-quantum cryptography is the largest cryptographic change in computing history. Start with a quantum readiness assessment to identify your exposure and build a phased migration roadmap.