NIST has already selected post-quantum cryptography standards. How will the internet transition to quantum-resistant encryption before quantum computers arrive?
🔐 Why Today's Encryption Is Vulnerable
Every time you make an online purchase, send an email, or log into your bank account, your data is protected by cryptographic algorithms like RSA and Elliptic Curve Cryptography (ECC). These algorithms rely on mathematical problems that are practically impossible for classical computers to solve — factoring enormous numbers or computing discrete logarithms.
The reason for concern? Shor's algorithm, discovered in 1994 by mathematician Peter Shor, proves that a sufficiently powerful quantum computer can solve these problems in polynomial time. This means a quantum computer with enough qubits could break RSA-2048 in hours instead of billions of years.
The “Harvest Now, Decrypt Later” Threat
State actors and hackers are already collecting encrypted data today with the intention of decrypting it in the future, once they gain access to quantum computers. This strategy — known as “harvest now, decrypt later” — means the threat is not hypothetical: it is already here. Sensitive data with long shelf lives (state secrets, medical records, industrial designs) is at risk right now.
🛡️ NIST's New Post-Quantum Cryptography Standards
The U.S. National Institute of Standards and Technology (NIST) launched a global competition in 2016 to select post-quantum cryptographic algorithms. After 8 years of evaluation, cryptanalysis, and testing, the final standards were published in August 2024:
ML-KEM (formerly CRYSTALS-Kyber) is the primary algorithm for key exchange. It is already being used in TLS 1.3 to establish secure connections across the internet. ML-DSA (formerly CRYSTALS-Dilithium) serves as the primary digital signature algorithm, while SLH-DSA (SPHINCS+) relies exclusively on hash functions and provides a backup option in case lattice-based systems prove vulnerable.
🔷 Lattice-Based Cryptography: The Foundation of New Security
Three of the four new algorithms are based on lattice-based cryptography. The underlying idea is deceptively simple: imagine a grid of points spread across many dimensions. Given a random point near the lattice, the task is to find the closest lattice point.
In two or three dimensions, this is trivial. But in hundreds or thousands of dimensions, the problem becomes computationally intractable — for both classical and quantum computers alike. This is known as the Learning With Errors (LWE) problem, and it forms the mathematical foundation of ML-KEM and ML-DSA.
The beauty of this approach is that lattice-based systems have been extensively studied since the 1990s, and no one — using either classical or quantum algorithms — has managed to break them efficiently.
"The migration to post-quantum cryptography is the largest cryptographic infrastructure upgrade in the history of the internet. We cannot wait for the first quantum computer that breaks RSA — we need to be ready well before that."
— Dustin Moody, Post-Quantum Cryptography Project Lead, NIST
🌍 The Transition Has Already Begun
Major technology companies did not wait for the standards to be finalized. The migration to post-quantum cryptography is already well underway:
Google Chrome: Since August 2023, Chrome has supported hybrid post-quantum key exchange (X25519Kyber768) in TLS 1.3. This means every HTTPS connection can already use quantum-resistant encryption.
Apple iMessage PQ3: Apple introduced the PQ3 protocol for iMessage in March 2024, making it one of the first consumer messaging applications with "Level 3" post-quantum security — unprecedented protection in a consumer product.
Signal: The Signal app integrated the PQXDH (Post-Quantum Extended Diffie-Hellman) algorithm in September 2023, providing post-quantum protection to over 40 million users.
Cloudflare: Cloudflare enabled hybrid post-quantum TLS across its entire network, protecting over 20% of global web traffic.
⏳ Timeline and Urgency
When will the first quantum computer capable of breaking RSA be ready? Estimates vary: some experts predict 10 to 15 years, while others believe it could happen sooner. IBM plans to unveil a 100,000-qubit system by 2033. Google announced the Willow chip with 105 qubits in December 2024.
Regardless of the exact timeline, the cybersecurity community agrees on one thing: the transition must begin now. The U.S. National Security Agency (NSA) requires migration to post-quantum algorithms for all national security systems by 2035. The European Union, through ENISA, has issued guidelines for post-quantum readiness.
The transition is not a simple software upgrade. It requires protocol revisions, certificate renewals, hardware updates, and hundreds of hours of compatibility testing. That is why every organization needs to develop its own “crypto-agile” strategy — the ability to quickly replace cryptographic algorithms without redesigning the entire system.
