Post-Quantum Cryptography

Quantum Security

Quantum computing does not just threaten encryption; it invalidates the mathematical foundations on which entire security architectures are built. NIST has finalised the standards. The migration window is open. State actors are already collecting.

Topics: Shor's algorithm, Grover's algorithm, NIST FIPS 203/204/205, ML-KEM / ML-DSA, crypto-agility

Threat Intel

NIST FIPS 203, 204, 205 published August 2024: post-quantum migration is a current obligation.
Shor's algorithm (1994): polynomial-time quantum factorisation breaks all RSA and ECC regardless of key length.
Every RSA-encrypted communication transmitted today can be stored and decrypted when quantum hardware arrives.
IBM 2024: new error-correcting code 10x more efficient than prior methods; quantum at scale is accelerating.
NIST IR 8547: all quantum-vulnerable algorithms deprecated from all standards by 2035.
AES-128 provides only 64-bit effective security under Grover's algorithm; upgrade to AES-256 for long-lived data.

Key Milestones in the Quantum Threat

These are not projections. They are documented events, published standards, and announced roadmaps from NIST and IBM.

1994
Shor's Algorithm Published

Mathematical proof that quantum computers break RSA and ECC. The threat has been known for 30 years; only the hardware has been pending.

2024
NIST PQC Standards Finalised

FIPS 203, 204, 205 published in August. Post-quantum migration is now an obligation with standards to migrate to, not a research question.

2026
IBM: Quantum Advantage Forecast

IBM expects first practical quantum advantage over all classical methods by late 2026. The engineering roadmap is precise and funded.

2035
NIST Deprecation Deadline

RSA, DSA, ECDSA, ECDH removed from all NIST standards (NIST IR 8547). High-risk systems protecting long-lived data must migrate years earlier.

64
Effective Bits: AES-128 Under Quantum

Grover's algorithm halves symmetric key strength. AES-128 becomes equivalent to 64-bit security under quantum attack. AES-256 retains ~128-bit.

0
Quantum Resistance of RSA & ECC

All RSA and elliptic-curve cryptography provides zero protection against Shor's algorithm. There is no key length that provides quantum resistance.

How Quantum Computing Breaks Modern Cryptography

Two algorithms published in 1994 and 1996 define the entire quantum threat landscape. Understanding them precisely is the foundation of any quantum security program.

Shor 1994

Integer Factorisation in Polynomial Time: RSA Is Broken

RSA security rests on the computational hardness of factoring large integers. Classically, factoring a 2048-bit number would take longer than the age of the universe. Shor's algorithm (1994) factors the same number in polynomial time on a quantum computer. There is no RSA key length that provides quantum resistance; RSA-4096 is as broken as RSA-1024.

Source: Shor, P.W. (1994) FOCS Proceedings, Bell Labs

Shor 1994

Discrete Logarithm Solved: All ECC Is Broken

Elliptic-curve cryptography (ECDSA, ECDH, P-256, P-384, Curve25519, secp256k1) relies on the hardness of the elliptic curve discrete logarithm problem. Shor's algorithm also solves this in polynomial time. All ECC is broken. This affects HTTPS, TLS 1.3 key exchange, SSH, code signing, Bitcoin, and every system using elliptic-curve primitives.

Source: Shor, P.W. (1994); NIST SP 800-186

Grover 1996

Symmetric Key Strength Halved, Not Eliminated

Grover's algorithm provides quadratic speedup for unstructured search. Impact: AES-128 becomes equivalent to ~64-bit security; AES-256 retains ~128-bit (still adequate). SHA-256 preimage resistance reduced to ~128-bit. Symmetric cryptography is weakened, not broken outright. Symmetric key sizes must increase for long-lived sensitive data.

Source: Grover, L.K. (1996) STOC, Bell Labs

FIPS 203

ML-KEM: The Post-Quantum Key Encapsulation Standard

Module-Lattice Key Encapsulation Mechanism (ML-KEM, formerly CRYSTALS-Kyber), published as NIST FIPS 203 in August 2024. Replaces RSA and ECDH for key exchange. Based on the Module-LWE hardness problem with no known quantum attack. Three security levels: ML-KEM-512, ML-KEM-768 (recommended), ML-KEM-1024. Deploy immediately for TLS key exchange.

Source: NIST FIPS 203, August 2024

FIPS 204 & 205

ML-DSA and SLH-DSA: Post-Quantum Signature Standards

FIPS 204 (ML-DSA / CRYSTALS-Dilithium) replaces RSA-PSS and ECDSA for digital signatures using lattice problems. FIPS 205 (SLH-DSA / SPHINCS+) provides hash-based signatures with conservative, lattice-independent security assumptions. Both published August 2024. Deploying both provides hedged security against different future cryptanalytic advances.

Source: NIST FIPS 204, 205, August 2024

Active Threat

Harvest-Now-Decrypt-Later: The Present Threat

Shor's algorithm does not need to run today. NSA and CISA characterise harvest-now-decrypt-later as an active state-sponsored collection strategy. Adversaries intercept and archive encrypted communications for future decryption. Every RSA-encrypted TLS session transmitted today has zero long-term confidentiality against a quantum-capable adversary. The collection is ongoing now.

Source: NSA CNSA 2.0; CISA Post-Quantum Guidance

The Problem Space

Quantum computing is not simply "faster cryptography breaking." It is a fundamental shift in computational capability that renders certain mathematical problems and the entire security architecture built upon them invalid. Systems designed with the assumption that large integer factorisation is computationally infeasible face a direct, documented change in their threat model.

The question is not whether cryptographically relevant quantum computers will exist. IBM's roadmap, documented error-correction advances, and sustained national-scale investment make the trajectory clear. The question is the planning horizon, and for data with multi-year confidentiality requirements that horizon is already past.

Y2Q Assessment: The 2035 NIST deprecation deadline is not the risk threshold; it is the regulatory final deadline. High-risk systems protecting long-lived sensitive data face harvest-now-decrypt-later exposure today. The effective migration deadline for those systems is now.

The NIST Post-Quantum Standards

NIST completed its seven-year post-quantum cryptography standardisation process in August 2024. The published standards are:

NIST guidance: begin deploying ML-KEM for key exchange immediately. Plan ML-DSA and SLH-DSA migration for signing applications. NSA CNSA 2.0 sets specific timelines for National Security System migration.

Harvest-Now-Decrypt-Later: Why the Threat Is Present

The most important and most misunderstood aspect of quantum security is the harvest-now-decrypt-later threat vector. It changes the threat model in a fundamental way:

Migration Uncertainty and the Crypto-Agility Imperative

Post-quantum cryptography carries its own uncertainties that responsible analysis must acknowledge:

Crypto-Agility: Design cryptographic systems so algorithms can be replaced without architectural redesign. The quantum transition will not be the last forced migration. Systems built for crypto-agility today will be far less costly to maintain across future cryptographic transitions.
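As an added example, not code from this page or from the Y2Q tool: a hybrid X25519 + ML-KEM-768 key agreement in Go, the shape of the "deploy ML-KEM for TLS key exchange" step in the FIPS 203 card above, with the two shared secrets combined through a labelled KDF so either component can be replaced later without touching the handshake (the crypto-agility point). It assumes Go 1.24 or later for the standard-library crypto/mlkem and crypto/hkdf packages; the HKDF label string is an assumption, not a standard value.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

// combineSecrets derives a 32-byte session key. Each secret is length-prefixed and the
// algorithm names sit in the HKDF info (assumed label), so a component can be swapped.
func combineSecrets(secrets ...[]byte) ([]byte, error) {
	var ikm []byte
	for _, s := range secrets {
		ikm = binary.BigEndian.AppendUint16(ikm, uint16(len(s)))
		ikm = append(ikm, s...)
	}
	return hkdf.Key(sha256.New, ikm, nil, "hybrid-kex X25519+ML-KEM-768", 32)
}
// HybridEncap is the responder side: X25519 ECDH plus ML-KEM-768 encapsulation to the
// initiator's public keys. Returns the responder X25519 public key, ciphertext, key.
func HybridEncap(peerEC *ecdh.PublicKey, peerKEM *mlkem.EncapsulationKey768) (*ecdh.PublicKey, []byte, []byte, error) {
	ec, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	ss1, err := ec.ECDH(peerEC)
	if err != nil {
		return nil, nil, nil, err
	}
	ss2, ct := peerKEM.Encapsulate()
	key, err := combineSecrets(ss1, ss2)
	return ec.PublicKey(), ct, key, err
}

// HybridDecap is the initiator side. A tampered ciphertext of the right length does
// not error (ML-KEM implicit rejection); the two sides' keys simply differ instead.
func HybridDecap(ec *ecdh.PrivateKey, kem *mlkem.DecapsulationKey768, peerEC *ecdh.PublicKey, ct []byte) ([]byte, error) {
	ss1, err := ec.ECDH(peerEC)
	if err != nil {
		return nil, err
	}
	ss2, err := kem.Decapsulate(ct)
	if err != nil {
		return nil, err
	}
	return combineSecrets(ss1, ss2)
}
```

Because a tampered ciphertext surfaces only as mismatched keys, a real protocol must follow this exchange with key confirmation; an error from Decapsulate means a malformed length, not a failed integrity check.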

Know your quantum exposure before the window closes.

The Y2Q C-BOM Tool gives you a complete inventory of quantum-vulnerable cryptographic assets, NIST-aligned risk scores, and prioritised migration recommendations.


Research Status: Post-quantum cryptography has transitioned from standardisation to deployment. NIST FIPS 203, 204, and 205 are final standards. NSA CNSA 2.0 sets migration timelines for National Security Systems. NIST NCCoE is publishing migration guides for specific deployment scenarios. The standards are ready. The challenge is enterprise-scale inventory, prioritisation, and execution, which is exactly what the Y2Q C-BOM Tool addresses.