Migrating to Post-Quantum Security: Why Asymmetric Is the Practical Path Forward Today
Key Takeaway for Busy Readers
Post-quantum security is fundamentally an opportunity to enable cryptographic agility – the ability to evolve cryptography over time without breaking trust, identity, or global interoperability. Any solution that requires specialized hardware, pre-established secrets, or redesigning internet infrastructure cannot scale, no matter how strong it appears on paper. Asymmetric post-quantum cryptography represents the most practical migration strategy available today.
A Quantum Wake-Up Call
Quantum computing is no longer a purely theoretical concept. As progress accelerates, it carries a profound implication for cybersecurity: today’s public-key cryptography will eventually fail.
Why Today’s Public-Key Cryptography Will Eventually Fail
Algorithms such as RSA and elliptic-curve cryptography (ECC), which underpin secure communication across the internet, can be efficiently broken by large-scale quantum computers using Shor’s algorithm. This has accelerated global investment in quantum-resistant algorithms designed to withstand both classical and quantum attacks.
The Real Challenge: Deploying Quantum-Resistant Cryptography At Scale
The challenge is not only finding algorithms that are secure, but also deploying them at global scale without disrupting existing systems. This tension has driven the exploration of multiple approaches to post-quantum security—some promising in theory, others less practical in reality.
The question, then, is not whether change is required, but which migration strategies can realistically meet this challenge.
Paths Considered for Post-Quantum Migration
Over the past decade, three broad alternatives to the asymmetric model have been explored to address the post-quantum threat: quantum key distribution, symmetric key agreement protocols, and pre-shared keys. Each offers valuable insights, but each also comes with limitations that prevent it from serving as a universal solution, as discussed below.
Why The Internet Relies On Asymmetric Encryption
At a high level, the asymmetric cryptographic pattern that underpins today’s internet has proven to be both scalable and resilient. Public-key cryptography enables secure key exchange, identity verification, and trust establishment across billions of devices without prior coordination. As quantum threats emerge, the challenge is migrating to quantum-resistant algorithms while preserving this operational model.
In practice, this means adopting the latest standardized post-quantum primitives within familiar asymmetric workflows, rather than abandoning the model entirely.
ML-KEM represents this path forward. Before examining why alternative approaches fall short, it’s worth understanding what a practical solution looks like—and why asymmetric post-quantum cryptography is not just theoretically sound, but operationally viable today.
ML-KEM: A Practical Foundation for Post-Quantum Security
ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism) is a post-quantum asymmetric key-establishment algorithm whose security rests on the Module Learning With Errors problem over lattices. It is the standardized form of CRYSTALS-Kyber, selected after several rounds of public scrutiny in NIST's post-quantum standardization effort and published as FIPS 203 in 2024. As a KEM rather than an interactive key exchange, it works in one pass: the sender encapsulates a fresh shared secret to the recipient's public key, and the recipient recovers it with the private key.
ML-KEM Alignment With Post Quantum Standards
A strong signal of its practical relevance is its inclusion in the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), the NSA's set of quantum-resistant algorithms for National Security Systems. CNSA 2.0 explicitly lists ML-KEM as the quantum-secure mechanism for key establishment in general-purpose cryptographic use cases and requires the ML-KEM-1024 parameter set for those systems (signatures are covered separately by ML-DSA). Commercial deployments outside that scope commonly use ML-KEM-768.
Why ML-KEM Preserves Asymmetric Trust Model
Unlike symmetric-only solutions or hardware-bound approaches, ML-KEM enables asymmetric key establishment that:
- Preserves the open trust and identity model of today’s internet
- Operates on classical hardware without exotic infrastructure
- Scales to billions of endpoints
- Provides quantum-resilient security built on hard lattice problems
This aligns directly with crypto agility – preserving existing trust frameworks while enabling evolution of cryptographic primitives underneath them.
Why ML-KEM Stands Out
ML-KEM offers a compelling balance of security, performance, and deployability:
- Quantum resistance: Based on lattice problems for which no efficient quantum attacks are known.
- Asymmetric key establishment: Enables secure key establishment between parties with no prior shared secrets. Like any KEM, ML-KEM protects the confidentiality of the established key but does not by itself authenticate the peer; identity still comes from signatures and certificates layered on top, exactly as ECDH is authenticated in TLS today.
- Efficient performance: Key generation, encapsulation and decapsulation are competitive with elliptic-curve operations in software, fast enough for TLS handshakes and secure messaging.
- Reasonable key sizes: Larger than ECC but manageable. ML-KEM-768 has a 1184-byte public key, a 1088-byte ciphertext and a 32-byte shared secret, against 32 bytes each for an X25519 public key and shared secret; the extra kilobyte still fits comfortably in a TLS handshake.
- Drop-in migration path: ML-KEM can be deployed in hybrid modes alongside classical algorithms, so the session key remains secure if either component holds. The X25519MLKEM768 group already used by major browsers and CDNs for TLS 1.3 is the most widely deployed example.
Achieving True Crypto Agility
However, adopting ML-KEM itself is not enough. Deploying the latest algorithm does not automatically yield long-term resilience. To achieve true crypto agility (the ability to swap and evolve cryptographic primitives over time) organizations need an implementation strategy that anticipates algorithm updates, hybrid handshakes, and key and certificate lifecycle management. In practice this means carrying algorithm and parameter identifiers in protocol messages rather than hard-coding them, negotiating them under a fail-closed policy so that a peer cannot quietly force a downgrade to classical-only cryptography, keeping an inventory of where each primitive is used, and having a tested process for rolling updates.
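The following is an added example, not code from the original article or from any TLS implementation. It shows the shape of the hybrid and agile design described above: a data-driven catalogue of named groups, server-side negotiation that fails closed when policy requires a post-quantum component, fixed-length parsing of a concatenated hybrid key share, and a combiner that derives one session key from the component shared secrets (optionally mixing in a pre-shared key). The component sizes are the FIPS 203 ML-KEM-768 values and the X25519MLKEM768 ordering from the IETF hybrid-TLS draft; everything else (the `Group` table, function names, the `hybrid-session-key` label, the simplified HKDF schedule, the reference to liboqs) is an assumption of this example. The ML-KEM and X25519 operations themselves are not implemented here; their outputs are constructed sample bytes.

```python
"""Agile hybrid key establishment: group negotiation, share parsing, secret combining.

Added illustration for this article, not code from the original page or any TLS stack.
The ML-KEM and X25519 operations are assumed to come from a library (e.g. liboqs); only
their fixed-size outputs appear here, as constructed sample bytes.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    name: str
    pq: bool               # has a post-quantum component
    client_share: tuple    # byte lengths of the client key_share components, in order
    server_share: tuple    # byte lengths of the server key_share components, in order
    shared_secrets: tuple  # byte lengths of the component shared secrets, same order


# Named-group catalogue (assumed shape). ML-KEM-768 sizes (encapsulation key 1184,
# ciphertext 1088, shared secret 32) are from FIPS 203; X25519 values are 32 bytes and
# secp256r1 uses 65-byte uncompressed points. In X25519MLKEM768 the ML-KEM component comes
# first, as in the IETF draft. Since this is data, a future group (an HQC hybrid, say) is
# one new entry: that is the agility point.
GROUPS = {
    "X25519MLKEM768": Group("X25519MLKEM768", True, (1184, 32), (1088, 32), (32, 32)),
    "X25519": Group("X25519", False, (32,), (32,), (32,)),
    "secp256r1": Group("secp256r1", False, (65,), (65,), (32,)),
}


def negotiate(client_offered, server_preference, require_pq=True):
    """Server-side choice: the first group in the server's preference order that the
    client offered. With require_pq, classical-only groups are skipped, and if nothing
    with a PQ component remains we fail closed rather than silently downgrading."""
    for name in server_preference:
        if name in client_offered and name in GROUPS:
            group = GROUPS[name]
            if require_pq and not group.pq:
                continue
            return group
    raise ValueError("no mutually supported group satisfies policy; refusing to downgrade")


def split_share(group, share, from_client=True):
    """Split a concatenated hybrid key_share into components by their fixed lengths.
    Every component is fixed-size, so the total must match exactly; anything else is
    malformed and rejected instead of being parsed loosely."""
    lengths = group.client_share if from_client else group.server_share
    if len(share) != sum(lengths):
        raise ValueError(f"{group.name}: expected {sum(lengths)} bytes, got {len(share)}")
    parts, offset = [], 0
    for n in lengths:
        parts.append(share[offset:offset + n])
        offset += n
    return parts


def hkdf_extract(salt, ikm):
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine(group, secrets, transcript_hash, psk=b""):
    """Derive one 32-byte session key from the component shared secrets plus an optional
    PSK (the 'mix in a symmetric key' idea). Secrets are concatenated in group order and
    run through HKDF, so the key stays secret as long as any one input does. Lengths are
    checked so a short component cannot shift the boundary, and the group name and
    transcript hash are bound in so a key from one negotiation is never valid in another.
    This is a simplified stand-alone schedule shaped like TLS 1.3's, not TLS itself."""
    if len(secrets) != len(group.shared_secrets):
        raise ValueError("wrong number of component shared secrets")
    for secret, expected in zip(secrets, group.shared_secrets):
        if len(secret) != expected:
            raise ValueError("component shared secret has unexpected length")
    prk = hkdf_extract(bytes(32), b"".join(secrets) + psk)
    info = b"hybrid-session-key|" + group.name.encode() + b"|" + transcript_hash
    return hkdf_expand(prk, info, 32)


if __name__ == "__main__":
    # Constructed sample values standing in for real protocol output.
    group = negotiate(["X25519MLKEM768", "X25519"], ["X25519MLKEM768", "secp256r1"])
    mlkem_ek, x25519_pub = split_share(group, b"\x11" * 1184 + b"\x22" * 32)
    ss_mlkem = hashlib.sha256(b"constructed ML-KEM shared secret").digest()
    ss_x25519 = hashlib.sha256(b"constructed X25519 shared secret").digest()
    transcript = hashlib.sha256(b"constructed handshake transcript").digest()
    key = combine(group, [ss_mlkem, ss_x25519], transcript)
    print(group.name, len(mlkem_ek), len(x25519_pub), key.hex())
```

Two design choices matter for the security argument. First, `negotiate` never returns a classical-only group while `require_pq` is set, so an attacker who strips post-quantum groups from a ClientHello gets a handshake failure rather than a quietly weaker session. Second, `combine` derives the key from the concatenation of all component secrets, which is why a hybrid deployment stays safe even if one of ML-KEM or X25519 is later broken: the attacker would need both.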
Why Alternative Approaches Fall Short
Three approaches have been explored as alternatives to asymmetric post-quantum cryptography: quantum key distribution (QKD), symmetric key agreement protocols, and pre-shared keys. While each offers theoretical benefits, none can operate at internet scale without specialized hardware, pre-established trust relationships, or key-management overhead that grows quadratically with the number of parties.
Limitations of Alternative Post-Quantum Approaches
Quantum Key Distribution (QKD)
Quantum Key Distribution uses the laws of quantum mechanics to let two parties establish a shared secret key, with security arguments that rest on physics rather than on computational hardness. In theory, any attempt by an adversary to eavesdrop on the quantum channel disturbs the system in a detectable way, alerting the communicating parties. Those guarantees apply to the idealized protocol; real QKD devices have been attacked through imperfections in their physical implementation, such as the photon detectors.
Drawbacks of QKD
Despite its elegant theoretical foundations, QKD faces major practical obstacles:
- Specialized hardware requirements: QKD requires dedicated quantum communication equipment, such as photon sources, detectors, and often fiber-optic or free-space optical links.
- Limited range and scalability: Quantum signals degrade rapidly with distance, so long-haul links need trusted relay nodes that hold the key in the clear at each hop, reintroducing exactly the trust assumptions QKD was meant to remove.
- Limited to key distribution: QKD can securely distribute symmetric keys between endpoints, but it does not provide authentication, identity, or trust establishment on its own, nor does it replace asymmetric cryptography for open, multi-party systems.
- High deployment cost: The infrastructure required for QKD is expensive and incompatible with most existing network architectures.
- Operational complexity: Maintaining and managing quantum hardware at scale is far beyond the capabilities of most organizations.
As a result, QKD is best suited for niche, high-assurance environments rather than global internet-scale deployment. It is therefore not a recommended foundation for securing the post-quantum era, a position consistent with published US government guidance, including the NSA's statement that it does not support the use of QKD to protect National Security Systems. Quantum random number generators marketed alongside QKD are a separate matter: they are an entropy source, not a key-establishment mechanism, and do nothing to address the quantum threat to public-key cryptography.
Symmetric Key Agreement Protocols
Symmetric key agreement protocols attempt to establish shared secrets without relying on traditional public-key cryptography. In some cases, these protocols assume an initial shared secret or use trusted intermediaries to bootstrap secure communication. Because symmetric primitives such as block ciphers and hash functions are comparatively resilient to quantum attacks (Grover's algorithm at best halves the effective key length, so AES-256 and SHA-384 keep ample margin), this approach has been considered as a possible path toward post-quantum security.
Limitations of Symmetric Key Agreement
Despite their quantum resilience at the primitive level, symmetric key agreement protocols face fundamental challenges:
- Initial trust requirement: Most symmetric key agreement schemes require some form of pre-established trust or secret material, making them unsuitable for open networks where parties have no prior relationship.
- Key distribution problem remains unsolved: Without asymmetric cryptography, there is no scalable mechanism to securely distribute or refresh symmetric keys over untrusted channels.
- Poor scalability: Large systems require managing a rapidly growing number of shared secrets, creating operational and administrative complexity.
- Lack of forward secrecy: When every session is derived from a long-term shared key, compromise of that key exposes all past traffic protected under it, not just future sessions.
As a result, while symmetric cryptography remains essential for high-performance data encryption after keys are established, symmetric key agreement protocols alone cannot replace public-key cryptography as the foundation of secure communication. Mixing a symmetric pre-shared key into an asymmetric protocol does, however, remain a valid way to strengthen it, and is already standardized: TLS 1.3 can combine a PSK with an ephemeral key exchange, and RFC 8784 mixes a post-quantum preshared key into IKEv2 for exactly this reason. The asymmetric exchange still does the scaling; the symmetric key is an additional layer of defence.
Pre-Shared Keys (PSKs)
Pre-shared keys represent the simplest possible solution: keys are exchanged securely ahead of time and reused for encrypted communication.
Drawbacks of Pre-Shared Keys
While PSKs avoid quantum-vulnerable public-key operations, they introduce significant challenges:
- Poor scalability: Each communicating pair requires a unique secret, so n parties need n(n-1)/2 keys and key-management complexity grows quadratically.
- Operational overhead: Securely provisioning, rotating, and revoking keys becomes unmanageable in large or distributed systems.
- Single point of failure: A PSK is a long-term secret; its compromise exposes every session it protected, past and future, unless an ephemeral exchange is layered on top.
Pre-shared keys work in constrained environments but fundamentally contradict the open, dynamic nature of the internet. Where no asymmetric post-quantum key agreement is available, however, they may be the only viable way forward.
The Optimal Migration Strategy
The transition to post-quantum security is not an overnight event. The most practical strategy is incremental migration and crypto-agility, using hybrid protocols that combine classical and post-quantum algorithms until confidence in post-quantum schemes is fully established.
ML-KEM fits directly into this model. Additional post-quantum asymmetric key-establishment algorithms are following: HQC, a code-based KEM that NIST selected in 2025 as a backup to ML-KEM, is being drafted into a standard and will join the list. Together with hybrid deployment, these algorithms enable organizations to begin protecting data today against future quantum attacks, including “harvest now, decrypt later” threats, without sacrificing interoperability or performance.
Without crypto agility, transitioning to future algorithms or responding to newly discovered vulnerabilities becomes complex, disruptive, and costly.
Conclusion
Quantum computing poses a fundamental challenge to traditional public-key cryptography, creating an urgent need for new, quantum-resistant solutions. While approaches such as quantum key distribution, symmetric-only systems, and pre-shared keys offer partial answers, each falls short as a universal solution.
Asymmetric post-quantum cryptography – and the ability to replace it seamlessly over time – emerges as the most practical and scalable path forward. It preserves the core advantages of public-key systems while providing strong resistance to quantum attacks, making it the optimal foundation for secure communication in the post-quantum era.
The quantum future may still be unfolding, but the time to migrate cryptography deliberately and with agility is now.