Key Takeaways
- Quantum computers will be able to break today’s public-key encryption systems.
- Post-quantum cryptography migration is vital now to safeguard sensitive data from SNDL attacks and potential future data breaches.
- Federal mandates are driving the adoption of quantum-secure cryptography, ensuring compliance with NIST standards.
- AES is quantum-resistant, but the asymmetric key exchange used to establish AES keys is quantum-vulnerable.
- A solution designed to minimize cost and support cryptographic agility is crucial.
What is Post-Quantum Cryptography (PQC)?
Post-quantum cryptography (PQC), also known as quantum-resistant cryptography (QRC), refers to algorithms and cryptosystems believed to be resistant to both classical and quantum computation. Although symmetric cryptographic primitives such as the Advanced Encryption Standard (AES) fall into this category, the term PQC usually refers specifically to public-key algorithms meant to replace the current public-key algorithms, such as Rivest-Shamir-Adleman (RSA), Diffie-Hellman (DH) key exchange, and Elliptic Curve Diffie-Hellman (ECDH) key exchange, that are vulnerable to a quantum computer of sufficient size. Post-quantum cryptography does not require a quantum computer to run; the algorithms are all implementable on general-purpose classical computing devices. If you’re already familiar with PQC and are ready to start your organization’s migration journey, sign up for our free PQC Ideation Workshop with our team of experts.
What is a quantum computer? What can it do?
A classical computer uses a “bit” as the fundamental unit of information. A bit can store a value of either a 0 or a 1. By contrast, a quantum computer operates on “qubits,” which can exist in a state that is simultaneously a 0 and a 1. This mind-bending ability is enabled by the principles of quantum mechanics and means that a quantum computer can efficiently solve certain classes of problems that would take a classical computer millions of years. This is referred to as “quantum advantage” or sometimes “quantum supremacy” and is found in problems such as modeling atoms to develop new materials, solving optimization problems, searching databases, or testing new proteins. In the future, these uses will help advance research and technology. Quantum computers, however, will not surpass classical computing capabilities for all tasks, and indeed, will operate in concert with classical computers.
How does current cryptography work?
Cryptography ensures that sensitive data remains secure from unauthorized access, both at rest and during transmission. There are two main types of cryptography: symmetric and asymmetric. Symmetric cryptography uses one shared secret key for both encryption and decryption. In asymmetric cryptography, a public key is used for encryption and a private key for decryption. The security of asymmetric cryptography is based on a one-way function: deriving the public key from the private key is easy, but deriving the private key from the public key is computationally infeasible. One of the most widely used forms of asymmetric cryptography is RSA. RSA uses the properties of prime numbers to securely encrypt and decrypt information.
Why is quantum computing a threat?
One of the many applications of quantum computers is breaking current cryptography. Though quantum computers do not surpass classical computers for all tasks, it turns out that quantum computers can efficiently solve the mathematical problems underlying much of the public-key cryptography in use today. These include RSA, Diffie-Hellman (DH) key exchange, and Elliptic Curve Diffie-Hellman (ECDH) key exchange.
Shor’s Algorithm
Discovered in 1994 by Peter Shor, “Shor’s algorithm” is the quantum algorithm that poses an existential threat to these public-key cryptography schemes by efficiently finding the prime factors of large numbers. Algorithms such as RSA select two large prime numbers and multiply them to get a larger number. Multiplying the primes is the easy part; the difficulty lies in determining which two prime numbers were multiplied together.
Though it would take a modern supercomputer millions of years to crack an RSA key of sufficient size, it would only take a quantum computer with around 4,000 qubits a few hours. On “Q-Day,” the day when such a “cryptographically relevant quantum computer” can use Shor’s algorithm to crack RSA, DH, or ECDH, bad actors will be able to decrypt most of the encrypted data sent across computer networks. This includes national security secrets, financial transactions, and health records.
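The one-way function described above, as an added worked example in Python (not code from QuSecure): a toy RSA key pair is built from two small primes and used to encrypt and decrypt, and then the “hard direction” is shown, recovering the private exponent from the public key alone by factoring the modulus. The primes and message are constructed and deliberately tiny so that trial division succeeds instantly; at real key sizes that same recovery is infeasible for a classical computer, and it is exactly the step Shor’s algorithm makes efficient.

```python
"""Toy RSA from two small primes, showing where the one-way function lives.

Added illustration, not QuSecure code. Primes are constructed and tiny so
that factoring the modulus (the 'hard direction') can be watched succeeding;
real RSA uses primes of 1024 bits or more, where trial division is hopeless
and Shor's algorithm is what would make factoring efficient.
"""
from math import gcd, isqrt


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Build an RSA key pair from primes p and q. Returns ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(pub, m: int) -> int:
    """Textbook RSA encryption: c = m^e mod n (no padding; toy only)."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> int:
    """Textbook RSA decryption: m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)


def factor_by_trial_division(n: int):
    """The 'hard direction': recover (p, q) from n.

    Cost grows exponentially in the bit length of n on a classical
    machine; it only finishes here because n is about 20 bits.
    """
    for cand in range(2, isqrt(n) + 1):
        if n % cand == 0:
            return cand, n // cand
    raise ValueError("n has no non-trivial factor")


def recover_private_exponent(pub) -> int:
    """Given only the public key, rebuild d once n has been factored."""
    n, e = pub
    p, q = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1))


def demo() -> dict:
    """Round-trip a message, then show factoring n yields the private key."""
    pub, priv = rsa_keygen(p=1009, q=1013)  # constructed toy primes
    message = 424242                         # constructed toy plaintext
    ciphertext = rsa_encrypt(pub, message)
    return {
        "n": pub[0],
        "roundtrip_ok": rsa_decrypt(priv, ciphertext) == message,
        "factoring_recovers_d": recover_private_exponent(pub) == priv[1],
    }


if __name__ == "__main__":
    print(demo())
```

Everything an attacker needs to undo the scheme is the factorization of n; the security of RSA is nothing more than the assumption that this step is infeasible at the chosen key size, which is why a machine that factors efficiently invalidates the scheme outright rather than merely weakening it.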
What are SNDL attacks?
Though Q-Day is potentially still a decade away, this timeline does not mean data is necessarily safe from quantum computers, even today. There is an increasing prevalence of “Store Now, Decrypt Later” (SNDL) attacks, sometimes referred to as Harvest Now, Decrypt Later (HNDL). In this case, hackers or foreign nation-states steal encrypted data without being able to decrypt it. They plan to store the data until quantum computers are available and powerful enough to decrypt it. This is a serious threat because most data has a lifetime of more than ten years. For example, information such as national security secrets, bank records, or health information needs to be kept private for the next 30 or more years. Store now, decrypt later attacks will allow hackers to see today’s data decrypted in the next decade. These attacks are going on every day.
Luckily, once data is protected by quantum-resistant encryption, it is no longer vulnerable to store now, decrypt later attacks, as hackers with quantum computers will still be unable to decrypt it.
What is vulnerable?
All public-key cryptography in widespread use today, including RSA, DH, and ECDH, is vulnerable.
Why is PQC important?
Against attacks from quantum computers, existing public-key encryption algorithms are no longer secure. Organizations must migrate to post-quantum encryption algorithms. These algorithms are built on mathematical problems that are believed to be hard for both conventional and quantum computers to solve. They are designed for two main tasks:
- General encryption – protecting data exchanged across a public network
- Digital signatures – authenticating identity and ensuring data integrity
What is the quantum timeline?
As of early 2026, publicly available data indicates that quantum computers capable of breaking the public-key cryptography in widespread use today do not exist. Due to the geopolitically strategic promise of quantum computers, there is significant government investment in quantum research programs. However, it is unlikely that the public will be made aware of government-led breakthroughs in quantum computing. That being said, to date, a Caltech device with 6,100 neutral-atom qubits exists. Even just two years ago, the largest quantum computer had around 1000 qubits, and two years before that, only 100 qubits, a mere fraction of today’s number. The pace of development has only accelerated in recent years, with many industry experts now predicting that Q-Day could be in the next 5-10 years. Concretely, this timeline means that powerful quantum computers will likely be able to break today’s encryption methods within the next decade.
Related: Qubit Count
What is the government doing about quantum threats? Is there regulatory oversight on this?
The U.S. government recognizes the serious threat quantum computing poses. In 2022, the White House published a National Security Memorandum that requires federal agencies to start switching to quantum-secure cryptography. Additionally, there is bipartisan support for action in Congress. In December 2022, the Quantum Computing Cybersecurity Preparedness Act was signed into law and lays out a plan to mitigate the quantum threat. In a 2024 report, the White House Office of Management and Budget (OMB) estimated that between 2025 and 2035, the total cost for federal agencies to migrate to PQC will be approximately $7.1 billion.
U.S. federal policy also establishes a clear migration timeline:
- By January 1, 2027: All National Security Systems (NSS) purchases must be compliant with post-quantum cryptography standards under the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0).
- 2030: U.S. federal agencies are to begin PQC migration of high-risk systems.
- 2035: U.S. federal agencies are expected to achieve full quantum resistance.
Additionally, the National Institute of Standards and Technology (NIST) completed an eight-year search for algorithms to use as the standard for post-quantum cryptography, publishing the first standards in 2024. These will replace current cryptography algorithms, such as RSA. The search gives guidance towards future cybersecurity efforts, which will have to comply with NIST post-quantum cryptography standards.
The first three published standards include:
- FIPS 203 ML-KEM – for key agreement
- FIPS 204 ML-DSA – for digital signatures
- FIPS 205 SLH-DSA – for stateless hash-based digital signatures
Two additional algorithms, FIPS 206 FN-DSA/FALCON and FIPS 207 HQC-KEM, remain under evaluation. These are also compatible with QuProtect R3, QuSecure’s quantum security solution.
Related: US Government Quantum Timeline
How do we know NIST’s algorithms work if we can’t test them with quantum computers?
Although we don’t have quantum computers capable of breaking modern cryptography as of early 2026, this limitation does not prevent researchers from deducing whether new or existing quantum algorithms (e.g., Shor’s algorithm) can break the proposed cryptographic schemes. This process is known as “quantum cryptanalysis” and is a vital component of the NIST Post-Quantum Cryptography selection process. Quantum computing, however, is a relatively young field, meaning that there are likely many quantum algorithms yet to be discovered.
What is the future of current post-quantum cryptography algorithms? Will cryptographic upgrades become cyclical?
New cryptanalysis, side-channel attacks, and software bugs have repeatedly prompted PQC submission teams to respond with algorithm tweaks, larger key sizes, and software patches. In several dramatic cases, researchers completely broke a candidate algorithm. To react to this shifting landscape, any PQC solution must be able to rapidly restore secure communications. This includes supporting the ability to swap out a vulnerable algorithm, increase key sizes, or patch vulnerable implementations. If vulnerabilities are found in the new PQC standards, all IT systems will need to migrate again to a different set of cryptographic algorithms. QuSecure recognizes this reality and is designed to support cryptographic agility. This permits a network or security operator to easily swap out a vulnerable algorithm without disruption to their networks, leaving behind obsolete algorithms and adopting newer, more secure ones.
If AES is resistant to quantum attacks, why do organizations need quantum-safe solutions from QuSecure?
AES is known as a “symmetric” cryptographic primitive and is used primarily for encrypting data between two entities. Experts do not believe quantum computers pose a major threat to symmetric primitives such as block ciphers (e.g., AES) or hash algorithms (e.g., SHA).
Grover’s Algorithm
This is largely due to Grover’s algorithm, a quantum algorithm for unstructured search or database search problems. By accelerating brute-force attacks, it provides a “quadratic speedup” against forms of symmetric cryptography such as AES. In other words, Grover’s algorithm speeds up key search by cutting the effective key length, in bits, roughly in half. Unlike the exponential speedup of Shor’s algorithm, which can break asymmetric encryption, Grover’s algorithm isn’t enough to break symmetric systems. It only weakens the levels of security slightly. As of now, breaking AES-256 with a quantum computer is approximately as difficult as breaking AES-128 with a classical computer. Due to this, AES still maintains strong security, especially with larger key sizes such as AES-256.
Key Distribution and Quantum Vulnerability
However, to secure data transmissions using AES, the two communicating entities must first securely establish a shared, secret key. This is the “key distribution” problem. Most secure channel protocols, such as TLS and IPsec, use public-key (aka “asymmetric”) cryptographic primitives such as Diffie-Hellman (DH) key exchange and Elliptic Curve Diffie-Hellman (ECDH) key exchange to establish this AES key. It is this initial asymmetric key exchange that is most vulnerable to quantum attack by Shor’s algorithm.
In summary, AES may be secure from a quantum attack. However, the broader protocol or system is vulnerable to a quantum attack if the AES keys cannot be established in a quantum-resistant manner.
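To make the key-distribution point concrete, and the crypto-agility point from the section on cyclical upgrades, here is an added Python example (not QuProtect code and not any library’s API) of deriving an AES-256 session key from the outputs of a key exchange. The two shared secrets are constructed stand-ins for an ECDH result and an ML-KEM encapsulation result; no actual key exchange is run. HKDF is implemented directly on hashlib/hmac following RFC 5869, and the algorithm names are bound into the derivation so that swapping one component changes the resulting key.

```python
"""Deriving the AES session key from the key exchange, classical vs hybrid.

Added example, not QuProtect or any library's code. It shows why AES being
quantum-resistant is not enough: the AES key comes out of the key exchange,
so whoever can recover the exchange's shared secret gets the AES key. In the
hybrid form, a classical secret and a post-quantum secret are concatenated
before key derivation, so an attacker needs both. The secrets below are
constructed placeholders, not outputs of a real ECDH or ML-KEM run.
"""
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Extract followed by HKDF-Expand (RFC 5869) with SHA-256."""
    if not salt:
        salt = b"\x00" * hashlib.sha256().digest_size
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_key(shared_secrets: dict, transcript: bytes) -> bytes:
    """Derive a 32-byte AES-256 key from named shared secrets.

    Secrets are concatenated in a canonical order so the key depends on all
    of them, and the algorithm names go into HKDF's 'info' so that changing
    the algorithm set (the crypto-agility case) yields a different key.
    """
    if not shared_secrets:
        raise ValueError("at least one shared secret is required")
    names = sorted(shared_secrets)
    ikm = b"".join(shared_secrets[name] for name in names)
    label = b"hybrid-aes-256:" + b"|".join(name.encode() for name in names)
    return hkdf_sha256(ikm, salt=transcript, info=label, length=32)


# Constructed stand-in values (in practice: the ECDH output, the KEM output,
# and a hash of the handshake messages exchanged so far).
ECDH_SECRET = hashlib.sha256(b"constructed ecdh shared secret").digest()
PQ_SECRET = hashlib.sha256(b"constructed ml-kem shared secret").digest()
TRANSCRIPT = hashlib.sha256(b"constructed handshake transcript").digest()


def classical_only_key() -> bytes:
    """Today's common case: the AES key rests entirely on ECDH."""
    return derive_session_key({"x25519": ECDH_SECRET}, TRANSCRIPT)


def hybrid_key() -> bytes:
    """Hybrid case: the AES key rests on ECDH *and* a post-quantum KEM."""
    return derive_session_key({"x25519": ECDH_SECRET, "ml-kem-768": PQ_SECRET}, TRANSCRIPT)


def key_with_only_classical_secret_known() -> bytes:
    """What a party holding the ECDH secret but not the KEM secret can derive.

    A future quantum attacker who recovers the ECDH secret via Shor's
    algorithm is in exactly this position; a wrong KEM input is modelled
    here as an all-zero placeholder.
    """
    return derive_session_key({"x25519": ECDH_SECRET, "ml-kem-768": b"\x00" * 32}, TRANSCRIPT)


if __name__ == "__main__":
    print("classical:", classical_only_key().hex())
    print("hybrid:   ", hybrid_key().hex())
    print("hybrid without KEM secret matches:",
          key_with_only_classical_secret_known() == hybrid_key())
```

The design choice worth noting is that the combiner treats the key exchange as replaceable input: adding, removing, or swapping an algorithm changes only the dictionary passed in, while the AES cipher and the rest of the protocol are untouched. That is the property the page calls cryptographic agility, and it is also why a future break of one component does not immediately expose sessions protected by the hybrid.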
Related: AES 256 is Quantum-Resistant, Capable of Withstanding Brute-Force Attack; Are RSA and AES Both at Risk From the Quantum Threat?
Do I need a quantum computer to protect myself?
No, quantum computers or specialized hardware devices are not needed to protect your data from the threat of quantum computers. Post-quantum cryptography can run on any general-purpose (classical) computing platform. As such, QuProtect has zero dependencies on quantum computers to operate. All the necessary technology is available today and integrates with existing networks and IT infrastructure. See product tour for more information.
What can we be doing now to get ready for cryptographically relevant quantum computers (CRQC)? What does PQC readiness look like?
Compliance readiness starts with visibility. Step one towards post-quantum readiness is knowing what to protect. Organizations need to identify their High Value Assets (HVAs). These are systems that move the most sensitive data and carry the most regulatory and operational risk. Without quantum-resilient encryption, organizations are vulnerable to SNDL attacks now and potentially catastrophic data breaches in the future. This puts heavy impetus on organizations to solve their quantum-security vulnerabilities.
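An added Python sketch (not QuProtect’s discovery tooling) of the visibility step described above: a constructed cryptographic inventory is classified by quantum exposure and ordered for migration. The rules follow the page’s claims (RSA, DH and ECDH fall to Shor’s algorithm; AES does not) together with the SNDL logic: only assets whose data must stay confidential beyond an assumed Q-Day horizon, set to 10 years here as an assumption, are exposed to store-now-decrypt-later collection today.

```python
"""Triage of a cryptographic inventory for quantum exposure and SNDL risk.

Added example, not QuProtect's discovery tooling. The inventory and the
Q-Day horizon are constructed assumptions; the classification follows the
page: RSA, DH/ECDH and the signature schemes built on the same problems
fall to Shor's algorithm, AES and SHA do not, and data that must remain
confidential past Q-Day is exposed to store-now-decrypt-later today.
"""
from dataclasses import dataclass

QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "X25519", "ECDSA", "Ed25519"}
QUANTUM_RESISTANT = {"AES-256-GCM", "ML-KEM-768", "ML-DSA-65", "SLH-DSA-128s"}
Q_DAY_HORIZON_YEARS = 10  # assumption for the example, not a forecast


@dataclass
class Asset:
    name: str
    key_exchange: str
    signature: str
    cipher: str
    data_lifetime_years: int  # how long the data must stay confidential
    high_value: bool          # organisation's own HVA designation


def classify(asset: Asset) -> dict:
    """Return the weak components, SNDL exposure and a priority (0 = act first)."""
    algs = (asset.key_exchange, asset.signature, asset.cipher)
    weak = [a for a in algs if a in QUANTUM_VULNERABLE]
    unknown = [a for a in algs if a not in QUANTUM_VULNERABLE | QUANTUM_RESISTANT]
    # SNDL is a confidentiality problem: traffic recorded today under a
    # quantum-vulnerable key exchange becomes readable once a CRQC exists.
    # Signatures are at risk of forgery only after Q-Day, not retroactively,
    # so they do not by themselves create SNDL exposure.
    sndl_exposed = (asset.key_exchange in QUANTUM_VULNERABLE
                    and asset.data_lifetime_years > Q_DAY_HORIZON_YEARS)
    if sndl_exposed and asset.high_value:
        priority = 0
    elif sndl_exposed:
        priority = 1
    elif weak or unknown:
        priority = 2
    else:
        priority = 3
    return {"asset": asset.name, "weak": weak, "unknown": unknown,
            "sndl_exposed": sndl_exposed, "priority": priority}


def triage(assets) -> list:
    """Classify every asset and order them so the first entry is migrated first."""
    return sorted((classify(a) for a in assets), key=lambda r: (r["priority"], r["asset"]))


# Constructed inventory: name, key exchange, signature, cipher, lifetime, HVA.
INVENTORY = [
    Asset("patient-records-api", "ECDH", "RSA", "AES-256-GCM", 30, True),
    Asset("marketing-site", "X25519", "ECDSA", "AES-256-GCM", 1, False),
    Asset("backup-archive-vpn", "DH", "RSA", "AES-256-GCM", 25, False),
    Asset("pilot-pqc-gateway", "ML-KEM-768", "ML-DSA-65", "AES-256-GCM", 30, True),
]


if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(f'{row["priority"]}  {row["asset"]:22} weak={row["weak"]} '
              f'sndl={row["sndl_exposed"]} unknown={row["unknown"]}')
```

The ordering this produces is the point of the exercise: the long-lived, high-value records go first, the long-lived archive link second, and the short-lived marketing traffic, although it also uses quantum-vulnerable algorithms, is not an SNDL concern today and can follow later. In a real inventory the algorithm fields would be populated from discovery data (TLS configurations, certificates, VPN profiles) rather than typed in by hand.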
QuSecure offers the easiest and most comprehensive quantum security solution on the market, with a variety of selling points. QuProtect R3 is orchestrated, lightweight, and backwards-compatible, allowing our single solution to fit the needs of any client. This solution identifies where cryptography truly matters, assesses exposure, and prioritizes action. It is also crypto-agile, which allows QuProtect to use whichever encryption algorithm is best in any given situation. Lastly, QuProtect is proven, having been chosen as the U.S. government’s default PQC provider. As a trusted, non-invasive, flexible solution, QuSecure is the easy button for post-quantum cryptography.