What is Post-Quantum Cryptography?


Post-quantum cryptography uses algorithms resistant to quantum computer attacks. Learn what it means for your data, when to start planning, and what NIST has standardized.

Why Quantum Computing Threatens Current Encryption

The encryption systems that protect the majority of digital communication and data storage today — RSA, Elliptic Curve Cryptography (ECC), and Diffie-Hellman key exchange — rely on mathematical problems that classical computers cannot solve in practical timeframes. RSA encryption, for example, depends on the difficulty of factoring very large numbers into their prime components. A classical computer factoring a 2,048-bit RSA key would require longer than the age of the universe. A sufficiently powerful quantum computer running Shor's algorithm could factor the same key in hours or days.

This is not speculative. Shor's algorithm has been proven correct. The only open question is when quantum computers will reach the capability — measured in stable, error-corrected qubits — required to execute it against real-world key sizes. Current estimates from NIST, the NSA, and independent research groups place 'cryptographically relevant' quantum computers (CRQCs) approximately 10-15 years away, with meaningful uncertainty on both sides.
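To make the factoring reduction concrete, here is an added example (not code from the original article) of the classical half of Shor's algorithm in Python. The quantum part of Shor finds the period r of a^x mod n in polynomial time; this toy replaces it with brute-force order finding, which is exactly the step that is exponential for a classical machine. The post-processing, gcd(a^(r/2) ± 1, n), is the textbook reduction and works on small semiprimes here; on a 2,048-bit modulus the brute-force `multiplicative_order` call is what never finishes.

```python
from math import gcd
from typing import Optional, Tuple


def multiplicative_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r == 1 (mod n); requires gcd(a, n) == 1.

    Brute force: this is the period-finding step that a quantum computer
    performs in polynomial time and that classical computers cannot.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int) -> Optional[Tuple[int, int]]:
    """Classical post-processing of Shor's algorithm for a composite n.

    For a base a with even period r and a**(r/2) != -1 (mod n), the value
    y = a**(r/2) satisfies y**2 == 1 (mod n) while y != +-1, so gcd(y - 1, n)
    is a nontrivial factor. Returns the two factors sorted, or None if n
    is prime (every base is skipped).
    """
    if n % 2 == 0:
        return (2, n // 2)
    for a in range(2, n):
        g = gcd(a, n)
        if g != 1:
            # Lucky base that already shares a factor with n.
            return tuple(sorted((g, n // g)))
        r = multiplicative_order(a, n)
        if r % 2:
            continue                     # odd period: try another base
        y = pow(a, r // 2, n)
        if y == n - 1:
            continue                     # trivial square root of 1: retry
        p = gcd(y - 1, n)
        return tuple(sorted((p, n // p)))
    return None


if __name__ == "__main__":
    # Constructed toy moduli; 3233 = 53 * 61 is the classic textbook RSA example.
    for n in (15, 21, 3233):
        print(n, "->", shor_factor(n))
```

Running it prints the prime pairs for each toy modulus; the point for a defender is that the only thing standing between this script and a real RSA key is the speed of the period-finding step, which is what a cryptographically relevant quantum computer supplies.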

The 'Harvest Now, Decrypt Later' threat makes the timeline more urgent than it appears. Nation-state adversaries are believed to be actively collecting encrypted communications and data today with the intention of decrypting them when CRQC capability is achieved. Communications that need to remain confidential for 10-15+ years — classified information, long-term contracts, strategic plans, intellectual property — are already at risk from this strategy.

Post-Quantum Cryptographic Algorithms: The NIST Standards

NIST completed its post-quantum cryptography (PQC) standardization process in August 2024, finalizing three algorithms that are resistant to attacks from both classical and quantum computers.

ML-KEM (CRYSTALS-Kyber) — a key encapsulation mechanism for establishing shared secrets that are then used to encrypt data. This is the primary replacement for RSA and ECC in encryption applications.

ML-DSA (CRYSTALS-Dilithium) — a digital signature algorithm for authentication and code signing. This is the primary replacement for RSA and ECDSA signatures.

SLH-DSA (SPHINCS+) — a hash-based signature algorithm that offers an alternative signature scheme built on different mathematical assumptions, which gives the standard cryptographic diversity.

These algorithms are based on mathematical problems — primarily lattice problems and hash functions — that are believed to be resistant to both classical and quantum attacks. NIST is continuing to evaluate additional algorithms to provide further cryptographic diversity.

The Migration Challenge: Why PQC Transition Is a Multi-Year Program

Replacing cryptographic algorithms is not a software update. Cryptography is embedded in virtually every layer of digital infrastructure — TLS/SSL certificates, VPN protocols, code signing, email security (S/MIME, PGP), disk encryption, hardware security modules, PKI infrastructure, and custom application encryption implementations. Identifying all cryptographic dependencies in a complex enterprise environment is the first challenge. Many organizations do not have a complete picture of where cryptography is used in their systems.

Cryptographic agility — building systems that can swap cryptographic algorithms without architectural redesign — is the design principle that makes PQC migration feasible. Organizations that hard-wired specific algorithms into their systems face the hardest migration paths. Organizations whose cryptographic interfaces can be updated independently have a more tractable migration ahead.
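As an added illustration of what an agile cryptographic interface looks like (this is example code, not from the original article or any vendor), the Python below separates three things that rigid systems fuse together: the algorithm identifier travels with every key and every signature, callers sign and verify through one interface that dispatches on that identifier, and a deployment policy set decides which identifiers are still accepted, so retiring an algorithm is a policy change rather than a code change. The two registered schemes are Lamport one-time signatures, the hash-based construction that SLH-DSA descends from, parameterised by SHA-256 and SHA3-256; the identifiers `lamport-sha256` and `lamport-sha3-256` are hypothetical names chosen for this example.

```python
import hashlib
import os
from typing import Callable, Dict, List, Set, Tuple

# Registry: stable algorithm id -> hash constructor. Adding a new scheme is a
# new entry here; callers of sign()/verify() never change. (Hypothetical ids.)
ALGORITHMS: Dict[str, Callable[[bytes], "hashlib._Hash"]] = {
    "lamport-sha256": hashlib.sha256,
    "lamport-sha3-256": hashlib.sha3_256,
}
N_BITS = 256          # every registered hash yields a 256-bit digest
SECRET_LEN = 32       # bytes per preimage in the Lamport private key

Pairs = List[Tuple[bytes, bytes]]
Key = Tuple[str, Pairs]   # (algorithm id, 256 pairs) so keys are bound to an algorithm


def _bits(digest: bytes) -> List[int]:
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def keygen(alg: str) -> Tuple[Key, Key]:
    """Lamport one-time key: 256 random preimage pairs; public key is their hashes.
    A Lamport key must sign only ONE message, or preimages leak."""
    h = ALGORITHMS[alg]
    pairs = [(os.urandom(SECRET_LEN), os.urandom(SECRET_LEN)) for _ in range(N_BITS)]
    sk: Key = (alg, pairs)
    pk: Key = (alg, [(h(a).digest(), h(b).digest()) for a, b in pairs])
    return sk, pk


def sign(sk: Key, msg: bytes) -> bytes:
    """Envelope layout: 1 length byte | algorithm id | raw signature."""
    alg, pairs = sk
    h = ALGORITHMS[alg]
    sig = b"".join(pairs[i][bit] for i, bit in enumerate(_bits(h(msg).digest())))
    ident = alg.encode()
    return bytes([len(ident)]) + ident + sig


def verify(pk: Key, msg: bytes, envelope: bytes, allowed: Set[str]) -> bool:
    """Dispatch on the id in the envelope; 'allowed' is the deployment policy.
    Dropping an id from 'allowed' retires that algorithm without code changes."""
    if not envelope:
        return False
    n = envelope[0]
    alg = envelope[1:1 + n].decode(errors="replace")
    sig = envelope[1 + n:]
    key_alg, pairs = pk
    if alg not in allowed or alg not in ALGORITHMS or alg != key_alg:
        return False
    h = ALGORITHMS[alg]
    if len(sig) != SECRET_LEN * N_BITS:
        return False
    for i, bit in enumerate(_bits(h(msg).digest())):
        chunk = sig[SECRET_LEN * i:SECRET_LEN * (i + 1)]
        if h(chunk).digest() != pairs[i][bit]:
            return False
    return True


if __name__ == "__main__":
    policy = {"lamport-sha256", "lamport-sha3-256"}
    sk, pk = keygen("lamport-sha256")
    env = sign(sk, b"release-1.0.tar.gz")            # constructed message
    print("valid:", verify(pk, b"release-1.0.tar.gz", env, policy))
    print("after retiring sha256:", verify(pk, b"release-1.0.tar.gz", env, policy - {"lamport-sha256"}))
```

The design choice worth copying is the policy set in `verify`: a migration can first add a post-quantum identifier to the registry and policy, run both algorithms in parallel while keys roll over, and then remove the old identifier from the policy, with no caller ever naming an algorithm directly.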

The US federal government issued NSM-10 in 2022, directing federal agencies to develop PQC migration plans and prioritize the transition of high-value assets. CISA, NSA, and NIST have published a joint advisory recommending that organizations begin inventorying cryptographic dependencies and planning migration without waiting for standardization to complete (which it did in 2024).

PQC for Boards and PE Operating Partners

For boards, the relevant horizon question is: what data does the organization handle that needs to remain confidential for 10+ years? Financial institutions, healthcare organizations, defense contractors, law firms, and companies with valuable IP all have categories of data with long-term confidentiality requirements. These organizations are already within the 'Harvest Now, Decrypt Later' threat window.

For PE due diligence, PQC maturity is not yet a standard checklist item at most firms. It should be on the horizon, particularly for portfolio companies in regulated industries with long data confidentiality requirements. The question is not whether the portfolio company has deployed PQC — almost none have. The question is whether the organization is aware of the requirement and has begun the cryptographic inventory that is the prerequisite to migration planning.

The organizations that will face the most disruptive PQC transitions are those that begin planning late. The organizations that begin inventory and architectural planning now — even before deployment is operationally required — will have 3-5 year head starts on the migration challenge.

The Practical Steps for PQC Readiness

An organization beginning PQC readiness follows three phases. First: cryptographic inventory. Identify all uses of cryptography in systems, applications, and infrastructure. Which algorithms are in use? What key sizes? What data is being protected? Which systems and communications have long-term confidentiality requirements? This inventory does not require immediate action — it creates the foundation for prioritized migration planning.

Second: prioritization. Systems protecting data with long-term confidentiality requirements or those exposed to nation-state threat actors should be prioritized for early migration. Internal systems with short-lived data or low sensitivity can be migrated later. The harvest-now-decrypt-later threat applies specifically to data that needs to remain confidential for years, not to data that has short-term sensitivity.

Third: vendor assessment. Ask cloud providers, security vendors, and software suppliers for their PQC migration timelines. Major providers — AWS, Google, Microsoft, Cloudflare — have published PQC support roadmaps. The enterprise transition depends in part on vendor ecosystem support, and organizations should understand their dependencies.
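The inventory and prioritization phases above can be expressed as a small, repeatable triage rule, which the added Python example below does (it is illustrative code, not from the original article or any assessment product). Each inventory record captures what the article says the inventory must answer: the system, the purpose of the cryptography, the algorithm and key size, how long the protected data must stay confidential, and whether the system faces nation-state collection. The classifier then applies the article's own ordering: Shor-vulnerable public-key algorithms protecting data that outlives the CRQC horizon migrate first, nation-state-exposed systems next, signatures and short-lived data later, and symmetric or already-PQC uses need no change. The sample inventory and the 10-year horizon constant are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Public-key algorithms whose security rests on factoring or discrete logs;
# Shor's algorithm on a CRQC breaks every one of them.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "Ed25519"}
# The NIST standards finalized in August 2024.
PQC_STANDARD = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Lower end of the 10-15 year CRQC estimate (assumed planning value): data that
# must stay confidential at least this long is inside the harvest-now window.
CRQC_HORIZON_YEARS = 10


@dataclass
class CryptoUse:
    system: str
    purpose: str                 # "key-exchange", "encryption" or "signature"
    algorithm: str
    key_bits: int                # modulus/curve size, or PQC parameter set number
    confidentiality_years: int   # how long the protected data must stay secret
    nation_state_exposed: bool = False


def classify(use: CryptoUse) -> Tuple[int, str]:
    """Return (priority, reason); priority 0 migrates first, 3 needs no change."""
    if use.algorithm in PQC_STANDARD:
        return 3, "already on a NIST post-quantum standard"
    if use.algorithm not in QUANTUM_VULNERABLE:
        return 3, "not a Shor-vulnerable public-key algorithm"
    if (use.purpose in ("key-exchange", "encryption")
            and use.confidentiality_years >= CRQC_HORIZON_YEARS):
        return 0, "harvest-now-decrypt-later exposure: data outlives the CRQC horizon"
    if use.nation_state_exposed:
        return 1, "exposed to nation-state collection"
    if use.purpose == "signature":
        return 2, "signature: no retroactive forgery risk, migrate before CRQCs arrive"
    return 2, "short-lived data: migrate in a later wave"


def migration_plan(inventory: List[CryptoUse]) -> List[Tuple[int, str, str]]:
    """Inventory ranked into migration waves, most urgent first."""
    ranked = sorted(inventory, key=lambda u: (classify(u)[0], u.system))
    return [(classify(u)[0], u.system, classify(u)[1]) for u in ranked]


def algorithm_summary(inventory: List[CryptoUse]) -> Dict[str, int]:
    """The inventory question 'which algorithms and key sizes are in use?'."""
    counts: Dict[str, int] = {}
    for u in inventory:
        key = f"{u.algorithm}-{u.key_bits}"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample inventory; none of these are real systems.
SAMPLE_INVENTORY = [
    CryptoUse("site-to-site VPN", "key-exchange", "DH", 2048, 15, True),
    CryptoUse("partner API gateway", "key-exchange", "ECDH", 256, 2, True),
    CryptoUse("internal wiki TLS", "key-exchange", "ECDH", 256, 1),
    CryptoUse("release code signing", "signature", "RSA", 3072, 5),
    CryptoUse("backup archive encryption", "encryption", "AES", 256, 20),
    CryptoUse("PQC pilot service", "key-exchange", "ML-KEM", 768, 10),
]

if __name__ == "__main__":
    for prio, system, reason in migration_plan(SAMPLE_INVENTORY):
        print(f"P{prio}  {system:28s} {reason}")
    print(algorithm_summary(SAMPLE_INVENTORY))
```

Feeding this a real inventory is the part that takes the effort: the records have to come from certificate stores, TLS configurations, VPN profiles, code-signing pipelines, and application code, which is exactly why the article describes the inventory as the first and hardest phase.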

Related Reading

NSM-10 and Federal Government's PQC Mandate

In May 2022, President Biden signed NSM-10 (National Security Memorandum 10), directing federal agencies to develop quantum-resistant cryptography migration plans and prioritize the transition of high-value assets. The NSA subsequently directed defense contractors and national security system operators to begin PQC planning immediately. The US federal government's urgency reflects the intelligence community's assessment of adversary quantum computing programs — specifically, the belief that nation-state adversaries (particularly China) are executing harvest-now-decrypt-later strategies against high-value US government and defense communications. For PE operating partners with defense, aerospace, or government contracting portfolio companies, NSM-10 creates direct regulatory compliance timelines. For all other organizations, it signals the direction of regulatory travel.

10-15 years

The estimated window before cryptographically relevant quantum computers (CRQCs) can break current RSA and ECC encryption at scale, according to NIST and NSA assessments. Nation-state adversaries are collecting encrypted data today — the harvest-now, decrypt-later strategy means the threat window is already open for data with long-term confidentiality requirements.

How Cloudskope Can Help

Cloudskope's Cryptographic Readiness Assessment identifies all cryptographic dependencies in your environment, assesses long-term confidentiality requirements, and provides a prioritized PQC migration roadmap aligned with NIST standards. For PE portfolio companies, we identify which companies in the portfolio face the most immediate harvest-now-decrypt-later exposure and what the migration timeline and investment requirements look like.