Your bank uses encryption. Your email uses encryption. Every time you see the padlock icon in your browser, encryption is protecting you.

That encryption was designed so that breaking it is computationally infeasible, and against classical computers it still is. But quantum computers play by completely different rules, and the public-key math that protects almost everything you do online is expected to collapse against them.

The unsettling part? Attackers aren’t waiting for quantum computers to arrive. They’re stealing your encrypted data right now, storing it, and waiting.

TL;DR

  • Today’s standard public-key encryption and key exchange (RSA, ECC) are mathematically vulnerable to quantum computers; symmetric ciphers such as AES-256 are not meaningfully affected
  • Quantum computers capable of breaking encryption don’t exist yet — but the timeline is ~2030–2035
  • “Harvest now, decrypt later” is already happening: state-level attackers are collecting encrypted traffic today
  • NIST finalized new quantum-safe encryption standards in August 2024 (ML-KEM, ML-DSA, SLH-DSA)
  • Signal, Chrome, and Cloudflare already use post-quantum cryptography
  • If your data needs to stay secret for more than 5–10 years, you need to act now

Why This Matters to You — Even If You’re Not a Security Expert

You don’t need to understand mathematics to understand the stakes.

Think of today’s public-key encryption as a lock whose combination is the answer to a hard math puzzle: for RSA, the two primes hidden inside a 600-digit number. A regular computer running the best known method would need longer than the age of the universe to find them. A quantum computer is often described as “trying every combination at once”, but that is not how it works. Shor’s algorithm exploits the hidden periodic structure of that particular puzzle, turning an impossible search into a calculation that a large enough machine could finish in hours or days. Symmetric ciphers such as AES have no such structure, which is why they survive with at most a doubling of key length.

Every secure website, every encrypted message, every VPN connection relies on this “combination lock” being unbreakable. When that changes, the entire digital infrastructure of modern life becomes vulnerable.

This isn’t science fiction. Governments, intelligence agencies, and major technology companies are spending billions of dollars preparing for this right now. NIST (the US National Institute of Standards and Technology) finalized new quantum-resistant encryption standards in August 2024. The race is on.


The Foundation: How Encryption Works Today

Before we can understand why quantum computers are dangerous, we need to understand what they’d be breaking.

Public-Key Cryptography: The Padlock That Anyone Can Close, But Only You Can Open

Modern encryption relies on a clever mathematical trick. Every secure connection uses two keys:

  • A public key — shared with everyone, like your mailing address. Anyone can use it to lock a message for you.
  • A private key — kept secret, only you have it. Only you can unlock messages locked with your public key.

The most common algorithm doing this is RSA (Rivest–Shamir–Adleman). It’s based on a simple fact: multiplying two large prime numbers together is easy, but factoring the result back into those two primes is computationally hard.

For example: 17 × 19 = 323. Easy. But if someone hands you 323 and asks “which two primes multiply to this?”, that requires work. Now scale that up to a 2048-bit number (about 617 decimal digits), and no classical computer running the best known algorithm could factor it in any useful timeframe.

That’s the lock. It works because factoring big numbers is hard for classical computers.

The Other Common Algorithm: Elliptic Curve Cryptography (ECC)

ECC (Elliptic Curve Cryptography) is the other major standard, used in TLS (HTTPS), SSH, and many modern systems. Instead of factoring, it relies on the difficulty of the “discrete logarithm problem” on elliptic curves — a different mathematical problem, but similarly hard for classical computers.

ECC is in your SSH keys (Ed25519, ECDSA). It is in the TLS handshakes your phone and laptop perform constantly, and in WPA3’s Wi-Fi handshake (the older WPA2-Personal uses no public-key cryptography at all). It is in Signal and WhatsApp, as X25519.

Both RSA and ECC are vulnerable to quantum computers.


Enter Quantum Computing: A Completely Different Kind of Machine

A classical computer stores information as bits — either 0 or 1. Every calculation follows a step-by-step path.

A quantum computer uses qubits, which can exist in a superposition of 0 and 1. Combined with entanglement (qubits whose states are correlated so that they can’t be described independently), this lets a quantum algorithm manipulate an exponentially large space of states at once. That does not mean it “tries every answer in parallel”: the trick is to arrange interference so that wrong answers cancel and the right one is what you measure, and that only works for problems with the right structure.

For breaking encryption, the key algorithm is Shor’s Algorithm (published in 1994). On a sufficiently powerful quantum computer, Shor’s algorithm can factor large numbers, and solve the elliptic curve discrete logarithm problem, in polynomial time. The best classical factoring algorithm known, the general number field sieve, is sub-exponential, so the gap is exponential.

In practical terms: a large, error-corrected quantum computer running Shor’s algorithm could crack RSA-2048 in hours to days. The math that protects your bank connection would become trivial.

But Quantum Computers Don’t Exist Yet… Right?

Correct — for now. Today’s most powerful quantum computers have crossed the 1,000-qubit threshold, but they’re noisy, error-prone, and nowhere near capable of running Shor’s algorithm against real-world encryption.

The long-standing estimate (Gidney and Ekerå, 2019) put RSA-2048 at roughly 20 million noisy physical qubits running for about eight hours; the few thousand logical, error-corrected qubits that Shor’s algorithm actually manipulates are each built from many physical ones. We’re orders of magnitude away from that.

Expert consensus for a cryptographically relevant quantum computer:

  • Conservative estimate: 2030–2035
  • Some analysts: as early as 2028
  • A May 2025 Google Quantum AI paper (Gidney) cut the estimate to under one million noisy qubits running for less than a week, suggesting the timeline may be shorter than previously thought

The window is narrowing.


The Threat That’s Already Here: Harvest Now, Decrypt Later

Here’s the part that most people miss — and it’s the reason this matters today, not in 2030.

What Is “Harvest Now, Decrypt Later”?

Imagine a spy intercepting encrypted letters between two embassies. They can’t read them now — the encryption is unbreakable today. But they photograph every single letter and store them in an archive. Then they wait for the day when the encryption can be broken.

That’s exactly what Harvest Now, Decrypt Later (HNDL) is. State-sponsored attackers are passively intercepting and storing encrypted internet traffic today — banking communications, government emails, military data, corporate secrets — with the intention of decrypting it when quantum computers mature.

Why This Makes the Timeline Irrelevant for Some Data

If you encrypt something today that must remain secret for the next 10–15 years (medical records, legal documents, classified communications, financial data), a quantum computer arriving in 2032 is already a problem for you right now.

The data you protect today determines what’s at risk then.

Attribution of specific HNDL collection is thin by nature: passive interception leaves no trace on the victim, so the concern rests on the known bulk-collection capabilities of state intelligence services, particularly in nation-states with large quantum computing programs. CISA, the NSA and NIST jointly published quantum-readiness guidance in 2023 that names this threat and urges organizations to start their inventories now.


The Solution: Post-Quantum Cryptography (PQC)

Post-quantum cryptography refers to cryptographic algorithms that are designed to be secure against both classical and quantum computers. These aren’t quantum algorithms — they run on today’s hardware. They just use mathematical problems that even quantum computers struggle to solve.

Why Quantum Computers Can’t Break These

The new algorithms rely on mathematical problems in a completely different family than RSA or ECC:

Algorithm family      Based on                        Quantum resistant?
RSA                   Integer factoring               ❌ No (Shor’s algorithm)
ECC                   Elliptic-curve discrete log     ❌ No (Shor’s algorithm)
ML-KEM (Kyber)        Lattice problems (MLWE)         ✅ Yes (no known efficient quantum attack)
ML-DSA (Dilithium)    Lattice problems (MLWE/MSIS)    ✅ Yes
SLH-DSA (SPHINCS+)    Hash functions                  ✅ Yes

Lattice-based cryptography is based on the difficulty of finding short vectors in high-dimensional lattices, and of the closely related Learning With Errors problem: recovering a secret from linear equations that have had small random noise added. Picture trying to find the grid point closest to a target in a tangled web of hundreds of dimensions. No known quantum algorithm solves this efficiently; Shor’s period-finding trick does not apply.

Hash-based signatures rely on the one-way nature of cryptographic hash functions, a completely different mathematical foundation. The best quantum attack known, Grover’s algorithm, gives at most a quadratic speedup, which is absorbed by choosing slightly larger parameters.


NIST’s New Standards: The Official Answers

In August 2024, after an eight-year evaluation process, NIST finalized the first three post-quantum cryptographic standards. These are now Federal Information Processing Standards (FIPS):

FIPS 203 — ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism)

What it does: Establishes shared encryption keys between two parties. This replaces ECDH and RSA key exchange in TLS, VPNs, and other protocols.

Based on: CRYSTALS-Kyber algorithm.

Analogy: Instead of two people agreeing on a secret handshake by exchanging public information (vulnerable to quantum attacks), they use a lattice-based method that’s safe even if a quantum computer watches the entire exchange.

Already deployed: Cloudflare uses ML-KEM in hybrid TLS connections. Chrome 124+ supports it. Signal uses Kyber-1024, the pre-standard version of ML-KEM.


FIPS 204 — ML-DSA (Module-Lattice-Based Digital Signature Algorithm)

What it does: Creates and verifies digital signatures. This replaces ECDSA and RSA signatures used to authenticate websites (TLS certificates), software updates, code signing, and identity verification.

Based on: CRYSTALS-Dilithium algorithm.

Why signatures matter: When your browser downloads a software update, a digital signature proves it came from the real developer and wasn’t tampered with. If signatures can be forged, an attacker could sign malware and your computer would trust it.


FIPS 205 — SLH-DSA (Stateless Hash-Based Digital Signature Standard)

What it does: Another digital signature standard, but based on hash functions rather than lattices. Serves as a backup if lattice cryptography is later found to have weaknesses.

Based on: SPHINCS+ algorithm.

Trade-off: Larger signature sizes than ML-DSA, but relies on completely different mathematics — providing diversity against unknown future attacks.


FIPS 206 — FN-DSA (Falcon) — Coming Soon

NIST is also finalizing FN-DSA based on the Falcon algorithm, which produces much smaller signatures than ML-DSA. Expected finalization in 2026.


What’s Already Implemented (Right Now)

This isn’t theoretical future work. PQC deployment is already underway:

In Your Browser

Chrome (since version 124, April 2024) enabled X25519Kyber768 by default, a hybrid of classical X25519 ECDH with the pre-standard Kyber-768; Chrome 131 (November 2024) switched to X25519MLKEM768, built on the final FIPS 203 ML-KEM. Your Chrome browser is already using post-quantum key exchange for many connections without you knowing.

Firefox ships the same X25519MLKEM768 hybrid, enabled by default since version 132. Safari and Apple devices will support it in iOS 26 and macOS Tahoe 26 (fall 2025).

The “hybrid” approach matters: it combines classical and post-quantum algorithms and derives the session key from both. An attacker has to break both to read the traffic, so if ML-KEM turns out to have an undiscovered weakness, X25519 still protects you, and if a quantum computer breaks X25519, ML-KEM still holds.

In Signal

In September 2023, Signal upgraded to PQXDH (Post-Quantum Extended Diffie-Hellman), adding Kyber-1024 to their key exchange protocol. In October 2025, Signal announced SPQR (Sparse Post-Quantum Ratchet) and the Triple Ratchet — extending post-quantum protection to ongoing message chains, not just initial key exchanges.

If you use Signal (and your contact does too, on current clients), your messages are already protected against harvest-now-decrypt-later attacks by future quantum computers.

WhatsApp also uses the Signal protocol internally, though PQC deployment details there are less transparent.

At Cloudflare

As of early 2024, roughly 2% of TLS 1.3 connections through Cloudflare were using post-quantum cryptography — a number growing rapidly as browser support expands.


The Migration Timeline: What Needs to Happen

The transition from classical to post-quantum cryptography isn’t a single update — it’s a fundamental change to internet infrastructure affecting billions of devices, certificates, and protocols.

Government Deadlines

  • 2025: CISA and NSA must publish quantum-safe product category lists
  • 2027: All new US National Security Systems acquisitions must be CNSA 2.0 compliant (post-quantum)
  • 2030: TLS 1.3+ required across US federal systems
  • 2033: Final mandatory PQC compliance for most National Security Systems
  • 2035: NIST’s transition plan (IR 8547, draft) deprecates quantum-vulnerable algorithms after 2030 and disallows them after 2035 (RSA, ECC effectively end-of-life in federal use)

What Organizations Need to Do

1. Cryptographic inventory — Know where classical cryptography lives in your systems. TLS connections, VPNs, code signing, certificate authorities, hardware security modules, SSH keys, cloud storage encryption. This is often a larger discovery project than expected.

2. Prioritize long-lived data — Data that must remain confidential for 10+ years needs protection now. Medical records, IP, legal documents, government communications.

3. Test hybrid deployments — Start with hybrid classical+PQC implementations (like X25519Kyber768) that give quantum protection without removing classical security as a fallback.

4. Update certificate infrastructure — X.509 certificates (the foundation of HTTPS) will need to migrate to ML-DSA or FN-DSA signatures.

5. Plan for larger key sizes — PQC algorithms have larger keys and signatures than ECC. An ML-KEM-768 public key is 1184 bytes and its ciphertext 1088 bytes; an RSA-2048 public key is 256 bytes, and the X25519 key share that ML-KEM actually sits beside in TLS is 32 bytes. This impacts bandwidth, storage, and performance, especially on constrained devices (IoT, embedded systems), and it pushes a TLS ClientHello past the single-packet size that some middleboxes wrongly assume.


For the Security Professional: What This Changes Technically

TLS 1.3 PQC Hybrid in Practice

The current browser deployment uses X25519MLKEM768 (TLS group codepoint 0x11EC), a hybrid of X25519 ECDH and ML-KEM-768; the earlier X25519Kyber768Draft00 (0x6399) used the pre-standard Kyber. The client sends a single key_share that concatenates an ML-KEM encapsulation key and an X25519 public key; the server responds with an ML-KEM ciphertext and its own X25519 public key (never a shared secret). Both sides then hold two 32-byte secrets, and the TLS 1.3 key schedule runs over their concatenation exactly as it would over a plain (EC)DHE secret.

ClientHello:
  supported_groups: X25519MLKEM768 (0x11EC), x25519, secp256r1, ...
  key_share: [ML-KEM-768 encapsulation key (1184 B) || X25519 public key (32 B)]   = 1216 bytes

ServerHello:
  key_share: [ML-KEM-768 ciphertext (1088 B) || X25519 server public key (32 B)]    = 1120 bytes

Shared secret    = ML-KEM-768 shared key (32 B) || X25519 shared secret (32 B)
Handshake secret = HKDF-Extract(salt, shared secret)    (TLS 1.3 key schedule)

If either component is broken (classically or quantumly), the other still provides security: an attacker needs both 32-byte halves to derive anything.
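The exchange described in this section in working code, as an added example that is not part of the original article and not Chrome’s, Cloudflare’s or any browser’s implementation: a Go program using the standard library’s crypto/mlkem (Go 1.24+) and crypto/ecdh to build the X25519MLKEM768 key shares in the byte order specified by draft-ietf-tls-ecdhe-mlkem and derive the 64-byte hybrid secret on both sides. The type and function names are mine; the TLS 1.3 key schedule that consumes the secret is left out.

```go
package main

import (
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"fmt"
	"slices"
)

// X25519MLKEM768 (TLS 1.3 group 0x11EC, draft-ietf-tls-ecdhe-mlkem) byte layout:
//   client key_share = ML-KEM-768 encapsulation key (1184) || X25519 public key (32)    = 1216 bytes
//   server key_share = ML-KEM-768 ciphertext (1088)        || X25519 public key (32)    = 1120 bytes
//   hybrid secret    = ML-KEM-768 shared key (32)          || X25519 shared secret (32) =   64 bytes
const (
	ClientShareSize = mlkem.EncapsulationKeySize768 + 32
	ServerShareSize = mlkem.CiphertextSize768 + 32
)

func x25519Shared(priv *ecdh.PrivateKey, peer []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer)
	if err != nil {
		return nil, err
	}
	return priv.ECDH(pub)
}

// ClientState holds the client's ephemeral private keys between ClientHello and ServerHello.
type ClientState struct {
	kem *mlkem.DecapsulationKey768
	dh  *ecdh.PrivateKey
}

// ClientKeyShare generates fresh ML-KEM-768 and X25519 keypairs and returns the key_share bytes.
func ClientKeyShare() (*ClientState, []byte, error) {
	kem, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, err
	}
	dh, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &ClientState{kem: kem, dh: dh}, slices.Concat(kem.EncapsulationKey().Bytes(), dh.PublicKey().Bytes()), nil
}

// ServerRespond validates the client key_share, encapsulates to its ML-KEM key, completes X25519 with a
// fresh ephemeral key, and returns the server key_share plus the server's copy of the hybrid secret.
func ServerRespond(clientShare []byte) (serverShare, secret []byte, err error) {
	if len(clientShare) != ClientShareSize {
		return nil, nil, fmt.Errorf("client key_share: got %d bytes, want %d", len(clientShare), ClientShareSize)
	}
	ek, err := mlkem.NewEncapsulationKey768(clientShare[:mlkem.EncapsulationKeySize768])
	if err != nil {
		return nil, nil, err
	}
	dh, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	dhSecret, err := x25519Shared(dh, clientShare[mlkem.EncapsulationKeySize768:])
	if err != nil {
		return nil, nil, err
	}
	kemSecret, ct := ek.Encapsulate()
	return slices.Concat(ct, dh.PublicKey().Bytes()), slices.Concat(kemSecret, dhSecret), nil
}

// Finish validates the server key_share and derives the client's copy of the hybrid secret. A tampered
// ML-KEM ciphertext does not error: implicit rejection yields an unrelated key, the handshake fails later
// at the Finished MAC, and no decryption oracle is exposed here.
func (c *ClientState) Finish(serverShare []byte) ([]byte, error) {
	if len(serverShare) != ServerShareSize {
		return nil, fmt.Errorf("server key_share: got %d bytes, want %d", len(serverShare), ServerShareSize)
	}
	kemSecret, err := c.kem.Decapsulate(serverShare[:mlkem.CiphertextSize768])
	if err != nil {
		return nil, err
	}
	dhSecret, err := x25519Shared(c.dh, serverShare[mlkem.CiphertextSize768:])
	if err != nil {
		return nil, err
	}
	return slices.Concat(kemSecret, dhSecret), nil
}

func main() {
	client, cs, err := ClientKeyShare()
	if err != nil {
		panic(err)
	}
	ss, serverSecret, err := ServerRespond(cs)
	if err != nil {
		panic(err)
	}
	clientSecret, err := client.Finish(ss)
	if err != nil {
		panic(err)
	}
	fmt.Printf("client share %d B, server share %d B\nclient secret %x\nserver secret %x\n", len(cs), len(ss), clientSecret, serverSecret)
}
```

Two things worth noticing when you run it: the total share lengths are checked before slicing, so a truncated key_share is rejected rather than panicking, and a flipped bit in the ML-KEM ciphertext produces no error at all, just a different secret, which is the implicit-rejection behaviour FIPS 203 specifies. A real implementation must also refuse to proceed if either half is missing; a “hybrid” that silently falls back to one component is not a hybrid.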

Signature Migration Complexity

Replacing RSA/ECDSA signatures is harder than replacing key exchange. Signatures appear in:

  • TLS certificates (the chain from root CA to leaf cert)
  • Code signing (OS updates, software packages, drivers)
  • SSH host keys and user keys
  • JWT tokens (if using RS256/ES256)
  • PGP/GPG keys
  • PKI infrastructure (CRLs, OCSP)

ML-DSA signatures are 2420 bytes at the smallest parameter set (ML-DSA-44, security category 2) vs. ECDSA P-256 at 64 bytes. This is a 38× size increase, and the public key grows from 33 bytes to 1312. For high-frequency signing operations or bandwidth-constrained environments, this matters.

FN-DSA (Falcon) will offer smaller signatures (~666 bytes for Falcon-512) but implementation complexity is higher: its Gaussian sampler uses floating-point arithmetic, which is awkward on embedded targets and hard to make constant-time, and it needs high-quality randomness at signing time.

Tools Available Now

# OpenSSL 3.5+ ships ML-KEM, ML-DSA and SLH-DSA natively (no provider needed)
openssl list -kem-algorithms | grep -i ML-KEM
openssl genpkey -algorithm ML-KEM-768 -out mlkem768.pem

# Negotiate the hybrid group against a PQ-enabled server; look for the
# "Negotiated TLS1.3 group: X25519MLKEM768" line in the output
openssl s_client -connect pq.cloudflare.com:443 -groups X25519MLKEM768 < /dev/null

# Older OpenSSL 3.x: load the OQS provider (oqs-provider), where the same
# algorithm appears under its pre-standard name
openssl list -kem-algorithms -provider oqsprovider -provider default | grep -i kyber
openssl genpkey -algorithm kyber768 -provider oqsprovider -provider default

# liboqs - Open Quantum Safe reference implementation
# https://github.com/open-quantum-safe/liboqs

# Test PQC TLS with curl (built against OpenSSL 3.5+; use kyber768 with OQS-OpenSSL)
curl --curves X25519MLKEM768 https://pq.cloudflare.com/

# Go 1.24+ ships ML-KEM in the standard library as crypto/mlkem
# (Go 1.23 only had an internal, non-importable crypto/internal/mlkem768)

CRYSTALS-Kyber (ML-KEM) Security Levels

FIPS variant        NIST security category   Classical equivalent   Public key    Ciphertext / key share   Shared secret
ML-KEM-512          1                        AES-128                800 bytes     768 bytes                32 bytes
ML-KEM-768          3                        AES-192                1184 bytes    1088 bytes               32 bytes
ML-KEM-1024         5                        AES-256                1568 bytes    1568 bytes               32 bytes
X25519 (today)      n/a                      ~128-bit               32 bytes      32 bytes                 32 bytes

For most applications, ML-KEM-768 is the recommended default — security level 3 with reasonable performance characteristics.


What You Can Do Today

If You’re a Regular User

1. Use Signal for sensitive communications. Signal already implements post-quantum cryptography in its key exchange and ratchet protocol. Your messages are protected against harvest-now-decrypt-later attacks.

2. Keep your browser updated. Chrome 124+ already uses hybrid PQC for TLS key exchange automatically. No configuration needed — just stay current.

3. Be cautious about long-lived sensitive documents. If you’re storing documents that must remain confidential for 10+ years, encrypt them with current best practices (AES-256) and plan to re-encrypt with PQC-based tools as they mature.

4. Understand that your VPN traffic today may be recorded. If you rely on a VPN for sensitive communications, ask whether your provider supports PQC — or assume that state-level adversaries may eventually be able to decrypt your traffic history.

If You’re a Security Professional

1. Run a cryptographic inventory. Find every place in your organization that uses RSA or ECC — certificates, SSH keys, VPN configurations, code signing, HSMs, cloud KMS.

2. Prioritize your TLS modernization. Upgrade to TLS 1.3 everywhere as a prerequisite. Most major load balancers and CDNs already support hybrid PQC options.

3. Test ML-KEM in non-production. OpenSSL 3.5+ implements ML-KEM, ML-DSA and SLH-DSA natively, Go 1.24+ ships crypto/mlkem, and the OQS (Open Quantum Safe) project provides liboqs plus an OpenSSL 3 provider and forks of BoringSSL and OpenSSH for everything else. Get familiar now before it’s mandated.

4. Monitor NIST IR 8547. This document defines the official deprecation timeline for classical algorithms. Your compliance framework will eventually require adherence.

5. Consider crypto-agility in new systems. Build systems that can swap cryptographic algorithms without full rewrites. This is the single most important design decision for any new infrastructure today.
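For the inventory step (item 1 of this list and of the organizational checklist above), an added example that is not from the original article or from any project it names: a Go scanner built only on the standard library’s crypto/x509 and encoding/pem. It classifies every certificate in a PEM bundle by public-key and signature algorithm and flags each one as quantum-vulnerable. The two certificates it scans are constructed in-process as throwaway self-signed test data, and the type, field and function names are mine.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one inventory row: a certificate's key and signature algorithm and whether a CRQC breaks them.
type Finding struct {
	Subject    string
	KeyAlg     string // e.g. "RSA-2048", "ECDSA P-256"
	SigAlg     string // e.g. "SHA256-RSA", "ECDSA-SHA256"
	Vulnerable bool   // true for everything Shor's algorithm breaks
	Note       string
}

// Classify maps a certificate's public key type to the hardness assumption behind it. Every key type that
// crypto/x509 parses today rests on factoring or a discrete log, so all are flagged; an ML-DSA certificate
// would currently fail to parse and has to be reviewed by hand.
func Classify(cert *x509.Certificate) Finding {
	f := Finding{Subject: cert.Subject.CommonName, SigAlg: cert.SignatureAlgorithm.String(), Vulnerable: true}
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		f.KeyAlg = fmt.Sprintf("RSA-%d", k.N.BitLen())
		f.Note = "integer factoring; migrate signatures to ML-DSA/FN-DSA, key transport to ML-KEM"
	case *ecdsa.PublicKey:
		f.KeyAlg = "ECDSA " + k.Curve.Params().Name
		f.Note = "elliptic-curve discrete log; a bigger curve does not help against Shor"
	default:
		f.KeyAlg, f.Note = fmt.Sprintf("%T", k), "unrecognised key type; review manually"
	}
	return f
}

// InventoryPEM walks a PEM bundle (chain file, CA store, exported secret) and classifies every
// CERTIFICATE block, skipping private keys and other block types.
func InventoryPEM(bundle []byte) ([]Finding, error) {
	var findings []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		findings = append(findings, Classify(cert))
	}
	return findings, nil
}

// SampleBundle constructs a bundle with one RSA-2048 and one ECDSA P-256 self-signed certificate:
// throwaway test data generated in-process so the example runs offline.
func SampleBundle() ([]byte, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	var bundle []byte
	for i, key := range []crypto.Signer{rsaKey, ecKey} {
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(int64(i + 1)),
			Subject:      pkix.Name{CommonName: fmt.Sprintf("cert-%d.example.test", i+1)},
			NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return bundle, nil
}

func main() {
	bundle, err := SampleBundle()
	if err != nil {
		panic(err)
	}
	findings, err := InventoryPEM(bundle)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-22s %-12s %-13s vulnerable=%v  %s\n", f.Subject, f.KeyAlg, f.SigAlg, f.Vulnerable, f.Note)
	}
}
```

Point InventoryPEM at real chain files, CA stores or exported TLS secrets and feed the findings into a spreadsheet or ticket queue; the signature algorithm column is the one that tells you which issuing CA has to move first. SSH keys, JWT signing keys and HSM-resident keys need their own parsers, which is exactly why the inventory is usually a bigger discovery project than expected.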


The Bigger Picture

Post-quantum cryptography isn’t a niche concern for cryptographers. It’s a scheduled infrastructure upgrade for the entire internet — on a timeline shorter than many organizations’ technology refresh cycles.

The good news: the standards are ready. NIST has done the hard work. The algorithms have been tested for years. Reference implementations exist. Major vendors are deploying.

The challenge is scale. There are billions of devices, millions of certificates, and countless legacy systems that need updating — and most organizations haven’t started their inventories.

The harvest-now-decrypt-later threat makes this urgency real today, not theoretical tomorrow. The data you protect with outdated cryptography today is already in someone’s archive.

The padlock in your browser will keep working. The question is whether it will keep meaning anything.


