
Post-Quantum Cryptography: Why It Matters Now

Quantum computers will break today's encryption. NIST's post-quantum standards, the threat timeline, and what developers should do about it.


When quantum computers become powerful enough, the encryption protecting most of the internet breaks. That sounds like science fiction, but the security industry has been preparing for years. After NIST finalized post-quantum cryptography standards in 2024, this stopped being a distant future problem.

Why Current Encryption Is Vulnerable

RSA and ECC (Elliptic Curve Cryptography) are the backbone of internet security. Both rely on mathematical problems that are computationally hard — for classical computers.

RSA depends on the difficulty of factoring large numbers. Multiplying two big primes is easy; finding those primes from their product is essentially impossible with current hardware. Breaking a 2048-bit RSA key on a classical supercomputer would take longer than the age of the universe.

ECC is similar. It relies on the elliptic curve discrete logarithm problem, which is equally intractable on classical machines.

The problem: quantum computers have algorithms that solve both of these efficiently.

Shor's Algorithm — The Theory Already Exists

In 1994, mathematician Peter Shor published an algorithm that can factor integers and solve discrete logarithm problems in polynomial time on a quantum computer. What takes classical computers billions of years, a quantum computer could finish in hours.

Why hasn't this been a problem since 1994? Because no quantum computer powerful enough to run Shor's algorithm on real-world key sizes exists yet. Breaking RSA-2048 requires thousands of stable logical qubits, and as of 2026, the most advanced quantum computers fall short of that.

But "not yet" doesn't mean "safe."

Harvest Now, Decrypt Later

There's an attack scenario called Harvest Now, Decrypt Later (HNDL). Adversaries intercept and store encrypted data today, planning to decrypt it once quantum computers mature.

Government secrets, military communications, medical records, corporate IP — this data stays sensitive for decades. If nation-state actors are collecting internet traffic in bulk right now (and intelligence agencies certainly have the capability), it could all be cracked at once when quantum computing reaches the threshold.

This is why "quantum computers are still years away" isn't a valid reason to wait. Security transitions take time, so moving early is the only responsible option.

NIST's Post-Quantum Standards

The U.S. National Institute of Standards and Technology started its PQC standardization process in 2016. Starting with 69 complete candidate algorithms (from 82 total submissions), they ran multiple evaluation rounds and published final standards in 2024.

CRYSTALS-Kyber (ML-KEM)

A key encapsulation algorithm. Officially FIPS 203, ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism).

It replaces ECDHE in TLS handshakes. It's based on lattice math problems that are believed to be resistant to quantum attacks.

The downside is key size. ECDHE public keys are 32 bytes; Kyber-768 public keys are 1,184 bytes. But performance is solid — key generation and encapsulation speeds are competitive with current algorithms.

CRYSTALS-Dilithium (ML-DSA)

A digital signature algorithm. FIPS 204, ML-DSA (Module-Lattice-Based Digital Signature Algorithm).

It takes over from RSA and ECDSA for certificate signing, code signing, and document signing. Also lattice-based, sharing mathematical structure with Kyber — which means implementations can be optimized together.

Signature sizes are larger: Dilithium-3 signatures are 3,293 bytes versus ECDSA's 72 bytes. In certificate chains, this size increase can affect handshake performance.

SPHINCS+ (SLH-DSA)

A hash-based signature scheme. FIPS 205, SLH-DSA.

This is the backup standard — insurance in case an unexpected vulnerability is found in lattice-based cryptography. Since it only depends on hash function security, it provides a fundamentally different mathematical foundation.

The tradeoff: much larger signatures and slower speeds. It's a safety net, not the everyday option.

When Is Q-Day?

Experts disagree on when quantum computers will be able to break RSA-2048 — the so-called Q-Day.

Optimistic estimates say 2035-2040. Quantum error correction still has a long way to go, and even with exponential progress, a decade seems necessary.

Pessimistic estimates put it around 2030. IBM, Google, and Microsoft are all publishing aggressive quantum roadmaps, and China's investment in the space is enormous. Unexpected breakthroughs could accelerate timelines.

Either way, the critical point is that security transitions take 5-10 years. Think about how long the SSL-to-TLS migration took, or the SHA-1-to-SHA-256 shift. Starting now is arguably already behind schedule.

What's Already Deployed

Chrome has supported hybrid key exchange with Kyber in TLS handshakes since 2024. Called X25519Kyber768, it combines classical X25519 (ECDHE) with Kyber-768. If either algorithm is broken, the other still provides protection — a safety bridge during the transition.

Signal adopted the PQXDH protocol in 2023 to protect conversations against future quantum threats. Cloudflare and AWS have been expanding PQC support as well.

As of 2026, most modern browsers and major cloud services support hybrid PQC. Users won't notice the difference, but the transition is happening behind the scenes.

What Developers Can Do Now

Nobody needs to replace everything with PQC tomorrow. But a few things are worth addressing now.

Build crypto agility — Don't hardcode encryption algorithms. Design systems so algorithms can be swapped without rebuilding everything. When the time comes to switch, you don't want a six-month refactor.

Update TLS libraries — OpenSSL 3.x, BoringSSL, and other major TLS libraries now support PQC algorithms. Check that you're on current versions and understand what PQC support is available.

Classify data sensitivity — Figure out which data in your organization needs protection for 10+ years. If such data exists, HNDL defense should start sooner rather than later.

Test hybrid mode — Try hybrid key exchange in new projects. Cloudflare and AWS PQC-enabled services make experimentation possible without dedicated infrastructure.

# Check PQC algorithms in OpenSSL 3.x
openssl list -kem-algorithms
openssl list -signature-algorithms
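The hybrid exchange described in "What's Already Deployed" and the "Test hybrid mode" item above, as an added example that is not code from the original post. It assumes Go 1.24 or newer, where ML-KEM-768 (FIPS 203) ships in the standard library as crypto/mlkem, and pairs it with X25519 from crypto/ecdh the way X25519Kyber768 does: the client sends one X25519 public key followed by one ML-KEM encapsulation key, the server answers with its own X25519 public key followed by the ML-KEM ciphertext, and both sides bind the two shared secrets into a single session secret. The function names, the concatenated message layout and the HMAC-based combiner are this example's own choices (TLS feeds the concatenated secrets into its key schedule instead); a real deployment uses the TLS library's built-in hybrid group rather than hand-rolling this.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ClientStart generates both key pairs and returns the key share to send:
// X25519 public key (32 B) || ML-KEM-768 encapsulation key (1,184 B).
func ClientStart() (share []byte, x *ecdh.PrivateKey, dk *mlkem.DecapsulationKey768, err error) {
	x, err = ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	dk, err = mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, nil, err
	}
	share = append(x.PublicKey().Bytes(), dk.EncapsulationKey().Bytes()...)
	return share, x, dk, nil
}

// ServerRespond validates the client's share, derives the server's session secret
// and returns the reply: server X25519 public key (32 B) || ML-KEM ciphertext (1,088 B).
func ServerRespond(share []byte) (reply, secret []byte, err error) {
	if len(share) != 32+mlkem.EncapsulationKeySize768 {
		return nil, nil, errors.New("key share has wrong length")
	}
	clientX, err := ecdh.X25519().NewPublicKey(share[:32])
	if err != nil {
		return nil, nil, err
	}
	ek, err := mlkem.NewEncapsulationKey768(share[32:])
	if err != nil {
		return nil, nil, err
	}
	x, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ssX, err := x.ECDH(clientX)
	if err != nil {
		return nil, nil, err
	}
	ssPQ, ct := ek.Encapsulate() // ML-KEM shared secret and ciphertext
	return append(x.PublicKey().Bytes(), ct...), combine(ssX, ssPQ), nil
}

// ClientFinish validates the reply and recomputes the same session secret.
func ClientFinish(x *ecdh.PrivateKey, dk *mlkem.DecapsulationKey768, reply []byte) ([]byte, error) {
	if len(reply) != 32+mlkem.CiphertextSize768 {
		return nil, errors.New("reply has wrong length")
	}
	serverX, err := ecdh.X25519().NewPublicKey(reply[:32])
	if err != nil {
		return nil, err
	}
	ssX, err := x.ECDH(serverX)
	if err != nil {
		return nil, err
	}
	ssPQ, err := dk.Decapsulate(reply[32:]) // a tampered ciphertext yields a different secret, not an error
	if err != nil {
		return nil, err
	}
	return combine(ssX, ssPQ), nil
}

// combine binds both shared secrets into one session secret. It is this example's own
// combiner (HMAC-SHA256 under a fixed label; TLS uses its key schedule instead). Either
// way an attacker needs BOTH inputs: breaking X25519 alone or ML-KEM alone reveals nothing.
func combine(ssX, ssPQ []byte) []byte {
	mac := hmac.New(sha256.New, []byte("example-x25519-mlkem768-combiner"))
	mac.Write(ssX)
	mac.Write(ssPQ)
	return mac.Sum(nil)
}

func main() {
	share, x, dk, err := ClientStart()
	if err != nil {
		panic(err)
	}
	reply, serverSecret, err := ServerRespond(share)
	if err != nil {
		panic(err)
	}
	clientSecret, err := ClientFinish(x, dk, reply)
	if err != nil {
		panic(err)
	}
	fmt.Println("secrets match:", hmac.Equal(clientSecret, serverSecret),
		"| key-exchange bytes on the wire:", len(share)+len(reply))
}
```

Running it reports whether both sides agree and how much key-exchange material crossed the wire: 32 + 1,184 bytes from the client and 32 + 1,088 bytes from the server, 2,336 bytes in total. Those are exactly the Kyber-768 sizes in the comparison table further down, and that total is the "few extra KB per handshake" the article calls negligible for ordinary web traffic. Note that ML-KEM decapsulation of a tampered ciphertext does not fail loudly; it returns a different secret, so the mismatch only surfaces when the first authenticated record fails to verify, which is why TLS always follows key exchange with a keyed Finished check.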

Performance Impact

Larger PQC keys and signatures do affect performance. TLS handshakes involve more data, adding some latency.

In practice, the impact is smaller than you'd expect. Hybrid key exchange (X25519Kyber768) adds less than 1ms to handshake time. Dilithium signature verification is actually faster than RSA.

A size comparison:

Algorithm              Public key   Signature / ciphertext   Comparison (classical)
Kyber-768              1,184 B      1,088 B (ciphertext)     ECDHE: 32 B
Dilithium-3            1,952 B      3,293 B (signature)      ECDSA: 64 B
SPHINCS+-SHA256-128f   32 B         17,088 B (signature)     RSA-2048: 256 B

The numbers look dramatic, but in typical web environments a few extra KB per handshake doesn't affect user experience. Bandwidth-constrained IoT devices are a different story, but for standard web traffic, the overhead is negligible.

What About AES and SHA?

Quantum computers primarily threaten asymmetric cryptography (RSA, ECC). Symmetric algorithms (AES) and hash functions (SHA) are affected too, but differently.

Grover's algorithm reduces a brute-force symmetric key search to roughly the square root of the classical effort. AES-128's security effectively drops to 64 bits. The fix is simple: use AES-256, which retains 128-bit security post-quantum.

SHA-256 similarly loses half its security strength but maintains 128-bit resistance — still safe for the foreseeable future.

Only asymmetric cryptography needs a full PQC replacement. Symmetric and hash algorithms just need longer key/hash lengths. The entire cryptographic ecosystem doesn't need to be rebuilt from scratch, which is the good news in all of this.

The goal is completing the transition before quantum computers become a real threat. Accepting a small performance overhead now is more rational than delaying and risking exposure on Q-Day. Network speeds and hardware keep improving anyway — PQC overhead will only shrink over time.
