
The Post-Quantum Crisis


Something wonderful happened.

It is 13 August 2024, and the National Institute of Standards and Technology (NIST) has published three new algorithm standards [1]. These standards are the first real attempt to protect our entire digital infrastructure against quantum computers.

Here is what is happening: quantum computers, once large enough, will break the encryption that secures everything today. Michele Mosca estimates a 50% probability that this will happen by 2031, and some experts predict earlier timelines [2]. When that happens, every credit card number, every encrypted email, every state secret will suddenly become readable.

The concerning part is that the threat already exists. Experts warn of “Harvest Now, Decrypt Later” attacks, where intelligence agencies collect encrypted data today to decrypt it later with quantum computers [3].

The Problem is Bigger Than You Think

Cryptography has long been considered a slow field. Algorithms like RSA have lasted for decades. But quantum computers completely change the rules.

In 1994, Peter Shor proved that quantum computers could factor large numbers exponentially faster than classical computers [4]. That was theory. Today, Google, IBM, and others are building real quantum computers. Google’s Willow chip has 105 physical qubits, still orders of magnitude away from the scale needed for cryptographic attacks [5].

Craig Gidney from Google has shown that RSA-2048 could be cracked with approximately one million physical qubits running continuously for about a week. This represents a dramatic reduction from his earlier 2019 estimate of 20 million physical qubits over eight hours [6]. Google itself confirms that Willow “can’t break modern cryptography” due to the massive scale gap [7].

The distinction between physical and logical qubits is crucial. Physical qubits are the actual quantum bits in hardware, but they’re error-prone. Logical qubits are error-corrected versions that require hundreds or thousands of physical qubits each. Current quantum computers like Willow are still in the physical qubit era, far from the fault-tolerant logical qubits needed for cryptographically relevant attacks.

Michele Mosca from the University of Waterloo estimates a 50% chance that our current encryption will be broken by 2031, only seven years away. Large companies need 5-10 years to migrate their systems, creating a dangerous overlap [2].

The New Standards

The NIST standards FIPS 203, 204, and 205 (ML-KEM, ML-DSA, and SLH-DSA) are based on completely different mathematical problems. Instead of prime factorization, they use lattice problems and hash functions, which remain computationally hard even for quantum computers because no polynomial-time quantum algorithms are known for solving them [8].

ML-KEM (formerly CRYSTALS-Kyber) is for key exchange. An RSA-2048 key is 256 bytes. An ML-KEM-768 key is 1,184 bytes. Nearly five times larger.

ML-DSA (formerly CRYSTALS-Dilithium) is for digital signatures. An RSA signature is 256 bytes. An ML-DSA signature can be 3,309 bytes. Thirteen times larger.

SLH-DSA (formerly SPHINCS+) is the conservative option. It’s based only on hash functions, but signatures can be 49,856 bytes. That’s 194 times larger than RSA.

Key Size Comparison (in bytes):

Algorithm        Public Key   Private Key   Signature/Ciphertext
RSA-2048                256           256                    256
ML-KEM-512              800         1,632                    768
ML-KEM-768            1,184         2,400                  1,088
ML-KEM-1024           1,568         3,168                  1,568
ML-DSA-44             1,312         2,560                  2,420
ML-DSA-65             1,952         4,032                  3,309
ML-DSA-87             2,592         4,896                  4,627
SLH-DSA-128s             32            64                  7,856
SLH-DSA-128f             32            64                 17,088

Note: SLH-DSA uses compact 32-byte public keys (derived from a seed) but produces much larger signatures. The “f” (fast) variant is NIST’s recommended choice for long-term applications due to better performance characteristics.

These numbers matter. Larger keys mean more data transmission, more storage space, more computing time. The impact on existing systems is significant.

The signature size increases are particularly problematic for PKI infrastructure, where certificate chains multiply the overhead. A single TLS handshake might involve multiple certificates, amplifying the bandwidth impact well beyond the raw signature sizes. Many enterprises will initially deploy hybrid modes that combine classical and post-quantum algorithms, providing protection against both current and future threats during the transition period.

Why This Affects Everyone

Understanding of post-quantum cryptography isn’t widespread yet, even in the tech industry. Yet awareness of this threat is crucial.

The irony is that the quantum threat is both real and abstract. Real because the physics works—we know Shor’s algorithm can break RSA. Abstract because nobody knows exactly when sufficiently large quantum computers will be available.

This uncertainty makes everything harder. Companies hesitate to start expensive migrations when the threat might be years away. But if they wait until the threat is obvious, it’s too late.

The Costs Are Real

Migration costs vary widely but are significant. Industry estimates suggest large companies may need to spend 50 to 200 million USD, though the global PQC market is projected to reach only 1.88 billion USD by 2029, implying per-company costs may vary dramatically based on complexity and approach [9]. This isn’t just software. It’s hardware, training, testing, coordination with partners.

The complexity of PQC migration goes far beyond simply swapping algorithms. It requires fundamental changes to existing systems, protocols, and infrastructure. Many organizations lack complete inventories of their cryptographic implementations, making migration planning and execution particularly challenging. This discovery phase alone can take months or years for large enterprises with distributed, legacy-heavy environments.

Studies show that 60% of enterprise systems need hardware updates [10]. But the broader context is sobering: large enterprises already spend up to 80% of their IT budgets maintaining legacy systems, and legacy systems cost U.S. companies an estimated 1.14 trillion USD annually in productivity losses [11]. Medical devices, industrial controls, embedded systems—they all use encryption and are hard to update.

The timelines are ambitious but necessary. With Y2K, we knew the exact date. Here we only know the threat is coming.

The Timelines Are Getting Tight

Governments understand the problem. The U.S. NSM-10 requires complete migration by 2035. The UK NCSC has similar timelines: discovery by 2028, critical systems by 2031, everything by 2035 [12].

China, Russia, and others are investing heavily in quantum computers. This is a race, and the winner can spy on everyone else.

A Critical Thinking Perspective

While the quantum threat is real, effective risk assessment requires examining the full picture objectively. The timeline uncertainty creates both urgency and the potential for premature action.

The most fundamental uncertainty is when cryptographically relevant quantum computers (CRQCs) will actually emerge. Current quantum computers like Google’s Willow chip are millions of qubits away from breaking real encryption [5]. The gap between laboratory demonstrations and practical attacks is substantial.

Organizations should carefully assess their specific exposure to quantum threats. A company handling 30-year mortgages faces different risks than one processing daily transactions. Data with long confidentiality requirements (medical records, state secrets) justifies immediate investment. Short-lived data may not require such urgency.
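The overlap described earlier (Mosca’s 2031 estimate against a 5-10 year migration window) and the exposure assessment by data lifetime in this paragraph can be written down as a small triage tool. This is an added example, not code from the article: it applies Mosca’s inequality (shelf life plus migration time versus years until a CRQC) to a constructed inventory, and the asset names, migration times and algorithm sets are assumptions.

```python
"""Mosca-style exposure triage for a cryptographic inventory (added example).
Mosca's inequality: data is at risk when shelf_life (x) + migration_time (y)
exceeds the years until a cryptographically relevant quantum computer (z).
z uses the article's 2031 estimate; migration times are constructed inputs."""
from dataclasses import dataclass
# Shor-breakable algorithms versus the FIPS 203/204/205 families and hybrids.
QUANTUM_VULNERABLE = {"RSA-2048", "ECDHE-P256", "X25519", "ECDSA-P256"}
QUANTUM_SAFE = {"ML-KEM-768", "ML-DSA-65", "SLH-DSA-128s", "X25519+ML-KEM-768"}

@dataclass
class Asset:
    name: str
    algorithm: str
    purpose: str              # "confidentiality" or "authentication"
    shelf_life_years: float   # how long the protected data must stay secret
    migration_years: float    # how long replacing this algorithm would take

def years_until_crqc(now_year: int, crqc_year: int = 2031) -> int:
    """z in Mosca's inequality, from the article's 2031 estimate."""
    return max(crqc_year - now_year, 0)

def triage(asset: Asset, z: float) -> str:
    """Confidentiality uses face harvest-now-decrypt-later, so the data's own
    shelf life counts: at risk when x + y > z. Signatures cannot be forged
    retroactively; they only need migrating before the CRQC: at risk when y > z."""
    if asset.algorithm in QUANTUM_SAFE:
        return "safe"
    if asset.algorithm not in QUANTUM_VULNERABLE:
        return "unknown"  # inventory gap: the discovery work the article describes
    exposure = asset.migration_years
    if asset.purpose == "confidentiality":
        exposure += asset.shelf_life_years
    return "at-risk" if exposure > z else "ok-for-now"

def triage_inventory(assets, now_year: int = 2024) -> dict:
    z = years_until_crqc(now_year)
    return {a.name: triage(a, z) for a in assets}

SAMPLE = [  # constructed sample inventory, not real systems
    Asset("mortgage-archive", "RSA-2048", "confidentiality", 30, 5),
    Asset("daily-tx-tls", "ECDHE-P256", "confidentiality", 1, 5),
    Asset("code-signing", "ECDSA-P256", "authentication", 0, 8),
    Asset("new-vpn", "X25519+ML-KEM-768", "confidentiality", 10, 0),
    Asset("legacy-plc", "CustomCipher", "confidentiality", 15, 10),
]

if __name__ == "__main__":
    for name, verdict in triage_inventory(SAMPLE).items():
        print(f"{name:18} {verdict}")
```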

The implementation landscape presents additional challenges. Many proposed solutions aren’t fully mature. Hybrid implementations (mixing classical and post-quantum algorithms) may be necessary during transition periods. Early adopters will face compatibility issues, performance degradation, and potentially obsolete implementations if standards evolve.
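The hybrid mode mentioned in the PKI paragraph above and again here can be illustrated at the key-derivation step, where both shared secrets feed one session key. This is an added example, not code from the article or from any library: it implements HKDF (RFC 5869) with the standard library and combines a classical and a post-quantum shared secret, using constructed placeholder bytes in place of real X25519 and ML-KEM-768 outputs; binding the transcript in as the salt is this example’s own design choice.

```python
"""Hybrid shared-secret combiner (added example, not from the article).
A hybrid key exchange runs a classical ECDH and an ML-KEM encapsulation and
derives one session key from both shared secrets, so the key stays secret as
long as either component is unbroken. Only the combiner is shown; the two
shared secrets are constructed placeholders, not real ECDH/ML-KEM output."""
import hashlib
import hmac

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with SHA-256 (empty salt means HashLen zero bytes)."""
    return hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def combine_shared_secrets(ss_classical: bytes, ss_pq: bytes,
                           transcript: bytes, length: int = 32) -> bytes:
    """Concatenation combiner: both secrets are the input keying material of
    one HKDF call, and a hash of the handshake transcript (public keys and
    KEM ciphertext) is used as the salt so the key is tied to this exchange."""
    if len(ss_classical) != 32 or len(ss_pq) != 32:
        raise ValueError("expected 32-byte shared secrets")  # X25519 and ML-KEM both give 32
    ikm = ss_classical + ss_pq  # fixed-length parts, so the concatenation is unambiguous
    prk = hkdf_extract(hashlib.sha256(transcript).digest(), ikm)
    return hkdf_expand(prk, b"hybrid-x25519-mlkem768 key", length)

# Constructed placeholder values standing in for real key-exchange outputs.
SS_CLASSICAL = bytes(range(32))
SS_PQ = bytes(range(32, 64))
TRANSCRIPT = b"client_pk||server_pk||kem_ciphertext (constructed)"

if __name__ == "__main__":
    print(combine_shared_secrets(SS_CLASSICAL, SS_PQ, TRANSCRIPT).hex())
```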

Economic realities also demand careful consideration. The estimated migration costs (recall the 50 to 200 million USD figure for large companies) should be weighed against probability-adjusted risk. Spending 100 million USD today to defend against a 30% chance of a 2030 threat may be premature for some organizations, while essential for others.

The optimal approach combines healthy skepticism with prudent preparation: start with cryptographic discovery and planning, but scale investment intensity based on your actual risk profile and timeline requirements.

And What Do the CISOs and CIOs Think?

The executive perspective is telling. Chief Information Security Officers (CISOs) are under unprecedented pressure to demonstrate quantum readiness, with quantum threats becoming a top agenda item for enterprise boards. Many CISOs view this as a massive undertaking that will require the largest global cryptographic transition in computing history—potentially taking 20 years, similar to how long it took AES to completely replace DES and 3DES [13].

From the CIO perspective, the challenge is equally daunting but different. CIOs are grappling with the operational reality that most organizations have legacy systems that weren’t built with crypto-agility in mind [14]. The technical debt is enormous: retrofitting decades-old industrial control systems, medical devices, and embedded hardware that may run for 15-20 years without updates.

CIOs are particularly concerned about solutions that lack PQC transition plans, making procurement policy changes an immediate priority. Unlike other technology transitions, this one has a hard deadline imposed by physics, not business cycles.

Expert Opinions

Vadim Lyubashevsky from IBM, who worked on the new standards: “People have been trying to build post-quantum-secure cryptography for 20 years. This was already a mature field” [15].

But Michele Mosca warns: “The chance of it happening in five, ten, or twenty years is not a risk you can accept. It’s a systematic threat to the global economy” [2].

What You Can Do

If you’re a developer, learn the new algorithms. The NIST standards are publicly available [16]. Libraries like liboqs make implementation easier [17].

If you’re an entrepreneur, develop a post-quantum strategy. Start with an inventory: Where do you use encryption? What needs to be updated?

If you’re an investor, look at companies building solutions. The post-quantum cryptography market is estimated to reach 3.2 billion USD by 2030 [9].

And if you’re like most people and think this doesn’t affect you? Every time you shop online, send an email, or unlock your phone, you’re using encryption. When that breaks, everything breaks.

The Moment Between

The NIST standards are an important step forward. Companies like IBM, Google, and many startups are building migration tools. The problem is solvable, but it requires coordinated effort.

The timeline remains uncertain, but the trend is clear. Quantum computers were theory for decades. Then they became real. Post-quantum cryptography was academic research. Now it’s industry standard.

We’re living in the moment between. Current quantum computers like Willow are still millions of qubits away from cryptographic relevance. But the gap is narrowing, and migration takes years to complete. Organizations with long-lived data or extended system lifecycles face the greatest risk and should begin planning now.

The NIST standards mark a turning point. They’re not perfect, but they provide a foundation for organizations to assess their specific risks and plan accordingly. The key is proportional response, not panic, but not complacency either.


References

  1. NIST Post-Quantum Cryptography FIPS Approved
  2. IBM: Quantum-Safe Cryptography
  3. HP Wolf Security: Anticipating the Quantum Threat to Cryptography
  4. Peter Shor: Algorithms for quantum computation
  5. Google Quantum AI: Meet Willow, our state-of-the-art quantum chip
  6. Google Security Blog: Tracking the Cost of Quantum Factoring
  7. The Verge: Google’s Willow quantum chip can’t break RSA encryption
  8. NIST FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard
  9. Markets and Markets: Post-Quantum Cryptography Market
  10. Booz Allen: From the Frontlines of Post-Quantum Cryptography
  11. RTS Labs: Legacy System Modernization Costs; Red River: Legacy System Modernization
  12. White House: National Security Memorandum 10; UK NCSC: PQC Migration Timelines
  13. IoT World Today: Quantum Cybersecurity in 2025
  14. InfoSec Global: UK NCSC PQC Migration Timeline
  15. IBM Research: Vadim Lyubashevsky Profile
  16. NIST: Post-Quantum Cryptography Standardization
  17. Open Quantum Safe Project