Attackers play the long game. They steal ciphertext today and wait. That tactic, harvest-now-decrypt-later (HNDL), turns long-lived secrets into future breaches. If your records must stay private for years, you face a present problem, not a sci-fi scenario. Ask yourself: which files in your world still need secrecy in 2030 or 2035?
What quantum computers actually break
Shor’s algorithm targets RSA and ECC. When scalable machines arrive, keys that protect TLS, VPNs, and code signing fail. Grover’s algorithm hurts symmetric crypto less; it gives only a quadratic speedup. That’s why AES-256 and SHA-2/-3 still stand strong. Translate that into a plan: replace public-key pieces; keep robust symmetric building blocks. Strategy beats panic.
Standards you can use in 2025
You don’t need custom math. Use post-quantum cryptography (PQC) that’s now standardized:
- FIPS 203 – ML-KEM for key establishment.
- FIPS 204 – ML-DSA for digital signatures.
- FIPS 205 – SLH-DSA (SPHINCS+) for stateless hash-based signatures.
These step in where RSA/ECDSA fall short. Build new systems on them. Plan migrations for old ones.
Timelines shaping real deployments
Defense and national-security buyers push the pace with CNSA 2.0. Their milestones ripple across vendors, clouds, and devices. Watch those dates. They quietly decide when your toolchain, your load balancers, and your firmware must speak PQC.
Transport security during the transition
You can protect traffic today with hybrid TLS 1.3. Combine classical ECDHE (such as X25519) with ML-KEM in one handshake—e.g., X25519MLKEM768, SecP256r1MLKEM768, SecP384r1MLKEM1024. As long as either component remains unbroken, the session key stays safe. Roll hybrids out wherever you terminate TLS, QUIC, or mTLS.
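As an added example (not code from the original post), a Go 1.24+ program that uses the standard library's crypto/ecdh, crypto/mlkem and crypto/hkdf to run the X25519 + ML-KEM-768 exchange that the hybrid groups above combine, then derives one session key from both shared secrets. The concatenation order, the HKDF info label and the key-share layout are this example's own simplifications, not the wire format of the TLS hybrid draft.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must keeps the demo short: any failure (bad key share, bad ciphertext) aborts.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// HybridKey puts both shared secrets through one HKDF run, so breaking only X25519 or only
// ML-KEM leaves an attacker without half of the input keying material. Ordering and info label are this demo's choice.
func HybridKey(ecdhSecret, kemSecret []byte) []byte {
	ikm := append(append([]byte{}, ecdhSecret...), kemSecret...)
	return must(hkdf.Key(sha256.New, ikm, nil, "demo hybrid x25519+mlkem768", 32))
}

// HybridHandshake runs client and server in-process and returns each side's derived key.
func HybridHandshake() (clientKey, serverKey []byte) {
	cEcdh := must(ecdh.X25519().GenerateKey(rand.Reader)) // fresh per connection
	cKem := must(mlkem.GenerateKey768())                  // fresh per connection too
	// Client -> Server: 32-byte X25519 public key || 1184-byte ML-KEM encapsulation key.
	clientShare := append(cEcdh.PublicKey().Bytes(), cKem.EncapsulationKey().Bytes()...)
	// Server: X25519 against the client's key, then encapsulate to the client's ML-KEM key.
	sEcdh := must(ecdh.X25519().GenerateKey(rand.Reader))
	ss1 := must(sEcdh.ECDH(must(ecdh.X25519().NewPublicKey(clientShare[:32]))))
	ss2, ct := must(mlkem.NewEncapsulationKey768(clientShare[32:])).Encapsulate()
	serverKey = HybridKey(ss1, ss2)
	// Server -> Client: 32-byte X25519 public key || 1088-byte ML-KEM ciphertext.
	serverShare := append(sEcdh.PublicKey().Bytes(), ct...)
	// Client: finish X25519, decapsulate the ciphertext, derive the same key.
	cs1 := must(cEcdh.ECDH(must(ecdh.X25519().NewPublicKey(serverShare[:32]))))
	cs2 := must(cKem.Decapsulate(serverShare[32:]))
	return HybridKey(cs1, cs2), serverKey
}

func main() {
	c, s := HybridHandshake()
	fmt.Println("both sides derived the same 32-byte key:", string(c) == string(s))
}
```

The share sizes in the comments (1184-byte encapsulation key out, 1088-byte ciphertext back) are what make the MTU and handshake-size concerns later in this article real.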
Where to start: a practical cutover plan
- Inventory cryptography. Map algorithms, key sizes, libraries, endpoints. Label flows by lifetime and impact. Prioritize anything that must stay secret 5–15 years: patient files, trade secrets, legal archives, long-term contracts, firmware trust chains.
- Adopt crypto agility. Make algorithms swappable. Keep room in X.509, JWT, and SSH for PQC identifiers. Avoid hard-coded curves or OIDs.
- Pilot hybrid first. Pair ML-KEM with your current key exchange. Try ML-DSA or SLH-DSA for signatures on test endpoints. Measure latency, message size, handshake success, and edge failures.
- Upgrade HSM and KMS. Confirm firmware support for PQC, strong entropy, and backup/restore for larger keys. Test OCSP, CT logs, and short-lived cert issuance at scale.
- Rotate code-signing. Move build pipelines to ML-DSA or SLH-DSA. Sign firmware, containers, and packages. Keep a parallel classical signature during overlap to preserve legacy verification.
- Map VPN and email paths. Update IPsec/IKEv2, WireGuard, OpenVPN, S/MIME, and PGP with hybrid or PQC when available. Stage by region and partner risk.
Cloud, mobile, and edge details you shouldn’t skip
- Cloud. Check TLS offload for hybrid suites. Review service meshes (mTLS) and ingress controllers. In microservices, watch handshake sizes and CPU spikes in high fan-out paths.
- Mobile. Measure battery and radio impact from larger handshakes. Cache session tickets. Trim certificate chains.
- Edge/IoT. Track MTU limits and path MTU discovery. Bigger keys stress spotty links. Prefer compact parameter sets when possible. Schedule over-the-air updates for crypto stacks long before cutover.
What stays the same and what changes
You still rotate keys. You still log handshakes. You still test fail-open risks. You now manage bigger artifacts, stricter inventories, and dual stacks for a while. Treat the transition like any major migration: milestones, owners, budgets, dashboards. Small wins compound.
Area | One-line takeaway | Do now (copy-paste) | Terms to track |
---|---|---|---|
HNDL risk | Attackers hoard ciphertext now; decrypt later. | Tag data that must stay private 5–15 years; prioritize those flows. | HNDL, data lifetime |
What breaks | Shor kills RSA/ECC at scale; Grover barely dents AES-256/SHA-2/-3. | Plan to replace public-key pieces; keep strong symmetric crypto. | RSA, ECC, AES-256, SHA-3 |
PQC standards | Use FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA). | Require PQC support in new builds; schedule legacy migrations. | PQC, ML-KEM, ML-DSA, SLH-DSA |
Timelines | CNSA 2.0 drives adoption across vendors and clouds. | Align internal milestones to CNSA dates; brief leadership monthly. | CNSA 2.0, roadmap |
Transport (now) | Ship hybrid TLS 1.3 to protect sessions today. | Enable suites: X25519MLKEM768, SecP256r1MLKEM768, SecP384r1MLKEM1024. | TLS 1.3, QUIC, mTLS |
Crypto agility | Swap algorithms without rewrites. | Add pluggable crypto; reserve OIDs in X.509/JWT/SSH. | Agility, OIDs, profiles |
HSM/KMS | Bigger keys and new ops need firmware support. | Verify PQC APIs; test entropy, backup/restore, OCSP/CT throughput. | HSM/KMS, OCSP, CT logs |
Code signing | Sign firmware and builds with PQC. | Add ML-DSA or SLH-DSA; keep a parallel classical signature during overlap. | Supply chain, SBOM |
VPN & email | Upgrade tunnels and mail security. | Stage IPsec/IKEv2, WireGuard, OpenVPN, S/MIME/PGP with hybrid/PQC. | Suites, certificate size |
Cloud | Offload points must speak hybrid. | Check ingress, service mesh (mTLS); watch handshake CPU. | Load balancers, sidecars |
Mobile | Larger handshakes hit battery and radio. | Cache tickets; trim chains; measure power per session. | Tickets, chain length |
Edge/IoT | MTU limits break large packets. | Test PMTUD; pick compact params; plan OTA crypto updates. | MTU, OTA |
Governance | Auditors want proof, not promises. | Maintain a live inventory; track SP 800-131A dispositions. | Inventory, evidence |
Bottom line | Replace public-key plumbing steadily. | Start with long-lived secrets; deploy hybrid; document everything. | Program metrics |
Governance and proof
Auditors want receipts. Maintain a living inventory of algorithms, key lengths, libraries, endpoints, and expiration dates. Track SP 800-131A dispositions—acceptable, deprecated, legacy, disallowed—as guidance evolves. Tie the PQC program to your risk register and board updates. Evidence builds trust.
Questions to ask every vendor
Which PQC algorithms do you support today? How do you implement hybrid key exchange? What is your plan for certificate chains with PQ signatures? Do your HSMs and SDKs expose stable APIs for ML-KEM / ML-DSA / SLH-DSA? What are the latency and size deltas at peak load? How long will you support parallel classical validation?
Glossary for busy teams
PQC, ML-KEM (CRYSTALS-Kyber), ML-DSA (CRYSTALS-Dilithium), SLH-DSA (SPHINCS+), CNSA 2.0, Hybrid TLS 1.3, X25519MLKEM768, Crypto agility, HSM/KMS, X.509, OCSP, QUIC, DNSSEC, BGP RPKI, WebAuthn/FIDO2, S/MIME, IPsec/IKEv2, JWT, CT logs.
Bottom line
Quantum threats matter because data outlives today’s keys. You don’t need a moonshot. You need steady replacement of public-key plumbing. Start with long-lived secrets. Ship hybrid where you can. Prove crypto agility in production. Keep symmetric primitives strong. Document every step. That path keeps your data safe in 2025 and still safe when scalable quantum arrives.