The Evidence Pack: How Global Infrastructure is Migrating to Post-Quantum Cryptography
With quantum computers poised to break classical encryption within a decade, a massive, coordinated effort is underway to upgrade the internet's cryptographic foundations. Here is the evidence driving the transition to post-quantum security.
By Factlen Editorial Team
- Federal Security Agencies: prioritizing immediate compliance and strict timelines to protect national security data.
- Enterprise Security Leaders: focusing on the operational friction and architectural complexity of the migration.
- Quantum Researchers: tracking the hardware milestones and mathematical foundations of the quantum threat.
What's not represented
- Legacy Software Maintainers
- Consumer Hardware Manufacturers
Why this matters
The encryption protecting your bank accounts, medical records, and national infrastructure will eventually be broken by quantum computers. The successful deployment of these new standards ensures that global digital security will survive the quantum leap.
Key points
- Quantum computers will eventually break the classical encryption that secures the modern internet.
- Adversaries are already stealing encrypted data to decrypt it when quantum hardware matures.
- NIST finalized the first three post-quantum cryptography standards in August 2024.
- Federal mandates require U.S. agencies to migrate to quantum-resistant algorithms by 2035.
- The transition requires massive infrastructure overhauls due to larger cryptographic key and signature sizes.
- Organizations are adopting 'hybrid cryptography' to safely transition without downgrading current security.
For decades, the security of the global internet has rested on a mathematical assumption: that certain problems, like factoring a number that is the product of two massive primes, are simply too difficult for computers to solve. This assumption underpins the RSA and elliptic curve cryptography (ECC) algorithms that protect everything from banking transactions to classified military communications. But the rapid advancement of quantum computing is turning that assumption into an expiration date. A sufficiently powerful quantum machine—known as a cryptographically relevant quantum computer (CRQC)—running Shor's algorithm will be able to break these foundational encryption methods entirely. The threat is no longer a theoretical physics problem; it is an engineering reality with a shrinking timeline.[4][5]
The urgency of the transition is driven by a specific, ongoing threat known as "Harvest Now, Decrypt Later" (HNDL). Adversaries and nation-state actors are currently intercepting and storing vast quantities of encrypted data. While they cannot read this data today, they are stockpiling it with the expectation that a future quantum computer will unlock it. This fundamentally alters the risk calculus for national security and enterprise leaders. If a piece of data—such as a weapons schematic, a diplomatic cable, or a long-term financial instrument—needs to remain secret for twenty years, it is already vulnerable if it is transmitted over classical encryption today.[6][8]
The global response to this threat reached a definitive turning point in August 2024. After an exhaustive eight-year evaluation process that began with 82 candidate submissions from cryptographers worldwide, the National Institute of Standards and Technology (NIST) finalized the first three post-quantum cryptography (PQC) standards. This milestone marked the official end of the research phase and the beginning of the deployment phase. Organizations that depend on public-key cryptography—which encompasses virtually every modern digital enterprise—now have the concrete mathematical tools required to secure their infrastructure against both classical and quantum attacks.[1][7]
Claim 1: The primary cryptographic standards are finalized and ready for deployment. The cornerstone of the new NIST framework is FIPS 203, which standardizes the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM). Derived from the CRYSTALS-Kyber submission, ML-KEM is designed to replace the Diffie-Hellman and elliptic curve key exchanges currently used to establish secure connections in protocols like TLS. When a user's browser connects to a secure website, a key encapsulation mechanism is what allows the two parties to agree on a shared secret without exposing it to eavesdroppers. ML-KEM relies on the hardness of lattice problems, for which no efficient algorithm is known, classical or quantum.[1][7]

Alongside key exchange, the digital signatures that authenticate identities and verify software integrity must also be upgraded. NIST addressed this with FIPS 204, standardizing the Module-Lattice-Based Digital Signature Algorithm (ML-DSA). Because security planning requires contingencies, NIST also finalized FIPS 205 (SLH-DSA), a stateless hash-based signature scheme. While lattice-based cryptography is highly efficient, SLH-DSA relies on entirely different mathematical foundations, serving as a conservative fallback. If a future cryptanalytic breakthrough were to compromise lattice assumptions, the hash-based alternative ensures that the global digital infrastructure does not suffer a single point of cryptographic failure.[1][6]
Claim 2: Hardware milestones are accelerating the timeline for quantum risk. Estimating exactly when a CRQC will come online—often referred to as "Q-Day"—is inherently uncertain, but the window is narrowing. A March 2026 report from Forrester Research assessed that practical quantum utility is feasible within five years, characterizing Q-Day as a plausible risk by 2030. This assessment is grounded in recent, tangible hardware achievements. IBM has successfully demonstrated its 1,121-qubit Condor processor, while Google's Willow chip has achieved below-threshold error correction, a critical prerequisite for fault-tolerant quantum operations.[4][5]
However, the precise arrival date of Q-Day is secondary to the immediate risk management imperative. This is formalized in Mosca's Theorem, an inequality that states: if the time your data must remain secure, plus the time it takes to migrate your systems, is greater than the time until a quantum computer is built, your system is already compromised. Because migrating the cryptographic foundations of a massive enterprise can take a decade, and sensitive data often requires decades of confidentiality, the risk is present today. Federal guidance explicitly urges organizations to begin migration immediately, regardless of the uncertainty surrounding exact hardware timelines.[6][8]
Claim 3: Federal mandates are forcing immediate, structured action. The United States government has recognized PQC migration as a critical national security priority. National Security Memorandum 10 (NSM-10), signed in 2022, mandates the most significant cryptographic transformation in federal history. It establishes a hard deadline of 2035 for widespread adoption of post-quantum cryptography across all federal systems. This directive acknowledges that CRQCs pose a direct threat to the public-key systems protecting both classified and unclassified government data, creating a legal and operational framework that agencies must follow.[3][8]
For the most sensitive networks, the timeline is even more aggressive. The National Security Agency's Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) provides a concrete implementation schedule for National Security Systems. Under this framework, software and firmware signatures must transition to the new ML-DSA standard by 2027. Networking and key establishment protocols must adopt ML-KEM by 2030. By 2033, the exclusion of legacy, quantum-vulnerable algorithms must be complete. These strict deadlines are forcing defense contractors and technology vendors to accelerate their PQC roadmaps to remain eligible for federal procurement.[3][8]

The Cybersecurity and Infrastructure Security Agency (CISA) is coordinating this massive effort across civilian agencies and critical infrastructure sectors. The first, and arguably most difficult, step mandated by the Office of Management and Budget is a comprehensive cryptographic inventory. Organizations cannot protect what they do not know they have. CISA has directed agencies to deploy automated discovery tools to map every algorithm, key length, certificate authority, and cryptographic library hidden within their networks. This macro-level assessment allows the government to identify where the greatest quantum risks reside and prioritize migration efforts accordingly.[2][8]
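The inventory step and Mosca's inequality from the preceding paragraphs come together in the following added example (it is not code from the article, CISA or NIST). It takes a constructed inventory of the kind an automated discovery tool would emit, classifies each algorithm family's quantum exposure, and applies X + Y > Z (data shelf life plus migration time against the years until a CRQC) to rank what must migrate first. Every asset record, key size and year figure is constructed for illustration; the five-year horizon mirrors the article's "plausible by 2030" assessment.

```python
"""Cryptographic inventory triage using Mosca's inequality (added example)."""
from dataclasses import dataclass

# Exposure classes. Public-key schemes built on factoring or discrete logarithms
# fall to Shor's algorithm; symmetric ciphers only lose margin to Grover's search;
# the FIPS 203/204/205 schemes are designed to resist both.
QUANTUM_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "Ed25519"}
QUANTUM_WEAKENED = {"AES-128", "3DES"}
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA", "AES-256", "SHA-256", "SHA-384"}

PRIORITY_RANK = {"critical": 0, "high": 1, "medium": 2, "review": 3, "none": 4}


@dataclass
class Asset:
    name: str
    algorithm: str           # algorithm family as reported by the discovery tool
    key_bits: int
    shelf_life_years: float  # X: how long the protected data or signed artifact must stay trustworthy
    migration_years: float   # Y: estimated time to replace this asset's cryptography


def exposure(algorithm: str) -> str:
    """Classify an algorithm family; unknown families are flagged, never assumed safe."""
    if algorithm in QUANTUM_BROKEN:
        return "broken"
    if algorithm in QUANTUM_WEAKENED:
        return "weakened"
    if algorithm in QUANTUM_SAFE:
        return "safe"
    return "unknown"


def mosca_margin(asset: Asset, years_to_crqc: float) -> float:
    """X + Y - Z: a positive margin means the data outlives the migration window."""
    return asset.shelf_life_years + asset.migration_years - years_to_crqc


def priority(asset: Asset, years_to_crqc: float) -> str:
    exp = exposure(asset.algorithm)
    if exp == "safe":
        return "none"
    if exp == "unknown":
        return "review"
    if exp == "weakened":
        return "medium"
    # Shor-vulnerable: critical if Mosca's inequality already holds, otherwise high.
    return "critical" if mosca_margin(asset, years_to_crqc) > 0 else "high"


def triage(assets, years_to_crqc):
    """Return (name, priority, mosca_margin) rows, most urgent first."""
    rows = [(a.name, priority(a, years_to_crqc), mosca_margin(a, years_to_crqc)) for a in assets]
    return sorted(rows, key=lambda r: (PRIORITY_RANK[r[1]], -r[2]))


# Constructed inventory; Z = 5 years follows the article's "plausible by 2030" horizon.
SAMPLE_INVENTORY = [
    Asset("vpn-gateway", "ECDH", 256, shelf_life_years=10, migration_years=2),
    Asset("firmware-signing", "RSA", 3072, shelf_life_years=3, migration_years=3),
    Asset("public-web-cert", "ECDSA", 256, shelf_life_years=1, migration_years=1),
    Asset("session-cache", "AES-128", 128, shelf_life_years=1, migration_years=1),
    Asset("legacy-erp-lib", "libcustom", 0, shelf_life_years=5, migration_years=4),
    Asset("backup-archive", "AES-256", 256, shelf_life_years=15, migration_years=1),
]

if __name__ == "__main__":
    for name, prio, margin in triage(SAMPLE_INVENTORY, years_to_crqc=5):
        print(f"{name:18} {prio:9} Mosca margin {margin:+.0f} yr")
```

Two design choices matter for a real inventory: an algorithm the tool cannot name is routed to "review" rather than silently treated as safe, and a Shor-vulnerable asset whose margin is already positive is ranked above one that merely needs replacing eventually, because under Mosca's inequality the former is already exposed to Harvest Now, Decrypt Later.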
Claim 4: The migration is structurally complex and requires fundamental architectural shifts. Transitioning to post-quantum cryptography is not a simple software update or a one-to-one algorithm swap. Unlike the historical transitions from SHA-1 to SHA-2, or from TLS 1.2 to TLS 1.3, the move to PQC introduces significant operational friction. The new algorithms require larger parameter sizes, more computational overhead, and unprecedented coordination across the global technology ecosystem. Hardware security modules (HSMs), load balancers, and embedded IoT devices with 15-year lifecycles must all be evaluated and potentially replaced to support the new standards.[1][7]
The most immediate technical challenge is the dramatic expansion in signature sizes. For example, the recommended security level for the new ML-DSA standard produces digital signatures that are approximately 3,309 bytes. In contrast, the current ECDSA P-256 standard produces signatures of just 64 bytes—a fifty-fold increase. This massive expansion impacts bandwidth-constrained environments, high-volume signing operations, blockchain systems, and secure boot chains. Network engineers must redesign protocols to accommodate these larger payloads without introducing unacceptable latency or breaking legacy systems that enforce strict packet size limits.[1]
To manage this complexity and mitigate the risk of implementation flaws in the new standards, the industry is adopting a "hybrid cryptography" approach. During the transition period, systems will not simply abandon classical encryption. Instead, they will run a classical algorithm (like elliptic curve) and a post-quantum algorithm (like ML-KEM) simultaneously. For an attacker to compromise the connection, they would need to break both the classical mathematics and the new lattice-based cryptography. This hybrid model provides a vital safety net, ensuring that security is not inadvertently downgraded while the new standards are battle-tested in the wild.[6][7]
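The hybrid model described above can be made concrete with a secret combiner, shown here as an added example that is not code from the article or from any TLS library. The classical (X25519) and post-quantum (ML-KEM-768) shared secrets are concatenated and passed through an HKDF-style extract/expand, so the session key is recoverable only by an attacker who breaks both. The two component secrets are constructed placeholder bytes; no real X25519 or ML-KEM operation is performed. Component lengths follow RFC 7748 (32-byte X25519 output) and FIPS 203 (32-byte ML-KEM shared secret); the concatenation order, the zero salt and the info label are simplifying assumptions rather than the exact TLS 1.3 key schedule.

```python
"""Hybrid key-exchange secret combiner (added example)."""
import hashlib
import hmac

ML_KEM_768_SS_LEN = 32  # FIPS 203 shared secret length
X25519_SS_LEN = 32      # RFC 7748 output length


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_session_key(pq_ss: bytes, classical_ss: bytes, transcript_hash: bytes, length: int = 32) -> bytes:
    """Derive one session key that depends on both component secrets."""
    if len(pq_ss) != ML_KEM_768_SS_LEN or len(classical_ss) != X25519_SS_LEN:
        raise ValueError("component shared secret has wrong length")
    # RFC 7748 allows rejecting an all-zero X25519 output (low-order peer point);
    # a hybrid combiner must not let a degenerate classical share pass silently.
    if classical_ss == bytes(X25519_SS_LEN):
        raise ValueError("degenerate classical shared secret")
    combined = pq_ss + classical_ss  # assumed order: ML-KEM part first, then X25519
    prk = hkdf_extract(salt=bytes(32), ikm=combined)
    return hkdf_expand(prk, b"hybrid session key" + transcript_hash, length)


# Constructed inputs standing in for real key-exchange outputs.
PQ_SS = hashlib.sha256(b"constructed ML-KEM-768 shared secret").digest()
CLASSICAL_SS = hashlib.sha256(b"constructed X25519 shared secret").digest()
TRANSCRIPT = hashlib.sha256(b"constructed handshake transcript").digest()


def demo():
    """Both peers holding the same component secrets reach the same key; an
    attacker who has recovered only the classical half does not."""
    client_key = hybrid_session_key(PQ_SS, CLASSICAL_SS, TRANSCRIPT)
    server_key = hybrid_session_key(PQ_SS, CLASSICAL_SS, TRANSCRIPT)
    wrong_pq = hashlib.sha256(b"constructed attacker guess").digest()
    attacker_key = hybrid_session_key(wrong_pq, CLASSICAL_SS, TRANSCRIPT)
    return client_key == server_key, attacker_key != client_key


def rejects_degenerate_share() -> bool:
    """True if an all-zero classical share is refused rather than combined."""
    try:
        hybrid_session_key(PQ_SS, bytes(X25519_SS_LEN), TRANSCRIPT)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), rejects_degenerate_share())
```

The point of running both secrets through a key derivation function rather than, say, XORing them is that the output is a pseudorandom function of the whole concatenation: a break of the lattice scheme alone leaves the attacker without the X25519 contribution, and vice versa, which is exactly the "must break both" property the transition relies on.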

Beyond the immediate implementation of FIPS 203, 204, and 205, the ultimate goal of the transition is to achieve "crypto-agility." Historically, cryptographic algorithms have been hardcoded deep into software applications, making them incredibly difficult to locate and replace. The PQC migration is forcing enterprises to decouple their cryptography from their core application logic. By building crypto-agile architectures, organizations ensure that when future algorithms are deprecated or compromised, they can swap in new standards via centralized policy controls rather than embarking on another decade-long engineering overhaul.[6][7]
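The crypto-agility pattern described above, as an added example that is not code from the article or from any vendor product: every protected artifact carries an algorithm identifier, all algorithm choices live in one policy object, and rotating to a new algorithm is a policy change rather than a code change. HMAC-SHA-256 and HMAC-SHA3-256 stand in for the real pair the text has in mind (an ECDSA-style signature today, ML-DSA tomorrow) so that the example runs on the standard library alone; the keys, identifiers and policy phases are constructed.

```python
"""Crypto-agile integrity tags driven by a central policy (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Registry: algorithm id -> (tag function, key). In a real deployment the entries
# would wrap signature implementations behind the same produce/verify interface,
# which is what lets a policy swap them without touching application code.
REGISTRY = {
    "hmac-sha256": (lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
                    hashlib.sha256(b"constructed key 1").digest()),
    "hmac-sha3-256": (lambda key, msg: hmac.new(key, msg, hashlib.sha3_256).digest(),
                      hashlib.sha256(b"constructed key 2").digest()),
}


@dataclass
class Policy:
    produce_with: str                                  # the only algorithm allowed for new artifacts
    verify_allowed: set = field(default_factory=set)   # algorithms still accepted on verification


def protect(payload: bytes, policy: Policy) -> bytes:
    """Produce an artifact laid out as alg-id || 0x00 || tag, so the verifier never guesses."""
    if policy.produce_with not in policy.verify_allowed:
        raise ValueError("policy inconsistent: produce_with must also be verifiable")
    tag_fn, key = REGISTRY[policy.produce_with]
    return policy.produce_with.encode() + b"\x00" + tag_fn(key, payload)


def verify(artifact: bytes, payload: bytes, policy: Policy) -> bool:
    """Accept only algorithms the current policy still allows; fail closed otherwise."""
    alg_id, sep, tag = artifact.partition(b"\x00")
    alg = alg_id.decode(errors="replace")
    if not sep or alg not in policy.verify_allowed or alg not in REGISTRY:
        return False  # unknown, sunset or malformed: reject
    tag_fn, key = REGISTRY[alg]
    return hmac.compare_digest(tag_fn(key, payload), tag)


# Three constructed policy phases of one migration.
PHASE_LEGACY = Policy("hmac-sha256", {"hmac-sha256"})
PHASE_TRANSITION = Policy("hmac-sha3-256", {"hmac-sha256", "hmac-sha3-256"})
PHASE_SUNSET = Policy("hmac-sha3-256", {"hmac-sha3-256"})


def rotation_walkthrough():
    """Artifacts produced under the old policy keep verifying during the
    transition, new artifacts already use the new algorithm, and after sunset
    the old algorithm is refused without any change to protect() or verify()."""
    payload = b"constructed firmware image"
    old = protect(payload, PHASE_LEGACY)
    new = protect(payload, PHASE_TRANSITION)
    return {
        "old_verifies_in_transition": verify(old, payload, PHASE_TRANSITION),
        "new_uses_new_alg": new.startswith(b"hmac-sha3-256\x00"),
        "old_rejected_after_sunset": verify(old, payload, PHASE_SUNSET),
        "tampered_rejected": verify(new, payload + b"!", PHASE_TRANSITION),
    }


if __name__ == "__main__":
    for step, result in rotation_walkthrough().items():
        print(f"{step:28} {result}")
```

Two details carry the agility: the artifact names its own algorithm, so verifiers can accept a mixed population during the transition window, and the verifier consults the policy rather than trusting that identifier blindly, so a deprecated algorithm can be switched off centrally even though old artifacts still declare it.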
The success of this global migration ultimately depends on the commercial vendor ecosystem. Federal mandates have created the demand, but enterprise security leaders must enforce it through procurement. Organizations are increasingly requiring that vendor product roadmaps include explicit commitments to FIPS 203, 204, and 205 compliance, backed by contractual service-level agreements. Vendors who cannot provide a credible, timeline-bound PQC roadmap are being classified as migration risks. This market pressure is accelerating the integration of quantum-resistant algorithms into the commercial off-the-shelf software that powers the modern economy.[4]
The transition to post-quantum cryptography represents one of the most ambitious and proactive security initiatives in the history of the internet. Rather than waiting for a catastrophic breach to force action, the global cryptographic community, standards bodies, and national security agencies have collaborated to solve a civilization-scale vulnerability before it can be exploited. While the engineering challenges are immense and the migration will take years to complete, the foundational tools are now in place. The digital infrastructure of the future is actively being fortified against the quantum horizon.[4][9]
How we got here
- 2016: NIST announces a public call for post-quantum cryptographic algorithm submissions.
- May 2022: The White House issues NSM-10, setting a 2035 deadline for federal PQC migration.
- Sep 2022: The NSA releases CNSA 2.0, detailing strict migration timelines for National Security Systems.
- Aug 2024: NIST finalizes the first three PQC standards: FIPS 203, 204, and 205.
- 2027: Deadline for National Security Systems to transition software signatures to ML-DSA.
- 2035: Final deadline for all federal systems to complete the transition to quantum-resistant cryptography.
Viewpoints in depth
Federal Security Agencies
Prioritizing immediate compliance and strict timelines to protect national security data.
Agencies like the NSA and CISA view the quantum threat as an active, present-day crisis due to 'Harvest Now, Decrypt Later' campaigns. Their primary focus is enforcing strict mandates like NSM-10 and CNSA 2.0, which require immediate cryptographic inventories and hard deadlines for algorithm replacement. They argue that waiting for perfect hardware timelines is a catastrophic risk, and that national security systems must adopt hybrid cryptography immediately to protect data with decades-long secrecy requirements.
Enterprise Security Leaders
Focusing on the operational friction and architectural complexity of the migration.
For corporate Chief Information Security Officers (CISOs) and infrastructure architects, the PQC transition is less about theoretical physics and more about massive operational friction. They emphasize the structural difficulty of the migration, noting that the 50x increase in signature sizes will break legacy network protocols and bandwidth-constrained IoT devices. This camp advocates for 'crypto-agility'—re-architecting systems so that algorithms can be swapped dynamically without tearing out core infrastructure—and heavily pressures vendors to deliver compliant updates.
Quantum Researchers
Tracking the hardware milestones and mathematical foundations of the quantum threat.
The academic and research community focuses on the tangible engineering progress of quantum processors, such as IBM's Condor chip and Google's error-correction milestones. While they acknowledge the inherent uncertainty in predicting exactly when a fault-tolerant CRQC will arrive, they emphasize that the mathematical proofs behind Shor's algorithm are sound. They also advocate for maintaining diverse cryptographic approaches, such as hash-based signatures (SLH-DSA), as a hedge in case the primary lattice-based algorithms are ever compromised by unforeseen mathematical breakthroughs.
What we don't know
- The exact year a Cryptographically Relevant Quantum Computer (CRQC) will become operational ('Q-Day').
- Whether future cryptanalytic breakthroughs might discover vulnerabilities in the new lattice-based mathematical assumptions.
- How quickly the commercial vendor ecosystem will fully integrate the new standards into legacy enterprise software.
Key terms
- Cryptographically Relevant Quantum Computer (CRQC): a quantum computer with enough stable qubits and error correction to break current encryption standards like RSA and ECC.
- Shor's Algorithm: a quantum algorithm that can efficiently solve integer factorization and discrete logarithm problems, rendering classical public-key cryptography useless.
- Key Encapsulation Mechanism (KEM): a cryptographic technique used by two parties to securely establish a shared secret key over a public channel.
- Crypto-Agility: the architectural ability of a system to rapidly switch out cryptographic algorithms without requiring massive overhauls to the underlying software or infrastructure.
- Hybrid Cryptography: the practice of using both a classical algorithm and a post-quantum algorithm simultaneously to protect data during the transition period.
Frequently asked
What is Q-Day?
Q-Day is the theoretical future date when a quantum computer becomes powerful enough to break the public-key cryptography that currently secures the internet.
What is a 'Harvest Now, Decrypt Later' attack?
It is a strategy where adversaries intercept and store encrypted data today, intending to decrypt it years later once they possess a sufficiently powerful quantum computer.
What are the new NIST standards?
In August 2024, NIST finalized FIPS 203 for key exchange, FIPS 204 for digital signatures, and FIPS 205 as a hash-based fallback signature scheme.
Why is the transition to PQC so difficult?
Post-quantum algorithms require significantly larger key and signature sizes, which can disrupt legacy network protocols, bandwidth-constrained devices, and long-standing hardware infrastructure.
Sources
[1] National Institute of Standards and Technology (NIST): Post-Quantum Cryptography Standardization (viewpoint: Federal Security Agencies)
[2] Cybersecurity and Infrastructure Security Agency (CISA): Post-Quantum Cryptography Initiative (viewpoint: Federal Security Agencies)
[3] National Security Agency (NSA): NSM-10 Promotes U.S. Leadership in Quantum Computing, Mitigates Risks (viewpoint: Federal Security Agencies)
[4] Cloud Security Alliance: The Post-Quantum Migration Imperative (viewpoint: Enterprise Security Leaders)
[5] Forrester Research: State Of Quantum Computing, 2026 (viewpoint: Quantum Researchers)
[6] Open Security Architecture: Architecture pattern for migrating enterprise cryptographic infrastructure (viewpoint: Enterprise Security Leaders)
[7] Evertrust: PQC: A Practical Guide for Security Leaders (viewpoint: Enterprise Security Leaders)
[8] Qtonic Quantum: NSM-10 Compliance: What Federal Agencies Need by 2035 (viewpoint: Quantum Researchers)
[9] Factlen Editorial Team: Synthesis by Factlen editorial team