Post-quantum cryptography: The encryption upgrade you can't see but desperately need

Your bank connection is encrypted. Your messaging app uses end-to-end encryption. Your password manager stores everything behind encryption. All of it relies on mathematical problems that today's computers can't solve in any reasonable timeframe.
Quantum computers change that calculation.
Not today. Not next year. But eventually, quantum computers will break the public-key cryptography that protects most of the internet. The timeline is uncertain , researchers estimate anywhere from 10 to 30 years before a cryptographically relevant quantum computer exists , but the threat is real enough that NIST has already standardized post-quantum cryptographic algorithms, and major tech companies have started deploying them.
This isn't science fiction. It's infrastructure replacement happening right now, mostly invisible to you, but critical to the security of everything you do online.
The quantum threat is about harvesting now, decrypting later
Quantum computers don't make all encryption obsolete. They specifically threaten public-key cryptography , the asymmetric encryption that protects your HTTPS connections, authenticates software updates, and secures email.
Here's the mechanism: public-key cryptography relies on mathematical problems that are easy in one direction but hard in reverse. RSA encryption, for example, depends on the difficulty of factoring large numbers. Elliptic curve cryptography relies on the discrete logarithm problem. Classical computers take thousands of years to solve these problems for sufficiently large keys.
Quantum computers running Shor's algorithm can solve both problems in polynomial time. That's not just faster , it's a fundamental shift from infeasible to trivial.
The immediate risk isn't that someone will decrypt your bank session tomorrow. The immediate risk is that adversaries are capturing encrypted traffic today, storing it, and waiting for quantum computers powerful enough to decrypt it later. This "harvest now, decrypt later" strategy makes sense for any data with long-term value: state secrets, medical records, financial transactions, personal communications.
If your encrypted data matters in 15 years, it's vulnerable now.
What post-quantum cryptography actually is
Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to resist attacks from both classical and quantum computers. These aren't quantum algorithms , they run on today's hardware. They're classical algorithms built on mathematical problems that remain hard even for quantum systems.
NIST spent eight years evaluating submissions from cryptographers worldwide, testing them against known attacks, analyzing performance, and stress-testing the math. In 2024, NIST standardized four algorithms:
CRYSTALS-Kyber for key encapsulation. This is the algorithm that will replace RSA and Elliptic Curve Diffie-Hellman for establishing secure connections. It's based on lattice problems , imagine trying to find the shortest path through a multidimensional grid where each point connects to many others. Quantum computers offer no meaningful advantage in solving these problems.
CRYSTALS-Dilithium for digital signatures. This replaces RSA and ECDSA signatures used to verify software authenticity, sign documents, and authenticate messages. Also lattice-based.
SPHINCS+ as a backup signature scheme. Hash-based signatures, mathematically simpler than lattice schemes but with larger signature sizes. The fallback if lattice-based signatures encounter unexpected vulnerabilities.
FALCON as an alternative signature scheme, also lattice-based but optimized for situations where signature size matters more than signing speed.
These algorithms solve the same problems as RSA and elliptic curves , key exchange and digital signatures , but they rely on different mathematical foundations. The security doesn't come from quantum mechanics. It comes from choosing problems that quantum computers can't shortcut.
The math behind lattice-based cryptography
Lattice-based cryptography builds on the Learning With Errors (LWE) problem. Here's the simplified version:
Imagine a system of linear equations where each equation has been corrupted by adding a small random error. Given enough equations, you can usually solve for the unknowns by averaging out the errors. But if the errors are chosen carefully, and the system is large enough, finding the exact solution becomes computationally infeasible.
The LWE problem asks: given a set of approximate linear equations, can you find the original values before the errors were added?
Classical computers struggle with this. Quantum computers don't do much better. The best known quantum algorithms for LWE offer only modest speedups , not the exponential advantage Shor's algorithm provides for factoring.
Kyber and Dilithium build cryptographic schemes on top of structured variants of LWE, using polynomial rings to make the math more efficient. The details get dense fast, but the core insight is simple: these problems remain hard even when you throw quantum computing at them.
The tradeoff is size. Post-quantum keys and signatures are larger than their classical equivalents. A Kyber public key is around 1,184 bytes compared to 294 bytes for an elliptic curve key. A Dilithium signature is around 2,420 bytes compared to 64 bytes for ECDSA. That's manageable for most applications, but it matters for constrained devices and high-throughput systems.
The migration is already happening
You won't install post-quantum cryptography yourself. It's happening in software updates, operating system patches, and protocol upgrades.
Google Chrome started experimenting with post-quantum key exchange in 2023. Apple added post-quantum cryptography to iMessage in 2024. Signal followed shortly after. These aren't pilot programs , they're production deployments protecting real user traffic.
The transition follows a hybrid approach: systems use both classical and post-quantum algorithms during the migration period. Your browser negotiates a connection using both X25519 (elliptic curve) and Kyber (lattice-based). If either algorithm gets broken, the other still protects the session. This buys time to respond to unexpected cryptanalytic advances without leaving users exposed.
CISA published guidance in 2024 recommending that federal agencies begin inventorying systems that use public-key cryptography and planning migration timelines. The recommendation isn't "wait and see." It's "start now, because this takes years."
The complexity isn't in the algorithms themselves. It's in the infrastructure. Every certificate authority needs to support post-quantum certificates. Every TLS library needs to implement the new key exchange. Every code-signing tool needs to generate post-quantum signatures. Every hardware security module needs firmware updates. And all of this has to happen without breaking backward compatibility with systems that haven't upgraded yet.
That's why the migration started before quantum computers pose an immediate threat. By the time a cryptographically relevant quantum computer exists, the internet needs to have already moved to post-quantum cryptography.
What breaks and what doesn't
Quantum computers threaten asymmetric cryptography. Symmetric cryptography , AES, ChaCha20, and similar algorithms , remains secure with larger key sizes.
Here's the distinction: symmetric encryption uses the same key for encryption and decryption. You and I share a secret key, and we both use it to encrypt and decrypt messages. The security comes from keeping that key secret.
Asymmetric encryption uses two keys: a public key anyone can know, and a private key only you control. I encrypt a message with your public key; only your private key can decrypt it. The security comes from the mathematical relationship between the keys being one-way: easy to go from private to public, infeasible to reverse.
Quantum computers break the one-way property of RSA and elliptic curves. They don't break the secrecy of symmetric keys.
Grover's algorithm provides a quantum speedup for brute-force search, effectively halving the security level of symmetric encryption. AES-128 becomes roughly as strong as AES-64 against a quantum computer. The fix is simple: use AES-256 instead of AES-128. That's it. No algorithm replacement needed.
Password hashing also survives. Algorithms like Argon2 and bcrypt remain secure because they're built on symmetric primitives and designed to be computationally expensive. Quantum computers don't change the fundamental difficulty of password cracking , they just make it slightly faster, and the defense is the same: use longer, more complex passwords and increase iteration counts.
What breaks: HTTPS key exchange, digital signatures, certificate authorities, PGP email encryption, SSH keys, code signing, blockchain signatures, and anything else relying on RSA, DSA, or elliptic curve cryptography.
What doesn't break: AES-encrypted files, password managers, disk encryption, VPN tunnels (once the initial key exchange switches to post-quantum), and symmetric authentication schemes.
The Severance problem: trusting infrastructure you can't see
In Severance, employees undergo a procedure that splits their consciousness between work and personal life. Inside the office, they have no memory of the outside world. Outside, they have no memory of what happens at work. The system depends on trusting that the separation is real, that the infrastructure works as described, even though neither version of you can verify it.
Post-quantum cryptography operates on a similar trust model. You can't see the encryption. You can't audit the math yourself. You depend on infrastructure maintained by organizations you'll never interact with, using algorithms you'll never inspect, protecting data you can't verify is actually protected.
The difference is transparency. The cryptographic community operates openly. NIST's post-quantum standardization process was public. Researchers worldwide analyzed the algorithms, published attacks, and forced revisions. The final standards emerged from years of adversarial collaboration, not corporate secrecy.
That's the mechanism that makes trust possible. You don't need to understand lattice-based cryptography to benefit from it. You need to trust that the process selecting it was rigorous, transparent, and adversarial. The same process that gave us AES, SHA-3, and the cryptographic primitives securing the internet today.
But the trust isn't blind. If a flaw emerges in Kyber or Dilithium, the hybrid deployment model means classical algorithms still protect the connection. If a breakthrough in quantum computing happens faster than expected, researchers will know because the academic community tracks progress openly. If an implementation vulnerability appears, CISA and other agencies publish advisories.
The infrastructure is invisible, but it's not opaque. The question is whether you're comfortable with that level of abstraction , trusting systems you can't directly verify, maintained by experts you'll never meet, protecting you from threats that don't exist yet.
Why this matters now when quantum computers don't
The timeline disconnect is the hardest part to communicate. Quantum computers capable of breaking RSA don't exist. They might not exist for decades. So why is the migration happening now?
Three reasons:
Harvest now, decrypt later. Adversaries with long-term interests are already capturing encrypted traffic. Medical records, financial data, state secrets, and personal communications encrypted today could be decrypted in 15 years when quantum computers mature. The data you're protecting isn't just valuable now , it's valuable for as long as it remains sensitive.
Infrastructure takes time. Cryptographic migration isn't a software update. It's replacing the foundation of how the internet establishes trust. Certificate authorities need to issue post-quantum certificates. Browsers need to support them. Servers need to deploy them. Hardware security modules need firmware updates. Legacy systems need compatibility layers. This process takes years, and it has to finish before quantum computers arrive, not after.
Unknown unknowns. Cryptographic standards assume adversarial analysis, but they can't predict every attack. Deploying post-quantum cryptography now gives the research community time to find weaknesses while classical algorithms still provide backup protection. Waiting until quantum computers exist means deploying untested algorithms under pressure with no fallback.
The threat model isn't "quantum computers break everything tomorrow." It's "we need post-quantum infrastructure in place before quantum computers exist, and building that infrastructure takes longer than we'd like."
What you actually need to do
For most people: nothing.
Post-quantum cryptography will arrive through the same mechanism that delivered every other security improvement , automatic updates to browsers, operating systems, and apps. You won't configure it. You won't choose algorithms. You'll just benefit from it.
If you run an organization, the calculus changes. You need to inventory systems that use public-key cryptography, identify which vendors have published post-quantum migration plans, and start testing compatibility. CISA's guidance recommends prioritizing systems that handle long-term sensitive data or depend on digital signatures for authentication.
If you're a developer, you need to follow library updates and understand how your dependencies are handling the transition. Most cryptographic libraries already support post-quantum algorithms experimentally. The question is when they become the default and how your code needs to change.
If you're genuinely paranoid about long-term data security, you can start using post-quantum encryption now. Signal and iMessage already support it. Some VPN providers offer post-quantum key exchange. But for most threat models, this is overkill. The hybrid deployment model means you're already getting post-quantum protection alongside classical algorithms.
The biggest mistake is assuming this doesn't matter because quantum computers don't exist yet. The second biggest mistake is panicking because quantum computers will eventually exist. The reality is boring: infrastructure is being upgraded, standards are being deployed, and the transition is happening on a timeline measured in years, not months.
The uncertainty that remains
Post-quantum cryptography isn't a solved problem. It's a bet on mathematical hardness.
Lattice-based cryptography has been studied for decades, but it hasn't faced the same level of adversarial scrutiny as RSA or elliptic curves. Cryptanalytic techniques improve. Unexpected mathematical breakthroughs happen. The algorithms NIST standardized are the best available options based on current knowledge, but "current knowledge" is a moving target.
That's why NIST is already running a second round of post-quantum standardization, focusing on alternative mathematical approaches. Hash-based signatures, code-based cryptography, and multivariate cryptography offer different security assumptions. If lattice-based schemes encounter unexpected vulnerabilities, these alternatives provide fallback options.
The hybrid deployment model also hedges this uncertainty. By using both classical and post-quantum algorithms during the transition, systems remain secure even if one approach fails. It's defense in depth applied to cryptographic infrastructure.
The other uncertainty is quantum computing itself. Progress has been slower than early predictions suggested. Building a cryptographically relevant quantum computer requires maintaining quantum coherence across millions of qubits while performing billions of operations with near-perfect accuracy. Every research milestone reveals new engineering challenges.
But uncertainty cuts both ways. A breakthrough in error correction or qubit stability could accelerate timelines dramatically. Cryptographic infrastructure can't be built reactively. It has to be in place before the threat materializes, which means acting on incomplete information.
The migration to post-quantum cryptography is happening now because waiting for certainty means waiting too long.
Post-quantum cryptography is the least visible, most critical security upgrade happening on the internet right now. You won't see it. You won't configure it. But over the next several years, the mathematical foundation protecting your connections, your messages, and your data will quietly shift to algorithms designed to resist computers that don't exist yet.
The transition is boring, technical, and essential. It's infrastructure work , the kind that only becomes visible when it fails. And if the migration succeeds, you'll never notice it happened at all.

