September 2025
EXECUTIVE SUMMARY: Cryptography as we know and use it today is under threat from quantum computing, a new technology that promises computers operating on entirely different principles. Should a cryptographically-relevant quantum computer [footnote 1] be built—if such a thing doesn't already exist—it will be able to break today's most popular cryptographic algorithms literally overnight. Urgent action is needed to understand the threat and migrate to safe encryption algorithms before it is too late.
Post-quantum cryptography is a field that changes at a fast pace. We will keep this guide up to date as the situation develops; check for updates from time to time.
Quantum computers will break cryptography
Quantum computing is on the way, and cryptography is expected to be severely impacted. Not everything will be equally affected, but some of our most critical primitives—public key cryptography—will be completely broken. Shor's algorithm, which requires a quantum computer to run, will break the currently most popular primitives, for example RSA and elliptic curve encryption, and the Diffie-Hellman key exchange [footnote 2]. Another, Grover's algorithm, is thought to be effective against symmetric encryption and hashing, but on a much smaller scale, making it less dangerous. These algorithms were devised in 1994 and 1996, respectively.
1) We sometimes emphasize the cryptographically-relevant part because quantum computers already exist, but they're not yet able to break cryptography. In the remainder of this text, whenever we mention a quantum computer, we mean a cryptographically-relevant quantum computer, or a CRQC.
2) A key exchange is a cryptographic protocol that allows two or more parties to securely establish a shared secret key over an insecure communication channel. This shared key can then be used to protect their subsequent communications.
Who will be affected by quantum computers?
High-profile organizations with significant intellectual property and anyone handling state secrets are the likely first targets. If you belong to this high-risk group, you are not only affected, but you have to act immediately. This is probably not news to you, because chances are you are already engaged in intense cyberwarfare using conventional means; quantum computers are just another thing to worry about.
Everyone will be affected, although not at the same timescale. In the long term, when quantum computers become commonly available, today's cryptography may be completely insecure against even less capable adversaries. For now, however, it's a question of risk management. You will need to ask yourself three questions:
- Do you have secrets you'll need to protect for decades?
- Are you a likely target?
- When are you likely to be targeted?
Is quantum-safe cryptography being developed?
The US National Security Agency (NSA) kicked off the migration to post-quantum cryptography with an update to NSA Suite B Cryptography [footnote 3] in August 2015. The US National Institute of Standards and Technology (NIST) officially started its project in 2016, with a focus on working with the cryptographic community and organizing competitions to find the best quantum-safe algorithms.
3) NSA Suite B Cryptography was a set of cryptographic algorithms promoted by the NSA to use for protecting both unclassified and most classified information within U.S. government systems. In 2018, Suite B was replaced with the Commercial National Security Algorithm Suite (CNSA).
In October 2020, NIST standardized two stateful hash-based signature algorithms, LMS and XMSS. These are specialist-use algorithms whose security is derived from the properties of cryptographic hash functions. They were chosen first because the underlying concepts were well understood. Because they require careful state management, these algorithms are suitable for lower-volume and higher-value use cases, for example code signing.
In August 2024, NIST standardized the next batch of new primitives, designed for general-purpose applications:
- ML-KEM. Formerly known as CRYSTALS-Kyber, it's a new standard for key encapsulation (a new and improved mechanism for key exchange).
- ML-DSA. Formerly known as CRYSTALS-Dilithium, it's a new standard for digital signatures.
- SLH-DSA. Formerly known as Sphincs+, it's a new standard for digital signatures. Based on different mathematics, it's intended as a backup for ML-DSA.
More standards are expected to follow:
- FN-DSA. Formerly known as FALCON, it's a new standard for digital signatures. Currently expected to be adopted as a standard in 2025.
- Additional signature schemes are being evaluated, with the next steps expected in 2026.
- HQC. A backup algorithm for ML-KEM, based on different mathematics, it was selected for standardization in March 2025. The process is expected to be completed in 2027.
Separately, the International Organization for Standardization (ISO) is considering the Classic McEliece and FrodoKEM algorithms, both for key encapsulation. These two are seen as more conservative and thus safer than the algorithms adopted by NIST.
Many of the post-quantum algorithms are brand new, which means that not enough time has been available to test their robustness. Because we need to act quickly, algorithms based on different underlying maths have been selected for diversity and backup. If they survive, the acronyms from this section will become as familiar as RSA, ECDSA, DH, and ECDHE are today.
Another possibility is to proceed with hybrid designs, which incorporate classical and post-quantum cryptography primitives in the same package. In this way, a failure of a brand new post-quantum primitive won't reduce security past what we already have today.
In TLS 1.3, a hybrid key exchange called X25519MLKEM768, based on a combination of ECDHE and ML-KEM algorithms, has been adopted (or is being adopted) by all major browsers and some early adopters server-side. It's currently protecting significant amounts of Internet traffic.
X.509 certificates will be more difficult to update, mainly because the new post-quantum algorithms use signatures that are considerably longer. If we transitioned with a simple change of algorithms, it is thought that TLS handshakes would take ten times more network traffic. This is seen as excessive for use by browsers, although it may be acceptable in private Public Key Infrastructures (PKIs). Updating the Internet and Web PKIs [footnote 4], in particular, will be challenging due to their deeply decentralized nature.
4) These are standards that deal with authentication across public networks. Loosely speaking, Internet PKI refers to all network communication except that used by browsers, where the term Web PKI is more appropriate.
Some of the leading messaging platforms—for example, Apple and Signal—have already updated their protocols to defend against quantum computers. As users, we only need to update our apps to the latest releases to take advantage of the improvements.
Many other standards are currently under development by IETF working groups. There are a variety of challenges involved with the transition. For example, the new algorithms will have different performance characteristics and space requirements, which may, in some circumstances, require protocols to be redesigned. It will take time for the conversations to take place and, after that, for the new standards to make their way into libraries and software.
Although many countries are aligned around NIST, ISO is pursuing a separate standardization path, as are some countries such as China, Russia, and South Korea.
How long do I have to implement quantum-safe cryptography?
Ephemeral (short-term) use of public key encryption is still safe and will remain safe until we observe a breakthrough. And, even then, it is expected that it will take some time until the new technology becomes widely available.
Unfortunately, if you're in the urgent category, it may already be too late. That's one of the main reasons for everyone to hurry with the transition. To understand why, consider the following scenarios:
- Powerful adversaries can capture your encrypted data today. Although they can't break it yet, they can wait patiently until a quantum computer becomes available, then break the encryption to uncover your secrets. This attack is often referred to as "harvest now, decrypt later" or, if you prefer, "store now, decrypt later". State actors have a history of recording network traffic for analysis. In the past that meant plaintext and metadata, but encrypted traffic is recorded too. Some important encrypted traffic—for example email—is relatively small in volume and might be captured today so that it is decrypted at a later date. In 2021, analysts at Booz Allen Hamilton, a consulting firm, published a report claiming that Chinese threat groups have started to record encrypted traffic as early as 2020. Google has been protecting its internal network traffic with post-quantum cryptography since 2022. Encrypted backups are another obvious target. So are centralized cryptographic architectures where breaking a central key might unlock a deep hierarchy of encryption keys.
- Digital signatures created today have to remain in use for decades. Although these signatures are secure today, they may become worthless some years later. Take contracts, for example. Using a quantum computer, someone could, in the future, forge a document signed with today's cryptography in a way that's indistinguishable from the original. Or they could repudiate the digital signature [footnote 5]. Long-term private keys and code signing also fall in this category.
- Physical systems that are difficult or expensive to update. There are some platforms, for example industrial Internet-of-things (IoT) devices, that are deployed with an expected lifetime measured in years and even decades. They might be difficult, expensive, or simply impossible to update. For example, post-quantum algorithms could have different performance requirements that cannot be fulfilled by the available hardware. Such devices may become vulnerable in the subsequent years.
For most organizations, it is recommended to start working on the mitigations as soon as possible. Small organizations might be able to move faster, but in complex environments the transition is estimated to take anywhere from 5 to 10 years. In addition, many governments have published migration timelines; you should check with yours to see whether you are affected and what steps you need to follow.
5) Repudiate is a technical term that's often used in cryptography. One of the main purposes of digital signatures is to support non-repudiation, which means we can build a system in which one of the participants can't deny taking a specific action or sending a message.
What should I do to get ready for post-quantum cryptography?
Your first step should be to gather sufficient information to perform a risk assessment and determine if, for you, post-quantum migration requires urgent action. Depending on the size of your organization, this could be a fair amount of work. More likely than not, you'd benefit from performing a quick and shallow initial exercise to understand the scope of the entire task better. The process should include the following steps:
- Inventory data: find every type of data under your control, stored either on your premises or handled by third parties. Understand the data and their sensitivity.
- Inventory cryptographic assets: interview your developers and DevOps personnel to uncover your cryptographic assets, such as encryption keys, certificates, and cryptographic primitives. Trawl your systems and monitor your network traffic to uncover useful signals.
- Inventory suppliers: make a list of third parties that handle your data on your behalf. You will want to communicate your post-quantum needs to them early in the process.
- Inventory applicable regulations: find all laws and regulations that apply to you. Make note of the requirements and timelines.
- Assess risk: establish how much risk you're exposed to. Establish if you're where you need to be, and what gaps exist.
You will be in the urgent category if you're handling the type of sensitive data that might be of interest to state actors. When deciding, take into account the type of data you're holding as well as how long it needs to stay protected. Anything related to state secrets, military activity, cryptocurrencies, and high-value intellectual property will fall into this group. If you're looking at timeframes beyond ten years, you're definitely in the urgent category. If you're providing services to other organizations, chances are that you're going to need to act sooner rather than later.
As you go through the discovery process, it's likely that you will find out that you are not prepared well enough to deal with this situation. Most organizations are not. You can take this opportunity to improve your processes in the following areas:
- Asset management: keep constant track of what needs protecting, from whom, and for how long.
- Cryptographic governance: establish policies, processes, and controls that ensure the proper use and management of cryptographic keys and algorithms. Map them to the assets.
- Cryptographic discovery and inventory: establish policies, processes, and controls that ensure you always have an up-to-date inventory of your cryptographic assets, such as encryption keys and algorithms.
- Cryptographic agility: establish policies, processes, and controls that ensure that, when you discover inadequate controls in the previous step, you know how to act quickly to remediate.
Once you have a sufficient understanding of your environment, you can focus on the specific technical details, which we outline in the next section.
Technical advice for post-quantum migration
By now, governments of larger countries have all released their advice for post-quantum migration. Although there are some differences among what is recommended, there is a rough consensus about what needs to happen and when:
- Start to plan and triage immediately.
- Commence migration as soon as possible or by 2026.
- Complete high priority work by 2030.
- Complete all migration work by 2035.
On the technical side, the advice is as follows:
- Adopt standardized post-quantum cryptography as it becomes available.
- Phase out RSA, EC, DH, and ECDH public key algorithms.
- Upgrade to 256-bit symmetric encryption (e.g., AES-256).
- Upgrade to 384-bit hash functions.
There is an active discussion about whether hybrid approaches (combinations of old and new algorithms) are a necessary intermediary step or something we can continue to use in perpetuity. Some organisations, such as the NSA, seem to have confidence in post-quantum cryptography and argue that the increased complexity of combining approaches is not worth it in the long run.
Cryptographic agility
Cryptographic agility is the ability to rapidly and easily switch between cryptographic algorithms and primitives without disrupting operations. Conversations about post-quantum migration often discuss cryptographic agility, mostly because this is the first time in history that such a big shift is happening. Also, there is an expectation that we will need to do this again in the future.
Cryptography is a new field; public key cryptography is barely fifty years old. It's reasonable to expect that what we learn in the future will impact the security of the cryptographic systems of today. With the post-quantum shift, there is a feeling that we're entering a new era of uncertainty, and that we need to achieve agility in order to stay ahead of our adversaries.
Cryptographic discovery and inventory
Cryptographic discovery is the first necessary step to building an inventory of cryptographic assets, which is in itself a necessary step to achieve cryptographic agility. Some aspects of the inventory management can be automated, but some will require manual work, which will be much slower.
Cryptographic discovery largely relies on good tooling. For public infrastructure, this usually means monitoring of vast amounts of global data to detect relevant cryptographic assets. Red Sift Certificates is designed for this exact purpose. It's built to monitor global public infrastructure and build an inventory of customer domains, subdomains, certificates, and networks. The discovery process is automated and operates continuously. Public services running anywhere on the detected infrastructure are continuously inspected to determine their configuration, including the cryptographic aspects such as protocols, cipher suites, key exchange, private key algorithms, and certificates. The result is a comprehensive and always up-to-date inventory of public cryptographic assets, with little work beyond the initial configuration. A quick deployment of Red Sift Certificates provides near-instant visibility into your public post-quantum posture.
When it comes to internal network communication, some information can be obtained via network traffic monitoring, which may be able to provide some information about negotiated protocols and associated cryptographic parameters. Unless already in place, deploying comprehensive network traffic monitoring is a large project in itself.
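One concrete signal that network traffic monitoring can extract is the key exchange groups and cipher suites a client offers in its TLS ClientHello, which tells you whether the X25519MLKEM768 hybrid from the TLS section is in play and whether the AES-256/SHA-384 suite from the technical advice is offered. The following added example (not Red Sift's or any project's code) parses a ClientHello and maps the offered parameters onto that advice; the sample ClientHello is constructed in the block, and the group and suite codepoints are taken from the IANA TLS registries.

```python
import struct

# IANA TLS codepoints. 0x11EC is X25519MLKEM768, the hybrid named in the text;
# 0x6399 is the pre-standard X25519Kyber768Draft00 codepoint early deployments used.
GROUP_NAMES = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519",
               0x11EC: "X25519MLKEM768", 0x6399: "X25519Kyber768Draft00"}
PQ_HYBRID_GROUPS = {0x11EC, 0x6399}
SUITE_NAMES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
               0x1303: "TLS_CHACHA20_POLY1305_SHA256"}
EXT_SUPPORTED_GROUPS = 10

def build_client_hello(suites, groups):
    """Build a minimal TLS 1.3 ClientHello record (constructed test input, not a capture)."""
    ext_body = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    ext = struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(ext_body)) + ext_body
    body = (b"\x03\x03" + bytes(32)                      # legacy_version, random
            + b"\x00"                                    # empty session_id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                # compression_methods: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big")   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake + body)) + handshake + body

def parse_client_hello(record):
    """Return the cipher suites and supported groups offered in a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9 + 2 + 32                       # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                 # session_id
    n = struct.unpack_from("!H", record, pos)[0]; pos += 2
    suites = [struct.unpack_from("!H", record, pos + i)[0] for i in range(0, n, 2)]; pos += n
    pos += 1 + record[pos]                 # compression_methods
    ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]; pos += 2
    groups = []
    while pos < ext_end:                   # walk the extension list
        etype, elen = struct.unpack_from("!HH", record, pos); pos += 4
        if etype == EXT_SUPPORTED_GROUPS:
            glen = struct.unpack_from("!H", record, pos)[0]
            groups = [struct.unpack_from("!H", record, pos + 2 + i)[0] for i in range(0, glen, 2)]
        pos += elen
    return {"suites": suites, "groups": groups}

def assess(info):
    """Map the offered parameters onto the migration advice: PQ hybrid KEX, AES-256/SHA-384."""
    return {"pq_hybrid_kex": any(g in PQ_HYBRID_GROUPS for g in info["groups"]),
            "aes256_sha384": 0x1302 in info["suites"],
            "groups": [GROUP_NAMES.get(g, hex(g)) for g in info["groups"]],
            "suites": [SUITE_NAMES.get(s, hex(s)) for s in info["suites"]]}

if __name__ == "__main__":
    hello = build_client_hello([0x1301, 0x1302], [0x11EC, 0x001D, 0x0017])
    print(assess(parse_client_hello(hello)))
```

On real traffic, feed the first record of each captured client flow to parse_client_hello; a flow that offers no group in PQ_HYBRID_GROUPS is a candidate for the inventory's migration backlog.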
The remainder of the work is to discover the aspects that cannot be detected from the outside, meaning understanding internal system architecture and trawling the source code repositories to understand where cryptography is used and establish where the related cryptographic assets, such as encryption keys, are stored.