The Quantum Threat
Quantum computers running Shor's algorithm solve integer factoring and discrete logarithms in polynomial time. That breaks RSA, finite-field Diffie-Hellman and every elliptic-curve scheme (ECDH, ECDSA, Ed25519). Once a large-scale, fault-tolerant quantum computer exists, today's public-key cryptography offers no protection at all.
Harvest Now, Decrypt Later: adversaries record encrypted traffic today and decrypt it once a quantum computer is available. Data that must stay confidential for years needs post-quantum protection NOW. Key exchange is the urgent part, because a recorded handshake can be broken retroactively; signatures only need to be migrated before the machine exists, since a forgery has to happen while the signature is still trusted.
NIST Standards (2024)
ML-KEM (Kyber): Key Exchange
Key encapsulation based on lattices (FIPS 203)
ML-DSA (Dilithium): Signatures
Digital signatures from lattices (FIPS 204)
SLH-DSA (SPHINCS+): Signatures
Hash-based signatures (FIPS 205)
Approach Categories
Lattice-based: most mature and widely deployed; basis for ML-KEM (Kyber) and ML-DSA (Dilithium)
Hash-based: security rests only on the hash function, so it is the best understood (SLH-DSA/SPHINCS+, plus the stateful XMSS and LMS schemes)
Code-based: Classic McEliece; public keys of hundreds of KB to 1 MB, but the underlying decoding problem has resisted attack since 1978
Isogeny-based: SIKE was broken in 2022 by a classical attack that recovers the key in hours on a laptop; research continues on other isogeny constructions
Multivariate: based on solving systems of multivariate polynomial equations; the Rainbow signature scheme was broken in 2022
Migration Strategy
- Inventory cryptographic dependencies: which protocols, libraries, certificates, HSMs and data stores use RSA, DH or ECC, and for what (key exchange, signatures, encryption at rest)
- Use hybrid approaches (classical + PQ): derive the session key from both a classical and a PQ shared secret, so the session stays safe as long as either component holds
- Signal already supports PQXDH, which combines X25519 with Kyber/ML-KEM in its initial handshake
- Chrome and Firefox now ship a hybrid X25519 + ML-KEM-768 key exchange in TLS 1.3 by default
- Prioritize long-term secrets first: key exchange protecting data with a confidentiality lifetime of years, then firmware and code-signing roots that must outlive their devices, then everything else
- Test performance impacts: ML-KEM-768 public keys and ciphertexts are about 1.2 KB and 1.1 KB versus 32 bytes for X25519, and ML-DSA-65 signatures are about 3.3 KB versus 64 bytes for Ed25519, so check packet sizes, handshake latency and certificate-chain sizes
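The hybrid construction from the list above, written out as an added example for this page (it is not Signal's PQXDH, a browser's TLS code, or anything from the original page). It uses only the Go standard library: crypto/mlkem and crypto/hkdf, both added in Go 1.24, plus crypto/ecdh. The message structs, the function names and the domain-separation label are assumptions of this example, not a standard; a real protocol would serialize the public values with Bytes() on the wire and parse them with NewPublicKey / NewEncapsulationKey768 on receipt.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Domain-separation label for the combiner: an assumption of this example, not a standard value.
const hybridLabel = "example-hybrid-x25519-mlkem768-v1"

type InitiatorKeys struct { // initiator's private state
	x25519 *ecdh.PrivateKey
	mlkem  *mlkem.DecapsulationKey768
}
type InitiatorPublic struct { // sent to the responder (serialize with .Bytes() on the wire)
	X25519 *ecdh.PublicKey
	MLKEM  *mlkem.EncapsulationKey768 // 1184 bytes when serialized
}
type ResponderMessage struct { // the reply
	X25519        *ecdh.PublicKey // ephemeral, 32 bytes when serialized
	KEMCiphertext []byte          // 1088-byte ML-KEM-768 ciphertext
}

// GenerateInitiator creates fresh X25519 and ML-KEM-768 key pairs.
func GenerateInitiator() (*InitiatorKeys, *InitiatorPublic, error) {
	xk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, err
	}
	return &InitiatorKeys{x25519: xk, mlkem: dk}, &InitiatorPublic{X25519: xk.PublicKey(), MLKEM: dk.EncapsulationKey()}, nil
}

// Respond: ephemeral X25519 agreement plus ML-KEM-768 encapsulation, combined into one key.
func Respond(pub *InitiatorPublic) ([]byte, *ResponderMessage, error) {
	rk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ssX, err := rk.ECDH(pub.X25519) // errors on a low-order peer point (all-zero output)
	if err != nil {
		return nil, nil, err
	}
	ssKEM, ct := pub.MLKEM.Encapsulate()
	msg := &ResponderMessage{X25519: rk.PublicKey(), KEMCiphertext: ct}
	key, err := combine(ssX, ssKEM, pub, msg)
	return key, msg, err
}

// Finish is the initiator side. A tampered KEM ciphertext does not error: ML-KEM's
// implicit rejection yields a different pseudorandom secret, so the two keys just disagree.
func Finish(keys *InitiatorKeys, pub *InitiatorPublic, msg *ResponderMessage) ([]byte, error) {
	ssX, err := keys.x25519.ECDH(msg.X25519)
	if err != nil {
		return nil, err
	}
	ssKEM, err := keys.mlkem.Decapsulate(msg.KEMCiphertext)
	if err != nil {
		return nil, err
	}
	return combine(ssX, ssKEM, pub, msg)
}

// combine runs HKDF-SHA256 over both secrets, salted with a hash of every public value
// exchanged: an attacker who breaks one component still faces the other, and the key is
// bound to this transcript.
func combine(ssX, ssKEM []byte, pub *InitiatorPublic, msg *ResponderMessage) ([]byte, error) {
	h := sha256.New()
	for _, b := range [][]byte{pub.X25519.Bytes(), pub.MLKEM.Bytes(), msg.X25519.Bytes(), msg.KEMCiphertext} {
		h.Write(b)
	}
	ikm := append(append([]byte{}, ssX...), ssKEM...)
	return hkdf.Key(sha256.New, ikm, h.Sum(nil), hybridLabel, 32)
}

func main() {
	keys, pub, err := GenerateInitiator()
	if err != nil {
		panic(err)
	}
	k1, msg, err := Respond(pub)
	if err != nil {
		panic(err)
	}
	k2, err := Finish(keys, pub, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("responder key %x\ninitiator key %x\nagree: %v\n", k1, k2, string(k1) == string(k2))
}
```

Two design points worth noticing. Concatenating the secrets and running them through a KDF is what makes the scheme a hybrid: the output is unpredictable if either input is, so an ECC break leaves the ML-KEM secret and vice versa. And because ML-KEM uses implicit rejection, a flipped ciphertext byte does not surface as an error in Decapsulate; the protocol above it (TLS Finished, Signal's message authentication) is what detects the mismatch, so never treat a clean return from decapsulation as proof that the ciphertext was genuine.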
Symmetric Crypto Status
Good News
- AES-256: safe. Grover's algorithm gives at best a square-root speedup on key search, so a k-bit key offers roughly k/2 bits of quantum security; AES-128 drops to about 64 bits in theory, AES-256 keeps 128.
- SHA-256: safe with a 256-bit output. Preimage search drops to about 2^128 under Grover; collision resistance is essentially unaffected in practice.
- ChaCha20: safe, it already uses a 256-bit key.
Use 256-bit keys and 256-bit hash outputs for 128-bit post-quantum security; no new symmetric algorithms are needed.