Quantum Computing and Cryptography: Preparing for Q-Day

Q-Day — the day a quantum computer can break RSA-2048 and ECC in practical time — is not here yet. Estimates range from 2030 to 2040, with considerable uncertainty. But if you wait for Q-Day to start preparing, you are already too late. The threat is "harvest now, decrypt later" — adversaries are collecting encrypted data today, storing it, and will decrypt it once quantum computers are capable. If your secrets need to remain secret for more than five years, the quantum threat is relevant now.

Quantum computers running Shor's algorithm will break RSA, DSA, ECDSA, and ECDH — the asymmetric cryptography that underpins TLS, SSH, VPNs, digital signatures, and key exchange. Grover's algorithm weakens symmetric cryptography (AES) by halving the effective key length, but AES-256 remains secure (it becomes equivalent to AES-128, which is still strong).

Hashing algorithms (SHA-256, SHA-3) are minimally affected. Grover's algorithm provides a square-root speedup for collision finding, but this is manageable by increasing hash lengths.

NIST finalized its first post-quantum cryptography standards in 2024: ML-KEM (Kyber) for key encapsulation and ML-DSA (Dilithium) for digital signatures. These are lattice-based algorithms that are believed to be resistant to both classical and quantum attacks. SLH-DSA (SPHINCS+) provides an alternative hash-based signature scheme.

These standards are not theoretical — they are production-ready. Google, Cloudflare, and Apple have already deployed ML-KEM in their TLS implementations. The transition has begun.

Inventory your cryptography. You cannot migrate what you do not know about. Catalog every system that uses public-key cryptography: TLS certificates, VPN configurations, SSH keys, code signing, API authentication, encrypted storage, and email encryption. This inventory is the foundation of your migration plan.

Prioritize by data sensitivity and lifetime. Systems that protect long-lived secrets (healthcare records, government classified data, intellectual property) should migrate first. Systems that protect transient data (web session encryption) have more time.

Start with hybrid mode. Most implementations will transition through a hybrid phase where both classical and post-quantum algorithms run in parallel. This provides quantum resistance while maintaining interoperability with systems that have not yet migrated. TLS 1.3 hybrid key exchange is already supported in major browsers and libraries.

The quantum transition will take 5-10 years industry-wide. Starting now gives you time to test, validate, and migrate incrementally. Waiting creates a crisis that may coincide with the worst possible time — when quantum computers actually arrive.