If you have been following cybersecurity news lately, you have probably started seeing the term post-quantum cryptography appear more and more. It shows up in NIST announcements, in bank security bulletins, in government guidance documents. And if you are wondering what all the fuss is about — the short answer is that most of the encryption protecting the internet today is mathematically broken. Not practically broken yet. But broken in theory, and the clock is ticking.

The encryption that secures your bank connection, your email, your company VPN — it is all built on mathematical problems that classical computers cannot solve in any reasonable amount of time. Specifically, the hardness of factoring large numbers and computing discrete logarithms. Those two problems are the foundation of RSA, Diffie-Hellman, and elliptic curve cryptography. Take them away, and the entire edifice falls.

In 1994, a mathematician named Peter Shor published an algorithm that can solve both of those problems efficiently — on a quantum computer. The algorithm has been known for over thirty years. The only reason it has not broken anything yet is that building a quantum computer powerful enough to run it at real-world scale turns out to be extraordinarily difficult. But the difficulty is engineering, not physics. The physics says it is possible.

That is the core of the problem. We are not waiting to find out whether quantum computers can break current encryption. We already know they can. We are waiting to find out when.

So what is post-quantum cryptography?

Post-quantum cryptography — PQC — is the field developing cryptographic algorithms that remain secure even against quantum attacks. The key thing to understand is that PQC does not use quantum mechanics. It runs on ordinary classical computers — your server, your laptop, your phone. What makes it post-quantum is that the underlying mathematical problems are believed to be hard even for quantum computers.

The main approach that has emerged from years of research is lattice-based cryptography. Lattice problems are genuinely hard to solve, and as far as anyone can tell, quantum computers do not provide a meaningful advantage in attacking them. Other approaches include hash-based signatures, which rely only on the properties of hash functions, and code-based cryptography, which has been studied since the 1970s.

Where things stand today

In August 2024, after eight years of evaluation, NIST published the first post-quantum cryptographic standards. Three of them. FIPS 203 defines ML-KEM — the algorithm that replaces Diffie-Hellman and ECDH in protocols like TLS and SSH. FIPS 204 defines ML-DSA — the algorithm that replaces RSA and ECDSA for digital signatures. FIPS 205 defines SLH-DSA — a more conservative signature scheme based on hash functions, recommended for long-lived signatures and root certificate authorities.

These are not draft standards or proposals. They are finished, published, ready to deploy. Major cryptographic libraries including OpenSSL and BoringSSL already support them. Google Chrome and Cloudflare have deployed hybrid post-quantum TLS in production, where a classical key exchange is combined with ML-KEM so that the connection is no weaker than today's even if the newer algorithm turns out to have a flaw. The migration has started. The question is whether your organisation is part of it.

Why the urgency — if the quantum computer is not here yet

This is the part that catches people off guard. The threat is not just about what happens when a quantum computer eventually arrives. There is an attack strategy called harvest now, decrypt later. Adversaries — nation-state intelligence agencies, primarily — intercept and store encrypted network traffic today, with the intention of decrypting it once a quantum computer becomes available. The collection is happening now. The data being harvested today may be readable in ten years.

If your organisation handles data that needs to remain confidential for a decade or more — financial records, health data, intellectual property, government communications — that data is already at risk. Not from a future threat. From a current one.

Migration also takes time. Large organisations typically need three to seven years to fully replace their cryptographic infrastructure. If the best estimates put a cryptographically relevant quantum computer somewhere between 2030 and 2035, and you start planning in 2028, you are already behind.
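The timing argument above, worked through as an added example that is not part of the original article: it evaluates the article's own estimate ranges (a cryptographically relevant quantum computer between 2030 and 2035, a migration taking three to seven years) for a ten-year confidentiality requirement and a 2028 start, and treats 2025 as the assumed current year.

```python
# Added worked example, not from the original article. It expresses the
# article's timing argument as a check (often called Mosca's inequality):
# data encrypted in year t with a shelf life of x years is exposed to
# harvest-now-decrypt-later if t + x > z, where z is the year a CRQC exists;
# a migration taking y years must therefore start no later than z - y.
from dataclasses import dataclass
from itertools import product

CRQC_YEARS = (2030, 2035)        # article: "somewhere between 2030 and 2035"
MIGRATION_YEARS = (3, 7)         # article: "three to seven years"


@dataclass(frozen=True)
class Scenario:
    crqc_year: int
    migration_years: int
    first_exposed_year: int   # data encrypted from this year on outlives classical crypto
    latest_safe_start: int    # last year a migration can begin and finish before the CRQC
    exposed_now: bool         # traffic harvested today is readable before its shelf life ends
    start_is_late: bool       # the planned start date misses latest_safe_start


def first_exposed_year(shelf_life_years: int, crqc_year: int) -> int:
    """Earliest encryption year whose data must still be secret when the CRQC arrives."""
    return crqc_year - shelf_life_years + 1


def latest_safe_start(crqc_year: int, migration_years: int) -> int:
    """Migration must complete before the CRQC: start <= crqc_year - migration_years."""
    return crqc_year - migration_years


def assess(shelf_life_years: int, planned_start: int, today: int) -> list[Scenario]:
    """Evaluate every combination of the article's best- and worst-case estimates."""
    results = []
    for z, y in product(CRQC_YEARS, MIGRATION_YEARS):
        results.append(Scenario(
            crqc_year=z,
            migration_years=y,
            first_exposed_year=first_exposed_year(shelf_life_years, z),
            latest_safe_start=latest_safe_start(z, y),
            exposed_now=today + shelf_life_years > z,
            start_is_late=planned_start > latest_safe_start(z, y),
        ))
    return results


if __name__ == "__main__":
    # The article's case: decade-long confidentiality, planning starts in 2028 (today assumed 2025).
    for s in assess(shelf_life_years=10, planned_start=2028, today=2025):
        print(s)
```

In every scenario with a 2030 CRQC the 2028 start is already late, and in the conservative case anything encrypted since 2021 with a ten-year shelf life is already exposed.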

The honest position is simple: the algorithms that need replacing are known, the replacements are standardised, and the window to migrate before the problem becomes acute is not infinite. The question is not whether to migrate. It is whether to start now or later.