The encryption systems securing the world’s digital infrastructure today were built on mathematical assumptions that have held for decades. RSA, elliptic curve cryptography, and Diffie-Hellman key exchange all derive their security from problems that are computationally intractable for classical computers. Quantum computing threatens to render those assumptions obsolete, with consequences for enterprise data security that would be systemic and irreversible.
Post-quantum cryptography is the discipline of developing and deploying cryptographic algorithms that remain secure against both classical and quantum computers. It represents the most significant transition in the history of public-key cryptography, and it is now underway. Organizations that begin the migration early will be in a substantially stronger position than those that wait.
The Threat That Makes Post-Quantum Cryptography Necessary
The need for post-quantum cryptography stems directly from the capabilities of Shor’s algorithm, a quantum computing procedure published in 1994 that can solve the prime factorization and discrete logarithm problems in polynomial time. These are the mathematical foundations on which RSA and elliptic curve cryptography are built. When quantum hardware reaches sufficient scale to run Shor’s algorithm against real-world key sizes, asymmetric cryptography as currently deployed will offer no meaningful protection.
This is not a distant theoretical concern. The harvest now, decrypt later strategy means adversaries are already capturing encrypted communications with the intention of storing them for future decryption once quantum computing becomes capable. Data whose confidentiality must extend beyond the anticipated timeline for quantum computers relevant to cryptography is already at risk, regardless of when those computers actually materialize.
The post-quantum cryptography standards that enterprises need to evaluate and deploy are the product of nearly a decade of international standardization work led by the US National Institute of Standards and Technology (NIST). The finalization of those standards in August 2024 gives enterprises a concrete technical foundation to begin migration.
What Post-Quantum Cryptography Is and What It Is Not
Post-quantum cryptography refers to classical mathematical algorithms designed to resist attacks from both conventional and quantum computers. These algorithms run on existing hardware and network infrastructure without requiring specialized quantum technology. They are software implementations that can be integrated into existing security protocols, certificate infrastructure, and application code through a migration process.
It is important to distinguish post-quantum cryptography from quantum key distribution, a separate approach that uses the physical properties of quantum particles to establish cryptographic keys. Quantum key distribution offers certain theoretical security guarantees but requires dedicated quantum optical networking hardware, limiting its practical applicability to specialized high-security environments. For the vast majority of enterprise environments, post-quantum cryptography is the only realistic path to quantum-resistant security.
Post-quantum cryptography also does not replace symmetric encryption algorithms like AES, which are not directly threatened by Shor’s algorithm. The primary quantum threat to symmetric encryption comes from Grover’s algorithm, which halves the effective key length, a weakness addressed by moving from AES-128 to AES-256. The more complex and transformational work of the post-quantum migration concerns the asymmetric cryptographic systems that must be replaced with entirely new algorithms.
The NIST Post-Quantum Cryptography Standards
The algorithmic foundation for enterprise post-quantum cryptography migration is provided by the standards finalized by the National Institute of Standards and Technology in August 2024. These followed an eight-year international evaluation process involving cryptographers from governments, universities, and industry across dozens of countries. The process subjected dozens of candidate algorithms to intensive cryptanalysis over several rounds, eliminating candidates that had previously been believed to be strong.
The three finalized standards center on lattice-based mathematics. ML-KEM, standardized in FIPS 203 and based on the CRYSTALS-Kyber framework, provides key encapsulation, the key-establishment step that protects data in transit. ML-DSA, standardized in FIPS 204 and based on CRYSTALS-Dilithium, provides digital signatures for identity authentication. SLH-DSA, standardized in FIPS 205 and based on SPHINCS+, provides an alternative hash-based digital signature scheme that does not rely on lattice mathematics, offering algorithmic diversity in the event that vulnerabilities emerge in the lattice-based approaches.
In March 2025, NIST added HQC as a fifth algorithm, selecting it specifically because it is built on error-correcting code mathematics rather than lattices. This diversity is deliberate: the history of cryptographic standardization includes unexpected breaks of algorithms believed to be secure, and the NIST post-quantum portfolio is designed to remain resilient if any single mathematical approach is compromised.
The practical scale of post-quantum cryptography adoption is already significant, as demonstrated by major technology platforms deploying these protocols to protect communications at scale. As Computerworld’s coverage of real-world post-quantum deployments shows, leading technology organizations have begun integrating post-quantum cryptographic protocols into production systems, with Apple’s PQ3 implementation in iMessage and Signal’s PQXDH protocol among the earliest large-scale deployments, both aimed explicitly at countering the harvest now, decrypt later threat at a global scale.
How Post-Quantum Algorithms Protect Data
The security of lattice-based post-quantum algorithms rests on computational problems in high-dimensional geometry that are believed to be intractable for both classical and quantum computers. The core problems, including the learning with errors problem and its variants, involve finding approximate solutions to systems of linear equations over high-dimensional lattices where a small amount of random noise has been introduced. Even with access to quantum computing, no algorithm is known that provides an exponential speedup for solving these problems.
For key encapsulation, ML-KEM uses these lattice problems to enable two parties to establish a shared secret over a public channel without requiring either party to transmit the secret itself. A sender uses the recipient’s public key to encapsulate a randomly generated symmetric key, and the recipient uses their private key to decapsulate it. The security of this process depends on the difficulty of recovering the encapsulated key without knowing the private key, which is equivalent to solving the underlying lattice problem.
For digital signatures, ML-DSA and SLH-DSA allow a signer to generate cryptographic proof that a message was signed by the holder of a specific private key. Verifiers can check this proof using the corresponding public key without being able to forge signatures or recover the private key. The security guarantees hold against quantum adversaries because the underlying mathematical problems resist quantum speedup.
These algorithms are designed to integrate with existing security protocols including TLS, certificate infrastructure, and key management systems, though in most cases integration requires updates to the protocols themselves, which are underway across standards bodies including the IETF.
The Migration Challenge for Enterprise Organizations
The transition to post-quantum cryptography is among the most technically and operationally complex cryptographic migrations ever undertaken. The scale of asymmetric cryptography embedded across enterprise infrastructure is immense and often poorly inventoried. RSA and elliptic curve cryptographic operations underpin TLS connections securing web and API traffic; digital certificates validating identity across enterprise systems; VPN infrastructure connecting distributed sites; code signing protecting software supply chains; email security protocols; database encryption; and hardware security modules anchoring identity at the enterprise level.
Migrating all of these systems simultaneously is not feasible. The practical approach is a phased, risk-based program that begins with inventory, moves through prioritization, and executes migration across systems in order of their sensitivity and exposure.
As detailed in Dark Reading’s coverage of the finalized NIST post-quantum cryptography standards and the enterprise migration guidance that followed, experts across the cryptographic community are aligned on the urgency of beginning migration immediately. The NSA’s Commercial National Security Algorithm Suite 2.0 mandates quantum-safe algorithms for all new national security systems by January 2027, with full application migration by 2030 and complete infrastructure migration by 2035. Federal agencies and their contractors and partners face the most pressing timelines, but the cascading effect of these mandates will drive adoption broadly across regulated industries.
Key Components of an Enterprise Post-Quantum Migration Program
A structured post-quantum cryptography migration program covers several interconnected workstreams that must proceed in parallel rather than sequentially.
Cryptographic Inventory and Discovery
The foundation of any migration program is a comprehensive inventory that documents every system, application, protocol, integration, and third-party service using cryptographic functions, with specific identification of all asymmetric cryptographic operations. This inventory is the prerequisite for risk-based prioritization. Without it, organizations cannot identify their highest-exposure systems, evaluate vendor readiness, or develop a realistic migration roadmap. Most enterprises discover during this process that their cryptographic footprint is significantly larger and more complex than anticipated.
Risk-Based Prioritization
Not all systems carry equal urgency for migration. Priority should be assigned based on two factors: the sensitivity lifetime of the data being protected and the difficulty of migrating the system in question. Data that must remain confidential for ten or more years is already exposed to the harvest now, decrypt later threat and should be prioritized immediately. Systems that are difficult to update, such as embedded devices, operational technology, and legacy applications, should be identified early so that compensating controls or replacement planning can proceed alongside the migration of more accessible systems.
Hybrid Cryptography for Transitional Protection
During the migration period, hybrid key exchange provides a practical intermediate posture by combining a classical asymmetric algorithm with a post-quantum key encapsulation mechanism. A hybrid approach requires an attacker to break both the classical and post-quantum components simultaneously, protecting against both current classical attacks and future quantum attacks during the transition. Hybrid TLS configurations and hybrid certificate schemes are already supported in major browsers and are being tested in enterprise deployments as a bridge to full post-quantum adoption.
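The encapsulate/decapsulate flow described under ML-KEM above and the hybrid key exchange described here, as an added example that is not code from the article or any vendor: a two-message exchange in which the client sends an X25519 public key and an ML-KEM-768 encapsulation key, the server replies with its own X25519 key and a KEM ciphertext, and both sides derive one session key from both shared secrets. It assumes Go 1.24 or later (for the standard-library crypto/mlkem and crypto/hkdf packages); the message framing, the combiner's secret ordering and the HKDF info string are simplifications chosen for this example, not the TLS wire format.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
)
// combine feeds both shared secrets into HKDF: recovering the session key then
// requires breaking X25519 and ML-KEM-768, not just one of them.
func combine(ecdhSS, kemSS []byte) ([]byte, error) {
	ikm := append(append([]byte{}, ecdhSS...), kemSS...)
	return hkdf.Key(sha256.New, ikm, nil, "hybrid X25519+ML-KEM-768 example", 32)
}
// clientHello generates the client's two key pairs; the public halves
// (priv.PublicKey().Bytes() and dk.EncapsulationKey().Bytes()) are sent first.
func clientHello() (*ecdh.PrivateKey, *mlkem.DecapsulationKey768, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	dk, err := mlkem.GenerateKey768()
	return priv, dk, err
}
// serverRespond takes the client's public values and returns the session key
// plus the reply: the server's X25519 public key and the ML-KEM ciphertext.
func serverRespond(clientX, clientKEM []byte) (key, serverX, ct []byte, err error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, nil, err }
	clientPub, err := ecdh.X25519().NewPublicKey(clientX)
	if err != nil { return nil, nil, nil, err }
	ecdhSS, err := priv.ECDH(clientPub)
	if err != nil { return nil, nil, nil, err }
	ek, err := mlkem.NewEncapsulationKey768(clientKEM) // rejects malformed keys
	if err != nil { return nil, nil, nil, err }
	kemSS, ct := ek.Encapsulate() // fresh 32-byte secret and 1088-byte ciphertext
	key, err = combine(ecdhSS, kemSS)
	return key, priv.PublicKey().Bytes(), ct, err
}
// clientFinish recomputes the same key. A tampered ciphertext does not error:
// ML-KEM's implicit rejection yields an unrelated key, caught by key confirmation.
func clientFinish(priv *ecdh.PrivateKey, dk *mlkem.DecapsulationKey768, serverX, ct []byte) ([]byte, error) {
	serverPub, err := ecdh.X25519().NewPublicKey(serverX)
	if err != nil { return nil, err }
	ecdhSS, err := priv.ECDH(serverPub)
	if err != nil { return nil, err }
	kemSS, err := dk.Decapsulate(ct)
	if err != nil { return nil, err }
	return combine(ecdhSS, kemSS)
}
```

The sizes are the practical cost the PKI section below alludes to: the client's first message grows from 32 bytes to 1216 bytes and the reply to 1120 bytes, which is why larger handshakes and certificate profiles are part of the migration work.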
Public Key Infrastructure Modernization
Enterprise PKI must be updated to support post-quantum algorithms, including updating certificate authorities to issue certificates using ML-DSA or SLH-DSA signatures, updating certificate profiles to accommodate the larger key and signature sizes of post-quantum algorithms, and validating that revocation and chain validation work correctly across mixed-algorithm environments. PKI modernization is one of the more technically complex aspects of the post-quantum migration and typically requires early engagement with PKI vendors and testing in non-production environments before broad deployment.
Cryptographic Agility as an Architectural Principle
One of the most durable lessons from the post-quantum standardization process is that cryptographic agility must be built into system architecture from the beginning. Several candidate algorithms evaluated during the NIST process were broken not by quantum computers but by classical mathematical advances that were not anticipated at the time they were submitted. The SIKE algorithm, once a finalist, was broken in minutes using a standard laptop by a researcher who identified an unexpected mathematical shortcut.
Cryptographic agility means designing systems so that algorithms can be updated through configuration rather than code rewrites, establishing clear organizational ownership of cryptographic decisions, and maintaining the operational processes required to execute rapid algorithm updates when needed. Organizations that develop this capability as part of the post-quantum migration will be better positioned to respond to future cryptographic discoveries throughout the lifecycle of their systems.
Vendor and Supply Chain Engagement
Enterprise cryptographic security extends to every vendor, cloud provider, software platform, and technology partner that handles sensitive data or provides cryptographic services. Post-quantum cryptography readiness must be incorporated into procurement processes, vendor assessments, and existing contractual relationships. Cloud providers, security hardware vendors, and software platform operators all have post-quantum roadmaps at different stages of development, and understanding these timelines is essential for realistic migration planning.
The Regulatory and Compliance Dimension
The post-quantum cryptography migration is increasingly a compliance matter, not just a security best practice. The NSA’s CNSA 2.0 mandates are cascading through defense contractors, federal agencies, and regulated industries. The US government’s 2035 deprecation deadline for quantum-vulnerable algorithms in federal systems creates a compliance floor that many industries will need to meet as a condition of doing business with government entities. Financial services, healthcare, and critical infrastructure sectors all face regulatory scrutiny on cryptographic posture that will only intensify as post-quantum migration becomes an established industry expectation.
Frequently Asked Questions
How is post-quantum cryptography different from quantum cryptography?
Post-quantum cryptography refers to classical mathematical algorithms running on conventional hardware that are designed to resist attacks from quantum computers. Quantum cryptography, more precisely quantum key distribution, uses the physical properties of quantum particles to establish cryptographic keys in a way that is theoretically tamper-evident based on the laws of quantum physics. Post-quantum cryptography is deployable on existing infrastructure without specialized hardware, making it the practical standard for enterprise adoption. Quantum key distribution is limited to specialized high-security deployments due to its requirement for dedicated quantum optical networking equipment.
Why should enterprises begin post-quantum migration before quantum computers capable of breaking encryption exist?
Two factors make early migration essential. First, the harvest now, decrypt later threat means data transmitted today under quantum-vulnerable encryption may already be captured and stored by adversaries for future decryption. For data whose sensitivity extends beyond the anticipated timeline for cryptographically capable quantum computers, that exposure is active now. Second, cryptographic migration at enterprise scale is a multi-year program requiring inventory, risk assessment, PKI modernization, vendor engagement, and application updates across hundreds or thousands of systems. Organizations that begin only when quantum computers demonstrate cryptographic capability will have insufficient time to complete a transition that requires years of sustained effort.
What is the most difficult part of post-quantum cryptography migration for enterprise IT teams?
The most consistently cited challenge is cryptographic inventory: identifying every system, application, and integration using asymmetric cryptographic operations across a complex enterprise environment. Most large organizations have cryptographic functions embedded in systems that were never designed with migration in mind, including legacy applications, embedded devices, third-party services, and operational technology with long replacement cycles. Without a complete and accurate inventory, risk prioritization and migration planning cannot proceed meaningfully. Establishing the organizational ownership, tooling, and processes required to maintain this inventory on an ongoing basis is the foundational work that makes everything else in the migration program possible.