Q-Day — the point at which a quantum computer can break current public-key cryptography — is no longer a distant theoretical prospect. Timeline estimates from serious researchers have compressed significantly over the past three years, and the threat isn’t waiting for Q-Day to materialize. It’s happening now, in a different form.
What Quantum Computing Actually Threatens
The cryptographic algorithms at risk from quantum computing are specifically the ones based on problems that quantum algorithms can solve efficiently:
RSA and ECC (Elliptic Curve Cryptography) — These underpin the majority of public-key cryptography currently in use: TLS/HTTPS, SSH, VPNs, code signing, certificate authorities. Shor’s algorithm, running on a sufficiently capable quantum computer, breaks both by solving integer factorization (RSA) and elliptic curve discrete logarithm (ECC) in polynomial time. Classical computers cannot do this in practical time; quantum computers eventually will.
Symmetric cryptography (AES, ChaCha20) and hash functions (SHA-256, SHA-3) are much less affected. Grover’s algorithm provides a quadratic speedup for symmetric key search, but doubling key length (AES-128 → AES-256) restores the original security margin. These don’t need to be replaced.
What this means practically: everything that relies on RSA or ECC key exchange — which is most encrypted internet communication, most VPNs, most code signing infrastructure — is eventually vulnerable.
Harvest Now, Decrypt Later
The most immediate threat doesn’t require a quantum computer to exist yet. Harvest Now, Decrypt Later (HNDL) attacks are documented, ongoing operations — primarily attributed to nation-state actors — that collect encrypted network traffic today with the intent of decrypting it when quantum capability is available.
If an adversary has recorded your TLS session today, they have the ciphertext together with the handshake that established its keys. If they can break that key exchange in ten years, they read the session in ten years; forward secrecy from ephemeral ECDH does not help here, because the ephemeral public values are part of the recorded handshake. For data that needs to remain confidential for longer than the expected Q-Day timeline — which, depending on your source, ranges from 5 to 15 years — this is a present risk, not a future one.
The specific categories of data most exposed: state secrets, long-term intellectual property, attorney-client communications, medical records, financial information that retains value over time.
NIST Post-Quantum Cryptography Standards
NIST finalized its first set of post-quantum cryptographic (PQC) standards in 2024:
- ML-KEM (CRYSTALS-Kyber) — Key encapsulation mechanism; replaces RSA and ECC for key exchange
- ML-DSA (CRYSTALS-Dilithium) — Digital signatures
- SLH-DSA (SPHINCS+) — Hash-based digital signatures, conservative backup option
These are the standards to migrate to. They rest on mathematical problems, lattice problems for ML-KEM and ML-DSA and the preimage and collision resistance of hash functions for SLH-DSA, that are believed to be hard for both classical and quantum computers.
What to Do Now
The migration to PQC is not a one-day project. It requires finding every place RSA and ECC are used in your infrastructure — which is harder than it sounds — and replacing those implementations. The correct sequence:
1. Cryptographic inventory. Where in your infrastructure, codebase, and vendor dependencies are RSA or ECC keys used? This includes: TLS certificates, SSH keys, code signing certificates, VPN configurations, JWT implementations, certificate authorities, IoT device firmware, and third-party vendor integrations. Most organizations don’t have a complete answer.
2. Prioritize by data sensitivity and time horizon. Systems handling data that must remain confidential for 10+ years need to move first. Public websites with no long-lived sensitive data can wait.
3. Implement cryptographic agility. Applications should be designed so that the cryptographic algorithm can be swapped without rewriting core logic. This means abstracting cryptographic operations behind interfaces rather than hardcoding algorithm choices.
4. Test hybrid schemes. Major TLS implementations (OpenSSL 3.x, BoringSSL) support hybrid key exchange combining current algorithms with PQC algorithms. Hybrid mode protects against current classical attacks while adding quantum resistance — appropriate for production deployment before full PQC migration is complete.
5. Monitor vendor timelines. Your TLS library, HSM vendor, cloud provider, and PKI infrastructure vendor all need to support PQC. Most major vendors have roadmaps; align your internal timeline with theirs.
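One concrete piece of the inventory in step 1, as an added example that is not part of the original article: a Python parser for OpenSSH public-key lines (authorized_keys and known_hosts format) that records each key's algorithm family and size, so RSA and ECC keys can be counted and prioritized. It uses only the standard library; the sample lines and their key material are constructed, not real keys.

```python
import base64
import struct

# Every public-key type OpenSSH offers for host and user keys rests on RSA or a discrete-log curve
# and so falls to Shor's algorithm; the inventory records family and size to drive prioritization.
KEY_FAMILY = {"ssh-rsa": "RSA", "ssh-ed25519": "ECC", "ecdsa-sha2-nistp256": "ECC",
              "ecdsa-sha2-nistp384": "ECC", "ecdsa-sha2-nistp521": "ECC"}

def _ssh_string(b: bytes) -> bytes:      # RFC 4251 "string": 4-byte big-endian length, then bytes
    return struct.pack(">I", len(b)) + b
def _mpint(x: int) -> bytes:             # RFC 4251 "mpint": two's complement, so pad when high bit set
    return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))
def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def inventory_key(line: str) -> dict:
    """Classify one authorized_keys/known_hosts line (option or hostname prefixes allowed)."""
    fields = line.split()
    idx = next(i for i, f in enumerate(fields) if f in KEY_FAMILY)
    key_type, blob = fields[idx], base64.b64decode(fields[idx + 1])
    _wire_type, off = _read_string(blob, 0)           # blob starts by repeating the type name
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)             # public exponent, not needed for sizing
        n, _ = _read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()  # modulus size, e.g. 2048 or 4096
    elif key_type.startswith("ecdsa-"):
        curve, _ = _read_string(blob, off)
        bits = int(curve.decode()[len("nistp"):])     # "nistp256" -> 256
    else:
        bits = 256                                    # ssh-ed25519 public keys are fixed 32 bytes
    return {"type": key_type, "family": KEY_FAMILY[key_type], "bits": bits,
            "quantum_vulnerable": True, "comment": " ".join(fields[idx + 2:])}

def sample_lines() -> list[str]:
    """Constructed lines in authorized_keys/known_hosts format; the key material is synthetic."""
    rsa = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 2047) | 1)
    ecdsa = _ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256") + _ssh_string(b"\x04" + b"\x11" * 64)
    ed = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x22" * 32)
    enc = lambda b: base64.b64encode(b).decode()
    return [f"ssh-rsa {enc(rsa)} deploy@ci-runner",
            f"bastion.example.internal ecdsa-sha2-nistp256 {enc(ecdsa)}",
            f'restrict,command="/usr/bin/backup" ssh-ed25519 {enc(ed)} backup@nas']

def inventory(lines) -> list[dict]:
    return [inventory_key(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]

if __name__ == "__main__":
    for row in inventory(sample_lines()):
        print(f"{row['family']:<4} {row['type']:<22} {row['bits']:>5} bits  {row['comment']}")
```

Point `inventory()` at the lines of real authorized_keys and known_hosts files to build the per-host list; options containing spaces inside quotes are not handled by the simple whitespace split.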
The organizations that start this process now — inventory, prioritization, cryptographic agility architecture — will complete the migration in manageable phases. Organizations that wait until Q-Day pressure is immediate will find themselves facing a rushed, high-risk migration under adverse conditions.
Further Reading: Post-quantum cryptography books on Amazon — understand the mathematics and migration strategies before they become urgent.