
Definition

Post-Quantum Cryptography (PQC) refers to cryptographic algorithms designed to remain secure against attacks from future large-scale quantum computers, often referred to as Cryptographically Relevant Quantum Computers (CRQCs). While CRQCs do not yet exist, the transition to quantum-safe cryptography must begin well before they arrive. 

The threat quantum computers pose depends on the type of cryptography in use, the hardware it runs on, and the information being protected. If information must stay confidential for decades, the cryptography protecting it needs to be updated as soon as possible. Just as importantly, changing cryptography across real-world systems takes years, so the process should start now. Organizations must discover where cryptography is used, migrate Public Key Infrastructure (PKI), update software and devices, and validate the changes across complex environments.

What Is Post-Quantum Cryptography?

Post-quantum cryptography consists of cryptographic algorithms designed to resist attacks from quantum-enabled adversaries. Unlike quantum cryptography (for example, quantum key distribution), which relies on quantum physical effects and expensive specialized hardware, PQC is designed to run on classical computers and be deployed on existing infrastructure.

In practical terms, PQC: 

  • runs on standard servers, devices, and cloud platforms, 
  • does not require quantum communication channels or new physical hardware, and 
  • can be introduced through software, protocol, and cryptographic updates. 

PQC is also known as quantum-safe or quantum-resistant cryptography. These terms all reflect the goal of ensuring cryptographic protections deployed today remain effective as computational capabilities evolve. 

What Problem Is PQC Solving?

Cryptography serves different security objectives depending on how it is used. Most commonly, it provides: 

  • confidentiality through key establishment mechanisms and symmetric encryption, and 
  • integrity and authenticity through digital signatures. 

Key establishment mechanisms and digital signature algorithms are common types of public-key cryptography, also known as asymmetric cryptography. Quantum computing affects these functions in different ways: 

  • For key establishment, a sufficiently capable quantum computer lets an adversary recover the shared secret from recorded handshakes, so previously captured communications can be decrypted and confidentiality is broken retroactively. 
  • For digital signatures, the system remains secure until a large-scale quantum computer exists; from that point a CRQC can recover signing keys and enable forgery and impersonation unless the signature algorithms have been upgraded to quantum-resistant ones. 

Post-quantum cryptography addresses both risks by replacing public-key algorithms whose security depends on mathematical problems that quantum computers are expected to solve efficiently with newer algorithms designed to resist quantum-enabled attacks. The threat quantum computing poses to traditional cryptography is not an implementation flaw; it is a limitation of the underlying mathematics.

Why Current Public-Key Cryptography Is Vulnerable to Quantum Computers

Today’s public-key cryptography relies on mathematical problems that are extremely difficult for classical computers, but potentially tractable for large-scale quantum computers. These algorithms underpin secure communications, digital identity, and trust infrastructures across the internet and enterprise environments. 

How Quantum Algorithms Break Public-Key Cryptography

Quantum algorithms—most notably Shor’s algorithm—are expected to break the mathematical foundations of widely used public-key algorithms, including: 

  • Diffie-Hellman (DH) key exchange 
  • RSA 
  • Elliptic Curve Cryptography (ECC) algorithms 

Smaller, early quantum computers may be able to break shorter keys before longer ones, so moving to larger parameters buys time. Upgrading the parameters of traditional algorithms to those given in CNSA 1.0 (for example, RSA-3072 and P-384) is a practice recommended by the NSA as an interim step. Once a sufficiently powerful quantum computer exists, however, the security assumptions of these public-key algorithms no longer hold at any parameter size.

Is Elliptic Curve Cryptography Quantum Secure?

Short answer: No. 

Elliptic curve cryptography is efficient and secure against classical attacks, but its security relies on mathematical problems that quantum algorithms are expected to solve efficiently. Performance advantages do not translate to quantum resistance, and implementation improvements cannot mitigate this fundamental vulnerability. 

Why Symmetric Encryption Is Affected Differently

Symmetric cryptography is affected differently from public-key cryptography. The primary quantum threat is Grover’s algorithm, which gives at most a quadratic speedup on brute-force key search. In theory that halves the effective key length (roughly 128 bits of quantum security for AES-256) rather than breaking the algorithm outright, and the practical cost of running Grover at that scale is far higher than the theoretical bound suggests.

In practice, this means existing standardized symmetric algorithms with sufficiently large key sizes—such as AES-256—remain appropriate for long-term use. Post-quantum cryptography migration is therefore focused on public-key systems, not replacing all cryptography. 

How Post-Quantum Cryptography Works

How Post-Quantum Algorithms Differ From DH, RSA, and ECC

Post-quantum cryptography mitigates quantum risk by replacing vulnerable public-key algorithms with alternatives based on different mathematical assumptions. These algorithms are designed to run on existing, classical computing infrastructure, and resist both classical and quantum attacks. 

Traditional public-key systems rely on mathematical problems that quantum computers will eventually solve efficiently. Post-quantum algorithms rely on different mathematical foundations that currently have no known efficient quantum attacks. 

The goal is resilience against future quantum capabilities, while acknowledging that some confidentiality risks already exist today due to harvested data. 

Why Post-Quantum Cryptography Focuses on Algorithm Replacement 

Quantum risk is tied to the mathematics behind current algorithms and cannot be mitigated through better software or implementation. When the security assumption itself is broken, replacement is the only viable response. There are no parameter changes that can fix the security of traditional public-key cryptography.  

Post-Quantum Cryptography Works Alongside Existing Systems 

Post-quantum adoption is not a single switch. Systems, vendors, and partners will not update simultaneously, and organizations must plan for phased transitions. 

During this period: 

  • classical and post-quantum cryptography may coexist, and 
  • different migration strategies may be used based on policy, interoperability, and risk tolerance. 

Hybrid approaches combine a classical and a post-quantum mechanism so that the result remains secure as long as at least one of them is secure. They are sometimes used during the transition, but they add complexity, which can itself introduce security risk, and they imply two migrations (traditional to hybrid, then hybrid to pure PQC). Hybrids are not universally recommended; they trade added assurance against a break in a new PQC algorithm for added operational burden.
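As an added illustration (not code from the original page or from Keyfactor), the following Python shows the core of a hybrid key-establishment combiner: two shared secrets, one standing in for an X25519 output and one for an ML-KEM output, are concatenated and run through HKDF to produce a single session key. The shared-secret values and the transcript string are constructed placeholders; the concatenate-then-KDF pattern mirrors the approach taken by hybrid key-exchange proposals for TLS. The HKDF implementation is checked against RFC 5869 test case 1 so the combiner is built on a known-good KDF.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size   # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2): PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = bytes(HASH_LEN)          # RFC default: HashLen zero bytes
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3): OKM = T(1) | T(2) | ... truncated to length."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand length too large")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_self_test() -> bool:
    """RFC 5869 test case 1; True when this implementation reproduces the published vectors."""
    prk = hkdf_extract(bytes.fromhex("000102030405060708090a0b0c"), bytes([0x0b]) * 22)
    okm = hkdf_expand(prk, bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"), 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


SECRET_LEN = 32   # X25519 and ML-KEM-768 both produce 32-byte shared secrets


def hybrid_session_key(ss_pq: bytes, ss_classical: bytes, transcript: bytes,
                       length: int = 32) -> bytes:
    """Combine a post-quantum and a classical shared secret into one session key.

    Inputs are fixed-length so the concatenation cannot be re-split ambiguously;
    the handshake transcript is bound in through `info` so the key is tied to this
    exchange. HMAC-based extraction behaves as a PRF of its keying material, so an
    attacker who later recovers only one of the two secrets (say the classical one,
    with a quantum computer) still cannot compute the output.
    """
    if len(ss_pq) != SECRET_LEN or len(ss_classical) != SECRET_LEN:
        raise ValueError("shared secrets must be exactly SECRET_LEN bytes")
    prk = hkdf_extract(salt=b"", ikm=ss_pq + ss_classical)
    info = b"hybrid pqc/classical session key" + HASH(transcript).digest()
    return hkdf_expand(prk, info, length)


if __name__ == "__main__":
    # Constructed placeholder secrets; in a real handshake these come from ML-KEM and X25519.
    pq_secret, classical_secret = bytes([1]) * SECRET_LEN, bytes([2]) * SECRET_LEN
    key = hybrid_session_key(pq_secret, classical_secret, b"ClientHello|ServerHello")
    print("HKDF self-test:", hkdf_self_test())
    print("session key:", key.hex())
```

Changing either input secret, or the transcript, yields an unrelated key, which is the property a hybrid scheme needs: the classical secret only has to protect against a break in the new PQC algorithm, and the PQC secret only has to protect against a future quantum computer. The fixed-length check is not cosmetic; if secret lengths could vary, the same concatenated bytes could be parsed two ways.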


Post-Quantum Cryptography Is About Preparation

Quantum computing is often framed as an imminent disruption, but post-quantum cryptography is fundamentally a planning and risk management challenge. There is no precise or reliable timeline for when large-scale quantum computers will be able to break today’s public-key cryptography. 

At the same time, uncertainty does not mean safety. Some confidentiality risks already exist today due to harvest now, decrypt later attacks, where adversaries collect encrypted data now and decrypt it later once quantum capabilities mature. 

Delayed preparation is especially risky for organizations that rely on: 

  • long-lived data that must remain confidential for decades, 
  • systems with multi-year design, certification, and deployment cycles, and 
  • long-lived hardware in hard-to-reach locations that cannot be easily replaced or updated. 

The immediate danger is not a sudden cryptographic collapse caused by quantum computers. The danger is that a large-scale cryptographic update across complex systems carries risks of its own, and those risks must be balanced against the time left to act.

What Is “Harvest Now, Decrypt Later”? 

In a harvest now, decrypt later scenario, adversaries capture encrypted data today and store it. Once quantum computers become capable of breaking current public-key cryptography, that data can be decrypted retroactively. 

This threat is especially serious for data that must remain confidential for many years, such as: 

  • health and medical records, 
  • trade secrets and proprietary designs, and 
  • sensitive government or critical infrastructure information. 

Large amounts of data transmitted over the internet are believed to be intercepted and stored today for future decryption.

PKI Migration 

Post-quantum readiness will require a large-scale PKI migration. Adopting a post quantum PKI is not a simple algorithm swap—it requires coordinated changes across certificates, trust anchors, validation paths, and dependent systems. Organizations must discover cryptographic usage, prioritize systems and data, update PKI and trust chains, test interoperability, and deploy changes safely at scale. 

In many environments, migrating PKI is the most complex and time-consuming aspect of post-quantum preparation because it directly affects identity, trust, and operational stability.  

Hardware Security and Mosca’s Rule 

For long-lived systems, cryptographic decisions must account for both system lifetime and the time until quantum capability arrives. Mosca’s rule compares three quantities: x, how long data or a trust relationship must remain secure; y, how long the migration takes; and z, the time until a CRQC exists. If x + y > z, the organization is already exposed, because information protected today will still need protection after a CRQC arrives. For hardware, the same logic applies to design time plus operational lifetime: if that sum exceeds the expected arrival of CRQCs, cryptographic risk must be addressed before the design phase begins.

This is particularly relevant for automotive systems, satellites, industrial equipment, and medical or biological implants. Factors that make device security harder to maintain include long service life, hard-to-reach locations, and large-scale deployment over a wide area.

Government Timeline Regulations 

Some environments already face defined timelines. National Security Systems (NSS), for example, must follow the timelines in the NSA’s CNSA 2.0 requirements, which shape cryptographic planning, algorithm selection, and migration strategy well ahead of CRQC availability. CNSA 2.0 calls for most NSS cryptography to support and prefer the CNSA 2.0 (post-quantum) algorithms by 2027 at the latest, with the exception of niche equipment, custom applications, and legacy equipment, which are given later dates.

Why “Later” Is Too Late for Cryptographic Migration 

The transition to PQC for most medium and large organizations will take years, not months. Given the risks to long-term confidentiality and long-lived hardware, and the size of a large-scale PKI update, delaying migration planning is particularly dangerous in many cases.

Even in less extreme cases, waiting until cryptographically relevant quantum computers exist removes the margin for a controlled transition. At that point organizations face compressed timelines, limited options, and elevated operational risk. In cryptography, “later” often means “too late.”

Why PQC Matters Before Quantum Computers Exist

Like any security control, PQC must be in place well before the attack it defends against becomes practical, so quantum risk has to be managed before CRQCs become a viable option for adversaries.

As mentioned in the last section, data often needs to remain confidential or trustworthy for decades. Harvest now, decrypt later attacks mean adversaries can benefit from future quantum capabilities even if systems are secure today. Long system lifecycles and large PKI estates further slow the pace of change, while regulatory constraints may impose added pressure to advance the PQC migration. 

Preparing early preserves flexibility. Waiting compresses risk into a crisis. 

Post-Quantum Cryptography Is a Transition, Not a Switch 

Post-quantum cryptography is a multi-year transition, not a one-time upgrade. There is no single moment when an organization becomes “quantum-safe.” 

Progress in a successful transition is measured by capabilities rather than dates, including: 

  • Visibility into cryptographic usage, so organizations understand where cryptography exists across applications, infrastructure, and devices before change is required. 
  • Planned migration, with the most time-sensitive and critical cryptography identified for replacement first. 
  • Support for multiple algorithms concurrently, allowing classical and post-quantum cryptography to coexist as systems are upgraded at different speeds. 
  • Controlled rollout and rollback mechanisms, which reduce operational risk by enabling phased deployment and recovery if issues arise. 
  • Governance that adapts as standards evolve, ensuring cryptographic policies and controls remain aligned with changing guidance and requirements. 

Treating post-quantum cryptography as a transition rather than a switch reduces risk and helps organizations avoid disruptive, last-minute change. 

The Role of Standards in Post-Quantum Cryptography

Standards turn post-quantum cryptography from theory into something organizations can deploy with confidence. 

  • Enable deployable, real-world adoption 
    Standards translate research and cryptographic theory into algorithms and guidance that organizations can realistically implement. 
  • Define security parameters 
    Standards fix parameters such as key sizes and block sizes and state the expected security level. They give specifications that implementations must satisfy, which in turn enables interoperability. 
  • Provide trusted evaluation through NIST 
    NIST leads the evaluation and standardization of post-quantum algorithms, giving organizations confidence that selected approaches have undergone extensive public review. 
  • Move beyond algorithms 
    Standards also specify how applications should use the algorithms in certificates, schemes, and protocols. 
  • Influence adoption through certification and compliance 
    Certification and compliance programs such as FIPS shape when and how organizations can adopt post-quantum cryptography in regulated environments. 
  • Support interoperability and ecosystem alignment 
    Standards allow vendors, platforms, and partners to adopt post-quantum cryptography in a coordinated and compatible way. 
  • Offer a stable reference point despite ongoing change 
    While standards do not guarantee permanence, they provide a consistent foundation for planning, interoperability, and regulatory alignment as cryptography continues to evolve. 

Types of PQC Algorithms 

Post-quantum cryptography algorithms fall into several families, each based on different mathematical problems. These families exist because cryptography serves multiple purposes, and no single foundation is optimal for every use case. Additionally, the redundancy of having standardized PQC algorithms from multiple families means that if one algorithm is broken, another algorithm can take its place without needing to wait for another multi-year standardization process. 

Common families include: 

  • Lattice-based cryptography, which supports both key establishment and signatures and is widely considered practical for deployment. 
  • Hash-based cryptography, which offers conservative security assumptions for digital signatures, since its security rests only on the properties of the underlying hash function. 
  • Code-based cryptography, which has strong security foundations but large key sizes. 
  • Multivariate cryptography, an active research area with mixed historical results (the Rainbow signature scheme, a NIST finalist, was broken in 2022). 
  • Isogeny-based cryptography, which offers small keys but has seen recent cryptanalytic setbacks (SIKE was broken by a classical attack in 2022). 

Organizations should use standardized versions of these algorithms and follow applicable government guidance and regulations. NIST has published ML-KEM (FIPS 203, lattice-based key encapsulation), ML-DSA (FIPS 204, lattice-based signatures), and SLH-DSA (FIPS 205, hash-based signatures). ML-KEM and ML-DSA are considered the best all-round choices for most cases.
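To make the hash-based family concrete, here is an added example (not from the page and not any standardized scheme) of a Lamport one-time signature in Python. It uses only SHA-256: the private key is 256 pairs of random values, the public key is their hashes, and a signature reveals one value per bit of the message digest. Forging a signature requires finding a preimage of an unrevealed hash, which is why the security assumption is so conservative. The exposed_pairs function shows why a key must never sign twice, and sizes_bytes shows why real schemes such as SLH-DSA add Merkle trees and other structure on top of this idea. The message strings are constructed for illustration.

```python
import hashlib
import secrets

H = hashlib.sha256
N = H().digest_size      # 32-byte hash output; each secret value is also 32 bytes
BITS = N * 8             # 256 digest bits, one (secret_0, secret_1) pair per bit


def _bit(digest: bytes, i: int) -> int:
    """Bit i of the digest, most significant bit first."""
    return (digest[i // 8] >> (7 - i % 8)) & 1


def keygen():
    """Private key: BITS pairs of random values. Public key: the hash of each value."""
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(BITS)]
    pk = [(H(a).digest(), H(b).digest()) for a, b in sk]
    return sk, pk


def sign(sk, message: bytes):
    """For bit i of H(message), reveal sk[i][bit]. The other half of each pair stays secret."""
    d = H(message).digest()
    return [sk[i][_bit(d, i)] for i in range(BITS)]


def verify(pk, message: bytes, sig) -> bool:
    """Accept only if every revealed value hashes to the public-key entry selected by that bit."""
    if len(sig) != BITS:
        return False
    d = H(message).digest()
    return all(H(sig[i]).digest() == pk[i][_bit(d, i)] for i in range(BITS))


def exposed_pairs(m1: bytes, m2: bytes) -> int:
    """Positions where both preimages would be public after signing m1 and m2 with one key.

    At each such position a forger can pick either bit freely, so the key's security
    collapses as soon as two distinct messages are signed. That is the one-time property,
    and the reason stateful (XMSS, LMS) and stateless (SLH-DSA) schemes exist.
    """
    d1, d2 = H(m1).digest(), H(m2).digest()
    return sum(_bit(d1, i) != _bit(d2, i) for i in range(BITS))


def sizes_bytes() -> dict:
    """Key and signature sizes that motivate the Merkle-tree constructions built on Lamport."""
    return {"public_key": BITS * 2 * N, "signature": BITS * N}


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"firmware-v1.2.3"            # constructed sample message
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig))
    print("tampered:", verify(pk, b"firmware-v1.2.4", sig))
    print("pairs exposed by a second signature:", exposed_pairs(msg, b"firmware-v1.2.4"))
    print("sizes:", sizes_bytes())
```

Nothing in this scheme depends on factoring or discrete logarithms, so Shor’s algorithm does not apply; the only quantum speedup is Grover’s, which is why hash-based designs keep 256-bit hashes. The cost is size: a 16 KiB public key and an 8 KiB signature for a single use.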

What Makes PQC Hard in Practice

In real-world environments, the difficulty of post-quantum cryptography is rarely about algorithms alone. The most significant challenges are operational and organizational. 

  • Limited visibility into cryptographic usage 
    Many organizations lack a complete inventory of where cryptography is used, which makes it difficult to assess exposure or plan changes confidently. 
  • Legacy systems and embedded devices 
    Older platforms and embedded systems may not support modern cryptographic updates, limiting upgrade options once they are deployed. 
  • Long-lived certificates and credentials 
    Certificates and credentials often remain valid for extended periods, which can delay cryptographic transitions if not managed proactively. 
  • Full PKI hierarchy dependencies 
    Cryptographic changes frequently require updates across entire certificate chains, not just individual certificates, increasing coordination and risk. 
  • Fixed algorithms 
    A lack of flexibility in older systems where crypto agility, the ability to transition cryptography without disruption, was not part of the design. 
  • Cross-team ownership and coordination challenges 
    Cryptography spans security, infrastructure, and application teams, making coordinated planning and execution more complex. 

Together, these factors explain why post-quantum cryptography is as much an operational challenge as it is a technical one. 

Who Is Responsible for Post-Quantum Readiness?

Post-quantum readiness is not the responsibility of a single team or role. Cryptography spans identity, infrastructure, applications, devices, and compliance, which means responsibility must be shared across the organization.

In practice, several groups play distinct but interdependent roles: 

  • Security and risk leadership are responsible for defining long-term risk tolerance, prioritizing data and systems that require extended protection, and ensuring post-quantum planning is aligned with broader security strategy rather than treated as a standalone initiative. 
  • PKI and identity teams sit at the center of post-quantum readiness because certificates, trust chains, and authentication mechanisms are directly affected by cryptographic change. These teams are often responsible for managing certificate authorities, enforcing cryptographic policy, and coordinating changes across certificate lifecycles. 
  • Infrastructure and platform owners ensure that operating systems, cloud platforms, network components, and devices can support updated cryptographic libraries and configurations. Their involvement is critical to validating compatibility, performance, and operational stability during transitions. 
  • Application and engineering teams embed cryptography into software and services. Post-quantum readiness often requires updating dependencies, libraries, and protocols, which makes application teams essential participants rather than downstream consumers of cryptographic decisions. 

Because cryptography touches so many layers of the technology stack, post-quantum readiness cannot be delegated to a single function. Organizations that succeed treat it as a coordinated, cross-functional effort, with clear ownership, shared accountability, and executive visibility to keep long-term preparation from being displaced by short-term priorities. 

How to Prepare for Post-Quantum Cryptography

Preparing for post-quantum cryptography does not mean rushing to deploy new algorithms. Instead, it means building the foundational capabilities required to manage cryptographic change safely and deliberately as standards mature and guidance evolves. 

A practical preparation approach typically includes the following steps: 

1. Inventory cryptographic assets 
Preparation begins with visibility. Organizations must understand where cryptography is used across applications, infrastructure, devices, and services, including which algorithms, certificates, keys, and protocols are in place. This inventory provides the baseline needed to assess exposure and plan future changes. 

2. Set priorities based on risk and longevity 
Not all data and systems face the same level of quantum risk. Organizations should prioritize assets based on factors such as data sensitivity, required confidentiality lifespan, system longevity, and difficulty of replacement. Prioritization ensures effort is focused where delayed action would have the greatest impact. 

3. Plan migration strategies 
With priorities defined, organizations can evaluate transition strategies that fit their environment. This may include phased adoption of post-quantum algorithms, coexistence with classical cryptography during transition periods, or selective use of hybrid approaches where appropriate. The goal is not to select a single “right” path, but to understand available options and tradeoffs. 

4. Prepare certificate and PKI infrastructure 
Because PKI underpins identity and trust, it must be capable of supporting post-quantum algorithms as they become available. This includes ensuring certificate authorities, validation paths, and trust stores can evolve without disrupting dependent systems. PKI readiness is often a gating factor for broader post-quantum adoption. 

5. Design for crypto agility 
Crypto agility—the ability to change cryptographic algorithms without redesigning systems—is a critical long-term capability. History shows that cryptographic assumptions evolve over time, and post-quantum cryptography will not be the last transition. Designing for adaptability reduces future risk and operational disruption. 

Taken together, these steps allow organizations to move from awareness to readiness. Preparation preserves flexibility, reduces the likelihood of rushed decisions, and ensures that when post-quantum standards are ready for deployment, organizations are positioned to adopt them on their own terms. 
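The following Python is an added, self-contained illustration (not Keyfactor’s code) of steps 1 to 3 together with Mosca’s rule from earlier on this page: a constructed cryptographic inventory is classified as quantum-vulnerable or not, each entry is scored against Mosca’s inequality (data shelf life x plus migration time y exceeding the time to a CRQC z), and the result is ranked so that harvest-now-decrypt-later exposures come first. The asset names, lifetimes, migration estimates, and the 10-year CRQC planning assumption are all invented for the example; a real inventory would come from discovery tooling.

```python
from dataclasses import dataclass

# Planning assumption for z in Mosca's inequality. Invented for this example: it is a
# risk-management input the organization chooses, not a prediction of when a CRQC exists.
YEARS_TO_CRQC = 10.0

SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EdDSA"}   # factoring / discrete log
PQC_STANDARD = {"ML-KEM", "ML-DSA", "SLH-DSA"}                      # FIPS 203 / 204 / 205
SYMMETRIC_OK = {"AES-256", "SHA-256", "SHA-384", "SHA3-256"}         # Grover only; sizes adequate


@dataclass
class Asset:
    name: str
    algorithm: str
    purpose: str                 # "key-establishment", "signature" or "symmetric"
    shelf_life_years: float      # x: how long the protected data or trust relationship must hold
    migration_years: float       # y: realistic time to replace this asset in this environment
    hard_to_update: bool = False # long-lived hardware in hard-to-reach locations


def classify(asset: Asset) -> str:
    """Is the asset's algorithm broken by Shor, already quantum-safe, or in need of review?"""
    if asset.algorithm in PQC_STANDARD:
        return "quantum-safe"
    if asset.algorithm in SYMMETRIC_OK and asset.purpose == "symmetric":
        return "quantum-safe"
    if asset.algorithm in SHOR_VULNERABLE:
        return "quantum-vulnerable"
    return "review"   # unrecognised algorithm (e.g. AES-128) or unexpected use: inspect manually


def mosca_margin(asset: Asset, years_to_crqc: float = YEARS_TO_CRQC) -> float:
    """z - (x + y). A negative margin means x + y > z: the asset is already exposed."""
    return years_to_crqc - (asset.shelf_life_years + asset.migration_years)


def tier(asset: Asset, years_to_crqc: float = YEARS_TO_CRQC) -> int:
    """0 = no PQC action needed; 1 is most urgent, 3 least."""
    if classify(asset) != "quantum-vulnerable":
        return 0
    exposed = mosca_margin(asset, years_to_crqc) < 0
    if exposed and asset.purpose == "key-establishment":
        return 1   # harvest now, decrypt later: confidentiality is at risk today
    if exposed or asset.hard_to_update:
        return 2   # signatures or devices that cannot be swapped once a CRQC exists
    return 3       # vulnerable, but with schedule margin: plan and track


def prioritize(inventory, years_to_crqc: float = YEARS_TO_CRQC):
    """Return (name, tier, margin) for every asset needing action, most urgent first."""
    todo = [a for a in inventory if tier(a, years_to_crqc) > 0]
    todo.sort(key=lambda a: (tier(a, years_to_crqc), mosca_margin(a, years_to_crqc)))
    return [(a.name, tier(a, years_to_crqc), mosca_margin(a, years_to_crqc)) for a in todo]


# Constructed inventory; every name and number below is invented for illustration.
INVENTORY = [
    Asset("patient-portal TLS (ECDH P-256)", "ECDH", "key-establishment", 25, 2),
    Asset("code-signing root CA (RSA-4096)", "RSA", "signature", 15, 5),
    Asset("satellite firmware signing (ECDSA P-384)", "ECDSA", "signature", 12, 6, True),
    Asset("site-to-site VPN (RSA key transport)", "RSA", "key-establishment", 5, 3),
    Asset("internal wiki TLS (ECDSA P-256)", "ECDSA", "signature", 1, 1),
    Asset("backup encryption (AES-256)", "AES-256", "symmetric", 25, 1),
    Asset("mTLS pilot (ML-KEM)", "ML-KEM", "key-establishment", 10, 1),
]

if __name__ == "__main__":
    for name, t, margin in prioritize(INVENTORY):
        print(f"tier {t}  margin {margin:+.1f} years  {name}")
```

Two points from the ranking are worth noting. The patient portal lands in tier 1 even though its certificate is short-lived, because the data it protects has a 25-year shelf life and recorded handshakes can be decrypted later; the wiki uses the same curve family but lands last, because nothing it signs needs to be trusted for long. Anything the classifier cannot place (AES-128, an unknown library, a key used for an unexpected purpose) is returned as "review" rather than silently marked safe.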

How Keyfactor Supports Post-Quantum Readiness

Post-quantum readiness is not just about selecting new cryptographic algorithms. In practice, it is about managing cryptographic change at scale—across certificates, keys, applications, devices, and infrastructure—over a multi-year transition. 

Keyfactor helps organizations plan their migration to PQC and supports their post-quantum readiness by addressing the foundational challenges that make cryptographic change difficult in the first place. 

  • Comprehensive cryptographic visibility 
    Organizations cannot plan for post-quantum migration without first understanding where cryptography exists. Keyfactor’s automated discovery inventories cryptographic assets such as certificates, keys, and algorithms, and their relationships, across applications, devices, cloud environments, and infrastructure. This visibility forms the baseline for risk assessment and prioritization. 
  • Centralized certificate and key lifecycle management 
    Post-quantum transitions often require coordinated changes across entire PKI hierarchies, not isolated certificate updates. By centralizing certificate and key lifecycle management, Keyfactor helps reduce fragmentation and supports controlled, repeatable changes as post-quantum standards mature. 
  • Policy-driven cryptographic change 
    As cryptographic guidance evolves, organizations need the ability to update algorithms and configurations consistently, without redesigning systems each time. Keyfactor enables policy-driven, crypto-agile approaches to cryptographic management, allowing teams to adapt to new standards while maintaining governance and control. 
  • Support for phased and mixed environments 
    Because post-quantum cryptography is a transition rather than a single cutover, organizations must operate environments where classical and post-quantum cryptography coexist. Keyfactor supports phased transitions and mixed environments, helping organizations manage complexity while maintaining operational stability. 

Rather than treating post-quantum cryptography as a one-time upgrade, Keyfactor helps organizations build the long-term cryptographic management capabilities required to adapt to quantum risk and future cryptographic change.

FAQs

When will quantum computers break encryption?

There is no precise or reliable timeline for when quantum computers will be capable of breaking today’s widely used public-key encryption. While progress in quantum computing continues, cryptographically relevant quantum computers (CRQCs) do not yet exist, and estimates range from years to decades. The challenge is that cryptographic systems protect data over long time horizons, so organizations cannot wait for certainty before preparing.

How long does a post-quantum cryptography migration take?

A full post-quantum cryptography migration typically takes multiple years, not months. This includes discovering where cryptography is used, prioritizing systems and data, updating PKI and certificate chains, testing interoperability, and deploying changes safely across environments. In large or regulated organizations, migration timelines are often constrained by system lifecycles and certification requirements.

Which industries are most at risk from quantum computing?

Industries that handle long-lived sensitive data or operate long-lived infrastructure face the highest risk. This includes sectors such as healthcare, financial services, government, critical infrastructure, automotive, aerospace, and industrial systems. In these environments, data confidentiality and system trust must be maintained for many years, making early preparation essential.

Can post-quantum cryptography work with existing PKI?

Yes, post-quantum cryptography can work with existing PKI, but it typically requires PKI evolution rather than simple replacement. Certificate authorities, trust anchors, validation logic, and entire certificate chains must support post-quantum algorithms. Because PKI underpins identity and trust, readiness at the PKI layer is often a gating factor for broader post-quantum adoption.