Quantum computers capable of breaking RSA and ECDSA are expected within a decade. NIST finalised three post-quantum cryptographic standards in August 2024. This article explains the threat, the standards, and how cloud environments should begin the migration.
Sign in to mark this article as read and track your progress.
Public key cryptography — the foundation of TLS, SSH, code signing, and every PKI system — relies on mathematical problems that classical computers cannot solve in any reasonable time. RSA and ECDSA depend on the difficulty of integer factorisation and elliptic curve discrete logarithm respectively.
In 1994, mathematician Peter Shor demonstrated that a sufficiently powerful quantum computer could solve both problems in polynomial time — rendering RSA-2048, RSA-4096, and all elliptic curve key sizes effectively zero-security.
The question is not whether cryptographically relevant quantum computers (CRQCs) will exist, but when. Current estimates from the US National Security Agency (NSA), the BSI (German Federal Office for Information Security), and NCSC-UK converge on 2030–2040 as the likely range. For long-lived infrastructure — root CA certificates, HSMs, encrypted archive data — migration must begin now.
Even before CRQCs exist, adversaries can conduct harvest-now-decrypt-later (HNDL) attacks:
For data that must remain confidential for 10+ years — government secrets, financial records, personally identifiable data under DPDP Act retention periods — HNDL is a current, active threat. Migration to quantum-safe encryption for data in transit should begin immediately for high-sensitivity data.
In August 2024, NIST finalised three post-quantum cryptographic standards:
| Standard | FIPS Number | Algorithm | Type | Use Case |
|---|---|---|---|---|
| ML-KEM | FIPS 203 | Module-Lattice Key Encapsulation Mechanism (Kyber) | Key Encapsulation | TLS key exchange, encrypted email |
| ML-DSA | FIPS 204 | Module-Lattice Digital Signature Algorithm (Dilithium) | Digital Signature | Code signing, certificate signing |
| SLH-DSA | FIPS 205 | Stateless Hash-Based Digital Signature Algorithm (SPHINCS+) | Digital Signature | High-assurance code signing (slower but conservative) |
A fourth standard (FN-DSA / FALCON) is in final review. All four algorithms are based on mathematical problems believed to be hard for both classical and quantum computers.
ML-KEM and ML-DSA are built on the Learning With Errors (LWE) and Module Learning With Errors (MLWE) problems — computational problems involving noisy linear equations over lattices. Despite decades of cryptanalytic effort, no polynomial-time algorithm (quantum or classical) is known for these problems.
Organisations should not switch directly from classical to post-quantum algorithms. The recommended approach is hybrid mode: use both classical and post-quantum algorithms simultaneously, combining their outputs. Security is maintained even if one of the two is broken.
In TLS 1.3, hybrid key exchange is already standardised: the client and server perform both X25519 (classical ECDH) and ML-KEM-768 simultaneously. The session key is derived by XOR-ing both outputs. If ML-KEM is broken in the future, X25519 still protects the session. If X25519 is broken by a quantum computer, ML-KEM still protects it.
AWS, Google Cloud, and Azure have announced timelines to support hybrid post-quantum TLS in their managed services. AWS KMS began accepting ML-KEM key material in experimental mode in 2024.
| Layer | Current State | Migration Step | Timeline |
|---|---|---|---|
| TLS handshakes | ECDHE + AES-256-GCM | Enable hybrid X25519+ML-KEM in load balancers | Begin now |
| Certificate PKI | RSA-2048 or ECDSA P-256 | Move to ML-DSA for root/intermediate CAs | When support available in ACM, Azure Key Vault |
| Code signing | RSA-2048 or ECDSA | Adopt SLH-DSA for infrastructure signing | Medium-term |
| Data-at-rest encryption | AES-256-GCM | AES-256 is already quantum-resistant (Grover's algorithm reduces to 128-bit, still secure) | No immediate change needed |
| SSH host keys | Ed25519 / RSA | Add ML-DSA host keys when supported | Follow OS vendor timeline |
| VPN / IPSec | ECDHE | Hybrid mode in IKEv2 | When supported by vendor |
Key insight: Symmetric encryption (AES-256) is relatively quantum-safe — Grover's algorithm halves the effective key length, reducing AES-256 to AES-128-equivalent against a quantum adversary. It is public key cryptography (RSA, ECDSA, ECDH) that requires urgent migration.
India's National Cyber Security Policy 2013 is being updated. CERT-In and NCIIPC have both issued guidance acknowledging the quantum threat. For organisations handling data under the DPDP Act 2023 with retention periods extending beyond 2030, HNDL risk assessment should be part of the data protection impact assessment (DPIA).
MeitY's Quantum Computing National Mission (2023, ₹6,003 crore budget) includes a cryptography workstream, indicating that government procurement and standards will include post-quantum requirements within the policy horizon.