The cryptographic algorithms protecting our digital world, RSA and elliptic curve cryptography, are based on mathematical problems that are practically unsolvable for classical computers. Quantum computers change that equation. Using Shor's algorithm, a sufficiently powerful quantum computer can break these algorithms in polynomial time. The question is not whether this will happen, but when.
In August 2024, NIST published the first three post-quantum cryptographic standards: ML-KEM (FIPS 203) for key encapsulation, ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) for digital signatures. The transition to quantum-resistant cryptography has formally begun.
Why act now?
There are two reasons organizations should begin preparing now, even though large-scale quantum computers are not yet operational. The first is harvest now, decrypt later. Attackers can intercept and store encrypted traffic today, to decrypt it later when quantum computers become available. Data encrypted today with RSA or ECDH that must remain confidential for ten years is potentially already vulnerable.
The second reason is transition lead time. Replacing cryptographic algorithms across an organization is a multi-year effort. Certificates, VPN connections, TLS configurations, code signing, database encryption, and numerous other components must be updated. Organizations that begin when quantum computers actually arrive will be too late.
The three NIST standards
ML-KEM (formerly CRYSTALS-Kyber) is a key encapsulation mechanism whose security rests on module lattice problems. It is used for secure key exchange, similar to how RSA or Diffie-Hellman are currently used in TLS handshakes. ML-KEM is fast, has relatively small keys, and is the primary choice for key exchange.
ML-DSA (formerly CRYSTALS-Dilithium) is a digital signature standard, also lattice-based. It is used for authentication and integrity verification, similar to RSA or ECDSA signatures. ML-DSA is the primary choice for most signature applications.
SLH-DSA (formerly SPHINCS+) is a hash-based signature standard. It provides an alternative to ML-DSA based on a fundamentally different mathematical problem. Its signatures are larger and slower to produce than ML-DSA's, but the algorithm provides a safety net in case unexpected vulnerabilities in lattice-based cryptography are discovered.
Preparation steps
The first step is a cryptographic inventory. Map which cryptographic algorithms you use, where in your infrastructure they are applied, and what data they protect. This includes not only your own systems but also those of your suppliers.
The second step is a risk assessment. Not all cryptographic applications have the same urgency. Data that must remain confidential for long periods (medical records, trade secrets, intellectual property) takes priority over data with a short lifespan. Systems that are difficult to update (embedded systems, IoT) need more lead time than cloud services.
The third step is developing a migration strategy. This includes selecting post-quantum algorithms, planning implementation per system, testing compatibility and performance, and training staff.
The fourth step is beginning with hybrid implementations. A hybrid approach uses both the classical and post-quantum algorithm side by side. This provides protection against both classical and quantum attacks and enables a gradual migration. Major browsers and operating systems already support hybrid key exchange with ML-KEM.
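The hybrid key exchange described in the fourth step, as an added example that is not code from the original article: client and server each derive one session key from an X25519 shared secret and an ML-KEM-768 shared secret, bound to the public values exchanged, so the key stays secret unless both components are broken. It assumes Go 1.24 or later (for the standard-library crypto/mlkem package); the HMAC label, the `must` helper and the single-HMAC combiner are constructed for the example and stand in for a real protocol's key schedule such as TLS 1.3's.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must keeps the protocol flow readable; production code returns the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// combine derives one session key from both secrets and the wire transcript; it stays secret unless BOTH X25519 and ML-KEM-768 are broken.
func combine(ssMLKEM, ssX25519, transcript []byte) []byte {
	mac := hmac.New(sha256.New, []byte("example-hybrid-x25519-mlkem768")) // constructed label
	mac.Write(ssMLKEM)
	mac.Write(ssX25519)
	mac.Write(transcript)
	return mac.Sum(nil)
}

// HybridExchange runs one client/server hybrid exchange and returns each side's derived key.
func HybridExchange() (clientKey, serverKey []byte) {
	// Client: fresh ML-KEM-768 and X25519 key pairs; the public parts go on the wire.
	dk := must(mlkem.GenerateKey768())
	cx := must(ecdh.X25519().GenerateKey(rand.Reader))
	// Server: parse the received ML-KEM public key, encapsulate, and run its own X25519.
	ek := must(mlkem.NewEncapsulationKey768(dk.EncapsulationKey().Bytes()))
	ssKemServer, ct := ek.Encapsulate()
	sx := must(ecdh.X25519().GenerateKey(rand.Reader))
	ssEcdhServer := must(sx.ECDH(cx.PublicKey()))
	transcript := bytes.Join([][]byte{ek.Bytes(), cx.PublicKey().Bytes(), ct, sx.PublicKey().Bytes()}, nil)
	serverKey = combine(ssKemServer, ssEcdhServer, transcript)
	// Client: decapsulate the ciphertext and finish X25519 with the server's public key.
	clientKey = combine(must(dk.Decapsulate(ct)), must(cx.ECDH(sx.PublicKey())), transcript)
	return clientKey, serverKey
}

func main() {
	c, s := HybridExchange()
	fmt.Println("hybrid keys match:", bytes.Equal(c, s), "| key bytes:", len(c), "| ML-KEM ciphertext bytes:", mlkem.CiphertextSize768)
}
```

Note that the ML-KEM public key and ciphertext (1184 and 1088 bytes) are far larger than the 32-byte X25519 values, which is the size cost the inventory and performance testing from the earlier steps must account for.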
Relevance for audits and compliance
ISO 27001:2022 control A.8.24 (use of cryptography) requires organizations to keep their cryptography policy current. The transition to post-quantum cryptography is a concrete example of how that policy must evolve with emerging threats. During audits, we assess whether organizations are aware of the quantum threat and whether they are taking steps to ensure their cryptographic resilience.
Secure Audit helps organizations perform cryptographic inventories and develop post-quantum migration strategies. Contact us for a quantum readiness assessment.
About the author
Partner | IT Auditor