// cryptography·EDIT · DATE·8 min read

Post-quantum crypto in plain language

A useful quantum computer does not break "encryption." It breaks one specific, load-bearing assumption. Here is which one, and what to do before it falls.

Post-QuantumLatticesML-KEMMigration
// 02

Most discussion of quantum computing and security collapses into one of two unhelpful claims: either quantum computers will break everything tomorrow, or they are decades away so relax. Both are wrong in the same way. They treat cryptography as a single thing. It is not, and understanding the seam is the whole point.

01What actually breaks

Today's public-key cryptography, the part that lets two strangers agree on a secret over an open channel, rests on a small number of math problems we believe are hard. RSA depends on factoring large numbers. Elliptic-curve cryptography depends on a discrete-logarithm problem. Classical computers cannot solve either at the sizes we use.

A sufficiently large quantum computer can, using Shor's algorithm, which factors and computes discrete logs efficiently. That is the entire threat to public-key crypto: not raw speed, but one algorithm that dissolves the specific structure RSA and ECC are built on.

Symmetric cryptography, like AES, and hash functions are far less affected. The best quantum attack there is Grover's algorithm, which roughly halves the effective key strength. The fix is mundane: use bigger keys. AES-256 stays comfortable.

Quantum does not break encryption. It breaks key exchange and signatures, which is more than enough to matter.

02Why the clock already started

The standard reassurance is that no one has a cryptographically relevant quantum computer yet. True, but it misses the threat model. An adversary does not need the machine today to attack data today. They can harvest now and decrypt later: record encrypted traffic now, store it, and decrypt it the day the hardware arrives.

So the real question for anything with a long confidentiality lifetime, medical records, state secrets, intellectual property, is not "when will quantum computers exist" but "how long does this data need to stay secret." If that number plus the time to migrate exceeds the time until capable hardware, you are already exposed.

03The replacement: hard problems quantum cannot shortcut

Post-quantum cryptography swaps the broken assumptions for problems with no known efficient quantum attack. The most successful family is built on lattices, and specifically on Learning With Errors, which asks you to recover a secret from many noisy linear equations. Add enough noise and the problem is believed hard for classical and quantum computers alike.

Lattice schemes have a practical virtue too: they are fast, because their core operation is polynomial multiplication, which the Number Theoretic Transform turns into something close to a fast Fourier transform. That efficiency is a large part of why lattices won. It is also where my own work lives, since fast does not mean correct, and protecting these computations against faults is its own problem.

04What to actually do

This is no longer research-only. In 2024 NIST published the first finished standards, and they are what you should be planning around:

  • ML-KEM (FIPS 203, formerly Kyber) for key encapsulation, the replacement for classical key exchange.
  • ML-DSA (FIPS 204, formerly Dilithium) and SLH-DSA (FIPS 205, hash-based) for digital signatures.

Concrete steps that hold up:

  • Inventory your cryptography. You cannot migrate what you cannot find. Know where key exchange and signatures live across your systems.
  • Go hybrid first. Run a classical and a post-quantum algorithm together, so you stay secure if either is later weakened. This is already standard in modern TLS deployments.
  • Prioritize by data lifetime. Long-lived secrets and anything subject to harvest-now-decrypt-later move first.
  • Build for agility. Treat the algorithm as a swappable component, because it will be swapped again.
// bottom line

You do not need to fear a machine that does not exist yet. You need to migrate the small set of primitives it would break, starting with the data whose secrecy outlives the migration. The standards are here. The remaining work is engineering.

Ali Mohammadi Ruzbahani · Post-Quantum Cryptography · Calgary