
What’s the Buzz With Post-Quantum Cryptography and Should You Care?
Jan Alsenz | 17.11.2025 (updated on: 17.11.2025)

Over the course of 2025, virtually everyone (in IT) started talking about Post-Quantum Cryptography (PQC) and the Q-Day. In this article, we cut through the headlines, explain what it is all about, and give recommendations on how to deal with it.

The Rise of Post-Quantum Fears

In 2025, if the talk was not about AI, it was about Post-Quantum Cryptography or the so-called Q-Day. Quantum computers allow for fundamentally different operations that are not possible with our normal (classical) processors. Although algorithms that can break essentially all asymmetric cryptography in use today have already been devised for such machines, nobody can yet build quantum computers that are large and stable enough to run these algorithms against real-world key sizes. Current quantum computing breakthroughs are still several orders of magnitude below anything that would be useful for breaking real-world cryptography, but as research and engineering continue, they will only get better. The day when quantum computers that can break real-world cryptography become feasible or available is commonly referred to as the “Q-Day”. However, no one knows when that day will come – whether in 1 year (very unlikely), 5 years, 10 years, or even later. Nevertheless, it is widely accepted and expected that it will eventually come.

Introduction: Post-Quantum Cryptography

Post-Quantum Cryptography refers to cryptographic algorithms that have been specifically designed to be hard to break with both quantum and classical computers. After an 8-year international research, cryptanalysis, and standardization process, the first three government-approved PQC standards were released in August 2024 by the US NIST – FIPS 203 to 205[1]. This marked the start of a widespread jump in adoption, especially with so-called hybrid protocols that combine trusted and proven classical algorithms, such as elliptic curves, with one of the new PQC algorithms to achieve maximum security and trust.

Post-Quantum Cryptography Adoption in Practice

Since the release of the PQC standards, many libraries, tools, and products have announced support (or plans for support) for PQC (mostly the ML-KEM key exchange algorithm – FIPS 203) to protect communications. These include Windows, OpenSSL, Java, AWS-LC, Red Hat, Thales, and many more. Some of them had even provided experimental support for PQC for years.[2]

Actually, there is a good chance that you have already used PQC without noticing it – software such as Chrome, Firefox, Edge, OpenSSH, Signal, or iMessage uses hybrid PQC protocols and algorithms whenever possible. If you have accessed some niche sites 😉 such as Google, YouTube, or anything hosted by Cloudflare or Akamai using a recent browser, you will have used a quantum-secure key exchange (look for something like “X25519MLKEM768” in the connection details).[2]

This trend will increase, and more and more solutions will use or at least support PQC out-of-the-box.

How Governments Are Preparing for Post-Quantum Security

Similarly, governments around the world have been putting out plans for post-quantum security for years (US NSM-10, EU Roadmap, BSI TR-02102-1, Swiss NCSC, New Zealand Information Security Manual, etc.), which have now become much more tangible and reachable with the new algorithms, so they are gaining much more attention.[3]

Most of these policies share some major commonalities, such as a preference for hybrid approaches and a rough timeline. The timelines more or less unanimously state that preparations should start immediately, that critical infrastructure or high-security applications should be migrated to post-quantum security by 2030, and that general migration should be completed by 2035.

Harvest Now, Decrypt Later

One of the main concerns is “Harvest Now, Decrypt Later” (HNDL) – a concept known to be employed by nation-state actors. While a lot of data will quickly age and actors other than nation states are unlikely to collect large amounts of data, there are cases where private, corporate, or government data can be valuable over a long period of time – you may have nothing to hide now, but those medical records or text messages to a lover might become very relevant in 10 to 20 years if you become president of a country or head of a company!

What Companies Should Do Now

Aligning with governmental recommendations or requirements is crucial for companies and organizations, and they should start preparing for post-quantum security immediately (if not already underway). The following checklist outlines the key steps to get started:

  • Inventory of used cryptographic algorithms and protocols (what, where, how)
  • Inventory/analysis of information and flows that could be a target for HNDL (“Harvest Now, Decrypt Later”)
  • Risk assessment on inventories
  • Awareness (management and technical)
  • Monitoring of regulatory compliance requirements and industry standards
  • Requirements/requests for PQC to suppliers
  • Planning (strategic and quick wins)

As many of these points can result in extensive projects depending on the size of your organization, and since there are a number of different aspects to be considered, it is recommended to use a risk-based approach to guide your efforts from the get-go. The immediate focus should be to identify any HNDL-relevant data that is transmitted over public networks (wired or wireless). Key exchanges for session or data encryption using elliptic curve algorithms are most vulnerable to attacks related to quantum computing[4]. In general, any communication over public networks (remote work, email, web, cloud, etc.) should be considered first. With the increasing availability of PQC support, this should also be reasonably easy to implement.
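One practical way to start the key-exchange part of the inventory described above is to record, per endpoint, which TLS 1.3 group a server actually negotiates and whether it is a hybrid ML-KEM group like the “X25519MLKEM768” mentioned earlier. The following is an added example (not Oneconsult’s code) that assumes OpenSSL 3.5 or later (ML-KEM support) and that `openssl s_client` prints a “Negotiated TLS1.3 group:” line; the group-name list and the sample outputs are constructed for the example.

```python
import re
import subprocess
from typing import Optional

# TLS 1.3 group names for ML-KEM hybrids and pure ML-KEM as OpenSSL 3.5 reports them
# (constructed list for this example; X25519MLKEM768 is the one named in the article).
PQC_GROUPS = {
    "X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024",
    "MLKEM512", "MLKEM768", "MLKEM1024",
}
GROUP_RE = re.compile(r"Negotiated TLS1\.3 group:\s*(\S+)")

def negotiated_group(s_client_output: str) -> Optional[str]:
    """Extract the key-exchange group from `openssl s_client` output, or None
    if the handshake failed or no TLS 1.3 group line was printed (e.g. TLS 1.2)."""
    m = GROUP_RE.search(s_client_output)
    return m.group(1) if m else None

def classify(group: Optional[str]) -> str:
    """Map a negotiated group onto the article's risk buckets: hybrid/ML-KEM is
    quantum-safe; any other (ECDH/FFDH) group is the HNDL-relevant case."""
    if group is None:
        return "unknown"      # no TLS 1.3 group line: inspect the endpoint manually
    if group in PQC_GROUPS:
        return "pqc"          # quantum-safe key exchange
    return "classical"        # e.g. X25519, secp256r1: vulnerable to Shor's algorithm

def probe(host: str, port: int = 443, groups: Optional[str] = None,
          timeout: int = 10) -> str:
    """Run `openssl s_client` against host:port and classify the negotiated group.
    Passing groups="X25519MLKEM768" offers only that group, which tests whether
    the server supports PQC at all rather than what it prefers by default."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]
    if groups:
        cmd += ["-groups", groups]
    # input="" closes stdin so s_client exits right after the handshake.
    proc = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=timeout)
    return classify(negotiated_group(proc.stdout))

# Constructed samples of the relevant part of `openssl s_client` output, for offline use.
SAMPLE_PQC = "Verification: OK\nNegotiated TLS1.3 group: X25519MLKEM768\n---\n"
SAMPLE_CLASSICAL = "Verification: OK\nNegotiated TLS1.3 group: X25519\n---\n"

if __name__ == "__main__":
    import sys
    for h in sys.argv[1:]:
        print(h, probe(h))
```

Endpoints that come back as “classical” and carry HNDL-relevant data over public networks are the ones to put at the top of the migration plan.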

What Else is Post-Quantum Safe (For Now)?

Where possible, symmetric cryptography with 128-bit security, especially AES-128, which will also be weakened by quantum computers, should be replaced with 256-bit variants whenever an algorithm upgrade is implemented anyway. However, this should not be considered an immediate priority, as practical attacks are expected to require significantly larger quantum computers than those required for RSA-4096[5].

Similarly, authentication mechanisms such as certificates are not an immediate concern either, as breaking them would only allow impersonating systems or forging signatures with (hopefully) long-expired certificates. Thus, the only issue to address would be cutting down certificate validity times, but this should already be on your list of good practices anyway.

If you have further questions or are looking for help to get started or execute any projects regarding PQC, feel free to get in touch.

[1] US NIST releases: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA)

[2] See Appendix for references

[3] See Appendix for references

[4] Nature Scientific Reports: Resource analysis and modifications of quantum computing with noisy qubits for elliptic curve discrete logarithms

[5] UK NCSC report: On the practical cost of Grover for AES key recovery

Post-Quantum Encryption Product Announcements

Incomplete, alphabetical list of PQC announcements:

Post-Quantum Encryption Policies and Guidelines

Selected government policies and guidelines:

Country – References

  • USA – National Security Memorandum (NSM-10); NIST IR 8547 (Draft)
  • European Union – Coordinated Implementation Roadmap
  • Germany – BSI: Quantum Technologies and Quantum-Safe Cryptography; BSI TR-02102-1
  • Switzerland – NCSC: Assessment; Swiss FIND: Action Plan to a Quantum-Safe Financial Future
  • New Zealand – GCSB: New Zealand Information Security Manual
  • United Kingdom – NCSC: Timelines for migration to post-quantum cryptography; NCSC: Next steps in preparing for post-quantum cryptography
  • Australia – ACSC: Planning for post-quantum cryptography; ACSC: Information security manual

Author

Jan Alsenz is the Head of Innovation and a Principal Penetration Tester at Oneconsult AG. He holds a Master’s degree in Computer Science and has earned several respected certifications over the course of his career, including OSSTMM Trainer, OPSA, and OPST.
