
Post-Quantum Cryptography: Is Your Organization Ready for the Encryption Transition?

Current encryption standards (RSA, ECC, Diffie-Hellman) will be broken by quantum computers. NIST finalized three post-quantum standards in 2024, and the transition is expected to take 10-15 years — making PQC readiness an urgent concern today due to Harvest Now, Decrypt Later attacks.

Zack Jones · PQC, post-quantum cryptography, encryption

Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to resist attacks from quantum computers. The encryption standards that protect virtually all digital communication today — RSA, ECC, Diffie-Hellman — will be broken by sufficiently powerful quantum computers. The transition to quantum-resistant encryption is not a future problem. It is happening now.

In short: a PQC encryption review evaluates your organization’s cryptographic exposure and readiness for the transition to quantum-resistant algorithms.

Why Does PQC Matter Today?

Quantum computers capable of breaking current encryption do not exist yet. But two factors make this an urgent concern today:

Harvest Now, Decrypt Later (HNDL)

Adversaries — including nation-states — are collecting encrypted data today with the intention of decrypting it once quantum computers become available. If your data has long-term sensitivity (financial records, health data, intellectual property, government communications), it is already at risk.

The Transition Takes Years

Migrating cryptographic systems is one of the most complex infrastructure changes an organization can undertake. NIST estimates the transition will take 10-15 years for most organizations. With NIST’s post-quantum standards finalized in 2024, the clock is running.

What Are the New Standards?

In August 2024, NIST published three post-quantum cryptographic standards:

| Standard | Algorithm | Purpose |
|----------|-----------|---------|
| FIPS 203 | ML-KEM (CRYSTALS-Kyber) | Key encapsulation (replacing RSA/ECDH for key exchange) |
| FIPS 204 | ML-DSA (CRYSTALS-Dilithium) | Digital signatures (replacing RSA/ECDSA for signing) |
| FIPS 205 | SLH-DSA (SPHINCS+) | Stateless hash-based digital signatures (alternative to ML-DSA) |

A fourth standard, FN-DSA (FALCON), is expected to be finalized in 2025 for applications requiring smaller signature sizes.

These standards are the foundation for the global transition to quantum-resistant cryptography.

What Is a PQC Encryption Review?

A PQC encryption review evaluates your organization’s current cryptographic posture and readiness for the PQC transition:

1. Cryptographic Inventory

Identify where cryptography is used across your environment:

  • TLS/SSL certificates and configurations
  • VPN and remote access encryption
  • Data-at-rest encryption (databases, file systems, cloud storage)
  • Code signing and software integrity
  • Email encryption (S/MIME, PGP)
  • API authentication and token signing
  • Hardware security modules (HSMs)

2. Risk Assessment

Evaluate which cryptographic systems are most exposed:

  • Data sensitivity — How long does the data need to remain confidential?
  • Algorithm vulnerability — Which algorithms in use are quantum-vulnerable?
  • Migration complexity — How difficult will it be to upgrade each system?
  • Vendor dependency — Which systems depend on vendor-driven cryptographic updates?

3. Readiness Evaluation

Assess your organizational readiness:

  • Awareness of PQC requirements among IT and security leadership
  • Vendor roadmaps for PQC support in critical systems
  • Existing cryptographic agility (ability to swap algorithms without major rearchitecture)
  • Budget and resource planning for the transition

4. Transition Roadmap

Deliver a prioritized migration plan:

  • Systems requiring immediate attention (HNDL-exposed data)
  • Systems that can transition as part of normal refresh cycles
  • Vendor engagement recommendations
  • Timeline aligned with NIST and regulatory expectations
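
The four review steps above, sketched as a small triage script. This is an added example, not Genesis IT Solutions' methodology or tooling: the `Asset` fields, bucket names, sample inventory and the 10-year planning horizon are all assumptions. For key exchange it compares data shelf life plus migration time against the years until a capable quantum computer (the comparison known as Mosca's inequality); for signatures only migration time counts, because recorded signatures cannot be decrypted later.

```python
from dataclasses import dataclass

# Quantum-vulnerable families named on the page; replacements from its table.
VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA"}
REPLACEMENT = {
    "key_exchange": "ML-KEM (FIPS 203)",
    "signature": "ML-DSA (FIPS 204) or SLH-DSA (FIPS 205)",
}

@dataclass
class Asset:              # hypothetical inventory row, not a standard schema
    name: str
    algorithm: str        # e.g. "RSA", "ECDH", "ML-KEM", "AES-256"
    purpose: str          # "key_exchange", "signature" or "symmetric"
    secrecy_years: int    # how long the protected data must stay confidential
    migration_years: int  # estimated time to replace the algorithm
    vendor_managed: bool  # upgrade depends on a vendor release

def triage(asset, years_to_quantum):
    """Return (bucket, replacement) for one inventory row."""
    if asset.algorithm.upper() not in VULNERABLE:
        return "no_action", None
    target = REPLACEMENT.get(asset.purpose, "manual review")
    # Recorded key exchanges can be decrypted later (HNDL), so the data's
    # secrecy lifetime counts; a signature only has to be replaced in time.
    shelf_life = asset.secrecy_years if asset.purpose == "key_exchange" else 0
    if shelf_life + asset.migration_years > years_to_quantum:
        return "immediate", target
    if asset.vendor_managed:
        return "vendor_engagement", target
    return "refresh_cycle", target

def build_roadmap(inventory, years_to_quantum):
    """Group (asset name, replacement) pairs by roadmap bucket."""
    roadmap = {}
    for asset in inventory:
        bucket, target = triage(asset, years_to_quantum)
        roadmap.setdefault(bucket, []).append((asset.name, target))
    return roadmap

# Constructed sample inventory; every value is illustrative.
INVENTORY = [
    Asset("customer portal TLS", "ECDH", "key_exchange", 10, 2, False),
    Asset("firmware code signing", "RSA", "signature", 0, 3, False),
    Asset("site-to-site VPN appliance", "DH", "key_exchange", 1, 2, True),
    Asset("backup encryption", "AES-256", "symmetric", 7, 1, False),
]

if __name__ == "__main__":
    # years_to_quantum=10 is an assumed planning horizon, not a prediction.
    for bucket, items in build_roadmap(INVENTORY, 10).items():
        print(bucket, items)
```

Shortening the horizon moves assets between buckets: with `years_to_quantum=2` the code-signing key becomes "immediate" because its three-year migration no longer fits.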

Who Should Be Thinking About PQC?

Any organization that:

  • Handles long-lived sensitive data (financial, healthcare, government, legal)
  • Operates in a regulated industry with cryptographic requirements
  • Has government or defense contracts (CNSA 2.0 timelines are aggressive)
  • Uses custom cryptographic implementations (higher migration complexity)
  • Wants to demonstrate forward-looking security maturity to boards, auditors, or clients

The NSA’s CNSA 2.0 guidance requires national security systems to begin transitioning to PQC algorithms by 2025 and complete the transition by 2033.

Common Misconceptions

“Quantum computing is decades away.” A quantum computer capable of breaking RSA-2048 may be 5-15 years away. But the transition itself takes a decade, and HNDL attacks are happening now.

“Our vendors will handle it.” Vendors will update their products, but you need to know what you have, prioritize the migration, and manage the transition. Vendors do not manage your cryptographic risk for you.

“We just need to increase key sizes.” Larger RSA keys do not solve the problem. Quantum attacks on RSA scale polynomially — doubling the key size does not meaningfully delay a quantum attacker. You need fundamentally different algorithms.


Genesis IT Solutions provides PQC encryption reviews to help organizations assess their cryptographic exposure and plan the transition to quantum-resistant algorithms. Contact us to discuss your PQC readiness.

Frequently Asked Questions

What is post-quantum cryptography?

Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to resist attacks from quantum computers. NIST finalized three PQC standards in 2024 — ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205) — to replace quantum-vulnerable algorithms.

What is Harvest Now, Decrypt Later?

Harvest Now, Decrypt Later (HNDL) is a strategy where adversaries collect encrypted data today with the intent to decrypt it once quantum computers become available. Data with long-term sensitivity — financial, health, government, IP — is already at risk.

When should organizations start preparing for PQC?

Now. NIST estimates the transition will take 10-15 years for most organizations. The NSA's CNSA 2.0 guidance requires national security systems to begin transitioning by 2025 and complete by 2033. Larger RSA key sizes do not solve the problem — fundamentally different algorithms are needed.