Post-Quantum Cryptography – The Tempest Begins

by Steven J. Schuchart Jr., posted in Communicate, Secure
S. Schuchart

Summary Bullets:

  • Governments have issued advisories as to when and how enterprises, institutions, and government agencies should begin their journey to PQC.
  • While there is much speculation as to when quantum computing will advance to become a threat, the time to act is NOW.

While the AI trend has made a lot of noise dominating headlines, the world of quantum computing has been moving forward much more quietly. More qubits, new error correction, and in general just more improvements in the field as fundamental research continues to point the way. Quantum computing will provide the means to crack some of the hardest problems in the world and will lead to advances in healthcare, chemistry, materials science, and so much more.

But that power serves as the foundation for a problem that needs addressing across all information technology. Quantum computers could very well render today’s encryption security useless. Algorithms that are in wide use today, such as AES-256, would take literally billions of years for classical computers to decrypt through brute force techniques. Quantum computing could reduce that to days, months, or even hours. The implications are clear: From every angle, national security, enterprise security, personal data security, and of course infrastructure security, could all be compromised. Worse yet, there is fear of what is called ‘harvest now, decrypt later’ in which encrypted data is captured and stored today… to be decrypted when quantum computers become able.

Post-quantum cryptography, commonly referred to as PQC, is the term used to designate the point when quantum computers gain enough power to break today’s encryption. Governments have been preparing for PQC, with the most notable example from the American National Institute of Standards and Technology (NIST), which put out calls to cryptographers to create new quantum-resistant encryption standards that are also resistant to classical brute-force decryption. As of August 2024, NIST finalized and approved three standards for PQC: FIPS 203, FIPS 204, and FIPS 205, based on submissions it has received and tested. As of March 2025, NIST has also selected a fourth candidate for standardization.

Governments have issued advisories as to when and how enterprises, institutions, and government agencies should begin their journey to PQC. While there is much speculation as to when quantum computing will advance to become a threat, the time to act is NOW. There are two main factors driving the need to begin the journey immediately. First is the ‘harvest now, decrypt later’ threat to existing data. Second is the time and effort necessary to move to new cryptography across information technology. NIST says that the last time a full-scale change in cryptographic standards was necessary, it took a decade. Governments, including the US, the UK, and the European Commission all have a set completion date of 2035 to implement PQC standards. There are also broad steps listed by all three entities that show the order in which this should be done. CIOs, CISOs, CEOs, and board of directors all need to be brought up to speed, and the first stages should be undertaken as soon as possible.

GlobalData has delved deeper into the entire PQC quandary as part of a series entitled, “Tempest Alert – Race to Post Quantum Cryptography (PQC) Starts Now PT. 1,” March 31, 2025, is available to GlobalData subscribers, with subsequent installments coming in the coming weeks and months.

Leave a Reply