Picture the encrypted database backup your team shipped to cold storage last quarter. The customer records, the source code, the merger memos, the genomic data, the diplomatic cables. You consider that data safe because it is wrapped in RSA-2048 or elliptic-curve cryptography, the same math that secures most of the internet. Here is the part nobody put in the runbook: a copy of that ciphertext may already be sitting on a foreign intelligence server, untouched and patient, waiting for the one event that turns it into plaintext.
The attack has a name. It is called harvest now, decrypt later, and it does not require breaking your encryption today. It requires only copying it today. The decryption happens later, on a machine that does not exist yet but is being engineered in public, on a funded timeline, by every major government and cloud provider on earth. As far back as August 2021, the US National Security Agency stated the obvious in writing: adversaries may be collecting encrypted data now, waiting for the day quantum computers can decrypt it. When your own signals-intelligence agency describes an adversarial strategy in plain text, that is not a forecast. It is a status report.
NIST already shipped the countermeasure. On August 13, 2024, it finalized the first three post-quantum cryptography standards. The deadlines to retire RSA and ECC are published. And according to a 2025 industry study, only 5 percent of enterprises have actually deployed quantum-safe encryption. The fix exists. The clock is running. Almost nobody has moved.
The threat is a subtraction problem, not a prediction
Most executives file quantum risk under "someday" because the breakthrough that breaks RSA has not happened. That framing is the mistake. The relevant question is not when the quantum computer arrives. It is whether the data you are encrypting today will still be sensitive when it does.
Michele Mosca, a founder of the field, turned this into a single inequality that every security leader should be able to recite. Mosca's theorem says: if X plus Y is greater than Z, you have a problem. X is how long your data must stay confidential. Y is how long your migration to post-quantum cryptography will take. Z is how long until a cryptographically relevant quantum computer exists. If the time your secrets need protection, added to the years you need to re-engineer your stack, exceeds the runway until Q-Day, then the data you generate today is already exposed. You are minting plaintext-in-waiting.
Run the arithmetic with honest numbers. A typical large-enterprise crypto migration is measured in years, not quarters, because asymmetric cryptography is embedded in billions of devices and most internet communications. If your trade secrets, identities, or regulated records must stay confidential for a decade or more, then X plus Y already runs into the 2030s. And the 2030s is precisely the window the experts are pointing at.
Q-Day is a probability distribution, and it is moving toward you
Nobody can name the exact date a quantum computer factors a 2048-bit key. That uncertainty is not comfort. It is the trap. The serious work treats Q-Day as a probability distribution, and the distribution keeps shifting earlier.
The Global Risk Institute's 2024 Quantum Threat Timeline Report, built from a survey of 32 specialists, estimates a 17 to 34 percent probability that a machine capable of breaking RSA-2048 within 24 hours exists by 2034. A roughly one-in-three chance of catastrophic cryptographic failure inside a decade is not a tail risk you defer. No board would accept those odds on data-center fire suppression or financial controls.
The engineering bar is also collapsing faster than the timelines assumed. The landmark 2019 estimate from Gidney and Ekerå put the cost of breaking RSA-2048 at roughly 20 million noisy physical qubits running for about 8 hours. In May 2025, Gidney published a revised analysis arguing the same job could be done with under 1 million qubits in under a week, a 20-fold reduction in the qubit requirement from his own earlier number. The target is not standing still while we debate whether it is reachable. Researchers are walking it toward us.
The market analysts have stopped hedging. Gartner forecasts that by 2029, advances in quantum computing will make most conventional asymmetric cryptography unsafe to use, and fully breakable by 2034. 2029 is not a generation away. It is roughly the length of one enterprise hardware refresh cycle.
The deadlines are already on the calendar
This is where the "someday" framing falls apart entirely. The migration is not a vague aspiration. It is a sequenced set of dates with mandates attached, and the United States government has published the schedule.
The NSA's Commercial National Security Algorithm Suite 2.0 defines a hard transition for national security systems. NIST has signaled it will begin deprecating RSA and ECDSA at the 112-bit security level by 2030 and disallow them entirely by 2035. Vendors and integrators that sell into the federal supply chain inherit these dates whether they planned for them or not.
| Year | Milestone | Authority |
|---|---|---|
| August 2024 | FIPS 203, 204, 205 finalized as official standards | NIST |
| 2025 | NSA stops approving new national-security systems using RSA, DH, ECC for key establishment or signatures | NSA CNSA 2.0 |
| 2027 | New national security systems must follow CNSA 2.0 | NSA CNSA 2.0 |
| By 2029 | Conventional asymmetric cryptography projected unsafe to use | Gartner forecast |
| 2030 | RSA and ECDSA (112-bit security) deprecated; national-security designs PQC-only | NIST / NSA |
| 2035 | RSA, ECDSA, EdDSA, DH, ECDH fully disallowed | NIST / NSA |
Read the table as a runway, not a reading assignment. If full removal is mandated by 2035 and a serious crypto-inventory-plus-migration takes a large organization several years, the honest start date for that work was last year.
The replacement algorithms exist and have real names
One reason teams stall is the belief that post-quantum cryptography is still experimental. It is not. NIST ran an eight-year open competition and named the winners. They are standardized, documented, and shipping in production libraries today.
Three standards anchor the transition, all issued in the August 2024 Federal Register notice:
- FIPS 203 (ML-KEM), the Module-Lattice-Based Key-Encapsulation Mechanism, derived from CRYSTALS-Kyber. This is the workhorse that replaces RSA and ECDH for the key exchange protecting every TLS session.
- FIPS 204 (ML-DSA), the Module-Lattice-Based Digital Signature Algorithm, derived from CRYSTALS-Dilithium. The default replacement for ECDSA and RSA signatures.
- FIPS 205 (SLH-DSA), the Stateless Hash-Based Digital Signature Standard, derived from SPHINCS+. A conservative signature fallback whose security rests only on hash functions, useful where lattice assumptions feel too new.
The mapping from your current stack to the post-quantum stack is mechanical, which removes the last excuse for paralysis:
| Classical algorithm | Function | Post-quantum replacement |
|---|---|---|
| RSA key transport / ECDH | Key establishment | ML-KEM (FIPS 203) |
| ECDSA / RSA-PSS | Digital signatures | ML-DSA (FIPS 204) |
| Long-term code / firmware signing | High-assurance signatures | SLH-DSA (FIPS 205) |
The recommended deployment is hybrid: run a classical and a post-quantum algorithm together so a flaw in either one alone does not break the channel. Cloudflare reports that over 45 percent of human-generated traffic to its network is already protected by post-quantum cryptography, up from roughly 2 percent of TLS 1.3 connections in 2024. The infrastructure layer is migrating in real time. The application and data-at-rest layers, where your most sensitive long-lived secrets actually live, are not.
The devices you will never be able to patch
Servers get patched. Browsers ship a new build and the fix reaches a billion machines in a weekend. The hard part of this migration is none of that. The hard part is the hardware already in the field with its cryptography fused in: equipment with service lives measured in decades, no realistic update path, and a key exchange that a future machine will break long before the warranty expires. This is precisely where harvest-now-decrypt-later inflicts permanent damage, because the device cannot be rescued after the fact.
Start with what is already on the road. The average car and light truck in the United States is now 12.6 years old, a record, across a fleet of 286 million vehicles, and a car sold today will still be driving in the mid-2040s. Look up and the math is worse: a GPS III satellite carries a 15-year design life, and the constellation overhead right now averages roughly 13 years old with half of the birds past their engineered lifespan. Implanted cardiac devices run five or more years inside a patient on wireless protocols that already lack adequate authentication and encryption. Industrial controllers, smart meters, and aerospace platforms routinely outlast the engineers who specified their crypto.
The standards bodies have said the quiet part out loud. NIST's crypto-agility report (CSWP 39) reframes the ability to swap algorithms as a design requirement, naming PKI, code and firmware signing, IoT, industrial control systems, and medical devices as the highest-risk long-lived trust models. The NSA's CNSA 2.0 timeline tells acquisition teams to prefer quantum-resistant firmware and software signing by 2025 and use it exclusively by 2030, with national security systems fully transitioned by 2035, because anything signed with classical keys today is a liability the moment those keys fall. ENISA reaches the same place from Europe, warning that a migration of this kind historically takes 10 to 15 years and that constrained, embedded environments are the laggards least able to absorb the larger key and signature sizes post-quantum algorithms demand.
Here is the operator argument, stripped of comfort. For anything with a 10-plus year service life that ships today without crypto-agility or a path to ML-KEM and ML-DSA, you are not deferring the problem. You are manufacturing tomorrow's breach and bolting it shut at the factory. The traffic it emits is being captured now, the exposure is invisible because nothing has visibly failed, and the debt compounds silently until Q-Day turns a warehouse of recorded ciphertext into plaintext. A device you cannot patch is a decision you cannot take back. Make crypto-agility a procurement gate today, or inherit a fleet you can only retire.
Why almost nobody has started
The gap between awareness and action is the real story, and the numbers are stark. In the same DigiCert and Propeller Insights study of 1,042 senior cybersecurity managers across the US, UK, and Australia, 69 percent recognized quantum as a threat to their encryption and 46.4 percent reported substantial encrypted data already at risk, yet only 5 percent had deployed quantum-safe encryption. Awareness is near-universal. Execution is near-zero.
The causes are familiar to anyone who lived through a major platform migration:
- No cryptographic inventory. Most organizations cannot answer the first question: where is asymmetric cryptography used across our systems, vendors, and embedded devices? You cannot migrate what you have not mapped. This is exactly why CISA, NSA, and NIST jointly urge organizations to build a quantum-readiness roadmap and a cryptographic inventory now.
- The threat is invisible. Harvest now, decrypt later produces no alert, no breach notification, no ransom note. The exfiltration already happened, quietly, and the damage detonates years later. There is no incident to react to, so the work never reaches the top of the queue.
- It is mistaken for an IT refresh. Gartner warns the transition will require more work than Y2K because crypto is woven through far more systems and dependencies. Treating it as a routine certificate rotation guarantees you miss the deadline.
The European Telecommunications Standards Institute named the capture-and-store threat model a near-term concern years ago, moving it from academic curiosity to a recognized standards-body category. The institutions are aligned. The dates are set. The only variable left is whether your organization treats this as a multi-year program starting now or a fire drill starting in 2032.
What a serious operator does this quarter
The reframe is the whole point. Stop asking when quantum breaks encryption and start asking which of your secrets are already harvested and how long they need to stay secret. That question is answerable today, and it drives a concrete program:
- Build the cryptographic inventory first. Catalog every place RSA, ECC, and Diffie-Hellman protect data in transit, data at rest, signing, and authentication, across your code, vendors, and devices. This is the migration's critical path.
- Triage by data lifespan. Apply Mosca's inequality per data class. Anything that must stay confidential past roughly 2032 and travels or rests over public or untrusted networks is your harvest-now exposure. Migrate it first.
- Demand crypto-agility from vendors. Make ML-KEM and ML-DSA support a procurement requirement now. The contracts you sign this year should not lock you into algorithms that are disallowed by 2035.
- Deploy hybrid where you can today. Turn on hybrid post-quantum TLS at the edge and in your zero-trust layer. The technology is in production, not in a lab.
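The first two steps above can be combined into one triage pass. The sketch below is an added example, not code from the author: it filters a constructed inventory down to quantum-vulnerable asymmetric algorithms, maps each asset to its replacement from the table earlier in this article, and applies Mosca's inequality under the two Gartner dates quoted above. The asset names, the X and Y values, and `now=2025` are assumptions.

```python
from dataclasses import dataclass

# Function -> replacement, from the article's mapping table.
PQC_REPLACEMENT = {
    "key-establishment": "ML-KEM (FIPS 203)",
    "signature": "ML-DSA (FIPS 204)",
    "firmware-signing": "SLH-DSA (FIPS 205)",
}
# Algorithm families the article's 2035 row lists as disallowed.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "EdDSA", "DH", "ECDH"}

@dataclass
class Asset:
    name: str
    algorithm: str        # e.g. "RSA-2048", "ECDH", "AES-256"
    function: str         # key in PQC_REPLACEMENT for asymmetric assets
    x_years: float        # X: how long the protection must hold
    y_years: float        # Y: estimated time to migrate this asset
    untrusted_path: bool  # ciphertext crosses or rests on untrusted networks

def triage(assets, now, q_day_years):
    """Rank quantum-vulnerable assets by Mosca exposure (X + Y > Z)."""
    rows = []
    for a in assets:
        if a.algorithm.split("-")[0] not in QUANTUM_VULNERABLE:
            continue  # outside the asymmetric inventory
        # Margin X + Y - Z per Q-Day scenario; positive means exposed.
        margins = {q: a.x_years + a.y_years - (q - now) for q in q_day_years}
        exposed = sorted(q for q, m in margins.items() if m > 0)
        rows.append({
            "asset": a.name,
            "replacement": PQC_REPLACEMENT[a.function],
            "exposed_under": exposed,
            "worst_margin": max(margins.values()),
            # Harvesting targets confidentiality, i.e. the key establishment.
            "harvest_now": bool(exposed) and a.untrusted_path
                           and a.function == "key-establishment",
        })
    rows.sort(key=lambda r: (not r["harvest_now"], -r["worst_margin"]))
    return rows

# Constructed sample inventory; every name and number is illustrative.
INVENTORY = [
    Asset("internal service mesh TLS", "ECDH", "key-establishment", 1, 2, False),
    Asset("vehicle ECU firmware signing", "ECDSA-P256", "firmware-signing", 18, 5, True),
    Asset("cold-storage backup key wrap", "RSA-2048", "key-establishment", 15, 4, True),
    Asset("backup bulk encryption", "AES-256", "bulk-encryption", 15, 4, True),
]

def run_example():
    # now=2025 is an assumption; 2029 and 2034 are the Gartner dates quoted above.
    return triage(INVENTORY, now=2025, q_day_years=[2029, 2034])
```

Harvest-now assets sort first, then everything else by how far X plus Y overshoots the earliest Q-Day scenario; an empty `exposed_under` list means the asset clears Mosca's inequality under every scenario supplied.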
The comfortable lie is that encryption either works or it doesn't, and yours works. The truth is that encryption has a shelf life, and for your longest-lived secrets that shelf life may already have expired the moment the ciphertext left your network. You will not get a notification. You will not see the breach. The only signal you will ever get is the one you are reading right now: the standards are final, the deadlines are set, the replacement algorithms have names, and the 5 percent who moved early will be the only ones who were never exposed. The other 95 percent are betting their most sensitive data against a probability distribution that is moving the wrong way.
The window to migrate quietly, on your own schedule, before a mandate forces a scramble, is open now and closing on a published calendar. Treat it that way.
-Rocky