Cryptographically relevant quantum computers will break RSA and ECC — the algorithms underpinning virtually all enterprise PKI today. NIST finalized four post-quantum standards in 2024. The migration window is open. Here is what you need to know.
Nation-state actors are collecting encrypted traffic today with the intent to decrypt it once cryptographically relevant quantum computers exist. Data with long-term sensitivity — classified information, health records, financial data, IP — is at risk even before quantum computers exist.
Certificates with 5–10 year lifetimes issued today using RSA or ECDSA may still be valid when quantum computers capable of breaking them become available. Root CA certificates are the highest-risk category.
Software signed with RSA/ECDSA today could be retroactively forged once quantum computers can break the signing key. This affects firmware, OS updates, and any software with long deployment lifetimes.
Certificate-based authentication credentials (smart cards, client certificates) captured today could be used to forge authentication tokens in a post-quantum world.
The Timeline Question
Most estimates place cryptographically relevant quantum computers (CRQCs) capable of breaking 2048-bit RSA at 10–15 years away. That sounds distant — but PKI migrations at enterprise scale take 5–8 years. The "Harvest Now, Decrypt Later" threat means the risk is present today for any data with long-term sensitivity. NIST, NSA, and CISA all recommend beginning migration planning immediately.
NIST finalized four post-quantum cryptography standards in August 2024. These are the algorithms to build your migration around.
Key Encapsulation
Module Lattice (CRYSTALS-Kyber)
Key Size
800 – 1568 bytes (pub)
Use Case
TLS key exchange, encrypted email, VPN tunnels
Notes
Primary replacement for RSA/ECDH key exchange. Three security levels: ML-KEM-512, ML-KEM-768, ML-KEM-1024.
Digital Signature
Module Lattice (CRYSTALS-Dilithium)
Key Size
1312 – 2592 bytes (pub)
Use Case
Code signing, certificate signatures, document signing
Notes
Primary replacement for RSA and ECDSA signatures. Drop-in for most PKI certificate signing use cases.
Digital Signature
Stateless Hash-Based (SPHINCS+)
Key Size
32 – 64 bytes (pub)
Use Case
Root CA signing, firmware signing, long-lived certificates
Notes
Conservative choice based on hash functions only. Larger signatures but minimal security assumptions. Ideal for root CAs.
Digital Signature
NTRU Lattice (FALCON)
Key Size
897 – 1793 bytes (pub)
Use Case
Constrained devices, IoT certificates, smart cards
Notes
Compact signatures. More complex implementation than ML-DSA — use ML-DSA unless size is a hard constraint.
Key Encapsulation
Code-Based (Hamming Quasi-Cyclic)
Key Size
2249 – 7245 bytes (pub)
Use Case
Backup KEM if lattice assumptions are broken
Notes
NIST selected as backup KEM alongside ML-KEM. Different mathematical basis provides algorithm diversity.
A phased approach that maintains backward compatibility while progressively hardening your cryptographic posture.
Now — 2025
2025 — 2027
2027 — 2029
2029 — 2030
A hybrid certificate carries two signatures — one classical (RSA or ECDSA) and one post-quantum (ML-DSA). A system that understands PQC validates the ML-DSA signature. A legacy system that doesn't falls back to the classical signature.
This approach lets you begin deploying PQC-capable certificates immediately without breaking any existing infrastructure. It's the recommended transition strategy from NIST, NSA, and IETF.
The cost is larger certificate sizes — hybrid certs are roughly 2–3× the size of classical-only certs. For most enterprise PKI use cases, this is acceptable. For constrained environments (IoT, smart cards), evaluate FN-DSA (FALCON) for its compact signature size.
InsecurePlanet offers PKI and cryptographic inventory assessments that identify your current RSA/ECC exposure and produce a prioritized PQC migration roadmap specific to your environment.