Why Post-Quantum Cryptography?
This page provides a deeper look at the urgency of migrating to post-quantum cryptography, the strategies for doing so, and the global standards landscape. For a broader introduction to PQC concepts, see What is Post-Quantum Cryptography?.
The “Harvest Now, Decrypt Later” Threat
The most immediate quantum threat does not require a quantum computer to exist today. Adversaries – including state-level actors – can record encrypted network traffic now and store it indefinitely. Once a cryptographically relevant quantum computer (CRQC) becomes available, they can decrypt everything they collected.
This means that data encrypted today with RSA or ECDH is only as safe as the time it takes for a CRQC to be built. For data that must remain confidential for 10, 20, or 50 years – classified government communications, medical records, trade secrets, financial data – the threat is already real.
The timeline for action is not “when quantum computers arrive” but rather “now, minus the confidentiality lifetime of your data.”
Timeline Considerations
There is no consensus on exactly when a CRQC will exist. Estimates from researchers and government agencies range broadly:
- Optimistic estimates: Early-to-mid 2030s, based on current rates of progress in superconducting and trapped-ion qubit systems.
- Conservative estimates: 2040 or later, accounting for the engineering challenges of building fault-tolerant quantum computers at scale.
- NIST guidance: NIST recommends that organizations begin migrating to post-quantum algorithms now and complete the transition by 2030-2035. NIST has announced the deprecation of 112-bit security (RSA-2048, P-224) by 2030 and disallowed status by 2035.
Regardless of the exact date, cryptographic migrations are historically slow processes. The transition from SHA-1 to SHA-2 took over a decade. Moving from RSA to elliptic curve cryptography took even longer. Starting the PQC migration early is a risk management decision, not a prediction about quantum computing timelines.
Hybrid Approaches
During the transition period, many organizations are adopting hybrid schemes that combine a classical algorithm with a post-quantum algorithm. The security guarantee is that the system remains secure as long as at least one of the two algorithms is unbroken.
Common hybrid configurations include:
- Key exchange: ECDH + ML-KEM (the TLS handshake negotiates both, and the shared secrets are combined)
- Signatures: ECDSA + ML-DSA (both signatures are attached; verifiers check both)
- Certificates: X.509 certificates with dual signatures or composite keys
Hybrid approaches are recommended by NIST, ETSI, and the BSI (German Federal Office for Information Security) as a transition strategy. They protect against the possibility that a newly standardized PQC algorithm has an unforeseen weakness, while also protecting against quantum threats to the classical algorithm.
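As an added illustration of the two combinations above (example code, not MetaMUI's own API), the Python below derives one session key from an ECDH shared secret and an ML-KEM shared secret with a concatenate-then-HKDF combiner, and applies the both-must-verify rule for dual signatures. HKDF-SHA256 is written on the standard library so it runs offline; the shared secrets, label strings and verifier callables are constructed stand-ins for real X25519 / ML-KEM-768 outputs and real signature verifiers.

```python
import hmac
import hashlib

# Added example (not MetaMUI code): concatenate-then-KDF combiner for a hybrid
# ECDH + ML-KEM key exchange plus a both-must-verify rule for dual signatures.
# HKDF-SHA256 (RFC 5869) is written on the standard library so this runs offline.

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def combine_shared_secrets(ecdh_ss: bytes, mlkem_ss: bytes, transcript: bytes, length: int = 32) -> bytes:
    """Derive one session key that depends on BOTH shared secrets.

    If a CRQC later recovers the ECDH secret from recorded traffic, the
    attacker still lacks mlkem_ss and hence the key. Fixed input lengths keep
    the concatenation unambiguous; the transcript binds the key to this exchange.
    """
    if len(ecdh_ss) != 32 or len(mlkem_ss) != 32:
        raise ValueError("shared secrets must be 32 bytes each (X25519 / ML-KEM sizes)")
    prk = hkdf_extract(b"hybrid-ecdh-mlkem-v1", ecdh_ss + mlkem_ss)   # label is a constructed value
    return hkdf_expand(prk, b"hybrid session key|" + transcript, length)

def verify_hybrid_signature(message: bytes, classical_verify, pq_verify) -> bool:
    """Accept only when both verifiers accept; an exception counts as a reject."""
    results = []
    for verify in (classical_verify, pq_verify):
        try:
            results.append(bool(verify(message)))
        except Exception:
            results.append(False)
    return all(results)

if __name__ == "__main__":
    ecdh_ss, mlkem_ss = bytes([0x11]) * 32, bytes([0x22]) * 32   # constructed stand-ins
    key = combine_shared_secrets(ecdh_ss, mlkem_ss, b"client_hello|server_hello")
    # An attacker holding only ecdh_ss cannot reproduce the key without mlkem_ss.
    assert key != combine_shared_secrets(ecdh_ss, bytes(32), b"client_hello|server_hello")
    print("session key:", key.hex())
```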
MetaMUI’s Approach
MetaMUI Crypto Primitives supports both classical and post-quantum algorithms to enable hybrid deployments:
- Post-quantum algorithms are first-class citizens: ML-KEM, ML-DSA, SLH-DSA, Falcon, and KPQC algorithms are all implemented with the same rigor and optimization as classical algorithms.
- Classical algorithms (Ed25519, RSA-2048, ECDSA) are provided for backward compatibility and transitional use.
- RSA-2048 is explicitly marked as transitional, with a recommended deprecation date of 2030, consistent with NIST guidance.
- Ed25519 remains a strong choice for classical signatures during the hybrid transition period.
Applications can use MetaMUI to deploy hybrid schemes where a post-quantum signature or key exchange is paired with a classical one, ensuring security regardless of which threat model proves correct.
Global Standards Landscape
Post-quantum standardization is not a single effort but a parallel set of processes across multiple jurisdictions:
NIST (United States)
NIST’s Post-Quantum Cryptography Standardization process is the most widely referenced PQC standardization effort globally. Published standards:
- FIPS 203: ML-KEM (key encapsulation)
- FIPS 204: ML-DSA (digital signatures)
- FIPS 205: SLH-DSA (hash-based signatures)
- FIPS 206 (pending): FN-DSA / Falcon (FFT-based signatures)
Additional algorithms (HQC, BIKE, Classic McEliece) are under evaluation for future standardization.
KPQC (South Korea)
The Korean Post-Quantum Cryptography competition has selected algorithms tailored to Korean government and industry requirements:
- SMAUG-T for key encapsulation
- HAETAE for digital signatures
- AIMer for signatures (MPC-in-the-head based)
- NTRU+ for key encapsulation
Korean organizations subject to domestic regulations may need to implement KPQC algorithms alongside or instead of NIST algorithms.
ETSI (Europe)
The European Telecommunications Standards Institute (ETSI) Quantum-Safe Cryptography working group publishes guidance on quantum-safe migration. ETSI recommends hybrid approaches during the transition period and has published technical reports on integration with existing protocols (TLS, IKEv2, S/MIME).
Other Efforts
- China (CACR): Has announced its own PQC standardization process.
- ISO/IEC: Working on international standards that reference NIST PQC algorithms.
- IETF: Drafting RFCs for PQC integration into TLS, DNSSEC, S/MIME, and other internet protocols.
How to Start Migrating
- Inventory your cryptographic dependencies. Identify where RSA, ECDSA, ECDH, and other quantum-vulnerable algorithms are used in your systems.
- Assess data sensitivity and lifetime. Data that must remain confidential for 10+ years is the highest priority for migration.
- Choose algorithms. Use the Algorithm Selector to pick the right algorithms for your use cases.
- Deploy hybrid schemes first. Combine classical and PQC algorithms during the transition to manage risk.
- Integrate MetaMUI Crypto Primitives. See the Getting Started guide for platform-specific installation and usage instructions.
- Test interoperability. If your system spans multiple platforms, verify cross-language compatibility using MetaMUI’s shared test vectors.
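The first two steps above can be scripted. The Python below (an added example, not a MetaMUI tool) classifies each inventory entry as quantum-vulnerable, hybrid, post-quantum or no-public-key, applies this page's "now minus the confidentiality lifetime" rule to compute a migration deadline, and ranks the entries by urgency; the inventory lines, the CRQC estimate year and the current year are constructed inputs.

```python
import re

# Added example (not MetaMUI code): rank a cryptographic inventory by this page's
# "now minus the confidentiality lifetime of your data" rule. The inventory lines
# (system,algorithms,confidentiality lifetime in years) are constructed samples.
SAMPLE_INVENTORY = """\
vpn-gateway,ECDHE P-256 + AES-128-GCM,5
patient-archive,RSA-2048 key wrap,30
api-edge,X25519 + ML-KEM-768,5
licensing,ECDSA P-256 signatures,3
ledger-backup,AES-256-GCM,25
"""

CLASSICAL_PK = re.compile(r"\b(RSA|ECDSA|ECDHE?|X25519|Ed25519|P-\d{3})", re.I)
PQ_ALGO = re.compile(r"\b(ML-KEM|ML-DSA|SLH-DSA|FN-DSA|Falcon)", re.I)

def classify(algorithms: str) -> str:
    classical = bool(CLASSICAL_PK.search(algorithms))
    pq = bool(PQ_ALGO.search(algorithms))
    if pq and classical:
        return "hybrid"
    if pq:
        return "post-quantum"
    if classical:
        return "quantum-vulnerable"
    return "no-public-key"   # nothing Shor-breakable matched in this entry

def migration_deadline(crqc_year: int, lifetime_years: int) -> int:
    """Year by which this data must already be protected: CRQC estimate minus lifetime."""
    return crqc_year - lifetime_years

def rank_inventory(inventory: str, crqc_year: int, now_year: int) -> list:
    """Return (system, status, deadline, action) rows, most urgent first."""
    rows = []
    for line in inventory.strip().splitlines():
        system, algorithms, lifetime = line.split(",")
        status = classify(algorithms)
        deadline = migration_deadline(crqc_year, int(lifetime))
        if status == "quantum-vulnerable":
            action = "overdue" if deadline <= now_year else "schedule"
        else:
            action = "none"
        rows.append((system, status, deadline, action))
    order = {"overdue": 0, "schedule": 1, "none": 2}
    return sorted(rows, key=lambda r: (order[r[3]], r[2]))

if __name__ == "__main__":
    for row in rank_inventory(SAMPLE_INVENTORY, crqc_year=2035, now_year=2025):  # constructed estimate
        print(row)
```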