Post-Quantum Cryptography: Anticipating the Quantum Threat and Successfully Transitioning to Sustainable Cybersecurity
*Q-Day: the estimated date when a CRQC (Cryptographically Relevant Quantum Computer) will be able to break classical asymmetric cryptography.
Definition: Post-Quantum Cryptography
Post-quantum cryptography refers to a new generation of encryption methods designed to protect data against the future capabilities of quantum computers. Unlike today's computers, quantum machines will be able to break some of the encryption systems currently used to secure digital communications. Post-quantum cryptography introduces new algorithms that are resistant to these emerging threats. By adopting them early, organizations can ensure that sensitive information remains protected both today and in the years to come.
The Quantum Threat: Why Enterprises Need to Act Now
A quantum computer is not simply a faster supercomputer. It operates on a fundamentally different logic: where a classical bit is either 0 or 1, a qubit can exist in multiple states simultaneously. Quantum computers leverage three key properties, superposition, entanglement, and interference, which unlock unprecedented computing capabilities. With sufficient resources, such a computer would notably be able to run Shor's and Grover's algorithms, the main threats to classical cryptography, targeting asymmetric and symmetric encryption respectively.
Shor's algorithm can solve complex mathematical problems, such as integer factorization or the discrete logarithm problem, far faster than any classical computer. For factorization, this means going from sub-exponential to polynomial time. Yet it is precisely on the hardness of these problems that today's classical cryptographic algorithms rely for key exchange and digital signatures. These two mechanisms are the foundations of modern cybersecurity: without them, the confidentiality, authentication, and integrity of data can no longer be guaranteed, leaving many entry points open to attackers.
As a result, all algorithms based on these mathematical problems, such as RSA, ECDH, or ECDSA, would no longer be considered secure against a sufficiently powerful quantum computer. Experts estimate that a practical use of Shor's algorithm, requiring resources on the order of several million physical qubits, could become possible around 2030-2035.
Grover's algorithm, for its part, poses a more indirect threat: it cannot directly break symmetric algorithms like AES, but it quadratically reduces the complexity of searching an unstructured space, allowing an attacker to brute-force an encryption key faster than with a classical computer.
One way to guard against this threat is to double the key size. AES-256 thus becomes comparable in security level to AES-128 under a Grover attack. Since this reinforcement is enough to maintain a strong level of security, attention today is focused mainly on asymmetric encryption, which requires a complete change of algorithm.
HNDL: Why does the exposure start today?
The most imminent danger today is the "Harvest Now, Decrypt Later" paradigm. It relies on the idea that attackers are already collecting encrypted data today, with the intent of decrypting it later, once Q-Day arrives.
This risk primarily affects organizations whose data has a long lifespan and high strategic value. In the financial sector, interbank messaging flows, M&A data, financial agreements, and KYC/AML records containing critical customer information are prime targets. But the threat extends far beyond: sovereign and government environments, military infrastructure, deep tech players, and critical infrastructure operators such as energy and telecommunications networks are just as exposed.
The common exposure vector for all these organizations is transit over the Internet. As soon as sensitive data leaves the internal network and travels across public infrastructure, it can potentially be captured and stored by an attacker. It is therefore essential to conduct a data inventory: where data is stored, its sensitivity level, its lifespan, and its exposure to public networks, in order to determine which data is likely to be targeted in a "Harvest Now, Decrypt Later" scenario.
Post-Quantum Cryptography: Future-Proof Your Business Against Tomorrow’s Cyber Threats
Post-quantum cryptography is the answer to the threat posed by quantum computers. It consists of cryptographic algorithms based on mathematical problems that no known algorithm, even a quantum one, can solve efficiently to date.
NIST has standardized five algorithms so far. ML-KEM (Kyber) and ML-DSA (Dilithium) are the two main ones, for key exchange and digital signatures respectively. Both are lattice-based algorithms.
As a backup to Kyber, there is HQC, which relies on error-correcting codes. As alternatives to Dilithium, there are Falcon, also lattice-based, and SPHINCS+, whose security relies on hash functions. To date, candidates are still in the running for an additional signature algorithm to be standardized by NIST.
However, these newly standardized algorithms differ from today's classical algorithms in terms of performance and key/signature sizes. Key sizes, in particular, are significantly larger. Key management, network traffic congestion, and data storage may therefore be affected by these size differences. Before any migration, performance and storage capacity testing will need to be carried out, especially in sensitive environments.
On the mathematical side, these algorithms, and more specifically the problems they rely on, have been studied for years by the research community. There is therefore little doubt about the soundness of their mathematical foundations. However, since these algorithms are still recent, they have not yet undergone long-term testing in production or across a wide range of real-world configurations, so we do not yet have sufficient hindsight. This is why issues remain today, particularly with side-channel attacks, which exploit implementation or hardware flaws rather than the underlying mathematical problem itself. The adoption of these algorithms must therefore be gradual and cautious.
Governance, Standards, and Regulations: Building the Foundations of Cyber Resilience
o drive the transition toward quantum-resistant environments, governance and standards organizations have set several deadlines. NIST, for instance, has set 2030 as the deprecation date for ECDSA, EdDSA, and RSA for digital signatures, as well as finite-field Diffie-Hellman, ECDH, and RSA for key exchange, with 2035 as the date for their definitive disallowance.
President Trump recently signed an executive order aimed at securing the nation against cryptographic attacks. The text tasks the Department of Commerce, the NSA, and the DHS with providing agencies with clear, actionable guidance, and each agency must appoint a dedicated migration leader. Sensitive data must be migrated by 2030 for confidentiality and by 2031 for authentication, with a pilot project expected by the end of 2027. Beyond the federal perimeter, agencies are also tasked with supporting the transition of national critical infrastructure, as well as foreign critical infrastructure and governments, with the goal of positioning the United States as a global leader on this front.
At the European level, DORA — the Digital Operational Resilience Act — came into force in January 2025. An initial document published in 2022 stated that financial organizations had to protect the cryptography used in their architecture. The Delegated Regulation (EU) 2024/1774, published in June 2024, this time explicitly cites the danger that quantum advances pose to the cryptographic threat landscape. DORA's concrete requirements include conducting a cryptographic inventory, identifying the various protocols using cryptography, implementing encryption policies, reporting major cryptography-related incidents, and monitoring the PQC roadmaps published by the vendors and suppliers organizations work with. Failure to comply can result in heavy administrative penalties, the level of which is set by each Member State, with the regulation requiring that they be effective, proportionate, and dissuasive. Documenting and preparing a migration is therefore becoming far more than just good practice: it is now a regulatory requirement.
Beyond the sector-specific framework imposed by DORA, the entire European ecosystem is getting organized. ENISA recommends a risk-based approach, combining the use of symmetric mechanisms with appropriate key lengths and the adoption of hybrid cryptographic schemes. The European Commission, with ENISA's support, has launched a coordinated implementation roadmap aimed at securing high-risk systems by the end of 2030 and achieving a full transition to post-quantum cryptography by 2035. The first deliverable of this roadmap, produced by the PQC work stream of the NIS Cooperation Group, was published in June 2025.
ANSSI published two position papers on the subject in 2022 and 2023, recommending a three-phase migration approach. The first phase consists of deploying hybrid schemes as an additional layer of defense, while keeping classical security as the primary guarantee. The second phase marks a paradigm shift: the post-quantum algorithm becomes the primary security guarantee, with the classical algorithm remaining in place to prevent any regression. Finally, the third phase, feasible from 2030 at the earliest, makes hybridation optional: systems can then run on pure post-quantum cryptography. The agency explicitly recommends hybridization for security products intended to provide long-term protection beyond 2030, or likely to be used after 2030 without updates. In line with this, it has published guidance on adopting hybrid modes for SSHv2, TLS 1.3, and IKEv2/IPsec. Very recently, at the France Quantum 2026 conference, ANSSI announced that from 2027 onwards, it will no longer certify security products lacking quantum-resistant cryptographic mechanisms, an obligation applying to at least certain product categories.
Post-Quantum Cryptography Migration: Preparing for the Challenges Ahead
Hybrid Migration: A Strategy for the Post-Quantum Era
Before considering a full migration to post-quantum cryptography, a hybrid transition phase will be necessary, combining classical and post-quantum algorithms. For a key establishment protocol, this means using both types of algorithms to derive at least one shared key with each of them. For digital signatures, it means signing the same message with at least one classical algorithm and one post-quantum algorithm. This approach serves a dual purpose: maintaining compatibility with existing communications, and guarding against potential flaws that could be discovered in production on these new algorithms, particularly through side-channel attacks. It is therefore preferable to go through a dual-security phase rather than switching over directly. However, these hybrid schemes introduce computational and implementation overhead that may prove unsuitable in certain contexts. This is why test environments prior to real-world deployment will be essential in some cases.
Crypto-Agility: Building a More Flexible Cryptographic Infrastructure
Crypto-agility is the ability of a system to switch cryptographic suites without overhauling the entire architecture. Hard-coded algorithms, outdated libraries, or HSMs with no available firmware update are all blocking points that prevent such rapid change. PKIs are also a critical point, since a change of algorithm involves a complete redistribution of trust certificates and of the certificates in use. Systems must therefore be designed to allow these transitions to happen quickly. This also involves verifying that the network equipment in use can switch algorithms for IPsec, SSH, and TLS 1.3 tunnels, among other protocols. Beyond the company's internal architecture, crypto-agility is therefore also a matter of vendor choice: the vendors and software providers organisations work with must be able to deliver these updates within the required timeframes. Crypto-agility is particularly important in the current context, where governance standards can evolve quickly. As mentioned earlier, we do not yet have sufficient hindsight on the new algorithms in production, and hybrid schemes themselves are bound to evolve. Organizations must therefore be able to adapt quickly, without waiting for the launch of a large-scale migration project.
The migration to post-quantum cryptography cannot be treated as a simple algorithm swap. It must be approached as a technical, organizational, and governance challenge, the scale of which is often underestimated. The example of SHA-1 speaks for itself: after its deprecation, it took nearly ten years to migrate to SHA-256, and that was just a hash function. Now imagine the scale of the work required to replace all the key exchange, signature, and authentication algorithms that form the backbone of a modern infrastructure's security. Organizations should therefore not wait for vendors to integrate these new solutions and deploy them as they come: the time to act is now.
The first challenge is visibility. Before migrating anything, organizations first need to know what they are using, this is what is known as the CBOM, Cryptographic Bill of Materials. Within an organization, cryptography is present in TLS certificates, VPN tunnels, SWIFT connections, HSMs, PKIs, APIs, and embedded firmware, often without any centralized inventory. Mapping these assets, understanding their dependencies, and identifying which ones are exposed to "Harvest Now, Decrypt Later" attacks is, in itself, a program spanning several months.
Then comes the complexity of the transition itself. Replacing an algorithm is not like updating a piece of software. Each component has its own constraints, and numerous dependencies can surface along the way. Before taking action, a clear order of priority must therefore be established to avoid redundancies and roadblocks: identifying sensitive data, its lifespan, and its exposure, in order to build a coherent migration sequence. This sequence should proceed in layers, starting with the systems most exposed to the Internet, while ensuring at every step that crypto-agility is built in as an architectural principle.
Post-quantum migration is an unprecedented, cross-functional, and complex undertaking that involves far more than the technical dimension alone. The scale of the dependencies, the diversity of the constraints, and the rapid evolution of standards make it an exercise that demands particular attention, the right expertise, and a serious investment of time and energy.
Conclusion
Faced with a quantum threat that is now tangible and drawing closer, transitioning to architectures incorporating post-quantum cryptography is no longer an option: it is an obligation. Organizations must invest in upgrading their infrastructure, conduct thorough assessments of their sensitive data and systems, call on specialized cryptographic expertise, and closely monitor their vendors' roadmaps. With cryptography being ubiquitous in modern infrastructure, this transition is a meticulous, long-term effort that cannot be improvised. The immediate priority remains protection against the "Harvest Now, Decrypt Later" paradigm. Waiting exposes organizations not only to future risks, but to present ones as well.
Organizations that plan ahead will be able to approach the migration in a structured, progressive, and controlled manner, testing, adjusting, and incorporating evolving standards as they go. Those that delay will find themselves migrating under regulatory and competitive pressure, with tight deadlines, higher costs, and a greater risk of leaving gaps in their architecture. At Proximus NXT, we are actively working on this topic to offer solutions and support tailored to these challenges. In a field where security leaves no room for approximation, time is the one asset you can never get back.