Post-Quantum Cryptography is a SORE!

Spoiler Alert:

Making the necessary transition from the cryptography that protects today’s electronic commerce to so-called Post-Quantum Cryptography (PQC) that aims to counter the inevitable emergence of Quantum Computers, is not primarily a scientific nor fully a technology exercise but a good old management problem of how to manage a complex, cross-business ‘Post-Quantum Change Program’, to an agreed schedule at the highest level of quality.

Such a change program differs only(?) to similar large programs, in its scope - cross-business and cross-industry - and the need for a highly disciplined, carefully planned, and rational approach to the Post-Quantum Transition.  But unfortunately, all firms across an industry will be undertaking the same sorts of programs, big and small, at the same time, making access to the skills required difficult to say the least.

Keep Calm, Do it Once and Do it Right!

Quantum Computing

Experts believe that sometime in the next 5 to 15/20 years it is probable, but not certain, that one or more technology companies will develop a so-called Quantum Computer (QC), which can be programmed to break most (but not all) of the Cryptographic Algorithms (CAs) that are used today to secure sensitive communications and information across the Internet!

Just consider if all of a firm’s communications with its customers, suppliers and industry partners suddenly became visible to anyone who had access to a quantum computer[1]! And consider the chaos, if many firms around the world encountered the same problem, at the same time?

At that point in time, sensitive information, which has not yet been protected by a new generation of cryptographic algorithms, could be made available to hackers and competitors. In particular, communications between financial institutions, their customers and suppliers will be severely compromised, for example in the worst case, payment messages may be able to be changed or deleted in mid-flight.

The problem is that we do not know when, and some argue ‘if’, such a computer will arrive.  But we know that, if such a quantum computer arrives, then there will be chaos across the financial and other industries.

If the reader wishes to delve into Quantum Computing in a little more detail, appendices ‘A Brief Primer on Quantum Computing’ and ‘A Brief Primer on Post-Quantum Cryptography’ give short introductions.

However, there is a known solution to this particular problem!

The solution is for firms to employ security algorithms that cannot be broken by what has been called a Cryptographically Relevant Quantum Computer (CRQC). [Note in this paper the terms QC and CRQC are used interchangeably.]

Luckily, such so-called Post-Quantum Cryptographic (PQC) algorithms do exist to reduce the risk of widespread chaos. However, to protect a firm, every ‘at risk’ algorithm in its technology systems will have to be replaced, not only within a firm but within every firm or for every individual that a firm communicates with! 

At this point, it is a relief to know that it is not necessary to understand the complex science of Quantum Computing in detail (it is phenomenally difficult) but merely to believe that changing widely-used current technology used in communications to achieve Post-Quantum Computing Compliance (PQCC) will help solve the problem.

However, to fully protect a company, every ‘at risk’ algorithm will have to be replaced not only within a firm but also within every firm or for every individual that a firm communicates with! 

Post-Quantum Cryptography then deals with what has been called a SORE – a Systemic Operational Risk Event!

• It is Systemic, because all firms in an industry will have to change at roughly the same time.  Being the only firm that is Post-Quantum compliant is of little use, if firms cannot for example communicate with all of suppliers, their banks, and their customers.
• It involves Operational Risk, particularly but not restricted to Information Technology Risk and impacts Operational Resilience at the systemic level - what if a major bank were to fail because its security has failed?
• It is an Event because it is driven by some concrete, not hypothetical occurrence in time – the announcement of a working Quantum Computer that can break existing widely used security algorithms.  

Systemic

The implementation of Post-Quantum Cryptography clearly poses a systemic problem because it deals not only with how firms organize themselves and operate but how firms communicate with customers, suppliers, service providers, regulators and third parties of all types, around the world.

As a simple example, when a customer buys goods from a merchant even in the same country, then typically, a payment has to be made through the customer’s bank to pay the merchant’s bank, often through third parties, such as credit card companies. The banks must then communicate not only amongst themselves but importantly with a central bank to ‘settle’ the payment. On the other side, the merchant will have to organize the delivery of goods to the customer, often through a complex and widely distributed supply chain.  To replenish their inventories, merchants then must communicate with their own suppliers to update their inventories, and, in turn, those suppliers must communicate with manufacturers to provide parts and raw materials. And so on and so on, through a ‘world wide web’ of electronic communications.

Today, commerce is conducted through large, complex global supply chains with multiple parties communicating with one another, most often oblivious to the very many other parties involved in a transaction. Think of Post-Quantum Cryptography as similar to COVID but not disabling people nor knocking out computers but closing out some vital communications between them. During COVID-19 supply chains around the world were disrupted by people not being available. In future, with the advent of practical Quantum Computers but without Post-Quantum Cryptography, many computers, and therefore firms, will not be able to communicate with one another.

Post-Quantum Cryptography is also a Strategic Risk problem, requiring that boards of directors understand why taking action to mitigate PQC risks is important. While such an understanding is necessary, the topic is extremely difficult at the detailed level.  Luckily, however, board members do not need to understand the minute details of Quantum Mechanics merely to understand and manage the risks in and the costs to their businesses.  Importantly, the full extent these risks will become apparent over the next 5-10 years which typically aligns with corporate strategic planning, particularly technology strategic planning.

In particular, boards and management will have to upgrade their Enterprise Risk Management (ERM) protocols to ensure execution of a very risky technology change program which will not necessarily require superior technical skills but will require a very disciplined managerial approach to detecting and eliminating errors. Boards will get only one chance to get this complex change program right and therefore must be extremely diligent in executing it.

Operational Risk

The emergence of Post-Quantum Cryptography clearly will create technology risks, across a firm and across industry. In fact, the Operational Risks of PQC will predominantly involve a firm’s existing Information Technology assets, in particular its communications and cyber-security assets. In addition, there may some ‘people related’ risks such as the need to upgrade skills and processes as part of a comprehensive cybersecurity strategy but mitigating such ‘people risks’ are a normal part of staff upskilling.

What exactly will a PQC-related operational risk look like?

Today, a firm will communicate with its customers, suppliers, and other parties, through a variety of communications technologies, predominantly but not exclusively via the open Internet. Basic communications over the Internet today are predominantly, but again not exclusively, protected by a security standard called Transport Layer Security/Secure Sockets Layer (TLS/SSL)[2].

As one can imagine, the details of what goes on behind the scenes in such situations are arcane and obscure[3], understanding of which is absolutely necessary for cybersecurity experts but suffice to say that current cryptographic methods will be at risk if/when quantum computing capabilities become readily available.

The key point is that unless both sides of TLS/SSL (or other security protocol) conversations, the details of which are conveniently hidden, use the same algorithms and importantly agreed public/private keys (see Appendix B), then NO communication will take place.  And operational losses will occur as a result of ‘going blind’ such as, for example, payments not being made or goods not being delayed.  The cumulative impact of failure to communicate with multiple parties could prove to be enormous.

Note is highly likely that some form of Quantum Safe TLS/SSL will be developed in future to make transition easier for standard websites.  However, under the covers, systemic changes will still be needed, for example to change encryption keys (a non-trivial undertaking). Nonetheless, these changes will require a high degree of sophisticated planning.  This also means that it is likely, because not all parties will upgrade at the same time, that firms will have to change their systems so that they can support both new and old algorithms at the same time, to communicate with partners who have not yet changed their systems.

Between certain parties, such as financial traders and securities settlement agencies or Foreign Exchange providers, losing contact could result in failure to complete ‘chains’ of financial transactions and, in extremis, the financial systems could freeze up. For example, imagine the chaos that would ensue if a financial institution were unable to connect to the SWIFT network. In 2025, the World Quantum Summit, a gathering of leading academics and technology firms, dedicated to considering the impact QC on business, wrote that:

“The quantum threat to SWIFT messaging represents a defining challenge for the global financial system—one that requires coordinated action across technical, operational, and strategic dimensions. While quantum computers capable of breaking current cryptographic standards may still be years away, the complexity of the SWIFT ecosystem necessitates proactive preparation today.”

Of course, the SWIFT organization will undoubtedly be working on how Post-Quantum threats may be addressed but little on the fine detail of their plans for PQC transition is currently forthcoming. Hopefully sometime soon, the SWIFT organization will unveil a detailed plan for providing access to the SWIFT network that is quantum-ready. Inevitably, such a plan will concentrate on how the mechanism for communicating with the SWIFT network will be protected and less on how, and importantly when, Swift’s over 11,000 participants can connect and crucially run comprehensive tests on their links to the upgraded SWIFT network.

The SWIFT organization is expert at upgrading its networks such as, for example, the recent successful upgrades to support ISO 20022 messaging standards for payments. But they do so from a position where SWIFT decides on a way forward and participants are expected to follow.

Going forward, however, firms will have to balance demands from SWIFT and other key partners, such as central banks and other systems. For example, in Australia such integration is already underway with the ‘AES Migration’ program due to run until 2030/2031 (see Australia below). Such complex interactions will inevitably make overall PQC transition programs difficult to plan and to execute.

Furthermore, it should be recognised that regulatory timetables will ultimately drive SWIFT’s programs. For example, SWIFT will undoubtedly be considered critical infrastructure for all financial jurisdictions and therefore MUST implement appropriate transition programs to the schedule determined by the jurisdictions. For example, see the section on “What needs to be done to Implement a Post-Quantum Cryptography Transition PROGRAM?” below, where transition of critical infrastructure must be completed for Australia and Canada by 2031 – only 6 years away from a standing start!

In late 2025, Cisco, a leading communications provider, announced new products that are designed to protect firms’ internal Wide Area Networks (WANs) using “NIST compliant post-quantum cryptography” (see Appendix B). Undoubtedly, other network systems providers will introduce new products to compete. Such initiatives are to be welcomed but implementation will still require a large, disciplined installation program and it must be remembered that this effort will only be one part of, and must dovetail with, a larger implementation Post-Quantum program.

In practice, such initiatives mean that for individual firms, planning to transition their legacy systems and infrastructure will be driven by their selected suppliers and the detailed plans that they make.

Event

The greatest problem facing business and regulators in this area is that none of us know exactly WHEN the Post-Quantum SORE will occur (or even if such an event will indeed occur)! For the purposes of planning and risk management we will assume that such an event will occur at some unknown time in the future. The date on which the event will occur is colloquially called ‘Q-Day’ which is generally agreed to be the date on which a technology company will demonstrate a quantum computer (QC) that can quickly and reliably break a very specific cryptographic algorithm – RSA 2048, see Appendix B for some more detail.

Note this formulation, of course, implies that there will be more than one Q-Day. For example, in the global logistics industries Q-Day could mean a date on which a firm can demonstrate that a quantum computer can  quickly and reliably solve a substantial subset of the so-called ‘Travelling Salesman Problem’ (TSP) which searches for the most efficient route to visit a series of locations once in the shortest time possible[4].

Likewise, there are problems in Finance such as Portfolio Optimization which require enormous conventional computing to approximate the optimal portfolio of selected investments to meet specific risk appetites. It is believed that a specifically design QC may solve that problem allowing better management of investment risks.

Here we will focus solely on Q-Day as relating to breaking of RSA 2048.

Q-Day or Q-Day(s)?

While it may be useful to think of Q-Day as being a single point in time, such as Y2K[5], inevitably Q-Day will only be the very start of the Post-Quantum world. Most likely, the mere announcement of a useful QC will trigger consternation across many industries, but it must be remembered the initial proclamations will be for a machine that will not yet be production ready and it will take some time (e.g. 12/24/36? months) before production-ready models roll off the assembly lines.

Nonetheless, it is worth using the term-Q-Day to indicate the start of the final lap of a very long, very tough marathon.

However, that gets us no closer to identifying when Q-Day might arrive!

Where is Quantum Computing in 2025?

As noted in Appendix A, in mid-2025, Chinese researchers have already used a ‘D-Wave’ quantum computer linked to conventional computers to factor a very large integer into its prime components ‘in an extremely short time’. D-Wave is a US and Canadian company that does not build generic quantum computers but machines that specialise in ‘quantum annealing’, a process which attempts to solve categories of optimization problems using native quantum properties.  So, there is at least one albeit small quantum computer that can solve a subset of the RSA-2048 universe.

Also in 2025, the influential US Defense Advanced Research Projects Agency (DARPA) selected eleven companies to enter the Stage B of the agency’s Quantum Benchmarking Initiative (QBI). This mega-project “aims to rigorously verify and validate whether any quantum computing approach can achieve utility-scale operation — meaning its computational value exceeds its cost — by the year 2033”. It is envisaged that in a third and final Stage (C) that will follow quickly on Stage (B) ,the selected finalists (plural) will work with DARPA to “Verify and Validate that their utility-scale quantum computer concept can be constructed as designed and operated as intended” and, if all goes to plan, go on to build their designed quantum computer. It is interesting that DAPRA is not picking a winner but “in pursuing all viable approaches for which there is available funding [author’s emphasis]”.

So, if one assumes that Stage C of the DARPA program is successful and at least one of the companies does develop and build a “utility-scale quantum computer” then 2033 would be a reasonable but far from a definite year for the Q-Day event.

When will Q-Day arrive?

There are many ‘experts’ of various degrees of plausibility that have made, and continue to make, estimates of when Q-Day will arrive. 

The diagram below is from a report that summarises some of the estimates. Note some estimates are more plausible than others and readers should be very wary of any ‘point’ estimates and even period/line estimates that do not show some form of probability!

Figure 1 – Various Estimates of Q-Day (Secureworks)

It is interesting to note that in this chart, the Global Risk Institute (GRI) is a definite outlier, which is a real problem as G,RI is a very highly respected research organization in this field. Some of this uncertainty results from the fact that this research paper is using data published by GRI in 2023. Reflecting the speed of innovation in this field, the 2024 version of the GRI report, authored by two of the leading experts in the field, Mosca and Mulholland (2025), developed ‘An Updated Methodology For Quantum Risk Assessment’ which contains a more detailed assessment.

Figure 2 –  Updated Estimate of Q-Day (Mosca and Mulholland 2025)

Figure 2 estimates that there is a 50% probability that a CQRC will arrive by 2039, which on the face of it would not be an immediate call to action. 

However, that estimate is not the complete story, which is why Mosca and Mulholland (2025), enhanced their methodology to estimate so-called ‘quantum risk’ or the recognition that critical assets will be at risk not least from so-called Harvest-Now-Decrypt-Later (HNDL) attacks, which NIST explains as

“Some secrets remain valuable for many years. Even if an adversary can’t crack the encryption that protects our secrets at the moment, it could still be beneficial to capture encrypted data and hold onto it, in the hopes that a quantum computer will break the encryption down the road. This idea is sometimes expressed as “harvest now, decrypt later” — and it’s one of the reasons computers need to start encrypting data with post-quantum techniques as soon as possible.”

In Figure 3, Mosca and Mulholland (2025) explain that HNDL “radically changes the timeline for the quantum threat. Sensitive information with long lifetimes in- transit today over public networks is at risk in this scenario”.

Figure 3 – Updated Estimate of Quantum Risk (Mosca and Mulholland 2025)

In short, Mosca and Mulholland, estimate that given the likelihood that while there it may be a 50% chance of a quantum computer being developed by about 2039, there is an 80% likelihood of some of a firm’s most sensitive resources being compromised by 2035!

It is hard to envisage the consequences of an ‘Harvest Now, Decrypt Later’ (HDNL) attack since it will be specific to each firm’s internal processes. For example, today, the most highly sensitive of information about a firm’s most important clients will be stored on computer files protected by some form of encryption, especially if that information is stored on the Cloud.  One can imagine how a firm’s most important clients would feel if the firm’s internal evaluation of the client’s viability and/or perceptions of its board and management governance were to be made public? Or imagine if clients of a firm could compare sensitive information about the profit margins of their respective deals with a client.

Some information really is ‘company confidential’.

So, in short, a cryptographically relevant quantum computer (CRQC) is likely to be developed some time in the second half of the 2030s by which time efforts to counteract threats, using Post-quantum Cryptography, ideally should be in place.

How Long will it take to Mitigate the Risks of a Quantum Computer?

The serious risks created by development of a CRQC will, of course, raise the obvious question – how long it will take to put in place the necessary Post-Quantum Cryptographic mitigation?

Unfortunately, the answer is ‘We do not know! Yet another piece of string!’ 

Figure 4 shows a depiction of some of those ‘pieces of string’, specially three ‘projects’ (more properly ‘programs’), the durations of which are unknown:

• Project A[6] – the time needed to complete the projected effort to develop a CRQC, which will ‘take as long as it takes’, and the end (i.e. Q-Day) is an external event outside of any control by individual firms;
• Project B – the time needed to complete an IDEAL Post-Quantum Cryptography Project; and
• Project C – the time needed to complete an UNACCEPTABLE Post-Quantum Cryptography Project.

We can see that ideally the time to complete Project B will be less than time for A, i.e. the Post-Quantum Cryptography transition project will be shorter than the time to build a CRQC and there will be some form of ‘Buffer’ to be- in changed systems before Q-Day. Hopefully, but not guaranteed, the longer the Buffer the lower the likelihood and severity of significant Operational Risk Losses will be.

On the other hand, the diagram shows Project C still incomplete when Q-Day occurs and will keep running until complete, all the time giving rise to unknown Operational Risks and threats to systemic Operational Resilience with such risks increasing until Project C runs to completion. And there will be not one, but many such unacceptable project across industries.

Figure 4 – Post-Quantum Project Transition Timetable and Risks

So, we can see that any Post-Quantum Cryptography Transition Project actually turns into a large, long but manageable Program Management problem and not one particularly dependent on either a deep knowledge of quantum mechanics nor the detail of Post-Quantum Cryptography and its algorithms.

What does a Post-Quantum Cryptography Transition Program look like?

Though terminology differs widely between regulators and interested parties, it is generally agreed that any Post-Quantum Transition Program will consist of three major phases:

1)     Analysis: during which the systems that need to be migrated are identified and the risks identified and quantified;

2)     Planning: based on the initial analyses, detailed plans for Post-Quantum Transition are developed and agreed by board and management; and

3)     Execution: during which detailed Post-Quantum solutions are implemented according to the agreed plan.

However, other parties also identify the need for two further phases:

4)     Understanding: the need for a Post-Quantum Transition Program involving extensive education of directors, management and staff, especially technology AND operational staff; and

5)     Reporting: of details of the transition program’s progress against agreed plans and updates on the status of risk limits to senior management and possibly regulators.

It should be noted in passing that these phases align closely with management standards, such as ‘ISO 31000 - Risk Management Process’ and the author argues that an appropriate standard should be adopted by management and integrated into the firm’s existing risk management organizational and reporting structures.

What needs to be done to Implement a Post-Quantum Cryptography Transition PROGRAM?

Again, the answer is that the time needed to implement Post-Quantum Cryptography Transition Program is ‘as long as a piece of string’!

But to give a flavour of some thinking by leading government and industry associations!

European Commission

In late 2025, the European Commission (2025) published a “Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography” which recommended an approach across the European Union to “start using a more complex form of cybersecurity, the so-called post-quantum cryptography (PQC).” The Commission laid out some targets not least:

By the end of 2026

• “All Member States initiate a national PQC transition strategy following First Steps by the end of 2026 and coordinate their efforts at the EU level.
• National PQC transition roadmaps [should] have been established by all Member States.
• PQC transition planning and pilots for high- and medium-risk use cases [should] have been initiated.”

And by the end of 2030:

• “The PQC transition for high-risk use cases has been completed.
• PQC transition planning and pilots for medium-risk use cases have been completed.
• Quantum-safe software and firmware upgrades are enabled by default.”

And by the end of 2035:

• “The PQC transition for medium-risk use cases has been completed.
• The PQC transition for low-risk use cases has been completed as much as feasible”.

In short, all of the high-risk Post-Quantum issues should be addressed across the European Union by 2030 and the medium-risks by 2035!

Canada

In 2025, the Canadian Government published its high Level framework and plan  for “Migrating the Government of Canada to Post-Quantum Cryptography” mandating that for all government IT infrastructure and systems under the control of SSC (Shared Services Canda), especially

• By April 2027, all departments including SSC must “develop a high-level PQC transition plan for to guide Phase 1 of the PQC transition of systems that use cryptography”;
• By April 2028, all departments including SSC “must Identify systems that are a high priority for migrating to PQC, such as those that are susceptible to a “harvest now, decrypt later” (HNDL) threat”;
• By April 2028, all departments including SSC “begin transitioning systems for which SSC is responsible to quantum-safe cryptography”.
• By the end of 2031, all departments and agencies, including SSC, must “Complete the PQC migration of high-priority systems.”
• By the end of 2035, all departments and agencies, including SSC, must “complete the PQC migration of remaining systems.”

In short, all of the high-risk Post-Quantum issues should be addressed across the Canadian government by 2031 and the remaining risks by 2035!

Note both of these high-level plans and objectives encompass an enormous amount of effort by multiple organizations across a decade – 2026 to 2035!

Australia

In 2023, he Australian Payment Network  (AusPayNet) the “self-regulatory body and industry association for payments” in Australia consisting of more than 150 members and participants commenced an “AES Migration Program” to

“design, development, and delivery of an industry-wide program to migrate the Australian card payments system from Triple Data Encryption Standard (TDES) to AES (Advanced Encryption Standard) cryptography standards.”

It should be noted that it is believed that the existing the TDES encryption standard used by AusPayNet can/will be broken by a Cryptographically Relevant Quantum Computer (CRQC).  However, it is also believed that the AES standard which although the algorithm uses similar symmetric algorithms BUT with a larger key length (256 bits) is considered secure (at least for now and long into the future). While this may not be in the spirit of PQC it is however is practical alternative, given that around 1 million ATMs and payment terminals have to be migrated across Australia. It is envisaged that the migration will take until 2030/2031.

A Bucket of Cold Water

Before moving on it is worth considering a few takeaways from the previous sections.

First, both the European Commission and the Canadian Government have announced plans to transition their most at-risk systems to Post-Quantum Cryptography compliance by 2031 and all but their least risky of their many thousands of systems by 2035!

On the other hand, in Australia, a focused effort in a small subset of the banking industry in a medium sized country, has estimated that a transition to a subset of the Post-Quantum problem for symmetric not asymmetric cryptographic algorithms will be completed by 2030/2031!

Is the Australian AusPayNet being very much overly cautious or are the European Commission and the Canadian government being overly optimistic?

Does it matter?

If it believed that some form of Cryptographically Relevant Quantum Computer will be available around 2035 or soon thereafter, then the answer will be YES, it does matter!

Something has to give!

Summary

It is just not known when a practical Quantum Computer will be built and made available to industry.  There is much work remaining to be done but progress, slow but spectacular, to that goal is apparent.

It is obvious however that, with the advent of such technology, many of the security and privacy protections that are today built into commercial systems will be inadequate as the ‘cryptographic algorithms’ that protect communications between firms can be broken by so-called Cryptographically Relevant Quantum Computers (CRQCs). And as a result, extremely sensitive information could be made available to adversaries, hackers, competitors and customers.

There are solutions, however – transitioning all existing ‘at-risk’ cryptographic algorithms in systems throughout a firm to use what is called Post-Quantum Cryptography (PQC).

However, this is much easier to say than to do!

For example, if a firm were to choose not to transition to new PQC standards but their customers and suppliers do make the transition, then, at some point, at the discretion of their partners, the firm will just cease to be able to communicate electronically and do business with them.  Furthermore, if a firm does choose to transition their systems to PQC standards but screws up the implementation, then again communications with customers and suppliers may go blind!

In short, transitioning to Post-Quantum Cryptography is a commercial imperative! 

And imagine the chaos that could ensue, if one or more of the world’s leading financial institutions go offline, even temporarily, and essential market functions such as payments and securities, cease to work, It could cause a systems-wide crisis.

So, transitioning to Post-Quantum Cryptography is a systemic and highly-risky imperative! 

But transitioning to Post-Quantum Cryptography within a firm and across an industry, such as Finance, is, because the downsides of operational error are so high, a highly risky project that must be approached with extreme diligence.

So, if a board of directors accepts that a useful Quantum Computer is inevitable, within or just outside their ‘strategic planning horizon’ and that workable solutions are indeed available, then they have little alternative but to initiate a Post-Quantum Transition Program.

 And arguably, since there is little downside to undertaking such a program, other than screwing it up, it is better for firms and regulators to begin the process sooner rather than later.

It has to be done, so delay, for the sake of delay, may be costly!

Appendix A – A Very Brief Primer on Quantum Computing

2025 was the 100th anniversary of the founding of the discipline of Quantum Mechanics (QM) by German theoretical physicist Werner Heisenberg, but 100 years later, while much of the theory has been validated by extensive experimentation, what it ‘means’ remains unclear.

The theories of quantum mechanics that underly Quantum Computing can lead extremely quickly down a very deep and very confusing rabbit hole which is hard to escape from. It is an Alice and Wonderland world which is bewilderingly counterintuitive: with sub-atomic particles or appearing to be:

• in multiple states at the same time (Quantum Superposition);
• or communicating across vast distances (Quantum Entanglement);
• or phenomena disappearing when measured (Quantum Decoherence);
• or phenomena amplifying the likelihood of correct answers (Quantum Interference).

Einstein famously called quantum mechanics, especially quantum entanglement, ‘spooky’, but it not at all ghostly as many of the theoretical predictions have been proven, albeit that there is little agreement about what it all actually means. Richard Feynman, a Nobel laurate for his work in the field, in discussing the counter-intuitive nature of QM said, "I think I can safely say that nobody understands quantum mechanics" and that comment remains relevant. For example, in 2025, the science magazine, Nature, asked 1,100 physicists to describe their favoured interpretation of Quantum Mechanics (i.e. what does it all mean?)  and “they disagreed wildly”!

However, it is the already proven combination of Quantum Superposition and Quantum Entanglement that enables the opportunities for massive parallelism that underpins the incredible potential of a quantum computer. Such a computer, and small ones have already been built, will consist of multiple circuits, called ‘qubits’, that when ‘entangled’ together can perform calculations at speeds exponentially higher than is possible with conventional computers, which are based on ‘bits’ that represent only two values 0 and 1[7].

However, building a workable QC runs slap bang into the phenomenon of Quantum Decoherence which makes any QC extremely sensitive to the minutest disturbance in the environment, such as changes in heat or electrical or magnetic interference. Any such disturbance will instantly ‘collapse’ or destroy any calculations that are in progress across a group of qubits. And importantly, as the number of connected qubits increases, the potential/likelihood of decoherence also increases, effectively putting a limit on the number of qubits that can be connected in a practical QC.

Nevertheless, in 2025, it is believed that the problem of decoherence can be solved by allocating some of the qubits in an QC as ‘error detection and correction’ circuits. For example, in conventional computing, the concept of a ‘check digit’, such as the final digit in a credit card number, is used to detect information that has been entered incorrectly.  However, correcting, as opposed to detecting errors, will require more qubits, such that the overall number of useful computing qubits in a QC will be, possibly significantly, reduced. However, leading researchers continue to actively advance initiatives in QC fault tolerance.

Thus, we can see that in 2025, there remains an enormous amount of work to do to build a single reliable quantum computer, never mind hundreds.  Although hundreds of potential quantum computers have been designed and some even built and operating at low levels, it is obvious that we are still some way off building a really useful quantum computer.

But there is considerable room for optimism such as the work of Microsoft in designing an integrated circuit that they claim will , one day in the future, contain 1 million qubit, although whether that particular approach will work remains an open question.

And, in mid-2025, Chinese researchers used a special type of quantum computer (a ‘D-Wave’), linked to conventional computers, to factor a very large integer, from a special class of such integers,  into its prime components ‘in an extremely short time’.  However, this breakthrough would not yet qualify as constituting ‘Q-Day’ but does indicate some progress in breaking RSA-2048 and illustrates the potential for combining the strengths of quantum and conventional computing to advance research in the field, bringing the solution of some classes of problems a little closer.

Appendix B – A Very Brief Primer on Post-Quantum Cryptography

Cryptography is the science of ‘hiding information’, with the word coming from ancient Greek – ‘kryptós’ meaning hidden or secret, and ‘graphein’ meaning to write.

Why would anyone want to hide writing? To keep secrets from adversaries or competitors, of course! 

Cryptography has a long history, back at least to the ancient Egyptians and later to the Romans where one of the first rudimentary ‘encryption[8]’ algorithms was used by Julius Caesar to communicate orders to his generals. An ‘algorithm’ is a set of rules for exchanging communications agreed between a ‘sender, such as Julius Caesar, and a receiver, such as Mark Antony, such that when encrypting a message replacing a letter (e.g. A) by the letter three places on in the alphabet (i.e. ‘C’).  This is the famous ‘Caesar’ algorithm, which is not good as it is very easy to break!

However, Instead of fixing the offset as ‘3’ one could agree to use a variable number N, which is called the ‘key’, that could be changed easily, for example using the day of the week, e.g. Sunday as 1 and so on or the birthday of the sender.  These are, of course, very trivial (if early real) examples and over the centuries many much more complex schemes have been devised to encrypt messages and have invariably been broken by clever ‘cryptanalysts’.

It goes without saying that, to be effective, any encryption algorithm, especially details of the ‘key’, must be kept secret between senders and receivers, for, if exposed, adversaries will be able to decrypt and act upon supposedly secret message, without senders nor receivers knowing.

For almost 20 centuries, more and more complicated encryption algorithms have been devised to keep military and diplomatic messages safe from being decoded by adversaries. Arguably, the high point of so-called ‘Classical’ encryption came during World War II when the supposedly unbreakable Enigma Code. This extremely complex code, used by the German High Command to communicate with their armies and navies around the world, was broken by cryptanalysts, at Bletchley Park in the UK, under the leadership of the pioneering information technologist Alan Turing[9].

Before discussing Modern Cryptography, it is worth noting the ideal characteristics of any cryptographic scheme, include:

• It must be relatively easy to encrypt long secret messages, so that that few errors occur;
• Given knowledge of the correct key(s), it must be relatively easy to decrypt long secret messages;
• However, without the correct key(s), it must be very difficult and time consuming to decrypt long secret messages;
• In short, encryption algorithms should be a simple as possible but not so simple that they can be broken easily – a very tough condition to meet;
• Keys should be kept securely and should ideally be exchanged between senders and receivers using mechanisms that are different to the algorithms used (e.g. diplomatic post);
• Those who encrypt messages (so-called ‘ciphers’) should ideally be kept physically distant from the so-called ‘cryptanalysts’, who decrypt messages so that no collusion can take place;
• Ideally, for the highest security, messages should be broken up into distinct ‘chunks’ and encryption and decryption undertaken independently;
• Encrypted text maintained for historical purposes should be kept separately to the original so-called ‘plain text’ and both should be stored securely so that historical data cannot be mined to detect patterns;
• It should be assumed that algorithms WILL be broken (by for example by ‘brute force’ analysis of multiple encrypted messages) so keys must be capable of being changed quickly and securely.

The key to all cryptography is to keep ‘keys’ and, as far as possible, algorithms, as secure, as possible!

However, in practice it is extremely difficult to achieve all of these ideal conditions at the same time. For example, in wartime messages must be encrypted and decrypted quickly under extreme pressure, for example under fire.

As with almost everything else, cryptography was revolutionized by the emergence of electronic computers and since the 1950s, new, faster and more secure methods of encryption, often based on complex mathematics, have been developed. One of the most important new, purely electronic cryptographic mechanisms developed was so-called ‘public/private’ or ‘asymmetric’ cryptography where a sender may encrypt a secret message using a receiver’s ‘public key’, in such a way that the receiver is the only one that can decrypt the message using their own ‘private key’. Although the receiver’s private key is created from the public key (via a ‘back door’ calculations) it is derived using complex mathematics, such as determining the prime factors of a very large number which, as it turns out, cannot be determined using ‘brute force’ by a conventional computer in a reasonable time.

In the 1970s, three US mathematicians Ron Rivest, Adi Shamir, and Leonard Adleman (RSA) invented the so-called RSA Algorithm using public/private key cryptography. This algorithm, using a ‘key length’ of 2048 bits (so-called RSA 2048) has become the most widely used and most successful standard for encrypting data that is communicated over the Internet because it cannot be broken by conventional computers in a reasonable time (taking centuries rather than minutes).

However, if RSA-2048 could be broken, then theoretically much of the data transmitted between, or held within, the world’s financial institutions and encrypted by RSA-2048, could become visible to competitors and adversaries.  The ability to break RSA-2048 encryption has become an industry benchmark for declaring a quantum computer to be ‘cryptographically relevant’, ushering in what has been called ‘Q-Day’.

In 1994, a US mathematician, Peter Shor, developed an algorithm for finding the prime factors of a large integer using a (yet to be built) quantum computer. Since algorithms such as RSA, rely on the difficulty of finding such prime factors, Shor’s algorithm would find such factors relatively easily and reliably, using a quantum computer and the phenomenon of ‘constructive interference’ to quickly home in on the ‘correct answer’. Shor’s algorithm can also be used to solve a related set of so-called discrete logarithm problems, which are embedded in other cryptographic algorithms, such as the Elliptic Curve Cryptography (ECC) algorithms used, for example, in Bitcoin.

This means that whenever a practical cryptographically relevant quantum computer is (eventually?) developed it will theoretically be capable of breaking algorithms such as RSA 2048 and ECC, quickly[10].

Such an announcement which is at the root of the Post-Quantum security problem with today’s Internet will likely be sudden and newsworthy, but the transition to reality will take some time.

There is however a solution, or set of solutions, to help resolve this problem! Stop using cryptographic algorithms that are capable of being broken by Shor’s algorithm and replace them by algorithms that cannot be broken by that algorithm.

Luckily, such so-called Post-Quantum algorithms do exist and, to their credit, the US National Institute of  Standards and Technology (NIST) have taken the lead in identifying possible so-called ‘quantum-resistant public-key cryptographic algorithms’[11].  In late 2016, the NIST initiated a formal  public process to solicit “nominations from any interested party for candidate algorithms to be considered for public-key post-quantum standards”.

In 2024, after an exhaustive and exhausting four rounds of submissions with extensive analysis and testing by industry experts, NIST selected three candidates for encryption and digital signature standardisation and, in 2025, added a fourth candidate for standardisation of a so-called Key Encapsulation Mechanism (KEM). Note all of these algorithms are ‘open source’ and can be inspected and tested by any interested party (including adversaries!).

For encryption and creating digital signatures, NIST has selected so-called ‘Lattice-based’ algorithms which are based on the problem of finding the ‘shortest vector’ in a large group of numbers arranged in a multi-dimensional ‘lattice’. It is known that such a problem is ‘NP hard’, i.e. difficult to solve using conventional and quantum computers.

Having determined that such algorithms should be standardised for ‘quantum-resistant public-key cryptographic algorithms’, NIST is also leading the charge on standardising how these algorithms may be implemented securely.

But what if someone, in the future, discovers an algorithm that can break Lattice algorithms using a quantum or even a conventional computer?

Will we have to go through this whole process again? The answer of course is Yes, it is a possibility and, in the future, a near certainty!

A partial answer to that on-going and very real problem is to ensure that the changes being made to introduce the first round of PQC algorithms are implemented in such a way that they are sufficiently isolated from the computer systems that use the algorithms and that switching in a new set of Post-Post-Quantum algorithms in future will be easier. This means, in effect, separating the USE of cryptographic algorithms from the cryptographic algorithms themselves. This is an IT architectural and technical problem known as Cryptographic Agility which must be addressed as part of the implementation of any Post-Quantum program.

References

Buchanan, W. J., 2017, Cryptography (Gistrup, Denmark: River Publishers)

Government of Canada, 2025, “Migrating the Government of Canada to Post-Quantum Cryptography: Security Policy Implementation Notice.” https://www.canada.ca/en/government/system/digital-government/policies-standards/spin/migrating-government-canada-post-quantum-cryptography.html

European Commission, 2025, “A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography | Shaping Europe’s Digital Future.” https://digital-strategy.ec.europa.eu/en/library/coordinated-implementation-roadmap-transition-post-quantum-cryptography/

Kohno, T., N. Ferguson and B. Schneier, 2010, Cryptography Engineering: Design Principles and Practical Applications (Indianapolis, IN: Wiley)

McConnell, P.J. 2025, Digital Money: Operational Risks and the Threats to Operational Resilience. Risk Books, Infopro Digital Services Limited, London.

Michael W. , 2021, TLS Mastery. IT Mastery Series. Tilted Windmill Press.

Mosca, M, and J. Mulholland., 2025, “An Updated Methodology for Quantum Risk Assessment.” https://globalriskinstitute.org/publication/an-updated-methodology-for-quantum-risk-assessment/

Murphy, S. and F. C. Piper, 2002, Cryptography: A Very Short Introduction (Oxford: Oxford University Press).

National Institute of Standards and Technology, 2024, “What Is Post-Quantum Cryptography?” https://www.nist.gov/cybersecurity/what-post-quantum-cryptography.

National Institute of Standards and Technology, 2025, “Migration to Post-Quantum Cryptography | NCCoE.” https://www.nccoe.nist.gov/crypto-agility-considerations-migrating-post-quantum-cryptographic-algorithms.

Turing, D., 2018, X, Y & Z: The Real Story of How Enigma Was Broken (Cheltenham, England: History Press).

[1] And note adversaries need not own a QC merely be able to purchase computer time on such a service.

[2] You can see TLS/SSL in action. if you use the option HTTPS protocol to access a web-site. This can be detected by clicking on the ‘Lock’ symbol alongside the HTTPS address which will give details of the security mechanisms employed to protect information exchanged between your browser and the owner of the site being accessed.

[3] If needed, a detailed but fairly readable description of TLS/SSL can be found in Lucas (2021).

[4] It should be noted that exact solutions to the TSP for some known topographies already exist, running on conventional super computers, but more general and larger routes are still elusive.

[5] The famous Y2K event was when computers around the world were supposed to fail at EXACTLY at midnight on 31st December 1999, but the event turned out to be a damp squib as there were few reported instances of failures. Arguably, Y2K hype was driven by a failure to properly identify just what risks would be triggered by such an event and some will use Y2K to downplay the very real risks of Q-Day.

[6] The terms A, B and C are analogous to term terms used in used as in Mosca’s Inequality X+Y > Z where A=Z, (i.e. ‘time to delivery of a CRQC’) and A and B are variants of Y (‘time to complete mitigation’.  The X term is assumed in practice to be equal to Y as some transition will always be needed.

[7] Think of a ‘qubit’ as being like one of today’s fastest supercomputers (but faster because they operate at the sub-atomic level) with hundreds (eventually thousands) of super-fast qubits linked together to work on a single calculation.

[8] Encryption is where a piece of secret text, such as a military order, is scrambled (encrypted) using a pre-agreed shared ‘key’ and ‘algorithm’ and which is (hopefully) unknown to anyone but the receiver who can unscramble (decrypts) it, using the shared secret key.

[9] For a short history of both Classical and Modern Cryptography see Chapters 14 and 15 of McConnell (2025).  For a good history of Bletchley Park see Turing, D., 2018, X, Y & Z: The Real Story of How Enigma Was Broken (Cheltenham, England: History Press).

[10] Cryptography is an enormous and complex discipline and there are numerous books that explain the topic in detail, including – Buchanan (2017), Kohno, Ferguson and Schneier (2010) and Murphy and Piper (2002)

[11] There is an enormous amount of information on Post-Quantum Cryptography (PQC) maintained by the NIST at https://csrc.nist.gov/projects/post-quantum-cryptography