Understanding Post-Quantum Technology

🔐Word o’ the Day | Year | Decade: Crypto-agility, Baby! Yesterday morning, I did a fun fireside chat with Bethany Gadfield - Netzel at the FIA, Inc. Expo in Chicago. We talked about cyber resilience, artificial intelligence, Rubik’s cubes, and that thing called quantum! A question came up at the end, “What can firms actually do today to begin transitioning to post-quantum cryptography?” So thought I would take the opportunity to share my thoughts more broadly on this important, but not super well understood, topic: 1. Don’t wait. The clock for quantum-safe cryptography is already ticking. NIST released its first set of post-quantum standards last year (https://lnkd.in/esTm8uPw) and CISA put out a “Strategy for Migrating to Automated Post-Quantum Discovery and Inventory Tools” last year as part of its broader Post Quantum Cryptography (PQC) Initiative (https://lnkd.in/evpF4umv). h/t Garfield Jones, D.Eng.! 2. Inventory & prioritize. Map all cryptographic usage: what keys, certificates, protocols, and data streams exist today? Which assets hold long-lived value and are at risk of “harvest-now, decrypt-later”? Build a migration roadmap that prioritizes highest-risk systems (e.g., financial settlement platforms, inter-bank links, legacy encryption). 3. Establish crypto-agility. Ensure your architecture supports swapping algorithms, updating certificates, & layering classical + post-quantum primitives without a full system rebuild. This kind of flexibility is key for resilience. 4. Pilot and migrate. Use the new NIST-approved algorithms; experiment first on less time-sensitive systems, validate performance and interoperability, then scale to mission-critical applications. NIST’s IR 8547 report provides a framework for this transition. 5. Vendor & supply-chain alignment. Ask your vendors & service providers: “What’s your PQC transition plan? When will you support NIST-approved post-quantum algorithms? Are your update paths crypto-agile?” If the answer isn’t clear or (as a former boss of mine used to say) they look at you like a “pig at a wristwatch,” you’ve got a potentially serious third-party risk. 6. Board and Exec engagement. Position this not as an IT problem but a fiduciary risk and resilience imperative. The transition to quantum-safe cryptography is multi-year and multi-layered—waiting until it’s urgent means it will be too late.

Post-Quantum Cryptography (PQC): Why We Must Prepare Before Quantum Computers Arrive What exactly is PQC? Is it a tool? An attack? A new policy? Let’s make it clear. PQC (Post-Quantum Cryptography) is not a product or software you install. It’s a new generation of cryptographic algorithms designed to protect our data from the power of future quantum computers. Every secure connection we make today from online banking to VPNs relies on mathematical problems like RSA or Elliptic Curve Cryptography (ECC). These are strong today because even the world’s fastest supercomputer would take years to break a 2048-bit RSA key. But a quantum computer doesn’t work like a traditional one. It doesn’t calculate with just 1s and 0s. Instead, it uses qubits capable of existing in multiple states at once. This means quantum computers can process massive parallel calculations that our current machines can’t. That’s where the concern begins. Algorithms like RSA and ECC can be broken in hours or days using quantum algorithms such as Shor’s algorithm. I give you example, imagine your bank’s SSL certificate that secures online transactions today. It uses RSA-2048. If a threat actor records that encrypted traffic today and in a few years gets access to a quantum computer they could decrypt that communication easily. This is called “Harvest Now, Decrypt Later”. It means attackers can steal your encrypted data now, store it and decrypt it in the future once they have quantum power. For organisations like banks, government agencies or healthcare providers this is a huge risk. Sensitive data must remain confidential for decades. So what is PQC really? PQC is the next wave of encryption standards that are resistant to quantum attacks. Instead of relying on problems like factorisation, PQC algorithms use lattice-based, code-based or hash-based methods that even a quantum computer can’t easily solve. In fact, NIST has already announced its first three official PQC standards this year a sign that the transition is already happening globally. Quantum computing will change everything. It’s not about fear it’s about readiness. PQC is our way of ensuring that even when quantum arrives, our communications, banking, healthcare and national data remain protected. The future of cybersecurity will not just be about detecting attacks, but about securing cryptography before it becomes breakable.

NIST – Migration to Post-Quantum Cryptography Quantum Readiness outlines a comprehensive framework for transitioning cryptographic systems to post-quantum cryptography (PQC) in response to the emerging threat of quantum computers. Quantum technology is advancing rapidly and poses a significant risk to current public-key cryptographic methods like RSA, ECC, and DSA. This guide aims to assist organizations in preparing for and implementing PQC to safeguard sensitive data and critical systems. Key Points  The Quantum Threat Quantum computers are expected to disrupt cryptography by efficiently solving mathematical problems that underpin widely used encryption and key exchange methods. This would render current public-key systems ineffective in protecting sensitive data, emphasizing the need for cryptographic agility.  NIST PQC Standards NIST is spearheading efforts to standardize quantum-resistant algorithms through an open competition and evaluation process. These algorithms, designed to withstand quantum attacks, focus on two primary areas: 1. Key Establishment: Protecting methods like Diffie-Hellman and RSA key exchange. 2. Digital Signatures: Securing authentication processes.  Migration Framework The document provides a phased approach to migrating cryptographic systems to PQC: 1. Assessment Phase:    - Inventory cryptographic dependencies in current systems.    - Evaluate systems at risk from quantum threats based on sensitivity and lifespan. 2. Preparation Phase:    - Conduct pilot testing of candidate PQC algorithms in existing infrastructure.    - Develop a hybrid approach that combines classical and post-quantum algorithms to ensure interoperability during transition. 3. Implementation Phase:    - Replace vulnerable cryptographic methods with PQC in a phased manner.    - Ensure scalability, performance, and compatibility with existing systems. 4. Monitoring and Updates:    - Continuously monitor the effectiveness of implemented solutions.  Challenges in PQC Migration - Performance Impact: PQC algorithms often have larger key sizes, increased latency, and greater computational demands compared to classical algorithms. - Interoperability: Ensuring smooth integration with legacy systems poses significant technical challenges.  Best Practices - Use hybrid encryption to maintain compatibility while testing PQC algorithms. - Engage in collaboration with vendors, industry groups, and government initiatives to align with best practices and standards. Conclusion The transition to post-quantum cryptography is a proactive measure to secure data and communications against future threats. NIST emphasizes the importance of starting preparations immediately to mitigate risks and ensure a smooth, efficient migration process. Organizations should focus on inventorying dependencies, piloting PQC solutions, and developing cryptographic agility to adapt to this transformative technological shift.

Three weeks ago, our Devsinc security architect, walked into my office with a chilling demonstration. Using quantum simulation software, she showed how RSA-2048 encryption – the same standard protecting billions of transactions daily – could theoretically be cracked in just 24 hours by a sufficiently powerful quantum computer. What took her classical computer billions of years to attempt, quantum algorithms could solve before tomorrow's sunrise. That moment crystallized a truth I've been grappling with: we're not just approaching a technological evolution; we're racing toward a cryptographic apocalypse. The quantum computing market tells a story of inevitable disruption, surging from $1.44 billion in 2025 to an expected $16.22 billion by 2034 – a staggering 30.88% CAGR that signals more than market enthusiasm. Research shows a 17-34% probability that cryptographically relevant quantum computers will exist by 2034, climbing to 79% by 2044. But here's what keeps me awake at night: adversaries are already employing "harvest now, decrypt later" strategies, collecting our encrypted data today to unlock tomorrow. For my fellow CTOs and CIOs: the U.S. National Security Memorandum 10 mandates full migration to post-quantum cryptography by 2035, with some agencies required to transition by 2030. This isn't optional. Ninety-five percent of cybersecurity experts rate quantum's threat to current systems as "very high," yet only 25% of organizations are actively addressing this in their risk management strategies. To the brilliant minds entering our industry: this represents the greatest cybersecurity challenge and opportunity of our generation. While quantum computing promises revolutionary advances in drug discovery, optimization, and AI, it simultaneously threatens the cryptographic foundation of our digital world. The demand for quantum-safe solutions will create entirely new career paths and industries. What moves me most is the democratizing potential of this challenge. Whether you're building solutions in Silicon Valley or Lahore, the quantum threat affects us all equally – and so does the opportunity to solve it. Post-quantum cryptography isn't just about surviving disruption; it's about architecting the secure digital infrastructure that will power humanity's next chapter. The countdown has begun. The question isn't whether quantum will break our current security – it's whether we'll be ready when it does.

Most quantum boardroom conversations end without an agenda. They end with a posture — "we're monitoring quantum developments," "we're taking it seriously". Neither statement produces a plan. The distinction matters because quantum creates three problem classes, each with a different urgency and a different cost of inaction. A generic posture misaddresses all three at once. The right response, for most leadership teams, has three parts. The first is to defend now. Post-quantum cryptography belongs on the enterprise risk agenda as a current priority. That means building visibility into cryptographic dependencies across the enterprise, identifying migration priorities, and mapping third-party exposure. This is the part of the quantum agenda that cannot wait. The second is to explore selectively. Most leadership teams do not need a wide portfolio of quantum pilots. They need a small number of focused efforts on high-value problems where the workload aligns with quantum's actual strengths — evaluated against the strongest available classical alternative. Each effort should be a targeted test: one specific problem, one clear classical benchmark, one honest evaluation. The third is to build options. For companies in simulation-relevant sectors — pharmaceuticals, advanced materials, energy — the right posture is modest investment in partnerships and early hardware collaborations. The goal is R&D workflows that are ready to integrate quantum subroutines when the technology matures. The companies that benefit most will not necessarily be those spending the most today. They will be the ones best positioned to move when the moment arrives. The most common failure on quantum is conflating the urgency of the three classes — treating all three as equally distant or equally immediate, when each has a different clock running. The organizations that get this right understand early which problem classes matter to their business, which ones to set aside, and what the distinction demands of them starting Monday morning. https://lnkd.in/gkymW7Xm

𝗗𝗮𝘆 𝟴: 𝗗𝗮𝘁𝗮 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗮𝗻𝗱 𝗣𝗼𝘀𝘁 𝗤𝘂𝗮𝗻𝘁𝘂𝗺 𝗥𝗲𝗮𝗱𝗶𝗻𝗲𝘀𝘀 In today’s hyper-connected world, data is the new currency and the perimeter, and it is essential to safeguard them from Cyber criminals. The average cost of a data breach reached an all-time high of $4.88 million in 2024, a 10% increase from 2023. Advances in 𝗾𝘂𝗮𝗻𝘁𝘂𝗺 𝗰𝗼𝗺𝗽𝘂𝘁𝗶𝗻𝗴 further threaten traditional cryptographic systems by potentially rendering widely used algorithms like public key cryptography insecure. Even before large-scale quantum computers become practical, adversaries can harvest encrypted data today and store it for future decryption. Sensitive data encrypted with traditional algorithms may be vulnerable to retrospective attacks once quantum computers are available. As quantum technology evolves, the need for stronger data protection grows. Google Quantum AI recently demonstrated advancements with its Willow processors, which 𝗲𝗻𝗵𝗮𝗻𝗰𝗲𝘀 𝗲𝗿𝗿𝗼𝗿 𝗰𝗼𝗿𝗿𝗲𝗰𝘁𝗶𝗼𝗻 𝘂𝘀𝗶𝗻𝗴 𝘁𝗵𝗲 𝘀𝘂𝗿𝗳𝗮𝗰𝗲 𝗰𝗼𝗱𝗲. These breakthroughs underscore the growing efficiency and scalability of quantum computers. To address these threats, Enterprises are turning to 𝗮𝗴𝗶𝗹𝗲 𝗰𝗿𝘆𝗽𝘁𝗼𝗴𝗿𝗮𝗽𝗵𝘆 to prepare for Post Quantum era. Proactive Measures for Agile Cryptography and Quantum Resistance: 1. 𝗔𝗱𝗼𝗽𝘁 𝗣𝗼𝘀𝘁-𝗤𝘂𝗮𝗻𝘁𝘂𝗺 𝗔𝗹𝗴𝗼𝗿𝗶𝘁𝗵𝗺𝘀 Transition to NIST-approved PQC standards like CRYSTALS-Kyber, CRYSTALS-Dilithium, Sphincs+. Use hybrid cryptography that combines classical and quantum-resistant methods for a smoother transition. 2. 𝗗𝗲𝘀𝗶𝗴𝗻 𝗳𝗼𝗿 𝗔𝗴𝗶𝗹𝗶𝘁𝘆 Avoid hardcoding cryptographic algorithms. Implement abstraction layers and modular cryptographic libraries to enable easy updates, algorithm swaps, and seamless key rotation. 3. 𝗔𝘂𝘁𝗼𝗺𝗮𝘁𝗲 𝗞𝗲𝘆 𝗠𝗮𝗻𝗮𝗴𝗲𝗺𝗲𝗻𝘁 Use Hardware Security Modules (HSMs) and Key Management Systems (KMS) to automate secure key lifecycle management, including zero-downtime rotation. 4. 𝗣𝗿𝗼𝘁𝗲𝗰𝘁 𝗗𝗮𝘁𝗮 𝗘𝘃𝗲𝗿𝘆𝘄𝗵𝗲𝗿𝗲 Encrypt data at rest, in transit, and in use with quantum resistant standards and protocols. For unstructured data, use format-preserving encryption and deploy data-loss prevention (DLP) tools to detect and secure unprotected files. Replace sensitive information with unique tokens that have no exploitable value outside a secure tokenization system. 5. 𝗣𝗹𝗮𝗻 𝗔𝗵𝗲𝗮𝗱 Develop a quantum-readiness strategy, audit systems, prioritize sensitive data, and train teams on agile cryptography and PQC best practices. Agile cryptography and advanced data devaluation techniques are essential for protecting sensitive data as cyber threats evolve. Planning ahead for the post-quantum era can reduce migration costs to PQC algorithms and strengthen cryptographic resilience. Embrace agile cryptography. Devalue sensitive data. Secure your future. #VISA #PaymentSecurity #Cybersecurity #12DaysofCyberSecurityChristmas #PostQuantumCrypto

Last week, the first mandatory post-quantum cryptography (#PQC) deadline took effect in the United States. Not for #defense contractors. Not for intelligence agencies. But for the blockchain and digital asset sector to implement Post-Quantum Cryptography (PQC) standards (specifically FIPS203 and 204). And most companies did not notice. This is the first sector-wide mandatory enforcement of quantum-resistant standards, aimed at neutralizing "Harvest Now, Decrypt Later" risks. That is the pattern I have watched repeat across six countries and three technology waves over thirty years. The compliance mandate never arrives where you expect it. It starts in an adjacent sector. Then it cascades through supply chain requirements until it reaches your procurement office with a deadline you never planned for. The technology is never the bottleneck. The bridge to the factory floor is. If your B2B payment systems, automated procurement platforms, or intellectual property repositories touch digital infrastructure governed by FIPS 203 and 204 standards, the compliance clock is already running (and we need to have a chat). This is not a #cybersecurity story. It is a supply chain qualification story. The economic question every company should be asking right now: what is the cost of being disqualified from a prime contractor’s approved vendor list because your cryptographic infrastructure did not meet standards that already exist? For a USD $200M manufacturer with 40% of revenue from a single prime, that is a USD $60M revenue protection question. The economics of inaction are no longer theoretical. #QuantumEconomics #ComplianceCascade #ManufacturingLeadership #SupplyChainSecurity #PostQuantum #Y2Q

Quantum risk will not break the network first. It will break trust first. The OSI model still explains how data moves. In a post-quantum world, it also becomes a useful lens for understanding where trust dependencies are embedded across protocols, identities, endpoints, applications, firmware, and management planes. Most leaders still look at the OSI stack as a classroom model. I look at it as an exposure map. Quantum computing does not pressure every layer equally. The most immediate pressure falls on quantum-vulnerable public-key mechanisms used for key establishment and digital signatures, including PKI, certificates, TLS handshakes, VPN key exchange, software signing, and related trust services. NIST finalized its first three post-quantum cryptography standards in 2024 and is encouraging organizations to begin transitioning now. That matters because long-lived sensitive data is already exposed to a harvest now, decrypt later risk models. NIST’s migration work specifically calls out TLS as one of the most widely deployed security protocols and a prime target for that threat. When you map that back to the OSI model, the message is clear: The problem is not Layer 1 cabling. It is the cryptographic trust fabric spanning protocols, identities, endpoints, applications, firmware, and management planes that still depends on quantum-vulnerable public-key cryptography. That is why this is not just a cryptography discussion. It is an enterprise architecture discussion. A PKI discussion. A certificate lifecycle discussion. A software signing discussion. A vendor governance discussion. An OT and IoT lifecycle discussion. NIST guidance and CISA’s OT-focused post-quantum materials both point organizations toward first identifying where quantum-vulnerable cryptography exists across hardware, software, services, firmware, PKI, IT, OT, and vendor dependencies before trying to migrate. For boards and executive teams, the real questions are straightforward: Do we know where we use quantum-vulnerable public-key cryptography? Do we know which data must remain confidential longer than our migration window? Do we know which OT, IoT, and embedded assets are not crypto-agile enough to adapt? Do our vendors have a credible roadmap for PQC in certificates, TLS, VPNs, browsers, firmware, and signing? The OSI model still explains how data moves. In 2026, it can also help explain where trust dependencies may fail first if cryptographic migration is delayed. Quantum readiness is not about hype. It is about rebuilding the trust layer before the threat catches up. #Cybersecurity #PostQuantumCryptography #EnterpriseArchitecture

What Is Post-Quantum Cryptography (PQC) — and What It Is Not Post-Quantum Cryptography (PQC) refers to cryptographic algorithms designed to remain secure even if large-scale quantum computers become practical. Let’s clarify something important: PQC is not quantum cryptography. It does not require quantum hardware. It runs on classical computers, just like RSA and ECC do today. The difference lies in the mathematics. RSA and ECC rely on problems like factoring and discrete logarithms — which Shor’s algorithm can solve efficiently on a quantum computer. PQC shifts to different hard problems. Instead of number theory, it uses structures like lattices, error-correcting codes, hash functions, and multivariate equations — problems for which no efficient quantum attacks are known. So PQC is not futuristic science fiction. It’s a proactive redesign of digital trust. The goal is simple: Keep today’s systems running — while making sure they remain secure tomorrow. PQC is not about panic. It’s about preparation. #PostQuantum #PQC #Cryptography #QuantumComputing #CyberSecurity

I've given talks about Post Quantum Cryptography the past few years and pretty much everyone has appreciated the heads up, for those that haven't made it to a talk here are the highlights of what you need to do to prepare for Quantum Computers. 1) Build organizational readiness: • Educate and align the C-suite on the urgency of quantum risk and make the business case for a multi-year investment, i.e. get budget. • Identify personnel responsible for migration execution across different teams, i.e. assign a point person for this project. 2) Discover what you have and assess if the systems are ready: • Get an inventory of you hardware and software assets to identify encryption protocols and categorize them (PQ ready, depreciated, really old). • Assess whether hardware assets have sufficient compute to support PQC algorithms (most systems will but the OS might not be ready) • Figure out which systems will require upgrades or replacements. • Identify vendors and partners that you use and discuss their PQC roadmaps, migration support capabilities. [This one is key, talk to your vendors, find out what they are doing, or not doing!] 3) Begin getting Quantum ready • Buy the hardware / software and replace or upgrade whatever does not support PQ cryptography • Test things! Run proof-of-concept deployments in controlled environments (i.e. your test environment) and use a hybrid approach that combine current and post-quantum algorithms. 4) Deploy Quantum ready solutions • Roll out your solutions / new hardware & software in phases, starting with your high priority systems (Duh). • Ensure configurations enforce quantum-safe algorithms by default and automatically block deprecated algorithms when possible (this will be harder than you might think). • Update your security policies to manage both current and quantum-safe network traffic as you transition. • For the old stuff you can't get rid of, use proxy solutions to make IoT devices (like hospitals, manufacturing, etc.) quantum-ready until they can be updated directly. Last but not least, be prepared to change encryption schemes going forward, what we call, Crypto Agility. 5) Keep patching your stuff • Now that you have a list of your hardware and software and what kind of encryption is uses, do this: • Monitor your inventory for vulnerabilities or new threats. Keep in mind that PQ standards are new and they will likely change over time. • Establish a process to replace or update vulnerable algorithms There, you've now just read my talk, but you missed all my jokes and fun stories, but you got the details / important take aways. 😃 😁 😀 If you want the Internal Control Questionnaire (#ICQ) I put together for some auditor friends, message me here and I'll send it to you.