Post-Quantum Cryptography 2026: The Timeline That Matters

The post-quantum cryptography transition in 2026 — NIST's finalized standards (ML-KEM, ML-DSA, SLH-DSA), why current encryption is at risk from quantum computers, the harvest-now-decrypt-later threat, and what organizations need to do.


By Rashid Ali

Technology & Digital Trends Writer


Updated June 15, 2026

9 min read

Quantum computer visualization with cryptography symbols — post-quantum cryptography 2026

Expert Summary

  • NIST finalized its first post-quantum cryptography standards in August 2024 — ML-KEM (key encapsulation), ML-DSA (signatures), and SLH-DSA (hash-based signatures) are now the recommended algorithms for quantum-resistant encryption.
  • The "harvest now, decrypt later" (HNDL) attack is an immediate threat even though cryptographically-relevant quantum computers don't exist yet — adversaries are collecting encrypted data today to decrypt it once quantum capabilities arrive.
  • CISA and NSA have issued directives for US federal agencies to begin PQC migration by 2027; most enterprise migrations will take 3–5 years.

Post-quantum cryptography (PQC) is transitioning from a research problem to an operational reality. NIST has finalized its standards, government agencies have issued migration directives, and the window for "planning" is closing. Here is what the threat actually is and what the practical migration looks like.

Why Current Encryption Is at Risk

Most internet security relies on two mathematical problems that are computationally hard for classical computers:

  1. RSA (and similar): Factoring the product of two large prime numbers. Hard for classical computers; a sufficiently powerful quantum computer using Shor's algorithm can solve it efficiently.

  2. Elliptic curve cryptography (ECDH, ECDSA): Solving the elliptic curve discrete logarithm problem. Also vulnerable to Shor's algorithm.

These algorithms protect HTTPS connections, SSH keys, digital certificates, VPNs, file encryption, and code signing.

What "break" means in practice: An attacker with a cryptographically-relevant quantum computer (CRQC) could:

  • Decrypt historical TLS traffic that was recorded in passive collection
  • Forge code signing certificates, making malware appear legitimate
  • Compromise PKI infrastructure — the root of trust for the internet
  • Break encrypted storage if the private keys are accessible

The Current Quantum Computer Reality

It is important to separate marketing from engineering reality:

What exists in 2026:

  • Google's Willow chip (2024): 105 physical qubits with sub-threshold error correction
  • IBM Condor (2023): 1,121 physical qubits
  • Multiple systems from IonQ, Quantinuum, PsiQuantum

What is needed to break RSA-2048:

  • Approximately 4,000 error-corrected logical qubits (Preskill estimate)
  • Each logical qubit requires hundreds to thousands of physical qubits for error correction
  • Current best systems: dozens of error-corrected logical qubits

The gap: We are many years from a CRQC. IBM's publicly stated roadmap shows 100,000+ physical qubits by 2033, which may enable hundreds of logical qubits — still short of what's needed to break RSA-2048.

Why act now:

  1. Harvest now, decrypt later — adversaries are collecting data today
  2. Migration takes years — replacing cryptography in all systems is a 3–5 year project
  3. Regulatory requirements — US federal mandates are driving timelines

NIST's Post-Quantum Standards (August 2024)

NIST finalized three PQC standards in August 2024, addressing the two primary cryptographic functions:

Key Encapsulation (replacing ECDH/RSA for key exchange)

ML-KEM (Module Lattice Key Encapsulation Mechanism, FIPS 203)

  • Based on CRYSTALS-Kyber algorithm
  • Replaces ECDH in TLS, VPNs, and encrypted messaging key exchange
  • Already deployed in Chrome (X25519Kyber768), Cloudflare, Signal

Digital Signatures (replacing ECDSA/RSA for signing)

ML-DSA (Module Lattice Digital Signature Algorithm, FIPS 204)

  • Based on CRYSTALS-Dilithium
  • Replaces ECDSA in code signing, certificate authorities, document signing
  • Recommended for most signature applications

SLH-DSA (Stateless Hash-Based Digital Signature Algorithm, FIPS 205)

  • Based on SPHINCS+
  • Hash-based signatures with different security assumptions than lattice algorithms
  • Recommended as a backup/alternative when algorithm diversity is prioritized

Additional algorithm (FIPS 206, early 2025):

  • FN-DSA (FALCON-based) — compact signature sizes, optimized for constrained environments

The Migration Roadmap

Federal Government Timeline (US)

Milestone                                              Deadline
Complete cryptographic inventory                       2024 (past)
Begin PQC testing in non-critical systems              2025
Deploy hybrid PQC/classical for high-priority systems  2027
Complete migration for national security systems       2030
Full migration for all federal systems                 2035

CISA's "Post-Quantum Cryptography Initiative" provides specific guidance for each agency, tied to the sensitivity and longevity of data they protect.

Enterprise Migration Steps

Step 1: Cryptographic inventory

Map all public-key cryptography in your environment:

  • TLS certificates (internal and external)
  • SSH keys for server access
  • Code signing certificates
  • VPN infrastructure
  • Encrypted storage with public-key derived keys
  • Hardware security modules (HSMs)

Tools: CyberArk Certificate Manager, Venafi, open-source tools like cryptograph and certigo

Step 2: Prioritize by risk

  • High priority: Systems holding data that must remain confidential beyond 5–10 years
  • Medium priority: Authentication systems (where a quantum break would require active exploitation, not passive decryption)
  • Lower priority: Short-lived ephemeral keys

Step 3: Deploy hybrid TLS

For TLS connections (HTTPS, VPN), deploy hybrid key exchange that combines classical ECDH with ML-KEM. This protects against HNDL attacks on current traffic without breaking compatibility with non-PQC clients.

Chrome 124+ supports X25519Kyber768 by default. Cloudflare has deployed hybrid PQC across its edge network.
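The hybrid exchange Step 3 describes, as an added example that is not from the article or from any product it names: the client sends an X25519 share plus an ML-KEM-768 encapsulation key, the server answers with its own X25519 share plus an ML-KEM ciphertext, and both shared secrets feed one key derivation. It assumes Go 1.24 or later for the standard-library crypto/mlkem and crypto/hkdf packages and uses a made-up HKDF info label; real TLS 1.3 feeds the concatenated secrets into its own key schedule instead of a separate HKDF call.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must keeps the example short; production code would return the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Combine derives the session key from both shared secrets in one HKDF call, so
// recovering it requires breaking X25519 AND ML-KEM-768: a handshake recorded
// today is not exposed by a future CRQC that only defeats the ECDH half.
func Combine(ecdhSecret, kemSecret []byte) []byte {
	ikm := append(append([]byte{}, ecdhSecret...), kemSecret...)
	return must(hkdf.Key(sha256.New, ikm, nil, "hybrid x25519+mlkem768 example", 32))
}

// HybridHandshake runs both sides in one process and returns each side's
// session key; only the values named *Wire would cross the network.
func HybridHandshake() (clientKey, serverKey []byte) {
	curve := ecdh.X25519()
	// Flight 1 (client -> server): X25519 public key + ML-KEM-768 encapsulation key.
	cEcdh := must(curve.GenerateKey(rand.Reader))
	cKem := must(mlkem.GenerateKey768())
	cPubWire, ekWire := cEcdh.PublicKey().Bytes(), cKem.EncapsulationKey().Bytes()
	// Server: ECDH against the client's key, encapsulate to its ML-KEM key, derive.
	sEcdh := must(curve.GenerateKey(rand.Reader))
	sEcdhSecret := must(sEcdh.ECDH(must(curve.NewPublicKey(cPubWire))))
	sKemSecret, ctWire := must(mlkem.NewEncapsulationKey768(ekWire)).Encapsulate()
	serverKey = Combine(sEcdhSecret, sKemSecret)
	// Flight 2 (server -> client): X25519 public key + ML-KEM ciphertext.
	sPubWire := sEcdh.PublicKey().Bytes()
	// Client: ECDH against the server's key, decapsulate the ciphertext, derive.
	cEcdhSecret := must(cEcdh.ECDH(must(curve.NewPublicKey(sPubWire))))
	cKemSecret := must(cKem.Decapsulate(ctWire))
	clientKey = Combine(cEcdhSecret, cKemSecret)
	return clientKey, serverKey
}

func main() { ck, sk := HybridHandshake(); fmt.Printf("keys match: %v\n", string(ck) == string(sk)) }
```

A non-PQC client would simply omit the ML-KEM half of the key share and the server would fall back to plain X25519, which is the compatibility property the step relies on.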

Step 4: Migrate certificate infrastructure

Most enterprises have 3–5 year timelines for full PKI migration. Start with internal certificate authorities. External-facing certificates depend on CA/Browser Forum adoption timelines for ML-DSA in publicly trusted certificates.

Important note

CISA specifically warns that "harvest now, decrypt later" attacks represent an immediate threat to classified and sensitive government data. Organizations handling data requiring confidentiality beyond 2030 should treat PQC migration as a current priority, not a future one.

Source: CISA Post-Quantum Cryptography Initiative, 2025


When will quantum computers be able to break current encryption?

Most cryptographers estimate a CRQC capable of breaking RSA-2048 requires approximately 4,000 error-corrected logical qubits. Current state-of-the-art systems have hundreds of physical qubits with limited error correction. CISA's official planning timeline assumes CRQC capability by 2030–2035.

What is 'harvest now, decrypt later' and why does it matter now?

HNDL is an attack where adversaries capture encrypted traffic today intending to decrypt it using future quantum computers. It matters now because data captured in 2026 could be decrypted in 2033 — still valuable for classified data, long-term financial records, and intellectual property that must remain confidential for years.

What should organizations do about post-quantum cryptography today?

Start with a cryptographic inventory — identify all systems using public-key cryptography. Prioritize systems handling sensitive long-lived data. Begin testing ML-KEM and ML-DSA in non-production environments. Adopt hybrid TLS (combining ECDH with ML-KEM) in key communications infrastructure. Federal contractors should comply with CISA migration guidance timelines.