We are at a tipping point for quantum computing, which is on the verge of becoming a reality. While its potential is tantalizing, it also represents an unprecedented threat to the traditional data security infrastructure and the cryptographic algorithms that protect it. Post-quantum cryptography – algorithms designed to be secure against classical and quantum computer attacks – is the response.
Quantum computers exploit the principles of quantum mechanics to solve complex problems that classic computers cannot feasibly tackle. Quantum computers use the principles of quantum mechanics to process information in a way that uses qubits, which can exist in multiple states, as opposed to normal computers, which only use "zeros" and "ones". This creates an exponential scale, which is what gives them their computational power.
VP of Portfolio Marketing at Commvault.
Of particular concern is their ability to crack widely used public key encryption algorithms such as RSA and ECC (elliptic curve cryptography). By the time a sufficiently powerful quantum computer becomes available, these encryption methods, which protect virtually all current digital communications, will be obsolete.
The date when cryptographically-relevant quantum computers will appear remains uncertain: estimates range from five to 10 years. However, the risk is immediate due to the "harvest now, decrypt later" attacks that are already taking place, especially for data with a longer lifetime.
If an organization retains sensitive data for the long term, such as financial information, personal data or even trade secrets, this represents a significant and growing risk.
What is at stake is nothing less than the most valuable digital assets: intellectual property, private and sensitive data, authentication systems and secure communications.
The financial, operational and reputational damage from such exposures could be catastrophic, and unavoidable without proactive measures.
What is post-quantum cryptography?
Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to be secure against attacks by classical and quantum computers. These algorithms are based on mathematical problems that remain difficult to solve even for quantum computers.
In 2024, the National Institute of Standards and Technology (NIST) published its first set of standardized post-quantum cryptographic algorithms, including CRYSTALS-Kyber, CRYSTALS-Dilithium, SPHINCS+ and FALCON. In March 2025, NIST selected a new algorithm, Hamming Quasi-Cyclic (HQC), which will serve as a backup to the existing Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) algorithms recommended by FIPS 203 to protect against quantum attacks.
HQC is based on error-correcting codes, a concept that has been fundamental to information security for decades. Unlike ML-KEM, which relies on structured networks, HQC's unique mathematical basis offers a robust alternative that can help combat the potential threats posed by future quantum computers. This shift in mathematical approaches is crucial for maintaining the integrity of encrypted data.
The time for change is now
The time when currently encrypted data can be decrypted using quantum technology is closer than many people think. However, while most organizations are actively working on cyber resilience strategies, including their core IT infrastructure and components of the supply chain, the risk to quantum computing is not as widely considered.
Changing cryptography in a complex IT environment is not something that can be done overnight. It can take years, especially for large organizations with complex IT environments. Historical precedent shows that major cryptographic transitions typically take 5-10 years to complete.
Beginning the transition
To begin a transition to post-quantum cryptography, a number of steps must be followed:
1. Cryptographic inventory: Not all data is equally important, and not all data needs to be encrypted in the same way. It is therefore necessary to identify where cryptography should be used in the digital heritage. This should include the most sensitive data, applications, networks, identity systems, and third-party connections.
2. Risk assessment: Given the cost of post-quantum cryptography, it makes sense to prioritize protecting the most sensitive data rather than trying to protect everything. Evaluate your data in terms of its sensitivity and longevity. Information that must remain confidential for more than five years should receive immediate attention. For less sensitive data, standard encryption methods will suffice in keeping it secure.
3. Crypto-agility implementation: Being crypto-agile – having the ability to switch between different cryptographic algorithms in response to new threats – will be essential in the post-quantum era. Develop frameworks that allow you to quickly replace cryptographic algorithms without the need for extensive system redesign. Crypto-agility also requires employee training, so invest time and resources to bring your employees on this journey with you.
4. Prioritized migration: Start with your most sensitive systems and data, particularly those that protect intellectual property or personally identifiable information.
5. Supplier engagement: Confirm that all suppliers in your ecosystem are aligned with emerging standards to ensure end-to-end protection and agility.
In summary
By starting your post-quantum transition today, you can help protect your organization's most valuable data as we enter the quantum era. The alternative is to wait for quantum computers to break existing encryption – by then, it will be too late for data that has already been compromised. The future is quantum and the time to future-proof your data is now.
We list the best performance management software.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.