
The encryption protecting your data right now — the same technology securing your bank transfers, health records, corporate emails, and government communications — was built on a simple assumption: that no computer on Earth could break it in a reasonable amount of time. That assumption is running out of runway.

Quantum computing is advancing faster than most organizations realize, and the cybersecurity community is sounding the alarm. Gartner predicts quantum computers will render current asymmetric encryption unsafe by 2030. The more chilling news? Adversaries don't need to wait until then. The attack is already underway — it just hasn't been completed yet.

What Is Post-Quantum Cryptography?

Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to resist attacks from quantum computers. Today's most widely used encryption standards — RSA, Elliptic Curve Cryptography (ECC), and Diffie-Hellman key exchange — rely on mathematical problems that classical computers find practically impossible to solve. Quantum computers, using a technique called Shor's algorithm, can theoretically crack these same problems exponentially faster.

PQC replaces these vulnerable algorithms with new mathematical structures — lattice-based, hash-based, and code-based schemes — that quantum computers cannot efficiently attack, even with the processing power of a fully realized quantum machine.

The critical distinction: PQC does not require quantum hardware to run. It operates on today's classical infrastructure, which means organizations can begin migrating now.

The "Harvest Now, Decrypt Later" Threat — And Why It's Already Happening

Here's what makes the quantum threat uniquely dangerous: you don't need a quantum computer to start the attack.

Nation-state intelligence agencies and sophisticated threat actors are already intercepting and storing encrypted data today — financial transactions, healthcare records, diplomatic communications, corporate trade secrets, and VPN traffic. That data is encrypted with RSA or ECC, so it's unreadable now. But storage is cheap. And adversaries are betting that within a decade, a quantum computer will be able to decrypt everything they've collected.

This strategy is known as "Harvest Now, Decrypt Later" (HNDL) — and it transforms what sounds like a future problem into a present-day breach.

Any sensitive data transmitted over a network today that must remain confidential for five, ten, or twenty years is already at risk. Medical records. Legal communications. Financial archives. Intellectual property. Government secrets. If it was intercepted in transit in 2024 or 2025, it may be readable by 2030 or 2035.

The window to act is not measured in decades. It is measured in years — and for many organizations, those years are almost up.

The Timeline: How Close Are We?

There is no consensus on the exact date a Cryptographically Relevant Quantum Computer (CRQC) will exist. But the leading estimates are sobering:

  • Gartner predicts current asymmetric encryption will be unsafe by 2030
  • The Global Risk Institute's 2026 Quantum Threat Timeline estimates a CRQC is "quite possible" within 10 years and "likely" within 15
  • NIST's own transition guidance targets full migration away from vulnerable algorithms by 2035, citing the harvest-now-decrypt-later threat as a key driver of urgency
  • Google, following the unveiling of its Willow quantum processor in late 2024, publicly called on governments and industry to "prepare now" — citing accelerating breakthroughs that are compressing earlier timelines
  • Canada has set federal deadlines requiring departments to submit PQC migration plans by April 2026, prioritize critical systems by 2031, and complete full migration by 2035

Mosca's Theorem frames the urgency mathematically: if the time required to complete your organization's cryptographic migration (Y) plus the sensitivity window of your data (X) exceeds the number of years until a viable quantum computer exists (Z), that is, if X + Y > Z, you are already behind. For most enterprises handling long-lived sensitive data, that calculation leads to one conclusion — the time to start is now.

The NIST Standards: The Foundation Is Ready

After an eight-year global evaluation process involving 69 candidate submissions and four rounds of rigorous peer review, the National Institute of Standards and Technology (NIST) published the world's first finalized post-quantum cryptography standards in August 2024:

  • FIPS 203 — ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism): The primary standard for quantum-safe key exchange, replacing RSA and ECC in protocols like TLS
  • FIPS 204 — ML-DSA (Module-Lattice-Based Digital Signature Algorithm): For quantum-resistant digital signatures
  • FIPS 205 — SLH-DSA (Stateless Hash-Based Digital Signature Algorithm): A hash-based backup signature scheme

In March 2025, NIST selected HQC as an additional key encapsulation mechanism — a backup algorithm designed to ensure resilience if vulnerabilities are ever discovered in the primary lattice-based approaches.

The cryptographic foundation is no longer theoretical. The standards are published, vetted, and ready to implement.

What's Most Vulnerable Right Now?

Not all systems face equal risk. Organizations should prioritize based on data sensitivity and longevity:

Highest Risk (Act Immediately)

  • Long-lived encryption keys and certificates
  • TLS/HTTPS traffic carrying sensitive data in transit
  • VPN tunnels protecting classified or confidential communications
  • Archived encrypted records with multi-year sensitivity windows (health, legal, financial)
  • Code signing certificates

High Risk (Plan Migration Now)

  • PKI infrastructure and certificate authorities
  • Encrypted database backups
  • Email encryption (S/MIME, PGP)
  • Authentication systems using RSA or ECC

Moderate Risk (Include in Roadmap)

  • Internal encrypted communications
  • Device authentication and IoT credentials
  • Short-lived session tokens

The Path Forward: Practical Steps for Organizations

1. Build a Cryptographic Inventory

You cannot protect what you cannot see. Map every place encryption is used across your environment: applications, APIs, network devices, cloud services, and third-party integrations. Identify which algorithms are in use and where.

2. Prioritize Data with Long Confidentiality Requirements

Any data that must remain confidential for five or more years should be considered at risk today. These systems and datasets should lead your migration effort.

3. Adopt Crypto-Agility

Design systems to support swapping cryptographic components without rewriting application logic. Hardcoded algorithms will dramatically slow your migration. Crypto-agility is the architectural principle that makes PQC transitions manageable.

4. Start with Hybrid Deployments

A hybrid approach combines classical algorithms (like X25519) with post-quantum algorithms (like ML-KEM) during the transition period. If either component is secure, the communication is secure. This reduces risk while preserving compatibility with systems that haven't yet migrated.
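The exchange described in step 4, as an added example that is not code from the original post or from Nocturne: a client and server agree on a session key from an X25519 shared secret and an ML-KEM-768 shared secret, combined with HKDF so that both must fall before the key does. It uses only Go's standard library (crypto/mlkem and crypto/hkdf arrived in Go 1.24, so that version or later is required); the function names, the "hybrid-x25519-mlkem768" label and the concatenation order are my own choices for illustration, not the exact construction of any protocol's registered hybrid group.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must keeps the demo short; a production handshake propagates errors instead.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// combine feeds BOTH shared secrets into HKDF-SHA256: an adversary who later breaks
// X25519 with Shor's algorithm still lacks the ML-KEM input, and vice versa.
func combine(ssECDH, ssKEM []byte) []byte {
	ikm := append(append([]byte{}, ssECDH...), ssKEM...)
	return must(hkdf.Key(sha256.New, ikm, nil, "hybrid-x25519-mlkem768", 32))
}

// ClientOffer creates both ephemeral key pairs. Only the public halves (32-byte
// X25519 key, 1184-byte ML-KEM-768 encapsulation key) go on the wire.
func ClientOffer() (*ecdh.PrivateKey, *mlkem.DecapsulationKey768) {
	return must(ecdh.X25519().GenerateKey(rand.Reader)), must(mlkem.GenerateKey768())
}

// ServerRespond runs X25519 against the client's public key and encapsulates to
// its ML-KEM key; it returns the server's session key plus the reply flight
// (server X25519 public key, 1088-byte ML-KEM-768 ciphertext).
func ServerRespond(cPub *ecdh.PublicKey, cKEM *mlkem.EncapsulationKey768) ([]byte, *ecdh.PublicKey, []byte) {
	ec := must(ecdh.X25519().GenerateKey(rand.Reader))
	ssECDH := must(ec.ECDH(cPub))
	ssKEM, ct := cKEM.Encapsulate()
	return combine(ssECDH, ssKEM), ec.PublicKey(), ct
}

// ClientFinish derives the client's copy of the session key from the reply flight.
func ClientFinish(ec *ecdh.PrivateKey, kem *mlkem.DecapsulationKey768, sPub *ecdh.PublicKey, ct []byte) []byte {
	ssECDH := must(ec.ECDH(sPub))
	ssKEM := must(kem.Decapsulate(ct))
	return combine(ssECDH, ssKEM)
}

func main() {
	ec, kem := ClientOffer()
	serverKey, sPub, ct := ServerRespond(ec.PublicKey(), kem.EncapsulationKey())
	fmt.Println("keys match:", bytes.Equal(ClientFinish(ec, kem, sPub, ct), serverKey))
}
```

Swapping either half for another algorithm later only touches the two key-generation calls and combine, which is the crypto-agility step 3 asks for.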

5. Engage Your Vendors and Supply Chain

Your PQC posture is only as strong as your weakest vendor. Begin conversations with software vendors, cloud providers, and third-party partners about their PQC roadmaps. Regulatory pressure from government supply chain mandates is already cascading into private sector requirements.

6. Shorten Data Retention Where Possible

Data that no longer exists cannot be decrypted later. Review archival policies and delete data that no longer serves a business purpose. Minimizing your exposure window is a legitimate risk reduction strategy.

The Canadian Context

For Canadian organizations, the timeline carries specific weight. The Canadian Centre for Cyber Security (CCCS) has issued formal guidance encouraging organizations to begin PQC planning immediately. The federal government has set concrete migration milestones for departments, and given how government procurement requirements typically cascade into private sector suppliers, Canadian businesses in regulated industries — financial services, healthcare, critical infrastructure — should treat this as a near-term compliance issue, not a distant research topic.

The .ca regulatory environment is evolving in lockstep with NIST and EU frameworks. Organizations that build PQC readiness into their security programs now will be ahead of mandatory requirements that are almost certainly coming.

The Bottom Line

Post-quantum cryptography is not a future problem with a future solution. It is a present problem with available solutions and a tightening window to implement them.

The "harvest now, decrypt later" strategy is not a theoretical attack vector. It is an active, ongoing collection effort by sophisticated adversaries who are betting that quantum computing will eventually deliver the decryption capability they're waiting for. Every day that sensitive data travels over a network protected by RSA or ECC is another day that data could be collected and held.

NIST has published the standards. The algorithms are ready. The migration path is clear. What's missing in most organizations is the urgency to start.

The organizations that treat this as a 2030 problem will find that 2030 arrives faster than expected — and that by then, some of their most sensitive data has already been compromised in ways they may never even detect.

Build Your Quantum-Ready Security Program

At Nocturne, we help organizations understand and address their cryptographic risk exposure — from initial inventory and gap assessment through to PQC migration planning. Contact us to learn how quantum-readiness fits into your security roadmap.
