Edgar Ter Danielyan FBCS CITP explores how to take your first steps towards post-quantum safe encryption.

Summary:

  • Preparing for post-quantum cryptography (PQC) is no longer a theoretical exercise: it should be done now
  • Current quantum computers struggle with qubit fidelity, noise and complex error-correction, but continuous improvements mean that organisations should prepare now
  • While it’s widely believed that only asymmetric cryptography is threatened, this is false and symmetric cryptography is not immune
  • Some view PQC as simply a software update, but it is the largest cryptographic migration in the history of the internet and taking steps early will make it far more manageable

While quantum computing promises massive leaps in scientific and computational capabilities, it also poses an existential threat to the cryptographic foundations of modern digital security. Preparing for post-quantum cryptography (PQC) is no longer a theoretical exercise: it is something that should be done now.

A prevalent myth is that a practical, cryptographically relevant quantum computer is just around the corner. In reality, many predictions are biased and overstate the timeline for quantum advancements, often coming from those who stand to benefit financially or otherwise from overstating the timing of the threat.

A quantum computer capable of breaking modern public-key cryptography requires millions of stable physical qubits and they are still years away — at least if we discount the remote possibility that the NSA or suchlike have already overcome the fundamental physical challenges and built a practically usable, cryptographically-relevant quantum computer, which would be very big news indeed.

Current quantum computers struggle with immense challenges regarding qubit fidelity, noise and complex error-correction requirements. However, continuous improvements mean that while a quantum computer isn't arriving tomorrow, it is reasonable to assume it will arrive eventually. Planning must be based on this eventuality rather than immediate panic.

Why act now?

The answer lies in the primary risk to non-PQC cryptography: the ‘harvest now, decrypt later’ (HNDL) threat. It is important to acknowledge that the primary threat actors that may be executing this strategy are well-resourced nation states, rather than individual hackers or even organised crime groups.

Only very well resourced threat actors such as nation states have the vast storage and network traffic interception infrastructures, as well as the incentives, necessary to intercept and hoard heavily encrypted, highly sensitive data for decryption at some unknown time in the future.

Once a quantum computer becomes available, they could retroactively decrypt this stored data (subject to certain technical limitations). If your organisation handles information that must remain secret for many years, such as state secrets, confidential financial transactions, trade secrets, or health records, that data is fundamentally at risk the moment it is captured, even if it is not decryptable straight away.

Another common misconception is that post-quantum cryptography requires quantum computers to run. In reality, PQC algorithms are classical algorithms designed to run on the standard computers we use today, and are engineered to withstand attacks from both quantum and classical computers.

It is widely but falsely believed that only asymmetric cryptography is threatened. While asymmetric, or public-key, cryptography such as RSA and elliptic curve cryptography (ECC) will be completely broken by Shor’s algorithm running on a quantum computer, symmetric cryptography is not entirely immune.

Quantum computers can brute-force symmetric keys at an exponentially faster rate, effectively halving their security strength. Fortunately, the fix for symmetric cryptography is straightforward: simply doubling the key size addresses the problem. Upgrading from AES-128 to AES-256, for example, restores the necessary security margin against quantum threats.

Some view PQC as simply a software update, assuming it is easy and low-risk. In truth, transitioning to PQC is arguably the largest cryptographic migration in the history of the Internet and is far from a simple ‘plug-and-play’ software patch. For instance, PQC keys and ciphertexts are significantly larger than their RSA or ECC counterparts. They also have different computational requirements, which can impact CPU and memory usage.

Practical challenges and solutions

A concrete, practical example of these migration challenges and solutions can be seen in the transport layer security (TLS) protocol that underpins HTTPS, which accounts for approximately 95% of all web traffic (the rest being unsecured HTTP).

To make TLS 1.3 post-quantum safe, the underlying key exchange mechanism must be post-quantum safe; a practical approach involves hybrid key exchange, which combines a traditional elliptic curve algorithm with a new post-quantum algorithm. 

X25519MLKEM768 is the most widely deployed hybrid choice: it combines X25519, the dominant classical TLS 1.3 key agreement on the web, with ML-KEM-768, the NIST-standardised PQ key exchange mechanism.

By using a hybrid approach the connections secured by X25519MLKEM768 remain secure even if a vulnerability is later discovered in the quantum-resistant mathematics, as the classical encryption layer would still require a full-scale quantum computer to break.

This transition is already well underway: according to Cloudflare Radar, about 66% of the internet's HTTPS traffic already uses post-quantum key exchange. Tools such as Radar or https://pqscan.io make it easy to check whether any particular HTTPS endpoint supports PQC.

Beyond TLS, the current versions of SSH (OpenSSH 10.0+) have implemented post-quantum hybrid key exchange support. To confirm whether a remote SSH server supports these post-quantum key exchanges, initiate a connection with the -v (verbose) option and look for the key exchange line containing ‘kex: algorithm:’ in the output. In the following example, host.com supports post-quantum safe key exchange using sntrup761x25519-sha512@openssh.com:

ssh -v user@host.com 2>&1 | grep 'kex: algorithm:'

debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com

The current list of pure and hybrid post-quantum key exchange algorithms is:

  • TLS pure and hybrid post-quantum key exchange algorithms: MLKEM512, MLKEM768, MLKEM1024, X25519MLKEM768, SecP256r1MLKEM768, SecP384r1MLKEM1024
  • SSH pure and hybrid post-quantum key exchange algorithms: mlkem512-sha256, mlkem768-sha256, mlkem1024-sha384, mlkem768x25519-sha256, mlkem768nistp256-sha256, mlkem1024nistp384-sha384, sntrup761x25519-sha512, sntrup761x25519-sha512@openssh.com
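As an added example (not from the article), the script below turns the SSH check above and the two algorithm lists into an inventory aid: it classifies a TLS group or SSH kex name as classical, pure post-quantum or hybrid, extracts the negotiated kex from ‘ssh -v’ output, and parses the supported_groups extension of a captured TLS ClientHello to flag clients that do not yet offer PQ key exchange. The numeric TLS codepoints are taken from the IANA TLS Supported Groups registry rather than the article, and the sample inputs are constructed.

```python
# Added example: names come from the article's lists; numeric TLS codepoints
# are from the IANA TLS Supported Groups registry, not from the article.
import re
import struct

# TLS NamedGroup codepoint -> name (classical groups included so they get named).
TLS_GROUPS = {
    0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519",
    0x0200: "MLKEM512", 0x0201: "MLKEM768", 0x0202: "MLKEM1024",
    0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768", 0x11ED: "SecP384r1MLKEM1024",
}
PURE_PQ = {"MLKEM512", "MLKEM768", "MLKEM1024",
           "mlkem512-sha256", "mlkem768-sha256", "mlkem1024-sha384"}
HYBRID = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024",
          "mlkem768x25519-sha256", "mlkem768nistp256-sha256", "mlkem1024nistp384-sha384",
          "sntrup761x25519-sha512", "sntrup761x25519-sha512@openssh.com"}

def classify(name):
    """Return 'hybrid', 'pure-pq' or 'classical' for a TLS group or SSH kex name."""
    if name in HYBRID:
        return "hybrid"
    if name in PURE_PQ:
        return "pure-pq"
    return "classical"

def parse_supported_groups(body):
    """Parse a TLS supported_groups extension body (RFC 8446 section 4.2.7):
    a 2-byte list length followed by 2-byte NamedGroup codepoints."""
    if len(body) < 2:
        raise ValueError("truncated supported_groups extension")
    (n,) = struct.unpack("!H", body[:2])
    if n % 2 or len(body) != 2 + n:
        raise ValueError("supported_groups length does not match body")
    codepoints = struct.unpack("!%dH" % (n // 2), body[2:])
    return [TLS_GROUPS.get(cp, "unknown(0x%04X)" % cp) for cp in codepoints]

def pq_ready(body):
    """True if the ClientHello offers at least one pure or hybrid PQ group."""
    return any(classify(g) != "classical" for g in parse_supported_groups(body))

def ssh_kex_from_debug(output):
    """Extract the negotiated kex name from 'ssh -v' output, or None if absent."""
    m = re.search(r"kex: algorithm: (\S+)", output)
    return m.group(1) if m else None

# Constructed samples: a ClientHello offering X25519MLKEM768, x25519 and secp256r1,
# and one line of 'ssh -v' debug output as quoted in the article.
SAMPLE_GROUPS = bytes.fromhex("0006" "11EC" "001D" "0017")
SAMPLE_SSH_DEBUG = "debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com\n"
```

Feed parse_supported_groups the extension body captured from a network trace; a client whose list contains only classical groups is one that still needs upgrading.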

Conclusion and recommendations

Organisations should start moving now to post-quantum safe algorithms in widely used protocols such as TLS and SSH. Taking these steps early makes the eventual migration far more manageable and reduces the risk of being caught unprepared.

Google's recent announcement setting a 2029 deadline for migrating its authentication services to post-quantum cryptography has injected fresh urgency into the industry. The timeline reflects advances in quantum hardware, error correction, and updated estimates of how quickly a quantum machine could break today's encryption.

Google is already embedding NIST-standardised PQC algorithms into its products, building on existing PQC support in Chrome and Google Cloud, for example. In March 2026, shortly after the 2029 deadline announcement, Google's quantum computing research team published a paper demonstrating that a quantum computer with fewer than 500,000 qubits would be able to break the 256-bit elliptic curve system used in blockchains in a few minutes, with potentially unprecedented consequences not just for cryptocurrencies but also for other systems implemented on blockchains.

The paper discusses the various challenges and concludes that: ‘The root cause of the numerous quantum vulnerabilities discussed in this whitepaper lies in the widespread use of cryptographic protocols, especially digital signatures, based on ECDLP — a computational problem believed to be hard for classical computers that is known to be efficiently solvable on quantum machines. Therefore, the only durable long-term solution to these vulnerabilities lies in upgrading the underlying schemes to post-quantum alternatives.’

Edgar Ter Danielyan FBCS CITP is director and principal consultant at Danielyan Consulting Ltd, a London-based specialist consultancy providing security engineering, incident investigation, and penetration testing services since 2013: https://danielyan.com