Executive Summary

Quantum computers powerful enough to shatter today’s public-key crypto aren’t on next quarter’s CAPEX sheet—but with Shor-quality qubits projected inside the 2030s, data harvested today could be decrypted tomorrow (“store-now, crack-later”). In July 2022 NIST selected four post-quantum (PQ) algorithms for standardization; by the end of 2025 draft FIPS documents will push them toward production.

This report demystifies the math, scopes the risk windows, inventories software/hardware readiness, and delivers a playbook for CISOs, solution architects, and protocol maintainers who must migrate without breaking legacy integrations or compliance mandates.

Table of Contents

  1. Threat Horizon “Harvest Now, Decrypt Later” Economics
  2. Timeline: From NIST Round 3 to Draft FIPS (2016 → 2025)
  3. Algorithm Primer
  4. Software & Hardware Readiness
  5. Hybrid & Transition Patterns
  6. PKI, Certificate Lifecycles & Governance
  7. Performance, Payload & Bandwidth Impacts
  8. Regulatory & Compliance Landscape
  9. Migration Checklist & Risk Heat-Map
  10. Common Failure Modes & Mitigations
  11. Looking Ahead: 2026 → 2035 Outlook
  12. Key Takeaways

1 · Threat Horizon “Harvest Now, Decrypt Later” Economics

VectorWhy It MattersTypical Time-Value Window
State SecretsDiplomatic cables, defense schematics≥ 25 years
Healthcare RecordsPII + genomic data, immutable once leaked≥ 75 years life span
Financial TransactionsM&A drafts, SWIFT archives10 – 30 years
Long-Lived IoTGrid controllers, avionics, satellites15 – 40 years

Cost curves: Quantum volume doubles ~ 12 months (faster than Moore’s Law slowdown), while tape/cloud cold-storage cost per GB < $0.004. Result: adversaries can feasibly exfiltrate petabytes today on the cheap and “queue” decryption.

2 · Timeline: From NIST Round 3 to Draft FIPS

YearMilestone
2016NIST PQC competition launched (82 submissions)
2020Round 3 finalists announced
2022 (July)KEM winners: CRYSTALS-Kyber; Signature: CRYSTALS-Dilithium, Falcon, SPHINCS+
2023“Additional Signature” call (lattice-free) begins
2024 Q4Draft SP 800-208 (transition) update published
2025 H2Draft FIPS 203/204/205 expected (Kyber, Dilithium, Falcon)
2027Anticipated final FIPS; TLS, SSH, IPsec default cipher-suites updated
2030 ± 2Large-scale fault-tolerant quantum plausible (2–5 million logical qubits)

3 · Algorithm Primer

ClassRepresentativeSecurity BasisKey SizeCiphertext / Signature
Lattice (KEM)Kyber-768Module-LWR, worst-case lattice hardness1.1 KB1.1 KB
Lattice (Sig)Dilithium-3Module-LWE, Fiat–Shamir1.6 KB pub / 2.8 KB sig2.4 KB
Hash-BasedSPHINCS+ -128sHash collision resistance32 B pub8–17 KB sig
Code-BasedBIKE/NewHope (alt KEM)QC-MDPC codes1–2 KB pub1–2 KB ciphertext
MultivariateRainbow (broken), GeMSS (cryptanalyzed)MPKCNot selected

Takeaway: Key/Sig bloats 2–5× vs ECDSA/Ed25519, but still far smaller than early code-based contenders (several MB).

4 · Software & Hardware Readiness (2025 Snapshot)

LayerSupport Notes
OpenSSL 3.3OQS-provider merges; Kyber & Dilithium available under -pqc flag
BoringSSL / TinkExperimental Kyber512+X25519 hybrid in Canary builds
LibreSSLRoad-map acknowledges PQ but awaits FIPS draft
TLSDraft RFC 9433 (hybrid KEM) shipping in Chrome/Firefox Nightly behind flags
SSHOpenSSH 9.5 adds sntrup761x25519-sha512@openssh.com hybrid
Hardware HSMsEntrust nShield XC & Thales Luna V offer FW update paths; true PQ instructions pending FPGA refresh
Smart CardsISO/IEC 7816 supports 4 KB keys; PQ roll-outs target 2026+
BrowsersChrome 119, Firefox 118 include CECPQ2b (X25519 + Kyber768)

5 · Hybrid & Transition Patterns

ApproachWhere UsedProsCons
KEM Hybrid (X25519 + Kyber)TLS 1.3, QUICBackward compatible; PQ padding optionalDouble handshake payload
Signature Hybrid (ECDSA + Dilithium)Code signing, firmwareSmooth fallback for legacy verifiersDoubles signature size
Dual-Key HierarchyPKI root PQ, leaf ECDSAPhased device refreshOperational complexity
Agile Crypto NegotiationJOSE-PQC, COSE-PQC draftsFine-grained per-messageLibrary ecosystem lag

Rule of thumb: Start hybrid in 2025; move to pure PQ once browsers, OS keystores, and HSMs finish FIPS validation (~2027).

6 · PKI, Certificate Lifecycles & Governance

  • Root Rotation Windows – Typical X.509 roots live 15–25 years; generate PQ roots before 2027 to avoid mega-reissue scramble.
  • Intermediate Diversity – Maintain parallel classic & PQ ICAs; cross-sign to smooth revocation boundaries.
  • CRL/OCSP Payloads – Dilithium signatures enlarge responses; budget CDN egress accordingly.
  • Certificate Transparency – CT logs must handle larger signed_entry. Google’s pilot CT-v3 shards at 64 KB leaf cap.

7 · Performance, Payload & Bandwidth Impacts

Handshake Overhead: TLS 1.3 full handshake grows by ≈ 3–4 KB; TTFB increase < 4 ms on 100-Mbps links.

CPU Cycles: Kyber768 decaps < 0.1 ms on Skylake; embedded Cortex-M55 ~ 15 ms. Signature verify (Dilithium) 1.25× RSA-2048.

Database Storage: Certificate tables swell; estimate +10 GB per 1 B short-lived certs. Column-store compression recovers 45 %.

8 · Regulatory & Compliance Landscape

RegulationPQ Mandate / Guidance (Status — May 2025)
US NSA CNSA 2.0Requires PQC (Kyber) for NATSEC systems starting 2026 impact analysis
EU Cyber Resilience Act (draft)Calls for “crypto-agile design”; PQ considered “state-of-the-art” by 2027
ISO/IEC 18033-6PQC working draft in ballot
PCI-DSS v4.1No explicit PQ yet; scoping task team formed
HIPAA / GDPR“Appropriate encryption” may map to PQ for >15 year retention data

9 · Migration Checklist & Risk Heat-Map

Technical Work-Streams

  • Inventory cryptographic libraries, handshake protocols, signed binaries.
  • Flag data at rest with confidentiality horizon > 2030.
  • Prototype hybrid TLS on staging edge; measure handshake & CDN cache hit rates.
  • Generate PQ root-CA keys in offline HSM; store metadata in CMDB.
  • Update CSR templates (subjectAltName, pqcKeyAlg) and automation (ACME, EST).

Risk Heat-Map

AxisLowMediumHigh
Quantum arrival before 2030☑︎
Long-lived firmware (no OTA)☑︎
Supply-chain PKI hard-coded☑︎
Legal / compliance penalty☑︎

10 · Common Failure Modes & Mitigations

FailureSymptomFix
Payload Bloat Breaks MTUTLS handshake fragmentation → resetEnable TCP MSS clamping or QUIC
Interop CollapseLegacy client rejects unknown SigAlgNegotiate hybrids; maintain cipher-suite allow-list
Side-Channel RegressionChosen-ciphertext leaks (Kyber decap)Use constant-time ref impl; enable compiler hardening
Unsized BuffersPKCS#11 slot overflow in HSMApply firmware patch; allocate ≥ 6 KB key slots

11 · Looking Ahead: 2026 → 2035 Outlook

HorizonProjection
2026First FIPS-validated PQ HSMs ship; ACME issues hybrid leaf certs by default
2027–2028Major OS/browser trust-stores add PQ roots; SSH, TLS default to pure PQ in bleeding-edge distros
2029SaaS vendors forced by EU CRA to show crypto-agility attestations
2030–2032Cloud KMS APIs deprecate RSA/ECC key creation in favor of PQ
2033–2035Retire last RSA root CAs; classic crypto relegated to legacy containment zones

12 · Key Takeaways

  • Start hybrid now. Waiting for final FIPS risks massive cert-renewal debt.
  • Inventory beats intuition. Map every protocol, every handshake—especially embedded firmware with no OTA.
  • PQ impacts more than TLS. Think code-signing, database encryption, blockchain consensus, VPNs, email, and S/MIME.
  • Governance & automation trump one-off patches; bake crypto-agility into CI/CD, PKI workflows, and supply-chain SBOMs.
  • Budget for size & CPU spikes. Handshakes grow, HSM slots need firmware, and CDNs must absorb fatter CRLs.

Compiled May 2025 for security architects, compliance officers, and software engineers preparing for a post-quantum future. All algorithm names and marks belong to their respective owners; examples are illustrative of industry trends.