
Post-Quantum Cryptography: The Logic of the Next Wall and the Long-Term Secrecy Unhack

Sovereign Audit: This logic was last verified in March 2026. No hacks found.


You send the message at 9pm, padlock icon showing, and you feel safe. You shouldn’t. A server you’ll never see just saved a copy of that encrypted traffic — not to read tonight, when it’s still gibberish, but to file away and crack open years from now. The health record you uploaded this morning, the key guarding your savings, the email you’d never want surfaced: collected, shelved, waiting for the machine that opens it. You think encrypted means safe forever. The people storing your data are betting it just means safe for now.

The short version: Post-Quantum Cryptography (PQC) is a family of encryption algorithms built to survive attacks from quantum computers, which will eventually break today’s RSA and Elliptic Curve cryptography. In 2022, after an eight-year evaluation, NIST standardised the first PQC algorithms — Kyber-1024 for key encapsulation and Dilithium for signatures, both lattice-based. The threat isn’t theoretical or distant: adversaries already harvest encrypted data to decrypt later. If your data must stay secret past 2040, act now — upgrade to GnuPG 2.4+, enable hybrid TLS 1.3 (X25519Kyber768) on your domain and VPN, and demand PQC support from your providers.

What is “harvest now, decrypt later,” and why does it threaten you today?

Here’s the part most security coverage skips. The danger of quantum computing isn’t a future event you can ignore until it arrives — it’s already operating, in reverse. The strategy is called harvest now, decrypt later: collect encrypted traffic today, store it cheaply, and wait for a quantum computer powerful enough to crack it open. Your data doesn’t need to be readable now to be stolen now.


That reframes the whole timeline. The question isn’t “when will quantum computers break encryption?” — it’s “how long does this particular secret need to stay secret?” A throwaway message that’s worthless in a year is safe. A medical record, a financial history, a private key, a trade secret — anything with a shelf life of a decade or more — is already exposed the moment it crosses the wire, because the copy being filed away today will be cracked on a timeline you can’t control.

Standard encryption isn’t broken. It’s expiring — on a schedule someone else is reading more carefully than you are.

Why today’s encryption has an expiry date

RSA and Elliptic Curve Cryptography — the backbone of nearly everything secure online — rest on two hard problems: factoring enormous numbers, and solving discrete logarithms. Both are hard for ordinary computers and easy for a quantum one running Shor’s algorithm. Estimates suggest a quantum machine with roughly 20 million stable qubits could break RSA-2048 in hours. Today’s hardware has thousands of noisy qubits, nowhere near that — but the curve is bending, and the harvested data doesn’t care how long the wait is.

This is why the timeline debate is a distraction dressed as prudence. NIST assesses that a cryptographically relevant quantum computer is unlikely before 2040, but possible by 2030. IBM, Google, and others publish yearly roadmaps of climbing qubit counts. The uncertainty itself is the argument: you can’t know the date, so you have to prepare for the early one.

What is post-quantum cryptography, and which algorithms won?

Post-Quantum Cryptography is encryption built on mathematical problems that resist both classical and quantum attack. In 2022, NIST — the U.S. National Institute of Standards and Technology — finished an eight-year public competition and standardised the first set. They rest on genuinely different foundations from RSA:

  • Lattice-based (Kyber, Dilithium): security from the Learning With Errors problem — finding the shortest vector in a high-dimensional lattice, hard for classical and quantum machines alike.
  • Hash-based (XMSS): security from the difficulty of inverting cryptographic hash functions, which quantum computers can’t meaningfully speed up.
  • Code-based (Classic McEliece): security from decoding random linear codes, with no known quantum shortcut.
  • Multivariate polynomial (Rainbow): solving systems of polynomial equations over finite fields.

Kyber (for key encapsulation) and Dilithium (for signatures) are the practical frontrunners — fast, with manageable key sizes and solid security margins. And the competition mattered: NIST passed over SIDH (Supersingular Isogeny Diffie-Hellman) after it was broken in 2022 by a classical attack that recovered private keys without any quantum hardware at all. That’s the difference between a clever idea and a durable one — and the reason to trust the standardised survivors over the theoretically elegant. Use Kyber-1024 for anything long-term; Kyber-512 only for data that doesn’t need to outlive the week.

That eight-year process is itself the reassurance worth holding onto. PQC isn’t a rushed patch bolted on once the threat appeared — it’s the product of a public, adversarial competition where cryptographers worldwide spent years trying to break every candidate before any of them were blessed. The schemes that survived did so because the smartest attackers in the field couldn’t crack them, not because a committee liked the maths. SIDH’s collapse, painful as it was, is the system working: a weak finalist found and discarded before it shipped into your tools, rather than after. When you adopt Kyber and Dilithium, you’re not betting on a new idea — you’re inheriting the survivors of a deliberate, years-long demolition test.

How do you actually implement PQC? A sovereign checklist

You don’t need to be a cryptographer. You need to move the layers you control, in order, starting with the easiest win.

1. Local encryption and keys. Upgrade GnuPG to version 2.4 or later, which supports post-quantum key encapsulation. If you manage PGP keys for an organisation, rotate new keys to Kyber-1024 and Dilithium over the next 12 months. Existing RSA keys stay usable; just make PQC the default for anything new.

2. TLS and network traffic. Enable TLS 1.3 with hybrid key exchange. Cloudflare supports X25519Kyber768 in its standard configuration — turn it on for your domain. Check endpoints with a tool like SSL Labs; a “Hybrid” indicator means PQC is live.

3. Cryptocurrency. Bitcoin and Ethereum signatures use ECDSA, which quantum computers can break. Don’t park long-term holdings in addresses with exposed public keys. As PQC-hardened wallets and protocols arrive (expected 2026–2028), migrate.

4. Audits. Every 12 months, check NIST’s PQC project page for parameter updates, and patch your cryptographic libraries the moment fixes ship.

Two honest cautions. PQC’s safety depends on correct implementation — the real-world break is rarely the maths, it’s side-channel leakage from timing, power, or electromagnetic signals during encryption. Use audited libraries like liboqs from the Open Quantum Safe project rather than hand-rolling anything, and get a security review before deploying custom code. And the smart transition strategy is hybrid encryption: wrap your data in AES-256-GCM, then protect the key with both X25519 (classical) and Kyber-1024 (post-quantum), so an attacker must defeat both. Hybrid is the belt-and-braces move — if PQC is ever unexpectedly broken, classical encryption still holds the line.
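The hybrid construction just described, as an added worked example that is not code from the original article or from any project it names. It uses only Go's standard library (Go 1.24 or later): crypto/ecdh for X25519, crypto/mlkem for ML-KEM-1024, which is the NIST-standardised form of Kyber-1024, and AES-256-GCM for the data itself. The two shared secrets are fed together through HKDF-SHA256 to produce the AES key, so recovering either secret on its own, whether by breaking the curve or by breaking the lattice, still leaves the attacker without the key. The Recipient and HybridCiphertext type names, the salt label in the key derivation, and the sample plaintext used in testing are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
)

// Recipient holds one long-term private key per half of the hybrid scheme (names are assumptions).
type Recipient struct {
	Classical *ecdh.PrivateKey            // X25519
	PQ        *mlkem.DecapsulationKey1024 // ML-KEM-1024, the standardised form of Kyber-1024
}

// HybridCiphertext is everything the sender transmits.
type HybridCiphertext struct {
	EphemeralX25519 []byte // sender's one-time X25519 public key, 32 bytes
	KEMCiphertext   []byte // ML-KEM-1024 ciphertext, 1568 bytes
	Nonce           []byte // 12-byte AES-GCM nonce
	Sealed          []byte // AES-256-GCM ciphertext followed by its 16-byte tag
}

func NewRecipient() (*Recipient, error) {
	xk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	dk, err := mlkem.GenerateKey1024()
	if err != nil {
		return nil, err
	}
	return &Recipient{Classical: xk, PQ: dk}, nil
}

// hybridAEAD derives the AES-256 key with HKDF-SHA256 (extract, then one expand
// block) over BOTH shared secrets, using the transmitted public values as context.
// An adversary who recovers only one of the two secrets cannot compute this key.
func hybridAEAD(ssClassical, ssPQ, ephPub, kemCt []byte) (cipher.AEAD, error) {
	extract := hmac.New(sha256.New, []byte("hybrid-x25519-mlkem1024-v1")) // salt label, an assumption
	extract.Write(ssClassical)
	extract.Write(ssPQ)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(ephPub)
	expand.Write(kemCt)
	expand.Write([]byte{0x01}) // HKDF block counter; one block is exactly 32 bytes
	block, err := aes.NewCipher(expand.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext so that only the holder of both private keys can open it.
func Encrypt(xPub *ecdh.PublicKey, ek *mlkem.EncapsulationKey1024, plaintext []byte) (*HybridCiphertext, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ssClassical, err := eph.ECDH(xPub)
	if err != nil {
		return nil, err
	}
	ssPQ, kemCt := ek.Encapsulate() // fresh shared secret and its encapsulation
	ephPub := eph.PublicKey().Bytes()
	gcm, err := hybridAEAD(ssClassical, ssPQ, ephPub, kemCt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // never returns an error as of Go 1.24
	sealed := gcm.Seal(nil, nonce, plaintext, nil)
	return &HybridCiphertext{EphemeralX25519: ephPub, KEMCiphertext: kemCt, Nonce: nonce, Sealed: sealed}, nil
}

// Decrypt recovers the plaintext; a wrong or tampered value on either side yields a
// different key, so the GCM tag check fails and an error is returned.
func Decrypt(r *Recipient, ct *HybridCiphertext) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(ct.EphemeralX25519)
	if err != nil {
		return nil, err
	}
	ssClassical, err := r.Classical.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	ssPQ, err := r.PQ.Decapsulate(ct.KEMCiphertext) // implicit rejection: a bad ct yields a random secret, not an error
	if err != nil {
		return nil, err
	}
	gcm, err := hybridAEAD(ssClassical, ssPQ, ct.EphemeralX25519, ct.KEMCiphertext)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ct.Nonce, ct.Sealed, nil)
}
```

To use it, create a Recipient with NewRecipient, hand r.Classical.PublicKey() and r.PQ.EncapsulationKey() to the sender's Encrypt, and pass the resulting HybridCiphertext back to Decrypt. Binding the transmitted public values into the key derivation means a swapped KEM ciphertext or ephemeral key changes the derived key and fails the GCM tag check instead of silently decrypting. The library-not-hand-rolled advice still applies: every primitive here is the standard library's, and the only custom part is the combiner that joins the two secrets.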

Which tools support PQC right now?

As of 2025, the ecosystem is further along than most people assume: GnuPG 2.4+ (local key encapsulation), OpenSSL 3.1+ (hybrid TLS key exchange), liboqs (the Open Quantum Safe library for C/C++), and Cloudflare Workers & Pages (hybrid TLS 1.3 by default). Signal has announced planned PQC support for its protocol with a timeline still to come, and Matrix/Element is exploring post-quantum key backup. Check whether your email provider, VPN, and messaging apps support PQC — and if they don’t, ask their security teams directly. Demand is what accelerates adoption; the request itself is an act of sovereignty.

A word on the comforting myths. “My data isn’t important enough” — medical records affect insurance and private messages can compromise you for years; long-lived data is exactly the target. “Quantum-resistant means unbreakable” — it means resistant to known quantum attacks; future mathematics could still surprise us, which is precisely why hybrid encryption and no permanent trust in any single algorithm is the honest posture.

Where does PQC fit in your wider security stack?

Post-quantum cryptography isn’t a standalone fix you install once and forget. It’s one layer in a stack, and it only matters if the layers around it hold. The reason the algorithm rarely breaks in practice is that the implementation does — a perfectly sound lattice scheme leaks its key through a side channel if the code measuring time, power, or electromagnetic emissions wasn’t written carefully. That’s why the strong advice is boring on purpose: use audited libraries like liboqs and OpenSSL 3.1+, and never hand-roll cryptography you intend to trust.

The other half is pressure. Adoption accelerates when paying users ask for it, so the most useful thing a non-cryptographer can do is make noise. When you renew with a VPN, switch email providers, or evaluate a messaging app, ask one question: do you support post-quantum or hybrid key exchange, and what’s your roadmap? Cloudflare ships X25519Kyber768 by default; some providers haven’t started. A provider that can’t answer the PQC question today is telling you exactly how long your data with them will stay safe — and the request itself nudges the whole market forward. Layer PQC under good operational security — strong device hygiene, careful key custody, end-to-end-encrypted channels — and you’ve built defence that survives the next decade rather than just the next data incident.

Frequently asked questions

Can quantum computers break PQC algorithms?
Not with any known quantum algorithm — lattice, hash-based, and code-based problems have no efficient quantum solution. New mathematics could theoretically emerge, which is why hybrid encryption is recommended as a hedge.

How long are PQC keys, and will they slow things down?
Kyber-1024 public keys run about 1.5 KB and private keys about 2.4 KB — larger than RSA, but encryption and decryption still finish in microseconds on a modern CPU. The network overhead is minimal.

Should I immediately replace all my RSA keys?
No. Rotate gradually. Use PQC for new keys — new GPG identities, new TLS certificates — and keep existing keys in use, but migrate anything with long-term sensitivity before 2030.

What if I use Signal or ProtonMail — are they PQC-ready?
Signal has not yet deployed PQC and is still evaluating approaches. ProtonMail supports PGP, so if you generate PQC-compatible GPG keys you can encrypt with PQC today. Ask each provider about its roadmap.

Your data was already on a shelf somewhere, waiting for a key that doesn’t exist yet but will. The harvest is happening; the only variable is whether what’s collected stays gibberish when the machine finally arrives. You don’t need to understand lattices to change that — you need to upgrade GnuPG, flip on hybrid TLS, and stop trusting a lock with a known expiry date. Do that, and you stop being the person whose secrets are quietly counting down. You become the one who built the next wall before anyone needed to climb it.


Ranveersingh Ramnauth · Founder & Editor, The Unhacked

Ranveersingh Ramnauth is the founder and editor of The Unhacked, an independent publication on digital sovereignty — privacy, self-custody, health, and money. The Unhacked publishes disclosure-first, independently-tested guidance and never lets a commercial link change a verdict.
