In August 2024, the United States National Institute of Standards and Technology finalised the world's first post-quantum cryptographic standards — three algorithms designed to resist attacks from quantum computers. The announcement was greeted with cautious relief in cybersecurity circles. It was also, in a quiet way, the opening of a clock.
From that moment, organisations that handle sensitive data over long timeframes — banks, insurers, government agencies, healthcare providers — began calculating how long it would take to migrate their encryption infrastructure to the new standards. For most, the honest answer was: longer than they would like, and potentially longer than they have.
Why Cryptographers Are Concerned
The threat stems from Shor's algorithm, a quantum algorithm that can factorise large integers exponentially faster than any known classical method. This matters because the RSA and elliptic-curve cryptography systems that protect most of today's internet traffic, VPNs, digital signatures, and financial transactions derive their security from precisely the kind of mathematical problem Shor's algorithm solves. A sufficiently powerful quantum computer running Shor's algorithm could break a 2048-bit RSA key in hours, compared to the estimated billions of years it would take a conventional machine.
Current quantum hardware is nowhere near that capability. The most advanced commercial systems from IBM and Google operate with a few hundred to a few thousand "noisy" qubits — error-prone and far from the millions of fault-tolerant logical qubits required for cryptographic attacks. But the field is advancing faster than most experts predicted five years ago, and the relevant planning horizon is not today's machines but the machines of 2030 to 2035.
There is also the "harvest now, decrypt later" problem. Sophisticated adversaries — nation-state intelligence agencies foremost among them — are believed to be intercepting and archiving encrypted communications today, with the intention of decrypting them once quantum capability arrives. For data that must remain confidential for ten or twenty years — sealed bids, medical records, national security communications, long-term contracts — the threat is not hypothetical. It is already in motion.
NIST's Four Algorithms
The three finalised NIST standards — ML-KEM (formerly CRYSTALS-Kyber) for key exchange, ML-DSA (formerly CRYSTALS-Dilithium) for digital signatures, and SLH-DSA (formerly SPHINCS+) for hash-based signatures — were selected after an eight-year public competition involving submissions from cryptographers worldwide. A fourth algorithm, FALCON, received standardisation as FN-DSA. These are not theoretical constructs; they are now being integrated into libraries like OpenSSL and are appearing in the latest versions of TLS, SSH, and other protocols.
The Australian Signals Directorate has encouraged organisations to begin planning for migration, and the Australian Cyber Security Centre's 2024 guidance on quantum risk flags financial services, critical infrastructure operators, and anyone handling information with long-term sensitivity requirements as priority cases.
What Migration Actually Involves
The challenge is not obtaining the algorithms — they are freely available and increasingly built into commercial software. The challenge is the breadth of cryptographic exposure in a modern organisation. Every TLS certificate, every VPN connection, every digital signature workflow, every encrypted database, every hardware security module, every payment terminal potentially needs to be assessed and updated.
Sandra Petrova, who leads the cryptographic risk practice at Sydney-based consultancy CipherEdge, estimates that a mid-sized Australian financial institution with a moderately complex IT environment has cryptographic dependencies in 200 to 400 distinct systems. "The discovery phase alone — just cataloguing where cryptography is used and what algorithm is in play — typically takes three to six months," she says. "Most organisations are genuinely surprised by how embedded this stuff is."
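The discovery phase described above usually starts with something far cruder than a product: a script that walks configuration files and flags every algorithm name it recognises. The following is an added example written for this article, not a tool from CipherEdge or any vendor named here. The configuration snippets are constructed, the file names are hypothetical, and the triage categories (quantum-vulnerable, post-quantum, symmetric) are a practitioner's working labels rather than a NIST taxonomy.

```python
"""Constructed example: a first-pass cryptographic inventory scanner.

Scans configuration text line by line, recognises algorithm tokens and
classifies each hit for a post-quantum migration triage. All sample
configuration below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Triage categories (assumption: working labels, not an official taxonomy).
VULNERABLE = "quantum-vulnerable (Shor)"       # public-key schemes Shor breaks
SAFE = "post-quantum (NIST FIPS 203/204/205)"  # ML-KEM, ML-DSA, SLH-DSA
SYMMETRIC = "symmetric (Grover: review key length)"

# (pattern, algorithm family, category). Group 1, where present, is a size.
PATTERNS = [
    (re.compile(r"\bRSA(?:[-_]?(\d{3,4}))?\b", re.I), "RSA", VULNERABLE),
    (re.compile(r"\b(?:ECDHE?|ECDSA|secp\d{3}[rk]1|P-(?:256|384|521)|"
                r"X25519|curve25519|Ed25519)\b", re.I), "ECC", VULNERABLE),
    (re.compile(r"\b(?:DHE?|diffie-hellman-group\d+)(?:[-_]?(\d{4}))?\b", re.I),
     "DH", VULNERABLE),
    (re.compile(r"\bML-KEM(?:-(\d{3,4}))?\b", re.I), "ML-KEM", SAFE),
    (re.compile(r"\bML-DSA(?:-(\d{2}))?\b", re.I), "ML-DSA", SAFE),
    (re.compile(r"\bSLH-DSA\b", re.I), "SLH-DSA", SAFE),
    (re.compile(r"\bAES[-_]?(128|192|256)\b", re.I), "AES", SYMMETRIC),
]

# Key sizes below which a finding is weak today, quantum or not (assumption).
MIN_CLASSICAL_BITS = {"RSA": 2048, "DH": 2048}

# Constructed sample: fragments of an nginx, sshd and HSM config (hypothetical).
SAMPLE_CONFIG = """\
# nginx.conf (constructed)
ssl_protocols TLSv1.3;
ssl_ecdh_curve X25519:secp384r1;
ssl_certificate /etc/ssl/certs/web-rsa2048.pem;
# sshd_config (constructed)
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha256
# payments-hsm.yaml (constructed)
signing_algorithm: ML-DSA-65
kem: ML-KEM-768
data_cipher: AES-256-GCM
legacy_key_wrap: RSA-1024
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    algorithm: str
    size: Optional[int]
    category: str
    source: str  # the token as it appeared in the config


def scan(text: str) -> List[Finding]:
    """Return every recognised algorithm use, in file order. Comment lines are skipped."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        hits = []
        for pattern, name, category in PATTERNS:
            for m in pattern.finditer(line):
                size = int(m.group(1)) if pattern.groups and m.group(1) else None
                hits.append((m.start(), Finding(line_no, name, size, category, m.group(0))))
        findings.extend(f for _, f in sorted(hits, key=lambda h: h[0]))
    return findings


def summarise(findings: List[Finding]) -> dict:
    """Count findings per triage category."""
    counts: dict = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


def weak_today(findings: List[Finding]) -> List[Finding]:
    """Findings already below accepted classical strength: replace regardless of timeline."""
    return [f for f in findings
            if f.size is not None and f.size < MIN_CLASSICAL_BITS.get(f.algorithm, 0)]


if __name__ == "__main__":
    found = scan(SAMPLE_CONFIG)
    for f in found:
        print(f"line {f.line_no:2}: {f.algorithm:<7} {f.size or '':>5}  {f.category}  [{f.source}]")
    print(summarise(found))
    print("weak today:", [(f.algorithm, f.size) for f in weak_today(found)])
```

Run against real configuration trees, the script's value is the list of line numbers it produces, not the counts; the names it cannot resolve to a key size (a bare `rsa` in an SSH host-key list, for instance) are exactly the entries the discovery phase then has to chase by hand.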
The migration itself is complicated by the fact that post-quantum algorithms are computationally heavier than their classical counterparts. ML-KEM key sizes are roughly ten times larger than comparable RSA keys. For most applications the performance difference is negligible, but for constrained environments — IoT devices, embedded systems, legacy hardware with limited processing capacity — it can be a genuine obstacle.
The Hybrid Approach
The interim solution, recommended by NIST and adopted by most serious implementations, is hybrid cryptography: running classical and post-quantum algorithms in parallel so that the exchange remains secure as long as at least one of the two schemes is unbroken. This provides protection today against classical attacks while building in quantum resistance, without requiring a full cutover to unproven new algorithms. The approach adds overhead but eliminates the all-or-nothing risk of premature migration.
For Australian businesses working with managed service providers, the most immediately practical step is to ensure that any new system deployments and significant upgrades specify crypto-agile architectures — designs that treat cryptographic algorithms as configurable parameters rather than hardwired choices. Renegotiating a software contract to require NIST post-quantum readiness costs nothing at the time of signature. Retrofitting a production system two years into its lifecycle costs considerably more.
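The two ideas in the preceding sections, a hybrid exchange that stays secret while either component holds, and a crypto-agile design in which the algorithm list is a configurable policy rather than a hardwired choice, fit together in one small piece of code: the secret combiner. The following is an added example written for this article, not code from NIST, OpenSSL or any vendor named here. It does not implement X25519 or ML-KEM; their ciphertexts and shared secrets are stood in by random bytes of the real sizes, and the policy names, labels and HKDF context string are assumptions. The combiner itself follows the concatenate-then-KDF shape used for hybrid TLS key exchange.

```python
"""Constructed example: a crypto-agile hybrid secret combiner.

The component KEMs are NOT implemented here; fresh_components() stands in
random bytes for their outputs. The block shows the agile part (a named
policy is the only place algorithms are listed) and the hybrid part (one
key derived from every component's secret, bound to the transcript).
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Real output sizes in bytes (ciphertext/public value, shared secret).
KEM_SIZES = {"X25519": (32, 32), "ML-KEM-768": (1088, 32)}

# Policy registry: the single place that names algorithms (assumed names).
# Moving a deployment from classical to hybrid, or dropping a broken
# component later, is a one-line change here, not an edit at every call site.
POLICIES: Dict[str, Tuple[str, ...]] = {
    "legacy-classical": ("X25519",),
    "hybrid-2024": ("X25519", "ML-KEM-768"),
    "pq-only": ("ML-KEM-768",),
}

Components = Dict[str, Tuple[bytes, bytes]]  # name -> (ciphertext, shared_secret)


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine(policy: str, components: Components, transcript: bytes, length: int = 32) -> bytes:
    """Derive one session key from all component secrets named by `policy`.

    Secrets are concatenated in policy order (each has a fixed length, so no
    separator is needed) and the policy name plus a hash of every ciphertext
    and the transcript go into the HKDF info, so a downgraded policy or a
    tampered ciphertext yields a different key rather than a silent weakening.
    """
    names = POLICIES[policy]
    missing = [n for n in names if n not in components]
    if missing:
        raise ValueError(f"policy {policy!r} requires components {missing}")
    ikm = b"".join(components[n][1] for n in names)
    ciphertexts = b"".join(components[n][0] for n in names)
    binding = hashlib.sha256(ciphertexts + transcript).digest()
    info = b"hybrid-kdf-example|" + policy.encode() + b"|" + binding  # assumed label
    return hkdf(ikm, salt=b"\x00" * 32, info=info, length=length)


def fresh_components(policy: str) -> Components:
    """Stand-ins for real KEM outputs: constructed random bytes, not X25519/ML-KEM."""
    return {n: (secrets.token_bytes(KEM_SIZES[n][0]), secrets.token_bytes(KEM_SIZES[n][1]))
            for n in POLICIES[policy]}


def simulate_future_break(policy: str, components: Components, transcript: bytes) -> bool:
    """Model 'harvest now, decrypt later': an adversary who recorded the exchange
    later recovers the classical (X25519) shared secret but learns nothing about
    the ML-KEM secret, which is modelled as a random guess. Returns True if the
    adversary reproduces the session key, i.e. the policy offered no protection."""
    held = {n: v for n, v in components.items() if n == "X25519"}
    guessed = {n: (c, secrets.token_bytes(len(s)))
               for n, (c, s) in components.items() if n != "X25519"}
    return combine(policy, {**held, **guessed}, transcript) == combine(policy, components, transcript)


if __name__ == "__main__":
    for policy in POLICIES:
        comps = fresh_components(policy)
        key = combine(policy, comps, b"constructed transcript")
        print(f"{policy:<17} key={key.hex()[:16]}...  "
              f"broken by classical-secret recovery: {simulate_future_break(policy, comps, b'constructed transcript')}")
```

The `simulate_future_break` check is the whole argument for the hybrid approach in one assertion: under `legacy-classical` the recovered X25519 secret is the key, under `hybrid-2024` it is useless without the ML-KEM secret. Note what the policy table does not fix: a record of the exchange is still worth keeping for an adversary if the organisation later retires the post-quantum component, which is why crypto-agility has to be a property of the deployed configuration, not just of the library.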
The window between now and when quantum computers become genuinely threatening is probably a decade, possibly less. That sounds comfortable until you account for the time needed to migrate, the regulatory requirements that will almost certainly mandate it before the threat fully materialises, and the harvest-now adversaries who have already started the clock.