Breaches to data security are almost an everyday occurrence. Yet much worse could lie ahead: Cryptologists agree that quantum computers will be able to crack current encryption systems that now protect e-commerce transactions, mobile-device conversations, personal identifiers such as social security numbers, national security and industrial secrets, and other confidential information. And much of that information that already exists on networks could be saved and decrypted whenever quantum-decryption capabilities do arrive.

There’s no consensus on when quantum computers will render current encryption obsolete. In a 2022 survey by the Global Research Institute and evolutionQ, a Canadian quantum security consulting firm, 20 of 40 academic and industry quantum computing leaders said they considered it more than 5% likely to happen within 10 years, while 9 respondents indicated that the likelihood was 50% or greater. For 20 years from now, 14 said there would be a 70% chance, and all but 5 gave the same odds within 30 years.

And if such computers become available within the next couple decades, much of the sensitive information that is being shared over networks today may be vulnerable. “Imagine you have classified information you want to keep safe for 30 years,” says Dustin Moody, a NIST computer-security mathematician. “It is safe for now, but if a quantum computer comes in 15 years, someone can break [into] it and they will have access to it 15 years before you wanted them to.”

Many experts are all but certain that intelligence agencies in the US and other nations have been harvesting and storing massive amounts of data they can’t currently decode, waiting for future decryption by quantum computers. In September 2022, China’s National Computer Virus Emergency Response Center claimed that it had uncovered spyware from the US National Security Agency on the computer network of Northwestern Polytechnical University in Xi’an. The ministry accused the NSA of conducting a 10-year campaign to covertly gather information from China, Russia, and other nations on military secrets, scientific research, telecommunications, energy, and other topics.

For their part, the US and many of its allies have banned the use of telecom products from Huawei out of concerns that the Chinese company has built spyware backdoors into its cellphones, telecommunications, and internet network equipment. People outside of classified circles don’t know what’s actually happening, says John Schanck, a cryptography engineer at Mozilla, but “that’s kind of the point for cryptographers in the risk assessment business: If someone can be doing something, you assume that they are doing it.”

The debut of a quantum computer may well be kept under wraps, says Peter Schwabe, of the Max Planck Institute for Security and Privacy in Bochum, Germany. “Once this computer gets built, when will we know about it? Who will build it?” If a government acquires one, he asks, “are they going to say?”

In December 2022, President Biden signed into law a measure instructing federal agencies to hasten their adoption of postquantum cryptography (PQC). NIST is now on the verge of standardizing three algorithms that are aimed at protecting network data from quantum decryption and spoofing. A fourth is slated to be proposed next year in draft form.

Whereas the material that encryption algorithms protect is often secret, the process of developing the algorithms is fully open. That contrasts with the secret ciphers such as Germany’s Enigma, which the Allies had to break during World War II. “The interesting thing about modern cryptography is you don’t assume that anything is secret from your attacker,” says Moody. “You assume they have the complete specifications for how your security system works and you still want to be secure if they know all of that.”

NIST’s postquantum effort dates to 2016, when it invited the world’s cryptographic experts to submit PQC candidates. Teams from academia and industry responded with 69 proposals, which were evaluated internally and released to the outside community to analyze and crack if they could. Through three elimination rounds, NIST winnowed the proposals to seven finalists and eight alternate schemes.

NIST selected three algorithms for postquantum cryptography. A fourth is expected next year. They are based on module lattices and hash functions, two families of math problems that could resist a quantum computer’s assault.


In August NIST posted for public comment drafts of the three postquantum encryption algorithms it plans to issue next year as federal information processing standards, data security and computer systems criteria to which federal agencies must adhere; businesses and other organizations that interact with federal agencies must also be compliant. A fourth algorithm is due to receive its draft standard in 2024. Many other governments, including the European Union, are expected to follow the NIST standards rather than develop their own.

Evaluating a PQC algorithm using classical computers is tricky, says Moody. You have to try to estimate how a quantum computer would work. “We don’t know how fast it will be or how expensive it will be. So we extrapolate the best we can and set the parameters high enough.”

Two NIST hopefuls were broken in 2022 in the later stages of the process. An IBM team defeated Rainbow, which had made it to the penultimate elimination round, on a laptop in 53 hours. SIKE, which made it to the final round, employed a relatively new mathematical approach of maps between elliptic curves. It was taken down by a desktop in one hour.

Moody says NIST had already decided to hold SIKE back for further evaluation. The algorithm’s failure showed the selection process worked as intended, that “the strongest ones survive.” Schwabe, who contributed to three of the four draft standards, though not to SIKE, says the defeat was “very dramatic” and unexpected. But he adds that it doesn’t necessarily rule out other schemes employing similar mathematics.

Encryption can be either asymmetric or symmetric. In asymmetric encryption systems, also known as public-key encryption systems, the string of numbers or letters that constitute the encryption key is published for anyone to use to encode their messages. Only the receiving party has access to the decryption key that allows the messages to be read. In symmetric encryption, the same key is used to encode and decode the message. Once the sender and receiver make contact using public encryption, they exchange a symmetric-encryption key that they use for subsequent messages.

By their nature, asymmetric systems are less secure than symmetric ones, says Schanck. “They are public-key systems, meaning that the server you connect to can publish the key and anyone can see it, and anyone can encrypt to it. That’s not something you can do with perfect security.”

All encryption algorithms are fundamentally mathematical problems. Today’s widely used public-key encryption algorithms typically provide 128 bits of security. That means it would take a computer 2^128 operations to break the encryption key using a brute-force attack. For comparison, it’s estimated that there are 2^166 atoms on Earth. National security data requires stronger, 256-bit encryption.

The RSA public-key algorithm is based on the difficulty of factoring large integers—NIST recommends more than 600 digits, and more starting in 2030—into their prime numbers. Factoring through a brute-force attack is theoretically not impossible using today’s high-performance computers, but a conservative estimate is that it would take a supercomputer 16 million years. Similar levels of security are embodied in the other currently used encryption approaches, each of which relies on a different computationally difficult problem.

Yet experts agree that a three-decade-old algorithm developed by mathematician Peter Shor will enable cryptologists to break current asymmetric encryption systems in minutes if it is run on a sufficiently powerful quantum computer. Shor’s is a simple quantum algorithm, they say, and decryption should be one of the easiest tasks for a quantum computer to perform.

For symmetric-key encryption, the 256-bit version of the Advanced Encryption Standard first approved by NIST in 2001 is already considered quantum resistant. Although quantum computers won’t be able to break symmetric encryption, a slightly longer key may be required. “But we don’t have to replace the whole crypto system,” Moody says.

NIST’s PQC choice for general encryption purposes is Kyber, part of the Cryptographic Suite for Algebraic Lattices (CRYSTALS). Schanck, one of the many coauthors, is working to incorporate it into the Firefox web browser. He says network protocols, such as Transport Layer Security, that establish secure connections between browsers and web servers have already been adjusted to accommodate experimentation with Kyber. Many businesses, including IBM, Google, Amazon Web Services, and Cloudflare, have deployed a version of Kyber in their networks, and once NIST formalizes the standard, Transport Layer Security will likely be tweaked a bit further.

Quantum computers capable of decrypting messages protected using today’s encryption algorithms are still likely a decade or more away. But experts warn that they could easily decode sensitive information that is being collected and stored right now.


Two of the draft standards are for digital signatures, which are used to authenticate identities and to detect fake web pages and malicious software updates. Like Kyber, Dilithium is part of CRYSTALS and uses a mathematical framework known as module lattices. SPHINCS+ implements a stateless hash-based signature scheme.

The standards-setting Internet Engineering Task Force recommends that a PQC scheme such as Kyber be combined with prequantum encryption to ensure that deploying the newly developed algorithm won’t degrade security. The Chrome web browser is now packaging Kyber together with an existing prequantum algorithm.
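The hybrid approach just described, and the two-stage handshake described earlier (a public-key exchange that agrees on a symmetric key), can be illustrated with a key combiner. The following is an added example written for this page, not code from the article, from NIST, or from the browser projects it names. It uses only Python’s standard library; the two shared secrets are constructed byte strings standing in for the outputs of a prequantum exchange (X25519) and a Kyber encapsulation, and the HKDF labels and transcript binding are assumptions for the illustration rather than the exact construction in the IETF draft, which feeds the concatenated secrets straight into the TLS key schedule.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_secret(ss_classical: bytes, ss_pq: bytes, transcript: bytes, length: int = 32) -> bytes:
    """Derive one session key from two shared secrets.

    Concatenating the secrets means an attacker must know BOTH to reproduce the key:
    breaking the prequantum exchange with Shor's algorithm alone, or finding a flaw in
    the new scheme alone, is not enough. The transcript (the public keys and ciphertext
    that went over the wire) is mixed in so the key is bound to this particular exchange.
    Salt and info labels are assumptions made for this example.
    """
    prk = hkdf_extract(salt=b"hybrid-kem-combiner", ikm=ss_classical + ss_pq)
    return hkdf_expand(prk, info=b"session key" + transcript, length=length)


# Constructed stand-in values (NOT real KEM outputs): two 32-byte secrets and a fake transcript.
SS_CLASSICAL = bytes(range(32))        # what an X25519 exchange would yield on both sides
SS_PQ = bytes(range(32, 64))           # what Kyber encapsulation/decapsulation would yield
TRANSCRIPT = b"client-keyshare|server-keyshare|kyber-ciphertext"


def both_sides_agree() -> bool:
    """Client and server, holding the same two secrets, derive the same session key."""
    client = hybrid_secret(SS_CLASSICAL, SS_PQ, TRANSCRIPT)
    server = hybrid_secret(SS_CLASSICAL, SS_PQ, TRANSCRIPT)
    return client == server


def attacker_with_only_classical_fails(guess_pq: bytes = bytes(32)) -> bool:
    """An attacker who recovered the classical secret but must guess the Kyber secret gets a different key."""
    real = hybrid_secret(SS_CLASSICAL, SS_PQ, TRANSCRIPT)
    guessed = hybrid_secret(SS_CLASSICAL, guess_pq, TRANSCRIPT)
    return real != guessed


if __name__ == "__main__":
    print("peers agree:", both_sides_agree())
    print("classical break alone is insufficient:", attacker_with_only_classical_fails())
    print("session key:", hybrid_secret(SS_CLASSICAL, SS_PQ, TRANSCRIPT).hex())
```

The point of the combiner is the one the IETF makes: deploying Kyber alongside the prequantum exchange cannot make the connection weaker than it was, because the derived key still depends on the secret that Kyber did not touch.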

“When the standards come out in 2024 they still have to be implemented and tested, and auditors will have to write guidelines for certification,” says Andreas Hülsing, a cryptographer at Eindhoven University of Technology in the Netherlands who codeveloped SPHINCS+. “Getting them deployed in critical infrastructure sectors will easily take another three to four years.”

NIST is considering two other algorithms for standardization, Moody says. Both are for general-purpose encryption, and both are based on error-correcting codes, which build on the principle that errors constantly occur in the transmission and storage of data and in mobile-communication networks. In the encryption schemes, errors are deliberately inserted before transmission and are later corrected during decoding.
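To make that principle concrete, here is an added toy example in Python written for this page; it is not one of the candidates NIST is evaluating and is not secure, since the Hamming(7,4) code it uses corrects only one flipped bit per 7-bit block and has a tiny key space. It follows the McEliece pattern: the private key is a secret scrambling of the code’s generator matrix, the public key is the scrambled matrix, the sender deliberately flips one bit of each encoded block, and only the key holder can unscramble the block and run the decoder that removes the error. The matrix names and key layout are my construction.

```python
import random

# Hamming(7,4): generator G = [I4 | A] and parity-check H = [A^T | I3] over GF(2).
G = [[1, 0, 0, 0, 1, 1, 0],
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
H = [[1, 1, 0, 1, 1, 0, 0],
     [1, 0, 1, 1, 0, 1, 0],
     [0, 1, 1, 1, 0, 0, 1]]


def vec_mat(v, m):
    """Row vector times matrix over GF(2)."""
    return [sum(v[i] & m[i][j] for i in range(len(v))) % 2 for j in range(len(m[0]))]


def mat_mat(a, b):
    """Matrix product over GF(2)."""
    return [vec_mat(row, b) for row in a]


def gf2_inverse(m):
    """Gauss-Jordan inverse over GF(2); returns None if the matrix is singular."""
    n = len(m)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def keygen(rng=None):
    """Private key: (S^-1, permutation); public key: S*G with its columns permuted."""
    rng = rng or random.SystemRandom()
    while True:  # random 4x4 matrices are invertible over GF(2) about 30% of the time
        S = [[rng.getrandbits(1) for _ in range(4)] for _ in range(4)]
        S_inv = gf2_inverse(S)
        if S_inv is not None:
            break
    pi = list(range(7))
    rng.shuffle(pi)
    SG = mat_mat(S, G)
    G_pub = [[row[pi[j]] for j in range(7)] for row in SG]
    return (S_inv, pi), G_pub


def encrypt(G_pub, m, err_pos):
    """Encode a 4-bit message with the public matrix, then deliberately flip one bit."""
    c = vec_mat(m, G_pub)
    c[err_pos] ^= 1
    return c


def decrypt(priv, c):
    """Undo the permutation, correct the single error by syndrome decoding, undo S."""
    S_inv, pi = priv
    w = [0] * 7
    for j in range(7):
        w[pi[j]] = c[j]
    syndrome = [sum(H[r][i] & w[i] for i in range(7)) % 2 for r in range(3)]
    if any(syndrome):  # the syndrome equals the H column of the flipped position
        col = next(i for i in range(7) if [H[r][i] for r in range(3)] == syndrome)
        w[col] ^= 1
    return vec_mat(w[:4], S_inv)  # G is systematic, so the first 4 bits are m*S


def roundtrip_all(seed: int = 0) -> bool:
    """Every 4-bit message, with the deliberate error at every position, decrypts correctly."""
    priv, pub = keygen(random.Random(seed))  # seeded RNG only so the check is reproducible
    for m in range(16):
        bits = [(m >> k) & 1 for k in range(4)]
        for pos in range(7):
            if decrypt(priv, encrypt(pub, bits, pos)) != bits:
                return False
    return True


if __name__ == "__main__":
    priv, pub = keygen()
    msg = [1, 0, 1, 1]
    ct = encrypt(pub, msg, err_pos=2)
    print("ciphertext with deliberate error:", ct)
    print("decrypted:", decrypt(priv, ct))
    print("all 16 x 7 cases round-trip:", roundtrip_all())
```

The real candidates replace Hamming(7,4) with codes that correct many errors per block and whose scrambled generator matrices are large, which is where their security and their sizeable public keys come from.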

Kyber runs faster on some platforms than the prequantum algorithms in wide use today, but the Transport Layer Security message carrying the Kyber public key is large—approximately a kilobyte, while the keys of the schemes currently in use are tens of bytes. Google and Cloudflare have demonstrated that web servers can easily handle the larger size, the companies say. But some web “middlebox” devices, such as firewalls, that haven’t been updated will reject Kyber-encoded messages. For now, Chrome offers affected network administrators the ability to disable Kyber.

One question yet to be resolved is how PQC will affect the “internet of things,” the networked microprocessor devices that control such things as automobile functions and the sensors and switches that govern many industrial and infrastructural processes, including electricity transmission, water treatment, and oil and gas pipeline operations. While laptops and cellphones can easily handle the larger postquantum encryption, many smaller internet-of-things devices can’t, says Moody. “There’s a lot of research going on in that direction.”

“Some [internet-of-things] systems will need to be replaced, other systems will get software updates, and still others will be insecure until their end of life,” says Schanck.