If your only takeaway from a 20-module quantum track is from this one module, that’s fine — this is the answer to “why should I care?” The threat model is concrete, the timeline is uncertain but bounded, and the migration is a multi-year program that needs to start before the threat is realised.
What breaks — the inventory
A cryptographically-relevant quantum computer (CRQC) running Shor’s algorithm breaks any cryptosystem whose security rests on:
- Integer factorisation — RSA. Affects: HTTPS certificates, code signing certificates, S/MIME, PGP/GPG, JWT RS256 signatures, SSH RSA host keys, Kerberos pkinit certs.
- Discrete logarithm modulo prime — Diffie-Hellman, DSA. Affects: legacy TLS DHE cipher suites, IPsec IKE classical mode, some VPN configurations.
- Elliptic-curve discrete logarithm — ECDSA, ECDH, EdDSA. Affects: modern TLS ECDHE, SSH ed25519 host keys, Bitcoin/Ethereum transaction signing, JWT ES256, modern certificate authorities.
What survives Shor (but degrades under Grover):
- Symmetric ciphers — AES, ChaCha20. Grover’s algorithm halves their effective security: AES-128 becomes 64-bit-equivalent (broken), AES-256 becomes 128-bit-equivalent (still secure for decades).
- Hash functions — SHA-256, SHA-3. Same Grover-driven halving: SHA-256 becomes 128-bit collision resistance (still acceptable for most uses).
What’s already PQ-resistant (built differently, no factoring/DLP dependency):
- Lattice-based — ML-KEM (Kyber), ML-DSA (Dilithium) — NIST standards as of 2024.
- Hash-based signatures — XMSS, LMS, SLH-DSA (SPHINCS+) — also standardised.
- Code-based — Classic McEliece — alternative for special use cases.
Timeline — when is this real?
The honest answer is “we don’t know exactly.” Credible estimates from NIST, US National Academies, the UK’s NCSC, and academic groups cluster around 2030-2040 for a CRQC capable of breaking RSA-2048. Some bodies (China’s QuICS) suggest sooner; some (independent academics) suggest later.
For planning purposes:
- 2025-2027: PQ migration urgent for high-sensitivity data with long lifetime (medical records, classified information, banking secrets, intellectual property).
- 2027-2030: Standard PQ migration window for most enterprise data (employee PII, customer accounts, IT infrastructure).
- 2030+: Mass-market PQ deployment expected. SaaS vendors will be on PQ-by-default by then.
“Store now, decrypt later” — the present-day threat
Adversaries with strategic patience are recording encrypted traffic today and storing it. When CRQCs exist, they decrypt the stored traffic. This is not speculation — it’s documented in NSA-adjacent literature, in Chinese state policy, and in technical-detail publications from European intelligence services.
Data with relevance horizon ≥ 10 years should be considered already at risk. Examples:
- Medical records (lifetime relevance).
- Genetic data (lifetime, multigenerational).
- Indian Aadhaar / PAN data (decades-long sensitivity).
- Banking transaction history (10+ year retention requirements).
- Classified government communications.
- Trade secrets and IP filings.
If you protect any of the above, the migration urgency is now, not later.
What the board needs to hear
A board-friendly framing of the risk:
- Confidentiality of long-lived data is at risk today via store-now-decrypt-later. Adversaries don’t need quantum computers right now; they just need to record traffic.
- Authenticity (digital signatures) become forgeable when CRQC arrives. Today’s signed software updates, audit reports, contracts may be forged in 2035-2040.
- The migration itself is a 5-10 year program. Inventorying every cryptographic dependency in your stack, replacing across vendors, validating performance — this takes time. Starting now is calibrated, not premature.
- Crypto-agility is the engineering objective. Even after PQ migration, the algorithms may need replacement again. Build systems that swap algorithms via configuration, not via re-architecture.
- Cost is moderate. PQ algorithms have larger key/signature sizes (Kyber-768 ciphertext is ~1KB vs RSA-2048 ciphertext of ~256B). Performance impact on TLS handshake: ~2-5x slower in early implementations, expected to optimise. Bandwidth impact: real but tractable for modern networks.
What India-specific compliance frameworks say
As of late 2025:
- RBI — Cyber Security Framework requires “appropriate cryptographic controls” but does not yet specify PQ migration. Expected guidance update 2026-2027.
- SEBI CSCRF — same posture; cryptographic controls required, PQ not yet specified.
- DPDP §8(5) — “reasonable security safeguards.” A future Data Protection Board ruling could find that not migrating to PQ for long-retention personal data is unreasonable. The ruling has not happened; the risk exists.
- CERT-In — has issued informational advisories on PQ but no binding directives.
- NIST (US) — published the final PQ standards in August 2024. US Federal agencies are required to migrate by 2035.
Indian regulators will follow NIST, with a lag. Multinationals operating in India should align to NIST timelines (2030-2035 migration window) to avoid being out of compliance with their global posture.
What to do this quarter
- Inventory cryptographic dependencies. What algorithms are in use across TLS endpoints, SSH, code signing, PKI, S/MIME, JWT, JWE, IPsec, VPN, database TDE, application-layer encryption? Vendor-by-vendor.
- Identify long-retention data — anything kept ≥10 years. Quantify the store-now-decrypt-later exposure.
- Engage strategic vendors. Microsoft, AWS, Cisco, Cloudflare, F5 all have PQ roadmaps. Get yours.
- Pilot hybrid PQ. Start with one production TLS endpoint. CloudFlare and AWS already support hybrid Kyber-x25519. Learn what breaks.
- Brief the board annually on PQ-readiness status. Treat as standing risk, like ransomware or supply-chain.
FAQ
Is the threat overhyped?
The migration is real and necessary. The timing is uncertain. Vendor marketing inflates urgency for selling. The technical truth is that we should migrate ahead of the threat because data has long lifetime — that’s the unhyped, calibrated position.
Will quantum break Bitcoin?
Eventually, yes — Bitcoin uses ECDSA. Funds in addresses where the public key has been revealed (most spent transactions) are vulnerable to Shor. Bitcoin governance is debating PQ-signature transitions; it’s a 5-10 year migration with backwards compatibility complexity. Other cryptocurrencies (Ethereum) have similar issues.
What about HTTPS browsing?
Modern browsers (Chrome 124+, Firefox 132+) ship hybrid X25519+Kyber-768 for TLS 1.3. As of 2025, Cloudflare-fronted sites and Google services already negotiate this. Migration is happening invisibly underneath users.
Should we delay TLS-cert renewals waiting for PQ-CA support?
No. Continue normal cert hygiene. PQ-PKI is a separate migration that will happen on its own timeline; current ECDSA/RSA certs remain secure for their typical 13-month lifespan.
What’s the cost of being wrong on the timeline?
Wrong-too-early: spent budget on PQ migration before strictly necessary. Cost: marginal.
Wrong-too-late: long-lived data exposed when CRQC arrives, regulatory penalty under DPDP §8(5), reputational damage. Cost: catastrophic.
Asymmetry: the cost of late far exceeds the cost of early. Bias toward starting now.
⚖️ Module 2 of 20 in the Quantum Computing track. Foundational risk-framing content. Modules 3-5 cover the specific algorithms that drive the threat.
Get a free attack-surface review
We check what an attacker would see about your business — leaked credentials, exposed services, dark-web mentions. 30 minutes, no obligation.