This is the capstone article in the Quantum Security Reference Deep Dive series.
Introduction
Quantum security is the discipline of protecting digital systems, data, and cryptographic infrastructure against threats from quantum computing, while also harnessing quantum technologies for defense. It encompasses three interconnected domains: defending against quantum attacks through post-quantum cryptography (PQC), using quantum physics itself as a security tool through methods like quantum key distribution (QKD), and securing quantum computing systems from classical threats.
If you are a CISO, CTO, or security leader reading this for the first time, here is the sentence you can forward to your board: quantum computers will eventually break the public-key cryptography that protects virtually all digital communications, and the migration to quantum-resistant alternatives is a multi-year program that regulators, standards bodies, and major technology vendors are already forcing into motion, with hard deadlines starting in 2026.
This guide maps the complete quantum security landscape, connects each concept to the deeper technical analyses I have published on PostQuantum.com, and focuses on the questions that matter most to security practitioners: what is actually at risk, when does it matter, and what should you do about it.
The Quantum Threat to Cryptography
The threat is specific and well-understood. A sufficiently powerful quantum computer running Shor’s algorithm can break RSA, Elliptic Curve Cryptography (ECC), and Diffie-Hellman key exchange — the three families of public-key cryptography that underpin TLS, digital signatures, VPNs, code signing, PKI, and essentially every secure digital transaction on the planet. This is not speculation. The mathematics has been proven since 1994. What remains uncertain is when a quantum computer capable of executing this attack will exist.
That machine is called a Cryptographically Relevant Quantum Computer (CRQC), and the engineering path to building one is the subject of my CRQC Quantum Capability Framework, which tracks ten distinct capabilities, from quantum error correction to engineering scale and manufacturability, that must converge before a CRQC becomes operational.
The resource estimates for building a CRQC have been dropping at a pace that should concern every security professional. In 2021, the best published estimate for breaking RSA-2048 required approximately 20 million physical qubits. By May 2025, Craig Gidney’s updated analysis brought that figure below one million physical qubits — a 20× reduction achieved purely through algorithmic and error correction improvements, not hardware breakthroughs. In early 2026, the Pinnacle architecture proposal pushed the theoretical floor below 100,000 qubits under certain assumptions. And in March 2026, Google’s quantum team published research showing that ECC-256 could potentially be broken with fewer than 500,000 superconducting qubits in under nine minutes.
No one has built a machine with anywhere near these capabilities today. The largest gate-based quantum computers operate in the low thousands of physical qubits, with error rates still far above what cryptanalysis requires. But the trajectory is moving in one direction, and the gap is closing faster than most security planners expected even two years ago.
Grover’s algorithm poses a separate, less severe quantum threat to symmetric cryptography: it effectively halves key lengths, meaning AES-256 would offer roughly AES-128 equivalent security against a quantum attacker. This is significant but manageable – doubling symmetric key lengths is a well-understood mitigation. The existential threat is to public-key systems, and that is where the urgency lies.
The Threat Is Active Today
The most common misconception in quantum security is that the threat begins when a CRQC exists. It does not.
Harvest Now, Decrypt Later (HNDL) is the practice of intercepting and storing encrypted data today with the intention of decrypting it once quantum computing matures. Nation-state intelligence agencies have the storage capacity, the collection infrastructure, and the strategic patience to execute this at scale. Any data that needs to remain confidential for more than a decade, such as state secrets, medical records, financial data, intellectual property, long-lived personal identifiers, is already at risk under HNDL, regardless of how far away a CRQC might be.
The less discussed but potentially more disruptive analog is Trust Now, Forge Later (TNFL), a concept I introduced in 2018. Where HNDL attacks confidentiality, TNFL attacks trust: digital signatures made today using RSA or ECC could be forged retroactively once a CRQC exists. The implications cascade through software supply chains (forged code-signing certificates), legal instruments (forged digital signatures on contracts), identity systems (forged authentication tokens), and any domain where we rely on digital signatures to establish trust.
As I argued in my analysis of why signature migration should precede encryption migration, the TNFL threat may actually demand more urgent action than HNDL, because the trust infrastructure underpinning digital signatures is harder to migrate and the consequences of compromise are more systemic.
Post-Quantum Cryptography: The Primary Defense
Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to resist attacks from both classical and quantum computers. Unlike quantum cryptography (which uses quantum physics), PQC runs on existing classical hardware — it is a software and protocol change, not a hardware upgrade.
In August 2024, NIST finalized its first set of post-quantum standards:
- ML-KEM (FIPS 203, formerly CRYSTALS-Kyber): a lattice-based key encapsulation mechanism for encryption and key exchange
- ML-DSA (FIPS 204, formerly CRYSTALS-Dilithium): a lattice-based digital signature algorithm
- SLH-DSA (FIPS 205, formerly SPHINCS+): a hash-based digital signature algorithm, serving as a conservative fallback
A fourth standard, FN-DSA (formerly FALCON), is expected to be finalized in 2025. NIST has also selected HQC as a backup key encapsulation mechanism in case lattice-based approaches encounter unexpected vulnerabilities.
These standards are not experimental. Browser vendors, cloud providers, hardware security module manufacturers, and enterprise security platforms are already shipping implementations. The question for organizations is no longer whether PQC algorithms exist, but how quickly they can be deployed.
Quantum Cryptography: The Physics-Based Alternative
Quantum cryptography takes a fundamentally different approach from PQC. Rather than designing algorithms that resist quantum attack, it uses the principles of quantum physics to detect eavesdropping on communication channels.
The most mature quantum cryptographic technology is Quantum Key Distribution (QKD), which enables two parties to share encryption keys with information-theoretic security guaranteed by physics rather than computational hardness. The foundational BB84 protocol has been refined into a family of next-generation protocols including entanglement-based and device-independent variants.
QKD offers a theoretically elegant guarantee, but it comes with practical constraints: it requires dedicated optical fiber or satellite links, operates over limited distances without quantum repeaters, and remains expensive to deploy at scale. More importantly, as I have covered extensively, countries differ significantly on QKD’s role in their quantum security strategies. China has invested heavily in operational QKD networks. The United States and United Kingdom have been more skeptical, focusing their mandates on PQC.
For most organizations, PQC is the primary defense and the one that regulatory mandates require. QKD is a complementary technology relevant to specific high-security, point-to-point use cases — not a replacement for PQC migration.
The Scale of Migration
If the quantum threat is the “why,” then PQC migration is the “what” — and it is enormous. I have described it as the largest, most complex cryptographic overhaul in IT history, and nothing I have seen since writing that has changed my assessment. For a large enterprise, migration involves upwards of 120,000 discrete tasks spanning network infrastructure, application code, key management systems, PKI hierarchies, vendor contracts, embedded devices, and operational technology.
The migration challenge is compounded by several factors that distinguish it from previous cryptographic transitions:
PQC algorithms use significantly larger key sizes and signature sizes than their classical counterparts. ML-KEM ciphertexts are roughly 32 times larger than ECDH key exchanges. ML-DSA signatures are approximately 50 times larger than ECDSA signatures. These differences ripple through bandwidth-constrained protocols, certificate chains, IoT devices, and any system designed around compact classical cryptography. I have detailed these infrastructure challenges and their network connectivity implications separately.
Crypto-agility — the architectural ability to swap cryptographic algorithms without rebuilding systems — should have been standard practice for decades, but most organizations have never needed it. PQC migration is the forcing function. As I have argued, crypto-agility is an architecture problem, not a library swap, and organizations that treat it as a one-time algorithm replacement will find themselves in the same position again when (not if) standards evolve.
The first step in any migration is knowing what you have. A comprehensive cryptographic inventory — ideally formalized as a Cryptographic Bill of Materials (CBOM) — is the foundation of every credible migration program. Without one, you are prioritizing blind.
For organizations ready to begin, the Applied Quantum PQC Migration Framework provides a structured, open-source methodology, and my practical steps guide maps the first concrete actions.
The Deadlines Are Already Set
I have argued repeatedly that debating Q-Day predictions is becoming irrelevant because the ecosystem has moved. Regulators, standards bodies, and major technology vendors are not waiting for a CRQC to exist before imposing quantum security requirements.
The timeline is concrete. NSA’s CNSA 2.0 requires all new National Security System acquisitions to use quantum-resistant algorithms by January 2027. Software and firmware signing must migrate by 2030. Legacy systems that cannot be upgraded must be retired by 2030. Full enforcement of quantum-resistant cryptography across all NSS is targeted by 2035. These deadlines cascade through the defense industrial base and into any organization that supplies or connects to US government systems.
NIST’s draft guidance (IR 8547) goes further: RSA, ECDSA, EdDSA, Diffie-Hellman, and ECDH will be deprecated for federal systems by 2030 and disallowed by 2035. Google has set a 2029 internal deadline for PQC migration. Cloudflare has published a phased roadmap to full post-quantum security by 2029. The EU’s NIS2 and DORA frameworks impose ICT risk management obligations that increasingly encompass quantum-related cryptographic risk.
The practical implication: if your organization begins serious migration planning in 2026, you are on schedule. If you begin in 2028, you are likely behind. If you wait until 2030, you will miss the first wave of hard deadlines and face compressed timelines, vendor bottlenecks, and regulatory exposure. NIST estimates that a large agency migration takes three to five years once fully resourced. Enterprise estates with legacy complexity should plan for the upper end of that range.
This is why I frame quantum security as an ecosystem-driven imperative, not a threat-driven one. Whether a CRQC arrives in 2032 or 2040, the deadlines for migration are already locked in.
Beyond Encryption: The Full Scope of Quantum Security
Quantum security extends beyond the cryptographic threat. The field also encompasses the security of quantum computing systems themselves. As quantum computers become operational infrastructure — accessible through cloud services, integrated into hybrid classical-quantum workflows, and processing sensitive data — they introduce a new attack surface at the quantum-classical interface that security teams will need to defend.
Quantum sensing presents both opportunities and risks for security. Quantum magnetometers, gravimeters, and timing systems have applications in defense, navigation, and surveillance that fall outside traditional cybersecurity but within the broader security landscape.
The geopolitical dimension of quantum security (what I cover extensively in my forthcoming book Quantum Sovereignty) adds another layer. National quantum programs are strategic investments with direct implications for intelligence capability, military advantage, and technological independence. As I have detailed in my China’s Quantum Ambition series, the countries investing most aggressively in quantum technology are doing so with national security as a primary driver.
Where to Start
If you are approaching quantum security for the first time, here is the sequence I recommend:
Understand the threat. Read through this guide and follow the links into the specific areas most relevant to your organization. The CRQC Quantum Capability Framework provides the analytical structure for evaluating how close the field is to a cryptographically relevant machine. The Q-Day Knowledge Center collects my analysis of timeline predictions and why I believe debating the exact date misses the point.
Assess your exposure. Use the PQC Readiness Self-Assessment Scorecard to benchmark where your organization stands. A Quantum Readiness Assessment provides a structured evaluation framework.
Begin discovery. Start with a cryptographic inventory of your most sensitive systems. You do not need to inventory everything before you can begin acting — risk-driven strategies allow you to prioritize the systems with the highest HNDL and TNFL exposure.
Build the program. Structure your migration using the PQC Migration Framework and the practical steps guide. My first-year planning guide covers how to scope, resource, and govern a quantum readiness program.
Engage your vendors. Vendor readiness is critical because most organizations depend on third-party products and services for their cryptographic infrastructure. Start asking vendors for their PQC roadmaps now. Include PQC requirements in new procurement.
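Applying the CBOM idea and the risk-driven prioritisation described above, the script below is an added example written for this guide, not tooling from PostQuantum.com or Applied Quantum: it classifies inventory records by HNDL or TNFL exposure and orders them for migration. The Asset fields, the 10-year HNDL threshold and the sample records are assumptions constructed for illustration; the 2030 and 2035 dates are the NIST IR 8547 draft figures quoted earlier.

```python
from dataclasses import dataclass
SHOR_BROKEN = {"RSA", "ECDSA", "ECDH", "DH", "EDDSA"}    # public-key: broken outright by Shor
GROVER_WEAKENED = {"AES", "CHACHA20"}                    # symmetric: Grover halves effective strength
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA", "FN-DSA", "HQC"}   # quantum-resistant (FIPS 203-205 plus backups)
DEPRECATE_YEAR, DISALLOW_YEAR = 2030, 2035               # NIST IR 8547 draft dates for federal systems

@dataclass
class Asset:                 # one CBOM record; the fields are assumptions made for this example
    name: str
    algorithm: str           # family name as listed in the sets above
    key_bits: int            # key length; for the PQC entry, the parameter set number
    purpose: str             # "key-exchange", "signature" or "symmetric"
    lifetime_years: int      # how long the data or signature must stay confidential/trusted

def classify(asset: Asset, year: int = 2026) -> dict:
    """Map one record to its threat model and a migration priority (1 = act first)."""
    alg = asset.algorithm.upper()
    ends = year + asset.lifetime_years   # last year the asset is still relied upon
    rec = {"asset": asset.name, "lifetime": asset.lifetime_years, "threat": "none", "exposure": "-",
           "priority": 4, "past_deprecation": ends > DEPRECATE_YEAR, "past_disallow": ends > DISALLOW_YEAR}
    if alg in PQC:
        return rec
    if alg in GROVER_WEAKENED:
        effective = asset.key_bits // 2   # e.g. AES-128 offers ~64-bit security against Grover
        rec.update(threat="grover", exposure=f"effective {effective}-bit", priority=3 if effective >= 128 else 2)
    elif alg in SHOR_BROKEN and asset.purpose == "signature":
        # TNFL: a signature that must stay verifiable after Q-Day can be forged retroactively
        rec.update(threat="shor", exposure="TNFL", priority=1)
    elif alg in SHOR_BROKEN:
        # HNDL: ciphertext captured today is at risk if confidentiality must outlive a CRQC
        long_lived = asset.lifetime_years > 10
        rec.update(threat="shor", exposure="HNDL" if long_lived else "HNDL (short-lived)", priority=1 if long_lived else 2)
    else:
        # An unknown family is an inventory gap, not a pass: resolve it before prioritising
        rec.update(threat="unknown", exposure="inventory gap", priority=2)
    return rec

def prioritize(assets, year=2026):
    return sorted((classify(a, year) for a in assets), key=lambda r: (r["priority"], -r["lifetime"]))

SAMPLE = [  # constructed sample inventory, not real systems
    Asset("code-signing CA", "ECDSA", 256, "signature", 15),
    Asset("patient-records TLS", "ECDH", 256, "key-exchange", 25),
    Asset("marketing-site TLS", "ECDH", 256, "key-exchange", 1),
    Asset("backup encryption", "AES", 128, "symmetric", 20),
    Asset("new VPN tunnels", "ML-KEM", 768, "key-exchange", 10),
]
if __name__ == "__main__":
    for r in prioritize(SAMPLE):
        print(r["priority"], r["asset"], r["exposure"], "(in use past 2030)" if r["past_deprecation"] else "")
```

Records that come back as "inventory gap" are the ones to chase first with system owners, since an asset you cannot classify cannot be scheduled.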
For a comprehensive treatment of organizational quantum readiness, my forthcoming book Quantum Ready covers the strategic, operational, and technical dimensions of preparing an enterprise for the post-quantum era.
The Quantum Security Reference Series
This guide is the capstone of my Quantum Security Reference series, which provides concise explanations of every concept discussed here. Each article is designed as an accessible entry point that links into PostQuantum.com’s deeper technical analyses:
- What Is Post-Quantum Cryptography (PQC)?
- What Is Quantum Cryptography?
- What Is Quantum Computing Security?
- What Is Quantum Safe?
- What Is Quantum Cyber Security?
- What Is Shor’s Algorithm?
- What Is Grover’s Algorithm?
- What Is a CRQC?
- What Is Harvest Now, Decrypt Later (HNDL)?
- What Is Q-Day?
- What Is Quantum Error Correction?
- What Is a Logical Qubit?
- What Is Crypto-Agility?
- What Is Quantum Key Distribution (QKD)?
- What Is PQC Migration?
- What Is Trust Now, Forge Later (TNFL)?
Quantum Upside & Quantum Risk - Handled
My company - Applied Quantum - helps governments, enterprises, and investors prepare for both the upside and the risk of quantum technologies. We deliver concise board and investor briefings; demystify quantum computing, sensing, and communications; craft national and corporate strategies to capture advantage; and turn plans into delivery. We help you mitigate the quantum risk by executing crypto-inventory, crypto-agility implementation, PQC migration, and broader defenses against the quantum threat. We run vendor due diligence, proof-of-value pilots, standards and policy alignment, workforce training, and procurement support, then oversee implementation across your organization. Contact me if you want help.