Post Quantum Cryptography

Your “Latest” Guide to PQC Readiness

NIST launched the Post-Quantum Cryptography project in 2016, inviting global cryptography experts to submit algorithms resistant to both classical and quantum attacks. By the deadline, 69 algorithms had been submitted and released for open evaluation. Today, NIST has released the first five quantum-safe algorithms.

The importance of using the selected NIST algorithms is captured in Dustin Moody’s remarks: “There is no need to wait for future standards,” he said. “Go ahead and start using these three. We need to be prepared in case of an attack that defeats the algorithms in these three standards, and we will continue working on backup plans to keep our data safe. But for most applications, these new standards are the main event.”

Even though we don’t have powerful quantum computers today, it is important to start working on post-quantum encryption now. The reason is that changing encryption across the world takes a long time, often 10 to 20 years. Businesses need time to update their systems and ensure that everything continues to function smoothly with the new encryption methods. If we wait until quantum computers are ready, it might be too late to protect our sensitive data.

Cheers to Progress! NIST Finalizes the Fifth Quantum-Safe Algorithm

On March 11, 2025, the National Institute of Standards and Technology (NIST) announced the selection of HQC (Hamming Quasi-Cyclic) as the latest addition to its suite of post-quantum cryptography (PQC) standards. This decision underscores NIST’s commitment to enhancing cybersecurity measures against the emerging threats posed by quantum computing.

HQC is not intended to take the place of ML-KEM, which will remain the recommended choice for general encryption, said Dustin Moody, a mathematician who heads NIST’s Post-Quantum Cryptography project. 

“Organizations should continue to migrate their encryption systems to the standards we finalized in 2024,” he said. “We are announcing the selection of HQC because we want to have a backup standard that is based on a math approach different from ML-KEM. As we advance our understanding of future quantum computers and adapt to emerging cryptanalysis techniques, it’s essential to have a fallback in case ML-KEM proves to be vulnerable.”

Why Was HQC Selected After the Fourth Round?

HQC was chosen as the fifth post-quantum cryptography (PQC) standard after the fourth round of NIST’s evaluation. While its encapsulation keys are approximately 41–47% larger than those of BIKE, and its ciphertexts are about three times larger, NIST prioritized factors beyond just key and ciphertext sizes.

Let’s understand the PQC algorithms in detail:

NIST Post-Quantum Cryptographic Algorithm Standards and Guidelines

NIST Special Publication (SP) 800-131A, IR 8457 and IR 8454 provide a set of rules from NIST that helps U.S. government agencies decide which cryptographic methods (algorithms and key lengths) are safe to use for protecting sensitive but unclassified information.

This means organizations will get a step-by-step plan on:

  • Which encryption methods will no longer be safe
  • When they should switch to new, quantum-resistant algorithms
  • How to make the transition smoothly without security risks

Since quantum computers will eventually break today’s encryption, NIST is working on new quantum-resistant algorithms. As part of this transition, NIST will update SP 800-131A with clear guidelines on when and how to switch to these new algorithms.

NIST traditionally uses bit-length security strengths (like 128-bit, 192-bit, and 256-bit) to describe how secure an algorithm is against classical attacks. However, with post-quantum cryptography (PQC), security is measured in broader categories instead of fixed bit-lengths.

Each security category is based on a reference primitive, a well-understood cryptographic function that serves as a baseline for evaluating how resistant an algorithm is to different attack methods. Instead of focusing only on bit-lengths, these categories provide a more practical and flexible way to measure security against quantum threats. The tables below list the vulnerable algorithms that organizations are likely to find in their cryptographic infrastructure today, the quantum-safe algorithms that replace them, and how those replacements compare with traditional security strengths.

Post-quantum digital signature algorithms

Whether anyone believes quantum computers powerful enough to crack encryption are 10 or 100 years away is irrelevant. When ciphers are deprecated, they become everyone’s problem and must be replaced.

The following table highlights the algorithms that need to be transitioned to quantum-resistant alternatives to ensure long-term security.

Digital Signature Algorithm | Parameter | Transition
ECDSA [FIPS186] | ≥ 128 bits of security strength | Disallowed after 2035
EdDSA [FIPS186] | ≥ 128 bits of security strength | Disallowed after 2035
RSA [FIPS186] | ≥ 128 bits of security strength | Disallowed after 2035

Organizations may continue using these algorithms and parameter sets as they migrate to the post-quantum signatures identified in the following table.

Digital Signature Algorithm | Parameter Sets | Security Strength | Security Category | Private Key Size (bytes) | Public Key Size (bytes)
ML-DSA [FIPS204] | ML-DSA-44 | 128 bits | 2 | 2560 | 1312
ML-DSA [FIPS204] | ML-DSA-65 | 192 bits | 3 | 4032 | 1952
ML-DSA [FIPS204] | ML-DSA-87 | 256 bits | 5 | 4896 | 2592
SLH-DSA [FIPS205] | SLH-DSA-SHA2-128[s/f], SLH-DSA-SHAKE-128[s/f] | 128 bits | 1 | 64 | 32
SLH-DSA [FIPS205] | SLH-DSA-SHA2-192[s/f], SLH-DSA-SHAKE-192[s/f] | 192 bits | 3 | 96 | 48
SLH-DSA [FIPS205] | SLH-DSA-SHA2-256[s/f], SLH-DSA-SHAKE-256[s/f] | 256 bits | 5 | 128 | 64
LMS, HSS [SP800208] | With SHA-256/192 | 192 bits | 3 | 64 | 60
LMS, HSS [SP800208] | With SHAKE256/192 | 192 bits | 3 | |
LMS, HSS [SP800208] | With SHA-256 | 256 bits | 5 | |
LMS, HSS [SP800208] | With SHAKE256 | 256 bits | 5 | |
XMSS, XMSS^MT [SP800208] | With SHA-256/192, With SHAKE256/192 | 192 bits | 3 | 1373 | 64

Key Encapsulation Mechanism

The following table highlights the algorithms that need to be transitioned to quantum-resistant alternatives to ensure long-term security.

Key-Establishment Algorithm | Parameter | Transition
Finite Field DH and MQV [SP80056A] | ≥ 128 bits of security strength | Disallowed after 2035
Elliptic Curve DH and MQV [SP80056A] | ≥ 128 bits of security strength | Disallowed after 2035
RSA [SP80056B] | ≥ 128 bits of security strength | Disallowed after 2035

Here are the post-quantum key-establishment algorithms, including ML-KEM and HQC:

Key Encapsulation Mechanism | Parameter Sets | Security Strength | Security Category | Private Key Size (bytes) | Public Key Size (bytes)
ML-KEM [FIPS203] | ML-KEM-512 | 128 bits | 1 | 1632 | 800
ML-KEM [FIPS203] | ML-KEM-768 | 192 bits | 3 | 2400 | 1184
ML-KEM [FIPS203] | ML-KEM-1024 | 256 bits | 5 | 3162 | 1568
HQC [NIST IR45] | HQC-128 | 128 bits | 1 | 2249 | 40
HQC [NIST IR45] | HQC-192 | 192 bits | 3 | 4522 | 40
HQC [NIST IR45] | HQC-256 | 256 bits | 5 | 7245 | 40

NIST determined that HQC would provide a good complement to ML-KEM since it is based on a different underlying security problem and still retains reasonable performance characteristics for general applications. The only other fourth-round candidate that could potentially serve this purpose was BIKE, which relies on code-based assumptions like those of HQC. Compared to BIKE, HQC has larger public key and ciphertext sizes but cheaper key generation and decryption.

Please note that NIST plans to issue a draft standard incorporating the HQC algorithm in about a year, with a finalized standard expected in 2027.

Quantum-Readiness Roadmap

As of today, most critical assets, systems, and applications within an organization use cryptographic methods like RSA and ECC for securing digital signatures, software updates, and data protection. However, once Quantum Computers become powerful enough, they will be able to break these cryptographic algorithms. This is why organizations need to identify and replace these vulnerable cryptographic methods with Post-Quantum Cryptography (PQC).

Why is the Quantum-Readiness Roadmap important?

Organizations might not even be aware of all the places where public-key cryptography is being used in their systems, applications, and supply chains. If they don’t have a list (inventory) of vulnerable systems, they won’t know where to start the migration to PQC.

To fix this, organizations need to:

  • Cryptographic Discovery: Identify systems and applications that rely on quantum-vulnerable cryptography.
  • Cryptographic Inventory: Engage with vendors to understand where encryption is used inside products they buy.
  • Data Classification: Prioritize which systems need urgent updates based on their importance and risk.

Now, let’s discuss each step in detail:

Cryptographic Discovery

Cryptographic discovery is the process of finding out where and how cryptography is being used in an organization’s IT and OT (Operational Technology) systems. Organizations can use automated tools to scan for quantum-vulnerable algorithms in:

  • Network protocols (to check if encrypted communication is at risk).
  • Applications and software (to check if software updates are using weak encryption).
  • Development pipelines (to find cryptographic dependencies in the codebase).

However, some cryptography might be hidden inside products, making it difficult to detect. In such cases, organizations should ask vendors for details.

Cryptographic Inventory

A cryptographic inventory is a list of all quantum-vulnerable cryptographic assets in an organization. It should include:

  • Where cryptographic algorithms are used.
  • What kind of data they protect.
  • How long the data needs to remain secure (e.g., sensitive government data might need security for decades).
  • Which systems, protocols, and services rely on these cryptographic protections.

This inventory helps organizations plan for a smooth transition to PQC by identifying and addressing risks before quantum computers become a real threat.

Data Classification in the Quantum Era

Data classification means categorizing data based on its sensitivity and criticality. For quantum readiness, organizations should:

  • Identify high-risk sensitive data that, if decrypted in the future, could cause harm.
  • Categorize data based on security requirements and how long it needs to stay protected.
  • Map cryptographic inventory with existing asset management systems (like Identity and Access Management, Endpoint Detection, etc.).

By doing this, organizations can prioritize where PQC migration needs to happen first.

Hybrid Approach: Bridge Between Classical and Post-Quantum Cryptography

PQC-classical hybrid protocols are transitional cryptographic solutions that use both quantum-resistant and traditional (quantum-vulnerable) cryptographic algorithms together in key establishment or digital signatures.

These hybrid solutions are typically designed to remain secure if at least one of the component algorithms is secure. 

To put it simply, traditional locks (classical cryptography) might become weak over time, so you may decide to install smart locks (post-quantum cryptography – PQC) as well. But not all doors and users are ready for smart locks yet. So, the best possible approach is to use both locks together for now, ensuring that if one fails, the other still provides security.

This is exactly what hybrid cryptographic protocols do in the transition to post-quantum cryptography (PQC). Hybrid cryptographic protocols combine quantum-resistant and quantum-vulnerable algorithms when generating digital signatures or establishing encryption keys.

Hybrid Key-Establishment Techniques

Two different key-establishment methods work together, and the final key is secure as long as at least one method remains strong.

  • Part 1 is generated using a classical method, which could become weak in the future (ECDH)
  • Part 2 is generated using PQC, designed to be quantum safe (ML-KEM)
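The two-part key establishment above, as an added example that is not part of the original post: a standard-library-only HKDF combiner that derives one session key from a constructed ML-KEM shared secret and a constructed ECDH shared secret. The concatenation order (PQ secret first, then classical), the info label and the sample values are assumptions for illustration; the point it shows is that recovering the key requires both components, so a future break of ECDH alone does not expose it.

```python
import hashlib
import hmac

# HKDF (RFC 5869) over SHA-256, standard library only.
def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

SS_LEN = 32  # X25519 and ML-KEM shared secrets are both 32 bytes

def hybrid_shared_secret(mlkem_ss: bytes, ecdh_ss: bytes, transcript: bytes) -> bytes:
    """Derive one session key from a PQ and a classical shared secret.

    Assumed convention: ML-KEM secret || ECDH secret is the HKDF input keying
    material, and the handshake transcript is bound in through the info field.
    HKDF is keyed by the whole concatenation, so an attacker who learns one
    component (e.g. ECDH after a quantum break) still lacks bytes of the key.
    """
    if len(mlkem_ss) != SS_LEN or len(ecdh_ss) != SS_LEN:
        raise ValueError("shared secrets must be %d bytes" % SS_LEN)
    ikm = mlkem_ss + ecdh_ss
    prk = hkdf_extract(b"", ikm)
    return hkdf_expand(prk, b"hybrid-kex-demo" + transcript, SS_LEN)

# Constructed sample values standing in for real ML-KEM / ECDH outputs.
MLKEM_SS = hashlib.sha256(b"constructed ML-KEM shared secret").digest()
ECDH_SS = hashlib.sha256(b"constructed ECDH shared secret").digest()
TRANSCRIPT = b"ClientHello||ServerHello (constructed)"

def demo() -> dict:
    """Return the real key next to what an attacker holding only one part gets."""
    key = hybrid_shared_secret(MLKEM_SS, ECDH_SS, TRANSCRIPT)
    # Model a future ECDH break: ECDH_SS is known, MLKEM_SS must be guessed.
    ecdh_only = hybrid_shared_secret(b"\x00" * SS_LEN, ECDH_SS, TRANSCRIPT)
    # Conversely, knowing only the ML-KEM secret is not enough either.
    mlkem_only = hybrid_shared_secret(MLKEM_SS, b"\x00" * SS_LEN, TRANSCRIPT)
    return {"key": key, "ecdh_only": ecdh_only, "mlkem_only": mlkem_only}

if __name__ == "__main__":
    r = demo()
    print("session key:", r["key"].hex())
    print("ECDH-only attacker recovers key:", r["ecdh_only"] == r["key"])
```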

Hybrid Digital Signature Techniques

A hybrid digital signature (also called a composite signature) is a cryptographic technique where two or more digital signatures are applied to a single message. This ensures that the verification of the message requires all signatures to be validated successfully.

  • Part 1: A classical digital signature algorithm (e.g., RSA or ECDSA).
  • Part 2: A post-quantum digital signature algorithm (e.g., ML-KEM).

A current TLS cipher suite, such as TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, when it progresses to a post-quantum cipher suite, might look like TLS_KYBER_DILITHIUM_WITH_AES_256_GCM_SHA384.

Major Use cases that will be affected by post-quantum cryptography (PQC)

Post-quantum cryptography (PQC) will gradually impact various use cases that rely on asymmetric cryptography, as quantum threats directly target public key cryptography. Preparing for the quantum era starts with analyzing which systems and processes will be affected by PQC. This involves identifying and defining the impacted use cases, such as the following examples:

  1. Code Signing

    Purpose: Digitally signing software to verify its authenticity and prevent tampering.

    Why it matters: Devices that install and execute software must validate these signatures.

    Quantum risk: If devices remain in use for a long time and their signature verification systems can’t be updated, they must be designed to support quantum-resistant signatures now to ensure long-term security.

  2. User and Machine Authentication

    Purpose: Verifying identities to control access to systems using asymmetric cryptographic protocols.

    Quantum risk: Unlike encryption (which faces the “harvest now, decrypt later” threat), authentication systems are safe until quantum computers can break current algorithms.

    Action needed: Organizations must upgrade systems, PKI, and hardware tokens to support quantum-resistant authentication before quantum computers arrive.

  3. Network Security Protocols

    Purpose: Secure data transmission via protocols like TLS and VPNs using asymmetric cryptography.

    Quantum risk: Key establishment (encryption keys) is vulnerable to “harvest now, decrypt later.” Authentication (identity verification keys) can be transitioned later but will eventually need quantum-resistant replacements.

    Next steps: Organizations need a strategic migration plan to secure network protocols against quantum threats.

  4. Email and Document Signing & Encryption

    Purpose: Email encryption (S/MIME) encrypts emails and files for secure transmission, ensuring the integrity and authenticity of digital communications.

    Quantum risk: Email encryption is vulnerable to “harvest now, decrypt later”, meaning adversaries could store encrypted emails today and decrypt them once quantum computers are available.

    Action needed: Organizations should transition encryption and signing mechanisms to quantum-safe alternatives as soon as possible.

The road to Q-day!

According to National Security Memorandum 10 (NSM-10), the U.S. government aims to complete the shift to quantum-resistant cryptography by 2035. This transition is necessary because quantum computers could break current encryption methods.

However, not all systems will switch to PQC at the same time. Some, especially those handling long-term confidential data, may need to transition sooner. Others, due to technical limitations, may take longer. NIST recognizes these challenges and will support organizations through this shift while ensuring that critical systems stay protected.

While this timeline is a prediction, advancements in quantum computing could accelerate it. Preparation is key, organizations must start transitioning to quantum-safe cryptography today to stay ahead of the threat.

  • 2024-2026: Regulatory bodies like NIST will finalize and standardize the first quantum-resistant algorithms. Soon after, certified cryptographic libraries will begin implementing them.
  • 2027-2029: A major industry push will take place as vendors start integrating NIST-approved algorithms into products and security protocols. Global standardization bodies will follow suit.
  • 2030-2033: Q-Day arrives—experts predict that Cryptographically Relevant Quantum Computers (CRQCs) will be capable of breaking today’s encryption, making post-quantum cryptography (PQC) a necessity.

How Encryption Consulting’s PQC Advisory Can Help

  • Validation of Scope and Approach: We assess your organization’s current encryption environment and validate the scope of your PQC implementation to ensure alignment with industry best practices.
  • PQC Program Framework Development: Our team designs a tailored PQC framework, including projections for external consultants and internal resources needed for a successful migration.
  • Comprehensive Assessment: We conduct in-depth evaluations of your on-premise, cloud, and SaaS environments, identifying vulnerabilities and providing strategic recommendations to mitigate quantum risks.
  • Implementation Support: From program management estimates to internal team training, we provide the expertise needed to ensure a smooth and efficient transition to quantum-resistant algorithms.
  • Compliance and Post-Implementation Validation: We help organizations align their PQC adoption with emerging regulatory standards and conduct rigorous post-deployment validation to confirm the effectiveness of the implementation.

Conclusion

The transition to post-quantum cryptography is no longer a distant consideration—it is a necessary step for ensuring long-term data security in a rapidly evolving technological landscape. With NIST finalizing the fifth PQC algorithm, organizations must take proactive measures to adopt quantum-resistant cryptographic standards. Whether it’s securing sensitive communications, protecting financial transactions, or ensuring the authenticity of digital signatures, the time to prepare is now. As quantum threats grow, those who act early will be best positioned to safeguard their critical system against future cryptographic vulnerabilities.


About the Author


Aditi Goel is a consultant at Encryption Consulting. Her main focus is PKI-as-a-Service initiatives and cloud services. She leverages her knowledge of PKI, HSMs, CLM and Code Signing to develop solutions for our clients, ensuring that they receive customized strategies that fit their needs.
