Valtik Studios
Encryption | high | 2026-04-16 | 16 min read

Your Encryption Has an Expiration Date

Every HTTPS connection, Signal chat, and VPN on the internet relies on crypto that quantum computers will break. NIST finalized the replacements in 2024. A post-quantum cryptography migration guide for application security and compliance teams.

The thing your encryption wasn't designed for

Every HTTPS handshake, every Signal conversation, every VPN tunnel on the internet today relies on math that quantum computers can break. Not theoretically. Not eventually. The math was broken on paper back in 1994 by Peter Shor. The only thing standing between that proof and a working attack is a machine that doesn't yet exist at scale, and that window is closing faster than most of the industry is willing to admit.

This is the post-quantum transition. It is happening now, and most organizations are not moving.

What Shor's algorithm actually breaks

Shor's algorithm solves two problems that classical computers cannot solve efficiently: integer factorization and the discrete logarithm problem. Every piece of public-key cryptography currently deployed on the internet depends on one of those problems being hard.

  • RSA (key exchange, signatures): security rests on the difficulty of factoring large integers.
  • ECDH / ECDSA / ECC (TLS, SSH, Bitcoin, every modern protocol): security rests on the difficulty of the elliptic curve discrete logarithm problem.
  • Diffie-Hellman, DSA: security rests on the classical discrete logarithm problem.

All of it breaks the moment a sufficiently large quantum computer exists. Not "weakened." Not "reduced security margin." It just breaks. Shor's algorithm runs in polynomial time on a quantum computer. A 2048-bit RSA key that would take classical computers longer than the age of the universe to factor becomes tractable.

What is NOT broken

Symmetric cryptography survives. Grover's algorithm gives quantum computers a quadratic speedup for brute-force search, reducing AES-256's effective security from 2^256 to 2^128. That is still computationally infeasible. At a trillion Grover operations per second, brute-forcing a 128-bit key takes approximately 10^13 years — roughly 1,000 times the age of the universe.

Safe from quantum attacks:

  • AES-256 (symmetric encryption)
  • SHA-256, SHA-3 (hash functions)
  • HMAC constructions
  • The new NIST post-quantum standards (ML-KEM, ML-DSA, SLH-DSA)

Broken by Shor's algorithm:

  • All currently deployed public-key crypto

The critical nuance: even if your session is encrypted with AES-256, the session key was established using RSA or ECDH. Break the key exchange, recover the session key, and decrypt everything. AES-256 doesn't save you.

Harvest now, decrypt later

Nation-state adversaries don't need a quantum computer today to exploit this. They need one eventually. In the meantime: intercept and store.

The operation is exactly what it sounds like: capture encrypted traffic now, archive it, decrypt it once the hardware catches up. China, Russia, and almost certainly the NSA are doing this at scale. The 2015 OPM breach demonstrated China's appetite for bulk exfiltration — 22 million background check records with decades of sensitive context. Russian signals intelligence has been hoovering diplomatic cables for decades.

Anything with long-term sensitivity is a target. State Department cables. Trade secrets that take 20 years to commercialize. Medical records. Financial data. Source code. Anything covered by attorney-client privilege. If a quantum computer breaks the key exchange in 2030, the 2026 traffic you sent is also plaintext.

NIST finalized the replacement standards

August 14, 2024 — NIST published the first three finalized post-quantum standards:

  • FIPS 203 — ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism, formerly CRYSTALS-Kyber). General-purpose key exchange. Replaces RSA and ECDH for establishing session keys.
  • FIPS 204 — ML-DSA (Module-Lattice-Based Digital Signature Algorithm, formerly CRYSTALS-Dilithium). Replaces RSA and ECDSA signatures.
  • FIPS 205 — SLH-DSA (Stateless Hash-Based Digital Signature Algorithm, formerly SPHINCS+). Hash-based signature hedge in case the lattice-based assumptions in ML-DSA are broken.

All three are lattice-based or hash-based. They resist both classical and quantum attacks under current cryptanalysis. The underlying math (learning with errors, module lattices, short integer solutions) has been scrutinized for over a decade during the NIST competition.

Signal shipped PQXDH first

September 19, 2023. Signal deployed PQXDH ("Post-Quantum Extended Diffie-Hellman"), becoming the first major messaging platform to ship a post-quantum key exchange in production.

PQXDH upgrades X3DH (the previous protocol) by computing a shared secret using both X25519 (classical elliptic curve) and CRYSTALS-Kyber (ML-KEM-768). The two shared secrets are combined so an attacker must break both to decrypt a session.
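The "combine both secrets" step is the part of PQXDH worth seeing concretely. The block below is an added example, not Signal's code: it mirrors the HKDF layout the PQXDH specification describes (input key material F || DH1 || ... || DHn || SS, a zero-filled salt, an application info string) using only the Python standard library. Since the standard library has neither X25519 nor ML-KEM, the DH outputs and the KEM shared secret are constructed random stand-ins, and the INFO label is a hypothetical application string, not Signal's.

```python
"""PQXDH-style hybrid secret combiner (added example, not Signal's code).
The X25519 DH outputs and the ML-KEM shared secret are constructed
random stand-ins; what is demonstrated is how the two halves are bound
into one session key so that breaking only one of them is useless."""
import hashlib
import hmac
import os

HASH = hashlib.sha256
F = b"\xff" * 32            # PQXDH: 32 bytes of 0xFF prefixed for X25519 key material
INFO = b"ExampleApp_PQXDH"  # hypothetical application label (assumed, not Signal's value)


def hkdf(ikm, salt, info, length):
    """RFC 5869 HKDF: Extract (HMAC over salt) then Expand, with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_key(dh_outputs, kem_shared_secret, info=INFO):
    """SK = HKDF(F || DH1 || ... || DHn || SS) with a zero salt of hash length.

    dh_outputs: the X25519 shared secrets (DH1..DH3, optional DH4).
    kem_shared_secret: the ML-KEM shared secret from the encapsulation.
    """
    if len(dh_outputs) < 3:
        raise ValueError("PQXDH requires at least DH1, DH2 and DH3")
    km = b"".join(dh_outputs) + kem_shared_secret
    return hkdf(F + km, b"\x00" * HASH().digest_size, info, 32)


def demo():
    """Show that an attacker needs BOTH halves to reproduce the session key."""
    dh = [os.urandom(32) for _ in range(4)]  # constructed stand-ins for X25519 outputs
    ss = os.urandom(32)                      # constructed stand-in for the ML-KEM secret
    sk = derive_session_key(dh, ss)
    # Adversary who has broken the curve (knows every DH output) but not the KEM:
    sk_classical_only = derive_session_key(dh, os.urandom(32))
    # Adversary who has the KEM secret but none of the DH outputs:
    sk_pq_only = derive_session_key([os.urandom(32) for _ in range(4)], ss)
    return sk, sk_classical_only, sk_pq_only


if __name__ == "__main__":
    sk, classical, pq = demo()
    print("session key      ", sk.hex())
    print("curve broken only", classical.hex(), classical == sk)
    print("KEM broken only  ", pq.hex(), pq == sk)
```

Because every byte of both shared secrets feeds the HKDF extract step, an adversary who recovers the elliptic-curve half with Shor's algorithm but not the lattice half ends up with a different key, which is exactly the property the paragraph above claims for the hybrid design.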

Designed for asynchronous settings — Alice can initiate encrypted communication using Bob's pre-published keys while Bob is offline. The construction preserves Signal's existing forward secrecy guarantees.

Limitation: PQXDH protects key establishment, not authentication. Against an active quantum adversary mid-handshake, parties have no cryptographic guarantee of who they are talking to. Post-quantum deniable mutual authentication is still an open research problem.

Apple followed with PQ3 for iMessage

February 21, 2024. Apple announced PQ3, claiming "Level 3" security and calling it the first messaging protocol to reach that tier.

Design:

  • Hybrid ECC + ML-KEM at initial key exchange
  • Hybrid ECC + ML-KEM at rekeying
  • Periodic post-quantum rekeying creates fresh message encryption keys that cannot be computed from past ones — self-healing from key compromise
  • Rolled out in iOS 17.4, iPadOS 17.4, macOS 14.4, watchOS 10.4 (March 2024)

Formal verification: Douglas Stebila (University of Waterloo) produced a pen-and-paper proof. David Basin, Felix Linker, and Ralf Sasse at ETH Zurich computer-verified the protocol using Tamarin, a symbolic protocol analyzer.

The self-healing rekey is the novel property. Signal's Double Ratchet already provided forward secrecy at the symmetric layer. PQ3 added post-quantum guarantees to the asymmetric layer of that ratchet — if a session key leaks at time T, the session automatically recovers at time T+N.

Chrome forced post-quantum TLS on every user

March 2024: Chrome enabled hybrid post-quantum key agreement (X25519+Kyber) by default on desktop.

November 2024 (Chrome 131): Switched from experimental Kyber to NIST-standardized ML-KEM. The two are incompatible due to final spec changes during standardization.

2025 (Chrome 138): Disabled the ability for users to turn off post-quantum TLS.

By March 2025, over 38% of human HTTPS traffic on Cloudflare's network was using hybrid post-quantum handshakes. That number keeps climbing as servers upgrade. The bytes on the wire changed, and nobody noticed.

When does the threat become real?

The target is a cryptographically relevant quantum computer: one large enough to run Shor's algorithm on real-world key sizes. Estimates keep dropping:

  • 2012: 1 billion physical qubits needed for RSA-2048
  • 2019: 20 million physical qubits
  • May 2025 (Gidney, Google): fewer than 1 million physical qubits — a 20x reduction in six years
  • February 2026 (Iceberg Quantum, Sydney): fewer than 100,000 physical qubits using quantum LDPC codes instead of surface codes
  • March 2026 (JVG algorithm): potentially thousands of logical qubits, approximately 1,000x fewer resources than prior approaches (the claim is under scientific scrutiny but has not been refuted)

For secp256k1 (the curve securing Bitcoin and much of modern TLS), Google's 2026 whitepaper estimated ~1,200 logical qubits and fewer than 500,000 physical qubits, execution time roughly 9 minutes.

Timeline estimates from people who know

  • IBM roadmap: 200 logical qubits with 100 million gates by 2029
  • Gartner: widely used asymmetric crypto compromised by 2029, fully broken by 2034
  • Expert survey at 10-year horizon: 28-49% probability of RSA-2048 falling in under 24 hours
  • 1 in 3 cybersecurity experts forecast Q-Day before 2032
  • NSA CNSA 2.0 framework: PQC mandated for new national security deployments by January 2027, all systems by December 2031, full readiness by 2035

"Q-Day" is the industry shorthand for the day a cryptographically relevant quantum computer is demonstrated publicly. The uncertainty is huge. The direction isn't in dispute.

The enterprise reality

Only 14% of organizations have conducted a full assessment of their quantum-vulnerable cryptography. 43% remain in "wait and see" mode. The typical enterprise cryptographic migration takes 3 to 8 years. Organizations starting in 2026 will finish near the 2030 compromise date. That assumes they're lucky and the timeline doesn't accelerate.

Industry estimates put the total migration cost at approximately $15 billion.

Where the pain will concentrate:

  • Embedded systems / IoT / PLCs / industrial controllers: designed without cryptographic agility. Limited memory, storage, and compute for the larger PQC key sizes. Often no firmware update path. This is the biggest mess.
  • Hidden cryptography: firmware, third-party libraries, closed-source SDKs. Organizations prioritize public-facing systems; internal systems lag for years.
  • Larger key sizes and ciphertexts: PQC keys and signatures are substantially larger than classical equivalents. Protocols with fixed-size fields break. Bandwidth-constrained systems struggle.
  • Certificate authorities, PKI, code signing: every trust anchor in the chain has to rotate, and some roots are 10+ years from expiry.

What you should actually do

If you build software:

  • Inventory every place you use RSA, ECDH, ECDSA, Diffie-Hellman. Assume it is more than you think.
  • Enable post-quantum TLS wherever your stack supports it (modern OpenSSL, BoringSSL, BearSSL forks, AWS s2n, Cloudflare TLS).
  • Design for cryptographic agility: never hardcode an algorithm. Wrap crypto behind an interface you can swap.
  • If you ship long-lived signed artifacts (firmware, code signing, document signatures), switch to ML-DSA or SLH-DSA as soon as your toolchain supports it. Those signatures are meant to remain valid for years.

If you run infrastructure:

  • Start the inventory now. You cannot migrate what you cannot see.
  • Prioritize by data lifetime. Anything you need to stay confidential for 5+ years is already at risk from harvest-now-decrypt-later.
  • Update load balancers, CDNs, and edge to hybrid post-quantum TLS. Most major vendors support it today.
  • For VPNs carrying long-lived sensitive traffic, evaluate WireGuard forks and IPsec extensions with post-quantum key agreement.
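Both lists above open with the same step: inventory the quantum-vulnerable public keys you already have. The script below is an added example (not the post's or any vendor's code) of the smallest useful version of that inventory: it walks PEM "PUBLIC KEY" blobs, pulls the algorithm OID out of the SubjectPublicKeyInfo with a minimal DER parser, and labels each key as quantum-vulnerable or post-quantum. It uses only the standard library. The sample keys are constructed with dummy key bytes inside valid DER framing; the ML-KEM and ML-DSA OIDs are the NIST CSOR assignments as I know them and should be checked against your own toolchain's OID table. Certificates and SSH keys are not parsed here; extract the public key (for example with openssl) first.

```python
"""Quantum-vulnerability inventory helper (added example, not the post's code).
Classifies PEM "PUBLIC KEY" blobs by the algorithm OID in SubjectPublicKeyInfo
using a minimal DER walker and the standard library only. Sample keys are
constructed with dummy key bytes."""
import base64
import re

# OIDs from RFC 3279/5480/8410; the ML-KEM/ML-DSA entries are the NIST CSOR
# assignments as the author of this example knows them (verify locally).
QUANTUM_VULNERABLE = {
    "1.2.840.113549.1.1.1": "RSA", "1.2.840.10045.2.1": "EC (ECDSA/ECDH)",
    "1.3.101.110": "X25519", "1.3.101.112": "Ed25519",
    "1.2.840.10040.4.1": "DSA", "1.2.840.10046.2.1": "Diffie-Hellman (X9.42)",
}
POST_QUANTUM = {
    "2.16.840.1.101.3.4.4.1": "ML-KEM-512", "2.16.840.1.101.3.4.4.2": "ML-KEM-768",
    "2.16.840.1.101.3.4.4.3": "ML-KEM-1024", "2.16.840.1.101.3.4.3.17": "ML-DSA-44",
    "2.16.840.1.101.3.4.3.18": "ML-DSA-65", "2.16.840.1.101.3.4.3.19": "ML-DSA-87",
}
PEM_RE = re.compile(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)


def read_tlv(buf, pos=0):
    """Parse one DER TLV at buf[pos]; return (tag, value, offset after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Dotted-string form of an OID's content bytes (base-128 arcs)."""
    first = raw[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def spki_algorithm_oid(der):
    """SubjectPublicKeyInfo ::= SEQUENCE { SEQUENCE { OID, params }, BIT STRING }."""
    tag, spki, _ = read_tlv(der)
    tag2, alg_id, _ = read_tlv(spki)
    tag3, oid, _ = read_tlv(alg_id)
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("not a SubjectPublicKeyInfo structure")
    return decode_oid(oid)


def classify_pem(text):
    """Return (oid, algorithm name, verdict) for every PUBLIC KEY block in text."""
    out = []
    for body in PEM_RE.findall(text):
        oid = spki_algorithm_oid(base64.b64decode("".join(body.split())))
        if oid in QUANTUM_VULNERABLE:
            out.append((oid, QUANTUM_VULNERABLE[oid], "quantum-vulnerable"))
        elif oid in POST_QUANTUM:
            out.append((oid, POST_QUANTUM[oid], "post-quantum"))
        else:
            out.append((oid, "unknown", "review manually"))
    return out


# ---- constructed sample input: valid DER framing around dummy key bytes ----
def tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def sample_pem(alg_oid, params, key_len):
    alg = tlv(0x30, tlv(0x06, encode_oid(alg_oid)) + params)
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" * (key_len + 1)))  # leading unused-bits byte
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def sample_inventory():
    p256 = tlv(0x06, encode_oid("1.2.840.10045.3.1.7"))            # namedCurve prime256v1
    bundle = (sample_pem("1.2.840.113549.1.1.1", b"\x05\x00", 270)  # RSA, NULL params
              + sample_pem("1.2.840.10045.2.1", p256, 65)           # EC P-256
              + sample_pem("2.16.840.1.101.3.4.4.2", b"", 1184)     # ML-KEM-768
              + sample_pem("2.16.840.1.101.3.4.3.18", b"", 1952))   # ML-DSA-65
    return classify_pem(bundle)


if __name__ == "__main__":
    for oid, name, verdict in sample_inventory():
        print(f"{verdict:18} {name:22} {oid}")
```

Point `classify_pem` at the concatenated output of whatever exports your key stores as PEM and you have the first column of the inventory the post asks for; unknown OIDs are deliberately surfaced for manual review rather than silently dropped, because an unrecognised algorithm in a trust anchor is itself a finding.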

If you use messaging:

  • Signal and iMessage are already post-quantum. WhatsApp, Telegram, Matrix are not, as of this writing. The gap matters.

The only honest answer

AES-256 survives. Everything with a public key does not survive. The replacements are standardized, deployed in Chrome, deployed in Signal, deployed in iMessage. The work is real. The tooling is real. What's missing is organizational urgency.

The attackers harvesting traffic today aren't waiting for Q-Day to be announced on CNN. They're betting on the math. The math says they're right.

Sources

  1. [NIST Releases First 3 Finalized Post-Quantum Encryption Standards](https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards)
  2. [FIPS 203 (ML-KEM) - NIST CSRC](https://csrc.nist.gov/pubs/fips/203/final)
  3. [Quantum Resistance and the Signal Protocol (PQXDH)](https://signal.org/blog/pqxdh/)
  4. [iMessage with PQ3 — Apple Security Research](https://security.apple.com/blog/imessage-pq3/)
  5. [Google Chrome Switches to ML-KEM — The Hacker News](https://thehackernews.com/2024/09/google-chrome-switches-to-ml-kem-for.html)
  6. [State of Post-Quantum Internet 2025 — Cloudflare](https://blog.cloudflare.com/pq-2025/)
  7. [Q-Day Just Got Closer — Quantum Insider (March 2026)](https://thequantuminsider.com/2026/03/31/q-day-just-got-closer-three-papers-in-three-months-are-rewriting-the-quantum-threat-timeline/)
  8. [Harvest Now Decrypt Later — Palo Alto Networks](https://www.paloaltonetworks.com/cyberpedia/harvest-now-decrypt-later-hndl)
  9. [CNSA 2.0 PQC Requirements and Timelines](https://www.qusecure.com/cnsa-2-0-pqc-requirements-timelines-federal-impact/)
Tags: post-quantum, cryptography, nist, compliance, application security, threat intelligence, cloud security, research
