In this overview, we present a comparison of post-quantum cryptography (PQC) algorithms with classical RSA/ECC, outline a threat matrix across sectors highlighting the urgency of PQC migration, and chart the progress of PQC adoption by leading tech companies versus government agencies.
PQC vs RSA/ECC (Classical Cryptography)
Post-Quantum Cryptography refers to cryptographic algorithms designed to be secure against an attack by a quantum computer. How do these new algorithms compare with traditional RSA and ECC (elliptic curve cryptography) which are widely used today? The table below contrasts key characteristics:
| Feature | RSA/ECC (Classical) | PQC (Post-Quantum) |
|---|---|---|
| Security Basis | Based on hard math problems like integer factorization (RSA) or elliptic curve discrete log (ECC). | Based on quantum-resistant problems (lattices, error-correcting codes, hash-based, etc.) that are believed to resist quantum algorithms. |
| Vulnerable to Quantum? | Yes – A large quantum computer running Shor’s algorithm could break RSA/ECC, undermining their security. | No (Known) – Designed to withstand known quantum attacks; no efficient quantum algorithm is known for solving their underlying problems. |
| Key Sizes | Relatively small keys for current security levels (e.g. a 256-bit ECC public key or 2048-bit RSA key). | Generally larger keys (often in the kilobytes). For example, a PQC public key (lattice-based KEM) might be ~1–2 KB for equivalent strength. |
| Signature/Ciphertext Size | Small signatures or ciphertexts (e.g. 256 bytes for an RSA-2048 signature). | Larger signature or ciphertext sizes (often 1–5 KB). PQC digital signatures and encrypted messages tend to be bulkier due to the different math basis. |
| Performance | Efficient on classical hardware; RSA/ECC operations are well-optimized (sometimes via hardware acceleration) and fast for typical use cases. | Varies by algorithm – some post-quantum operations are computationally heavier or use more memory. Certain PQC schemes are relatively efficient, but others can be slower than RSA/ECC. Performance is an active area of improvement. |
| Maturity & Adoption | Very mature and ubiquitous. Supported by virtually all protocols and systems today (SSL/TLS, PKI, etc.). | New and emerging. NIST standardized first PQC algorithms in 2022–2024. Early adoption is in progress, but not yet widespread; toolchains and hardware support are just beginning. |
Sector Threat Matrix: Quantum Vulnerability by Industry
Not all industries face the quantum threat with equal urgency. Some sectors deal with information that must remain secure for decades or are high-priority targets for adversaries (“harvest now, decrypt later” attacks), while others handle data with shorter sensitivity lifespans. Below is a sector-wise threat matrix indicating which industries must prioritize the transition to PQC sooner:
| Sector | Quantum Threat Level | Key Considerations |
|---|---|---|
| Government / Military | Very High 🟥 | National security information often needs confidentiality for many decades. Adversaries may already be harvesting encrypted state secrets, expecting to decrypt them once a quantum computer is available. Governments are investing in PQC to secure military and diplomatic communications for the long term. |
| Financial Services | High 🟧 | Financial data (bank transactions, trade data, personal financial info) remains sensitive for many years and is a frequent target for cybercriminals and nation-states. A quantum breach could undermine banking systems and customer trust. The finance industry is urged to upgrade cryptography proactively to avoid catastrophic fraud or data theft. |
| Technology & Telecom | High 🟧 | This sector underpins the security of all others by providing internet infrastructure, communications, and IT services. If core internet protocols or tech provider systems are broken by quantum attacks, the ripple effects hit every industry. Many tech companies are leading in PQC adoption to secure data in transit (e.g. internet traffic, cellular networks) against future threats. |
| Healthcare | Medium 🟨 | Patient records, DNA data, and healthcare research must remain confidential, but the immediacy of threat is somewhat lower. However, personal health information can retain sensitivity throughout a person’s lifetime. Healthcare providers should plan for PQC to protect patient privacy and medical IP, even if they are not the first targets of quantum-enabled adversaries. |
| Critical Infrastructure (Energy, Transportation, etc.) | Medium 🟨 | Power grids, water systems, transportation control systems rely on encryption for commands and data. These systems often have long equipment lifecycles (decades), meaning current cryptographic solutions might remain in use for a long time. A future quantum attack could disrupt essential services or sabotage industrial controls. Upgrading these systems is complex, but planning for PQC now is crucial to avoid security gaps that persist over time. |
| Retail & Consumer Services | Low 🟩 | E-commerce and consumer data typically have shorter-term sensitivity (credit card numbers, passwords that can be changed). While any breach is bad, the strategic impact of a quantum attack here is lower relative to other sectors. This sector will eventually adopt PQC as part of ecosystem pressure (e.g. payment processors and browsers updating standards), but it’s not the top priority for early migration unless handling long-lived customer data. |
(🟥 High urgency, 🟧 Moderate-high, 🟨 Moderate, 🟩 Lower urgency)
Adoption Progress: Tech Companies vs. Governments
How prepared are organizations for the post-quantum era? Broadly, the tech industry has moved faster to experiment with and implement PQC than governments. Many tech companies began testing post-quantum algorithms years ago, whereas government agencies often must wait for standards and policy directives before widespread adoption. The following chart illustrates the relative progress of some leading organizations:
PQC adoption progress among leading tech companies (blue bars) versus government entities (green bars). The tech industry has generally moved faster in testing and deploying PQC solutions, whereas government sectors are still largely in planning and early migration stages. Companies like Google and Cloudflare (top) show significant progress in rolling out PQC (e.g. in web browsers and network services), while governments such as the U.S. and EU lag behind in widespread implementation.
The tech industry has been proactive in piloting and integrating post-quantum algorithms. For example, Google started experimenting with post-quantum TLS as early as 2016 and in 2023 enabled a hybrid post-quantum key agreement (X25519+Kyber) in Chrome. Cloudflare, which delivers a large portion of global internet traffic, has enabled post-quantum cipher suites for TLS 1.3 on its network – by early 2024, a small but growing percentage of connections to Cloudflare used PQC, and that share is expected to rise rapidly. IBM and Microsoft have contributed to the development of PQC (IBM co-developed some of the NIST-selected algorithms, and Microsoft is adding PQC support into Windows and Azure services). These companies are actively updating protocols and products to be quantum-safe.
In contrast, governments are moving methodically through mandates and standards. The U.S. government, for instance, through National Security Memorandum 10 (2022) and subsequent directives, has instructed federal agencies to inventory their cryptographic systems and prepare plans to migrate to PQC. NIST’s publication of finalized PQC standards in 2024 was a major milestone, allowing government and industry to start implementing vetted algorithms. However, actual deployment in government systems (from military communications to public-sector IT) is just beginning. The European Union and other governments are also formulating PQC migration strategies, funding research and pilot projects. Over the next few years, we will likely see requirements for contractors and critical infrastructure providers to adopt PQC, mirroring how past crypto transitions (like the move to AES and ECC) were driven by government and industry standards bodies.
Bottom line: Tech companies are spearheading the early adoption of post-quantum cryptography — testing performance, ironing out compatibility issues, and demonstrating feasibility. Governments are ensuring the policy and standardization groundwork is laid, so that as the technology matures and threats intensify, a broader and more orderly transition can take place across all sectors.
References
• Post-Quantum Cryptography – APNIC Blog by Geoff Huston
An analysis of RSA/ECC key sizes, corresponding security levels, and the emerging threat quantum computing poses to current cryptosystems.
https://blog.apnic.net/2024/11/29/post-quantum-cryptography/
• NIST Releases First 3 Finalized Post-Quantum Encryption Standards – NIST News
Official announcement of CRYSTALS-Kyber, Dilithium, and SPHINCS+ as the first standardized quantum-resistant algorithms for public use.
https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards
• President Biden Signs Memo to Combat Quantum Computing Threat – NSA Press Release
U.S. National Security Memorandum 10 outlining quantum migration directives for federal agencies and the national cybersecurity strategy.
https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3020175/president-biden-signs-memo-to-combat-quantum-computing-threat/
• The State of the Post-Quantum Internet – Cloudflare Blog by Bas Westerbaan
A detailed look at real-world PQC deployments, TLS 1.3 usage metrics, and the implementation of hybrid PQC in major platforms like Chrome and Signal.
https://blog.cloudflare.com/pq-2024/
• Preparing Critical Infrastructure for Post-Quantum Cryptography – CISA Insights
Sector-by-sector risk assessment and guidance from the U.S. Cybersecurity and Infrastructure Security Agency for planning PQC adoption.
https://www.cisa.gov/sites/default/files/publications/cisa_insight_post_quantum_cryptography_508.pdf
• How Quantum Computing and Post-Quantum Cryptography Will Impact Cybersecurity for the Financial Services Industry – Redjack Blog
Explores the financial sector’s exposure to quantum attacks and outlines why institutions must begin adopting PQC to prevent future compromise.
https://redjack.com/resources/quantum-computing-cybersecurity-financial-services
Tags
#PostQuantumCryptography #QuantumComputing #Cybersecurity #PQC #DataSecurity #RSA #ECC #QuantumThreat #Cryptography #QuantumSafe #Encryption #NIST #TechSecurity #CyberThreats #InformationSecurity #QuantumPreparedness #SecureCommunications #HybridCryptography #SecurityInnovation #QuantumResistant
Leave a Reply