Part 5 · Real-World Challenges

Crypto Agility & Post-Quantum

Quantum computers will eventually break the cryptographic algorithms that protect today's digital certificates. The organizations that survive this transition will be those that built crypto agility into their infrastructure before the deadline arrived.


Introduction

The cryptographic algorithms that underpin today's digital certificates (RSA, ECDSA, ECDH) derive their security from mathematical problems that classical computers cannot solve efficiently. Factoring large integers and computing discrete logarithms would take billions of years on the fastest supercomputers we have today.

Quantum computers change this equation. A sufficiently powerful quantum computer running the right algorithm could break RSA and elliptic curve cryptography in hours or even minutes. This is not science fiction: governments and technology companies are investing billions in quantum computing research, and steady progress is being made year after year.

The question is not whether quantum computers will threaten current cryptography, but when. And because migrating an entire PKI infrastructure to new algorithms takes years, organizations need to start preparing now. The ability to swap cryptographic algorithms quickly and smoothly is called crypto agility, and it is rapidly becoming a strategic priority for every organization that depends on digital trust.

What Quantum Computing Changes

Quantum computers exploit the principles of quantum mechanics (superposition and entanglement) to perform certain calculations exponentially faster than classical computers. Two algorithms are particularly relevant to cryptography.

1. Shor's Algorithm

Published by Peter Shor in 1994, this algorithm can factor large integers and compute discrete logarithms in polynomial time on a quantum computer. This directly breaks RSA (which relies on integer factoring) and elliptic curve cryptography (which relies on the discrete logarithm problem). A sufficiently large quantum computer running Shor's algorithm would render every RSA and ECC key pair in existence completely insecure.

2. Grover's Algorithm

Grover's algorithm provides a quadratic speedup for searching unstructured data, which effectively halves the security level (in bits) of symmetric encryption algorithms like AES. An AES-128 key, which offers 128 bits of security against classical attacks, would offer only 64 bits of security against a quantum attacker. The practical mitigation is straightforward: double the key size. AES-256, which is already widely deployed, provides 128 bits of post-quantum security, which remains more than adequate.

The critical takeaway is that asymmetric cryptography (the foundation of all digital certificates and PKI) is existentially threatened by quantum computing, while symmetric cryptography requires only a key-size increase. This is why the entire PKI ecosystem must transition to new, quantum-resistant algorithms.

NIST Post-Quantum Standards

In 2016, the U.S. National Institute of Standards and Technology (NIST) launched a multi-year competition to identify and standardize post-quantum cryptographic algorithms. After years of evaluation involving hundreds of submissions and extensive cryptanalysis, NIST published its first finalized standards in 2024. These algorithms are designed to resist both classical and quantum attacks.

ML-KEM (FIPS 203)

Formerly known as CRYSTALS-Kyber, ML-KEM is a lattice-based key encapsulation mechanism used for key exchange. It replaces the key agreement step in TLS and other protocols where two parties need to establish a shared secret. ML-KEM is fast and produces relatively compact keys and ciphertexts.

ML-DSA (FIPS 204)

Formerly CRYSTALS-Dilithium, ML-DSA is a lattice-based digital signature algorithm. This is the primary replacement for RSA and ECDSA signatures in digital certificates. It will be used by Certificate Authorities to sign certificates and by end entities to prove identity. ML-DSA signatures are larger than their classical counterparts, which has implications for certificate size and network performance.

SLH-DSA (FIPS 205)

Formerly SPHINCS+, SLH-DSA is a hash-based digital signature algorithm. Unlike lattice-based schemes, its security relies solely on the well-understood properties of hash functions, making it a conservative backup option. The trade-off is larger signature sizes and slower performance compared to ML-DSA. SLH-DSA is recommended for scenarios where long-term security confidence is paramount and performance constraints are less critical.

What Is Crypto Agility

Crypto agility is the ability of an information system to rapidly switch between cryptographic algorithms, key sizes, and protocols without requiring a wholesale redesign of the system's architecture. It means that when a new vulnerability is discovered in an algorithm, or when a new standard is published, your organization can adopt the change across its infrastructure in weeks or months rather than years.

Crypto agility is not a product you can buy. It is an architectural property that must be designed into your systems from the ground up. Organizations that hardcoded RSA-2048 into configuration files, embedded algorithm choices in application code, or tied their infrastructure to a single CA's capabilities will find the post-quantum migration extremely painful.

The concept matters now, even before quantum computers are a practical threat, for several reasons. First, cryptographic transitions take far longer than anyone expects. The migration from SHA-1 to SHA-2, a comparatively simple change, took over a decade. The post-quantum migration will be significantly more complex. Second, regulations are beginning to mandate crypto agility. The NSA's CNSA 2.0 suite and the EU's evolving requirements both point toward post-quantum readiness timelines. Third, every year of delay increases the volume of encrypted data that adversaries can collect today and decrypt later.

Building a Crypto-Agile Infrastructure

Achieving crypto agility requires action across three layers: knowing what you have, abstracting how it is used, and testing what comes next.

1. Complete Cryptographic Inventory

You cannot migrate what you cannot find. The first step is building a comprehensive inventory of every certificate, key, and cryptographic dependency in your environment. This includes certificates on servers, in cloud services, embedded in applications, and used by IoT devices. For each asset, record the algorithm, key size, issuing CA, and expiration date. This inventory becomes your migration planning baseline.

2. Abstraction Layers

Design your systems so that cryptographic choices are made in configuration, not in code. Use cryptographic libraries and frameworks that support algorithm negotiation and make it possible to change the algorithm a service uses by updating a configuration file rather than rewriting application logic. In PKI terms, this means using certificate management platforms that are algorithm-agnostic and can issue, deploy, and renew certificates regardless of whether they use RSA, ECDSA, ML-DSA, or a future algorithm not yet standardized.

3. Hybrid Certificates

During the transition period, hybrid certificates offer a pragmatic path forward. A hybrid certificate contains both a classical signature (RSA or ECDSA) and a post-quantum signature (ML-DSA or SLH-DSA). Clients that support post-quantum algorithms verify the PQ signature; legacy clients fall back to the classical signature. This approach enables gradual migration without breaking backward compatibility. Multiple browser vendors and CA/Browser Forum working groups are actively developing standards for hybrid certificate issuance.

Timeline and Urgency

Estimates for when a cryptographically relevant quantum computer (CRQC) will exist vary, but most experts place it between 2030 and 2040. That may sound distant, but the urgency is driven by a threat that exists today.

"Harvest Now, Decrypt Later"

Nation-state adversaries are already intercepting and storing encrypted communications with the explicit intention of decrypting them once quantum computers become available. Any data encrypted today with RSA or ECC that must remain confidential for 10 or more years is effectively at risk now. This applies to government secrets, healthcare records, financial data, and intellectual property.

Migration Takes Years

The SHA-1 to SHA-2 migration, which involved changing a single hash algorithm, took over a decade from the first deprecation announcements to full ecosystem adoption. The post-quantum migration is vastly more complex: it involves changing signature algorithms, key exchange mechanisms, certificate formats, and potentially the protocols themselves. Starting early is not optional; it is a requirement.

Regulatory Pressure

The NSA's CNSA 2.0 guidance requires all national security systems to support post-quantum algorithms by 2030 and to use them exclusively by 2033. The White House National Security Memorandum NSM-10 directs federal agencies to begin inventorying cryptographic systems and planning migrations. Similar requirements are emerging in the EU and across other jurisdictions.

Ecosystem Readiness

Major browsers, operating systems, and TLS libraries are already adding post-quantum support. Chrome and Firefox have begun experimenting with hybrid key exchange using ML-KEM. Cloud providers are rolling out PQC support in their key management and certificate services. The ecosystem is moving, and organizations that delay risk falling behind their vendors and peers.

The formula is simple: if the time to migrate your infrastructure exceeds the time until quantum computers arrive, you are already late. Organizations should use the Mosca inequality as a planning tool: if the shelf life of your data plus the time to migrate is greater than the time until a CRQC exists, you need to act now.
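As an added illustration (not code from this article or from Evertrust), the Python below ties the cryptographic inventory step above to the Mosca inequality: each constructed inventory row is classified by the quantum impact the text describes (Shor breaks RSA and ECC outright, Grover halves symmetric strength), and the organisation's own estimates of migration time and CRQC horizon decide which rows demand action now. The field names, the 128-bit post-quantum floor for symmetric keys, and the sample assets and year values are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Per the text: Shor breaks RSA/ECC outright; Grover only halves symmetric strength.
SHOR_BROKEN = {"RSA", "ECDSA", "ECDH"}
SYMMETRIC_BITS = {"AES-128": 128, "AES-256": 256}
PQ_PREFIXES = ("ML-KEM", "ML-DSA", "SLH-DSA")   # the FIPS 203/204/205 families

@dataclass
class Asset:
    """One inventory row: the fields the text says to record, plus data shelf life."""
    name: str
    algorithm: str
    key_bits: int
    issuer: str
    expires: str
    shelf_life_years: int   # how long the protected data must stay confidential

def quantum_risk(asset):
    """'broken' (Shor), 'upgrade' (Grover leaves < 128 bits), 'ok', or 'unknown'."""
    if asset.algorithm in SHOR_BROKEN:
        return "broken"
    if asset.algorithm in SYMMETRIC_BITS:
        post_quantum_bits = SYMMETRIC_BITS[asset.algorithm] // 2   # quadratic speedup
        return "ok" if post_quantum_bits >= 128 else "upgrade"
    return "ok" if asset.algorithm.startswith(PQ_PREFIXES) else "unknown"

def mosca_late(shelf_life_years, migration_years, years_to_crqc):
    """Mosca inequality: shelf life + migration time > time to CRQC means act now."""
    return shelf_life_years + migration_years > years_to_crqc

def triage(inventory, migration_years, years_to_crqc):
    """Map asset name -> (risk class, act_now). migration_years and years_to_crqc
    are the organisation's own estimates (assumed inputs, not values from the text)."""
    plan = {}
    for asset in inventory:
        risk = quantum_risk(asset)
        urgent = risk != "ok" and mosca_late(asset.shelf_life_years, migration_years, years_to_crqc)
        plan[asset.name] = (risk, urgent)
    return plan

# Constructed sample inventory for illustration; not real systems.
INVENTORY = [
    Asset("vpn-gateway", "RSA", 2048, "Internal CA", "2027-03-01", 10),
    Asset("public-api", "ECDSA", 256, "Public CA", "2026-06-01", 1),
    Asset("backup-vault", "AES-128", 128, "n/a", "n/a", 15),
    Asset("records-archive", "AES-256", 256, "n/a", "n/a", 25),
    Asset("pqc-pilot", "ML-DSA", 0, "Lab CA", "2027-03-01", 10),
]

if __name__ == "__main__":
    for name, (risk, urgent) in triage(INVENTORY, 5, 10).items():
        print(f"{name:16} {risk:8} {'ACT NOW' if urgent else 'schedule'}")
```

An asset classified "broken" but not flagged urgent still has to migrate before the CRQC horizon; the Mosca test only separates the assets whose data is already exposed to harvest-now-decrypt-later from those that can be scheduled.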

How we help

Evertrust & Post-Quantum Readiness

Cryptographic inventory: Evertrust CLM discovers and catalogs every certificate in your environment along with its algorithm, key size, and issuing CA. This gives you the migration planning baseline you need to understand the scope of your post-quantum transition.

Algorithm-agnostic platform: Evertrust's architecture is designed to be algorithm-agnostic. As post-quantum algorithms are adopted by CAs and integrated into standards, Evertrust will support their issuance, deployment, and lifecycle management without requiring a platform overhaul.

Policy-driven migration: Define policies that flag certificates using deprecated algorithms and automatically route renewals toward approved post-quantum or hybrid configurations. Build a CLM strategy that includes crypto agility as a core requirement from day one.

Migration dashboards: Track your post-quantum migration progress with real-time visibility into which certificates have been migrated, which are in progress, and which still use vulnerable classical algorithms. Report on readiness to auditors and leadership with confidence.