Post-Quantum Cryptography in 2026: How NIST's ML-KEM and ML-DSA Standards and the "Harvest Now, Decrypt Later" Threat Are Forcing a Global Migration off RSA and ECC
- Internet Pros Team
- June 20, 2026
- Networking & Security
Almost every secure connection you make - the padlock in your browser, your VPN, your bank app, the signature that proves a software update is genuine - rests on two pieces of math: RSA and elliptic-curve cryptography. For half a century they have been effectively unbreakable, because no classical computer can factor enormous numbers or unwind elliptic curves in any reasonable amount of time. A large-scale quantum computer changes that overnight. In 2026, post-quantum cryptography (PQC) - encryption designed to survive a quantum attacker - has stopped being a research curiosity and become an active, standards-backed migration that touches nearly every connected system on Earth.
Why Quantum Computers Break Today's Encryption
Public-key cryptography works because some math is easy one way and brutally hard to reverse. Multiplying two huge primes is trivial; factoring the result back into those primes would take a classical supercomputer longer than the age of the universe. That asymmetry is the entire foundation of RSA and ECC. In 1994 the mathematician Peter Shor showed that a sufficiently powerful quantum computer running Shor's algorithm could solve exactly these problems - integer factoring and discrete logarithms, including the elliptic-curve variant - in polynomial time, turning a computation that is infeasible for any classical machine into one that finishes in hours or days once the hardware exists.
No such machine exists today. But the trajectory of quantum hardware is steep enough that security agencies no longer treat a cryptographically relevant quantum computer (CRQC) as science fiction - they treat it as a deadline. The industry even has a nickname for the day it arrives: Q-Day. Symmetric encryption like AES survives largely intact - Grover's algorithm at best halves the effective key length, so AES-256 keeps roughly 128-bit security - but the public-key layer that negotiates keys and verifies identity must be rebuilt.
"The mistake is thinking we have until Q-Day to act. Encrypted data being copied today can be unlocked the moment the machine arrives. For anything that must stay secret for a decade, the quantum threat is not in the future - it is already here."
Harvest Now, Decrypt Later
The most important idea in this whole subject is also the most unsettling. An adversary does not need a quantum computer today to benefit from one tomorrow. They can simply record encrypted traffic now and store it - intercepted VPN sessions, exfiltrated databases, captured government cables - and wait. When a capable quantum computer exists, they decrypt the entire archive at once. This is called Harvest Now, Decrypt Later (or Store Now, Decrypt Later), and it means the clock is already running for any information with a long shelf life: health records, state secrets, intellectual property, financial data, and the master keys that protect all of it.
2026: The Year the Standards Became Real
For years PQC lacked the one thing enterprises need before they move: official, vetted standards. That changed when the U.S. National Institute of Standards and Technology (NIST) concluded a multi-year, global competition and published its first three finalized standards in August 2024. By 2026 these are the load-bearing pillars of the migration:
ML-KEM — FIPS 203
Formerly CRYSTALS-Kyber, a lattice-based key encapsulation mechanism that two parties use to agree on a shared secret. It is the quantum-safe replacement for the key exchange behind every HTTPS connection.
ML-DSA — FIPS 204
Formerly CRYSTALS-Dilithium, a lattice-based digital signature scheme for proving identity and authenticity - signing software updates, certificates, and documents.
SLH-DSA — FIPS 205
Formerly SPHINCS+, a hash-based signature built on different math entirely - a conservative backup if a weakness is ever found in the lattice family.
Why Lattices Resist Quantum Attack
ML-KEM and ML-DSA both rest on the mathematics of lattices - regular grids of points stretching through high-dimensional space. The core hard problem, Learning With Errors (the standards use a structured form called Module-LWE), asks you to recover a secret hidden inside a system of linear equations that has been deliberately blurred with small random noise. Without the noise, schoolbook Gaussian elimination would recover the secret in seconds; with it, the task becomes finding the nearest lattice point in hundreds of dimensions, which is brutally difficult, and - crucially - Shor's algorithm gives a quantum computer no shortcut for it. The best known quantum attacks on lattice problems offer only modest speedups over classical ones. The security comes from a problem quantum machines are not known to be good at, which is exactly the property RSA and ECC lack.
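To make the "blurred equations" idea concrete, here is a toy LWE encryption scheme added for this article. It is not ML-KEM and is not secure (eight-dimensional secret, no compression, no hashing); it exists only to show that with the noise term e removed, plain Gaussian elimination over Z_q recovers the secret from the public key, and that with the noise present the same attack returns a wrong answer while legitimate decryption still works. The modulus 3329 is borrowed from ML-KEM purely for familiarity; every other parameter is a constructed toy value.

```python
"""Toy Learning-With-Errors (LWE) encryption of one bit.

Added illustration for this article - NOT ML-KEM and NOT secure (tiny
parameters, no compression, no hashing). It shows only the mechanism the
text describes: a secret s hidden in equations b = A*s + e (mod q) that
are blurred with small noise e, and why that noise, not the equations
themselves, is what keeps plain linear algebra from recovering s.
"""
import random

Q = 3329   # prime modulus; the value ML-KEM uses, chosen here for familiarity only
N = 8      # secret dimension (toy; ML-KEM works with 3 or 4 modules of 256 coefficients)
M = 16     # number of noisy equations published in the public key
ERR = 2    # noise coefficients are drawn uniformly from [-ERR, ERR]


def keygen(rng, err=ERR):
    """Return ((A, b), s): public equations A*s + e = b mod Q and the secret s."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [rng.randint(-err, err) for _ in range(M)]
    b = [(sum(a * x for a, x in zip(row, s)) + ei) % Q for row, ei in zip(A, e)]
    return (A, b), s


def encrypt(pk, bit, rng):
    """Encrypt one bit: sum a random subset of the public equations and
    shift the right-hand side by q/2 if the bit is 1."""
    A, b = pk
    r = [rng.randint(0, 1) for _ in range(M)]           # random subset selector
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    v = (sum(r[i] * b[i] for i in range(M)) + bit * (Q // 2)) % Q
    return u, v


def decrypt(sk, ct):
    """v - <u, s> = <r, e> + bit*q/2 (mod q); the leftover noise <r, e> is at
    most M*ERR = 32, far below q/4, so rounding recovers the bit."""
    u, v = ct
    d = (v - sum(ui * si for ui, si in zip(u, sk))) % Q
    return 1 if Q // 4 < d < 3 * Q // 4 else 0


def solve_linear_mod_q(A, b):
    """Gaussian elimination over Z_q: the attack that works when e = 0.
    Returns the solution implied by the first N independent equations, or
    None if A is rank-deficient. With noise present it returns a vector
    that fits those equations exactly but is (almost surely) not s."""
    rows = [row[:] + [bi] for row, bi in zip(A, b)]
    m, n = len(rows), N
    piv = 0
    for col in range(n):
        pivot = next((r for r in range(piv, m) if rows[r][col] % Q), None)
        if pivot is None:
            return None
        rows[piv], rows[pivot] = rows[pivot], rows[piv]
        inv = pow(rows[piv][col], -1, Q)                 # Q is prime, so inverses exist
        rows[piv] = [(x * inv) % Q for x in rows[piv]]
        for r in range(m):
            if r != piv and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(x - f * y) % Q for x, y in zip(rows[r], rows[piv])]
        piv += 1
    return [rows[i][n] for i in range(n)]


def roundtrip_ok(seed, err=ERR):
    """Encrypt and decrypt both bit values several times under one key."""
    rng = random.Random(seed)
    pk, sk = keygen(rng, err)
    return all(decrypt(sk, encrypt(pk, bit, rng)) == bit
               for bit in (0, 1, 1, 0, 1, 0))


def linear_attack_recovers_secret(seed, err):
    """True if plain Gaussian elimination on the public key recovers s."""
    pk, sk = keygen(random.Random(seed), err)
    return solve_linear_mod_q(*pk) == sk


if __name__ == "__main__":
    print("decrypts correctly:      ", roundtrip_ok(1))
    print("attack works w/o noise:  ", linear_attack_recovers_secret(2, err=0))
    print("attack works with noise: ", linear_attack_recovers_secret(3, err=ERR))
```

The real standards differ in almost every engineering detail (polynomial rings, centered binomial noise, ciphertext compression, a Fujisaki-Okamoto transform for CCA security), but the decryption step is recognisably the same trick: the holder of s can subtract the structured part and is left with noise small enough to round away, while everyone else faces a noisy linear system with no efficient classical or quantum solver known.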
What Changes - and What Stays the Same
| The Job | Classical Crypto (Today) | Post-Quantum (2026) |
|---|---|---|
| Agree on a session key (HTTPS) | RSA or elliptic-curve Diffie-Hellman | ML-KEM, usually in a hybrid with X25519 for belt-and-suspenders safety |
| Prove identity / sign code | RSA or ECDSA signatures | ML-DSA, with SLH-DSA as a conservative alternative |
| Encrypt bulk data | AES-256 | AES-256 - still safe; Grover's algorithm halves the effective key length at most, so 256-bit keys keep a 128-bit margin |
| Key and signature size | Small - tens to hundreds of bytes | Larger - often several kilobytes, the main practical cost |
It Is Already Shipping
- Your browser uses it now. Chrome, Firefox, and major servers already negotiate hybrid key exchange (X25519MLKEM768) by default, so a huge share of TLS traffic is quantum-safe today without anyone noticing.
- Messaging led early. Signal's PQXDH and Apple's iMessage PQ3 protocol rebuilt their key agreement around Kyber (the scheme since standardized as ML-KEM), combined with classical elliptic-curve Diffie-Hellman, to defend against harvest-now attacks on private chats.
- The toolkits are ready. OpenSSL (ML-KEM, ML-DSA and SLH-DSA since 3.5), OpenSSH (mlkem768x25519-sha256 is the default key exchange since 10.0), and cloud KMS and load-balancer services now support the NIST algorithms, turning migration from research into configuration.
- Governments set deadlines. The NSA's CNSA 2.0 suite requires new national-security systems to support and prefer quantum-resistant algorithms from 2025, phases out classical public-key algorithms category by category between 2030 and 2033, and calls for a complete transition by 2035; other national roadmaps follow similar timelines.
The Honest Trade-Offs
- Bigger keys and signatures. PQC keys and signatures are far larger than their classical cousins, which inflates handshakes, certificates, and bandwidth - a real concern for embedded devices and high-volume servers.
- Newer math, less battle-testing. Lattice schemes are well studied but younger than RSA. That is exactly why 2026 deployments favor hybrid modes - in X25519MLKEM768 the session key is derived from both shared secrets, so an attacker has to break both X25519 and ML-KEM; if one layer ever falls, the other still holds.
- Hidden dependencies everywhere. Cryptography is buried in firmware, chips, libraries, and protocols you forgot you had. You cannot replace what you have not inventoried.
- Long-lived hardware lags. Cars, medical devices, satellites, and industrial controllers built today may outlive Q-Day, yet cannot be easily patched.
What This Means for Businesses
- Build a cryptographic inventory. You cannot migrate what you cannot see. Map every place RSA, ECC, and certificates live - in apps, VPNs, devices, and vendor products.
- Protect long-lived secrets first. Prioritize data that must stay confidential for a decade; it is already exposed to harvest-now collection.
- Adopt crypto-agility. Architect systems so algorithms can be swapped without re-engineering - negotiate algorithms by identifier, keep keys and signatures out of fixed-width fields and buffers sized for RSA and ECC, and test that kilobyte-scale PQ certificates and signatures actually fit through your protocols and databases. The next change will not be the last.
- Push your vendors. Ask cloud providers, SaaS tools, and hardware suppliers for their PQC roadmaps now, and prefer products that already support the NIST standards.
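The "It Is Already Shipping" section above says browsers negotiate X25519MLKEM768 by default, and the first business step above is to inventory what your own clients and servers actually do. Both reduce to one check: which key-exchange groups does a TLS ClientHello offer, and is a post-quantum hybrid among them? The parser below is an example added for this article (not code from any browser, server or library). It walks a raw ClientHello record, extracts the supported_groups extension and classifies the groups using code points from the IANA TLS Supported Groups registry and draft-ietf-tls-ecdhe-mlkem; the two sample handshakes are constructed fixtures, and in practice you would feed it ClientHello records exported from a packet capture.

```python
"""Inventory the key-exchange groups a TLS ClientHello offers.

Added example for this article, not code from any browser, server or
library. Run it over ClientHello records exported from a packet capture
to measure which clients offer the hybrid X25519MLKEM768 group and which
still offer only classical (ECC/finite-field) groups. The sample
handshakes below are constructed inline; code points come from the IANA
TLS Supported Groups registry and draft-ietf-tls-ecdhe-mlkem.
"""
import struct

EXT_SUPPORTED_GROUPS = 0x000A
EXT_SUPPORTED_VERSIONS = 0x002B

# code point -> (name, offers post-quantum protection?)
GROUPS = {
    0x0017: ("secp256r1", False),
    0x0018: ("secp384r1", False),
    0x001D: ("x25519", False),
    0x001E: ("x448", False),
    0x0100: ("ffdhe2048", False),
    0x11EB: ("SecP256r1MLKEM768", True),
    0x11EC: ("X25519MLKEM768", True),
    0x11ED: ("SecP384r1MLKEM1024", True),
    0x6399: ("X25519Kyber768Draft00 (pre-standard, obsolete)", True),
}


def supported_groups(record):
    """Return the supported_groups code points from one TLS record holding a
    ClientHello, or [] if the extension is absent (e.g. RSA-key-transport-only
    TLS 1.2 clients). Raises ValueError on anything that is not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:             # ContentType.handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                     # HandshakeType.client_hello
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # legacy_version + random
    pos += 1 + body[pos]                                  # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # legacy_compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type == EXT_SUPPORTED_GROUPS:
            n = struct.unpack("!H", data[:2])[0]
            return list(struct.unpack("!%dH" % (n // 2), data[2:2 + n]))
    return []


def classify(groups):
    """Summarise a group list for an inventory report."""
    named = [GROUPS.get(g, ("unknown-0x%04x" % g, False)) for g in groups]
    pq = [name for name, is_pq in named if is_pq]
    return {
        "groups": [name for name, _ in named],
        "pq_groups": pq,
        "offers_pq": bool(pq),
        "classical_only": bool(groups) and not pq,
        "prefers_pq": bool(named) and named[0][1],        # first entry = most preferred
    }


def build_client_hello(groups):
    """Constructed minimal TLS 1.3 ClientHello for testing (real clients send
    many more extensions; only the fields the parser walks are populated)."""
    sg = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    exts = struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(sg)) + sg
    sv = b"\x02\x03\x04"                                  # supported_versions: TLS 1.3
    exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    body = (b"\x03\x03" + b"\x11" * 32                    # legacy_version, fixed "random" (fixture)
            + b"\x00"                                     # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"          # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                 # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # Constructed fixtures: a current browser and a legacy embedded client.
    modern = build_client_hello([0x11EC, 0x001D, 0x0017])
    legacy = build_client_hello([0x001D, 0x0017, 0x0018])
    print(classify(supported_groups(modern)))
    print(classify(supported_groups(legacy)))
```

The ClientHello only tells you what a client is willing to do; to know what was actually negotiated you would apply the same walk to the ServerHello's key_share extension, whose single group is the one the session used. Counting how often that group is 0x11EC versus 0x001D across a day of captures is the quickest honest measure of how much of your traffic is still harvestable.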
The Bottom Line
Post-quantum cryptography is the rarest kind of security project: one where the deadline is set by an event that has not happened yet, but the damage can begin years before it does. The harvest-now threat means the data you transmit today is already at risk, and the finalized NIST standards mean there is no longer any excuse to wait for the dust to settle - the dust has settled. ML-KEM, ML-DSA, and their hash-based backup are vetted, shipping, and already protecting a growing share of the internet quietly in the background.
The organizations that come through Q-Day intact will not be the ones that scrambled at the last minute; they will be the ones that started inventorying their cryptography, prioritizing their most durable secrets, and demanding quantum-safe roadmaps from their vendors in 2026. The math that protected the digital world for fifty years is being quietly retired. Replacing it is the largest cryptographic migration in history - and the clock is already running.