Quantum-capable adversaries threaten current public-key systems because Shor’s algorithm shows that a sufficiently large quantum computer can factor integers and solve discrete logarithms, breaking widely used algorithms such as RSA and elliptic-curve cryptography. Peter Shor (Massachusetts Institute of Technology) formulated that algorithm, and cryptographers such as Michele Mosca (University of Waterloo) have warned about the operational risk of “harvest now, decrypt later” campaigns, in which today’s encrypted traffic is captured and stored for future decryption once quantum capacity exists. NIST has responded by running a Post-Quantum Cryptography standardization process to identify replacements for vulnerable primitives, reinforcing the practical relevance for custodians of critical data and infrastructure.
Immediate technical mitigations
Custodians should begin with a rigorous crypto inventory that records where vulnerable algorithms, keys, certificates, and protocols are used across systems and supply chains. Implementing crypto-agility through modular key management and protocol abstraction reduces migration friction when standards evolve. Transition strategies should include hybrid constructions that combine classical and post-quantum cryptography to protect data during the transition period, and should track guidance from NIST and other standards bodies. Regularly applying cryptographic best practices such as key rotation, multi-factor key protection, and hardware security modules reduces the attack surface while migration is planned.
Organizational contingency planning
Contingency planning must integrate legal, operational, and incident-response elements. Custodians should classify data by lifespan and sensitivity so that long-retention secrets receive priority for migration. Contracts and procurement policies must require quantum-resilient clauses and visibility into vendors’ cryptographic roadmaps. Exercises and tabletop scenarios that model a sudden quantum-capable adversary help organizations test detection, communication, and rollback procedures. Investment in staff training and the appointment of a cryptographic transition lead foster sustained institutional expertise.
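The crypto inventory and the lifespan-based prioritization described in the two sections above can be combined into one migration queue. The following Python sketch is an added example, not code from the original page. The record fields, the sample inventory, and the ordering rule (confidentiality uses exposed to harvest now, decrypt later first, then longest retention) are assumptions made for illustration.

```python
from dataclasses import dataclass

# Public-key families that rest on factoring or discrete logarithms,
# the problems Shor's algorithm solves.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "ED25519", "X25519"}
# Uses where traffic captured today can be decrypted later.
CONFIDENTIALITY_USES = {"key-exchange", "encryption"}

@dataclass(frozen=True)
class Entry:                  # hypothetical inventory record
    system: str
    algorithm: str            # e.g. "RSA-2048", "ECDH-P256", "AES-256"
    use: str                  # "key-exchange", "encryption" or "signature"
    retention_years: int      # how long the protected data must stay secret

def family(algorithm: str) -> str:
    """Strip the parameter suffix: 'RSA-2048' -> 'RSA'."""
    return algorithm.split("-")[0].upper()

def is_vulnerable(e: Entry) -> bool:
    return family(e.algorithm) in SHOR_VULNERABLE

def harvest_exposed(e: Entry) -> bool:
    """Vulnerable and protecting confidentiality: exposed to capture today."""
    return is_vulnerable(e) and e.use in CONFIDENTIALITY_USES

def migration_order(inventory):
    """Vulnerable entries only: harvest-exposed first, then longest retention."""
    vulnerable = [e for e in inventory if is_vulnerable(e)]
    return sorted(vulnerable, key=lambda e: (not harvest_exposed(e),
                                             -e.retention_years, e.system))

INVENTORY = [  # constructed sample data
    Entry("vpn-gateway", "ECDH-P256", "key-exchange", 10),
    Entry("code-signing", "RSA-3072", "signature", 5),
    Entry("archive-backup", "RSA-2048", "encryption", 25),
    Entry("disk-encryption", "AES-256", "encryption", 25),  # symmetric: not queued
    Entry("web-frontend", "X25519", "key-exchange", 1),
    Entry("firmware-update", "ECDSA-P384", "signature", 15),
]

if __name__ == "__main__":
    for rank, e in enumerate(migration_order(INVENTORY), 1):
        risk = "harvest-now-decrypt-later" if harvest_exposed(e) else "signature"
        print(f"{rank}. {e.system:16} {e.algorithm:11} {risk:26} {e.retention_years}y")
```

Signature uses are ranked after confidentiality uses here because traffic recorded today gives an adversary nothing to forge until a quantum computer exists, whereas recorded ciphertext is already at risk.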
Cultural and territorial considerations
Adoption timelines and regulatory expectations vary by jurisdiction and sector, so custodians should align plans with local regulators and cross-border data obligations. Infrastructures operated in resource-constrained regions may need tailored, low-footprint migration approaches that respect environmental and cultural constraints on hardware upgrades. Collaboration with academic centers and national bodies helps translate evolving research into operational policy, ensuring custodians remain both proactive and accountable as quantum threats develop.