Quantum computers will break RSA and ECDSA. NIST finalized the replacement algorithms in August 2024. Here is everything a developer needs to know to start migrating today.
In 1994, Peter Shor published an algorithm that can factor large integers in polynomial time on a quantum computer. RSA, the most widely deployed public-key cryptosystem in the world, derives its security entirely from the hardness of integer factorization. Shor's algorithm renders RSA theoretically broken the moment a sufficiently powerful quantum computer exists.
The same algorithm, with minor modifications, breaks elliptic curve cryptography (ECDSA, ECDH), the other pillar of modern public-key infrastructure. TLS, SSH, code signing, certificate authorities, and virtually every secure communication protocol on the internet depend on one or both of these systems.
Current estimates from NIST, NSA, and leading quantum computing researchers suggest a cryptographically relevant quantum computer (CRQC) could exist within 10 to 15 years. Some estimates are more aggressive.
The most immediate threat is the "harvest now, decrypt later" (HNDL) attack strategy. Nation-state adversaries are collecting encrypted internet traffic today — TLS sessions, VPN tunnels, encrypted emails — and storing it for future decryption once a CRQC becomes available.
This means data encrypted with RSA-2048 or ECDH P-256 today may be readable in 10 years. If you are transmitting data that needs to remain confidential for more than a decade, you are already at risk.
> **Key insight:** The threat is not future encryption being broken. It is current encryption being stored and broken later. Migration needs to start now, not when quantum computers arrive.
NIST launched its Post-Quantum Cryptography Standardization project in 2016. After multiple rounds of public evaluation and cryptanalysis, NIST selected four algorithms for standardization in 2022 and published the final standards in August 2024.
- **ML-KEM (FIPS 203):** Based on CRYSTALS-Kyber. The post-quantum replacement for ECDH and RSA key transport.
- **ML-DSA (FIPS 204):** Based on CRYSTALS-Dilithium. The post-quantum replacement for ECDSA and RSA-PSS.
- **SLH-DSA (FIPS 205):** Based on SPHINCS+. A hash-based signature scheme recommended as a backup signature algorithm.
ML-KEM is a key encapsulation mechanism (KEM) — its purpose is to establish a shared secret between two parties, which is then used as a symmetric key for AES or ChaCha20 encryption. This is the same role ECDH plays in TLS today.
ML-KEM comes in three parameter sets:
| Parameter Set | Security Level | Public Key | Ciphertext |
|---|---|---|---|
| ML-KEM-512 | 128-bit | 800 bytes | 768 bytes |
| ML-KEM-768 | 192-bit | 1184 bytes | 1088 bytes |
| ML-KEM-1024 | 256-bit | 1568 bytes | 1568 bytes |
For most applications, ML-KEM-768 (192-bit security) is the recommended choice. ML-KEM-1024 is appropriate for long-term secrets or high-security environments.
1. **Inventory.** Use the MainState Crypto Scanner API to analyze your codebase for RSA, ECDSA, and ECDH usage. Build a complete inventory of where classical cryptography is used.
2. **Prioritize.** Focus first on data that needs to remain confidential for 10+ years, and on key exchange mechanisms (TLS, SSH) that are vulnerable to HNDL attacks.
3. **Deploy hybrid key exchange.** Add ML-KEM alongside existing ECDH in key exchange. This is safe to deploy immediately: because the session key depends on both shared secrets, it cannot make security worse, only better.
4. **Migrate signatures.** Replace ECDSA with ML-DSA for code signing, certificate issuance, and authentication tokens. Note that signature sizes are larger, so plan for this in your protocols.
5. **Update certificates.** Work with your CA to obtain post-quantum or hybrid certificates. This is the longest-lead-time item and should be started early.
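The KEM role described above and the hybrid step are both about one thing: turning two independently established shared secrets (one from ECDH, one from ML-KEM) into a single session key in a way that stays secure as long as at least one component is unbroken. The example below is added here and is not code from the original article or from MainState; it implements the standard concatenation combiner (`ss_ecdh || ss_mlkem` fed through HKDF-SHA256, RFC 5869) using only the Python standard library. The two 32-byte shared secrets and the transcript are constructed stand-ins for what a real X25519 exchange and a real ML-KEM-768 encapsulation would produce; the label string `hybrid-ecdh-mlkem-v1` is an assumed domain separator, not a value from any standard.

```python
import hashlib
import hmac

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869 section 2.2): PRK = HMAC(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH().digest_size
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869 section 2.3): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH().digest_size:
        raise ValueError("requested output too long for HKDF")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def hybrid_shared_key(ecdh_secret: bytes, mlkem_secret: bytes,
                      transcript: bytes, length: int = 32) -> bytes:
    """Concatenation combiner for a hybrid ECDH + ML-KEM key exchange.

    Both inputs are fixed at 32 bytes so that the concatenation is
    unambiguous (no length field is needed for domain separation).
    The transcript (typically a hash of both public keys and the KEM
    ciphertext) is bound into HKDF's info field so a key derived for
    one exchange can never be confused with another.
    """
    if len(ecdh_secret) != 32 or len(mlkem_secret) != 32:
        raise ValueError("both shared secrets must be exactly 32 bytes")
    ikm = ecdh_secret + mlkem_secret              # ss_ecdh || ss_mlkem
    info = b"hybrid-ecdh-mlkem-v1" + transcript   # assumed label, not standardized
    return hkdf(b"", ikm, info, length)


# Constructed stand-ins for the outputs of a real exchange (not real key material).
SS_ECDH = hashlib.sha256(b"constructed x25519 shared secret").digest()
SS_MLKEM = hashlib.sha256(b"constructed ml-kem-768 shared secret").digest()
TRANSCRIPT = hashlib.sha256(b"client_pk || server_pk || kem_ciphertext").digest()


def derive_both_sides() -> tuple[bytes, bytes]:
    """Client and server each hold the same two secrets; both must reach the same key."""
    client_key = hybrid_shared_key(SS_ECDH, SS_MLKEM, TRANSCRIPT)
    server_key = hybrid_shared_key(SS_ECDH, SS_MLKEM, TRANSCRIPT)
    return client_key, server_key


def component_change_alters_key() -> bool:
    """Flipping one bit of either secret (or the transcript) yields an unrelated key."""
    base = hybrid_shared_key(SS_ECDH, SS_MLKEM, TRANSCRIPT)
    flip = lambda b: bytes([b[0] ^ 1]) + b[1:]
    return (base != hybrid_shared_key(flip(SS_ECDH), SS_MLKEM, TRANSCRIPT)
            and base != hybrid_shared_key(SS_ECDH, flip(SS_MLKEM), TRANSCRIPT)
            and base != hybrid_shared_key(SS_ECDH, SS_MLKEM, flip(TRANSCRIPT)))


if __name__ == "__main__":
    c, s = derive_both_sides()
    print("session key:", c.hex())
    print("sides agree:", c == s)
    print("either component changes the key:", component_change_alters_key())
```

The point a reviewer should check in any hybrid deployment is the combiner, not the individual primitives: the ECDH and ML-KEM secrets must both be inputs to one KDF call, and the transcript must be bound in. Deriving a key from only one secret and "mixing in" the other afterwards, or using a KDF that is not a PRF in its key input, throws away the guarantee that step 3 relies on.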
The MainState Post-Quantum Cryptography API provides all NIST-standardized algorithms via a simple REST interface. The free tier includes 1,500 requests per month — enough to integrate and test in development.