
Post-Quantum Cryptography — How to Prepare for Migration

03. 12. 2025 | 4 min read | CORE SYSTEMS | development

Quantum computers are not yet powerful enough to break RSA. But attackers are already collecting encrypted data today with plans to decrypt it later — the “harvest now, decrypt later” strategy. Migration to post-quantum cryptography is not a question of if, but when.

Why Act Now

In 2024, NIST finalized three post-quantum standards: ML-KEM (formerly CRYSTALS-Kyber) for key exchange, ML-DSA (CRYSTALS-Dilithium) for digital signatures, and SLH-DSA (SPHINCS+) as a hash-based backup. This means the standards exist — and regulators are starting to require action.

The US NSA set 2035 as the deadline for government system migration. The European ENISA recommends a hybrid approach immediately. The Czech NÚKIB has not set a specific deadline yet, but the Cybersecurity Act and the upcoming NIS2 implementation implicitly require migration for critical infrastructure.

The “harvest now, decrypt later” (HNDL) problem is real, especially for data with a long sensitivity period — medical records, state secrets, financial contracts, intellectual property. Data captured today could be readable in 10–15 years.

What’s Changing Technically

Post-quantum algorithms differ fundamentally from RSA and ECC. Instead of relying on the hardness of factoring large numbers or computing discrete logarithms, they build on mathematical problems that resist even Shor’s algorithm:

  • Lattice-based problems: ML-KEM and ML-DSA — fast, relatively small keys, well-studied
  • Hash-based signatures: SLH-DSA — conservative, large signatures, but minimal cryptographic assumptions
  • Code-based problems: BIKE, HQC — candidates in NIST’s 4th round, not yet standardized

The practical impact for developers is larger keys and signatures. ML-KEM-768 has a public key of 1,184 bytes (vs. 32 bytes for X25519). An ML-DSA-65 signature is 3,309 bytes (vs. 64 bytes for Ed25519). This affects the TLS handshake, certificates, and IoT devices with limited memory.

Hybrid Approach — The Gold Standard of Transition

Nobody sensible switches from RSA to ML-KEM overnight. The correct approach is hybrid cryptography — a combination of classical and post-quantum algorithms. If one proves weak, the other still protects.

Google Chrome and Cloudflare have already deployed hybrid TLS (X25519 + ML-KEM-768) to production. AWS Key Management Service supports post-quantum TLS. Signal messenger switched to the PQXDH protocol combining X25519 with ML-KEM.

OpenSSL 3.5+ — hybrid TLS configuration

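    # OpenSSL reads ssl_conf only from the section that openssl_conf points to
    openssl_conf = openssl_init

    [openssl_init]
    ssl_conf = ssl_sect

    [ssl_sect]
    system_default = system_default_sect

    [system_default_sect]
    # OpenSSL 3.5 names the hybrid group X25519MLKEM768
    Groups = X25519MLKEM768:x25519:secp256r1
    SignatureAlgorithms = mldsa65:ecdsa_secp256r1_sha256:rsa_pss_rsae_sha256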
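
One way to check such a file before rollout, as an added example that is not part of the original article or of OpenSSL: a small linter that verifies the Groups line is reachable from openssl_conf and that an ML-KEM group is preferred with a classical fallback behind it. The function names and the embedded sample configurations are constructed for illustration, and ML-KEM groups are recognised by the substring "mlkem", which is an assumption of this sketch.

```python
import re

def parse_cnf(text):
    """Parse the openssl.cnf subset used here: [section] headers and key = value."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def lint_hybrid_tls(text):
    """Return findings (empty list = pass). Assumption: 'mlkem' in a name marks a PQ group."""
    cnf = parse_cnf(text)
    section = cnf["default"]
    # openssl_conf -> ssl_conf -> system_default must all resolve, or Groups is never read.
    for key in ("openssl_conf", "ssl_conf", "system_default"):
        target = section.get(key)
        if target not in cnf:
            return [f"'{key}' does not resolve to a section"]
        section = cnf[target]
    groups = [g.strip("?* ").lower() for g in re.split(r"[:/]", section.get("Groups", ""))]
    groups = [g for g in groups if g]
    if not groups:
        return ["no Groups list in the system default section"]
    findings = []
    if "mlkem" not in groups[0]:
        findings.append(f"first group '{groups[0]}' has no ML-KEM component")
    if all("mlkem" in g for g in groups):
        findings.append("no classical fallback group for older peers")
    return findings

# Constructed samples: a reachable hybrid-first config, then two broken variants of it.
GOOD = """
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Groups = X25519MLKEM768:x25519:secp256r1
"""
UNREACHABLE = GOOD.replace("openssl_conf = openssl_init\n[openssl_init]\n", "")
CLASSICAL_FIRST = GOOD.replace("X25519MLKEM768:x25519", "x25519:X25519MLKEM768")
```
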

Inventory — Where You Use Cryptography

The biggest challenge of migration isn’t technical — it’s visibility. Most organizations have no idea where they use cryptography. A systematic audit includes:

  • TLS/mTLS: Web servers, API gateways, service mesh, load balancers
  • Certificates: PKI infrastructure, code signing, S/MIME
  • Data at rest: Disk encryption, databases, backups, key vaults
  • Application cryptography: JWT tokens, HMAC, encryption in code
  • Hardware: HSM modules, TPM chips, smart cards, IoT sensors
  • Third-party: SaaS integrations, VPN tunnels, partner APIs

Tools like IBM Quantum Safe Explorer or open-source Cryptobom help with automated inventory. The output should be a Cryptographic Bill of Materials (CBOM) — a list of all cryptographic dependencies.
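
A triage pass over a CBOM, as an added example (not from the original article or from any of the tools it names): it flags entries that depend on algorithms broken by Shor's algorithm and ranks confidentiality uses by harvest-now-decrypt-later exposure using Mosca's inequality. The Asset fields, the priority labels, and the defaults of 10 years until a capable quantum computer and 3 years of migration are assumptions taken from the ranges the article gives.

```python
from dataclasses import dataclass

SHOR_BROKEN = ("RSA", "ECDSA", "ECDH", "X25519", "ED25519", "DH", "DSA")
POST_QUANTUM = ("ML-KEM", "ML-DSA", "SLH-DSA")
ORDER = ["P1-harvestable", "P2-confidentiality", "P3-signature", "OK"]

@dataclass
class Asset:
    system: str
    algorithm: str        # "+" joins the parts of a hybrid scheme
    purpose: str          # "key-exchange", "encryption" or "signature"
    sensitive_years: int  # how long the protected data must stay secret

def triage(asset, years_to_quantum=10, migration_years=3):
    """Rank one CBOM entry; both defaults are assumptions, not measured values."""
    parts = [p.strip().upper() for p in asset.algorithm.split("+")]
    if any(p.startswith(POST_QUANTUM) for p in parts):
        return "OK"            # pure PQ or hybrid: one strong part is enough
    if not any(p.startswith(SHOR_BROKEN) for p in parts):
        return "OK"            # symmetric ciphers and hashes: Shor does not apply
    if asset.purpose == "signature":
        return "P3-signature"  # recorded traffic is no help; forgery needs a live quantum computer
    # Mosca's inequality: exposed if secrecy lifetime + migration time outlasts the wait.
    if asset.sensitive_years + migration_years > years_to_quantum:
        return "P1-harvestable"
    return "P2-confidentiality"

def prioritize(cbom):
    """Return (priority, system, algorithm) rows, most urgent first."""
    rows = [(triage(a), a.system, a.algorithm) for a in cbom]
    return sorted(rows, key=lambda r: ORDER.index(r[0]))

# Constructed sample CBOM (not real inventory data).
SAMPLE_CBOM = [
    Asset("public API gateway TLS", "X25519", "key-exchange", 2),
    Asset("partner VPN", "X25519+ML-KEM-768", "key-exchange", 10),
    Asset("code signing", "ECDSA-P256", "signature", 0),
    Asset("patient records archive", "RSA-2048", "encryption", 15),
    Asset("backup vault", "AES-256-GCM", "encryption", 15),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_CBOM):
        print(*row, sep=" | ")
```
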

Migration Plan in 4 Phases

Phase 1: Inventory (1–3 months)

Map all cryptography in the organization. Create a CBOM. Identify data with a long sensitivity period — those have the highest priority.

Phase 2: Testing (3–6 months)

Deploy hybrid cryptography in a test environment. Measure the performance impact — ML-KEM is fast (encapsulation ~30 μs), but larger keys increase TLS handshake latency by 5–15%. Test compatibility with existing systems.

Phase 3: Gradual Rollout (6–18 months)

Start with the most exposed systems — public APIs, VPNs, communication channels. Use hybrid mode. Monitor. Gradually expand.

Phase 4: Full Migration (18–36 months)

Replace classical cryptography everywhere possible. Update HSM firmware. Renew certificates. Update compliance documentation.

Specifics for the Czech Market

Czech companies in regulated industries (banking, healthcare, energy) should watch:

  • NIS2 implementation: The new cybersecurity act will require “state of the art” cryptography
  • DORA (financial sector): Since January 2025, it requires regular testing of cryptographic resilience
  • eIDAS 2.0: European digital identity will need post-quantum signatures
  • NÚKIB recommendations: Watch for updates to minimum security standards

What You Can Do Today

You don’t need to wait for a quantum computer. Start pragmatically:

  1. Update libraries — OpenSSL 3.5+, BoringSSL, liboqs already support ML-KEM/ML-DSA
  2. Enable hybrid TLS on public endpoints — Chrome and Firefox support it
  3. Audit cryptography — create a CBOM for critical systems
  4. Educate your team — post-quantum cryptography requires new knowledge
  5. Plan the budget — HSM upgrades and certification processes cost time and money

Summary

Post-quantum cryptography has moved from academic theory to practice. Standards exist, tools are available, major players are already migrating. For Czech companies in regulated industries, it’s time to start with inventory and the hybrid approach. Whoever waits for Q-Day will be too late.

CORE SYSTEMS helps with cryptographic audits, migration strategy design, and implementation of post-quantum solutions.
