The migration of the world’s cryptographic infrastructure to algorithms designed to resist attack by sufficiently capable quantum computers has entered an active operational phase. The motivation is not that such computers exist today — they do not, at any scale capable of breaking current public-key cryptography — but that the data being encrypted today will, in many cases, remain sensitive long enough to be at risk if such machines eventually do exist. The principle of “harvest now, decrypt later” has moved from an abstract concern in cryptographic literature to a working assumption in serious security planning.

The technical foundation for the migration has been under construction for years. Standards bodies have completed multi-round competitive evaluations of candidate algorithms across several mathematical families, settling on a small set of recommended primitives for key exchange, digital signatures, and related functions. Those recommendations have now been incorporated into the protocol stacks that underpin the modern internet, and reference implementations are available in the major cryptographic libraries.

The hard part is not the math; it is the integration. Public-key cryptography is embedded in an extraordinary range of systems, many of which were designed with assumptions about key sizes, signature sizes, and computational costs that the post-quantum algorithms violate in various ways. Some of the new primitives have signatures that are an order of magnitude larger than current ones; others have higher computational costs that affect throughput on constrained devices. None of these issues are fatal, but each requires engineering work in every system that depends on the affected primitive.

The migration is happening in layers, and the timing of the layers matters. Browser-to-server connections, where the most visible cryptographic handshakes occur, have been among the first to deploy hybrid key exchange schemes that combine a classical and a post-quantum primitive. The hybrid approach provides protection against both currently known attacks and future quantum attacks while limiting the risk that a flaw in the relatively new post-quantum algorithms compromises the connection. Large content delivery networks and cloud providers have been the leading adopters.

Beneath the visible layer, deeper changes are underway. The infrastructure that issues and validates the digital certificates underlying internet security operates on long timescales, and incorporating post-quantum signatures into that infrastructure is a multi-year project. Code-signing systems, secure boot chains, hardware security modules, and the protocols governing inter-bank financial messaging all need their own migrations, each with its own constraints and stakeholders.

The most challenging environments are the ones with long device lifecycles and limited update mechanisms. Industrial control systems, embedded sensors, vehicles, and certain categories of medical devices may operate for a decade or more after deployment, often without the ability to receive substantial software updates. For those systems, the cryptographic choices being made today need to anticipate threats that may not become practical for years, and the cost of choosing wrong is borne for the entire device lifetime.

The enterprise picture is uneven. Organizations with mature security functions and clear visibility into their cryptographic dependencies have begun systematic inventories of where public-key cryptography is used in their environments, often discovering more instances than initial estimates suggested. Organizations without that level of maturity have been slower to engage, and there is a real concern that the migration will produce a long tail of unmigrated systems that quietly carry quantum-vulnerable cryptography well past the point when alternatives are available.

The regulatory dimension is sharpening. Several jurisdictions have published timelines for the migration of government systems and have begun signaling expectations for the private-sector infrastructure that supports critical functions. The timelines are generally measured in years rather than months, but the existence of explicit deadlines has begun to focus procurement and architectural decisions in ways that abstract risk warnings did not.

There is no expectation that the migration will be completed quickly or cleanly. The realistic timeline is measured in the high single digits of years for most large environments, and significantly longer for the harder cases. What has changed is that the work is now happening at the level of operational projects rather than research agendas, and the underlying assumption — that the cryptographic foundations of the digital economy need to be rebuilt before they are credibly threatened — has moved from contested to mainstream. That alone is a significant shift.