
Cryptography | Quantum Security

Post-Quantum Cryptography: Preparing for the Quantum Threat

Quantum computers will break RSA and ECC - the question is not if, but when. NIST has published three final standards. Attackers are already stockpiling encrypted data today (Harvest Now, Decrypt Later).

Last updated: March 2026 - References: NIST FIPS 203/204/205, BSI TR-02102

  • NIST Standards: 3 final (FIPS 203, 204, 205, August 2024)
  • BSI Recommendation: migration to PQC algorithms by 2030
  • Harvest Now: active (attackers are stockpiling encrypted data)
  • Key Sizes: 2-10x larger keys than RSA/ECC
  • RSA-2048 breakable by quantum computers: 2030-2035
  • NIST PQC standards published as final: Aug. 2024
  • BSI migration target for KRITIS systems: by 2027
  • 3 New Standards: FIPS 203, FIPS 204, FIPS 205

Fundamentals

What is Post-Quantum Cryptography?

Post-Quantum Cryptography (PQC) refers to cryptographic algorithms that are resistant to attacks by quantum computers. Concretely: algorithms that remain secure even when a powerful quantum computer uses Shor's algorithm.

Shor's algorithm can solve the mathematical problems underlying RSA and ECC (integer factorisation, discrete logarithm) in polynomial time - something classical computers cannot do. A quantum computer with sufficient stable qubits would break RSA-2048 within hours or a few days.

The good news: symmetric schemes like AES-256 and SHA-256 are barely threatened. Grover's algorithm effectively halves key length - AES-256 remains sufficiently strong with 128-bit security. The urgent migration concerns only asymmetric cryptography: RSA, ECDSA, ECDH, Diffie-Hellman.

Post-Quantum Cryptography at a Glance

  • NIST Standards: FIPS 203, FIPS 204, FIPS 205 (Aug. 2024 final)
  • Threatened: RSA, ECC, ECDH, DH (all asymmetric)
  • Remains Secure: AES-256, SHA-256+ (symmetric)
  • BSI Target (DE): KRITIS migration by 2027 (TR-02102)
  • EU Recommendation: migration by 2030 (EU PQC Recommendation)
  • Quantum Computer: RSA-2048 breakable 2030-2035 (expert consensus)

The threat is already real

"Harvest Now, Decrypt Later": state actors are already collecting encrypted data today. Anyone working with data that requires protection for 10+ years is affected now - not just in 2030.

Current Threat

Harvest Now, Decrypt Later: The Threat of Today

State intelligence services and sophisticated cybercriminals are already massively collecting encrypted data - in anticipation of decrypting it in a few years with quantum computers. Migration must begin before quantum computers become available.

Data Protection Requirements by Sector

  • State secrets: 50+ years - Critical, quantum risk exists today
  • Patient data (EHR): 30+ years - Critical, immediate action required
  • Trade secrets: 10-20 years - High, migration planning urgent
  • Financial transactions: 7-20 years - High, note DORA quantum risk
  • General business data: 3-7 years - Medium, medium-term planning sufficient

Who is Already Collecting Data?

  • State intelligence agencies (NSA, GCHQ, FSB, MSS)
  • State-sponsored APT groups (Lazarus, APT28, APT41)
  • Industrial espionage actors (particularly targeting European industry)
  • Organised crime with long-term horizons

Which Data is Already at Risk?

  • Long-term diplomatic and military communications
  • Patents, R&D data, and trade secrets
  • Electronic health records and patient data
  • Encrypted financial transactions and contract data

NIST FIPS 203/204/205

The New NIST Post-Quantum Standards

Following a 7-year public standardisation process with hundreds of participating cryptographers worldwide, NIST published three final post-quantum standards in August 2024. These are the algorithms your systems need to migrate to.

FIPS 203

ML-KEM

Module-Lattice-Based Key-Encapsulation Mechanism
Replaces: RSA, ECDH (key exchange)
Basis: CRYSTALS-Kyber (lattice-based)

The primary standard for quantum-safe key exchange. ML-KEM replaces RSA and Elliptic Curve Diffie-Hellman (ECDH) for encrypting communication channels. Used in TLS 1.3, SSH, and VPN protocols. Hybrid mode (ML-KEM + ECDH) recommended for the transition period.

FIPS 204

ML-DSA

Module-Lattice-Based Digital Signature Algorithm
Replaces: ECDSA, RSA-PSS (digital signatures)
Basis: CRYSTALS-Dilithium (lattice-based)

The primary standard for quantum-safe digital signatures. ML-DSA replaces ECDSA and RSA-PSS for code signing, certificates (X.509), and authentication. Particularly relevant for PKI infrastructures, software supply chains, and email signing (S/MIME). Smaller than SPHINCS+ and faster than FALCON.

FIPS 205

SLH-DSA

Stateless Hash-Based Digital Signature Algorithm
Replaces: ECDSA, RSA-PSS (as backup)
Basis: SPHINCS+ (hash-based)

The conservative backup option for digital signatures. Hash-based schemes are mathematically independent from lattice-based algorithms - if ML-DSA were ever compromised, SLH-DSA provides an independent alternative. Larger signatures than ML-DSA, but maximum security guarantees. Recommended for particularly long-lived signatures.

BSI & ENISA Recommendation: For the transition period, hybrid cryptography is recommended: classical algorithm (e.g. ECDH) combined with PQC algorithm (e.g. ML-KEM). This way, the connection is protected against both classical AND quantum attacks, without relying exclusively on still-young PQC implementations.
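The hybrid construction recommended above combines the ECDH and ML-KEM shared secrets into one session key, so that the key stays secret as long as either component holds. The following is an added example (not code from BSI, ENISA or AWARE7): a concatenation combiner with HKDF-SHA256 from the Python standard library, the approach taken by the IETF TLS hybrid-design draft. The two 32-byte shared secrets and the transcript are constructed stand-ins for what a real X25519 exchange and ML-KEM decapsulation would produce.

```python
import hashlib
import hmac

def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) from the standard library only: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def hybrid_session_key(classical_ss, pqc_ss, transcript):
    """Derive one session key from both shared secrets (concatenation combiner).

    Assumptions (constructed example): classical_ss is the 32-byte X25519/ECDH shared
    secret, pqc_ss the 32-byte ML-KEM shared secret, and transcript the public keys and
    ML-KEM ciphertext exchanged in the handshake. A quantum attacker who recovers
    classical_ss with Shor's algorithm still lacks pqc_ss; an undiscovered flaw in the
    young PQC implementation still leaves classical_ss unknown to a classical attacker.
    """
    if len(classical_ss) != 32 or len(pqc_ss) != 32:
        raise ValueError("shared secrets must be 32 bytes each")
    salt = hashlib.sha256(transcript).digest()   # binds the key to this handshake
    return hkdf_sha256(classical_ss + pqc_ss, salt, b"hybrid-ecdh-mlkem-example")

# Constructed stand-ins for a real handshake's outputs (not produced by X25519/ML-KEM).
ECDH_SS = bytes.fromhex("11" * 32)
MLKEM_SS = bytes.fromhex("22" * 32)
TRANSCRIPT = b"client_ecdh_pub|server_ecdh_pub|mlkem_encaps_key|mlkem_ciphertext"

def key_survives_partial_break():
    """True if losing either secret alone leaves the attacker with a different key."""
    real = hybrid_session_key(ECDH_SS, MLKEM_SS, TRANSCRIPT)
    no_pqc = hybrid_session_key(ECDH_SS, bytes(32), TRANSCRIPT)   # ML-KEM secret unknown
    no_ecdh = hybrid_session_key(bytes(32), MLKEM_SS, TRANSCRIPT)  # ECDH secret unknown
    return real != no_pqc and real != no_ecdh
```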

Impact

Which Sectors Must Migrate First?

The urgency of PQC migration depends on data protection requirements and regulatory obligations. Critical infrastructure operators, the financial sector, and government agencies face the earliest requirements.

Implementation

PQC Migration Roadmap for Organisations

Full PQC migration takes 3 to 7 years. Those who start today have sufficient time for an orderly transition. Those who wait risk regulatory pressure and short-notice, expensive emergency migrations.

  1. Phase 1 - Now - 2026: Cryptography Inventory & Risk Analysis

    • Complete cryptography inventory: where is RSA, ECC, DH in use?
    • Identification of "Harvest Now, Decrypt Later" risks (data protection requirement > 10 years)
    • Assessment of data lifetime vs. expected quantum computer availability
    • Prioritisation of systems to be migrated by risk and effort
    • Crypto-agility assessment: can systems flexibly switch algorithms?

  2. Phase 2 - By 2027: Hybrid Cryptography & Pilot Projects

    • Implementation of hybrid cryptography (classical + PQC combined)
    • Pilot projects for critical systems: TLS connections, VPN, PKI
    • Procurement of PQC-capable HSMs (Hardware Security Modules)
    • Update of cryptography policies in line with BSI TR-02102
    • Supplier audits: do critical third-party providers support PQC?

  3. Phase 3 - By 2030: Full PQC Migration

    • Complete migration of all critical systems to FIPS 203/204/205
    • PKI migration: upgrade CA hierarchy to ML-DSA/SLH-DSA
    • Disable classical algorithms (RSA, ECC) for highly sensitive data
    • Documentation and compliance evidence for regulatory authorities
    • Continuous monitoring of new quantum computer developments
"Post-quantum cryptography is not a future concern - the Harvest-Now-Decrypt-Later threat is already real. Organisations working with data that requires protection for 10 or more years must act today. We help organisations inventory their cryptography and develop a realistic migration plan."

Chris Wojzechowski

Cryptography & Security Consulting · AWARE7 GmbH

FAQ

Frequently Asked Questions on Post-Quantum Cryptography

The most important questions about PQC, NIST standards, and the quantum threat - answered with technical depth and practical guidance.

Post-Quantum Cryptography (PQC) refers to cryptographic algorithms that remain secure even against attacks by powerful quantum computers. The most widely used asymmetric schemes today - RSA, Elliptic Curve Cryptography (ECC), Diffie-Hellman (DH) - are based on mathematical problems (integer factorisation, discrete logarithm) that a sufficiently powerful quantum computer can solve efficiently using Shor's algorithm. Symmetric schemes like AES-256 and SHA-256 are barely threatened by quantum computers (Grover's algorithm effectively halves the security level, which is compensated by doubling the key length). The necessity arises from the "Harvest Now, Decrypt Later" threat: attackers are already stockpiling encrypted data to decrypt it once powerful quantum computers become available.

Based on current scientific consensus, cryptographically relevant quantum computers are expected to be dangerous to RSA-2048 between 2030 and 2035. Some estimates - including from NSA and NIST experts - place the window more broadly (2029-2040). Importantly: migration takes years, not months. Organisations must start today to be ready in time. Moreover, the "Harvest Now, Decrypt Later" risk already exists today - attackers do not need to wait until they operate a quantum computer themselves.

NIST published three final standards in August 2024: FIPS 203 (ML-KEM, based on CRYSTALS-Kyber): key exchange, replaces RSA/ECDH. FIPS 204 (ML-DSA, based on CRYSTALS-Dilithium): digital signatures, replaces ECDSA/RSA-PSS. FIPS 205 (SLH-DSA, based on SPHINCS+): hash-based digital signatures as a backup option. A fourth standard for FALCON-based signatures (FIPS 206) is in final preparation. The algorithms were selected through a more than 7-year public competition and extensively cryptanalysed.

"Harvest Now, Decrypt Later" (HNDL) describes the attack strategy of collecting and storing encrypted data today, to decrypt it at a later point in time - when quantum computers become available. Concretely affected: state intelligence agencies intercepting encrypted diplomatic communications today, cybercriminals collecting encrypted financial transactions or health data, industrial espionage archiving encrypted trade secrets. Particularly affected are data with long protection requirements: state secrets (50+ years), patient data (30 years), financial data (7-20 years), trade secrets (10-20 years).

Yes, symmetric cryptography is significantly more robust against quantum attacks. Grover's algorithm can halve the effective key length of symmetric schemes - AES-256 would still offer 128-bit security, which is considered adequately secure by current assessment. AES-128, however, would be reduced to 64-bit security, which would no longer be sufficient. SHA-256 remains at 128-bit collision security. BSI TR-02102 recommends: use AES-256 (not AES-128), use SHA-256 or better SHA-384. The urgent migration concerns only asymmetric schemes: RSA, ECDSA, ECDH, DH.

The BSI regularly updates TR-02102 (Cryptographic Mechanisms: Recommendations and Key Lengths). Current recommendations: migration to quantum-safe algorithms for KRITIS systems should be completed by 2027, hybrid schemes (classical + PQC) are recommended during the transition period, and CRYSTALS-Kyber (ML-KEM), CRYSTALS-Dilithium (ML-DSA), and FALCON are assessed as suitable. BSI TR-02102-1 already recommends hybrid cryptography for newly developed systems. For KRITIS operators, TR-02102 is binding - deviations must be justified and documented on a risk basis.

Crypto-agility refers to the ability of a system to exchange cryptographic algorithms flexibly without having to redevelop the entire system. Systems with embedded, hard-coded cryptographic algorithms (e.g. RSA baked directly into firmware) are extremely difficult to migrate. NIS-2 explicitly requires crypto-agility as part of its cryptography requirements (Art. 21 para. 2 lit. h). In concrete terms: cryptographic algorithms should be implemented as configurable parameters, not fixed code. Algorithm updates should be possible through a configuration change or software update.

Several regulatory frameworks address PQC: BSI TR-02102: binding for KRITIS, migration target 2027 for critical systems. EU Recommendation on PQC (April 2024): migration by 2030, hybrid cryptography as transition solution. NIS-2 Art. 21 para. 2 lit. h: cryptographic agility and alignment with BSI/ENISA recommendations. DORA: "quantum risks" explicitly mentioned in guidance documents; the financial sector must include quantum risks in ICT risk management. ENISA PQC Roadmap: technical recommendations for European organisations. For many sectors there is not yet an explicit PQC obligation, but the regulatory direction is clear.

A cryptography inventory (Crypto Discovery) comprises: (1) Automated scan of IT infrastructure for cryptographic algorithms in use (TLS certificates, SSH keys, code-signing certificates, VPN configurations, database connections). (2) Manual analysis: software code review (which cryptographic libraries are used?), HSM inventory, PKI hierarchy analysis. (3) Risk classification: which systems process data with long protection requirements? (4) Dependency mapping: which external partners, suppliers, and APIs still use classical cryptography? AWARE7 conducts cryptography inventories as part of penetration tests and ISMS projects.

PQC migration is a multi-year programme, not a one-time activity. Typical costs and timeframes: cryptography inventory: EUR 15,000-60,000 (depending on infrastructure complexity); hybrid pilot projects: EUR 30,000-100,000; full PKI migration: EUR 100,000-500,000 for large organisations; total timeframe: 3-7 years for complete migration. The biggest cost drivers are: legacy systems without update capability (requiring replacement), hardware HSMs without PQC support, and certificates with long remaining validity. Early action is considerably less costly than short-notice emergency migration under regulatory pressure.
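Step (1) of the Crypto Discovery above, and the Phase 1 inventory question "where is RSA, ECC, DH in use?", come down to parsing key material and recording its algorithm and size. As an added example (not AWARE7's tooling), this standard-library Python decodes OpenSSH public-key lines from authorized_keys or known_hosts files, extracts the key type and bit size from the wire format, and tags each with the hard problem Shor's algorithm breaks; the two sample lines and the key types they carry are constructed, not real keys.

```python
import base64
import struct

# Hypothetical classifier (added example, not AWARE7 tooling): the hard problem each
# OpenSSH public-key type rests on. Shor's algorithm solves every one of them.
ECDLP = "elliptic-curve discrete logarithm"
SHOR_BREAKS = {"ssh-rsa": "integer factorisation", "ssh-ed25519": ECDLP,
               **{f"ecdsa-sha2-nistp{b}": ECDLP for b in (256, 384, 521)}}

def _string(blob, off):
    """Read one SSH wire-format string (4-byte big-endian length prefix) at `off`."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_ssh_public_key(line):
    """Classify one authorized_keys or known_hosts line as (key type, bits, problem)."""
    fields = line.split()
    idx = next((i for i, f in enumerate(fields) if f in SHOR_BREAKS), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no recognised key type on line; flag for manual review")
    key_type, blob = fields[idx], base64.b64decode(fields[idx + 1])
    wire_type, off = _string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("declared key type does not match the encoded blob")
    if key_type == "ssh-rsa":
        _e, off = _string(blob, off)             # public exponent (mpint), not needed
        n, _ = _string(blob, off)                # modulus (mpint, may carry a 0x00 pad)
        bits = int.from_bytes(n, "big").bit_length()
    elif key_type.startswith("ecdsa-sha2-nistp"):
        bits = int(key_type[len("ecdsa-sha2-nistp"):])
    else:
        bits = 256                               # ssh-ed25519
    return key_type, bits, SHOR_BREAKS[key_type]

def _mpint(x):
    """SSH mpint encoding: big-endian bytes, 0x00 pad byte when the top bit is set."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return b"\x00" + b if b[0] & 0x80 else b

def _encode(key_type, *parts):
    """Build an OpenSSH public-key line from wire-format parts (constructed samples only)."""
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (key_type.encode(), *parts))
    return key_type + " " + base64.b64encode(blob).decode()

# Constructed sample lines (NOT real keys): a 2048-bit RSA pattern, an all-zero Ed25519 point.
SAMPLE_LINES = [
    _encode("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 0xC5)) + " legacy@build-host",
    "bastion.example " + _encode("ssh-ed25519", bytes(32)),
]
```

Running `parse_ssh_public_key` over every line of a collected authorized_keys and known_hosts set gives the per-host algorithm list that the inventory needs; every type it recognises is one that must eventually be replaced or paired with a PQC mechanism.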

Schedule a Cryptography Audit

In a free 30-minute conversation, we analyse your current cryptography situation, identify the most urgent migration priorities, and outline a realistic path to post-quantum readiness - with a concrete next step.

Free · 30 minutes · No obligation