Understanding PQC Standards and Timelines

In 1994, Peter Shor introduced an algorithm that fundamentally changed the cybersecurity landscape. It revealed that a sufficiently powerful quantum computer could break widely used encryption systems like Rivest–Shamir–Adleman (RSA) and Elliptical Curve Cryptography (ECC)—cornerstones of today’s digital security used to ensure confidentiality and integrity. 

While cryptanalytically relevant quantum computers (CRQCs) don't yet exist, their arrival will compromise much of today’s cryptography and the security of digital systems. For Chief Information Security Officers (CISOs), the pressing question is no longer if to prepare, but when, how, and how much investment is required.

Quantum threats have moved beyond theory through the tactic known as “harvest now, decrypt later.” Attackers today collect encrypted data and store it, planning to decrypt once quantum computing capabilities mature. This poses a serious risk to sensitive information with long confidentiality requirements—such as personal records, intellectual property, critical infrastructure controls, and long-lived credentials. 

Data encrypted today could be compromised years from now. Moreover, recent disclosures from Google’s Quantum AI team and other researchers suggest that the timeline toward “Q-Day”—the uncertain future date when quantum computers will break classical encryption—may be accelerating. Unlike fixed deadlines like Y2K, Q-Day remains unknown, making active preparation both critical and challenging.

While preparing for a quantum-safe future is critical, it’s far from a straightforward process. The transition to post-quantum cryptography (PQC) involves significant, practical challenges that organizations must overcome to remain secure.

Although the goal is to implement end-to-end PQC before Q-Day, this remains complicated to achieve today. Many legacy systems lack support for quantum-safe algorithms and are difficult or not even possible to upgrade or patch. Plus, not all third-party services that you depend on may be PQC-ready. Additionally, resource-constrained devices, such as IoT and embedded systems, pose a unique challenge, as they are often hardcoded or lack the processing power needed to support PQC.

Realistically, achieving full-stack PQC deployment is impractical in the near term. Instead, organizations need a layered transitional strategy that prioritizes high-risk exposures and long-lived data.

To provide organizations with a roadmap for defending against quantum threats, standards bodies, led by the U.S. National Institute of Standards and Technology (NIST), have been laying the groundwork for post-quantum cryptographic systems. Understanding these standards and associated timelines is essential for planning your transition.

NIST has finalized these key PQC algorithms:

• Module-Lattice-Based Key-Encapsulation Mechanism (FIPS 203: Key Exchange)
• Module-Lattice-Based Digital Signature (FIPS 204: Digital Signatures)
• Stateless Hash-Based Digital Signature (FIPS 205: Fallback Signatures)
• Hamming Quasi-Cyclic (not yet standardized but slated for 2027)

Critical timelines include:

• Today: Early adoption of quantum-safe algorithms is both possible and advised
• By 2030: U.S. federal agencies must migrate to PQC
• By 2035: National security systems must be fully quantum-resistant

With the quantum timeline uncertain, CISOs must move from reactive planning to proactive protection. Understanding the urgency of PQC adoption begins with effective threat modeling to identify where and when to act.

Organizations can better understand their urgency by considering two factors outlined in Mosca’s Theorem: how long data needs to remain secure and how long it will take to switch to quantum-safe encryption. Simply put, if the time your data must stay protected plus the time needed to update your systems exceeds the time left before quantum computers arrive, it’s time to act now to safeguard your data.

A PQC-focused threat model sharpens prioritization and planning.

Taking action in the near term is critical to protect your organization’s most vulnerable assets. As CISOs begin to develop their roadmap, they should prioritize these steps over the next two years:

Inventory your cryptographic footprint. Identify where vulnerable algorithms and long-lived assets exist across your environment, including third-party systems.

Deploy edge platforms with PQC capabilities. Adopt solutions to terminate quantum-safe TLS connections at the perimeter without backend rewrites.

Engage vendors on quantum readiness. Integrate PQC requirements into procurement and vendor risk management processes.

Focus on long-term confidentiality. Prioritize PQC protection of backups, certificates, signed artifacts, and sensitive data critical for prolonged confidentiality.

Building a secure quantum-safe infrastructure will take time, especially for legacy systems and long-lived data sets. As organizations implement immediate measures, they must also plan for long-term actions to protect themselves over the next decade:

Extend PQC end-to-end. Gradually implement quantum-resistant algorithms within clients, applications, networks, and storage systems.

Plan for legacy system sunset. Identify systems incapable of supporting PQC or cryptographic agility and develop replacement or phase-out plans.

Adopt hybrid certificates and crypto-aware PKI. Manage dual-signature certificates, enable PQC key rotation, and expand trust anchors for quantum-safe roots.

Elevate cryptographic governance. Treat cryptography as an ongoing board-level risk requiring regular review, testing, and resource allocation.

Adapting to meet quantum-safe standards can be daunting. Given the complexity of modifying backend applications or infrastructure, many organizations will leverage application delivery controllers, such as TLS proxies, to accelerate PQC adoption. 

These platforms terminate quantum-safe TLS connections at the network perimeter and internally route traffic over legacy protocols without immediate retooling. They also facilitate centralized cryptographic policy enforcement and agility and enable deployment of hybrid classical and PQC algorithms for a smooth transition. Industry-leading solutions supporting this approach include the F5 Application Delivery and Security Platform (ADSP).

However, it is vital to acknowledge that some devices—notably IoT or low-powered embedded systems—are often incapable of upgrading cryptographic algorithms due to hardware or firmware constraints. These environments require alternative risk mitigations or replacement planning.

The shift to quantum-resistant security is no longer optional—it’s a strategic necessity. While the exact timing of Q-Day remains unknown, advances in quantum computing demand action today to safeguard your future. 

The journey begins with practical steps: Assess risks, prioritize long-lived data, and deploy PQC-ready solutions like F5 ADSP. These tools offer a scalable way to begin building quantum resilience now, even as backend and device upgrades take more time.

Post-quantum cryptography is here. Acting today ensures your encryption protects your data for years to come. Start preparing for a quantum-safe future—one step at a time.

Stay tuned for the next blog post in our series where we’ll evaluate the impact of PQC on apps and infrastructure—and discuss F5’s role in the post-quantum transition.

Also, be sure to check out our previous blog posts in the series:

Weighing in on the Post-Quantum Cryptography Hype

Setting the Stage: Why Does PQC Matter?