1. Executive Summary
The core problem: Nation-state actors are intercepting and storing encrypted data today, waiting for quantum computers to break RSA and ECC encryption. When that happens — estimated between 2029 and 2035 — every secret, password, API key, and private communication encrypted with classical algorithms will be exposed retroactively.
This is not a theoretical risk. Intelligence agencies have publicly acknowledged harvest-now-decrypt-later (HNDL) programs. The data you encrypt today has a shelf life — and for many organizations, that shelf life is shorter than they think.
NIST finalized three post-quantum cryptographic standards in 2024 (FIPS 203, 204, 205). The EU published its Post-Quantum Cryptography Roadmap in June 2025, setting a 2030 deadline for critical infrastructure migration. The window to act is now.
This whitepaper explains the threat, the standards, the regulatory landscape, and provides a practical migration path using QuantumAPI — the European platform for quantum-safe identity, secrets, and encryption.
2. The Quantum Threat to Encrypted Data
Modern encryption relies on two mathematical problems that classical computers cannot solve efficiently:
- RSA / Diffie-Hellman: Integer factorization and discrete logarithm
- ECC (Elliptic Curve): Elliptic curve discrete logarithm
In 1994, mathematician Peter Shor published an algorithm that, running on a sufficiently powerful quantum computer, solves both problems in polynomial time. This means:
Broken by Quantum
- RSA-2048, RSA-4096
- ECDSA, ECDH (P-256, P-384)
- Diffie-Hellman key exchange
- DSA digital signatures
- EdDSA (Ed25519, Ed448)
Quantum-Resistant
- ML-KEM (CRYSTALS-Kyber) — FIPS 203
- ML-DSA (CRYSTALS-Dilithium) — FIPS 204
- SLH-DSA (SPHINCS+) — FIPS 205
- AES-256-GCM (symmetric, already safe)
- SHA-3, SHA-256 (hash functions)
Symmetric algorithms like AES-256 are not directly threatened by quantum computers. Grover’s algorithm reduces AES-256 to the equivalent security of AES-128, which remains computationally infeasible. The real vulnerability lies in asymmetric cryptography — the key exchange, digital signatures, and public-key encryption that protect virtually every internet connection and stored secret.
3. Timeline: When Will Quantum Computers Break RSA?
The honest answer: nobody knows exactly. But the estimates are converging:
| Source | Estimate | Year |
|---|---|---|
| Global Risk Institute | Significant chance of RSA-2048 break | 2029-2035 |
| BSI (German Federal Office) | Recommends PQC migration by | 2030 |
| ENISA / EU Roadmap | Critical infrastructure deadline | 2030 |
| NSA / CNSA 2.0 | National security systems must use PQC | 2035 |
| IBM Quantum Roadmap | 100,000+ qubit systems | 2033 |
The critical insight is not the exact year — it’s the data lifespan. If your data needs to remain confidential for 10 years, and quantum computers might break RSA in 5-9 years, then your data is already at risk today.
Data Lifespan Examples
- Customer PII: Must remain confidential as long as the person is alive (50+ years)
- Medical records: Legally protected for 30+ years in most EU jurisdictions
- Trade secrets: Competitive advantage lost permanently upon exposure
- Encryption keys: Compromise of a root key exposes everything ever encrypted with it
- API secrets & credentials: Even if rotated, exposed secrets reveal historical access patterns
4. Harvest Now, Decrypt Later: The Attack Model
The Harvest Now, Decrypt Later (HNDL) attack is deceptively simple:
- Intercept — Capture encrypted traffic and data at rest (via network taps, compromised infrastructure, insider access, or supply chain attacks)
- Store — Archive the encrypted data. Storage is cheap — a petabyte costs under $20,000/year
- Wait — Continue collecting until quantum computers are available
- Decrypt — Run Shor’s algorithm to recover the private keys, then decrypt everything retroactively
This is not speculative. In 2023, the European Parliament’s ITRE Committee acknowledged HNDL as an active threat. The Five Eyes intelligence alliance has explicitly cited this attack model in guidance documents.
The economic calculus is overwhelmingly in favor of the attacker: the cost of storage drops every year, while the value of the data remains constant or increases. There is zero downside to hoarding encrypted data if you believe quantum decryption will eventually be possible.
5. What TLS 1.3 Does Not Protect
A common response we hear: “TLS 1.3 already supports post-quantum key exchange (X25519Kyber768). Problem solved, right?”
Wrong. TLS only protects data in transit — the moment between sending and receiving. Once your data arrives, TLS has done its job and the protection ends. Consider what happens next:
TLS is necessary but not sufficient. Your secrets vault, key management system, and identity platform must independently use post-quantum algorithms to protect data at rest and key material.
6. NIST Post-Quantum Standards
In August 2024, NIST published three post-quantum cryptographic standards after an 8-year evaluation process involving submissions from researchers worldwide:
ML-KEM
Key Encapsulation Mechanism based on Module Lattices (formerly CRYSTALS-Kyber). Used for key exchange and encryption.
ML-KEM-512 — NIST Level 1
ML-KEM-768 — NIST Level 3 (default)
ML-KEM-1024 — NIST Level 5
ML-DSA
Digital Signature Algorithm based on Module Lattices (formerly CRYSTALS-Dilithium). Used for digital signatures and authentication.
ML-DSA-44 — NIST Level 2
ML-DSA-65 — NIST Level 3 (default)
ML-DSA-87 — NIST Level 5
SLH-DSA
Stateless Hash-Based Digital Signature Algorithm (formerly SPHINCS+). Alternative signature scheme based on hash functions.
SLH-DSA-128s — Small signatures
SLH-DSA-128f — Fast signing
Higher parameter sets available
QuantumAPI implements all three standards via BouncyCastle Cryptography, with ML-KEM-768 as the default key encapsulation mechanism and ML-DSA-65 as the default digital signature algorithm. Data encryption uses AES-256-GCM (symmetric, already quantum-resistant) with keys encapsulated via ML-KEM.
7. EU Regulatory Landscape
The European Union has taken an aggressive stance on post-quantum migration:
EU PQC Roadmap (June 2025)
Published by ENISA and the European Commission. Sets a clear timeline: critical infrastructure must migrate to post-quantum cryptography by 2030. All EU member states are expected to adopt national transition plans.
NIS2 Directive
Requires “state-of-the-art” security measures for essential and important entities. As PQC standards become adopted, organizations using only classical encryption may fall below the “state-of-the-art” threshold, creating compliance risk.
DORA (Digital Operational Resilience Act)
Applies to financial institutions. Mandates ICT risk management including encryption standards. Financial regulators will increasingly expect quantum-resistant protection for sensitive financial data.
eIDAS 2.0
The EU Digital Identity Wallet framework. Cryptographic agility is a design requirement, meaning wallet implementations must be capable of transitioning to PQC algorithms.
Organizations that begin migration now will have a significant compliance advantage. Those that wait until regulations mandate PQC will face rushed, expensive migrations under regulatory pressure.
8. QuantumAPI: Architecture for Quantum-Safe Protection
QuantumAPI is the European platform that provides quantum-safe protection across three layers:
QuantumID
Quantum-safe IAM platform. Drop-in replacement for Auth0 and Okta.
- OIDC/OAuth2 with PQC token signatures
- SSO federation (Entra ID, Okta, SAML)
- MFA with passkeys and TOTP
- Unlimited users, no per-seat pricing
QuantumVault
Quantum-safe secrets and key management. Replaces 1Password and HashiCorp Vault.
- Envelope encryption: ML-KEM-768 + AES-256-GCM
- QRNG entropy for nonce generation
- Automatic key rotation policies
- Breach monitoring and security scoring
QuantumKeys
Encryption-as-a-Service REST API for any application.
- Encrypt, decrypt, sign, verify via API
- ML-KEM and ML-DSA algorithms
- Sub-2ms P99 latency
- SDKs for TypeScript, Python, .NET, Rust
Encryption Architecture
QuantumAPI uses a two-layer envelope encryption model:
- Data Encryption Key (DEK): Each secret is encrypted with a unique AES-256-GCM key using a QRNG-generated nonce
- Key Encryption Key (KEK): The DEK is encapsulated using ML-KEM-768, producing a quantum-safe ciphertext that wraps the symmetric key
This means: even if an attacker obtains the encrypted data and the wrapped DEK, they cannot recover the plaintext without breaking ML-KEM — which is designed to resist quantum attacks at NIST Security Level 3.
Quantum Random Number Generation (QRNG)
Cryptographic security depends on the quality of randomness. Classical pseudo-random number generators (PRNGs) are deterministic — given enough output, the internal state can theoretically be reconstructed.
QuantumAPI uses real quantum random numbers generated by Quantum Blockchains quantum hardware located in Poland (EU). This provides true entropy derived from quantum mechanical phenomena, ensuring nonces and key material are genuinely unpredictable.
EU Sovereignty
All QuantumAPI infrastructure runs on Scaleway (French cloud provider) in EU data centers. No data is processed or stored outside the European Union. There are no dependencies on US cloud providers (AWS, Azure, GCP) for any customer data processing.
9. Practical Migration Guide
Migrating to post-quantum cryptography does not require replacing your entire stack overnight. Here is a pragmatic, phased approach:
Audit Your Cryptographic Inventory
Identify every place you use RSA, ECC, or Diffie-Hellman: TLS certificates, JWT signing, database encryption, API authentication, key storage. Map which data has the longest confidentiality requirements.
Prioritize by Risk
Start with data that has the longest lifespan and highest sensitivity: secrets vaults, encryption keys, PII databases, medical records, financial data. These are the most valuable HNDL targets.
Migrate Secrets and Keys First
Move your secrets to QuantumVault and your key management to QuantumKeys. This provides immediate quantum-safe protection for your most sensitive data with minimal application changes — just swap your vault API endpoint.
Migrate Identity
Replace Auth0, Okta, or Keycloak with QuantumID. Federation means you can migrate incrementally — connect QuantumID as an OIDC provider alongside your existing IAM and migrate users progressively.
Integrate Encryption-as-a-Service
For custom encryption needs, use the QuantumKeys API. A single API call replaces hundreds of lines of cryptography code. SDKs available for TypeScript, Python, .NET, and Rust.
10. Conclusion & Call to Action
The harvest-now-decrypt-later threat is real, active, and growing. Every day that passes, more encrypted data is being collected by adversaries who are patient enough to wait for quantum decryption.
The good news: the solution exists today. NIST standards are finalized. EU regulations are clear. And QuantumAPI provides a complete, European platform to migrate your identity, secrets, and encryption to post-quantum cryptography — without rebuilding your stack.
Start Your Migration Today
Free tier includes 500 API calls/month, unlimited users, and full access to QuantumVault and QuantumID. No credit card required.
About QuantumAPI
QuantumAPI is the European platform for quantum-safe identity, secrets, and encryption. Built by Kovimatic Limited (Ireland), hosted on Scaleway (France/Netherlands). 100% EU-sovereign with no US cloud dependencies.
For technical questions or enterprise inquiries: it@kovimatic.ie