CSAIChaptersEventsBlog
Join CSA, RSAC, and UNLV for a one-day summit in Las Vegas exploring how AI is reshaping enterprise cybersecurity →
Publication Tag

A Practitioner’s Guide to Post-Quantum Cryptography

Released: 11/10/2025

Quantum-safe Security

A Practitioner’s Guide to Post-Quantum Cryptography
Cryptographically relevant quantum computers are projected to emerge as early as the 2030s. Traditional cryptographic systems like RSA, Diffie-Hellman, and elliptic curve algorithms face obsolescence. This guide from the CSA Quantum-Safe Security Working Group provides a practical roadmap for organizations seeking to assess, plan, and mitigate quantum computing risks.

Building on prior CSA research, these actionable steps are tailored for enterprises that may lack in-house cryptographic expertise. The document explains how to identify vulnerable cryptographic components, assess “store now, decrypt later” threats, and map out mitigation strategies for encryption in transit and at rest.

Readers will gain insights into emerging post-quantum standards (such as NIST FIPS-203, -204, and -205), hybrid key exchange protocols, and experimental post-quantum cryptography (PQC) modules. 

Prepare your organization for a post-quantum future while maintaining backward compatibility and resilience during the transition.

Key Takeaways:
  • Quantum computing’s impact on today’s cryptographic systems
  • How to assess and prioritize data at risk from quantum attacks
  • Mitigation options and PQC implementation strategies
  • Cloud Controls Matrix principles that apply to quantum-safe governance

Download this Resource


Best For IconBest For:
  • CISOs and Security Architects
  • IT Risk and Compliance Managers
  • Enterprise Architects
  • Cryptography and Data Protection Specialists
  • Cloud Security Professionals

Overview

The Threat

With the publication of Shor’s and Grover’s quantum algorithms in the mid-1990s, modern cryptography has been threatened. The 2019 US National Academy of Sciences report, “Quantum Computing: Progress and Prospects,” provides an in-depth discussion on this topic. The threat stems from the vast amount of parallel computing power that quantum computers possess, earning them the name Cryptographically Relevant Quantum Computers (CRQCs).

While functional CRQCs remain theoretical, research laboratories and, more recently, companies have demonstrated limited-scale prototypes. Some industry projections suggest that operational CRQCs might emerge by the early 2030s and pose a risk to data that has long-term value. The threat comes from the Store Now, Decrypt Later (SNDL) attacks12, also called Harvest Now, Decrypt Later (HNDL) attacks. “Later” means when CRQCs come —the so-called Q-Day—and “long-term value” is assessed against the Q-Day.

Solutions

The threat is real, and the risk is high. The US National Institute of Standards and Technology (NIST) has made a nine-year (and ongoing) effort to seek solutions and, in 2024, published three post-quantum cryptographic (PQC) standards: FIPS-203 (ML-KEM for key encapsulation), FIPS-204 (ML-DSA for digital signatures), and FIPS-205 (SLH-DSA for stateless hash-based signatures). However, it takes time for technology producers and cloud providers to implement and deploy PQC solutions incorporating the US NIST standards. Mitigation to PQC solutions for enterprises is not effortless and can be costly. Most critically, SNDL is unlike most other attacks, and the factor of time greatly determines its threat and therefore affects risk assessment, which must be the first step of all security activities.

Guidance Outline

The CSA Quantum-Safe Security Governance with the Cloud Controls Matrix white paper3 published in 2024, advises enterprises to assess their risk immediately and periodically thereafter before mitigation is determined, planned, and implemented. The white paper advises systematic steps that follow the selected controls from the CSA Cloud Controls Matrix4 (CCM). The working group’s 2021 white paper, CSA Practical Preparations for the Post-Quantum World,5 advises on a broader range of topics.

This white paper extends the previous one with technical details and practical examples. It is a guide to enterprises that typically lack PQC expertise, not a guide to technology producers and cloud providers who are staffed with cryptographic expertise, including PQC expertise.

The following diagram illustrates how a typical enterprise may proceed through the CSA controls. This guide assumes the enterprise has an established risk management program as required by CSA CCM GRC-024 and has classified its data assets. This guide starts with risk assessment before going into mitigation planning.

Figure 1: Enterprise PQC Migration Workflow Using CSA Controls

Risk Assessment

The outcome of the risk assessment should include a list of at-risk data assets and their risk levels. The risk levels are proportional to the business losses due to compromise and the likelihood of compromise. Despite “decrypt” in the name, SNDL attacks compromise not only data confidentiality but also data integrity. The compromise likelihood depends on how vulnerable the existing data protection functions are.

Unlike other attacks, SNDL exploitation may start today but will not be complete until the appearance of CRQCs. Due to the factor of time, some experts emphasize agility, while others recommend Mosca’s Theorem6. The agility proponents emphasize action, whereas Mosca’s Theorem guides risk assessment using three time factors. This guide advises using only one time factor to assess risk, which is whether the data retains its value when Q-Day comes. If a data asset has no value by then, it is not at risk. If an operational secret is changed sufficiently frequently, it is not at risk. The projection that CRQCs may be available by the turn of this decade (less than 5 years from the time of this writing) is the assessment of some experts. And one needs to monitor threat reports to adjust the assessment periodically.

Another reason that an enterprise needs to assess its risk carefully is that most PQC replacement components are not readily available at this point, so the cost of mitigation against the risk needs to be considered.

Identifying Data Assets at Risk

Security-sensitive data includes business data, such as trade secrets and financial data, and operational data, such as passwords and X.509 certificates.

Maintaining an up-to-date inventory of business data assets is essential. The inventory records should include the name or identification of the assets and their values by Q-Day. An asset’s value is determined by the business impact if its confidentiality or integrity is compromised. SNDL attacks do not impact data availability. Ideally, an enterprise has a data asset management system to assist this process.

Operational data is often tracked in a configuration management database (CMDB), which can facilitate identifying sensitive operational data, such as certificates and keys. X.509 certificates with expiration dates beyond the turn of the decade are the most common operational data with long-term value.

For enterprises that are subjected to industrial or government regulations, industry or sector-specific data identification and risk assessment guidelines should be followed if they exist. For example, the federal departments of the US should follow the US Quantum Computing Cybersecurity Preparedness Act7 8 9.

Identifying Vulnerable Data Protection Functions

Vulnerable Cryptographic Algorithms

Essentially all currently used public key encryption algorithms, including Rivest, Shamir, and Adleman (RSA), Diffie-Hellman (DH), and Elliptic Curve (EC), are vulnerable to CRQC attacks. Hash and symmetric key encryption algorithms, including the most used secure hash algorithm (SHA) and advanced encryption system (AES), are weakened by Grover’s algorithm-based quantum attacks but are not vulnerable. Increasing the digest sizes and the key lengths is recommended.

Vulnerable Security Functions

Cryptographic components enable three types of data protection functions that enterprises typically use: data at rest, data in transit, and non-repudiation.

Data at rest is encrypted with symmetric encryption keys. However, such keys are typically stored in key management systems (KMSs), which are ultimately protected by public-key encryption. Quantum risks to data at rest are around the public key algorithms of the KMS.

Data in transit is encrypted with symmetric encryption keys, which are called session keys. Session keys, however, are established by key exchange procedures using public key algorithms. Quantum risks to data in transit are around the public key algorithms used in the key exchange procedures.

Non-repudiation is used in many business and trade scenarios, including real estate document signing, smart contracts, and cryptocurrencies. In these applications, the digests or hashes of the documents, contracts, and transaction records are first generated. The signing parties then use their public keys (often part of their certificates) to sign the digests. The digests are used to validate the integrity of the documents when needed in the future. Quantum risks are around the public key signing algorithms of the certificates.

Mitigation Planning

Mapping out Vulnerable Technology Components

Encryption at Rest

Data at rest is typically protected by symmetric encryption. However, encryption keys are stored in key management systems (KMSs) or hardware security modules (HSMs) and are ultimately protected by public key encryption using providers’ certificates. Mitigation requires the providers’ certificates to be quantum-safe and the KMS and HSMs to use PQC algorithms.

Encryption in Transit Protocols

The most used end-to-end encryption protocols are Transport Layer Security (TLS) and Secure Shell (SSH). The key exchange function is part of both protocols. The most commonly used network-to-network encryption is a virtual private network (VPN) using IP security (IPsec) protocols. The key exchange function is performed using the Internet Key Exchange (IKE) protocol.

An interim solution to address their vulnerability is the so-called hybrid mode key exchange (e.g., TLS 1.3 hybrid key exchange combining X25519 with Kyber ML-KEM), in which the vulnerable key exchange is encapsulated by the encryption with a key exchanged by a PQC public key algorithm using the FIPS-203 key encapsulation mechanism (KEM) standard.

Non-Repudiation

Non-repudiation can be regarded as authentication with long-term values. The critical components are the public key algorithms used by the signing certificates.

Security and cryptographic components in focus

Security Functions Applications Security Components in Focus Cryptographic Components
Encryption in transit Web browsers and servers, most cloud applications TLS (HTTPS) Authentication X.509 certificate Key exchange RSA Diffie-Hellman Elliptic curve Integrity validation SHA256
  Access remote computers and transfer files SSH Authentication Certificate Public key Password Key exchange algorithm RSA Diffie-Hellman Elliptic curve Integrity validation SHA256
  Virtual private network (VPN) key exchange IKE Authentication X.509 certificate Shared secret Key exchange algorithm RSA Diffie-Hellman Elliptic curve Integrity validation SHA256
Encryption at rest Data storage Key management system (KMS) Key encryption RSA Diffie-Hellman Elliptic curve
Non- repudiation Contract signing   Authentication X.509 certificate Integrity validation SHA256

Identifying Technology Components for Mitigation

Most PQC modules and components are in the experimental stage and have not made it into mainstream products, such as web browsers and servers. Even interim solutions enabled by FIPS 204 or hybrid mode for encryption in transit protocols are not supported by out-of-the-box mainstream products. For example, OpenSSH version 10 may have its cryptographic library replaced to support PQC out of the box, but for version 9 or below, one needs to compile and build with PQC module replacement oneself. Having to compile, build, and maintain these technology components, mitigation can be costly. One needs to consider the costs against the risks when deciding and planning on mitigation. Below is an incomplete list of PQC modules that may be used to replace many products’ existing cryptographic components.

PQC Modules Supported Cryptographic Libraries & SDK Supported Products
Open Quantum Safe (liboqs)10 OpenSSL Curl, OpenSSH
    IBM Key Protect (TLS)
  BoringSSL Chrome, Android, Google KMS
  NSS Firefox
PQ Code Package AWS-LC AWS TLS clients and servers, KMS
CIRCL Cloudflare Interoperable Reusable Cryptographic Library (CIRCL) Cloudflare WARP client, Secure Web Gateway, Cloudflare Tunnel
SafeLogic CryptoComply PQ TLS OpenSSL Apache, Nginx
PQ3 CryptoKit Apple iMessage
DigiCert NanoCrypto TrustCore SDK DocuSign certificates

Conclusion

Although several PQC algorithms have now been standardized and implemented in some cryptographic libraries, their adoption in enterprise applications remains sporadic. Transitioning to PQC solutions requires significant effort and can be costly. Therefore, an enterprise should assess its own risk and determine whether its data is vulnerable and whether the cost of mitigation is justified.

This guide helps enterprise audiences evaluate their risk. The threat that cryptographically relevant quantum computers (CRQCs) pose depends largely on time. If data has no value beyond the arrival of Q-Day, it is not at risk. If data is at risk, this guide recommends following the controls defined by the CSA Cloud Controls Matrix (CCM) or managing supply chain practices to mitigate the risk.

An enterprise needs to periodically assess its risk because data is continually added, deleted, and updated. In addition, an enterprise needs to monitor the availability of relevant technologies. The Quantum-Safe Security Working Group of the CSA, along with its published literature, provides a good starting point for tracking technology developments.

  1. 2021 Quantum Threat Timeline Report: Global Risk Institute - Global Risk Institute, globalriskinstitute.org/publication/2021-quantum-threat-timeline-report-global-risk-institute-global-risk-institute/ 

  2. NIST SP1800-38B Migration to Post-Quantum Cryptography Quantum Readiness: Risk Assessment, www.nccoe.nist.gov/sites/default/files/2023-12/pqc-migration-nist-sp-1800-38b-preliminary-draft.pdf 

  3. CSA Quantum-Safe Security Governance with the Cloud Controls Matrix, cloudsecurityalliance.org/artifacts/quantum-safe-security-governance-with-the-cloud-controls-matrix 

  4. CSA Cloud Control Matrix, cloudsecurityalliance.org/research/cloud-controls-matrix 

  5. CSA Practical Preparations for the Post-Quantum World, cloudsecurityalliance.org/artifacts/practical-preparations-for-the-post-quantum-world/ 

  6. Michele Mosca, “Cybersecurity in a Quantum World: will we be ready?” CryptoWorks21, 2015 

  7. HR7535 - Quantum Computing Cybersecurity Preparedness Act, www.congress.gov/bill/117th-congress/house-bill/7535/text 

  8. US Executive Order 14144 of January 16, 2025, https://public-inspection.federalregister.gov/2025-01470.pdf 

  9. Amendment to US Executive Order 14144, June 2025, www.whitehouse.gov/presidential-actions/2025/06/sustaining-select-efforts-to-strengthen-the-nations-cybersecurity-and-amending-executive-order-13694-and-executive-order-14144/ 

  10. Open Quantum Safe, openquantumsafe.org 

Unlock the full resource by signing in:

Explore More of CSA

Research & Best Practices

Stay informed about the latest best practices, reports, and solutions in cloud security with CSA research.

Upcoming Events & Conferences

Stay connected with the cloud security community by attending local events, workshops, and global CSA conferences. Engage with industry leaders, gain new insights, and build valuable professional relationships—both virtually and in person.

Training & Certificates

Join the countless professionals who have selected CSA for their training and certification needs.

Industry News

Stay informed with the latest in cloud security news - visit our blog to keep your competitive edge sharp.