Skip to content
English

Post-quantum: prepare today for tomorrow's encryption

There is an uncomfortable truth that few technology committees in LATAM dare to put on the table: most of the encryption protecting your organization today has an expiration date, and that date is not yours to decide. It is decided by the advance of quantum computing. The most unsettling part is that the clock has already started, even though the machine capable of breaking your encryption does not yet exist. Those who understand this in time act not out of fear, but out of strategy. And the time to start is now.

In short: A sufficiently powerful quantum computer could break much of the asymmetric cryptography that underpins the Internet, digital signatures and secure communications. Although that machine has not yet arrived, the encrypted data you transmit today can be captured now and decrypted tomorrow. The good news: post-quantum cryptography standards are already published, and there is a clear path to migrate in an orderly way.

Why quantum computing threatens today's encryption

The security of much of modern systems rests on mathematical problems that classical computers cannot solve in a reasonable time: factoring enormous numbers (the basis of RSA) or computing discrete logarithms over elliptic curves (the basis of ECC). It is not that they are impossible; it is that they would take thousands of years with current technology.

The problem is that a quantum computer does not solve these problems faster: it solves them in a fundamentally different way. Known quantum algorithms would, in theory, allow those keys to be broken down in practical time once stable, sufficiently large-scale hardware exists. It is worth distinguishing two fronts:

  • Asymmetric (public-key) cryptography: the most exposed. RSA, Diffie-Hellman and the elliptic curves we use to exchange keys and sign are vulnerable to a mature quantum attacker.
  • Symmetric cryptography: algorithms like AES hold up much better. The impact is largely mitigated by increasing the key size.

Put another way: the lock that seals the envelope (the symmetric key) remains solid; what is fragile is the mechanism by which we exchange and sign the keys to that lock today.

"Harvest now, decrypt later": the risk already unfolding

Here is the nuance that changes the entire analysis of timelines. An attacker does not need to wait until they have a quantum computer to start causing harm. They can start today.

The strategy is known as "harvest now, decrypt later": intercepting and storing large volumes of encrypted traffic in the present, waiting for the computing power needed to break it to become available in the future. If your information has value that outlives the passing of years, that future concerns you directly.

Ask yourself how long these data must remain confidential:

  • Medical records and biometric data, which do not expire.
  • Financial information, contracts and long-term intellectual property.
  • Trade secrets, strategic plans and personal data under regulation.
  • Corporate governance and other sensitive communications.

If the answer is "ten years or more," then the quantum threat is not a problem for tomorrow: it is a problem for today, because what is encrypted and transmitted now could already be being stored.

What post-quantum cryptography is

Post-quantum cryptography (PQC) is a set of algorithms designed to resist both classical and quantum computers. An important point: it does not require quantum computers to work. It runs on the infrastructure you already have, on conventional processors.

Its security rests on mathematical problems different from factoring and discrete logarithms, for which no efficient quantum algorithms are known. Among the most studied families are those based on lattices, on hash functions, and on codes.

The key fact of this moment is that the standardization work has already borne fruit: post-quantum cryptography standards are published, the result of years of public analysis and scrutiny by the international cryptographic community. This shifts the conversation from "which algorithm will we use?" to "how and when do we migrate?" The technical uncertainty has been reduced; what remains is organizational execution.

Crypto-agility: the real goal of the migration

If there is a single idea we would want your team to retain, it is this: the goal is not merely to replace one algorithm with another. The goal is to build crypto-agility, that is, the ability to change cryptographic algorithms quickly and at low cost when needed, without rewriting half the system each time.

Many organizations discover, when they try to migrate, that cryptography is rigidly embedded in their code, their devices and their integrations. Changing an algorithm means touching dozens of components that no one documented. Crypto-agility attacks that rigidity at the root:

  • Abstraction: having applications invoke cryptographic services instead of fixed algorithms hard-wired into the code.
  • Modularity: being able to swap an algorithm without redesigning the entire application.
  • Governance: clear policies on what is used, where, and for how long.

This is, at its core, an enterprise architecture decision rather than a technical patch. A crypto-agile organization not only survives the post-quantum transition: it stands ready for the next one, whatever it may be.

Cryptography inventory: you can't protect what you don't know about

No one can migrate what they don't know they have. That is why the first tangible deliverable of any serious program is a cryptography inventory: a map of where, how and for what purpose encryption is used across the entire organization.

A useful inventory answers concrete questions:

  • Which algorithms and key sizes are used in each application, database and communication channel?
  • Where do digital certificates live and when do they expire?
  • Which third-party vendors and services handle sensitive data, and what encryption do they use?
  • Which legacy systems have cryptography that is difficult or impossible to update?
  • Which data, given its long confidentiality period, must be prioritized?

This exercise almost always reveals surprises: obsolete cryptography in production, unknown dependencies, and critical data protected by fragile mechanisms. Beyond the quantum question, it is one of the most valuable cybersecurity diagnostics an organization can perform for itself.

Why start now, even though the threat is in the future

The objection is understandable: if the quantum computer capable of breaking RSA does not yet exist, why invest today? For three compelling reasons:

  • Today's data is already at risk. Because of "harvest now, decrypt later," what you encrypt now can be decrypted later. Protecting long-lived information does not allow for waiting.
  • The migration is slow. Inventorying, redesigning, testing and deploying new cryptography across an entire organization takes years, not weeks. Whoever starts when the threat is imminent starts late.
  • Preparation generates immediate value. The inventory and crypto-agility improve your security posture from day one, regardless of the quantum timeline.

Starting now is not alarmism; it is affording yourself the luxury of migrating calmly, in phases and with a planned budget, rather than doing it in a rush under regulatory pressure or after an incident.

Frequently asked questions

Do I need a quantum computer to use post-quantum cryptography?

No. Post-quantum algorithms run on conventional hardware. They are designed to run on the infrastructure you already have and to resist both classical and quantum attacks.

Should I replace all my encryption immediately?

No, and doing it all at once would be a mistake. The migration is gradual and priority-driven: first you identify the data of highest value and longest confidentiality period, and you advance in phases with approaches that coexist with current cryptography during the transition.

Does the threat also affect symmetric encryption such as AES?

The impact is much smaller. Symmetric cryptography holds up reasonably well and is mitigated by increasing the key size. The urgency is concentrated in public-key cryptography: key exchange and digital signatures.

What happens if I do nothing?

You run two risks: that sensitive data captured today is decrypted in the future, and that you are forced into a rushed, costly migration when the pressure is at its peak, without the inventory or the agility to execute it in an orderly way.

The first step

The post-quantum transition is not a project you resolve in a single quarter, but you can indeed start well in one. The first step is not to buy technology: it is to understand where your cryptography is, which data you must protect for longer, and how agile your architecture is to change when needed.

At SUMāTO we help organizations across LATAM build that diagnosis and chart a realistic migration roadmap, aligned with their architecture and risk appetite. If you want to turn a future threat into a present advantage, let's talk. The best time to prepare for tomorrow's encryption is today.