Insider Brief
- RSA and ECC are being replaced because quantum algorithms like Shor’s can break the mathematical problems they rely on.
- New standards such as ML-KEM, ML-DSA, and SLH-DSA introduce quantum-resistant cryptography based on lattice and hash-based methods.
- The transition is underway due to long migration timelines and the risk that encrypted data today could be decrypted in the future.
The encryption protecting most of the internet is expected to become vulnerable to sufficiently advanced quantum computers. RSA and elliptic curve cryptography, which secure online banking, email, cloud storage, and messaging systems, rely on mathematical problems that known quantum algorithms can solve much more efficiently than classical ones.
This is based on established theory. Shor’s algorithm, published in 1994, shows that a large-scale fault-tolerant quantum computer could factor the integers behind RSA and solve the discrete logarithm problems used in elliptic curve systems. The primary uncertainty lies in when such systems will become practical, along with the engineering challenges required to reach that scale.
What RSA and ECC Actually Do
RSA and ECC support two core functions – establishing secure connections and verifying identity.

When a user connects to a website, algorithms such as RSA or Diffie-Hellman are used to exchange encryption keys. This allows secure communication between parties that have not interacted before. The security depends on mathematical problems that are difficult for classical computers to solve.
Digital signatures are used to verify the origin and integrity of data. Software updates, financial transactions, and secure communications depend on these signatures to confirm authenticity.
If large-scale quantum computers become available, these assumptions may no longer hold. A sufficiently advanced system could derive private keys from public keys, forge signatures, and decrypt previously recorded communications.
The Three Standards That Replace Them
NIST’s post-quantum cryptography standards define algorithms designed to resist both classical and quantum attacks.
FIPS 203 (ML-KEM) is intended to replace RSA and Diffie-Hellman for key establishment. ML-KEM, short for Module-Lattice-Based Key-Encapsulation Mechanism, allows two parties to establish a shared secret over a public channel. The security relies on the difficulty of solving lattice problems, which are not known to be efficiently solvable by quantum algorithms.
ML-KEM comes in three parameter sets: ML-KEM-512, ML-KEM-768, and ML-KEM-1024. Higher numbers provide stronger security but require more computing resources and larger key sizes. Most implementations are expected to use ML-KEM-768, which provides security roughly equivalent to AES-192.
FIPS 204 (ML-DSA) is intended to replace RSA and ECDSA for digital signatures. ML-DSA, short for Module-Lattice-Based Digital Signature Algorithm, generates and verifies signatures that authenticate the sender and detect unauthorized modifications. Like ML-KEM, it relies on lattice-based cryptography and comes in three parameter sets: ML-DSA-44, ML-DSA-65, and ML-DSA-87.
FIPS 205 (SLH-DSA) provides a backup option for digital signatures. SLH-DSA, short for Stateless Hash-Based Digital Signature Algorithm, uses an entirely different mathematical approach based on hash functions rather than lattices. This diversity matters because if lattice-based cryptography turns out to be weaker than expected, SLH-DSA provides an alternative that does not share the same vulnerabilities.
SLH-DSA signatures are significantly larger than ML-DSA signatures, which limits where they can be used. But the algorithm is conservative and well-understood, making it appropriate for situations where long-term security is more important than efficiency.
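To make "hash-based" and "significantly larger" concrete, here is an added example, not code from NIST, the article, or any SLH-DSA implementation: a Lamport one-time signature, the simplest hash-based scheme, written against the Python standard library. Every name in it (`lamport_keygen`, `lamport_sign`, `lamport_verify`, `sizes_in_bytes`, the sample message) is an assumption made for illustration. Its security rests only on the preimage resistance of SHA-256, the same flavour of assumption SLH-DSA relies on, and its 8192-byte signature lands in the same range as the table's SLH-DSA figures. What it lacks is reuse: each key pair may sign a single message, and SLH-DSA's extra machinery (chains of one-time keys arranged in tree structures) exists to turn this kind of primitive into a stateless, many-time signature.

```python
"""Toy hash-based one-time signature (Lamport, 1979), stdlib only.
Educational: NOT SLH-DSA, which builds stateless many-time signatures on primitives like this."""
import hashlib
import secrets

MSG_BITS = 256   # one preimage pair per bit of the SHA-256 message digest
CHUNK = 32       # bytes per preimage and per hash output


def _h(data):
    return hashlib.sha256(data).digest()


def _digest_bits(message):
    d = _h(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(MSG_BITS)]


def lamport_keygen():
    """Private key: 256 pairs of random preimages. Public key: their hashes.
    Forging requires inverting the hash, so security reduces to preimage resistance."""
    sk = [(secrets.token_bytes(CHUNK), secrets.token_bytes(CHUNK)) for _ in range(MSG_BITS)]
    pk = [(_h(x0), _h(x1)) for x0, x1 in sk]
    return pk, sk


def lamport_sign(sk, message):
    """Reveal, for each digest bit, the preimage that bit selects.
    ONE-TIME: a second message under the same key reveals further preimages,
    which is why deployable schemes need a many-time construction on top."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(message))]


def lamport_verify(pk, message, signature):
    """Each revealed preimage must hash to the public-key entry chosen by the message bit."""
    if len(signature) != MSG_BITS:
        return False
    bits = _digest_bits(message)
    return all(_h(sig_i) == pk[i][bits[i]] for i, sig_i in enumerate(signature))


def sizes_in_bytes():
    """Raw sizes, for comparison with the signature-size column in the article's table."""
    return {"public_key": MSG_BITS * 2 * CHUNK,   # 16384
            "private_key": MSG_BITS * 2 * CHUNK,  # 16384
            "signature": MSG_BITS * CHUNK}        # 8192


if __name__ == "__main__":
    pk, sk = lamport_keygen()
    msg = b"firmware-image-v1.2.3"   # constructed sample message
    sig = lamport_sign(sk, msg)
    print("valid:", lamport_verify(pk, msg, sig),
          "tampered:", lamport_verify(pk, msg + b"!", sig))
    print(sizes_in_bytes())
```

The size arithmetic is the point: 256 preimages of 32 bytes each is 8 KB per signature before any optimisation, and the public key is twice that. Lattice signatures such as ML-DSA avoid this cost structure entirely, which is why the table shows them several times smaller.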
According to NIST, these three standards were published in August 2024 and are ready for deployment.
What Changes for End Users
For most users, the transition is expected to be largely invisible. Browsers, operating systems, and cloud platforms will update their cryptographic libraries without requiring direct user action.
At the infrastructure level, the changes are more substantial.
TLS, the protocol that secures HTTPS connections, is being updated to support ML-KEM for key exchange and ML-DSA for server authentication. Major browsers including Chrome and Firefox already support hybrid post-quantum key exchange, combining classical algorithms with ML-KEM to provide defense-in-depth during the transition.
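The following block is an added example, not code from the article, NIST, any browser, or any TLS library, and it serves two passages: the key-encapsulation idea behind ML-KEM described under FIPS 203 above, and the hybrid exchange just described, where a classical and a post-quantum shared secret are combined so that both would have to be broken. It uses only the Python standard library. The lattice part is a textbook Learning-With-Errors KEM with assumed parameters N=128 and Q=3329; it is not ML-KEM, which works over module lattices with polynomial arithmetic and a different, more efficient construction. The classical part is Diffie-Hellman over a Mersenne-prime modulus chosen purely as a toy, not a standard group. The `hybrid-toy-v1` label, the transcript contents, and all function names are assumptions, and none of the parameters are secure.

```python
"""Toy hybrid key exchange: classical Diffie-Hellman plus a textbook LWE KEM,
combined with HKDF. Educational only: NOT ML-KEM, NOT secure parameters."""
import hashlib
import hmac
import secrets

# --- Toy lattice KEM: plain Learning-With-Errors, one ciphertext per key bit ---
N = 128         # lattice dimension (assumption; far smaller than ML-KEM's)
Q = 3329        # modulus; chosen so the decryption noise (<= 2N+1) stays below Q/4
KEY_BYTES = 16  # size of the transported shared secret


def _ternary(n):
    """Small coefficients in {-1, 0, 1}; bounds the noise so decryption never fails."""
    return [secrets.randbelow(3) - 1 for _ in range(n)]


def _dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q


def lwe_keygen():
    """Public key (A, b = A*s + e), private key s. Recovering s from (A, b) is the LWE problem."""
    A = [[secrets.randbelow(Q) for _ in range(N)] for _ in range(N)]
    s, e = _ternary(N), _ternary(N)
    b = [(_dot(row, s) + e_i) % Q for row, e_i in zip(A, e)]
    return (A, b), s


def lwe_encaps(pk):
    """Choose a random secret and encrypt it bit by bit; return (ciphertext, secret)."""
    A, b = pk
    secret = secrets.token_bytes(KEY_BYTES)
    columns = list(zip(*A))                      # so that u = A^T r
    ciphertext = []
    for i in range(KEY_BYTES * 8):
        bit = (secret[i // 8] >> (7 - i % 8)) & 1
        r, e1, e2 = _ternary(N), _ternary(N), secrets.randbelow(3) - 1
        u = [(_dot(col, r) + e1_j) % Q for col, e1_j in zip(columns, e1)]
        v = (_dot(b, r) + e2 + bit * (Q // 2)) % Q
        ciphertext.append((u, v))
    return ciphertext, secret


def lwe_decaps(sk, ciphertext):
    """v - s.u = e.r + e2 - s.e1 + bit*Q/2; the noise is < Q/4, so round to 0 or Q/2."""
    secret = bytearray(KEY_BYTES)
    for i, (u, v) in enumerate(ciphertext):
        x = (v - _dot(sk, u)) % Q
        if x > Q // 2:
            x -= Q                                # centre into (-Q/2, Q/2]
        if abs(x) > Q // 4:
            secret[i // 8] |= 1 << (7 - i % 8)
    return bytes(secret)


# --- Toy classical Diffie-Hellman (Mersenne-prime modulus is an assumption, not a standard group) ---
DH_P = 2**127 - 1
DH_G = 3


def dh_keygen():
    priv = secrets.randbelow(DH_P - 2) + 1
    return pow(DH_G, priv, DH_P), priv


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, DH_P).to_bytes(16, "big")


# --- HKDF-SHA256 (RFC 5869) and the hybrid combiner ---
def hkdf(ikm, salt, info, length=32):
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def combine(classical_ss, pq_ss, transcript):
    """Concatenate both shared secrets and bind the derived key to the transcript.
    An attacker must break BOTH mechanisms to learn the key (label is an assumption)."""
    return hkdf(classical_ss + pq_ss, salt=b"hybrid-toy-v1", info=transcript)


def hybrid_handshake():
    """Both sides of the exchange in one process; returns (client_key, server_key)."""
    c_dh_pub, c_dh_priv = dh_keygen()            # client: ephemeral DH share ...
    kem_pk, kem_sk = lwe_keygen()                # ... and a fresh KEM key pair, both sent
    s_dh_pub, s_dh_priv = dh_keygen()            # server: own DH share ...
    kem_ct, s_pq_ss = lwe_encaps(kem_pk)         # ... and an encapsulation to the client's pk
    # A real handshake also binds the KEM public key and ciphertext into the transcript.
    transcript = hashlib.sha256(c_dh_pub.to_bytes(16, "big") + s_dh_pub.to_bytes(16, "big")).digest()
    server_key = combine(dh_shared(s_dh_priv, c_dh_pub), s_pq_ss, transcript)
    client_key = combine(dh_shared(c_dh_priv, s_dh_pub), lwe_decaps(kem_sk, kem_ct), transcript)
    return client_key, server_key


if __name__ == "__main__":
    ck, sk_ = hybrid_handshake()
    print("keys agree:", ck == sk_, ck.hex())
```

Two design points carry over to real deployments. First, the KEM ciphertext depends on the receiver's public key only, so the client can send its public key in its first message and the server answers with a ciphertext, which is exactly the shape a one-round-trip TLS key exchange needs. Second, the combiner feeds both secrets through one key derivation rather than XORing them or picking one, so a break of either the lattice problem or the discrete logarithm leaves the session key unknown to the attacker.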
Certificate authorities, the organizations that issue digital certificates verifying website identity, are preparing to issue certificates signed with post-quantum algorithms. This requires updating certificate infrastructure, testing compatibility, and coordinating across the ecosystem to ensure that certificates signed with ML-DSA or SLH-DSA work correctly.
VPNs, secure messaging apps, and encrypted file storage systems all depend on the same cryptographic primitives being replaced. Each will need to transition to post-quantum algorithms, test for compatibility issues, and deploy updates across potentially millions of devices.
A Comparison: What Is Changing
| Details | Current (RSA/ECC) | Post-Quantum (ML-KEM/ML-DSA) |
|---|---|---|
| Key Exchange | RSA, Diffie-Hellman, ECDH | ML-KEM (lattice-based) |
| Digital Signatures | RSA, ECDSA | ML-DSA (lattice-based), SLH-DSA (hash-based) |
| Security Basis | Integer factorization, discrete logarithm | Lattice problems, hash functions |
| Quantum Vulnerable? | Yes | No |
| Key Sizes | RSA: 2048-4096 bits, ECC: 256-521 bits | ML-KEM: 800-1568 bytes, ML-DSA: 1312-2592 bytes |
| Signature Sizes | RSA: 256-512 bytes, ECDSA: 64-132 bytes | ML-DSA: 2420-4595 bytes, SLH-DSA: 7856-49856 bytes |
The most visible difference is size. Post-quantum algorithms require larger keys and produce larger signatures. This creates practical challenges for systems with limited bandwidth, storage, or processing power. Certificate chains become longer. Network packets require more space. Embedded devices may need hardware upgrades to handle the additional load.
Performance also differs. ML-KEM and ML-DSA are generally fast on modern processors, but they are not drop-in replacements. Software libraries need updates. Hardware accelerators designed for RSA and ECC do not work for lattice-based algorithms. Systems that rely on specific key sizes or signature formats need modifications.
Why the Transition Matters Now
Data encrypted today with RSA or ECC may be vulnerable in the future if it needs to remain confidential over long time horizons.
Recent research has reduced the estimated resources required to break RSA-2048 from tens of millions of qubits to under one million, with some proposals suggesting even lower requirements under specific assumptions. These estimates depend on both hardware and error correction advances, which remain active areas of research.
Cryptographic transitions take time. Identifying where algorithms are used, testing compatibility, coordinating with vendors, and deploying replacements across global infrastructure all require significant time. Organizations that wait until quantum computers become practical will find themselves trying to protect data that adversaries have already collected.
NIST recommends that organizations begin migrating critical systems now, starting with data that has long confidentiality requirements.
What Comes Next
NIST selected a fifth algorithm, HQC, as a backup for ML-KEM in March 2025. HQC is based on error-correcting codes rather than lattices, providing mathematical diversity in case lattice-based cryptography is compromised. A draft standard is expected in 2026, with finalization in 2027.
Additional signature algorithms are under evaluation. NIST also announced a “signatures onramp” competition to find alternatives that perform better than SLH-DSA while still providing diversity from lattice-based approaches.
Standardization bodies including the Internet Engineering Task Force (IETF) are finalizing protocols for hybrid cryptography, where classical and post-quantum algorithms run in parallel. This provides a safety net during the transition: if one algorithm fails, the other still protects the data.
Adoption is increasing across cloud providers, browser vendors, and operating system manufacturers. Federal agencies face mandates to transition by 2035. Certificate authorities are preparing to issue quantum-resistant certificates. The infrastructure is moving, whether individual organizations are ready or not.
RSA and ECC remain widely deployed today, but the shift toward post-quantum alternatives has begun.
Partner with the Year of Quantum Security 2026
This article is part of The Year of Quantum Security 2026 – a year-long editorial and convening initiative produced by The Quantum Insider, covering post-quantum readiness, quantum resilience, and responsible adoption.
Organizations supporting YQS2026 – post-quantum vendors, cybersecurity providers, telcos, and critical infrastructure operators – gain year-long editorial visibility across TQI, direct access to CISOs and policymakers, and category-leadership positioning at a pivotal moment in the security transition.
Founding Partner, Global Strategic, Program Partner, and Supporting Partner tiers are open for 2026.
→ Book a 20-minute briefing with Luke Preskey, CRO
QuantumSecurity2026.org | #YQS2026