Post-Quantum Cryptography vs RSA/ECC

The fundamental difference between Post-Quantum Cryptography vs RSA/ECC is the mathematical problem each uses for security and whether that problem is solvable by a quantum computer. RSA derives security from the difficulty of factoring large numbers; ECC derives security from the elliptic curve discrete logarithm problem. Both are efficiently solvable by Shor’s Algorithm on a quantum computer — making RSA and ECC completely insecure against quantum attacks.

Post-Quantum Cryptography uses entirely different mathematical foundations: lattice problems (the Learning With Errors problem underlying ML-KEM and ML-DSA), hash function hardness (SLH-DSA), and error-correcting code decoding (HQC). No efficient quantum algorithm is currently known for any of these problem classes. The practical consequence: RSA and ECC will be deprecated by 2030 and disallowed by 2035 per NIST IR 8547. ML-KEM, ML-DSA, and SLH-DSA are the standardised replacements, ready to deploy now on existing hardware.

No Cryptographically Relevant Quantum Computer (CRQC) exists as of 2026 — current quantum computers are too small and error-prone to run Shor’s Algorithm on real cryptographic key sizes. The timeline is genuinely uncertain, but the expert consensus has narrowed. The Global Risk Institute’s 2026 Quantum Threat Timeline estimates a CRQC is “quite possible” within ten years and “likely” within fifteen. Mainstream researchers estimate a CRQC likely between 2030 and 2040.

Breaking RSA-2048 requires approximately 4,000 logical qubits (millions of physical qubits accounting for error correction). Breaking ECC-256 now appears achievable with fewer than ~500,000 physical qubits following recent research showing a ~20× reduction in required resources. Google’s Quantum AI team published a March 2026 paper showing ECC could be broken in approximately nine minutes on a sufficiently advanced future quantum computer. The uncertainty in the exact date is precisely why the “harvest now, decrypt later” threat is so important: adversaries who collect encrypted data today need only wait for the quantum capability to arrive, which means data with 10+ year confidentiality requirements is already exposed.

Harvest Now, Decrypt Later (HNDL), also called “store now, decrypt later” or the “retrospective decryption threat,” is a data collection strategy where adversaries — typically nation-state intelligence agencies — intercept and archive encrypted network traffic today, store it at scale, and plan to decrypt it retrospectively once quantum computing capability becomes available. The threat is active because encrypted data from a TLS session, a VPN tunnel, or an encrypted file is mathematically identical whether collected today or in five years — the mathematical operations required to decrypt it are the same.

An adversary who stores an encrypted RSA session today needs only wait for a CRQC to arrive to read its contents. This is why the PQC vs RSA/ECC migration is urgent even though no CRQC exists in 2026. Any data that must remain confidential for longer than the expected quantum timeline (~10–15 years) — medical records, legal communications, government secrets, long-lived financial records, software signing keys — is already exposed to retrospective decryption by any adversary collecting and archiving encrypted traffic today. This converts what seems like a future problem into a present security obligation.

NIST finalised three Post-Quantum Cryptography standards in August 2024 after an eight-year international competition. FIPS 203 (ML-KEM, formerly CRYSTALS-Kyber) is a key encapsulation mechanism that replaces RSA key exchange (RSA-OAEP), Diffie-Hellman (DH), and Elliptic Curve Diffie-Hellman (ECDH) in protocols like TLS. ML-KEM-768 is the recommended default, with a 1,184-byte public key and 1,088-byte ciphertext versus ECDH’s 32-byte key — larger, but fast enough for real-time use. FIPS 204 (ML-DSA, formerly CRYSTALS-Dilithium) is a digital signature algorithm that replaces ECDSA, RSA-PSS, and EdDSA in certificate signing, JWT tokens, SAML assertions, code signing, and document integrity. ML-DSA-65 is the recommended default with 3,293-byte signatures versus ECDSA’s 64 bytes.

FIPS 205 (SLH-DSA, formerly SPHINCS+) is a hash-based digital signature scheme based on SHA-2/SHA-3 hardness, serving as a conservative backup to ML-DSA. In March 2025, NIST selected HQC as a fourth code-based backup key encapsulation mechanism. FN-DSA (Falcon) standardisation is also ongoing, offering notably smaller signatures than ML-DSA. NIST’s explicit guidance: “There is no need to wait for future standards. Go ahead and start using these three.”

Post-Quantum Cryptography algorithms have significantly larger key and signature sizes than their RSA and ECC equivalents — this is the primary engineering trade-off. For key exchange: ECDH uses 32-byte public keys, while ML-KEM-768 uses 1,184-byte public keys (approximately 37× larger) with 1,088-byte ciphertexts. For digital signatures: ECDSA produces 64-byte signatures, while ML-DSA-65 produces 3,293-byte signatures (approximately 51× larger) with 1,952-byte public keys.

For comparison with RSA: RSA-2048 public keys are approximately 384 bytes — ML-KEM-768 is roughly 3× larger. The exception is FN-DSA (Falcon), which produces 666-byte signatures — approximately 10× ECDSA but far smaller than ML-DSA. SLH-DSA signatures can range from 7,856 to 49,856 bytes depending on parameter variant, reflecting its conservative mathematical approach. In practice, the additional bandwidth overhead is manageable for most applications — TLS handshakes increase by 1–2 KB with hybrid ML-KEM, and most modern network infrastructure handles this without meaningful latency impact. The most challenging environments are bandwidth-constrained IoT devices, smart cards, and embedded systems where smaller algorithms like ML-KEM-512 and Falcon-512 are preferred.

No — doubling RSA key size does not solve the quantum threat and is not a viable mitigation strategy. Shor’s Algorithm breaks RSA at any key size in polynomial time — the computational resources required grow only polynomially with key size rather than exponentially. Moving from RSA-2048 to RSA-4096 slightly increases the number of quantum operations required but does not change the fundamental attack feasibility. A CRQC that can break RSA-2048 in hours can break RSA-4096 in somewhat more time — still within practical reach for a motivated adversary with quantum capability. Increasing key sizes does provide additional security against classical attacks — RSA-4096 offers significantly more classical security margin than RSA-2048 — but provides no meaningful protection against quantum attacks.

This is distinct from symmetric cryptography (AES, SHA): Grover’s quantum algorithm provides only a quadratic speedup against AES key search, meaning AES-256 remains quantum-secure (a quantum computer gains only the equivalent of halving the key size, effectively reducing AES-256 to AES-128 security against quantum attacks). For symmetric cryptography, doubling key sizes is sufficient. For RSA and ECC, only a fundamentally different mathematical foundation — which is exactly what PQC provides — offers quantum resistance.

Hybrid cryptography runs a classical algorithm (e.g., X25519 ECDH) and a post-quantum algorithm (e.g., ML-KEM-768) simultaneously in the same cryptographic operation, combining their outputs into a single shared secret or key. The security property of a properly implemented hybrid is that breaking it requires breaking both algorithms — so a session protected by X25519MLKEM768 is secure as long as either ECDH or ML-KEM remains unbroken. This approach is recommended as the migration strategy for two reasons.

First, backward compatibility: hybrid modes can fall back gracefully to classical algorithms for endpoints that do not yet support ML-KEM, maintaining interoperability during the multi-year transition period when both PQC and non-PQC systems are in production simultaneously. Second, insurance against PQC uncertainty: PQC algorithms are newer with a shorter cryptanalytic track record than RSA/ECC. A hybrid approach provides quantum safety from ML-KEM while classical security from ECDH provides a safety net if unforeseen weaknesses in the PQC algorithm emerge. X25519MLKEM768 is the de facto industry standard for TLS PQC key exchange — deployed by Google Chrome, Akamai (default from January 2026), Cloudflare, and most major TLS implementations.

Symmetric encryption algorithms like AES and hash functions like SHA-256 are significantly less vulnerable to quantum attacks than RSA and ECC, and the mitigation is straightforward. The relevant quantum algorithm for symmetric cryptography is Grover’s Algorithm, which provides a quadratic speedup for searching an unstructured database — applied to AES, this effectively halves the key length in terms of security. AES-128 (with 128-bit key) would be reduced to approximately 64-bit classical equivalent security by a quantum computer, which is considered potentially inadequate for long-term security.

AES-256 would be reduced to approximately 128-bit classical equivalent — still secure for any foreseeable threat. For SHA-256 and SHA-3, Grover’s Algorithm affects preimage resistance; collision resistance requires more complex analysis. NIST’s current assessment is that SHA-256 remains secure for hash functions, and AES-256 remains secure for encryption. The practical guidance: if you are using AES-128, consider upgrading to AES-256 for long-lived data. If you are using AES-256, no change is required for quantum resistance. SHA-256 remains acceptable; SHA-384 or SHA-512 provide additional security margin. The critical distinction from RSA/ECC: symmetric algorithms require parameter adjustment, not complete replacement.

Cryptographic agility is the architectural property of a system that allows its cryptographic algorithms to be updated, swapped, or reconfigured without requiring changes to the broader system architecture. A cryptographically agile system treats the algorithm as a parameter rather than a hard-coded implementation detail — enabling the system to adopt ML-KEM today, switch to HQC if a lattice vulnerability is discovered, or adopt a future algorithm that emerges from NIST’s ongoing standardisation rounds, all without architectural redesign. Cryptographic agility is the most important architectural principle for 2026 for three reasons.

First, the PQC field is still maturing: NIST’s Signatures Onramp competition is evaluating additional algorithms; FN-DSA and HQC are in final standardisation; new competition winners will emerge before 2030. A cryptographically agile system can adopt improvements as they arrive. Second, NIST’s FIPS 203/204/205 are not the last word: SIKE was broken during the competition; future cryptanalysis may weaken assumptions in currently standardised algorithms. The ability to switch algorithms rapidly is as important as choosing the right algorithm initially. Third, the RSA/ECC deprecation creates a single migration deadline: systems that are cryptographically agile can meet that deadline by updating configuration; systems with hard-coded RSA/ECC require architectural rework. For any system designed or rebuilt in 2026, cryptographic agility is a fundamental design requirement, not a bonus feature.

Blockchain and cryptocurrency systems face a serious quantum threat because their security foundations are entirely based on the elliptic curve cryptography that quantum computers can break. Bitcoin wallets use ECDSA with the secp256k1 curve — the same mathematical problem Shor’s Algorithm solves — to generate public/private key pairs and sign transactions. A CRQC with sufficient qubits could derive a wallet’s private key from its public key, enabling the theft of any funds in that wallet. In March 2026, Google’s Quantum AI team published a paper showing Bitcoin’s specific ECC implementation could be broken in approximately nine minutes on a sufficiently advanced quantum computer.

Public blockchain addresses whose public keys have been exposed (i.e., the wallet has previously made a transaction) are directly vulnerable — the public key is visible on-chain and derivable by a quantum attacker. Addresses whose public keys have never been broadcast (spent zero transactions) are less immediately vulnerable. The blockchain community is aware of this threat and PQC migration efforts are underway, but the challenge is immense: migrating a decentralised protocol where participants cannot be forced to update requires achieving broad community consensus, and the migration path involves moving funds from quantum-vulnerable addresses to new PQC-secured addresses before a CRQC arrives. Several blockchain projects are exploring PQC-native chains and protocol upgrades. As of 2026, no major public blockchain has completed a quantum-resistant migration, creating a significant systemic risk that grows as the CRQC timeline compresses.