
What is post-quantum cryptography, and why the US has accelerated its migration deadline

Ars Technica, 2 h ago

Server room rack cables with blue lights. Photo: panumas nikhomkhai / Pexels

The White House has cut the deadline by which US federal systems must move off quantum-vulnerable cryptography by three years compared with the previous plan. The executive order, described by Ars Technica on Tuesday, sets a 2027 target for the adoption of post-quantum cryptography (PQC) algorithms in critical infrastructure and federal systems, replacing the previous 2030 date.

Post-quantum cryptography (PQC) is the general name for cryptographic techniques designed as an alternative to classical encryption algorithms that future quantum computers are projected to break. RSA and elliptic-curve cryptography (ECC), which protect most of today's internet traffic, can be broken by a sufficiently powerful quantum computer running Shor's algorithm.
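To make the point about Shor's algorithm concrete, here is an added example written for this summary (not code from Ars Technica, NIST or any project mentioned). The only step of Shor's algorithm that needs a quantum computer is finding the period of a^x mod N; the rest is classical number theory. The block replaces the quantum period-finding step with brute force, which is only feasible for toy moduli, and then shows how a factorization of the RSA modulus yields the private exponent. The toy key (n = 3233 = 61 * 53, e = 17) is constructed for the demonstration.

```python
from math import gcd
from typing import Optional, Tuple
import random


def find_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r % n == 1 (the multiplicative order of a mod n).

    This is the step Shor's algorithm performs on a quantum computer in
    polynomial time; here it is brute force, which only works for toy n.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, rng: Optional[random.Random] = None) -> Tuple[int, int]:
    """Classical post-processing of Shor's algorithm for an odd composite n
    that is not a prime power. Returns a non-trivial factor pair (p, q)."""
    rng = rng or random.Random(0)     # fixed seed so the demo is reproducible
    if n % 2 == 0:
        return 2, n // 2
    while True:
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g != 1:
            return g, n // g          # a already shares a factor with n
        r = find_order(a, n)
        if r % 2:
            continue                  # odd period: pick another base
        y = pow(a, r // 2, n)
        if y == n - 1:
            continue                  # a**(r/2) == -1 mod n gives only trivial factors
        # y**2 == 1 mod n with y != +-1, so one of these gcds is a proper factor
        for cand in (gcd(y - 1, n), gcd(y + 1, n)):
            if 1 < cand < n:
                return cand, n // cand


def recover_rsa_private_exponent(n: int, e: int) -> int:
    """Given only the RSA public key (n, e), derive d once n has been factored."""
    p, q = shor_factor(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)            # modular inverse (Python 3.8+)


if __name__ == "__main__":
    # Constructed toy RSA key: n = 61 * 53, e = 17.
    n, e = 3233, 17
    d = recover_rsa_private_exponent(n, e)
    msg = 65
    assert pow(pow(msg, e, n), d, n) == msg   # recovered d really decrypts
    print("factors:", sorted(shor_factor(n)), "recovered d:", d)
```

The brute-force `find_order` is exponential in the size of n, which is exactly why RSA-2048 is safe against classical computers; Shor's quantum period-finding removes that barrier, and nothing else in the reduction from "know the order" to "know the private key" needs quantum hardware.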

The US National Institute of Standards and Technology (NIST) selected PQC algorithms through a multi-year evaluation process that began in 2016. The first two standards, finalized in mid-2024, are ML-KEM (for key exchange, based on Kyber) and ML-DSA (for digital signatures, based on Dilithium). A third standard, SLH-DSA (based on SPHINCS+), was added earlier this year.

The urgency of the PQC transition stems from the "harvest now, decrypt later" threat: encrypted data captured today can be stored and decrypted later, once a sufficiently powerful quantum computer exists. This is particularly concerning for data that must stay confidential for 20 to 30 years, such as health records, government secrets and long-lived infrastructure control messages.

The executive order requires federal agencies to use PQC algorithms in all new systems built by 2027. For existing systems, asset inventory and migration plans become mandatory by the end of 2026. Ars Technica reported NSA cybersecurity director David Luber as saying "we expect the majority of federal network endpoints to be running PQC actively by mid-2027."

The technical challenges of a PQC transition are significant. PQC keys and signatures are much larger than their classical counterparts: an ML-KEM public key is roughly 1.2 KB, while an RSA-2048 public key is 256 bytes. The difference imposes serious engineering constraints on IoT devices, embedded systems and low-bandwidth networks.

A secondary difficulty is managing the hybrid cryptography transition period. Most systems are being configured to use classical and PQC algorithms in parallel; this can introduce performance overhead and compatibility errors. Google, Cloudflare and AWS spent the past year testing this hybrid mode in production networks.
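As an added example of what running classical and PQC algorithms "in parallel" means in practice (code written for this summary, not from Google, Cloudflare or AWS), the block below implements a hybrid key-exchange combiner modelled on the approach used in hybrid TLS 1.3 key shares: the ML-KEM shared secret and the X25519 shared secret are concatenated and passed through HKDF, so the session key stays secret as long as either component holds. The two shared secrets are constructed byte strings standing in for real ML-KEM and X25519 outputs (both are 32 bytes in the real schemes); the key-share sizes are the FIPS 203 values for ML-KEM plus 32 bytes for an X25519 public key, and the `hybrid-kex-demo` label is an assumption for this example.

```python
import hashlib
import hmac
import os
from typing import Tuple

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC(salt, IKM); empty salt means HashLen zero bytes."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), output truncated to length."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_session_key(pq_ss: bytes, classical_ss: bytes,
                       transcript_hash: bytes, length: int = 32) -> bytes:
    """Combine a post-quantum and a classical shared secret into one session key.

    The concatenation pq_ss || classical_ss is the input keying material and the
    handshake transcript hash is bound in through the HKDF info field. An attacker
    who can compute one component (X25519 with a future quantum computer, or
    ML-KEM should a cryptanalytic break appear) still lacks the other input and
    cannot reproduce the key.
    """
    if len(pq_ss) != 32 or len(classical_ss) != 32:
        raise ValueError("expected 32-byte shared secrets (ML-KEM and X25519 both yield 32 bytes)")
    prk = hkdf_extract(b"", pq_ss + classical_ss)
    return hkdf_expand(prk, b"hybrid-kex-demo|" + transcript_hash, length)


# Public-value sizes in bytes: ML-KEM (encapsulation key, ciphertext) from NIST FIPS 203;
# an X25519 public key is 32 bytes.
ML_KEM_SIZES = {
    "ML-KEM-512": (800, 768),
    "ML-KEM-768": (1184, 1088),
    "ML-KEM-1024": (1568, 1568),
}
X25519_PUBLIC_BYTES = 32


def hybrid_key_share_bytes(param: str) -> Tuple[int, int]:
    """Bytes on the wire for a hybrid X25519 + ML-KEM exchange: (client key share, server reply)."""
    ek, ct = ML_KEM_SIZES[param]
    return ek + X25519_PUBLIC_BYTES, ct + X25519_PUBLIC_BYTES


if __name__ == "__main__":
    # Constructed stand-ins for a real ML-KEM decapsulation output and X25519 agreement.
    pq_ss = os.urandom(32)
    classical_ss = os.urandom(32)
    transcript = hashlib.sha256(b"constructed ClientHello||ServerHello").digest()
    key = hybrid_session_key(pq_ss, classical_ss, transcript)
    print("hybrid session key:", key.hex())
    print("X25519+ML-KEM-768 bytes (client, server):", hybrid_key_share_bytes("ML-KEM-768"))
```

The size helper shows where the "1.2 KB" figure bites: a hybrid X25519 + ML-KEM-768 client key share is 1216 bytes where a plain X25519 share is 32, which is what pushes handshakes past a single packet on constrained links. The compatibility errors mentioned above typically come from middleboxes and stacks that assume key shares of the old size.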

The selection process for PQC standards itself remains contested. Some algorithms in NIST's selection process have shown weaknesses against attacks that were initially overlooked. In mid-2024, researchers at IBM and ETH Zurich published practical attacks on the SIKE and Rainbow algorithms that run on ordinary classical computers. The finalists chosen by NIST were not affected by these attacks, but the industry remains vigilant.

The financial sector has emerged as the one preparing most rigorously for the new timeline. JPMorgan Chase, Bank of America and Citigroup formed a joint PQC integration working group last year. SWIFT plans to complete PQC support for its global banking messaging network by 2027.

The executive order is also being read as an effort to underscore US leadership in global cybersecurity policy. The European Union's ENISA had set a mid-2028 target for PQC migration; the White House's new 2027 target is one year more aggressive than the EU's. Japan's METI agency reported it would reconsider its own timeline following the order.

This article is an AI-curated summary based on Ars Technica. The illustration is a stock photo by panumas nikhomkhai from Pexels.
