PQC: Why Post-Quantum Crypto Matters
Security
Apr 28, 2026 6:06 PM

by HubSite 365 about John Savill's [MVP]

Principal Cloud Solutions Architect

Microsoft expert on Post Quantum Cryptography and Quantum Safe Program, Azure prep, encryption and stop harvest risk

Key insights

  • Post-Quantum Cryptography (PQC) protects data from future quantum computers by using algorithms designed to resist quantum attacks. It focuses on replacing vulnerable asymmetric cryptography (like RSA and ECC), while symmetric primitives such as AES and SHA remain largely safe.
  • Attackers can collect encrypted data today and wait to break it later with a quantum computer. This threat is called Harvest Now, Decrypt Later (HNDL) and makes long‑lived secrets—archives, backups, and email—especially at risk.
  • Microsoft has moved PQC into production components and announced general availability of quantum‑resistant features across key platforms. The platform cryptography library SymCrypt now includes support for these post‑quantum algorithms to secure Windows and cloud services.
  • Core, NIST‑selected algorithms in use are ML-KEM (for key exchange, formerly Crystals‑Kyber) and ML-DSA (for digital signatures, formerly Crystals‑Dilithium). These lattice‑based schemes provide quantum‑resistant key agreement and signing.
  • Microsoft recommends a careful rollout with phased deployment and hybrid deployments, running traditional and post‑quantum algorithms in parallel to validate performance, compatibility, and risk before full migration.
  • Practical steps now: inventory and classify cryptographic assets, prioritize long‑lived secrets, adopt crypto agility to enable fast swaps of algorithms, and where possible act on stop‑harvest now—reduce exposure by limiting data collection and encrypting critical data with quantum‑safe methods or layered protections.

Post-Quantum Cryptography Summary

Introduction

The following article summarizes a recent YouTube presentation by John Savill's [MVP] that explains Post-Quantum Cryptography and why organizations should prepare now. In clear chapters, the video walks viewers through the problem, the emerging PQC algorithms, recommended steps, and the crucial concept of Harvest Now, Decrypt Later. The presentation aims to translate complex cryptographic changes into practical guidance for IT teams. This summary highlights the main points and explores the tradeoffs and challenges organizations will face.

The Problem and Urgency

John Savill emphasizes that current public-key systems like RSA and elliptic curve cryptography will become vulnerable once powerful quantum computers arrive. In the meantime, adversaries can already collect encrypted traffic and store it for future decryption, a tactic known as Harvest Now, Decrypt Later. This threat drives urgency because data with long-term value, such as health records, intellectual property, or legal documents, could be exposed years from now. As a result, organizations must balance the uncertain quantum timeline against the real risk to archived data.

Moreover, Savill explains that symmetric primitives such as AES and SHA families are relatively resilient, so the immediate focus is on asymmetric algorithms used for key exchange and signatures. He points out that planning is sensible today because migrating complex systems later will be costly and error-prone. Thus, proactive preparation reduces future risk and smooths the path for technology upgrades. However, this preparation requires careful inventory and prioritization of sensitive assets.

Microsoft’s PQC Rollout

The video highlights Microsoft’s progress in making quantum-safe algorithms available across its platforms, noting general availability in Windows Server 2025, Windows 11, and .NET 10. In particular, Microsoft integrated standardized algorithms such as ML-KEM for key exchange and ML-DSA for digital signatures, reflecting NIST's selections. These additions are delivered through the SymCrypt library, which provides a common cryptographic foundation for Windows and Azure services. Consequently, enterprises that rely on Microsoft platforms gain a clearer migration path through vendor-supported primitives.

Savill stresses that Microsoft prefers a phased, hybrid approach instead of an abrupt cutover, combining classical and quantum-resistant algorithms during transition. This approach supports compatibility with legacy systems while enabling new, resistant primitives to be tested and validated. Early adoption windows extend through 2029 for broader implementation, giving organizations time to pilot changes. Nevertheless, timing and scope will vary by service, workload, and risk appetite.
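To make the hybrid idea concrete, the sketch below is an added example (not Microsoft's or SymCrypt's code, and not taken from the video) of a concatenation combiner: one session key is derived from both a classical and a post-quantum shared secret, so recorded traffic stays protected unless both exchanges are broken. The two secrets and the transcript are constructed stand-ins, and the names `hybrid_session_key` and `key_if_only_classical_recovered` are hypothetical.

```python
import hashlib
import hmac

def hkdf_sha256(salt, ikm, info, length=32):
    """HKDF (RFC 5869) extract-then-expand using HMAC-SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def _lp(data):
    # Length-prefix each input so ("ab", "c") and ("a", "bc") cannot collide.
    return len(data).to_bytes(4, "big") + data

def hybrid_session_key(classical_ss, pq_ss, transcript):
    """Derive one session key that depends on BOTH shared secrets."""
    if not classical_ss or not pq_ss:
        # Fail closed: never fall back silently to a single algorithm.
        raise ValueError("both shared secrets are required")
    ikm = _lp(classical_ss) + _lp(pq_ss)
    info = b"hybrid-kex-example" + hashlib.sha256(transcript).digest()
    return hkdf_sha256(b"\x00" * 32, ikm, info)

# Constructed stand-ins for the outputs of the two key exchanges.
CLASSICAL_SS = bytes(range(32))      # what the classical exchange would yield
PQ_SS = bytes(range(32, 64))         # what ML-KEM decapsulation would yield
TRANSCRIPT = b"constructed-client-share|constructed-server-share"

def key_if_only_classical_recovered(pq_guess=b"\x00" * 32):
    """Model a later break of the classical exchange alone: the attacker holds
    CLASSICAL_SS from recorded traffic but must still guess the PQ secret."""
    return hybrid_session_key(CLASSICAL_SS, pq_guess, TRANSCRIPT)

if __name__ == "__main__":
    real = hybrid_session_key(CLASSICAL_SS, PQ_SS, TRANSCRIPT)
    print("session key:", real.hex())
    print("classical-only recovery matches:", key_if_only_classical_recovered() == real)
```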

Tradeoffs: Performance, Compatibility, and Complexity

Transitioning to post-quantum algorithms involves clear tradeoffs, particularly around performance and message sizes. For example, lattice-based algorithms usually produce larger keys and signatures, which can increase bandwidth use and latency, especially on constrained devices. Therefore, teams must weigh the performance impact against security benefits and plan for hardware and network implications. In addition, cryptographic agility becomes essential so systems can switch algorithms if standards evolve.

Compatibility issues also create friction because certificate authorities, device firmware, and third-party services must support new algorithms for an end-to-end secure chain. This reality forces organizations to run hybrid modes or negotiate phased upgrades with vendors, which adds project complexity and testing overhead. Implementation risks include coding errors, side-channel vulnerabilities, and immature library support, so careful validation and review are crucial. Consequently, the cost of change includes engineering time, testing, and potential short-term performance tradeoffs.

Practical Steps and Planning

According to the video, the first practical step is to take inventory: map where cryptography is used, note key lifetimes, and identify data with long-term sensitivity. Next, organizations should classify risk and prioritize systems that protect archived or especially valuable data, since these are the highest priority for quantum-safe measures. Savill recommends enabling hybrid cryptography where possible so new connections use both classical and PQC algorithms, thereby preserving compatibility while gaining protection.

Additionally, teams should update cryptographic libraries, test workloads in controlled environments, and ensure that key management processes support rotation and multiple algorithm types. It is also important to engage vendors and cloud providers to confirm their PQC roadmaps, because supply-chain and third-party compatibility will shape overall success. Finally, ongoing monitoring and a plan to respond to new standards or discovered issues will keep the migration resilient and maintainable.
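The inventory and prioritization steps above can be turned into a repeatable triage. The following is an added example, not code from the video or from Microsoft: it reads a constructed inventory, classifies each algorithm using the families named in this article, and ranks Harvest Now, Decrypt Later exposure by data lifetime. The CSV columns, the usage values, and the function names are assumptions.

```python
import csv
import io

# Constructed sample inventory; assets and column names are illustrative only.
INVENTORY_CSV = """asset,usage,algorithm,data_lifetime_years
vpn-gateway,key_exchange,ECDH-P256,10
backup-archive,key_exchange,RSA-2048,25
code-signing,signature,RSA-3072,3
web-frontend,key_exchange,X25519+ML-KEM-768,2
mail-archive,key_exchange,RSA-2048,15
disk-encryption,bulk_encryption,AES-256,25
"""

# Families as described in the article: RSA/ECC are quantum-vulnerable,
# ML-KEM and ML-DSA are the replacements, AES and SHA remain largely safe.
FAMILIES = (("pqc", ("ML-KEM", "ML-DSA")),
            ("vulnerable", ("RSA", "ECDH", "ECDSA", "DH", "X25519")),
            ("symmetric", ("AES", "SHA")))
HARVESTABLE = {"key_exchange", "key_transport"}  # usages that protect confidentiality

def family(part):
    for name, prefixes in FAMILIES:
        if part.startswith(prefixes):
            return name
    return "unknown"

def classify(algorithm):
    """Return vulnerable, hybrid, pqc, symmetric or unknown for a '+'-joined suite."""
    fams = {family(p.strip()) for p in algorithm.upper().split("+")}
    if "unknown" in fams:
        return "unknown"
    if "pqc" in fams:
        return "hybrid" if "vulnerable" in fams else "pqc"
    return "vulnerable" if "vulnerable" in fams else "symmetric"

def triage(csv_text):
    """Rank assets: harvestable key exchange first, longest-lived data on top."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row["algorithm"])
        if status == "vulnerable" and row["usage"] in HARVESTABLE:
            tier, action = 0, "HNDL exposure: enable hybrid key exchange"
        elif status == "unknown":
            tier, action = 1, "unrecognized algorithm: review manually"
        elif status == "vulnerable":
            tier, action = 2, "plan migration to a PQC algorithm"
        else:
            tier, action = 3, "no asymmetric quantum exposure found"
        findings.append((tier, -int(row["data_lifetime_years"]), row["asset"], status, action))
    return [(asset, status, action) for _, _, asset, status, action in sorted(findings)]

if __name__ == "__main__":
    for asset, status, action in triage(INVENTORY_CSV):
        print(f"{asset:16} {status:11} {action}")
```

Signature keys rank below key exchange here because traffic recorded today can be decrypted later, whereas a signature can only be forged once a capable quantum computer exists.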

Challenges Ahead and Final Thoughts

In closing, John Savill’s presentation makes clear that the move to post-quantum cryptography is necessary but complex, and it will require cross-team coordination across security, infrastructure, and application owners. The biggest challenges are uncertainty about the quantum timeline, interoperability among diverse systems, and the resource cost of rigorous testing and migration. Nevertheless, incremental steps—such as inventory, hybrid deployments, and enabling cryptographic agility—can reduce risk without causing disruptive change.

Therefore, organizations do not need to panic, but they should act deliberately: prioritize long-lived secrets, test PQC in non-production environments, and align procurement and development plans with vendor roadmaps. By taking measured steps now, IT teams can limit the impact of future quantum threats while managing the tradeoffs inherent in a large-scale cryptographic transition. Overall, Savill’s video offers practical advice grounded in current Microsoft efforts and industry standards, helping viewers prepare for the next era of cryptographic change.
