- NIST finalized ML-KEM, ML-DSA, and SLH-DSA in August 2024 — government agencies must support PQC by 2030, and vendor timelines are now locked in.
- "Harvest Now, Decrypt Later" attacks are happening today — adversaries are stockpiling your TLS traffic to decrypt once quantum computers arrive, making long-lived secrets already at risk.
- Production-ready libraries exist right now — BouncyCastle 1.78+ (Java), liboqs, and OpenSSL 3.x all support the finalized NIST algorithms, so you can begin migrating non-production systems immediately.
The quantum deadline is no longer abstract. In August 2024, NIST published three finalized post-quantum cryptographic standards that replace RSA and elliptic-curve cryptography for most use cases. Meanwhile, nation-state actors are almost certainly running "harvest now, decrypt later" campaigns — collecting encrypted traffic today with the intention of decrypting it once sufficiently powerful quantum hardware arrives. If your application protects data that must stay secret for more than five years, the migration clock is already ticking.
What Changed: NIST's Three Finalized Standards
After an eight-year standardization process, NIST published three Federal Information Processing Standards in August 2024. These are not drafts or experimental algorithms — they are production standards with full government backing and a clear mandate for adoption.
FIPS 203 (ML-KEM), based on CRYSTALS-Kyber, is the primary key-encapsulation mechanism replacing RSA and ECDH for encrypting data in transit. It is lattice-based and is considered the workhorse of the PQC transition — TLS, SSH, and VPN protocols are all being updated to support it. FIPS 204 (ML-DSA), based on CRYSTALS-Dilithium, is the primary digital signature algorithm replacing RSA-PSS and ECDSA for signing. FIPS 205 (SLH-DSA), based on SPHINCS+, is a hash-based signature algorithm included as a conservative alternative whose security relies only on the hardness of hash functions rather than lattice problems.
A fourth standard, FIPS 206 (FN-DSA), based on FALCON, was finalized shortly after. Its smaller signature sizes make it attractive for constrained environments like IoT firmware signing, though it is more complex to implement safely due to its reliance on floating-point arithmetic.
| Standard | Replaces | Public Key Size | Ciphertext / Sig Size | Primary Use |
|---|---|---|---|---|
| ML-KEM-768 (FIPS 203) | ECDH / RSA-2048 | 1,184 bytes | 1,088 bytes (ciphertext) | Key exchange / TLS |
| ML-DSA-65 (FIPS 204) | ECDSA-P256 / RSA-PSS | 1,952 bytes | 3,309 bytes (signature) | Code signing / Auth |
| SLH-DSA-128f (FIPS 205) | RSA / ECDSA | 32 bytes | 17,088 bytes (signature) | Conservative backup |
| RSA-2048 (classical) | — | 256 bytes | 256 bytes | Both (quantum-vulnerable) |
The size differences are significant. ML-KEM public keys are roughly 4.6× larger than RSA-2048 keys, and ML-DSA signatures are 13× larger than their ECDSA equivalents. Applications that embed certificates in firmware, cache JWTs, or operate under strict bandwidth budgets will need to account for this overhead.
The "Harvest Now, Decrypt Later" Threat Is Not Hypothetical
The most pressing reason to act now is not that quantum computers can break your encryption today — it is that adversaries do not need to wait. Network traffic intercepted and stored today remains just as usable once quantum hardware arrives, even if that is five or ten years from now. This strategy, known as "harvest now, decrypt later" (HNDL), is considered highly likely to be running at nation-state scale against high-value targets.
Consider what this means in practice: a TLS session key negotiated with ECDH today protects data only until a cryptographically relevant quantum computer (CRQC) exists. If your application transmits medical records, financial data, authentication credentials, intellectual property, or anything with a multi-year confidentiality requirement, that data's security window may already be shorter than its required retention period. The NSA's Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) guidance explicitly acknowledges this risk and mandates that US national security systems complete the transition to PQC algorithms by 2030 for most use cases, and by 2033 for the most sensitive.
For most commercial developers, the practical implication is: key exchange should be migrated first, because that's where HNDL attacks land. Signature algorithm migration is also important (for code signing, certificate authorities, and auth tokens), but the urgency is slightly lower since a stored signature cannot be "decrypted" retroactively in the same way a session can be.
Practical Migration: Starting With Java and BouncyCastle
The good news is that production-grade libraries are ready today. In the Java ecosystem, BouncyCastle 1.78+ (released in 2024) ships a full implementation of all four NIST PQC standards. Here is a minimal example of ML-KEM-768 key generation and encapsulation using the BouncyCastle provider:
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider;
import javax.crypto.KeyAgreement;
import java.security.*;
public class MlKemExample {
static {
Security.addProvider(new BouncyCastleProvider());
Security.addProvider(new BouncyCastlePQCProvider());
}
public static void main(String[] args) throws Exception {
// Recipient generates key pair
KeyPairGenerator kpg = KeyPairGenerator.getInstance("ML-KEM", "BCPQC");
kpg.initialize(new org.bouncycastle.pqc.jcajce.spec.KyberParameterSpec(
org.bouncycastle.pqc.jcajce.spec.KyberParameterSpec.kyber768
));
KeyPair recipientKeyPair = kpg.generateKeyPair();
// Sender encapsulates a shared secret using recipient's public key
KeyAgreement ka = KeyAgreement.getInstance("ML-KEM", "BCPQC");
ka.init(recipientKeyPair.getPublic());
ka.doPhase(null, true);
byte[] senderSharedSecret = ka.generateSecret();
// Recipient decapsulates to recover the same shared secret
ka.init(recipientKeyPair.getPrivate());
byte[] recipientSharedSecret = ka.generateSecret();
System.out.println("Shared secret match: " +
java.util.Arrays.equals(senderSharedSecret, recipientSharedSecret));
}
}In your pom.xml, add BouncyCastle 1.78+:
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk18on</artifactId>
<version>1.78.1</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk18on</artifactId>
<version>1.78.1</version>
</dependency>For TLS specifically, you cannot yet simply flip a flag to enable ML-KEM in standard Java TLS — the JSSE provider does not yet ship ML-KEM support natively. The recommended interim approach is a hybrid key exchange: combine X25519 (classical ECDH) with ML-KEM-768 so that the session is secure even if one algorithm is broken. Several TLS libraries support this as X25519MLKEM768 already, including Go's standard library (via the crypto/tls MLKEM experiment flag) and recent versions of OpenSSL 3.x.
Building a Crypto-Agile Architecture
The single most important architectural pattern for PQC migration is crypto-agility: designing your system so that the cryptographic algorithm is a configuration choice, not a hardcoded implementation detail. This means abstracting your crypto operations behind an interface layer, storing the algorithm identifier alongside encrypted data (so old records can be identified and re-encrypted), and never hardcoding key sizes or algorithm names in binary formats or database schemas.
A practical migration plan for most applications looks like this: First, inventory your crypto surface — find every place you use RSA, ECDH, or ECDSA (TLS configs, JWT signing, database field encryption, file signing, inter-service calls). Second, migrate key exchange first on your highest-risk data paths, using hybrid mode (classical + PQC) so you do not sacrifice security during the transition. Third, migrate signatures for code signing, certificate chains, and long-lived auth tokens. Finally, plan for certificate rotation: your CA infrastructure will need to issue ML-DSA or FN-DSA certificates, which most CAs are piloting in 2025-2026.
The Bottom Line
Post-quantum cryptography is not a future concern — the standards are final, the libraries are production-ready, and the threat model (harvest now, decrypt later) means your long-lived secrets are potentially already at risk. Start with an inventory of your application's cryptographic surface, migrate key exchange to hybrid classical+ML-KEM on your most sensitive data paths, and design your new systems with crypto-agility as a first-class requirement. The 2030 government deadline is a useful forcing function even for commercial teams: the ecosystem of compliant hardware security modules, certificate authorities, and TLS implementations will be mature by then, making migration far easier if you have already done your internal groundwork.
Further Reading
- NIST Post-Quantum Cryptography project (csrc.nist.gov/projects/post-quantum-cryptography): Official home of FIPS 203, 204, 205, and 206 — includes the full standard documents, implementation notes, and FAQ
- NSA CNSA 2.0 Cybersecurity Advisory: Details the US government's PQC migration requirements and timelines for national security systems, useful as a benchmark even for commercial teams
- BouncyCastle PQC Documentation (bouncycastle.org): API reference and examples for ML-KEM, ML-DSA, SLH-DSA, and FN-DSA in Java and C#
- IETF Hybrid Key Exchange in TLS 1.3 (draft-ietf-tls-hybrid-design): The in-progress RFC defining how to combine classical and post-quantum algorithms in TLS handshakes without sacrificing backward compatibility