For the past three decades, public-key cryptography has been the bedrock of information security. RSA, ECC, and Diffie-Hellman underpin TLS, code signing, VPNs, digital certificates, and virtually every authenticated session on the internet. These algorithms are trusted not because they are mathematically proven secure, but because breaking them with classical computers would require more computational time than the universe has existed.
Quantum computers change that equation — not incrementally, but categorically. This article explains how, which specific algorithms are at risk, what NIST has standardized to replace them, and how this topic shows up on the CISSP exam and in real-world cryptographic architecture decisions.
Why Quantum Computing Breaks Public-Key Cryptography
Classical computers work in bits — each one is a 0 or a 1. Quantum computers use qubits, which exploit quantum mechanical properties to exist in superpositions of both states simultaneously. This doesn't make quantum computers universally faster — they excel at specific problem types, and the integer factoring and discrete logarithm problems that public-key cryptography depends on happen to be among them.
Shor's Algorithm: The Core Threat
In 1994, mathematician Peter Shor published an algorithm that can factor large integers in polynomial time on a quantum computer. This is devastating for public-key cryptography because RSA's entire security model rests on the assumption that factoring the product of two large primes is computationally infeasible.
On a classical computer, factoring a 2048-bit RSA key would take longer than the age of the universe. On a sufficiently large quantum computer running Shor's algorithm, the same key could theoretically be broken in hours. The same vulnerability applies to Diffie-Hellman and elliptic curve cryptography — both rely on mathematical problems (discrete logarithms) that Shor's algorithm also solves efficiently.
Grover's Algorithm: The Symmetric Threat
Grover's algorithm provides a quadratic speedup for searching unstructured data — which means it can brute-force symmetric keys in roughly the square root of the classical time. AES-128 effectively drops to 64-bit security against a quantum adversary. The countermeasure is straightforward: AES-256 is considered quantum-safe because its effective key length under Grover's attack is still 128 bits — well beyond practical attack range.
| Algorithm | Type | Classical Security | Quantum Threat | Status |
|---|---|---|---|---|
| RSA-2048 | Asymmetric | 128-bit effective | Broken by Shor's | ⚠ Vulnerable |
| ECC-256 | Asymmetric | 128-bit effective | Broken by Shor's | ⚠ Vulnerable |
| Diffie-Hellman | Key Exchange | Varies | Broken by Shor's | ⚠ Vulnerable |
| AES-128 | Symmetric | 128-bit | ~64-bit (Grover's) | ⚡ Weakened |
| AES-256 | Symmetric | 256-bit | ~128-bit (Grover's) | ✓ Resistant |
| SHA-256 | Hash | 256-bit | Minimal impact | ✓ Resistant |
| SHA-3 | Hash | Variable | Minimal impact | ✓ Resistant |
Harvest Now, Decrypt Later: The Present Threat
The most commonly misunderstood aspect of the quantum cryptography threat is the timeline. Most security professionals assume quantum computers capable of breaking RSA are still a decade or more away — and that may be true. But nation-state adversaries and sophisticated threat actors are not waiting.
"You don't need a quantum computer to be harmed by quantum computing. You just need an adversary who is collecting your encrypted traffic today."
The "harvest now, decrypt later" strategy — also called SNDL (Store Now, Decrypt Later) — involves capturing encrypted communications in bulk today, with the intent to decrypt them once quantum hardware is capable. For data with a confidentiality lifespan of 10–20 years (classified government data, medical records, long-term financial contracts, intellectual property), this is not a theoretical concern. It is an active operational threat.
NIST Post-Quantum Cryptography Standards
The National Institute of Standards and Technology spent seven years running a global competition to evaluate and standardize post-quantum cryptographic algorithms. In 2024, NIST finalized the first three post-quantum standards — and CISSP candidates should know them by name and category.
The Finalized Standards (FIPS 203, 204, 205)
- ML-KEM (FIPS 203) — Module-Lattice-Based Key Encapsulation Mechanism, derived from CRYSTALS-Kyber. This is the primary algorithm for key establishment and key exchange. It replaces Diffie-Hellman and RSA key encapsulation.
- ML-DSA (FIPS 204) — Module-Lattice-Based Digital Signature Algorithm, derived from CRYSTALS-Dilithium. This is the primary algorithm for digital signatures. It replaces RSA and ECDSA for authentication and signing.
- SLH-DSA (FIPS 205) — Stateless Hash-Based Digital Signature Algorithm, derived from SPHINCS+. This is a hash-based backup algorithm for digital signatures, with different security properties than lattice-based algorithms.
Why Lattice-Based Cryptography?
Most of the NIST winners are based on the hardness of lattice problems — specifically the Learning With Errors (LWE) problem, in its module variant (hence the "ML" prefix). Unlike RSA's reliance on integer factoring or ECC's reliance on discrete logarithms, LWE has no known efficient quantum algorithm: Shor's period-finding approach does not apply to it. The mathematical foundations are fundamentally different, and they appear robust against both classical and quantum attacks.
Crypto Agility and Migration Planning
Post-quantum migration is not a single switch to flip. Organizations running RSA and ECC are embedded across certificate authorities, TLS configurations, code signing pipelines, VPN endpoints, authentication tokens, and encrypted storage. A CISSP-level security architect needs to approach this as a multi-year program, not a patch.
The Concept of Crypto Agility
Crypto agility is the ability of a system to rapidly switch cryptographic algorithms without significant architectural rework. It is the property that makes post-quantum migration manageable rather than catastrophic. Systems designed with hard-coded cryptographic dependencies — where the algorithm is baked into the protocol or implementation — will require full replacement. Systems designed with crypto agility can update the algorithm while keeping surrounding infrastructure intact.
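The following Python sketch is an added example, not code from the original article, showing what crypto agility looks like in code: the hybrid suite is chosen from a registry by name at negotiation time rather than hard-coded, and the two key-exchange secrets are combined so that the session key depends on both, which is the "hybrid approach" the migration steps below describe. Assumptions made here and not in the article: the suite names mirror the TLS hybrid key-exchange drafts but the registry and HKDF-based combiner are an illustrative design rather than the TLS 1.3 key schedule, and because the Python standard library ships neither X25519 nor ML-KEM, the shared secrets and ciphertexts are constructed stand-ins.

```python
"""Crypto-agile hybrid key derivation.

Added example, not code from the original article. Assumptions: the shared secrets
and ciphertexts are constructed stand-ins for X25519 and ML-KEM-768 outputs (the
standard library ships neither), and the suite registry and HKDF combiner are an
illustrative design, not the TLS 1.3 key schedule.
"""
import hashlib
import hmac
from dataclasses import dataclass


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


@dataclass(frozen=True)
class HybridSuite:
    name: str             # wire identifier negotiated between peers
    classical_ss_len: int  # expected length of the classical (ECDH) shared secret
    pq_ss_len: int         # expected length of the post-quantum (KEM) shared secret


# Registry of supported suites. Adding or retiring a suite is a registry change;
# nothing below hard-codes an algorithm, which is the crypto-agility property.
SUITES = {
    "X25519MLKEM768": HybridSuite("X25519MLKEM768", 32, 32),
    "SecP256r1MLKEM768": HybridSuite("SecP256r1MLKEM768", 32, 32),
}


def negotiate(client_preference, server_supported):
    """Pick the first client-preferred suite that the server also supports."""
    for name in client_preference:
        if name in server_supported and name in SUITES:
            return name
    raise ValueError("no mutually supported hybrid suite")


def combine(suite_name, ss_classical, ss_pq, ct_classical, ct_pq, length=32):
    """Derive a session key that depends on BOTH shared secrets.

    An adversary who later breaks the classical half with Shor's algorithm still
    faces the full ML-KEM secret, and vice versa should a lattice attack appear.
    """
    suite = SUITES[suite_name]  # KeyError here means an unsupported suite was offered
    if len(ss_classical) != suite.classical_ss_len or len(ss_pq) != suite.pq_ss_len:
        raise ValueError("shared secret length does not match suite")
    ikm = ss_classical + ss_pq
    # Bind the suite name and both ciphertexts so the key is tied to this transcript;
    # a substituted suite or ciphertext derives a different key and the handshake fails.
    transcript = hashlib.sha256(suite.name.encode() + ct_classical + ct_pq).digest()
    prk = hkdf_extract(transcript, ikm)
    return hkdf_expand(prk, b"hybrid session key", length)


def example_session():
    """One handshake with constructed values (not real X25519 or ML-KEM output)."""
    ss_classical = bytes.fromhex("11" * 32)  # constructed stand-in for the X25519 shared secret
    ss_pq = bytes.fromhex("22" * 32)         # constructed stand-in for the ML-KEM-768 shared secret
    ct_classical = b"constructed-x25519-key-share"
    ct_pq = b"constructed-mlkem768-ciphertext"
    suite = negotiate(["X25519MLKEM768", "SecP256r1MLKEM768"], {"X25519MLKEM768"})
    return combine(suite, ss_classical, ss_pq, ct_classical, ct_pq)


if __name__ == "__main__":
    print(example_session().hex())
```

Retiring the classical half later, or adding a new post-quantum suite, touches only the `SUITES` registry and the negotiation preference list; the combiner and transcript binding stay as they are. That is what turns a post-quantum migration into a configuration change instead of a protocol rewrite.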
1. Cryptographic inventory. Catalog every system, protocol, and library that uses public-key cryptography. You cannot migrate what you cannot find. Certificate management tools and network scanning can surface most of this.
2. Data sensitivity triage. Classify data by required confidentiality lifespan. Anything that must remain confidential past 2030 is a priority candidate for immediate migration or hybrid encryption.
3. Hybrid approach for high-risk systems. Run classical and post-quantum algorithms in tandem — so that breaking either one is insufficient to compromise the session. TLS 1.3 hybrid key exchange is already supported in most major browsers and servers.
4. Vendor and supply chain pressure. Identify which third-party systems and vendors have post-quantum roadmaps. Certificate authorities, HSM vendors, and cloud providers are the first movers to prioritize.
5. Update cryptographic policies. Information security policies that name specific algorithms (e.g., "RSA-2048 minimum") need sunset dates and migration triggers added to their acceptable use standards.
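To make the inventory and triage steps concrete, here is an added Python example (not the article's own code) that reads a small cryptographic inventory, classifies each entry using the vulnerable/weakened/resistant categories from the table above, and ranks it by whether its data must stay confidential past the 2030 horizon. The inventory rows, asset names, priority labels and the assessment year are constructed for this example; a real inventory would be fed from certificate management and scanning output.

```python
"""Cryptographic inventory triage for post-quantum migration planning.

Added example, not code from the original article. The inventory rows, asset names,
priority labels and assessment year are constructed for illustration; the 2030
horizon and the exposure classes follow the article's table and migration steps.
"""
import csv
import io

MIGRATION_HORIZON = 2030  # data that must stay confidential past this year is a priority

# Public-key primitives whose hardness assumption Shor's algorithm defeats.
SHOR_BROKEN = {"RSA", "DSA", "DH", "DHE", "ECDSA", "ECDH", "ECDHE", "X25519", "ED25519"}
# Symmetric ciphers and hashes: Grover's search halves the effective security level.
GROVER_HALVED = {"AES", "CHACHA20", "SHA-256", "SHA-384", "SHA-512", "SHA-3"}


def classify(algorithm, key_bits):
    """Return (status, effective bits against a quantum adversary) for one primitive."""
    name = algorithm.upper()
    if name in SHOR_BROKEN:
        return "vulnerable", 0  # no meaningful security once Shor's runs at scale
    if name in GROVER_HALVED:
        effective = key_bits // 2
        return ("resistant" if effective >= 128 else "weakened"), effective
    return "unknown", None  # inventory gap: manual review, never silent approval


def priority(status, confidentiality_years, assessment_year):
    """Map exposure class and data lifespan to a migration priority label."""
    outlives_horizon = assessment_year + confidentiality_years > MIGRATION_HORIZON
    if status == "vulnerable":
        # Harvest-now-decrypt-later: long-lived data behind Shor-broken keys goes first.
        return "P1-migrate-or-hybrid-now" if outlives_horizon else "P2-plan-migration"
    if status == "weakened":
        return "P2-raise-key-size" if outlives_horizon else "P3-monitor"
    if status == "unknown":
        return "P2-identify"
    return "P4-no-action"


def triage(inventory_csv, assessment_year):
    """Parse a CSV inventory and return rows ranked by migration priority."""
    rows = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        status, effective = classify(rec["algorithm"], int(rec["key_bits"]))
        rows.append({
            "asset": rec["asset"],
            "algorithm": rec["algorithm"],
            "status": status,
            "effective_bits": effective,
            "priority": priority(status, int(rec["confidentiality_years"]), assessment_year),
        })
    rows.sort(key=lambda r: r["priority"])  # P1 first; the label prefix orders them
    return rows


# Constructed sample inventory: not real hosts, keys or findings.
SAMPLE_INVENTORY = """asset,algorithm,key_bits,confidentiality_years
vpn-gw-01,RSA,2048,15
api-edge,ECDHE,256,1
records-archive,AES,128,25
backup-kms,AES,256,25
code-signing-ca,ECDSA,256,10
legacy-appliance,PROPRIETARY,0,5
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, assessment_year=2025):
        print(f"{row['priority']:<26} {row['asset']:<18} {row['algorithm']:<12} "
              f"effective_bits={row['effective_bits']}")
```

The "unknown" branch matters as much as the rankings: an entry the classifier cannot place is an inventory gap, and the script surfaces it as work to do rather than quietly treating it as safe.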
How This Maps to the CISSP Exam
Quantum computing and post-quantum cryptography appear primarily in Domain 3 (Security Architecture and Engineering), but the implications touch multiple domains. Here's how the topic surfaces in different exam contexts:
- Domain 3 — Algorithm selection: Scenario questions may present a long-term data protection requirement and ask you to identify the most appropriate cryptographic approach. Knowing which current algorithms are quantum-vulnerable and which NIST alternatives exist is directly testable.
- Domain 1 — Risk management: Harvest-now-decrypt-later represents a current, documented threat that must factor into risk assessments for sensitive data. Understanding the threat model is part of competent risk identification.
- Domain 5 — IAM and PKI: Certificate authorities and digital signatures are among the most exposed systems. Post-quantum migration of PKI infrastructure is an architecture and governance problem, not just a technical one.
- Domain 7 — Security operations: Cryptographic monitoring, key lifecycle management, and incident response planning for potential quantum-era breaches all have operational dimensions.
The Bottom Line for Security Professionals
Quantum computing is not a threat that will announce itself. There will be no single moment when RSA breaks and the internet goes down. What will happen — and in some cases is already happening — is that encrypted data captured today is being held by adversaries who will decrypt it when capability permits.
The CISSP credential marks you as someone who understands security at a strategic level. That means understanding this threat class, knowing what NIST has standardized to address it, and being able to advise organizations on migration priorities and crypto agility — not just knowing that quantum computers exist.
The algorithms are changing. The question for every organization is whether they will manage that transition on their own timeline or be forced to react to it.