
Transitioning organizations to post-quantum cryptography


Quantum computers are expected to break modern public key cryptography owing to Shor’s algorithm. As a result, these cryptosystems need to be replaced by quantum-resistant algorithms, also known as post-quantum cryptography (PQC) algorithms. The PQC research field has flourished over the past two decades, leading to the creation of a large variety of algorithms that are expected to be resistant to quantum attacks. These PQC algorithms are being selected and standardized by several standardization bodies. However, even with the guidance from these important efforts, the danger is not gone: there are billions of old and new devices that need to transition to the PQC suite of algorithms, leading to a multidecade transition process that has to account for aspects such as security, algorithm performance, ease of secure implementation, compliance and more. Here we present an organizational perspective of the PQC transition. We discuss transition timelines, leading strategies to protect systems against quantum attacks, and approaches for combining pre-quantum cryptography with PQC to minimize transition risks. We suggest standards to start experimenting with now and provide a series of other recommendations to allow organizations to achieve a smooth and timely PQC transition.


Fig. 1: Post-quantum cryptography timeline.
Fig. 2: NIST post-quantum cryptography process timeline.
Fig. 3: NIST post-quantum cryptography algorithm performance.

Data availability

The datasets analysed in the report are available from SUPERCOP. Data are provided with this paper.



Author information




D.J., R.M. and M.M. drafted the paper and provided technical expertise. J.T., F.D.P., O.L., P.V. and S.L. participated in extensive discussions, providing business and organizational perspectives and edits, and J.H. and R.H. drove the project from an executive level, helping to gather resources, provide direction and edit the manuscript. A substantial part of this paper was written while all the authors were a part of Alphabet.

Corresponding author

Correspondence to David Joseph.

Ethics declarations

Competing interests

The authors declare no competing interests.

Peer review

Peer review information

Nature thanks Tanja Lange and the other, anonymous, reviewer(s) for their contribution to the peer review of this work.


About this article


Cite this article

Joseph, D., Misoczki, R., Manzano, M. et al. Transitioning organizations to post-quantum cryptography. Nature 605, 237–243 (2022).
