Wednesday, April 1, 2026

The Quantum Security Race: Software vs. Hardware

I wrote about quantum computing's threat to encryption back in December. This post goes deeper on the two primary paths to Post-Quantum Cryptography (PQC): software and hardware.

Encryption protects everything: your bank transactions, your medical records, your company’s intellectual property, and the communications infrastructure that governments and militaries depend on. The public-key part of it rests on mathematical problems that classical computers cannot solve in any practical timeframe. Quantum computers change that equation. They do not simply run faster than classical machines; they operate on fundamentally different principles that turn a few specific hard problems, integer factoring and discrete logarithms among them, into tractable ones. The public-key standards that have secured the internet for decades, RSA and ECC, will not survive contact with a sufficiently powerful quantum computer. (Symmetric ciphers and hash functions such as AES and SHA-2 are only modestly weakened by Grover’s algorithm and survive with larger parameters.) The question is not whether this happens, but when. Most estimates put that date around 2035. The problem is that replacing encryption is not like patching software or upgrading a server. It requires identifying every system, device, protocol, and data store that relies on vulnerable cryptography, and migrating all of it to new standards. That process takes a decade or more even when organizations start immediately. Most have not started. The window to act in an orderly, cost-effective way is open now, but it will not stay open.

A cryptographically relevant quantum computer will break today’s widely used public-key encryption, and the most common estimates put that moment around 2035. The threat does not wait until then. Harvest Now, Decrypt Later (HNDL) attacks are happening now: adversaries intercept and store encrypted traffic today, betting they can decrypt it once quantum hardware matures. Any data that must stay confidential beyond that horizon (health records, long-lived secrets, classified material) therefore needs quantum-resistant protection before the machine exists, not after.

To understand the stakes, it helps to know what RSA and ECC actually are. RSA (Rivest-Shamir-Adleman, named for its three MIT inventors in 1977) remains the most common public-key algorithm in the certificates, digital signatures, and legacy key exchanges behind HTTPS, email, and VPNs. Its security rests on a simple fact: factoring the product of two very large prime numbers is computationally impractical for classical computers. A quantum computer running Shor’s algorithm factors such numbers in polynomial time and eliminates that protection entirely. ECC, Elliptic Curve Cryptography, is a more efficient alternative that provides equivalent security to RSA with much smaller keys. It is widely used in mobile devices, payment systems, TLS key exchange, and digital certificates precisely because it is lightweight. Its security depends on the difficulty of the elliptic curve discrete logarithm problem, which Shor’s algorithm also solves. Both are public-key systems, meaning they underpin the key exchange and the digital signatures that make authenticated, encrypted communication possible in the first place. When quantum computers can crack them, the foundation of modern digital security fails.

Organizations need to move to Post-Quantum Cryptography (PQC). Two paths exist: software and hardware.

Software-based PQC means implementing the NIST-selected algorithms at the application, library, or OS layer: CRYSTALS-Kyber, now standardized as ML-KEM under FIPS 203, for key establishment, and CRYSTALS-Dilithium, standardized as ML-DSA under FIPS 204, for signatures. Both rest on structured-lattice problems for which no efficient classical or quantum algorithm is known. Deployment lags the standards: among the top 1,000 websites, PQC support averages just 21.9%, dropping to 8.4% for the top 100,000, and only 3% of banking websites currently support it. The practical management approach is “crypto agility”, a modular architecture that keeps algorithm choice behind one interface and in configuration, so you can swap algorithms as standards evolve without rebuilding from scratch. In practice that also means deploying hybrids that pair a classical and a post-quantum algorithm (TLS 1.3’s X25519MLKEM768 group is the common example), so that an unexpected flaw in a young PQC algorithm does not expose traffic on its own.
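As an added example (mine, not code from the post or from any vendor named in it), here is the agility seam described above in Go, using the standard library’s ML-KEM-768 from `crypto/mlkem` (Go 1.24 or later) beside a classical X25519 suite wrapped in the same interface. The `KEM` interface, the `Suites` registry and `Exchange` are illustrative names I chose; swapping the deployed suite is a one-line change to the map, which is the whole point of the pattern.

```go
package main

import (
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"fmt"
)

// KEM is the agility seam: keys and ciphertexts are opaque bytes, so callers pick
// a suite by name from Suites and never touch algorithm-specific types.
type KEM interface {
	GenerateKey() (priv, pub []byte, err error)
	Encapsulate(pub []byte) (ss, ct []byte, err error)
	Decapsulate(priv, ct []byte) (ss []byte, err error)
}

// mlkem768 is ML-KEM-768 (FIPS 203) straight from Go's standard library.
type mlkem768 struct{}

func (mlkem768) GenerateKey() ([]byte, []byte, error) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, err
	}
	return dk.Bytes(), dk.EncapsulationKey().Bytes(), nil // priv is the 64-byte seed
}
func (mlkem768) Encapsulate(pub []byte) ([]byte, []byte, error) {
	ek, err := mlkem.NewEncapsulationKey768(pub) // rejects malformed keys
	if err != nil {
		return nil, nil, err
	}
	ss, ct := ek.Encapsulate()
	return ss, ct, nil
}
func (mlkem768) Decapsulate(priv, ct []byte) ([]byte, error) {
	dk, err := mlkem.NewDecapsulationKey768(priv)
	if err != nil {
		return nil, err
	}
	return dk.Decapsulate(ct) // a tampered ct yields an unrelated key (implicit rejection), not an error
}

// x25519 wraps classical ECDH in the same interface; the "ciphertext" is an
// ephemeral public key. This is the suite Shor's algorithm breaks.
type x25519 struct{}

func (x25519) GenerateKey() ([]byte, []byte, error) {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return k.Bytes(), k.PublicKey().Bytes(), nil
}
func (x x25519) Encapsulate(pub []byte) ([]byte, []byte, error) {
	ephPriv, ephPub, err := x.GenerateKey()
	if err != nil {
		return nil, nil, err
	}
	ss, err := x.Decapsulate(ephPriv, pub) // DH is symmetric: same step on both sides
	return ss, ephPub, err
}
func (x25519) Decapsulate(priv, ct []byte) ([]byte, error) {
	k, err := ecdh.X25519().NewPrivateKey(priv)
	if err != nil {
		return nil, err
	}
	remote, err := ecdh.X25519().NewPublicKey(ct)
	if err != nil {
		return nil, err
	}
	return k.ECDH(remote)
}

// Suites is the one place that names algorithms: retiring x25519 later is an edit
// here, not a rewrite of every caller. A hybrid X25519+ML-KEM suite (what TLS 1.3
// deploys as X25519MLKEM768) would be a third entry that runs both and concatenates.
var Suites = map[string]KEM{
	"mlkem768": mlkem768{},
	"x25519":   x25519{},
}

// Exchange runs one key establishment under the named suite and returns the
// sender's and the recipient's shared secret (which must match) and the ciphertext.
func Exchange(suite string) (senderSS, recipientSS, ct []byte, err error) {
	kem, ok := Suites[suite]
	if !ok {
		return nil, nil, nil, fmt.Errorf("unknown suite %q", suite)
	}
	priv, pub, err := kem.GenerateKey()
	if err != nil {
		return nil, nil, nil, err
	}
	if senderSS, ct, err = kem.Encapsulate(pub); err != nil {
		return nil, nil, nil, err
	}
	recipientSS, err = kem.Decapsulate(priv, ct)
	return senderSS, recipientSS, ct, err
}
```

Two things worth noticing when you run `Exchange("mlkem768")` next to `Exchange("x25519")`: the ML-KEM-768 ciphertext is 1088 bytes against 32 for X25519, which is the size cost that shows up in handshake packets and on constrained links; and a corrupted ML-KEM ciphertext decapsulates without any error to an unrelated key (FIPS 203 implicit rejection), so a protocol built on it must confirm the key through a MAC or handshake transcript rather than wait for an error.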

Software has limits. It can be too slow or too power-hungry for constrained environments, which is where hardware-based PQC comes in. Embedding the algorithms directly in silicon is faster and more energy-efficient, and a secure element can also keep private keys out of reach of the application processor. It matters most for the roughly 20 billion IoT devices deployed worldwide, many of which lack the memory, power budget, or update path to run PQC in software. SEALSQ launched the QS7001 in late 2025, billed as the first chip to embed NIST-standardized PQC algorithms at the hardware level. Samsung developed the S3SSE2A, its own hardware PQC security chip targeting IoT devices and industrial sensors. The trade-off is agility: an algorithm baked into silicon cannot be patched or replaced the way a library can, so a hardware design needs side-channel-hardened implementations and a firmware path for parameter and algorithm updates.

The migration timeline is the sobering part. Major cryptographic migrations take more than a decade, and history makes that concrete. The Data Encryption Standard (DES), adopted by the US government in 1977, was the dominant symmetric encryption algorithm for two decades. By the late 1990s it was demonstrably breakable (a purpose-built machine recovered a DES key in days in 1998), and NIST ran a competition to replace it. The winner, the Advanced Encryption Standard (AES), was standardized in 2001. Despite DES being publicly compromised, the full industry migration from DES to AES took roughly 16 years. The same pattern held for cryptographic hash functions: retiring MD5 in favor of the SHA family took about 10 years even with clear technical justification. PQC is a more complex transition than either of those, touching more layers of the stack, more device types, and more legacy infrastructure.

The White House estimates the federal government alone will spend $7.1 billion on PQC migration between 2025 and 2035. Software and hardware solutions are not competing; they address different constraints in the same stack.