Post-quantum cryptography: why Australian organisations need to act before quantum computers arrive
NIST has finalised the first post-quantum cryptography standards. Here's what that means for Australian organisations, what's at risk, and how to start your PQC readiness assessment.
In August 2024, NIST published the first finalised post-quantum cryptography (PQC) standards, ML-KEM, ML-DSA and SLH-DSA. This was a significant moment, and one that many Australian organisations have not yet registered. They should.
What is post-quantum cryptography?
Most of today's encryption relies on mathematical problems that are hard for classical computers to solve, specifically, large integer factorisation (used by RSA) and discrete logarithm problems (used by ECC). These underpin HTTPS, digital signatures, VPNs, and effectively every secure communications system in use today.
A sufficiently powerful quantum computer running Shor's algorithm would break both RSA and ECC cryptography. Not slowly, essentially instantly.
Post-quantum cryptography (PQC) refers to a new class of cryptographic algorithms designed to be secure against both classical and quantum attacks. They rely on mathematical problems that are believed to be hard even for quantum computers.
Why act now if quantum computers aren't here yet?
The attack that should concern most organisations is called "harvest now, decrypt later" (HNDL).
Adversaries, typically nation-state actors, are already harvesting encrypted data at scale. Intercepting and storing a TLS session or VPN connection doesn't require breaking the encryption today. It only requires storing the ciphertext and waiting until a quantum computer exists that can break it.
For data with a long sensitivity lifetime, medical records, defence intelligence, legal documents, long-term financial data, the threat is present now, not in the future.
What NIST's finalised standards mean
The publication of ML-KEM (for key encapsulation), ML-DSA (for digital signatures) and SLH-DSA (for hash-based signatures) removes one of the key blockers to action: uncertainty about which algorithms to migrate to.
Vendors are now implementing these standards. FIDO2, TLS 1.3, and major cloud providers are already integrating PQC. The migration path, while not trivial, is clearer than it was twelve months ago.
What Australian organisations should do now
Step 1: Cryptographic inventory Before you can migrate, you need to know what cryptography you're running. This means inventorying all systems, applications and data flows that use asymmetric cryptography, RSA, ECC, DH, and understanding where they sit in your architecture.
For most mid-size organisations, this alone is revealing. Many find significant use of legacy protocols and key lengths that were already marginal before the quantum threat was considered.
Step 2: Data sensitivity assessment Not all data needs immediate protection against HNDL attacks. Classify data by sensitivity lifetime, if the information will still be sensitive in ten years, it needs priority attention. If it's operational data with a 30-day sensitivity window, the urgency is lower.
Step 3: Vendor engagement Start asking your software and infrastructure vendors when they plan to support PQC. This pressure matters, it accelerates vendor roadmaps and gives you visibility into migration timelines before they become emergencies.
Step 4: Develop a migration roadmap A PQC migration roadmap prioritises systems by risk, maps vendor dependencies, and stages the migration to avoid operational disruption. For most organisations, this is a 2–5 year program.
What Pholarix does in this space
Our AI & Quantum Readiness service includes a structured PQC assessment covering cryptographic inventory, data sensitivity classification, HNDL risk profiling and a prioritised migration roadmap. The output is board-ready, designed for a CISO or CTO to present to leadership with a clear recommendation on investment and sequencing.
We don't oversell quantum risk. A lot of organisations are being told they need to act immediately across their entire estate. The reality is more nuanced, some data and systems need urgent attention, many don't. Our assessments are designed to give you an honest, prioritised picture rather than a licence to over-invest.
The NIST standards are finalised. The HNDL threat is real. The migration timeline is measured in years, not months, which means now is exactly the right time to start the planning work.
Contact Pholarix to discuss a PQC readiness assessment for your organisation.