Quantum Computing Threats- A Guide for Cyber Security Auditors on Post-Quantum Cryptography.pdf

The Quantum Threat
Quantum computers are not yet fully mature, but the threat is real. They promise to tackle
certain problems in new ways which changes the security landscape for public-key
cryptography.
 How quantum computers break RSA and ECC encryption
RSA and ECC rely on hard mathematical problems: factoring large numbers (RSA), or solving
discrete logarithms on elliptic curves (ECC). A sufficiently capable quantum computer can solve
these in feasible time, undermining the security.
 Shor’s algorithm explained
Shor’s algorithm is a quantum algorithm that factors integers and solves discrete logs in
polynomial time. In essence, it turns what is classically intractable into something efficiently
solvable on a quantum machine rendering RSA/ECC useless against it.
 When quantum computers become a real threat
Estimates vary, but many in the research community see a cryptographically relevant quantum
computer emerging toward the late 2020s. Some national guidance (e.g. from Australia’s ACSC)
already treats 2030 as a deadline to retire vulnerable cryptography.
If adversaries harvest encrypted traffic today and can decrypt it later, long-term secrets (e.g.
personal data, IP, health, financial records) become exposed. Systems that rely on digital
signatures (software updates, certificate chains) also break. The impact spans confidentiality,
integrity, authentication.
Explore our strategy on NIST CSF Cybersecurity.
What is Post-Quantum Cryptography?
Post-quantum cryptography is an emerging class of algorithms. It aims to resist attacks by both
classical and quantum computers. It enables us to replace vulnerable schemes before quantum
machines arrive.

PQC refers to public-key encryption, key exchange, and signature schemes based on
mathematical problems not easily solved by quantum algorithms. These include lattice
problems, hash-based schemes, code-based, multivariate, etc.
Key difference from current cryptography is that PQC algorithms do not rely on factoring or
discrete logarithms. They are designed from hardness assumptions believed to hold even in the
quantum era. They tend to have larger keys, different performance trade-offs, and require new
implementations.
NIST’s standardization process and recent selections ran a multi-year competition and review
process to pick quantum-resistant schemes. By 2024, it had selected a small number of
algorithms for standardisation in encryption and signatures. These will serve as a foundation
for future secure systems.
NIST’s Post-Quantum Standards (2024)
NIST’s choices define what many organisations will adopt. Understanding them helps auditors
assess how well migration is proceeding. Let’s look at the key algorithms.
 CRYSTALS-Kyber (now ML-KEM) – for encryption
CRYSTALS-Kyber, renamed ML-KEM, is selected for quantum-resistant key encapsulation. It’s
efficient among lattice-based schemes and offers good performance in many environments.
 CRYSTALS-Dilithium (now ML-DSA) – for digital signatures
CRYSTALS-Dilithium is renamed ML-DSA and is a lattice-based digital signature scheme. It
balances signature size, verification cost, and robustness under current analysis.
 SPHINCS+ (now SLH-DSA) – for signatures
SPHINCS+, now SLH-DSA, is a stateless hash-based signature scheme. While slower, it offers
strong assurances and diversity: it relies on different hardness assumptions than lattice
schemes.
 Why these algorithms are quantum-resistant

They rely on hard problems like module-lattice shortest vector problems (for Kyber and
Dilithium) or cryptographic hash function chains (for SPHINCS+). To date, no efficient quantum
algorithm is known to break them reliably, unlike Shor’s algorithm for factoring or discrete logs.
Why CEOs should acquire knowledge on cyber security.
Implementation Challenges
Moving to PQC is not trivial. There are many engineering and operational hurdles. Cyber
security auditors must be aware of these when assessing readiness.
 Larger key sizes and performance impacts
Many PQC schemes require larger public keys, signatures, and ciphertexts. This increases
network bandwidth, storage, and computational overhead. Some devices (embedded, IoT) may
struggle.
 Crypto-agility: designing systems that can switch algorithms
Crypto-agility is the ability to replace cryptographic algorithms without rewriting whole
systems. Architectures must allow switching from RSA/ECC to PQC or even hybrid modes
smoothly.
 Legacy system compatibility
Older systems might embed cryptographic libraries or firmware that cannot be changed easily.
Compatibility issues arise when new PQC algorithms don’t fit constraints (memory, CPU,
protocol).
 Cost and timeline for migration
Transitioning involves planning, testing, training, procurement, and possibly hardware
upgrades. Organisations must budget for implementation, staffing, and risk, and pace the
migration carefully.
What Organizations Should Do Now
You can’t wait until quantum machines arrive. Early action matters. Let’s see a roadmap of
steps.

 Inventory current cryptographic systems
Cyber security auditors should lead in mapping where encryption is used: TLS, VPN, code
signing, email, storage. Build a “cryptographic bill of materials.”
 Start planning migration strategies
Develop a migration roadmap. Consider short-, mid-, and long-term phases. Use risk
prioritisation: move critical systems first.
 Implement crypto-agility
Architect systems so that underlying algorithms can be changed (plug in PQC later). Use hybrid
approaches (mix PQC + existing) where feasible—though with caution.
 Prioritize high-value data
Classify data by sensitivity and retention period. Focus migration attention on assets whose
confidentiality must last decades.
 Test post-quantum algorithms in non-production
Run PQC implementations in test environments. Benchmark performance, compatibility, side
channels, and integration issues. Use pilot programs before large rollout.
Cyber security risks in electric vehicles.
Quantum computing threatens classical public-key encryption. Post-quantum cryptography
offers resistant alternatives. NIST’s 2024 standards (ML-KEM, ML-DSA, SLH-DSA) provide a
starting point. Migration brings challenges—performance, legacy compatibility, and
architecture must adapt. Organisations must inventory, plan, test and build crypto-agility now.
The arrival of cryptographically relevant quantum computers is uncertain in timing, but
inevitable in effect. Delaying action only raises risk. The earlier an organisation begins, the
smoother the shift. It gives space to test, fix and iterate.
If your organisation has not yet assessed its cryptographic posture, now is the time. A qualified
party, such as a certified cyber security consultant in Australia, should assist in inventory, risk
prioritisation and migration planning.

At Cybernetic Global Intelligence (CGI), our team including certified cyber security
professionals is ready to support such transitions. Our services encompass vulnerability
assessment, architecture review, and advisory support. Cyber security auditors or your cyber
incident response team can lean on us to validate your post-quantum strategy. Contact CGI
today to begin your PQC readiness journey.

Resource

https://www.cyberneticgi.com/2025/10/10/a-guide-for-cyber-security-auditors-on-post-
quantum-cryptography/

Contact Us:

Cybernetic Global Intelligence
Address: Waterfront Place, Level 34/1 Eagle St, Brisbane City QLD 4000, Australia
Phone: +61 1300 292 376
Email: [email protected]
Web : https://www.cyberneticgi.com/