Key Takeaways
- Today’s public‑key cryptography (RSA, ECC) will be broken by sufficiently powerful quantum computers, driving the need for quantum‑resistant algorithms.
- Asymmetric post‑quantum cryptography—especially ML‑KEM—preserves the open trust model of the Internet while offering practical security, performance, and a path for crypto‑agility.
- Alternative approaches such as Quantum Key Distribution (QKD), symmetric‑only key agreement, and pre‑shared keys face scalability, hardware, or management barriers that prevent global deployment.
- A pragmatic migration strategy uses hybrid protocols that combine classical and post‑quantum schemes, enabling gradual rollout, forward secrecy, and the ability to swap algorithms as standards evolve.
- Crypto‑agility—the capability to update cryptographic primitives without disruptive overhauls—is essential for long‑term resilience against both known and future quantum threats.
The Quantum Threat to Current Cryptography
Quantum computing advances threaten the security foundations of today’s Internet. Algorithms such as RSA and elliptic‑curve cryptography (ECC) rely on mathematical problems that quantum computers can solve efficiently, meaning that data protected by these schemes could be decrypted once a sufficiently large, fault‑tolerant quantum computer exists. This “harvest now, decrypt later” risk has spurred worldwide investment in quantum‑resistant cryptography aimed at defending against both classical and quantum attacks while keeping existing systems operational.
Why Asymmetric Cryptography Remains Central
The asymmetric cryptographic pattern that underpins global communications—public‑key exchange, identity verification, and trust establishment—has proven scalable and resilient across billions of devices. To survive the quantum era, the goal is not to discard this model but to migrate to quantum‑resistant primitives that fit within the same asymmetric workflows. Maintaining the open trust model ensures that new solutions can interoperate with legacy systems and support the dynamic, multi‑party nature of the Internet.
ML‑KEM as a Practical Post‑Quantum Primitive
ML‑KEM (Module‑Lattice‑Based Key Encapsulation Mechanism) is a leading post‑quantum asymmetric key‑exchange algorithm based on lattice cryptography. It has undergone extensive public scrutiny and was selected for the NSA's Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), which designates it as the quantum‑secure mechanism for general‑purpose key establishment. ML‑KEM thus offers a theoretically sound and operationally viable foundation for post‑quantum security.
How ML‑KEM Preserves the Asymmetric Trust Model
Unlike symmetric‑only or hardware‑bound solutions, ML‑KEM enables true asymmetric key exchange that:
- Preserves the open trust and identity model of today’s Internet, allowing parties without prior relationships to authenticate and establish shared secrets.
- Operates on classical hardware, requiring no exotic photonics or cryogenic equipment.
- Scales to billions of endpoints, making it suitable for global Internet deployment.
- Derives security from hard lattice problems, for which no efficient quantum attacks are currently known.
These properties support crypto‑agility—the ability to evolve cryptographic primitives while retaining existing trust frameworks.
Advantages of ML‑KEM for Real‑World Deployment
ML‑KEM balances security, performance, and deployability:
- Quantum resistance stems from lattice‑based hardness, offering confidence against both classical and quantum adversaries.
- Asymmetric key exchange lets parties establish shared secrets without any pre‑shared material.
- Efficient performance enables its use in latency‑sensitive protocols such as TLS handshakes and secure messaging.
- Reasonable key sizes keep bandwidth and storage demands compatible with modern networks.
- Drop‑in migration path through hybrid modes allows organizations to run ML‑KEM alongside legacy algorithms, facilitating a low‑risk, gradual transition.
The Need for Thoughtful Implementation and Crypto‑Agility
Simply deploying ML‑KEM does not guarantee long‑term resilience. True crypto‑agility demands an implementation strategy that anticipates algorithm updates, supports parameter negotiation, and manages hybrid handshakes and lifecycle changes. Organizations should select systems that enable rolling updates and provide a framework for swapping primitives as new standards emerge or vulnerabilities are discovered, ensuring that the transition remains smooth and cost‑effective.
Limitations of Quantum Key Distribution (QKD)
QKD leverages quantum mechanics to generate provably secure shared keys, detecting any eavesdropping attempt. However, practical drawbacks limit its applicability: it requires specialized hardware (photon sources, detectors, dedicated fiber or free‑space links), suffers from range and scalability issues that necessitate trusted repeaters, and provides only key distribution without built‑in identity or authentication. High deployment costs, operational complexity, and incompatibility with existing network architectures confine QKD to niche, high‑assurance environments rather than global Internet use.
Challenges of Symmetric‑Only Key Agreement Protocols
Symmetric key agreement schemes aim to avoid public‑key cryptography by relying on pre‑established secrets or trusted intermediaries. While symmetric primitives resist quantum attacks, these protocols face fundamental obstacles: they demand an initial trust relationship, lack a scalable method for distributing or refreshing keys over untrusted channels, suffer from poor scalability due to exponential key‑management overhead, and often fail to provide forward secrecy. Consequently, symmetric cryptography remains valuable for bulk data encryption but cannot replace public‑key systems for open, multi‑party communication.
Drawbacks of Pre‑Shared Keys (PSKs)
PSKs simply reuse a secret exchanged ahead of time. Though they avoid quantum‑vulnerable public‑key operations, they introduce severe scalability and management problems: each communicating pair needs a unique key, leading to exponential key‑distribution complexity; secure provisioning, rotation, and revocation become unmanageable at scale; and compromise of a single key jeopardizes all communications protected by it. PSKs work only in contained, static environments and are unsuitable for the open, dynamic nature of the Internet.
A Pragmatic Migration Strategy Using ML‑KEM
The most viable path to post‑quantum security is an incremental, hybrid approach that combines classical and post‑quantum algorithms until confidence in the new primitives is solid. ML‑KEM fits naturally into this model, allowing organizations to encrypt data today against “harvest now, decrypt later” threats while retaining interoperability. As additional post‑quantum key‑exchange algorithms (e.g., Hamming Quasi‑Cyclic, HQC) finish standardization, they can be added to the hybrid suite, further enhancing flexibility. Crypto‑agility—built into the hybrid design—ensures that future algorithm swaps or responses to newly discovered vulnerabilities are straightforward, avoiding costly, disruptive overhauls.
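The hybrid handshake described here and in the deployment section above, as an added example that is not part of the original article: X25519 and ML‑KEM‑768 run side by side, and both shared secrets plus the public transcript feed one HKDF, so the session key stays secret while either component holds. It uses only Go's standard library (Go 1.24 or later for crypto/mlkem and crypto/hkdf); the group label and the secret ordering are assumptions of this illustration, not a standardized suite name.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
)

const groupLabel = "hybrid-x25519-mlkem768-v1" // assumed agility label, not a standard name

// clientHello creates the client's ephemeral keys; their public halves form its flight.
func clientHello() (*ecdh.PrivateKey, *mlkem.DecapsulationKey768, error) {
	x, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	dk, err := mlkem.GenerateKey768()
	return x, dk, err
}
// combine binds both shared secrets and the public transcript into one 32-byte key.
func combine(ssX, ssPQ []byte, transcript ...[]byte) ([]byte, error) {
	ikm := append(append([]byte{}, ssPQ...), ssX...) // PQ secret first, then classical
	return hkdf.Key(sha256.New, ikm, bytes.Join(transcript, nil), groupLabel, 32)
}
// serverHello answers with its X25519 share and an ML-KEM ciphertext, deriving the key.
func serverHello(cX, cEK []byte) (sX, ct, key []byte, err error) {
	cPub, err := ecdh.X25519().NewPublicKey(cX)
	if err != nil { return nil, nil, nil, err }
	ek, err := mlkem.NewEncapsulationKey768(cEK)
	if err != nil { return nil, nil, nil, err }
	sPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, nil, err }
	ssX, err := sPriv.ECDH(cPub)
	if err != nil { return nil, nil, nil, err }
	ssPQ, ct := ek.Encapsulate() // fresh PQ secret, sent encapsulated to the client
	sX = sPriv.PublicKey().Bytes()
	key, err = combine(ssX, ssPQ, cX, cEK, sX, ct)
	return sX, ct, key, err
}
// clientFinish recovers both secrets from the server flight and derives the same key.
func clientFinish(x *ecdh.PrivateKey, dk *mlkem.DecapsulationKey768, sX, ct []byte) ([]byte, error) {
	sPub, err := ecdh.X25519().NewPublicKey(sX)
	if err != nil { return nil, err }
	ssX, err := x.ECDH(sPub)
	if err != nil { return nil, err }
	ssPQ, err := dk.Decapsulate(ct) // wrong-length ct errors; a modified ct yields an unrelated key
	if err != nil { return nil, err }
	return combine(ssX, ssPQ, x.PublicKey().Bytes(), dk.EncapsulationKey().Bytes(), sX, ct)
}
```

Swapping in another KEM later (HQC, for instance) means changing the encapsulation calls and the label, while the combiner and transcript binding stay the same.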
Conclusion
Quantum computing’s emergence threatens the validity of today’s public‑key cryptography, but a complete abandonment of the asymmetric trust model is unnecessary and impractical. ML‑KEM offers a scalable, hardware‑friendly, quantum‑resistant asymmetric key‑exchange mechanism that preserves the open Internet’s identity and trust properties while enabling crypto‑agility. Alternative schemes such as QKD, symmetric‑only agreements, and pre‑shared keys each encounter prohibitive scalability, hardware, or management barriers that preclude global deployment. By adopting hybrid protocols that integrate ML‑KEM with existing algorithms and maintaining a framework for continual updates, organizations can secure communications against both current and quantum threats, ensuring a resilient transition into the quantum era.
Helena Handschuh is an advisor to QuSecure, Inc., and a security technologies expert specializing in cryptography, post‑quantum security, and hardware protections. A former Rambus Fellow, she has led teams at Cryptography Research, Intrinsic‑ID, and Gemplus, chaired the RISC‑V Security Committee, and contributed to global standards.