Skip to navigation

      Cryptography underpins the security and trust of today’s digital services, making quantum resilience a critical pillar of cybersecurity strategies across industries.

      While large-scale, fault-tolerant quantum computers are not yet available, their future impact on cryptography is inevitable and the disruptions will be substantial. The question is not whether quantum computers will succeed in breaking asymmetric cryptography, but when this breakthrough will occur. 

      Attackers may be storing encrypted data today to decrypt it later, once quantum computers can break modern encryption. To assess this risk to your organization, you can start with Mosca's theorem, which states the following: 

      The time your data needs to remain secret (X) plus the time required to upgrade systems to be quantum-safe (Y) should be smaller than the time until Q-day, that is the time until quantum computers can break current encryption (Q). 

      Quantum security


      If you feel that X + Y > Q might be true for your organization, then your data is already at risk and you should immediately start preparing for the quantum future.

      With quantum computing technology and research advancing quickly, organizations handling sensitive data or depending on digital trust must act now to protect resilience and reliability for future operations. Using our Quantum Readiness framework, KPMG Switzerland supports clients in their transition to post-quantum cryptography, combining regulatory insight, technical depth, and business strategy.

      Yves Bohren

      Partner, Cyber & Digital Risk

      KPMG Switzerland

      Thomas Bolliger

      Director, Information Management & Compliance

      KPMG Switzerland

      A short introduction to modern cryptography

      Cryptography provides the framework for ensuring the confidentiality and integrity of our daily digital communication. In general, it can be divided into the following three categories.

      Asymmetric cryptography (or public key cryptography) is a cryptographic function that uses two mathematically related but different keys:

      • a public key, which can be shared openly
      • a private key, which must be kept secret

      The public key is used for encryption or verification, whereas the private key is used for decryption or signing. Asymmetric cryptography is commonly used for key exchange, digital signatures, authentication, and certificate‑based trust models (Public Key Infrastructure).

      Symmetric cryptography is a cryptographic function where the same secret key, which must be securely shared and properly protected, is used for both encryption and decryption of data.

      Symmetric cryptography is typically used for bulk data encryption because it is computationally efficient and fast, making it suitable for protecting data at rest and data in transit once a secure key has been established through a secure key exchange method.

      A hash function is a cryptographic function that transforms input data of arbitrary length into a fixed‑length output value, called hash or digest. Cryptographic hash functions are designed to be non‑invertible (one-way functions) and collision‑resistant.

      Hash functions are used to ensure data integrity, store passwords securely, as well as to support digital signatures and message authentication.

      How quantum computers threaten modern cryptography

      In 1994, Peter Shor showed that the underlying mathematical problems of most modern public key encryption algorithms, which are considered to be impossible to solve for classical (super)computers, can be efficiently broken by quantum computers.

      Shor’s quantum algorithms showed that so called “cryptographically relevant quantum computers” (CRQCs) endanger essentially all currently used public key encryption algorithms, including the RSA Cryptosystems and Elliptic Curve Cryptography.

      Unlike public key cryptography, hash functions and symmetric key encryption are currently not vulnerable to attacks by quantum computers, although they are weakened by Grover’s quantum algorithm.

      To maintain the current security level even after the emergence of CRQCs, doubling the digest size for hash functions and the key length for symmetric encryption, respectively, is sufficient.

      Quantum threats to information security

      The confidentiality of data is primarily secured by encrypting it.

      While data at rest is encrypted with symmetric encryption algorithms, the encryption of data in transit relies on public key cryptosystems to exchange the symmetric session key which in turn is used to encrypt the transmitted data. 

      Harvest now, decrypt later


      The concept of “Harvest now, decrypt later” (HNDL) presents a substantial risk, particularly for sensitive data requiring confidentiality over extended periods, such as government communications, medical records, or intellectual property with long-term value.

      The HNDL threat refers to the practice of adversaries gathering encrypted information with the intention of retaining it until future advancements in quantum computing may enable decryption.

      Essentially, HNDL is the concept formalized by Mosca’s Theorem (see above, “X+Y > Q”) and constitutes a threat to confidentiality of sensitive data, as information intercepted today may become accessible to adversaries in the future.

      Authentication and non‑repudiation is secured by enabling verifiable proof of identity and transaction, respectively, using cryptographic protocols. Authentication is achieved through mechanisms such as digital certificates, challenge–response protocols, and message authentication codes (MACs), which are often based on public key cryptographic protocols.

      Non‑repudiation is primarily provided by digital signatures, which use public key cryptography to bind an identity to a specific message or transaction in a way that can be independently verified and cannot be denied later.

      Trust now, forge later


      The concept of “Trust now, forge later” (TNFL) describes the risk affecting digital signatures and non‑repudiation, where for example signatures that are trusted as valid today can be forged in the future once cryptographic algorithms are broken by quantum computers.

      As a result, previously trusted records – such as software updates, contracts, certificates, identity credentials, audit logs, or blockchain transactions – lose their evidentiary value.

      Any overlooked quantum-vulnerable login key may serve as an entry point for unauthorized access, any automatic software-update mechanism may become an attack vector for remote code execution.

      Examples of threats

      • Network communication and email

        Internal and external network traffic secured by TLS, IPSec and SSH protocols, encrypted messaging platforms, as well as S/MIME and PGP-signed email all rely on public key encryption algorithms for key exchange. Thus, data in transit is mostly vulnerable to quantum decryption, exposing data transmissions across the enterprise and towards clients.

      • Public key infrastructure and digital certificates

        Every X.509 certificate securing web servers, APIs, email, and internal services is anchored to an asymmetric key pair. Quantum decryption poses the risk of broken certificate chains and therewith enables undetected impersonation across the entire organization and the internet.

      • Identity and authentication

        User authentication systems, device authentication in OT systems digital passports, SSO platforms, API calls, cloud storage access, passwordless authentication and MFA tokens are often built on classical public-key cryptography and can thus be compromised by a quantum adversary capable of forging credentials. Quantum attackers could be impersonating any user or service account.

      • Software, firmware & code signing

        Application binaries, firmware updates, and CI/CD pipelines authenticated with quantum-vulnerable signatures could be silently tampered with, allowing adversaries to distribute malicious code as trusted software.

      • Document signing and blockchains

        Qualified electronic signatures used to digitally sign documents and contracts, smart contracts based on the blockchain and cryptocurrencies rely on public key cryptography. A sufficiently powerful quantum computer could forge digital signatures, steal funds from wallets, and tamper with contract logic.


      What post quantum cryptography means for organizations

      Post-Quantum Cryptography (PQC), a core element of post quantum cybersecurity, involves developing and implementing cryptographic algorithms based on mathematical problems which are secure against future quantum computer attacks.

      Since 2016, the US National Institute of Standards and Technology (NIST) is evaluating candidates for quantum-resistant cryptographic algorithms and, in 2024, published the first three PQC standards: ML-KEM for key encapsulation (FIPS-203), ML-DSA for digital signatures (FIPS-204), and SLH-DSA for stateless hash-based signatures (FIPS-205).

      For organizations, the migration to PQC is not just “swap some algorithms and done” – It requires a clear PQC strategy aligned with business objectives, risk appetite, and regulatory expectations and a staged adoption across systems and vendors.

      In practice, a successful migration depends on:

      • knowing where (quantum-vulnerable) cryptographic primitives exists (ciphers, protocols, libraries, certificates, embedded components, …).
      • understanding which assets matter most (long-lived and sensitive data, critical authentication functions, …).
      • planning realistic timelines (dependencies, vendor roadmaps, interoperability constraints, …).

      Why crypto agility is critical for long term resilience

      Advances in cryptoanalysis, implementation attacks and computing power threaten any cryptographic algorithm, including PQC algorithms. Thus, crypto agility – the ability to change cryptographic algorithms, keys, and configurations using fast, controlled transitions with minimal disruption – becomes a strategic capability.

      Crypto agility reduces long-term risk by enabling faster, safer transitions as standards, threats, and vendor support mature. Crypto agility ensures that security remains intact even when cryptographic algorithms fail.

      Quantum key distribution: where it fits – and where it does not

      Quantum key distribution (QKD) is often discussed alongside PQC as a complementary mitigation to the quantum threat to information security. In a nutshell, Quantum key distribution is a technology that uses quantum physics to securely distribute encryption keys, enabling the detection of any eavesdropping and remaining secure even against quantum computers.

      It is important to note that QKD only provides a secure way for key distribution, it cannot be used to encrypt data or in authentication protocols. Despite its limitations, QKD can be well suited to specific scenarios and serve as an additional layer of security. For example, the Canton of Geneva has used QKD in elections since 2007, and several organizations, including banks, have been actively exploring this technology.

       

      PQC vs. QKD 

       Post-Quantum Cryptography (PQC)Quantum Key Distribution (QKD)

      Definition

      New encryption algorithms which are resilient against quantum attacks

      A secure way to share encryption keys using quantum physics and light particles (photons).

      Infrastructure

      Software‑based, works on modern hardware

      Specialized hardware and quantum communication technology

      Security

      Strong security, based on difficult math problems

      Information-theoretic security, guaranteed by physics

       

      Q-Day is coming, we just do not know when

      Q‑Day refers to the point in time when cryptographically relevant quantum computers (CRQCs) become powerful enough to break widely used public‑key cryptography in practical conditions.

      The advent of Q-Day is influenced by the pace of hardware advances, in particular circuit depth (number of logical gate operations a system can perform before failure) and operational throughput (logical operations per second), qubit stability (available logical qubits, error correction and connectivity), as well as algorithmic efficiency.

      Interested to learn more about quantum computing? Find more information on this page.

      Recent breakthroughs from Google Quantum AI in May 2025 and March 2026 (joint work with University of California, Berkeley, Stanford University and Ethereum), Iceberg Quantum in February 2026, and Oratomic in March 2026 (joint work with University of California, Berkeley and California Institute of Technology) drastically reduced the hardware requirements needed to break asymmetric cryptography. 

      What required 20 million physical qubits just a bit over a year ago, now requires fewer than one million for RSA, and less than 500,000 for the elliptic curve cryptography.

      Furthermore, under newer quantum computer architectures, it might even require fewer than 100,000 physical qubits to break RSA and as few as 10’000 for elliptic curve cryptography.

      Notably, these breakthroughs, alongside the roadmaps of IBM, IQM, IonQ and others to build large-scale quantum computers, triggered companies such as Google and Cloudflare to accelerate their post-quantum cryptography migration timelines, setting the deadline for the deprecation of quantum-vulnerable asymmetric algorithms to 2029.

      Regulatory expectations are increasing

      Although most countries and regions do not yet have an explicit requirement to migrate to quantum-safe cryptography, regulatory expectations are becoming increasingly clear: organizations are expected to identify, assess, and actively manage quantum risks at an early stage.

      This includes, in particular, integrating quantum risks into existing governance, risk, and security processes, and establishing a sound basis for strategic, risk-based migration decisions in good time.

      switzerland
      EC
      france
      Germany
      UK
      usa
      canada
      Australia

      Getting post quantum ready – our approach

      • Quantum readiness assessments

        We help evaluate your current state, risks, and opportunities – identifying no-regret moves to initiate your quantum journey today. Our multidisciplinary team combines deep expertise across various domains including cybersecurity, data protection, IT, regulations, and quantum technologies to best support your organization.

      • Innovation sessions and tailored workshops

        Customized sessions provide you with state-of-the-art insights and practical expertise to build awareness and to enable your company stay ahead. Our KPMG Ignition services and capabilities further accelerate your transformation journey. 

      • Quantum risk management and guidance toward quantum-safe security

        We provide risk assessments, help with cryptographic inventories, and practical roadmaps to enable cryptographic agility and efficient migration to post-quantum cryptography to protect your critical systems. We also analyse and develop strategies that include quantum key distribution for further risk mitigation. 

      • Use case development and implementation

        We provide proofs of concept and unlock business-relevant quantum use cases by leveraging our extensive experience across industries, quantum algorithm design and quantum machine learning. Learn more about it here.

      • Access to the KPMG Network

        Throughout our services, you benefit from our national and international network of quantum and industry experts and our established technology partnerships, for example with IBM. KPMG serves as your trusted partner in the dynamically evolving quantum ecosystem.


      Looking for a practical view of your exposure?

      KPMG supports organizations with quantum readiness assessments, cryptographic discovery, risk prioritization and roadmaps toward quantum-safe security.

      Meet our experts

      Yves Bohren

      Partner, Cyber & Digital Risk

      KPMG Switzerland

      Thomas Bolliger

      Director, Information Management & Compliance

      KPMG Switzerland

      Pascal Pfister
      Pascal Pfister

      Quantum Resilience Lead

      KPMG Switzerland

      Related articles and more information

      Business Impact, Opportunities, and the Path to Readiness

      Stay ahead of the curve with insights on technology trends, emerging technologies, cloud adoption, and SAP solutions that are shaping industries.