Post-Quantum Cryptography: Why Key Exchange Won't Save Your Data

The Post-Quantum Reality Gap

  • The Pivot: Google's accelerated 2029 timeline shifts the primary migration focus from passive key exchange (ML-KEM) to active authentication (ML-DSA and SLH-DSA).
  • The Threat: While hybrid key exchange mitigates "Harvest Now, Decrypt Later" (HNDL) attacks, unmigrated digital signatures leave networks vulnerable to real-time identity spoofing.
  • The Scale: The U.S. Commerce Department's $2 billion funding of foundries like IBM and GlobalFoundries signals that quantum capability is now an industrial manufacturing race.
  • The Liability: The hardest migration challenges lie in "abandoned" assets—orphaned API clients, legacy firmware, and dormant wallets that cannot be updated.

The Silent Shift in Google's 2029 Post-Quantum Strategy

The race for post-quantum cryptography migration is quietly shifting from a theoretical physics problem to an immediate engineering crisis.

For years, the security industry treated the quantum threat as a distant, abstract milestone. CISOs signed off on long-term planning documents, comfortable in the belief that "Q-Day"—the moment a quantum computer can shatter standard asymmetric encryption—was decades away. That comfort evaporated in late March of 2026, when Google announced a firm 2029 timeline for its own post-quantum cryptography (PQC) migration. But the real story was not the date; it was a quiet, drastic change in priorities that the headline coverage completely missed.

Until recently, the defensive focus was almost entirely on key exchanges. Security teams rushed to implement algorithms like ML-KEM (formerly Kyber) during session negotiations, such as negotiating the hybrid X25519MLKEM768 group in TLS. The logic was simple: stop "Harvest Now, Decrypt Later" (HNDL) attacks, where adversaries intercept and store encrypted enterprise traffic today, waiting for a future quantum machine to decrypt it. But Google’s sudden pivot to prioritizing PQC in authentication services—specifically digital signature algorithms like ML-DSA (Dilithium) and SLH-DSA (SPHINCS+)—reveals a far more urgent threat vector. The capability gap to Q-Day is being squeezed from both sides, and the defenses we built to protect data in transit are about to be bypassed at the identity layer.

The Double-Sided Squeeze of Key Exchange vs. Digital Signatures

To understand why this priority shift matters, we have to look at how cryptographic protocols actually fail in the wild. Key exchange and digital signatures serve two entirely different security functions. Key exchange establishes a secure tunnel between two parties who want to talk. Digital signatures prove that the party on the other end of that tunnel is actually who they claim to be. Locking a courier's briefcase with an unbreakable lock does nothing if the bank teller still accepts a forged driver's license to hand over the assets.

By focusing almost exclusively on key exchange, the industry built stronger tunnels while leaving the badges completely vulnerable. If a quantum computer can break RSA or ECDSA signatures, an attacker does not need to decrypt your old, harvested traffic. They can simply forge a digital signature in real time, impersonate your identity provider, and walk through the front door of your enterprise network. This is why Google is now forcing the migration of its authentication services. It is an acknowledgment that the identity layer is the softest target in the post-quantum transition.

Why Authentication is the Hidden Failure Point

Migrating digital signatures is orders of magnitude harder than upgrading key exchanges. A key exchange is ephemeral; it happens on the fly during a TLS handshake. If a browser and a server both support ML-KEM, they use it, and if they do not, they fall back to classical algorithms. Digital signatures, however, are stateful and persistent. They are baked into code-signing pipelines, identity assertions, Active Directory certificates, and hardcoded API clients. Upgrading them requires touching every piece of software, every operating system image, and every legacy device across the entire enterprise footprint.

"Updating your session keys while leaving your authentication certificates on RSA is like putting a biometric lock on the front door while leaving the window open with a ladder leaning against it."

Anatomy of an Identity Bypass: A Composite Migration Autopsy

To see how this plays out in production, consider a representative critical infrastructure provider that spent millions upgrading its customer-facing web portals to support hybrid post-quantum TLS. The project was celebrated as a major security win, but the engineering team missed a legacy machine-to-machine API endpoint used by third-party logistics partners. This pattern of partial migration is one we keep seeing across the enterprise landscape.

  1. The False Sense of Security: The organization's external traffic logs showed that 90% of user sessions were successfully negotiated using ML-KEM. Executives assumed their post-quantum exposure window was closed, believing the data was safe from future decryption.
  2. The Silent Dependency: Beneath the modern web portal lay a legacy middleware layer running on old Java runtimes. This layer relied on hardcoded RSA-2048 certificates to authenticate incoming API requests from logistics partners. Because these partners ran embedded, low-power devices, their firmware could not easily be updated to support the larger key sizes required by post-quantum algorithms.
  3. The Cryptographic Debt: When security architects finally audited the API gateway, they realized that migrating to ML-DSA-65 would increase signature sizes from 256 bytes (RSA-2048) to a brutal 3,293 bytes. On their legacy embedded hardware, this size increase caused severe packet fragmentation and pushed p99 latency from 45ms to 320ms, completely destabilizing the real-time tracking system. The organization was forced to choose between breaking operational workflows or leaving a massive cryptographic backdoor wide open.
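The size blow-up in step 3 can be modelled before touching any hardware. The following is an added example, not code or measurements from the provider described above: it sizes the server's TLS 1.3 authentication flight for an RSA-2048 chain versus an ML-DSA-65 chain, using the article's 256-byte and 3,293-byte signature figures, and assumes approximate public-key sizes, a 500-byte per-certificate overhead, a 1460-byte MSS and the RFC 6928 initial congestion window of 10 segments.

```python
"""Size the server's TLS 1.3 authentication flight (Certificate +
CertificateVerify) for an RSA-2048 chain versus an ML-DSA-65 chain and
count the TCP segments and extra round trips it costs.

Constructed model, not the provider's measurements: the 256-byte and
3,293-byte signature sizes are the article's figures; public-key sizes
and per-certificate overhead are assumed approximations.
"""
from dataclasses import dataclass
from math import ceil

@dataclass(frozen=True)
class SigScheme:
    name: str
    sig_bytes: int     # one signature: issuer signature on a cert, or CertificateVerify
    pubkey_bytes: int  # encoded public key inside a certificate (assumed size)

RSA_2048 = SigScheme("RSA-2048", sig_bytes=256, pubkey_bytes=294)
ML_DSA_65 = SigScheme("ML-DSA-65", sig_bytes=3293, pubkey_bytes=1952)

def auth_flight_bytes(scheme: SigScheme, chain_len: int, cert_overhead: int = 500) -> int:
    """Bytes in Certificate + CertificateVerify: each cert carries the subject's
    public key and the issuer's signature; CertificateVerify adds one more
    signature. cert_overhead approximates names, extensions and encoding."""
    per_cert = scheme.pubkey_bytes + scheme.sig_bytes + cert_overhead
    return chain_len * per_cert + scheme.sig_bytes

def tcp_segments(total_bytes: int, mss: int = 1460) -> int:
    """Segments at a 1500-byte MTU (1460 payload after IPv4 + TCP headers)."""
    return ceil(total_bytes / mss)

def extra_round_trips(segments: int, initcwnd: int = 10) -> int:
    """Extra RTTs before the flight is fully delivered, given the RFC 6928
    initial congestion window of 10 segments."""
    return ceil(segments / initcwnd) - 1

def compare(chain_len: int = 3, mss: int = 1460) -> dict:
    """Per-scheme {bytes, segments, extra_rtts} for a chain of chain_len certs."""
    result = {}
    for scheme in (RSA_2048, ML_DSA_65):
        b = auth_flight_bytes(scheme, chain_len)
        s = tcp_segments(b, mss)
        result[scheme.name] = {"bytes": b, "segments": s, "extra_rtts": extra_round_trips(s)}
    return result

if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:10} {r['bytes']:6d} bytes  {r['segments']:3d} segments  +{r['extra_rtts']} RTT")
```

Lowering `mss` to what a constrained embedded link actually carries shows how quickly the ML-DSA flight crosses the initial congestion window and buys an extra round trip.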

The $2 Billion Industrialization of Quantum Computing

While enterprises struggle with the software migration, the physical reality of quantum hardware is accelerating. In May of 2026, the U.S. Commerce Department signed letters of intent to award just over $2 billion to nine quantum computing companies. This is not a series of academic research grants. It represents a deliberate, aggressive industrial policy designed to scale manufacturing capacity.

US Commerce Department Quantum Infrastructure Allocation ($ Millions)

  Recipient                              Amount ($M)
  IBM Wafer Foundry                      1,000
  GlobalFoundries Fab                      375
  Quantum Hardware Builders (7 Co.)        636

Figures compiled from the sources cited below.

When a government spends $1 billion to help IBM stand up a quantum-grade superconducting wafer foundry, and another $375 million for GlobalFoundries to build a multi-architecture fab, the conversation changes. We are no longer asking if these machines can be built; we are asking how fast they can be mass-produced. This massive capital injection drastically shortens the timeline to Q-Day, making the 2029 target set by Google look less like a conservative estimate and more like a tight, high-stakes deadline.

Where the Focus on Key Exchange Actually Holds Up

Despite the critical need to secure authentication, we must not swing the pendulum too far in the opposite direction. The early industry focus on key exchange and ML-KEM was not a mistake; it was a necessary response to a specific, active threat. For organizations handling highly sensitive, long-lived data—such as national security intelligence, medical records protected by HIPAA, or intellectual property—the "Harvest Now, Decrypt Later" threat is an active vulnerability today.

Adversaries are actively capturing encrypted traffic off the wire, banking on the fact that a quantum computer built in 2030 will easily read the secrets of 2026. If your data has a shelf life of ten years or more, you must implement hybrid key exchange immediately. The mistake was treating key exchange as the finish line of post-quantum migration rather than the first, easiest step of a much longer and more complex journey.

The Three Fatal Assumptions of Post-Quantum Readiness

  • "We have until 2029 to begin our migration." The $2 billion manufacturing injection from the U.S. Commerce Department proves that hardware development is accelerating. Furthermore, any data encrypted with classical algorithms today is already vulnerable to future decryption via HNDL attacks.
  • "Our cloud providers will handle the heavy lifting." While major hyperscalers can easily update their edge load balancers, they cannot rewrite your custom code-signing pipelines, update your legacy Active Directory domains, or patch the hardcoded certificates inside your third-party API clients.
  • "Abandoned assets do not pose an active risk to our enterprise." As the Coinbase Quantum Advisory Council recently highlighted, "abandoned" cryptographic assets—such as dormant accounts, orphaned API keys, and legacy wallets—cannot be updated. These assets represent permanent, unpatchable entry points that attackers will exploit on Q-Day.
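The three assumptions above amount to a triage rule for a cryptographic inventory: key exchange decides HNDL exposure, signatures decide real-time forgery exposure, and anything that cannot be updated is permanent exposure. The following is an added example, not code from the article or any vendor, that applies those rules to a constructed inventory; the severity labels and the sample asset records are this example's own assumptions.

```python
"""Triage a cryptographic inventory along the lines the article draws: key
exchange decides HNDL exposure, signatures decide real-time forgery exposure,
and anything that cannot be updated is a permanent exposure.
Constructed example: the inventory below is made up and the severity rules
are this example's reading of the article, not an official framework."""
from dataclasses import dataclass

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "ok": 3}
PQ_KEM_MARKERS = ("ML-KEM", "MLKEM")        # ML-KEM-768, X25519MLKEM768
PQ_SIG_PREFIXES = ("ML-DSA", "SLH-DSA")     # ML-DSA-65, SLH-DSA-SHA2-128s, ...

@dataclass(frozen=True)
class Asset:
    name: str
    role: str                  # "key_exchange" or "signature"
    algorithm: str
    updatable: bool            # can new keys or firmware be rolled out?
    shelf_life_years: int = 0  # how long the protected data must stay secret

def triage(a: Asset) -> tuple[str, str]:
    """Return (severity, reason) for one asset."""
    if a.role == "key_exchange":
        if any(m in a.algorithm for m in PQ_KEM_MARKERS):
            return "ok", "hybrid/PQ key exchange: HNDL mitigated"
        if a.shelf_life_years >= 10:
            return "high", "classical key exchange over long-lived data: HNDL exposure now"
        return "medium", "classical key exchange: migrate before Q-Day"
    if a.role == "signature":
        if a.algorithm.startswith(PQ_SIG_PREFIXES):
            return "ok", "PQ signature: identity protected"
        if not a.updatable:
            return "critical", "classical signature that cannot be updated: permanent forgery path"
        return "high", "classical signature: real-time impersonation once a CRQC exists"
    raise ValueError(f"unknown role {a.role!r}")

def triage_inventory(assets) -> list[tuple[str, str, str]]:
    """(severity, name, reason) for every asset, worst first."""
    rows = []
    for a in assets:
        sev, why = triage(a)
        rows.append((sev, a.name, why))
    return sorted(rows, key=lambda r: (SEVERITY_ORDER[r[0]], r[1]))

# Constructed inventory mirroring the article's composite case.
INVENTORY = [
    Asset("web-portal TLS", "key_exchange", "X25519MLKEM768", True, 3),
    Asset("partner API client certs", "signature", "RSA-2048", False),
    Asset("code-signing pipeline", "signature", "ECDSA-P256", True),
    Asset("site-to-site VPN", "key_exchange", "X25519", True, 15),
]
```

Calling `triage_inventory(INVENTORY)` ranks the non-updatable RSA partner certificates above the hybrid-TLS portal, which is the ordering the article argues a migration plan should follow.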

Frequently Asked Questions

What happens to our compliance audit trail when a legacy certificate authority cannot support ML-DSA signatures?

If your legacy Certificate Authority (CA) cannot be upgraded to issue ML-DSA or SLH-DSA certificates, your compliance audit trail under frameworks like SOC 2 or ISO 27001 will break. You will be unable to prove cryptographically that the system configurations, code deployments, or administrative access events recorded in your logs were signed by authorized entities, potentially leading to immediate audit failures.

How does the US Commerce Department's $2 billion hardware bet affect our immediate risk assessment timeline?

The $2 billion funding injection compresses the estimated timeline for a cryptographically relevant quantum computer (CRQC). Risk assessments that previously modeled Q-Day out to 2035 or 2040 must be revised. Security leaders must now align their risk registers with Google's 2029 target, treating any classical asymmetric cryptography remaining in production past 2028 as a high-severity risk.

If we run hybrid TLS (X25519MLKEM768), does that protect our API endpoints from active man-in-the-middle attacks?

No. Hybrid TLS using X25519MLKEM768 only protects the confidentiality of the session key negotiation against future decryption. If the authentication step of that same handshake still relies on classical RSA or ECDSA certificates, an attacker with a quantum computer can forge the digital signature in real time, intercept the connection, and execute a successful man-in-the-middle attack.

What is the operational blast radius of "abandoned coins" and orphaned cryptographic identities in enterprise networks?

The operational blast radius is massive. In financial systems, as noted by the Coinbase Quantum Advisory Council, abandoned assets cannot be migrated because the private keys are lost or unmanageable. In enterprise networks, this translates to orphaned service accounts, legacy firmware on operational technology (OT) networks, and hardcoded API integrations that cannot be updated without breaking critical business logic, leaving permanent backdoors for post-quantum adversaries.

References & Further Reading

This explainer is synthesized directly from active reporting and the Source Data above.

  • Wiz.io: State of Post Quantum Cryptography (May 2026)
  • Coinbase: Coinbase Quantum Advisory Council: Post-Quantum Migration and Abandoned Coins (June 2026)
  • CoinDesk: The U.S. government is betting $2 Billion on quantum computing (June 2026)
