Why the Asymmetric Model Is the Practical Path Forward for Migrating to Post-Quantum Security

By Helena Handschuh, Technical Board Advisor, QuSecure

As progress in quantum computing accelerates, the implications for cybersecurity are profound. It is widely understood that today’s public-key cryptography will eventually fail: algorithms such as RSA and elliptic-curve cryptography (ECC) can be broken by operational quantum computers, and this prospect has accelerated global investment in quantum-resistant algorithms built to withstand both classical and quantum attacks.

Organizations, however, face a double challenge: finding algorithms that are secure, and deploying them at global scale without disrupting current systems. Three broad approaches have been explored to address the post-quantum threat. Each offers valuable insights, but each comes with significant limitations that prevent it from serving as a universal solution. Buyer beware.

Asymmetric Encryption Helps Secure the Internet

To date, the asymmetric cryptographic pattern that underpins today’s internet is both scalable and resilient. Public-key cryptography enables secure key exchange, identity verification, and trust establishment across billions of devices. As quantum threats emerge, the challenge is migrating to quantum-resistant algorithms while preserving this operational model. This means adopting approved, standardized post-quantum primitives within familiar asymmetric workflows, rather than abandoning the model entirely. 

Before examining why other approaches fail, it’s important to understand what a practical solution looks like – and why asymmetric post-quantum cryptography is not just theoretically sound, but operationally viable today. ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism) represents one such approach.

ML-KEM: A Practical Foundation for Post-Quantum Security

ML-KEM is a post-quantum asymmetric key exchange algorithm based on lattice cryptography; it was selected for global post-quantum standardization after extensive public scrutiny. Its practical relevance is confirmed by its inclusion in the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), the NSA’s set of quantum-resistant algorithms for National Security Systems. CNSA 2.0 lists ML-KEM as the quantum-secure mechanism for key establishment in general-purpose cryptographic use cases.

Why ML-KEM Preserves the Asymmetric Trust Model

Unlike symmetric-only solutions or hardware-bound approaches, ML-KEM enables true asymmetric key exchange that: 

  • Preserves the open trust and identity model of today’s internet 
  • Operates on classical hardware without exotic infrastructure 
  • Scales to billions of endpoints 
  • Provides quantum-resilient security built on hard lattice problems 

This supports the aim of crypto-agility – preserving existing trust frameworks while enabling evolution of cryptographic primitives underneath them. ML-KEM offers a compelling balance of security, performance, and deployability because of: 

  • Quantum resistance: Based on lattice problems where no efficient quantum attacks are known. 
  • Asymmetric key exchange: Establishes secure keys between parties with no prior shared secrets. 
  • Efficient performance: Fast enough for real-world use, including TLS handshakes and secure messaging.  
  • Reasonable key sizes: Keys and ciphertexts are manageable and compatible with modern networks.  
  • Drop-in migration path: Deployment option in hybrid modes alongside classical algorithms, allowing gradual and low-risk transition. 

Adopting ML-KEM by itself, however, is not enough: simply deploying the latest algorithm does not automatically yield long-term resilience. To achieve true crypto-agility – the ability to swap and evolve cryptographic primitives – organizations must adopt a thoughtful implementation strategy that anticipates updates, hybrid handshakes, and lifecycle management. In practice this means selecting systems that support parameter negotiation and provide a framework for rolling updates.
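As an added illustration of the parameter negotiation and rolling-update framework just described (example code written for this article, not QuSecure’s code or any TLS library’s implementation), the Go program below models a server that negotiates a key-exchange group against the list a client offers, under three configuration policies that correspond to stages of a migration. The policy names, the Downgraded signal and the client lists are constructed for the example; the group names and codepoints for X25519, secp256r1 and the two ML-KEM hybrids are those used by the IETF draft-ietf-tls-ecdhe-mlkem and should be checked against the current IANA TLS Supported Groups registry before use.

```go
package main

import "fmt"

// Group identifies a key-exchange group as carried in a TLS-style
// supported_groups list. X25519 and secp256r1 carry their long-standing IANA
// codepoints; the two hybrids carry the values used by draft-ietf-tls-ecdhe-mlkem
// (verify against the current IANA TLS Supported Groups registry before use).
type Group uint16

const (
	SecP256r1         Group = 0x0017
	X25519            Group = 0x001D
	SecP256r1MLKEM768 Group = 0x11EB
	X25519MLKEM768    Group = 0x11EC
)

var groupNames = map[Group]string{
	SecP256r1: "secp256r1", X25519: "x25519",
	SecP256r1MLKEM768: "SecP256r1MLKEM768", X25519MLKEM768: "X25519MLKEM768",
}

func (g Group) String() string {
	if n, ok := groupNames[g]; ok {
		return n
	}
	return fmt.Sprintf("unknown(0x%04x)", uint16(g))
}

// PostQuantum reports whether g includes an ML-KEM component.
func (g Group) PostQuantum() bool { return g == X25519MLKEM768 || g == SecP256r1MLKEM768 }

// Policy is the server-side configuration. Moving a fleet from one policy to
// the next is a configuration rollout, not a code change: that is the
// parameter negotiation plus rolling-update framework the text calls for.
type Policy struct {
	Name       string
	Preference []Group // server preference order, most preferred first
	RequirePQ  bool    // refuse any handshake that cannot land on a PQ group
}

// Three constructed policies for the stages of a migration.
var (
	Legacy      = Policy{Name: "legacy", Preference: []Group{X25519, SecP256r1}}
	Migration   = Policy{Name: "migration", Preference: []Group{X25519MLKEM768, SecP256r1MLKEM768, X25519, SecP256r1}}
	Enforcement = Policy{Name: "enforcement", Preference: []Group{X25519MLKEM768, SecP256r1MLKEM768}, RequirePQ: true}
)

// Outcome is the negotiation result plus a signal worth exporting as a metric.
type Outcome struct {
	Chosen     Group
	Downgraded bool // the client offered a PQ group but this policy picked a classical one
}

// Negotiate applies the server's preference order to the client's offered list
// (TLS servers conventionally honour their own order, not the client's) and
// never selects a classical group when RequirePQ is set.
func Negotiate(p Policy, offered []Group) (Outcome, error) {
	offeredSet := make(map[Group]bool, len(offered))
	clientPQ := false
	for _, g := range offered {
		offeredSet[g] = true
		clientPQ = clientPQ || g.PostQuantum()
	}
	for _, g := range p.Preference {
		if !offeredSet[g] || (p.RequirePQ && !g.PostQuantum()) {
			continue
		}
		return Outcome{Chosen: g, Downgraded: clientPQ && !g.PostQuantum()}, nil
	}
	return Outcome{}, fmt.Errorf("policy %q: no acceptable group in %v", p.Name, offered)
}

func main() {
	// Two constructed client populations: one already updated, one not.
	clients := []struct {
		name    string
		offered []Group
	}{
		{"updated", []Group{X25519MLKEM768, X25519, SecP256r1}},
		{"legacy", []Group{X25519, SecP256r1}},
	}
	for _, p := range []Policy{Legacy, Migration, Enforcement} {
		for _, c := range clients {
			out, err := Negotiate(p, c.offered)
			fmt.Printf("%-11s client=%-7s -> %-18v downgraded=%-5v err=%v\n", p.Name, c.name, out.Chosen, out.Downgraded, err)
		}
	}
}
```

Moving servers from Legacy to Migration to Enforcement changes only the Policy value, never the handshake code. The Downgraded flag is the detection side of the same rollout: a PQ-capable client landing on a classical group means a server is still on the old policy, and counting those events tells you how far the migration has progressed.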

Limitations of Alternative Post-Quantum Approaches 

As noted, three approaches have been explored as alternatives to asymmetric post-quantum cryptography – quantum key distribution (QKD), symmetric key agreement protocols, and pre-shared keys. While each offers theoretical benefits, none can operate at scale without specialized hardware, pre-established trust relationships, or exponential key management overhead. 

Quantum Key Distribution (QKD)

QKD leverages quantum mechanics to establish a shared secret key between two parties with provable security guarantees. In theory, any attempt to eavesdrop on the quantum channel disturbs the system in a detectable way, alerting the communicating parties. 

Despite its theoretical foundations, QKD faces practical obstacles: 

  • Specialized hardware needed: QKD needs dedicated quantum communication equipment, such as photon sources, detectors, and often fiber-optic or free-space optical links. 
  • Limited scalability and range: Quantum signals degrade rapidly, requiring trusted repeaters for long-distance communication, which reintroduce trust assumptions. 
  • Limited to secure key distribution: QKD does not provide identity, authentication, or trust establishment on its own, nor does it replace asymmetric cryptography for open, multi-party systems. 
  • High deployment cost: QKD infrastructure is expensive and incompatible with most existing network architecture. 
  • Operational complexity: Maintaining and managing quantum hardware at scale is beyond most organizations’ capabilities. 

QKD is best suited for niche, high-assurance environments rather than global internet-scale deployment, and is not recommended for securing the post-quantum era. This is also discussed in a recent memo published by the U.S. government.

Symmetric Key Agreement Protocols

Symmetric key agreement protocols look to establish shared secrets without relying on traditional public-key cryptography. In some cases, they assume an initial shared secret or use trusted intermediaries to bootstrap secure communication. Because symmetric cryptographic primitives such as block ciphers and hash functions are relatively resilient to quantum attacks, they have been considered as a possible path toward post-quantum security.

Despite their basic quantum resilience, symmetric key agreement protocols face significant challenges, including: 

  • Initial trust requirement: Most symmetric key agreement schemes require pre-established trust or secret material, making them unsuitable for open networks where parties have no prior relationship. 
  • Key distribution problem: Without asymmetric cryptography, there is no scalable way to securely distribute or refresh symmetric keys over untrusted channels. 
  • Poor scalability: Required management of a rapidly growing number of shared secrets creates operational and administrative complexity. 
  • Lack of forward secrecy: Compromised long-term keys pose a significant security risk to past communications.

As a result, while symmetric cryptography remains essential for high-performance data encryption after keys are established, symmetric key agreement protocols alone cannot replace public-key cryptography for secure communication. However, adding symmetric keys into asymmetric protocols remains a valid approach to strengthen overall communication security.

Pre-Shared Keys (PSKs)

Pre-shared keys represent the simplest available solution. In this approach, keys are exchanged securely ahead of time and reused for encrypted communication. While PSKs avoid quantum-vulnerable public-key operations, they come with significant challenges: 

  • Poor scalability: Each communicating pair needs a unique secret, leading to exponential key management complexity. 
  • Operational overhead: Securely provisioning, rotating, and revoking keys quickly becomes unmanageable in large or distributed systems.  
  • Single point of failure: Compromise of a key threatens all communications protected by it. 

PSKs work in contained environments but fundamentally contradict the open, dynamic nature of the internet. In the absence of asymmetric post-quantum secure key agreement, however, they may represent the only viable way forward.

The Ideal Migration Strategy – ML-KEM

The transition to post-quantum security is not an overnight event. The most practical strategy is incremental migration and crypto-agility using hybrid protocols that combine classical and post-quantum algorithms until confidence in post-quantum schemes is fully realized. 

ML-KEM fits well into this model, and additional post-quantum asymmetric key-exchange algorithms such as Hamming Quasi-Cyclic (HQC), still being standardized, will be added to the list in the future. Such algorithms enable organizations to begin protecting data today against threats such as “harvest now, decrypt later,” and against future quantum attacks, without sacrificing interoperability or performance.
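The hybrid handshake this section describes, as an added example that is not code from the article, from QuSecure, or from any protocol specification: an initiator and a responder run an X25519 exchange and an ML-KEM-768 encapsulation side by side and derive one session key from both shared secrets, so the session stays protected as long as either algorithm holds. It uses only the Go standard library (crypto/mlkem and crypto/ecdh, which assumes Go 1.24 or later). The two message types, the combiner and its label are constructed for illustration; a real deployment would feed both secrets into an existing key schedule such as TLS 1.3’s instead.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem" // standard library since Go 1.24
	"crypto/rand"
	"crypto/sha256"
)

// combinerLabel is a domain-separation string constructed for this example.
const combinerLabel = "example-hybrid-x25519-mlkem768-v1"

// Offer and Response are the two key shares. This message layout is
// constructed for the example; TLS packs the same values into key_share.
type Offer struct{ X25519Pub, MLKEMPub []byte }
type Response struct{ X25519Pub, MLKEMCiphertext []byte }

// Initiator holds the ephemeral private material for one handshake.
type Initiator struct {
	x25519 *ecdh.PrivateKey
	kem    *mlkem.DecapsulationKey768
	offer  *Offer
}

// NewInitiator generates fresh X25519 and ML-KEM-768 key pairs and the Offer
// to send. Both pairs are ephemeral, which is what gives forward secrecy.
func NewInitiator() (*Initiator, *Offer, error) {
	xk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, err
	}
	offer := &Offer{X25519Pub: xk.PublicKey().Bytes(), MLKEMPub: dk.EncapsulationKey().Bytes()}
	return &Initiator{x25519: xk, kem: dk, offer: offer}, offer, nil
}

// Respond runs the responder side: an X25519 exchange against the offered
// public key plus an ML-KEM encapsulation to the offered encapsulation key.
func Respond(o *Offer) (*Response, []byte, error) {
	xk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ss1, err := x25519Shared(xk, o.X25519Pub)
	if err != nil {
		return nil, nil, err
	}
	ek, err := mlkem.NewEncapsulationKey768(o.MLKEMPub) // rejects malformed keys
	if err != nil {
		return nil, nil, err
	}
	ss2, ct := ek.Encapsulate()
	resp := &Response{X25519Pub: xk.PublicKey().Bytes(), MLKEMCiphertext: ct}
	return resp, combine(ss1, ss2, o, resp), nil
}

// Finish runs the initiator side once the Response arrives. A right-length
// ciphertext corrupted in transit does NOT produce an error: ML-KEM's implicit
// rejection returns a pseudorandom key and the two sides silently disagree, so
// the layer above must confirm the key (AEAD tag, Finished-style MAC) first.
func (i *Initiator) Finish(r *Response) ([]byte, error) {
	ss1, err := x25519Shared(i.x25519, r.X25519Pub)
	if err != nil {
		return nil, err
	}
	ss2, err := i.kem.Decapsulate(r.MLKEMCiphertext) // errors only on wrong length
	if err != nil {
		return nil, err
	}
	return combine(ss1, ss2, i.offer, r), nil
}

func x25519Shared(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPub) // rejects wrong-length keys
	if err != nil {
		return nil, err
	}
	return priv.ECDH(peer)
}

// combine derives the session key from BOTH shared secrets and the exchange
// transcript (every field is fixed length, so plain concatenation is
// unambiguous); breaking only X25519 or only ML-KEM leaves an attacker one
// input short. A production stack feeds ss1||ss2 into its key schedule instead.
func combine(ss1, ss2 []byte, o *Offer, r *Response) []byte {
	mac := hmac.New(sha256.New, []byte(combinerLabel))
	for _, b := range [][]byte{ss1, ss2, o.X25519Pub, o.MLKEMPub, r.X25519Pub, r.MLKEMCiphertext} {
		mac.Write(b)
	}
	return mac.Sum(nil)
}

// SameKey compares derived keys in constant time.
func SameKey(a, b []byte) bool { return hmac.Equal(a, b) }
```

Calling NewInitiator, Respond and Finish in that order completes one exchange, and both sides end with the same 32-byte key. The caveat on Finish is the operational point: ML-KEM does not signal a bad ciphertext, so a hybrid stack must keep its explicit key-confirmation step rather than treating a successful decapsulation as proof that the peer holds the same key.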

Crypto-agility is a must, otherwise transitioning to future algorithms or responding to newly discovered vulnerabilities becomes complex, disruptive, and costly. 

Conclusion

Quantum computing poses a fundamental threat to traditional public-key cryptography, creating an urgent requirement for new, quantum-resistant solutions. While approaches such as quantum key distribution, symmetric-only systems, and pre-shared keys offer partial answers, each falls short. 

Asymmetric post-quantum cryptography – and the ability to replace it seamlessly over time – is the most practical and scalable path forward. It preserves the core advantages of public-key systems while providing strong resistance to quantum attacks, making it the optimal foundation for secure communication in the quantum era. 

While the quantum future is still unfolding, the time to migrate cryptography deliberately and with agility is now. 

___

Helena Handschuh is an advisor to QuSecure, Inc., and a security technologies expert specializing in cryptography, post-quantum security, and hardware protections. A former Rambus Fellow, she has led teams at Cryptography Research, Intrinsic-ID, and Gemplus, chaired the RISC-V Security Committee, and contributed to global standards. 
