NIST finalized three post-quantum cryptography standards in 2024: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). Most migration guides tell you to start planning. This one tells you how to be done.
Direct answer: Post-quantum migration does not require replacing your infrastructure. The NIST standards define key encapsulation and digital signature algorithms that can wrap existing systems. A production implementation uses ML-KEM for key exchange, ML-DSA for signatures, and SLH-DSA as a hash-based fallback — all through a single API layer that sits in front of your current stack.
NIST published three standards. Each replaces a specific classical algorithm:
| NIST Standard | Algorithm | Replaces | Purpose |
|---|---|---|---|
| FIPS 203 | ML-KEM (Kyber) | RSA key exchange, ECDH | Key encapsulation |
| FIPS 204 | ML-DSA (Dilithium) | RSA signatures, ECDSA | Digital signatures |
| FIPS 205 | SLH-DSA (SPHINCS+) | RSA signatures, ECDSA | Stateless hash-based signatures |
The standards are finalized. The algorithms are specified. The question is no longer "what to migrate to" — it's "how to migrate without a multi-year infrastructure project."
The standard migration approach looks like this:
For an organization with 50+ systems using classical cryptography, this is a 3-5 year project with millions in engineering cost. Most organizations are still in the "planning" phase. Meanwhile, adversaries are already harvesting encrypted data for future quantum decryption.
The harvest-now-decrypt-later threat is not theoretical. Nation-state adversaries are collecting encrypted traffic today, storing it, and waiting for quantum capability. Data with long-term sensitivity — health records, financial data, government communications, intellectual property — is already at risk. The question is not when quantum computers will break RSA. The question is how long your encrypted data needs to stay secret.
Instead of replacing cryptography inside every system, place a post-quantum attestation layer in front of your existing infrastructure. Every API response, every data operation, every authentication event gets wrapped in a post-quantum signature — without changing the underlying system.
1. Deploy the PQ attestation API. One endpoint. One integration. Every outgoing response gets signed with three independent post-quantum signature families. Your existing systems don't change.
2. Wrap key exchange with ML-KEM. New TLS connections use hybrid key exchange (classical + ML-KEM). Existing certificates continue to work. No re-issuance required for the transition period.
3. Attest data at rest. Sensitive data gets a post-quantum attestation at the time of creation. The attestation is 74 bytes — append it to your existing records. The data itself doesn't move.
4. Retire classical signatures on your timeline. The PQ layer is already protecting everything. You can migrate internal systems at your own pace, system by system, without urgency.
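The hybrid key exchange of the ML-KEM step above, as an added example written for this page (it is not the vendor's product code and not any TLS library's implementation). It uses Go 1.24's standard-library crypto/mlkem (ML-KEM-768) and crypto/ecdh (X25519), runs both sides of the exchange, and feeds both shared secrets through an HKDF-style combiner so the session key stays secret while either primitive holds. The byte layout of the hybrid public key and ciphertext, the salt label, and the function names are assumptions; a real TLS stack feeds the concatenated secret into its own key schedule instead.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const x25519Size = 32

// hybridKeyPair holds the responder's X25519 and ML-KEM-768 private keys for one handshake.
type hybridKeyPair struct {
	ecdhKey *ecdh.PrivateKey
	kemKey  *mlkem.DecapsulationKey768
}

func generateHybrid() (*hybridKeyPair, error) {
	ek, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, err
	}
	return &hybridKeyPair{ecdhKey: ek, kemKey: dk}, nil
}

// publicBytes is what the responder sends: X25519 public key || ML-KEM-768 encapsulation key (assumed layout).
func (h *hybridKeyPair) publicBytes() []byte {
	return append(h.ecdhKey.PublicKey().Bytes(), h.kemKey.EncapsulationKey().Bytes()...)
}

// combine is an HKDF-SHA256 style extract-then-expand over both shared secrets, bound to the public
// key and ciphertext. The output stays unpredictable while either secret does: a break of X25519 or of
// ML-KEM alone does not expose the session key.
func combine(ssEcdh, ssKem, pub, ct []byte) []byte {
	extract := hmac.New(sha256.New, []byte("hybrid-x25519-mlkem768-v1")) // assumed label used as salt
	extract.Write(ssEcdh)
	extract.Write(ssKem)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(pub)
	expand.Write(ct)
	expand.Write([]byte{1}) // single HKDF-Expand block: one 32-byte session key
	return expand.Sum(nil)
}

// encapsulate is the initiator side: derives the session key and returns the hybrid ciphertext
// (ephemeral X25519 public key || ML-KEM ciphertext) to send to the responder.
func encapsulate(peerPub []byte) (key, ct []byte, err error) {
	if len(peerPub) != x25519Size+mlkem.EncapsulationKeySize768 {
		return nil, nil, errors.New("bad hybrid public key length")
	}
	pub, err := ecdh.X25519().NewPublicKey(peerPub[:x25519Size])
	if err != nil {
		return nil, nil, err
	}
	ek, err := mlkem.NewEncapsulationKey768(peerPub[x25519Size:])
	if err != nil {
		return nil, nil, err
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ssEcdh, err := eph.ECDH(pub)
	if err != nil {
		return nil, nil, err
	}
	ssKem, kemCt := ek.Encapsulate()
	ct = append(eph.PublicKey().Bytes(), kemCt...)
	return combine(ssEcdh, ssKem, peerPub, ct), ct, nil
}

// decapsulate is the responder side. A tampered ML-KEM ciphertext does not return an error: ML-KEM's
// implicit rejection yields a different key, so the mismatch surfaces at key confirmation instead of
// telling the sender which half was modified.
func (h *hybridKeyPair) decapsulate(ct []byte) ([]byte, error) {
	if len(ct) != x25519Size+mlkem.CiphertextSize768 {
		return nil, errors.New("bad hybrid ciphertext length")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(ct[:x25519Size])
	if err != nil {
		return nil, err
	}
	ssEcdh, err := h.ecdhKey.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	ssKem, err := h.kemKey.Decapsulate(ct[x25519Size:])
	if err != nil {
		return nil, err
	}
	return combine(ssEcdh, ssKem, h.publicBytes(), ct), nil
}

func main() {
	server, _ := generateHybrid()
	clientKey, ct, _ := encapsulate(server.publicBytes())
	serverKey, _ := server.decapsulate(ct)
	fmt.Printf("hybrid ciphertext %d bytes, session keys match: %v\n", len(ct), hmac.Equal(clientKey, serverKey))
}
```

The hybrid ciphertext is 32 + 1088 bytes, the bulk of it ML-KEM; that size, not the algorithm itself, is usually what breaks middleboxes and fixed-size buffers during the transition, so it is worth measuring before enabling hybrid handshakes fleet-wide.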
NIST standardized three algorithms for a reason: no single mathematical assumption is guaranteed to survive. A production post-quantum system should use at least two independent families so that the failure of one doesn't compromise everything.
| Family | Hardness Assumption | Risk Profile |
|---|---|---|
| ML-DSA (Dilithium) | Module lattice (MLWE) | Strongest confidence, largest signatures |
| FALCON | NTRU lattice (NTRU-SIS) | Compact signatures, different math from ML-DSA |
| SLH-DSA (SPHINCS+) | Hash function collision resistance | Conservative fallback, no lattice assumption |
An attacker would need to simultaneously break lattice problems (two different constructions) AND stateless hash functions to forge a triple-signed attestation. No known or theoretical quantum algorithm can do this.
NIST recommends "crypto agility" — the ability to swap algorithms when one is broken. In practice, crypto agility is impossible if your cryptography is embedded in every system. You can't swap the algorithm in your database, your API gateway, your authentication service, and your backup system simultaneously.
Crypto agility works when cryptography is a layer, not a feature. A single attestation layer with an algorithm selection byte can rotate families without touching any downstream system. If ML-DSA is compromised tomorrow, disable it with one configuration change. The other two families continue protecting everything while you migrate.
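The multi-family attestation envelope from the migration steps above, with the algorithm selection byte and configuration-only family rotation described in this section, as an added example written for this page (not the vendor's API and not code from any of the projects named). Go's standard library ships no ML-DSA or FALCON, so the two families registered here are a Lamport one-time signature (hash-based, the same assumption family as SLH-DSA) and Ed25519 standing in for the classical signatures kept during the transition; in production ML-DSA and FALCON signers from a PQ library would be registered under their own ids. The algorithm ids, the envelope layout, the policy threshold and every function name are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Algorithm selection byte: the first byte of each signature entry names its family.
// ML-DSA and FALCON (assumed ids 0x03, 0x04) would be registered from a PQ library in production.
const (
	algEd25519 byte = 0x01 // classical family kept during the transition
	algLamport byte = 0x02 // hash-based one-time signature, same assumption family as SLH-DSA
)

// signer is all the layer needs from a family, so any library's scheme can be plugged in.
type signer interface {
	alg() byte
	sign(msg []byte) ([]byte, error)
	verify(msg, sig []byte) bool
}

type ed25519Signer struct{ pub ed25519.PublicKey; priv ed25519.PrivateKey }

func newEd25519() (*ed25519Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &ed25519Signer{pub, priv}, err
}
func (s *ed25519Signer) alg() byte                       { return algEd25519 }
func (s *ed25519Signer) sign(msg []byte) ([]byte, error) { return ed25519.Sign(s.priv, msg), nil }
func (s *ed25519Signer) verify(msg, sig []byte) bool     { return ed25519.Verify(s.pub, msg, sig) }

// lamportKey holds 256 pairs of random preimages; the public key is their SHA-256 hashes. Forging needs
// a hash preimage, so no lattice assumption is involved. Unlike SLH-DSA the scheme is one-time: the
// key refuses to sign a second message, because two signatures reveal enough preimages to forge.
type lamportKey struct {
	sk, pk [256][2][32]byte
	used   bool
}

func newLamport() (*lamportKey, error) {
	k := &lamportKey{}
	for i := range k.sk {
		for b := range k.sk[i] {
			if _, err := rand.Read(k.sk[i][b][:]); err != nil {
				return nil, err
			}
			k.pk[i][b] = sha256.Sum256(k.sk[i][b][:])
		}
	}
	return k, nil
}
func bitAt(d [32]byte, i int) int { return int(d[i/8]>>(7-uint(i%8))) & 1 } // bit i of the digest, MSB first
func (k *lamportKey) alg() byte   { return algLamport }
func (k *lamportKey) sign(msg []byte) ([]byte, error) {
	if k.used {
		return nil, errors.New("lamport: key already used; a second signature leaks preimages")
	}
	k.used = true
	d, sig := sha256.Sum256(msg), make([]byte, 0, 256*32)
	for i := 0; i < 256; i++ {
		sig = append(sig, k.sk[i][bitAt(d, i)][:]...) // reveal one preimage per digest bit
	}
	return sig, nil
}
func (k *lamportKey) verify(msg, sig []byte) bool {
	if len(sig) != 256*32 {
		return false
	}
	d := sha256.Sum256(msg)
	for i := 0; i < 256; i++ {
		if sha256.Sum256(sig[i*32:(i+1)*32]) != k.pk[i][bitAt(d, i)] {
			return false
		}
	}
	return true
}

// attest builds the envelope appended to a record or response: [alg][uint32 len][sig] per family.
func attest(msg []byte, signers ...signer) ([]byte, error) {
	var env []byte
	for _, s := range signers {
		sig, err := s.sign(msg)
		if err != nil {
			return nil, err
		}
		env = append(env, s.alg())
		env = binary.BigEndian.AppendUint32(env, uint32(len(sig)))
		env = append(env, sig...)
	}
	return env, nil
}

// verifyAttestation counts distinct enabled families whose signature verifies and reports whether that
// meets the policy threshold. Unknown families are skipped so envelopes from a newer deployment still
// parse; disabled families never count, which is how a broken family is retired by configuration alone.
func verifyAttestation(msg, env []byte, reg map[byte]signer, enabled map[byte]bool, threshold int) (int, bool) {
	valid := map[byte]bool{}
	for len(env) >= 5 {
		alg, n := env[0], int(binary.BigEndian.Uint32(env[1:5]))
		if n < 0 || len(env)-5 < n {
			return 0, false // truncated or malformed envelope
		}
		if s, ok := reg[alg]; ok && enabled[alg] && s.verify(msg, env[5:5+n]) {
			valid[alg] = true
		}
		env = env[5+n:]
	}
	return len(valid), len(valid) >= threshold
}
```

Retiring a family is a change to the `enabled` map and nothing else: a record attested under both families still verifies against the remaining one, which is the property the section above relies on. The Lamport family is one-time, so it exists here to show the hash-based assumption, not as a drop-in for SLH-DSA, which builds a many-time scheme on top of such one-time signatures.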
| Approach | Timeline | Engineering Cost | Risk During Migration |
|---|---|---|---|
| System-by-system replacement | 3-5 years | $2-10M+ (depending on systems) | High — partial migration = partial protection |
| Attestation-layer migration | Days to weeks | API integration cost only | Low — full protection from day one |
The attestation approach doesn't eliminate the eventual need to upgrade internal systems. It eliminates the urgency. Your data is protected by post-quantum signatures immediately. Internal migration happens on your timeline, not the adversary's.
Post-quantum signatures protect data integrity and authentication. For data confidentiality (protecting the data itself from future quantum decryption), you need post-quantum encryption.
Two approaches:
What your organization needs to demonstrate for post-quantum readiness:
The harvest-now-decrypt-later window is open. Every day of delay is another day of intercepted traffic that an adversary stores for future decryption. The NIST standards are finalized. The algorithms are production-ready. The only remaining step is deployment.
The migration path: Deploy a post-quantum attestation layer. Wrap every API response in triple-signed PQ attestation. Protect data at rest with ML-KEM key encapsulation. Retire classical algorithms at your own pace. Total time to protection: days, not years.