RSA will be broken by quantum computers. The migration path does not require rebuilding your systems. Deploy the H33 overlay, run in hybrid mode, and phase out RSA on your timeline -- with instant rollback if anything goes wrong.
RSA security depends on the difficulty of factoring large integers. Shor's algorithm, running on a sufficiently powerful quantum computer, factors integers in polynomial time. RSA-2048, the most commonly deployed key size, requires approximately 4,000 logical qubits to break. Current quantum computing roadmaps project this capability between 2030 and 2040.
But the threat is not just future decryption. The harvest-now-decrypt-later threat means that RSA-encrypted data transmitted today is being captured by adversaries who will decrypt it when quantum computers arrive. Every day that RSA remains in use adds more data to the adversary's collection.
| Operation | RSA-2048 | ML-KEM-768 | ML-DSA-65 |
|---|---|---|---|
| Key generation | ~50ms | ~0.1ms | ~0.2ms |
| Encrypt / Encapsulate | ~0.3ms | ~0.15ms | N/A |
| Decrypt / Decapsulate | ~5ms | ~0.2ms | N/A |
| Sign | ~5ms | N/A | ~0.8ms |
| Verify | ~0.2ms | N/A | ~0.4ms |
| Public key size | 256 bytes | 1,184 bytes | 1,952 bytes |
| Signature size | 256 bytes | N/A | 3,293 bytes |
| Quantum-safe | No | Yes (FIPS 203) | Yes (FIPS 204) |
Post-quantum algorithms are faster than RSA for key generation, encapsulation, and signing. The tradeoff is larger key and signature sizes, which affect bandwidth but not latency for most applications.
Deploy the H33 Gateway in front of your RSA-protected services. The gateway terminates TLS connections using hybrid key exchange (ECDH + ML-KEM). Both classical and post-quantum key material are used to derive the session key. If either key exchange is compromised (ECDH by a quantum computer, or ML-KEM by a theoretical break), the other provides protection.
Your backend continues to use RSA internally. The gateway handles all PQC operations. No code changes are required on your backend services.
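The hybrid derivation described above can be sketched as follows. This is an added example, not H33 Gateway code and not the TLS 1.3 key schedule: the HKDF-SHA256 combiner, the `hybrid-demo session key` label, the function names and the sample secrets are all assumptions made for illustration.

```python
import hashlib
import hmac

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 extract step with SHA-256
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    # RFC 5869 expand step with SHA-256
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def hybrid_session_key(ecdh_ss: bytes, mlkem_ss: bytes, transcript: bytes) -> bytes:
    """Derive one session key from both shared secrets (illustrative combiner)."""
    if len(mlkem_ss) != 32:
        raise ValueError("ML-KEM shared secrets are 32 bytes")
    if not ecdh_ss or ecdh_ss == bytes(len(ecdh_ss)):
        raise ValueError("empty or all-zero ECDH output")
    # Length-prefix each secret so the concatenation is unambiguous.
    ikm = b"".join(len(s).to_bytes(2, "big") + s for s in (ecdh_ss, mlkem_ss))
    # Bind the key to the handshake by salting with the transcript hash.
    prk = hkdf_extract(hashlib.sha256(transcript).digest(), ikm)
    return hkdf_expand(prk, b"hybrid-demo session key")  # hypothetical label

# Constructed stand-ins for real ECDH and ML-KEM-768 outputs (no KEM is run here).
ECDH_SS = hashlib.sha256(b"constructed ecdh secret").digest()
MLKEM_SS = hashlib.sha256(b"constructed ml-kem secret").digest()
TRANSCRIPT = b"constructed handshake transcript"

def demo() -> dict:
    good = hybrid_session_key(ECDH_SS, MLKEM_SS, TRANSCRIPT)
    # Model a party that recovered one secret and has to guess the other.
    guess = bytes(31) + b"\x01"
    return {
        "key": good,
        "ecdh_known_only": hybrid_session_key(ECDH_SS, guess, TRANSCRIPT) == good,
        "mlkem_known_only": hybrid_session_key(guess, MLKEM_SS, TRANSCRIPT) == good,
    }

if __name__ == "__main__":
    result = demo()
    print("session key:", result["key"].hex())
    print("reproduced with one secret:",
          result["ecdh_known_only"] or result["mlkem_known_only"])
```

Knowing either input alone does not reproduce the session key, which is the property the hybrid mode relies on while one of the two exchanges may be broken.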
Enable ML-DSA response signing on the gateway. Every response receives a post-quantum signature in addition to any existing RSA signatures. Clients that can verify ML-DSA signatures gain quantum-safe assurance. Legacy clients ignore the additional header.
During this phase, both RSA and ML-DSA signatures are present. This dual-signature approach provides quantum-safe protection for clients that support it while maintaining compatibility for those that do not.
Once all clients support hybrid TLS and ML-DSA verification, begin deprecating RSA-only connections. Configure the gateway to require hybrid TLS for new connections. Set a deprecation timeline for classical-only clients. Remove RSA signing from the response pipeline when all clients have migrated.
The overlay architecture provides instant rollback at every phase. If hybrid TLS causes compatibility issues, disable it with a configuration change -- the gateway falls back to classical TLS. If ML-DSA signing causes performance issues, disable the signing header. If any issue arises, the gateway can revert to classical-only operation in seconds.
Your backend is never modified during this process. The rollback path is always available because the gateway is an additional layer, not a replacement for existing infrastructure. This separation means that a PQC issue cannot affect your backend services.
TLS certificates signed with RSA must be replaced with certificates signed using quantum-safe algorithms. The H33 approach supports two migration paths:
Gateway termination: The gateway presents its own certificate (which can be quantum-safe) to clients and connects to the backend using the existing RSA certificate internally. The internal connection stays classical and is protected by the network perimeter. This approach requires no certificate changes on the backend.
Full chain migration: For organizations that require end-to-end quantum-safe certificates, the H33 CA service issues certificates signed with ML-DSA that chain to a quantum-safe root. This approach requires updating certificates on both the gateway and the backend.
Your application code does not change. Your database schema does not change. Your deployment pipeline does not change. Your monitoring and alerting do not change. Your API contracts do not change. The only change is an additional component (the H33 Gateway) deployed in front of your existing infrastructure.
This is the core value proposition of the overlay approach: you get quantum-safe protection for the cost of deploying and configuring a reverse proxy, not for the cost of rebuilding your entire cryptographic stack.