Quantum computing threat to defense communications: timeline and practical response

The question defense leadership most frequently asks about quantum computing is: "When?" When will a quantum computer large enough to break current military encryption actually exist? The uncomfortable answer from the research community is: probably between 2030 and 2035, with significant uncertainty in both directions. The more uncomfortable answer from a security standpoint is that the exact date is the wrong thing to focus on – because the attack that matters most, harvest-now-decrypt-later, is already underway regardless of when that machine arrives.

Adversaries with the patience and storage capacity of nation-states do not need to wait for quantum capability before acquiring the data they intend to decrypt with it. Bulk encrypted traffic collection is inexpensive relative to national intelligence budgets. Any classified communications protected by RSA or elliptic-curve cryptography that will remain sensitive into the 2030s are already at risk – not hypothetically, but operationally. This article examines the threat timeline, identifies which categories of defense data are most exposed, and provides a practical framework for prioritizing the response.

The harvest-now-decrypt-later threat: why urgency is justified today

Harvest-now-decrypt-later (HNDL) is a straightforward attack: an adversary records encrypted communications in bulk, stores the ciphertext, and waits until a quantum computer capable of recovering the session keys becomes available. The attack requires no cryptanalytic capability at collection time – only the ability to intercept and store traffic, which state-level adversaries have demonstrated repeatedly through signals intelligence programs.

The economic logic of HNDL is asymmetric in the adversary's favor. Storage costs for bulk intercepted traffic have fallen dramatically – storing petabytes of ciphertext is operationally feasible for major intelligence services. The cost of a future quantum decryption operation, amortized against the intelligence value of decades of classified communications, is highly favorable. There is no technical barrier to beginning this collection now, and no reason to assume it is not already occurring.

The data most at risk is not routine operational traffic but long-lived classified information: nuclear command and control protocols and their associated communications architectures, intelligence sources and methods that will remain active through the 2030s, strategic plans with 10-year or longer planning horizons, and capability assessments that inform acquisition decisions over decades. This is precisely the category of information that adversaries most want and that defense organizations most need to protect beyond any reasonable quantum computing timeline.

The quantum computing timeline: what current estimates say

Shor's algorithm, developed in 1994, provides a polynomial-time quantum algorithm for factoring large integers – the mathematical foundation of RSA security – and for solving the discrete logarithm problem underlying all elliptic-curve cryptography. Running Shor's algorithm against RSA-2048 or 256-bit ECC keys requires a fault-tolerant quantum computer with millions of error-corrected logical qubits. Current quantum hardware operates with hundreds to a few thousand physical qubits, with error rates that require extensive overhead for error correction.

The most credible public estimates for a cryptographically relevant quantum computer converge on a 2030–2035 range. NSA's September 2022 CNSA 2.0 advisory, which mandates post-quantum algorithm transitions for National Security Systems, uses 2035 as its planning horizon. NIST's post-quantum standardization timeline was explicitly designed to complete before that window. The US "National Quantum Initiative" and Chinese national quantum programs both reflect government assessments that CRQC capability is achievable within a decade from around 2022.

What is less certain is whether programs with significant classified funding – both US and adversary – are ahead of the public research frontier. The history of cryptographic capability development suggests that publicly disclosed breakthroughs often lag operational capability by years. Defense planning should not assume that public timelines represent the full picture.

Which classified data has the longest secrecy requirement

Not all defense data has equal exposure to the HNDL threat. Sensitivity to quantum-enabled decryption is a function of two independent variables: classification level (how sensitive the information is) and shelf life (how long the information remains sensitive and actionable). The risk exposure is the product of both.

Nuclear command, control, and communications (NC3) protocols and the communications architectures that support them have essentially unlimited shelf life – the underlying command authority structures and authorization codes that protect nuclear systems must remain secret indefinitely. NC3 systems also tend to use legacy cryptographic implementations with very long replacement cycles, compounding the exposure.

Intelligence sources and methods – human intelligence assets, signals collection platforms, and the analytic tradecraft that interprets raw intelligence – have shelf lives that frequently extend decades. A source recruited today may remain active through the 2040s. The communications used to manage and protect that source, if intercepted and stored today, become readable when quantum capability arrives.

Long-range strategic planning documents – force structure assessments, capability development roadmaps, alliance commitments, and war plans – describe intended military posture over 10–20 year horizons. These are precisely the documents adversary collection programs prioritize, and they are precisely the documents whose secrecy must be maintained throughout the planning period they describe.

Acquisition and capability assessment data – technical specifications for next-generation platforms, vulnerability assessments of fielded systems, and developmental testing results – can provide adversaries with exploitation roadmaps valid for the operational life of the system, which may extend 30 years beyond the date of encryption.

Routine operational communications – daily operational orders, logistics status reports, personnel administrative traffic – generally have short shelf lives measured in days or weeks. The HNDL risk for this category is substantially lower: the information will be operationally irrelevant long before any plausible quantum decryption becomes feasible.

The migration lead time problem: why action is needed now

Enterprise cryptographic migration is among the most complex and time-consuming infrastructure changes a defense organization undertakes. Unlike a software update or a hardware replacement, cryptographic migration touches every system that encrypts, signs, authenticates, or verifies – which in a modern defense network is effectively everything.

A realistic timeline for full PKI migration in a large defense program: cryptographic inventory and dependency mapping, 6–18 months; PKI migration architecture design and accreditation, 12–24 months; post-quantum root and issuing CA deployment, 6–12 months; dual-issuance phase (classical and PQC certificates simultaneously), 12–24 months; fleet upgrade to support PQC certificate validation, 12–36 months depending on endpoint count and update mechanisms; classical certificate retirement, gated on fleet saturation. Total: 5–9 years for a large, complex program operating under defense acquisition constraints.

TLS endpoint migration, firmware signing transitions, VPN protocol upgrades, and HSM firmware updates run in parallel with PKI migration but impose their own dependencies and timelines. A program that begins comprehensive migration planning in 2026 targeting completion by 2030 is already operating with minimal margin against the conservative end of the quantum timeline.

A prioritization framework: sensitivity × shelf life

Given constrained resources and the impossibility of migrating every system simultaneously, programs need a principled basis for sequencing the work. The sensitivity × shelf life matrix provides this framework.

Construct a two-axis assessment for each communication system or data category: on one axis, the classification level and operational sensitivity of the data (from routine unclassified to TOP SECRET/SCI); on the other, the shelf life of the data measured in years. Systems in the high-sensitivity, high-shelf-life quadrant – NC3 communications, intelligence source protection, long-range strategic plans – are the immediate priority for HNDL mitigation. Systems in the low-sensitivity, short-shelf-life quadrant – routine administrative traffic, tactical operational reports – can follow later in the migration sequence.

This framework also determines which systems justify early deployment of hybrid post-quantum cryptography before full PKI migration is complete. For the highest-priority systems, waiting for PKI migration is not acceptable – hybrid PQC deployed at the session layer provides immediate HNDL resistance without requiring certificate infrastructure changes.

What organizations can do this year

Several actions deliver concrete risk reduction on a short timeline, independent of longer-term PKI migration programs.

Cryptographic inventory. Begin a systematic inventory of every cryptographic dependency in the program. Automated cryptographic discovery tools exist for network infrastructure; application-layer cryptography requires code audit and architecture review. The inventory is the prerequisite for all subsequent work – without it, migration scope cannot be accurately estimated and unrecognized dependencies create late-breaking blockers.

PKI migration design. Commission the architectural design for post-quantum PKI now. Design work does not require implementation to begin – the design phase identifies dependencies, estimates timelines, and produces the accreditation artifacts required before any implementation can proceed under defense acquisition frameworks. Starting design in 2026 allows implementation to begin in 2027–2028, consistent with a 2030–2032 completion target.

Hybrid PQC deployment for priority systems. For systems identified in the highest-priority quadrant of the sensitivity matrix, deploy hybrid ML-KEM encryption at the session layer. Corvus.Quantum provides a battle-tested hybrid ML-KEM streaming encryption layer specifically designed for defense communications environments, deployable on existing infrastructure without requiring PKI changes. Hybrid deployment provides immediate HNDL resistance for the most sensitive traffic while the broader migration proceeds.

Procurement requirement updates. Review current and planned contracts for communications systems, software, and infrastructure. Insert post-quantum cryptography requirements into upcoming solicitations – specifically, support for ML-KEM (FIPS 203), ML-DSA (FIPS 204), and hybrid cipher suites in TLS. This ensures that systems procured today do not add to the migration backlog.

Firmware signing assessment. Identify weapon system and hardware platforms whose firmware signing keys will remain in operational use through the 2030s. Document the migration path for each – either planned replacement with PQC-signed firmware on next refresh cycle, or explicit risk acceptance where architecture prevents key rotation.

The post-quantum algorithm landscape for defense

NIST completed its post-quantum cryptography standardization in 2024, publishing three algorithms that form the foundation of quantum-safe cryptography for defense applications. NSA's CNSA 2.0 advisory, published in 2022, mandates these algorithms (or their precursors) for National Security Systems.

ML-KEM (FIPS 203), based on CRYSTALS-Kyber, is the approved algorithm for key encapsulation – the mechanism by which two parties establish a shared secret. ML-KEM replaces RSA and ECDH for key exchange in TLS and other protocols. CNSA 2.0 specifies ML-KEM-1024 for NSS applications. ML-KEM has relatively compact ciphertext sizes compared to other lattice-based alternatives and fast key generation and encapsulation operations.

ML-DSA (FIPS 204), based on CRYSTALS-Dilithium, is the primary approved algorithm for digital signatures. ML-DSA replaces RSA-PSS and ECDSA for certificate signatures, code signing, and authentication. Signature sizes are larger than ECDSA (approximately 3–4 KB for ML-DSA-87 vs 70 bytes for ECDSA P-256) but well within the tolerance of most protocol applications.

SLH-DSA (FIPS 205), based on SPHINCS+, provides an alternative signature algorithm with security derived from hash functions rather than lattice mathematics. SLH-DSA offers cryptographic diversity – if lattice-based algorithms are weakened by future mathematical advances, SLH-DSA remains unaffected. It is appropriate for high-security applications where performance requirements permit its larger signatures and slower operations, particularly firmware signing where additional security diversity is warranted.

Symmetric algorithms – AES-256 and SHA-384/512 – are quantum-safe at current key lengths. Grover's algorithm provides a quadratic speedup for exhaustive search, effectively halving the bit-security of a symmetric algorithm, but AES-256 retains approximately 128-bit security against a quantum adversary, which remains computationally infeasible to attack. No symmetric algorithm migration is required as part of post-quantum transition.

Related reading

For implementation detail on the algorithms mandated by NSA for defense systems, see Post-Quantum Cryptography for Defense: CNSA 2.0 Guide, which covers ML-KEM, ML-DSA, and SLH-DSA parameter set selection, TLS migration mechanics, and the hybrid transition approach in detail. For the zero-trust network architecture context in which quantum-safe communications operate, see Zero-Trust Architecture for Military Networks: Principles and Implementation. For the broader secure cloud infrastructure that classified workloads require, see GovCloud Architecture for Defense: Azure Government vs AWS GovCloud.