The risk of rushing into post-quantum cryptography: the ballad of FOMO, YOLO and FAFO

Category
Post-Quantum Cryptography

Come, let us hasten to a higher plane,
Where dyads tread the fairy fields of Venn,
Their indices bedecked from 1 to n,
Commingled in an endless Markov chain!

Summary

The rumor mill says we need to ditch all our cryptography today. Quantum computing is coming! It will crack every lock we use! Swap your devices, your software, your entire stack – right now.

That story sells panic, not reality.

Quantum breakthroughs are still wrapped in maybes. If they arrive, they won’t blow up everything at once. A lot of today’s crypto will hold. And the “new” replacements some vendors push? Many of them haven’t been tested in the wild. Some already show cracks.

That’s the real danger: trading defenses that might fail someday for defenses that are weak today.

There’s a smarter path. Stay agile. Build the ability to shift quickly when the evidence demands it. No panic. No blind leaps. Just clear eyes, steady hands, and a plan that moves when the world does.

The heat is on

There’s a rising push to jump into post-quantum cryptography at full speed. A big part of that comes from a real concern: exposure to ‘harvest now, decrypt later’ tactics. Attackers stealing encrypted data today, waiting for tomorrow’s quantum power to pry it open. That threat isn’t fiction.

But the rest of the pressure? That’s noise. Venture capital chasing another rocket ride. Industry chasing the thrill of a “next big thing,” even as the well of resources runs dry. A mirage dressed up as momentum.

The post-quantum crypto rush

So, there’s a perceived pressure. A sense of a need to rush things. Quickly.
Or else.

But rushing has a long, messy history. Time for a quick parable.

In 1848, a few gold flakes showed up at Sutter’s Mill in California. One man, Sam Brannan, spread the news far and wide. By 1849, waves of prospectors were pouring into the state. The legend says fortunes were made. The reality was different: most prospectors went home with little more than they had arrived with. A lot of sweat. Not much glitter.

The real winners were not the miners. They were the merchants.
Brannan had quietly bought up almost all the tools needed for prospecting and sold them back at huge markups. California’s first millionaire did not pan for gold. He sold the shovels.

Levi Strauss made his mark too, with reinforced clothing. Hotels, bars, gambling rooms and brothels cashed in while prospectors kept digging.

End of parable.

The shadow of hidden agendas

Cryptography has a long history, and not all of it is clean. It grew out of military needs. The idea was simple: you want secure, untouchable communication for yourself, while your adversaries have none.

In a totalitarian mindset, the word adversary stretches far beyond enemy states. It includes everyone. Every citizen. Every organisation. If everyone is a potential threat, then every message must be watched. That thinking shaped the vast surveillance programs revealed by Snowden and others.

The doctrine of Total Information Awareness is still alive. It often hides behind noble banners like fighting cybercrime, child exploitation or terrorism. More recently, it surfaced again in the EU through attempts to introduce ChatControl.

One part of this surveillance push matters directly here. Cryptography itself. The algorithms chosen. The standards set. The gatekeepers who influence both. For decades, one agency has held outsized power in that space: the NSA.

Depending on who you ask, NSA stands either for “No Such Agency” or “National Security Agency”. It’s worth noting that an intelligence agency with national interests shaping global cryptographic standards introduces understandable risks and tradeoffs.

Are you not entertained?

DARPA, another US agency, has stepped into the quantum arena with the Quantum Benchmarking Initiative (QBI). Unlike the NSA, DARPA is not fixated on cryptography. It is asking a broader question: does quantum computing have any real, practical use in the near term?

Stage A consisted of a conceptual exploration of potentially near-term realisable, utility-scale quantum computer concepts. As of Nov. 6, 2025, DARPA has selected 11 companies to enter Stage B, in which they develop and detail their R&D plans. Stage C is intended to follow and consists of verification and validation of the results claimed in Stage B.

Given Gutmann’s observations, the broader question of whether quantum computing has any long-term utility makes sense. His observation: by his count, the largest number honestly factorised by a quantum computer to date is 35, a factorisation that can be easily reproduced using a “VIC-20 8-bit home computer from 1981, an abacus, and a dog”.

So presently, an early ’80s home computer trumps the state of the art in quantum computing. Then again, so does Gutmann’s dog, as does the abacus, a computing device dating back to roughly 2700-2300 BCE. Progress is real, but it is still slow. Quantum development is at the stage of writing R&D plans, not rewriting the laws of mathematics. This should give us pause. It should counter the idea that we must rush headfirst into new, untested, barely examined cryptographic algorithms simply because the word quantum has been repeated loudly enough. Our current tools may not be perfect, but they are understood, vetted and battle tested. The new ones are not.

Full steam ahead

Icebergs be damned. Captain Edward John Smith was under pressure to make a fast Atlantic crossing. The Titanic pushed ahead at 22 knots. The crew knew ice was in the water. They pressed on anyway. We know how that ended. Pressure makes people take risks they should not.

We are in a similar channel, but with one advantage. We can still change course. We can steer between the Scylla of harvest now, decrypt later fears and the Charybdis of rushing into cryptography that is untested, unsound or quietly compromised.

We do not have to repeat the Titanic’s mistake.

Multiple encryption

Fear of a sudden quantum leap that could break parts of today’s cryptography, combined with doubts about the maturity of new algorithms like CRYSTALS-Kyber, CRYSTALS-Dilithium and SPHINCS+ (standardised by NIST in 2024 as ML-KEM, ML-DSA and SLH-DSA), has pushed some people toward a fallback idea: use both, old and new. Applied to bulk encryption, this approach is known as cascade encryption, cipher stacking or superencipherment; applied to key exchange, it is usually called a hybrid.

It sounds safe. In practice, it comes with baggage.

More configuration. More operational overhead. More chances for mistakes. And heavier demands on silicon. Hardware has to do more work. That matters for devices with tiny footprints and built in cryptography, like payment cards, smart locks and car access systems.

There is another trap. Combining two cryptographic functions does not automatically give you a stronger one. In the worst case, one cancels the other out: two XOR-style stream stages fed the same keystream hand back the plaintext. In less obvious cases, the keys used in each stage are not independent, for example when the second key is derived from the first. A cascade is only guaranteed to be at least as strong as its first stage when the stage keys are chosen independently (Maurer and Massey, 1993). Break one stage of a cascade with dependent keys and the whole chain can fall apart: the attacker ends up with the key that protects everything.

Although the NSA’s Commercial Solutions for Classified (CSfC) program does mandate two independent layers of encryption, layered encryption sees little widespread use outside it.
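As an added example, not code from the article, here are the two failure modes just described in runnable form. The cipher is a deliberately simple stand-in built from HMAC-SHA256 in counter mode; the names `xor_stage`, `cascade` and the key-derivation shortcut `derive_k2_from_k1` are assumptions made for the demonstration, and the sample message is constructed. The pitfalls themselves apply to any XOR-style stage:

```python
# Added example (not from the original article): why a cascade can be weaker
# than it looks. The XOR stream cipher below is a stand-in for the demo.
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF keystream: HMAC-SHA256(key, nonce || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_stage(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """One cascade stage: data XOR keystream. Encrypt and decrypt are the same op."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def cascade(k1: bytes, k2: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Superencipherment: stage 2 is applied to the output of stage 1."""
    return xor_stage(k2, nonce, xor_stage(k1, nonce, msg))


# Pitfall 1: the stages cancel. Two XOR stages with the same key and nonce get
# the same keystream twice, and ks XOR ks = 0, so the "double" encryption
# outputs the plaintext unchanged.
def stages_cancel(key: bytes, nonce: bytes, msg: bytes) -> bool:
    return cascade(key, key, nonce, msg) == msg


# Pitfall 2: dependent keys. A common shortcut derives the second key from the
# first (hypothetical helper). An attacker who recovers k1, by whatever means,
# recomputes k2 exactly as the sender did and strips both layers.
def derive_k2_from_k1(k1: bytes) -> bytes:
    return hashlib.sha256(b"stage2" + k1).digest()   # deterministic: no new secret


def attacker_with_k1_dependent(k1: bytes, nonce: bytes, ct: bytes) -> bytes:
    k2 = derive_k2_from_k1(k1)
    return xor_stage(k1, nonce, xor_stage(k2, nonce, ct))


# The fix: independent keys. Knowing k1 peels one layer but leaves stage 2
# intact, so the attacker is left with keystream-masked bytes, not the message.
def attacker_with_k1_independent(k1: bytes, nonce: bytes, ct: bytes) -> bytes:
    return xor_stage(k1, nonce, ct)     # k2 is unknown; this is all the attacker can do


def demo() -> dict:
    nonce = os.urandom(12)
    msg = b"constructed sample message: card PAN 4111 1111 1111 1111"
    k1 = os.urandom(32)
    k2_dependent = derive_k2_from_k1(k1)
    k2_independent = os.urandom(32)
    ct_dep = cascade(k1, k2_dependent, nonce, msg)
    ct_ind = cascade(k1, k2_independent, nonce, msg)
    return {
        "stages_cancel": stages_cancel(k1, nonce, msg),
        "dependent_keys_broken": attacker_with_k1_dependent(k1, nonce, ct_dep) == msg,
        "independent_keys_hold": attacker_with_k1_independent(k1, nonce, ct_ind) != msg,
    }


if __name__ == "__main__":
    print(demo())
```

The dependent-key shortcut is what to look for in code review: any second-stage key that is a pure function of the first-stage key adds overhead without adding security. The independent-key case is also how hybrid key exchange is meant to work, where the classical and post-quantum shared secrets are fed together into one key derivation function, so the result stays secret as long as either input does.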

A call for agility

Cryptography is the art of transforming large secrets into small ones.

Bruce Schneier

We do not have a crystal ball. We do not have access to the hidden digital armories of today’s intelligence agencies.

What we do know is this. The new crop of post-quantum algorithms being pushed into the spotlight is not battle tested. That is expected at this stage, but it matters. The tools we use to analyse and attack these algorithms are not yet as sharp as the ones that have been honed against RSA and elliptic curves for decades.

Rushing to replace stable, proven cryptography with something new, untested or possibly weakened out of fear of a future quantum breakthrough is not wise. But what is wise, then?

Agility.
Build the ability to change your cryptography at speed.
Make sure you can swap components in communication systems and data storage without tearing your environment apart. When you decide a new algorithm is sound, uncompromised and mature, you can adopt it immediately.

Agility is the safety valve. The pressure may rise, but you can move when it matters.
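Agility is mostly a data-format and configuration problem. The following is an added example, not code from the article: every ciphertext record carries a suite identifier and a key identifier in its header, a suite registry with a lifecycle status (current, legacy, retired) decides what may be written and what may still be read, and a `migrate` function re-encrypts old records under the current suite. The suites (`toy-shake128-blake2s`, `toy-shake256-blake2b`), the key ids and the sample record are stand-ins invented for the demonstration; in production the same registry would hold AES-GCM today and a post-quantum hybrid later.

```python
# Added example (not from the original article): a crypto-agile record format.
# Suites, key ids and sample data are stand-ins for the demonstration.
import hashlib
import hmac
import os
import struct

HEADER = struct.Struct(">BH")   # suite id (1 byte) || key id (2 bytes), followed by the nonce


# Toy suites (stdlib only): XOF keystream for confidentiality, keyed hash for integrity.
def _ks_shake128(key, nonce, n):
    return hashlib.shake_128(b"ks1" + key + nonce).digest(n)

def _ks_shake256(key, nonce, n):
    return hashlib.shake_256(b"ks2" + key + nonce).digest(n)

def _tag_blake2s(key, data):
    return hashlib.blake2s(data, key=key, digest_size=16).digest()

def _tag_blake2b(key, data):
    return hashlib.blake2b(data, key=key, digest_size=32).digest()

# The registry is the single place that knows which algorithm sits behind which id.
# "current": read and write; "legacy": read only; "retired": refuse even to read.
SUITES = {
    1: dict(name="toy-shake128-blake2s", ks=_ks_shake128, tag=_tag_blake2s,
            tag_len=16, nonce_len=12, status="legacy"),
    2: dict(name="toy-shake256-blake2b", ks=_ks_shake256, tag=_tag_blake2b,
            tag_len=32, nonce_len=24, status="current"),
}
CURRENT_SUITE = 2


def _subkeys(suite_id, key):
    # Separate encryption and tag keys, bound to the suite id, so one stored key
    # reused across suites never yields related keystreams or tags.
    enc = hashlib.sha256(b"enc" + bytes([suite_id]) + key).digest()
    mac = hashlib.sha256(b"mac" + bytes([suite_id]) + key).digest()
    return enc, mac


def _seal(keystore, key_id, plaintext, suite_id):
    """Build a record without lifecycle checks (models data written in the past)."""
    spec = SUITES[suite_id]
    enc, mac = _subkeys(suite_id, keystore[key_id])
    nonce = os.urandom(spec["nonce_len"])
    header = HEADER.pack(suite_id, key_id) + nonce
    body = bytes(a ^ b for a, b in zip(plaintext, spec["ks"](enc, nonce, len(plaintext))))
    return header + body + spec["tag"](mac, header + body)    # encrypt-then-MAC, header included


def encrypt(keystore, key_id, plaintext, suite_id=CURRENT_SUITE):
    """Write path: only a 'current' suite may create new ciphertext."""
    status = SUITES[suite_id]["status"]
    if status != "current":
        raise ValueError(f"suite {suite_id} is {status}; refusing to write with it")
    return _seal(keystore, key_id, plaintext, suite_id)


def decrypt(keystore, record):
    """Read path: dispatch on the suite id in the header; legacy records stay readable."""
    suite_id, key_id = HEADER.unpack_from(record)
    spec = SUITES.get(suite_id)
    if spec is None or spec["status"] == "retired":
        raise ValueError(f"suite {suite_id} is unknown or retired")
    hdr_len = HEADER.size + spec["nonce_len"]
    header, body, tag = record[:hdr_len], record[hdr_len:-spec["tag_len"]], record[-spec["tag_len"]:]
    enc, mac = _subkeys(suite_id, keystore[key_id])
    if not hmac.compare_digest(tag, spec["tag"](mac, header + body)):
        raise ValueError("authentication failed")
    nonce = header[HEADER.size:]
    return bytes(a ^ b for a, b in zip(body, spec["ks"](enc, nonce, len(body))))


def needs_migration(record):
    return SUITES[HEADER.unpack_from(record)[0]]["status"] != "current"


def migrate(keystore, record, new_key_id):
    """Re-encrypt under the current suite and a fresh key id: one call per record."""
    return encrypt(keystore, new_key_id, decrypt(keystore, record))


def tamper_detected(keystore, record):
    flipped = record[:-1] + bytes([record[-1] ^ 0x01])     # corrupt the last tag byte
    try:
        decrypt(keystore, flipped)
        return False
    except ValueError:
        return True


def demo():
    keystore = {7: os.urandom(32), 8: os.urandom(32)}            # key id -> key material
    msg = b"constructed sample record: customer 42, balance 1234.56"
    old = _seal(keystore, 7, msg, suite_id=1)                    # written before suite 1 became legacy
    try:
        encrypt(keystore, 7, msg, suite_id=1)
        legacy_refused = False
    except ValueError:
        legacy_refused = True
    new = migrate(keystore, old, new_key_id=8)
    return {
        "old_readable": decrypt(keystore, old) == msg,
        "old_needs_migration": needs_migration(old),
        "legacy_write_refused": legacy_refused,
        "migrated_suite": HEADER.unpack_from(new)[0],
        "migrated_readable": decrypt(keystore, new) == msg,
        "new_needs_migration": needs_migration(new),
        "tamper_detected": tamper_detected(keystore, new),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is that swapping algorithms touches one table and one background job: change the status of a suite in `SUITES`, run `migrate` over records for which `needs_migration` is true, and eventually mark the old suite retired so it can no longer be read. Nothing that stores or transmits records needs to know what the suite id means.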

FAQ

No. Don’t panic.

No. And only part of it is really in danger: public-key cryptography built on factoring and discrete logarithms (RSA, Diffie-Hellman, elliptic curves), which a large enough quantum computer running Shor’s algorithm would break at any practical key size. Symmetric ciphers and hash functions are affected far less; larger keys and digests are enough there. And even the timetables for that threat are vague, presently.

In theory, yes. In practice, it is hard to implement safely, and the extra complexity and performance cost will block many real world uses.

Get solid control over your configurations. Bake agility requirements into procurement and development. Streamline your change process so swapping cryptography does not feel like open heart surgery.