Most of what software does is a promise. The button promises the action it implies. The privacy policy promises what it claims. Promises are good — civilization runs on them — but they’re enforced by reputation, law, and consequence over time. They can be broken.
Encryption is unusual: it gives you a guarantee instead. Done right, the math is the enforcement. There’s no person at the keyboard who could break it if they wanted to badly enough. To break it, you’d need to break math itself.
A very compressed history
Encryption is older than computing — older than most of what we’d call mathematics. Caesar shifted his alphabet by three. Mary Queen of Scots’ coded letters got her executed when her cipher was broken. Arab scholars invented frequency analysis around the 9th century and held the state of the art for centuries.
The 20th century industrialized it. Enigma, Lorenz, the cryptanalysis effort at Bletchley Park that arguably shortened the Second World War by years and gave us, as a side effect, the first programmable computers. After the war, cryptography mostly lived inside intelligence agencies, until two things happened in the 1970s.
The first was DES, the Data Encryption Standard — the first publicly available, government-blessed encryption algorithm. The second, more important, was a paper by Diffie and Hellman in 1976 proposing that two strangers could agree on a shared secret over a public channel without ever having met. RSA followed two years later, making the idea practical. That was the moment encryption left intelligence agencies and became something the internet could be built on.
The two families
Modern cryptography has two main flavours, and almost everything you use is some combination of them.
Symmetric encryption is the old idea: one key, used by both sides. Fast, efficient, well understood. AES is the workhorse — it’s what encrypts files on disk, what protects traffic once a TLS connection is established, what your iPhone uses when it locks. The problem with symmetric encryption is the same problem Caesar had: how do you and I, two strangers on a wire, agree on a key without an eavesdropper learning it?
Asymmetric encryption is the answer. Each side has a keypair — one public, one private. You can encrypt something with my public key, but only my private key can decrypt it. You can sign something with your private key, and anyone with your public key can verify it was you. RSA was the first; elliptic curve cryptography (ECC) is the more modern, more efficient version. Asymmetric is slow and computationally expensive, so we don’t use it for bulk data — we use it to agree on a symmetric key, then switch to AES. Every HTTPS connection on the internet does this dance, billions of times a day.
There’s a third thing worth mentioning: hash functions like SHA-256. Not encryption, exactly — there’s no “decrypt.” A hash takes any input and produces a fixed-length fingerprint that’s effectively unique. Hashes are how passwords are stored (the system never knows your password, only its hash), how Bitcoin works, how the integrity of every software update you install is verified.
What’s keeping you safe right now
Open a banking site. The little padlock in the browser bar represents, roughly, this sequence:
- Your browser and the bank’s server prove they’re who they say they are, using asymmetric cryptography and a chain of trust rooted in certificate authorities.
- They use a key exchange protocol — these days usually ECDH, an elliptic-curve variant of Diffie-Hellman — to agree on a shared symmetric key, in a way that an eavesdropper recording the entire conversation can’t recover.
- They switch to AES-GCM and use it to encrypt every subsequent byte.
This is fast, reliable, and as far as we know mathematically sound against any classical computer. Which is where the story gets harder.
The quantum problem
Quantum computers don’t exist yet at useful scale. Nobody outside a handful of labs really knows how close we are to one that does, and the people inside those labs disagree.
What we do know is that if a sufficiently large quantum computer is built, two algorithms become dangerous:
- Shor’s algorithm efficiently factors large numbers and computes discrete logarithms. This breaks RSA, ECC, and Diffie-Hellman. All of them. The entire asymmetric layer of modern cryptography falls.
- Grover’s algorithm speeds up brute-force search. This dents symmetric cryptography but doesn’t break it — AES-128 effectively becomes AES-64 (weak), but AES-256 effectively becomes AES-128 (still fine). We respond by using bigger keys, and the problem largely goes away.
So the symmetric world is mostly OK. The asymmetric world is in trouble. And the asymmetric world is what bootstraps every secure connection on the internet.
Harvest now, decrypt later
A sufficiently motivated adversary — a nation-state intelligence service, say — does not need a quantum computer today to attack the encryption you’re using today. They need a quantum computer eventually. In the meantime, they record your encrypted traffic and store it.
This is harvest now, decrypt later — HNDL — and it’s not a hypothetical. We have to assume that significant volumes of encrypted internet traffic, from at least the early 2010s onward, are sitting in storage somewhere, waiting for the math to give way.
Whether your data is in that bucket, and whether it still matters in ten or twenty years, is a question about your threat model, not about cryptography. For healthcare records, government communications, intellectual property, and personal information of long-lived value: it matters now.
The migration
In 2024, after eight years of public competition, NIST standardized the first batch of post-quantum cryptographic algorithms:
- ML-KEM (formerly Kyber) for key encapsulation — the replacement for RSA/ECC key exchange.
- ML-DSA (formerly Dilithium) and SLH-DSA (formerly SPHINCS+) for digital signatures.
These algorithms are based on entirely different mathematical hardness assumptions — lattice problems, mostly — that quantum computers, as far as we know, don’t have any special advantage against.
The rollout has already started. Chrome and Cloudflare have been doing hybrid post-quantum key exchange (classical ECC plus ML-KEM, belt-and-suspenders) for over a year. Signal upgraded its protocol. Apple iMessage upgraded its protocol. AWS, Azure, and Google Cloud all have post-quantum options for their key management services.
Migrating the internet to post-quantum cryptography is the largest cryptographic transition since the invention of public-key cryptography itself. It will take a decade. The work is happening now.
What this means in practice
If you’re building systems that handle long-lived sensitive data — healthcare records, legal files, government communications, intellectual property — PQC migration is worth raising with your vendors and your security team now. The tooling is shipping; the open question is whether your stack has picked it up.
For users, most of this happens on your behalf without you noticing. The exception is whatever you sent over the internet a decade ago, or send today: it may be sitting in someone’s archive, waiting for the math to give way.