Securing the quantum era: Future proof your data

Software engineers often use encryption to protect data, secure communications and preserve system integrity. But what happens if the cryptographic foundations trusted for decades become obsolete? 

This isn’t science fiction—it’s a rapidly approaching reality. While the exact timeline for a reliable quantum computing era remains complex, the caution from the National Institute of Standards and Technology (NIST) is clear: should large-scale quantum computers be built, they would be able to break many of the public-key encryption systems currently in use.

The vast majority of encryption in use today falls into two categories: asymmetric (public/private key) and symmetric (shared key). Quantum computing impacts each differently.

Many key security protocols we rely on every day, like SSL/TLS for secure websites, online banking and digital signatures, use asymmetric encryption. This involves two keys: a public-key for encryption and a private key for decryption. These methods rely on math problems that are incredibly hard for classical computers to solve in reverse. 

For example, RSA encryption is based on the fact that multiplying two large prime numbers is easy, but determining the original primes from the resulting number is extraordinarily difficult—a math problem that would take classical computers billions of years to solve. However, a quantum computer using Shor’s algorithm could theoretically factor large numbers and break elliptic-curve problems at unprecedented speeds, potentially within hours.

Symmetric algorithms like AES (Advanced Encryption Standard), which use the same key for encryption and decryption, are generally more resistant. A quantum computer leveraging Grover's algorithm achieves a quadratic speedup for brute-force searches, effectively halving the bit strength of symmetric keys. As a result, organizations would need to use larger keys (e.g. 256-bit instead of 128-bit) to maintain equivalent security, which can affect performance and involve significant overhead.

PQC is a family of encryption methods built to withstand attacks from both the conventional supercomputers we know and the quantum computers of tomorrow. Instead of relying on factoring or discrete logs, they use entirely different mathematical problems:

• Lattice-based cryptography: Secures data using complex geometric structures. Breaking it is like finding a single hidden point in a vast 3D grid.

• Hash-based cryptography: Relies on one-way mathematical functions. Think about mixing ingredients into a cake—simple to combine, nearly impossible to unmix.

• Code-based cryptography: Builds security on sophisticated error-correction codes, similar to how data transmission remains reliable even over noisy networks.

These methods form the foundation of emerging quantum-resistant standards.

As quantum computing advances, one concern is a tactic called “harvest-now, decrypt-later,” where attackers could store encrypted data now and attempt to unlock it in the future should more powerful quantum tools become available. This risk is particularly relevant for sensitive data, such as financial records and personally identifiable information (PII), that must remain protected over long periods. 

This urgency is driving industry and government bodies, like NIST, to prioritize standardizing PQC and encouraging organizations to prepare now by understanding where cryptography is used and planning for migrations. Key NIST and government milestones include:

• On Aug. 13, 2024, NIST finalized its first quantum-resistant cryptography standards. These include Federal Information Processing Standard (FIPS) 203, FIPS 204 and FIPS 205. 

• On March 11, 2025, NIST selected Hamming Quasi-Cyclic (HQC) as the fifth algorithm in its suite of PQC standards. 

• By December 2025, CISA and NSA must release a list of product categories ready for quantum-safe encryption.

• By 2030, NSA and OMB agencies must support Transport Layer Security (TLS) 1.3 or a successor version by 2030. 

• By 2035, the NSA expects owners and operators of national security systems to use post-quantum algorithms.

To get ready for the post-quantum era, organizations should consider following a clear preparedness roadmap. The Post-Quantum Cryptography Coalition (PQCC) released its Post-Quantum Cryptography Migration Roadmap, which outlines four critical categories: 

1. Preparation: Understand which stakeholders are involved, evaluate potential vulnerabilities and ensure organizational goals are aligned with planned migration timelines. 

   • Check what inventories, risk assessments and cryptographic bills of materials (CBOM) already exist. Document all findings. 

   • Identify key stakeholders to support and a strategic leader to manage the PQC migration. 

   • Develop messaging to communicate the value purpose of PQC migration to the broader organization. 

2. Baseline understanding: The migration lead develops an initial view of the organization’s cryptographic inventory, identifies which assets should be prioritized for updates and evaluates resources available to support. 

   • Use tools like static code analysis platforms to scan codebases, network traffic and configurations for cryptographic assets.

   • Use quantum risk assessment tools to evaluate exposure and prioritize critical assets for migration:

     1. Vulnerable - RSA, ECC 

     2. Partially vulnerable - AES

     3. Quantum-resistant - Kyber, Dilithium

3. Planning and execution: Decide which post-quantum solutions to source from vendors versus developing internally. Address near- and long-term risks through interim safeguards and phased PQC implementation.

   • Set a budget and identify solutions that are current with PQC standards. To help alleviate some cost, consider implementing hybrid crypto stacks combining classical and PQC.

   • Put short-term protective measures, like out-of-band-tools, to reduce exposure to “harvest now, decrypt later” threats while full PQC solutions are being deployed.

   • Acquire or develop, then implement PQC solutions in order of the prioritized assets determined. Test NIST-approved algorithms in staging environments and put contingency plans in place in case of disruptions.

4. Monitoring and evaluating: Continue to track migration progress and reassess security as quantum standards evolve. 

   • Monitor updates from NIST and other industry regulators to ensure alignment with evolving standards.

   • Create KPIs to measure performance and migration progress of prioritized assets.

   • Continually optimize and assess workforce needs to determine if additional workflows, training or other support is needed.

Following this roadmap is an important step in preparing systems for the post-quantum era. However, encryption alone may not address every risk, particularly for sensitive data that must remain secure during migration or over long retention periods. 

That’s where tokenization comes in. By replacing sensitive data with non-sensitive tokens, tokenization adds a complementary layer of protection that reduces exposure while working alongside encryption. For a deeper dive into how tokenization complements encryption, see our white paper Beyond Encryption. 

Earlier this year, Capital One Software introduced Databolt, a tokenization solution built to address complex security challenges like these.

Databolt is a vaultless tokenization solution that replaces sensitive data with secure tokens, reducing exposure risk in the event of a breach. It uses a hybrid deployment architecture where configuration and management live in our secure control plane, while the tokenization operations happen within the customer’s environment, providing flexibility, security and reliability at scale. 

Preparing for quantum threats is about building systems that can evolve alongside emerging standards. Databolt’s architecture was designed with this future-readiness in mind. 

• Quantum-safe core: Databolt’s tokenization and secret-management services are built on strong symmetric encryption and hashing algorithms, which remain resilient against known and emerging quantum threats. 

• Hybrid cryptography support: We implement a hybrid key encapsulation (KEM) approach, combining classical and post-quantum algorithms. This positions customers to incrementally adopt PQC as standards mature, without disrupting existing systems. 

• Quantum-safe digital signatures: Our engineering team has already upgraded Databolt’s signature algorithm for cryptographic materials and libraries to quantum-safe versions selected by NIST.

At Capital One Software, we don’t view quantum-safe security as a one-time milestone. Our engineering team continuously evaluates emerging cryptographic standards and tests new approaches as they mature. This ongoing work keeps Databolt ready to protect sensitive data and reduce exposure risk as cryptographic standards develop.

If you want to learn more about Databolt, explore our resources or request a demo.

References

• Forbes & Freund, K. (2025, 02 11). The Raging Debate: When Will Quantum Arrive? https://www.forbes.com/sites/karlfreund/2025/02/11/the-raging-debate-when-will-quantum-arrive/
• Google Quantum AI & Gidney, C. (2025). How to factor 2048 bit RSA integers with less than a million noisy qubits. https://arxiv.org/pdf/2505.15917
• National Archives and Records Administration. (2024, August 1413). Announcing Issuance of Federal Information Processing Standards (FIPS) FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard, FIPS 204, Module-Lattice-Based Digital Signature Standard, and FIPS 205, Stateless Hash-Based Digital Signature Stan. Federal Register. https://www.federalregister.gov/documents/2024/08/14/2024-17956/announcing-issuance-of-federal-information-processing-standards-fips-fips-203-module-lattice-based
• National Security Agency. (2022, September 7). NSA Releases Future Quantum-Resistant (QR) Algorithm Requirements for National Security Systems. Announcing the Commercial National Security Algorithm Suite 2.0. https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3148990/nsa-releases-future-quantum-resistant-qr-algorithm-requirements-for-national-se/
• NIST. (2024, August 13). What Is Post-Quantum Cryptography? | NIST. National Institute of Standards and Technology. Retrieved August 1, 2025, from https://www.nist.gov/cybersecurity/what-post-quantum-cryptography
• NIST. (2025, March 11). NIST Selects HQC as Fifth Algorithm for Post-Quantum Encryption | NIST. National Institute of Standards and Technology. Retrieved August 1, 2025, from https://www.nist.gov/news-events/news/2025/03/nist-selects-hqc-fifth-algorithm-post-quantum-encryption
• NIST. (2025, 07 28). Post-Quantum Cryptography. NIST Computer Security Resource Center. https://csrc.nist.gov/projects/post-quantum-cryptography
• Post-Quantum Cryptography Coalition (PQCC). (2025, May 16). PQC Migration Roadmap | Post-Quantum Cryptography Coalition. Post-Quantum Cryptography Coalition |. Retrieved August 1, 2025, from https://pqcc.org/post-quantum-cryptography-migration-roadmap/
• UK National Cyber Security Centre. (2024). On the practical cost of Grover for AES key recovery. NIST CSRC. https://csrc.nist.gov/csrc/media/Events/2024/fifth-pqc-standardization-conference/documents/papers/on-practical-cost-of-grover.pdf
• Vacca, J. R. (Ed.). (2013). Computer and Information Security Handbook. Elsevier Science. https://www.sciencedirect.com/topics/computer-science/integer-factorization
• The White House. (2025, June 6). Sustaining Select Efforts to Strengthen the Nation's Cybersecurity and Amending Executive Order 13694 and Executive Order 14144. The White House. Retrieved August 1, 2025, from https://www.whitehouse.gov/presidential-actions/2025/06/sustaining-select-efforts-to-strengthen-the-nations-cybersecurity-and-amending-executive-order-13694-and-executive-order-14144/