Quantum Cryptography and the Private Self
The migration from RSA and elliptic-curve cryptography to the post-quantum schemes standardised in the last two years is, by any reasonable measure, the largest planned change in the infrastructure of the internet since the rollout of TLS itself.[^1] It is being conducted, on the whole, as a technical exercise. Engineering teams at the major cloud providers are inventorying their cryptographic dependencies; standards bodies are working through the migration paths; cryptographic libraries are issuing updated releases. The conversation in trade publications has been almost entirely about backwards compatibility, packet sizes, and the performance penalties of lattice-based schemes.
What is largely missing from this discussion is its political content. Cryptography is not merely a piece of infrastructure; it is the substrate on which the modern distinction between public and private is implemented. When the substrate changes, the distinction changes too — sometimes in ways the engineers performing the migration are not in a position to anticipate, because the change is not in their hands. It is in the hands of whoever, ten years from now, will be in possession of the relevant decryption capacity. That is the political fact about the transition that I think deserves more attention than it has received.
What Will Become Public
The technical fact of the transition is by now widely known. Peter Shor's 1994 algorithm showed that a sufficiently large quantum computer could factor integers and compute discrete logarithms in polynomial time, breaking RSA, finite-field Diffie-Hellman and the elliptic-curve schemes that underlie most secure communication on the modern internet.[^2] Lov Grover's 1996 algorithm provided a more modest quadratic speedup against symmetric schemes: an exhaustive search of an n-bit key costs on the order of 2^(n/2) quantum steps rather than 2^n, so AES-128 falls to roughly 64-bit security while AES-256 keeps roughly 128-bit security.[^3] Symmetric schemes therefore need longer keys but are not invalidated. No quantum computer presently exists that can run Shor's algorithm at relevant scale; estimates of when one might exist range from "ten years" to "never", with the truth depending on the difficulty of error-corrected qubits, an open problem in physics about which honest experts disagree.
The post-quantum cryptographic standards, finalised by NIST in August 2024 after a multi-year competition, are designed to resist Shor-style attacks; they rely on mathematical problems — structured lattices for ML-KEM and ML-DSA, hash functions for SLH-DSA — for which no quantum speedup beyond Grover's generic one is presently known.[^4] The new standards have been integrated into TLS, in practice as a hybrid key exchange that combines an ML-KEM share with an elliptic-curve share so that a flaw in either leaves the other intact; they have been integrated into the signing protocols for code distribution, and are slowly being adopted by financial messaging, secure email, and the more security-conscious applications. The transition is, from a strictly technical perspective, manageable.
The political fact is more uncomfortable. Every TLS session that is currently being intercepted and stored by any party with the resources to do so — and there are several such parties — will, the moment a sufficient quantum computer comes online, be retrospectively decryptable. Forward secrecy does not help here: the recorded key exchange, whether an RSA-wrapped secret or an ephemeral elliptic-curve Diffie-Hellman share, is exactly the public value that Shor's algorithm inverts, and from it the session key follows. The same applies to every encrypted email and every transaction record whose symmetric key was itself negotiated or wrapped with RSA or elliptic-curve schemes; only data keyed by secrets that never passed through public-key cryptography, such as pre-shared symmetric keys, is exempt. Signed documents suffer a different harm: their contents do not become legible, but their signatures become forgeable, so past attestations lose their evidentiary weight. The standard term for the collection strategy is harvest now, decrypt later, and it is documented to be in use by several national intelligence services. The data being harvested today, against the possibility of decryption in 2034 or 2040 or 2050, includes diplomatic cables, medical records, journalists' correspondence, dissident communications, and routine personal traffic. None of these can be retroactively encrypted with post-quantum schemes once they have been recorded under the old ones.
The migration to post-quantum cryptography protects future correspondence. It does nothing for the past, which is already being collected against a future in which it will become legible.
This is, I think, the part of the transition that most deserves moral attention. The promise of cryptographic privacy was, in the strong form most of us have inherited from the early-internet civil-libertarian tradition, a promise about the future as well as the present: that the conversation you are having now will remain private not only against your interlocutor's coffee shop neighbour but against any plausible institutional adversary, indefinitely. That promise was contingent on cryptographic assumptions that we now know to be temporary. It will not survive the quantum transition in anything like its earlier form.
Quantum Cryptography, Properly So Called
A clarification is needed. The phrase quantum cryptography is sometimes used to mean two quite different things. The first is post-quantum cryptography — classical algorithms designed to resist attack by a future quantum computer, which is what the NIST standards address. The second is quantum key distribution (QKD), a class of protocols that use the physics of quantum measurement to detect eavesdropping in principle. The latter is more famous and, I think, often oversold.
The original QKD protocol, BB84, was proposed by Charles Bennett and Gilles Brassard in 1984 and is one of the most beautiful ideas in modern physics.[^5] It exploits the fact that a quantum measurement disturbs the system being measured: an eavesdropper attempting to read a stream of polarised photons will, by the act of reading them, leave a statistical fingerprint that the legitimate parties can detect. The protocol guarantees, in a sense that classical cryptography cannot, that the secrecy of the key depends only on the laws of physics, not on the computational difficulty of an underlying mathematical problem.
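The statistical fingerprint described above can be seen in a classical simulation. What follows is an added example in Python, not code from the essay: photon polarisations are modelled abstractly as a (basis, bit) pair, the channel is assumed noiseless, and the 11% abort threshold, the photon counts and the intercept-resend strategy given to the eavesdropper are illustrative assumptions. An honest run yields no errors in the sifted key; an eavesdropper who measures and re-sends every photon guesses the wrong basis half the time and so introduces errors in about a quarter of the sifted positions.

```python
import random

# Added example (not code from the essay): a classical simulation of BB84 with
# an optional intercept-resend eavesdropper. Basis 0 is rectilinear, basis 1 is
# diagonal. The 11% threshold is the well-known bound below which one-way
# post-processing can still distil a secret key; it is an illustrative choice
# here, as are the photon counts.

QBER_ABORT_THRESHOLD = 0.11


def measure(prep_basis, prep_bit, meas_basis, rng):
    """Measure a photon prepared as (prep_basis, prep_bit) in meas_basis.

    Same basis: the outcome equals the encoded bit and nothing is disturbed.
    Conjugate basis: the outcome is a fair coin flip, and the photon is now in
    the measured state, so the original information is destroyed.
    """
    if prep_basis == meas_basis:
        return prep_bit
    return rng.randrange(2)


def bb84_round(n_photons, eavesdrop, seed=0):
    """Run one BB84 round and return its sifting and error statistics."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bits = []
    for a_basis, a_bit, b_basis in zip(alice_bases, alice_bits, bob_bases):
        if eavesdrop:
            # Eve measures in a random basis and re-sends a photon prepared in
            # that basis with the outcome she saw. Half the time her basis is
            # wrong; of those photons, half give Bob a wrong bit even when his
            # basis matches Alice's, hence roughly 25% errors after sifting.
            e_basis = rng.randrange(2)
            a_bit = measure(a_basis, a_bit, e_basis, rng)
            a_basis = e_basis
        bob_bits.append(measure(a_basis, a_bit, b_basis, rng))

    # Sifting over the classical channel, which must be authenticated (or Eve
    # could impersonate Bob): bases are compared, bits are not, and only the
    # positions where the bases agree are kept.
    sifted = [
        (a_bit, b_bit)
        for a_bit, b_bit, a_basis, b_basis in zip(alice_bits, bob_bits, alice_bases, bob_bases)
        if a_basis == b_basis
    ]

    # Parameter estimation: a random half of the sifted bits is disclosed and
    # compared; the fraction that disagree is the quantum bit error rate (QBER).
    sample = set(rng.sample(range(len(sifted)), len(sifted) // 2))
    errors = sum(1 for i in sample if sifted[i][0] != sifted[i][1])
    qber = errors / len(sample)
    key = [a_bit for i, (a_bit, _) in enumerate(sifted) if i not in sample]
    return {
        "sifted": len(sifted),
        "qber": qber,
        "accepted": qber <= QBER_ABORT_THRESHOLD,
        "key_bits": len(key),
    }


if __name__ == "__main__":
    print("honest channel:", bb84_round(20000, eavesdrop=False))
    print("intercept-resend:", bb84_round(20000, eavesdrop=True))
```

Two things the simulation makes visible that the prose does not: the secrecy argument rests on the disclosed sample being large enough for the error estimate to be trustworthy, and the bases are compared over an ordinary classical channel that QKD itself does not authenticate.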
The trouble with QKD is not the mathematics but the engineering. It requires a continuous, low-loss optical channel between the parties — a dedicated fibre or a line-of-sight free-space link — and the equipment is expensive, finicky, and limited in range. The physics guarantee also holds only for idealised devices; real detectors and sources have had implementation flaws that let an eavesdropper slip under the statistical fingerprint. Less often mentioned, QKD does not authenticate anyone: the parties still need a classical authenticated channel over which to compare bases and error rates, so it supplements conventional or post-quantum authentication rather than replacing it. It does not scale to the kind of mass deployment that secures the contemporary internet. It is presently in use, on a small scale, by central banks, military communications, and a handful of intercity links in China, Switzerland, and the Netherlands. It is unlikely, on any honest assessment, to become the default for ordinary internet traffic.
The political effect of this is that QKD is becoming a privacy good available only to institutions wealthy enough to deploy it. The rest of us are left with post-quantum classical schemes, which is fine for the future but offers no protection for the past. The asymmetry should be uncomfortable. The most secure communications of the next decades will be those between governments, defence contractors, and major banks, with a long tail of ordinary users on a strictly inferior cryptographic footing.
Privacy as a Contextual Property
To say what we lose in this transition requires some care about what privacy is supposed to be. Helen Nissenbaum's notion of contextual integrity is, I think, the most useful framework here.[^6] On Nissenbaum's account, privacy is not a single substance that one has more or less of; it is a function of whether information about a person flows according to the norms appropriate to the context in which the information was disclosed. Medical disclosures, on this view, are not "private" because they are hidden; they are private because the norms of medicine direct them only to other medical professionals with a need to know, and a violation occurs when they leak into a context (the employer, the insurer) where those norms do not apply.
The quantum transition affects contextual integrity in a particular way. It enlarges the temporal scope of leakage. A conversation conducted in 2026, under the norms of 2026, may become legible in 2040 to an institution whose access to it was never anticipated when the conversation took place. The journalist's source, the patient confiding in a tele-medical service, the activist organising opposition to a government policy — all of these are operating today under cryptographic assumptions whose temporal validity they cannot themselves audit.
Daniel Solove's work on the taxonomy of privacy harms identifies aggregation and secondary use as two of the most common modes by which contextual integrity is violated.[^7] Both are amplified by the quantum transition. A communication that, at the time, was protected against any plausible adversary can, when retrospectively decrypted, be aggregated with other later-decrypted communications and used in contexts the original speaker could not have foreseen. The harvested-and-stored data of the present is, in this sense, a kind of moral debt that the technologies of the future will collect.
What Might Be Recovered
I do not think the situation is hopeless, but the recovery requires institutional rather than technical means.
The most useful thing the cryptographic community could do, in the next several years, is to develop and promote cryptographic erasure practices: routine procedures by which long-stored encrypted data is, after a fixed period, either re-encrypted under post-quantum schemes (where the original sender can be reached for consent) or securely destroyed by the holder. The presumption should be that data is held only as long as it is needed and only under cryptographic guarantees appropriate to the entire period of holding. Cloud providers and email services should publish their cryptographic-erasure policies in the way that financial institutions publish their data-retention policies. One limit should be stated plainly: re-encryption by a holder protects data at rest whose keys were wrapped under RSA or elliptic-curve keys, such as archived mail or envelope-encrypted backups; it cannot recall copies that a third party has already captured from the wire, which is why the practice matters most for what has not yet been transmitted.
The second useful thing is a public regulatory frame that distinguishes between forward secrecy (the property that compromise of a long-term key does not compromise past sessions) and quantum forward secrecy (the property that no future computational capacity, including quantum, will compromise past sessions). The first is widely deployed; the second is not, but is technically achievable with currently available schemes, by making the ephemeral key exchange itself post-quantum, as the hybrid ML-KEM key shares now offered in TLS 1.3 do. Regulators in the EU, UK, and US are beginning to think about this; the conversations are happening too slowly.
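The two properties distinguished above can be shown side by side in one toy, and the same toy is the harvest-now-decrypt-later scenario of the earlier section made concrete. This is an added example in Python, not code from the essay: the prime is deliberately tiny so that baby-step giant-step can solve the discrete logarithm in milliseconds, standing in for what Shor's algorithm would do to real-size groups; the prime, the base, the SHA-256-based stream cipher and the one-step key derivation are all illustrative assumptions, and nothing here touches real parameters. No long-term key exists, so classical forward secrecy holds by construction; the recorded public shares and ciphertext nevertheless suffice once the logarithm is solvable.

```python
import hashlib
import random
from math import isqrt

# Added example (not code from the essay): an ephemeral Diffie-Hellman session
# in a deliberately tiny group, recorded by a passive observer and decrypted
# afterwards by solving the discrete logarithm. BSGS over a 20-bit prime plays
# the role Shor's algorithm would play against real curves and moduli.

P = 1_000_003  # prime; absurdly small on purpose
G = 2


def keygen(rng):
    """Ephemeral key pair: private exponent x and public share G^x mod P."""
    priv = rng.randrange(2, P - 1)
    return priv, pow(G, priv, P)


def derive_traffic_key(shared_secret, transcript):
    """Traffic key bound to the DH output and the public transcript.
    TLS uses HKDF here; a single hash step suffices for the illustration."""
    return hashlib.sha256(shared_secret.to_bytes(4, "big") + transcript).digest()


def xor_stream(key, data):
    """Toy stream cipher: keystream block = SHA-256(key || offset).
    XOR is symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def run_session(plaintext, seed=1):
    """Alice and Bob agree a key; Alice sends one encrypted record.
    Returns only what a passive recorder on the wire sees."""
    rng = random.Random(seed)
    a_priv, a_pub = keygen(rng)
    b_priv, b_pub = keygen(rng)
    transcript = a_pub.to_bytes(4, "big") + b_pub.to_bytes(4, "big")
    key = derive_traffic_key(pow(b_pub, a_priv, P), transcript)
    ciphertext = xor_stream(key, plaintext)
    # a_priv and b_priv go out of scope here. Classical forward secrecy holds:
    # there is no long-term key whose later compromise could reveal `key`.
    return {"a_pub": a_pub, "b_pub": b_pub, "ciphertext": ciphertext}


def discrete_log(h):
    """Baby-step giant-step: return x with G^x == h (mod P). Stand-in for Shor."""
    m = isqrt(P) + 1
    baby = {pow(G, j, P): j for j in range(m)}
    giant = pow(G, -m, P)  # G^(-m) mod P
    gamma = h
    for i in range(m + 1):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant % P
    raise ValueError("no discrete log found")


def decrypt_later(recorded):
    """Years later: recover the plaintext from the recorded public values alone.
    Only one party's share needs to be solved."""
    a_priv = discrete_log(recorded["a_pub"])
    transcript = recorded["a_pub"].to_bytes(4, "big") + recorded["b_pub"].to_bytes(4, "big")
    key = derive_traffic_key(pow(recorded["b_pub"], a_priv, P), transcript)
    return xor_stream(key, recorded["ciphertext"])


if __name__ == "__main__":
    # Constructed sample message.
    recorded = run_session(b"source confirms: documents are in the second archive")
    print("recorded:", recorded)
    print("recovered:", decrypt_later(recorded))
```

The exponent BSGS returns may differ from the original one by a multiple of the order of G; it still yields the same shared secret, which is all the recorder needs. Quantum forward secrecy would require adding a post-quantum KEM share to the transcript, as the ML-KEM hybrids in TLS 1.3 do; the toy omits that because ML-KEM is not in the Python standard library.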
The third useful thing — the one I think will turn out to matter most — is a public conversation about who in our societies has the right to expect their past communications to remain past. Journalists' sources, lawyers' clients, dissidents in regimes that may someday become hostile, ordinary people whose personal lives are no one else's business. Cryptography has, for thirty years, been the technical implementation of that right. The right has not been argued for in those terms because it did not need to be; the cryptography was simply there. It is now beginning to be uncertain, and the argument is therefore necessary.
Some of the people who will most need this argument are not in a position to make it for themselves. That, I think, is why the rest of us should.
[^1]: NIST (2024); the relevant standards are FIPS 203 (ML-KEM, formerly Kyber), FIPS 204 (ML-DSA, formerly Dilithium) and FIPS 205 (SLH-DSA, formerly SPHINCS+).
[^2]: Shor (1994).
[^3]: Grover (1996).
[^4]: NIST (2024).
[^5]: Bennett & Brassard (1984).
[^6]: Nissenbaum (2010).
[^7]: Solove (2008), esp. the taxonomy in chs. 4–5.