Why “Good Enough” Encryption Is No Longer Good Enough
In boardrooms across the financial world, an unprecedented security challenge is looming. The rise of quantum computing promises tremendous breakthroughs, but it also threatens to break the cryptographic locks guarding our financial transactions. Today’s financial systems rely on encryption methods, like RSA and Elliptic Curve Cryptography (ECC), that could take classical computers millions of years to crack.
Modern quantum computers exploit quantum physics to achieve computing power far beyond classical machines. These devices use qubits (quantum bits) that can exist in multiple states simultaneously, allowing them to perform many calculations in parallel. Along with qubits, Quantum computers, leverage phenomena such as superposition and entanglement to solve certain problems astronomically faster.
Till 2023 it was believed that a quantum computer using Shor’s algorithm would need millions of qubits (quantum bits) to factorize a 2048 bit long integer, a principle used in RSA-2048 encryption method. A 2017 paper (https://arxiv.org/pdf/1706.06752) calculated quantum resource estimates of Shor’s algorithm:
All the experts agreed that the timeline to build such a quantum computer was a couple decades away.
In early 2023, an article “Factoring integers with sublinear resources on a superconducting quantum processor” presented a significant advancement in the field of quantum integer factorization, particularly for near-term quantum computers. The authors claimed to have successfully factorized the integers 1961 (11-bit), 48567227 (26-bit), and 261980999226229 (48-bit), with 3, 5 and 10 qubits in a superconducting quantum processor. Authors of the paper also estimated the quantum resources required to factor RSA-2048 – a quantum circuit with 372 physical qubits and a depth of thousands. The framework of the algorithm is illustrated below: (https://arxiv.org/pdf/2212.12372v1)
The algorithm leverages classical techniques (lattice reduction) to pre-process the problem and then uses a Quantum Approximate Optimization Algorithm (QAOA) to optimize the solutions. While the article created excitement it was also met with scepticism [Read paper: A comment on “Factoring integers with sublinear resources on a superconducting quantum processor” (https://arxiv.org/abs/2307.09651) where the authors found that quantum+classical version of Schnorr’s algorithm (Note this is not Shor’s algorithm) successfully factors integers up to 70 bits only].
Fast forward to May 2025, Google Quantum AI researchers showed that RSA-2048 could, in principle, be cracked in under a week with < 1 million noisy qubits, a 20-fold drop from previous estimates (Read The Quantum Insider and Phys.org). The headline splashed across tech media crystallises the coming “Q-Day” moment when today’s public-key systems fall to tomorrow’s quantum machines. Wired’s recent analysis frames it simply: “the race is on to upgrade before the countdown hits zero.” (WIRED) While the advent of quantum computing heralds transformative possibilities, it simultaneously poses significant threats to current cryptographic systems. This will accelerate the urgency and dates already published by NIST [6].
| “Organizations should continue to migrate their encryption systems to the standards NIST finalized in 2024. We are announcing the selection of HQC because we want to have a backup standard that is based on a different math approach than ML KEM.” Dustin Moody, NIST mathematician and project head |
For financial-services leaders, that race is now strategic, not academic. Payment credentials, cardholder data, and high-value transfer messages are already being harvested for decrypt-later attacks (HNDL: “Harvest Now, Decrypt Later” or SNDL: “Store Now, Decrypt Later”). This development underscores the urgency for financial institutions to transition to quantum-resistant cryptographic methods to safeguard sensitive data and maintain trust in digital transactions.
Embracing Quantum-Resistant Cryptography
Traditional encryption methods like RSA and ECC are vulnerable to quantum attacks. In response, the National Institute of Standards and Technology (NIST) has finalized standards containing the encryption algorithms’ computer code, instructions for how to implement them, and their intended uses (general encryption and digital signatures used for identity authentication). The four algorithms (CRYSTALS-Kyber, CRYSTALS-Dilithium, Sphincs+ and FALCON) and the three standards are codified below:
| Cryptographic task | Post-Quantum Cryptography (PQC) algorithm (Federal Information Processing Standard) |
| Key exchange / general encryption | CRYSTALS-Kyber renamed to ML-KEM, short for Module-Lattice-Based Key-Encapsulation Mechanism(FIPS 203) |
| Digital signatures | ML-DSA (Module-Lattice-Based Digital Signature Algorithm) / CRYSTALS-Dilithium (FIPS 204) |
| Alternate signatures | SLH-DSA (Stateless Hash-Based Digital Signature) / SPHINCS+ (FIPS 205) |
(NIST, NIST Computer Security Resource Centre)
Financial institutions are encouraged to adopt these standards proactively. The Financial Services Information Sharing and Analysis Centre (FS-ISAC) has released guidance to help mitigate risks associated with quantum computing, emphasizing the need to adopt crypto-agility – the ability to roll out new algorithms without rewriting entire systems and to begin dual-stack (hybrid classical + PQC) deployments in 2025 pilot cycles.(EY, FS-ISAC)
Industry Implementations and Initiatives
Several organizations have already begun integrating quantum-resistant technologies: (Security Magazine)
- Project Leap: A collaboration between the BIS Innovation Hub’s Eurosystem Centre, Bank of France and the Deutsche Bundesbank to test and transition towards quantum-resistant encryption over communication channels demonstrating practical applications in financial transactions. (Bank for International Settlements)
- Quantinuum’s Quantum Origin: This platform is the first software-based Quantum Random Number Generator (QRNG) to receive validation from the National Institute of Standards and Technology (NIST). This supports cybersecurity needs in environments where traditional QRNGs are impractical. (Quantum Insider)
- Signal’s PQXDH Protocol: The Signal messaging app has implemented the Post-Quantum Extended Diffie–Hellman (PQXDH) protocol, combining traditional and quantum-resistant algorithms to secure communications against future quantum threats. It ensures that even if long-term private keys are compromised in the future, past encrypted messages remain secure. (Signal)
- Toshiba’s Multiplexed QKD System and Quantum Key Management System has reference architecture and compliance artefacts for rapid proof-of-concept work. (Toshiba Asia Pacific)
While PQC fortifies algorithms, quantum key distribution (QKD) and quantum random-number generation (QRNG) provide hardware-anchored security for the most sensitive corridors.
A Roadmap for Cybersecurity Planning
Financial services could consider the following strategic actions to enhance cybersecurity in the quantum era (EY). The below illustrated plan is expanded from the original 4 steps listed in “Why Financial Services Should Pay Attention Now”.
- Quantum-Risk Inventory and Assessment
Create a heat-map of cryptographic assets across key applications and internal APIs. Prioritise those with ≥ 10-year data-sensitivity. - Build Crypto-Agility into Product Pipelines
Begin integrating NIST-recommended post-quantum algorithms into systems and services to future-proof encryption methods. Adopt abstraction layers (e.g., AWS KMS External Key Stores, OpenSSL 3 provider model) so algorithms can be swapped via config, not code rewrites. (Wikipedia) - Hybrid Roll-Out 2025–27
Implement hybrid models that combine classical and quantum-resistant algorithms, ensuring a layered security approach during the transition period. Offer Kyber/Dilithium options alongside RSA/ECC for APIs and ISO 20022 messaging. Early-adopter clients can gain brandable “quantum-ready” badges. - QKD Pilot for High-Value Settlement
Collaborate with client(s) to link your apps/data-centre via Quantum Key Distribution (QKD). - Governance & Talent
Establish a Quantum Security Council chaired by the CISO and engage with industry consortia and standardization bodies to stay abreast of developments in quantum cryptography. - Employee Training and Awareness: Educate staff on quantum computing risks and the importance of quantum-safe practices to foster a security-conscious culture.
- Client & Regulator Communication
Publish a “Quantum Transition Whitepaper” (at a fixed frequency), documenting algorithm migrations, residual risk, and future milestones.
Putting It All Together
Quantum computing is no longer a distant science-project. It is a board-level risk vector and a competitive differentiator.
- Institutions that postpone action face not only eventual data breaches but reputational loss for having ignored clear warning signs.
- Early movers, by contrast, can market “quantum-safe payments” as a premium feature, much as EMV chip cards and tokenisation once were.
By proactively adopting quantum-resistant cryptographic methods and engaging in industry collaborations, financial institutions like Fiserv can ensure the security and integrity of financial transactions in the quantum era. The quantum era will rewrite the rules of cybersecurity. The time to act is now, securing a future where trust in digital financial systems remains unshaken.
