Quantum computers won’t magically read every HTTPS session on Earth. But if you’re storing sensitive traffic today, you’re already making a bet about the next decade.
Great framing on the harvest now decrypt later threat. The per-session breakpoint for ECDHE is super important - people hear Shor and assume instant apocalypse. We started moving patient records to hybrid ML-KEM last quarter for exactly this reason. The asymmetric risk calc you laid out makes way more sense than waiting for consensus on timleines.
Love this, thank you — and huge respect for actually moving patient data to hybrid ML‑KEM instead of waiting for yet another “state of PQC” panel to converge on a date that still won’t be real.
You’re absolutely right that the per‑session nature of ECDHE is the underrated part of this story: it’s not “one Shor run, decrypt the planet,” it’s “very expensive door‑picking, prioritized for the traffic with real shelf life.”
I’m especially glad you called out timelines vs asymmetry. The whole point of the piece was: if your data needs 10–20 years of confidentiality, you’re already in the “harvest now, decrypt later” window, whether or not a CRQC shows up on any particular forecast slide.
If you’re ever up for it, I’d love to hear more about how you approached rollout on the clinical side (threat modeling, regulators, “don’t break the EMR” constraints, etc.) — that’s exactly the kind of boring-but-crucial migration story I think this space needs more of.
Great framing on the harvest now decrypt later threat. The per-session breakpoint for ECDHE is super important - people hear Shor and assume instant apocalypse. We started moving patient records to hybrid ML-KEM last quarter for exactly this reason. The asymmetric risk calc you laid out makes way more sense than waiting for consensus on timleines.
Love this, thank you — and huge respect for actually moving patient data to hybrid ML‑KEM instead of waiting for yet another “state of PQC” panel to converge on a date that still won’t be real.
You’re absolutely right that the per‑session nature of ECDHE is the underrated part of this story: it’s not “one Shor run, decrypt the planet,” it’s “very expensive door‑picking, prioritized for the traffic with real shelf life.”
I’m especially glad you called out timelines vs asymmetry. The whole point of the piece was: if your data needs 10–20 years of confidentiality, you’re already in the “harvest now, decrypt later” window, whether or not a CRQC shows up on any particular forecast slide.
If you’re ever up for it, I’d love to hear more about how you approached rollout on the clinical side (threat modeling, regulators, “don’t break the EMR” constraints, etc.) — that’s exactly the kind of boring-but-crucial migration story I think this space needs more of.