The Silent Threat: Store-Now-Decrypt-Later (SNDL)
While a cryptographically relevant quantum computer (CRQC) capable of breaking current RSA or Elliptic Curve Cryptography (ECC) is still years away, the threat to enterprise data is immediate.
State-sponsored groups are actively executing Store-Now-Decrypt-Later (SNDL) attacks. They intercept and archive encrypted enterprise traffic, API calls, and proprietary communication today, knowing they can decrypt it once quantum computing becomes commercially viable.
```
[Encrypted mTLS API Traffic (2026)]
        │
        ▼
[State-Sponsored Snooper] ───> [SNDL Encrypted Archives]
                                          │
        ┌─────────────────────────────────┘ (Years Later)
        ▼
[Cryptographically Relevant Quantum Computer]
        │
        ▼
[Decrypted Cleartext Secrets & Credentials]
```
To protect long-term secrets, organizations must immediately transition to Post-Quantum Cryptography (PQC) within their Zero-Trust architectures.
The NIST Standards: ML-KEM and ML-DSA
Following a multi-year evaluation process, NIST has finalized the primary algorithms for post-quantum key exchange and digital signatures. The two main algorithms securing modern Zero-Trust tunnels are:
- ML-KEM (formerly Kyber): A lattice-based Key Encapsulation Mechanism used to establish secure symmetric keys over public channels. It replaces Diffie-Hellman and ECDH.
- ML-DSA (formerly Dilithium): A lattice-based digital signature scheme used for identity validation and signing certificates. It replaces RSA and ECDSA.
```javascript
// Example: conceptual structure of the ML-KEM key encapsulation step in a PQC hybrid exchange
// (top-level await requires an ES module)
import { generateKeyPair, encapsulate, decapsulate } from 'pq-crypto-lib';

// 1. Server generates a lattice-based ML-KEM public/private key pair
const { publicKey, privateKey } = await generateKeyPair('ML-KEM-768');

// 2. Client encapsulates a shared secret using the server's ML-KEM public key
const { ciphertext, sharedSecretClient } = await encapsulate(publicKey);

// 3. Server decapsulates the ciphertext using its private key to derive the same secret
const sharedSecretServer = await decapsulate(ciphertext, privateKey);
// sharedSecretClient and sharedSecretServer now hold the same value
```
Implementing PQC in Zero-Trust Pipelines
Integrating PQC into a zero-trust model requires updating cryptographic policies across three major planes:
1. Hybrid mTLS (Mutual TLS) Tunnels
Lattice-based keys are computationally different from elliptic-curve keys. During the transition phase, enterprises should use hybrid mTLS: tunnels are established using both X25519 (classical ECC) and ML-KEM-768. If one algorithm is broken, the session remains secure under the other.
2. Post-Quantum API Gateways
API requests often transit over public CDNs and load balancers. Upgrading API gateway configurations to support TLS 1.3 with draft PQC groups ensures that captured payloads cannot be decrypted using SNDL methodologies.
3. High-Performance Token Signatures
Identity tokens (like JWTs or OAuth assertions) must be signed with quantum-resistant algorithms. Because ML-DSA signatures are significantly larger than ECDSA signatures (thousands of bytes vs 64 bytes), token caches and authorization header limits must be resized to prevent truncation.
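The check below is an added example, not code from the original article: it parses a TLS 1.3 ClientHello record and reports whether the client offers the X25519 + ML-KEM-768 hybrid group described above, so captured handshakes can confirm that hybrid key exchange is really in use. It assumes the IANA codepoint 0x11ec (X25519MLKEM768), whose client key share is 1216 bytes (a 1184-byte ML-KEM-768 encapsulation key plus a 32-byte X25519 key); the function names and the zero-filled sample record are constructed for illustration.

```javascript
// Added example, not from the original article. Group IDs are IANA TLS codepoints.
const X25519 = 0x001d, X25519MLKEM768 = 0x11ec;

// Walk a TLS extension list: type(2) | length(2) | data
function* extensions(buf) {
  for (let off = 0; off + 4 <= buf.length; ) {
    const type = buf.readUInt16BE(off), len = buf.readUInt16BE(off + 2);
    if (off + 4 + len > buf.length) throw new RangeError('truncated extension');
    yield { type, data: buf.subarray(off + 4, off + 4 + len) };
    off += 4 + len;
  }
}

// Report the groups and key-share sizes a ClientHello record offers.
function auditClientHello(rec) {
  if (rec[0] !== 0x16 || rec[5] !== 0x01) throw new TypeError('not a ClientHello');
  let off = 5 + 4 + 2 + 32;            // record hdr, handshake hdr, legacy_version, random
  off += 1 + rec[off];                 // legacy_session_id
  off += 2 + rec.readUInt16BE(off);    // cipher_suites
  off += 1 + rec[off];                 // legacy_compression_methods
  const exts = rec.subarray(off + 2, off + 2 + rec.readUInt16BE(off));
  const out = { bytes: rec.length, offered: [], keyShares: {} };
  for (const { type, data } of extensions(exts)) {
    if (type === 10) {                 // supported_groups: list length(2), then 2-byte IDs
      for (let i = 2; i + 2 <= data.length; i += 2) out.offered.push(data.readUInt16BE(i));
    } else if (type === 51) {          // key_share: entries of group(2) | length(2) | key
      for (let i = 2; i + 4 <= data.length; i += 4 + data.readUInt16BE(i + 2)) {
        out.keyShares[data.readUInt16BE(i)] = data.readUInt16BE(i + 2);
      }
    }
  }
  out.hybridOffered = out.offered.includes(X25519MLKEM768);
  out.hybridKeyShare = X25519MLKEM768 in out.keyShares;
  return out;
}

// Constructed sample (not a capture): minimal ClientHello with zero-filled key shares.
function sampleClientHello(shares) {   // shares: [[groupId, keyLength], ...]
  const u16 = (n) => Buffer.from([n >> 8, n & 0xff]);
  const vec = (b) => Buffer.concat([u16(b.length), b]);
  const ext = (type, body) => Buffer.concat([u16(type), vec(body)]);
  const groups = vec(Buffer.concat(shares.map(([g]) => u16(g))));
  const ks = vec(Buffer.concat(shares.map(([g, n]) => Buffer.concat([u16(g), vec(Buffer.alloc(n))]))));
  const body = Buffer.concat([u16(0x0303), Buffer.alloc(32), Buffer.from([0]), vec(u16(0x1301)),
    Buffer.from([1, 0]), vec(Buffer.concat([ext(10, groups), ext(51, ks)]))]);
  const hs = Buffer.concat([Buffer.from([1, 0]), u16(body.length), body]);
  return Buffer.concat([Buffer.from([0x16, 3, 1]), vec(hs)]);
}
console.log(auditClientHello(sampleClientHello([[X25519MLKEM768, 1216], [X25519, 32]])));
```

Even this stripped-down sample is 1324 bytes with only two extensions; the `bytes` field lets you compare real captures against the 1500-byte MTU discussed in the next section.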
Overcoming Performance Bottlenecks
Transitioning to post-quantum standards isn’t as simple as swapping a library. It introduces real engineering challenges:
- Network Packet Fragmentation: Larger keys mean handshake packets often exceed the standard Ethernet MTU (1500 bytes). This leads to IP fragmentation, which is blocked by many corporate firewalls. Configurations must be updated to handle larger handshake frames or utilize TCP fallback.
- CPU Overhead: Although ML-KEM is faster than RSA, it requires more RAM and CPU cycles than ECDSA. High-throughput gateways must scale compute horizontally to accommodate the increased cryptographic workload.
Action Plan
Do not wait for standard vendor upgrades. Perform an inventory of your organization’s data transit routes today. Identify data that must remain confidential for 5+ years (such as health records, government intelligence, and platform source code) and enforce hybrid ML-KEM tunnels for all communication channels handling this data. Zero-Trust is not zero-trust if it can be decrypted tomorrow.