
Post-Quantum Cryptography: What the Transition Means for Technology Disputes

How the shift to post-quantum cryptography affects technology litigation, from contractual obligations around encryption standards to assessing the reasonableness of an organisation's approach to cryptographic transition.

Cryptography, Quantum Computing, Cybersecurity, Expert Witness

Quantum computing has received substantial attention in recent years, much of it focused on the potential to break the cryptographic algorithms that underpin modern digital security. The prospect of a sufficiently powerful quantum computer rendering current encryption obsolete has prompted a global effort to develop and standardise replacement algorithms, known collectively as post-quantum cryptography (PQC).

For solicitors and counsel advising on technology matters, this transition has practical implications that extend beyond theoretical computer science. Contractual obligations around data security, regulatory expectations, and the standard of care applied to organisations handling sensitive information are all affected. As the transition progresses, disputes arising from the adequacy (or inadequacy) of cryptographic practices may become more frequent, depending on how the regulatory and technical landscape develops.

This article sets out the technical background in terms relevant to legal practitioners, and considers how post-quantum issues may arise in litigation.

What quantum computing actually threatens

The concern is specific. Current public-key cryptographic algorithms, including RSA and elliptic curve cryptography (ECC), derive their security from mathematical problems that are computationally infeasible for classical computers to solve within any practical timeframe. A sufficiently capable quantum computer, running an algorithm known as Shor’s algorithm, could solve these problems efficiently, rendering the encryption ineffective.

It is important to be precise about the scope of the threat. Not all cryptography is equally vulnerable:

  • Public-key encryption and key exchange (RSA, ECC, Diffie-Hellman): These are the primary targets. They are used to establish secure connections, exchange keys, and verify digital signatures. A cryptographically relevant quantum computer would compromise these algorithms.
  • Symmetric encryption (AES): Quantum computers offer a theoretical speedup against symmetric algorithms via Grover’s algorithm, but the practical impact is more limited. Doubling the key length (for example, moving from AES-128 to AES-256) is generally considered sufficient to maintain security against quantum attack.
  • Hash functions (SHA-256, SHA-3): Similarly, hash functions are affected by Grover’s algorithm but remain secure at current standard lengths for most applications.

The practical consequence is that the most urgent migration concerns public-key cryptography: the systems used for TLS/SSL connections, digital signatures, certificate authorities, VPNs, and secure messaging protocols. These are foundational to secure digital communication as it is commonly implemented.

The timeline question

There is no consensus on when a quantum computer capable of breaking current public-key cryptography will exist. Estimates from credible research institutions and government agencies vary considerably, and the timeline depends on engineering advances that are difficult to predict. The UK National Cyber Security Centre (NCSC) and the US National Institute of Standards and Technology (NIST) have both taken the position that organisations should begin preparing now, regardless of uncertainty about the precise timeline.

The reason for urgency despite uncertainty is the “harvest now, decrypt later” threat. An adversary can intercept and store encrypted communications today, with the intention of decrypting them once a sufficiently capable quantum computer becomes available. For data that must remain confidential over long periods (trade secrets, privileged legal communications, government intelligence, medical records, financial data) this is not a theoretical concern. The sensitivity of the data does not diminish simply because the means to decrypt it do not yet exist.

This threat model is particularly relevant to organisations with long-duration confidentiality obligations, whether arising from contract, regulation, or the nature of the information itself.

The NIST PQC standards

In 2024, NIST published its first set of post-quantum cryptographic standards, the culmination of an eight-year evaluation and selection process. The finalised standards include:

  • ML-KEM (based on the CRYSTALS-Kyber algorithm): A key encapsulation mechanism for establishing shared secrets over insecure channels, replacing the key exchange function currently performed by RSA and ECC.
  • ML-DSA (based on the CRYSTALS-Dilithium algorithm): A digital signature scheme for authentication and integrity verification.
  • SLH-DSA (based on the SPHINCS+ algorithm): A hash-based digital signature scheme offering a different security foundation from ML-DSA.

These standards are expected to form the basis for updated compliance requirements across regulated sectors. The NCSC has published guidance recommending that organisations begin planning their migration to PQC, with particular emphasis on identifying where public-key cryptography is used and assessing the sensitivity and longevity of the data it protects.
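The inventory exercise described above, combined with the algorithm categories and the "harvest now, decrypt later" threat set out earlier, can be expressed as a short triage routine. The following Python is an added example, not taken from the author or from NCSC or NIST material; the inventory entries, the `use` labels and the 10-year `horizon_years` threshold are assumptions made for illustration.

```python
import re

# Families as the article groups them; anything not listed falls through to "review".
PQC = ("ML-KEM", "ML-DSA", "SLH-DSA")  # NIST standards published in 2024
PUBLIC_KEY = ("RSA", "ECDSA", "ECDH", "ECC", "DH", "DIFFIE-HELLMAN")  # Shor's algorithm
HASHES = ("SHA-256", "SHA-384", "SHA-512", "SHA-3", "SHA3")  # Grover's algorithm only

def classify(algorithm):
    """Return (category, quantum_status) for one algorithm name."""
    name = algorithm.upper()
    if name.startswith(PQC):
        return "post-quantum", "ok"
    if name.startswith(PUBLIC_KEY):
        return "public-key", "vulnerable"
    aes = re.match(r"AES-?(\d+)", name)
    if aes:
        # Grover: doubling the key length (AES-128 -> AES-256) keeps the margin.
        # Assumption made here: any AES key under 256 bits is flagged.
        return "symmetric", ("ok" if int(aes.group(1)) >= 256 else "increase-key-length")
    if name.startswith(HASHES):
        return "hash", "ok"
    return "unknown", "review"

def triage(inventory, horizon_years=10):
    """Rank entries; horizon_years is an assumed threshold, not a figure from a standard."""
    findings = []
    for item in inventory:
        category, status = classify(item["algorithm"])
        # Harvest now, decrypt later needs captured ciphertext: a vulnerable algorithm
        # used for confidentiality, protecting data that must stay secret for years.
        hndl = (status == "vulnerable"
                and item["use"] in ("key-exchange", "encryption")
                and item["confidential_years"] >= horizon_years)
        priority = "urgent" if hndl else "plan" if status != "ok" else "none"
        findings.append({**item, "category": category, "status": status, "priority": priority})
    order = {"urgent": 0, "plan": 1, "none": 2}
    return sorted(findings, key=lambda f: order[f["priority"]])

# Constructed sample inventory (systems and figures are illustrative only).
INVENTORY = [
    {"system": "public website TLS", "algorithm": "ECDHE", "use": "key-exchange", "confidential_years": 1},
    {"system": "legal archive VPN", "algorithm": "RSA-2048", "use": "key-exchange", "confidential_years": 25},
    {"system": "backup encryption", "algorithm": "AES-128", "use": "encryption", "confidential_years": 25},
    {"system": "database at rest", "algorithm": "AES-256", "use": "encryption", "confidential_years": 25},
    {"system": "code signing", "algorithm": "ECDSA-P256", "use": "signature", "confidential_years": 0},
    {"system": "pilot gateway", "algorithm": "ML-KEM-768", "use": "key-exchange", "confidential_years": 25},
]

if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"{f['priority']:<7}{f['system']:<20}{f['algorithm']:<12}{f['status']}")
```

Names the routine does not recognise are reported as "review" rather than assumed safe, so the output also shows where the inventory itself needs further examination.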

For legal practitioners, the significance of these standards is that they establish a benchmark. Once PQC standards are published and migration guidance is available, the question of what constitutes “reasonable” cryptographic practice begins to shift. An organisation that continues to rely exclusively on algorithms known to be vulnerable, without a credible migration plan, may face increasing difficulty in demonstrating that its security measures were adequate, though this would depend on the specific contractual and regulatory context.

How PQC issues may arise in disputes

Several categories of dispute may involve post-quantum considerations:

Contractual obligations. Many technology contracts include obligations to maintain “industry standard” or “appropriate” security measures, or to comply with specific security frameworks. As PQC standards become established and migration timelines are set by regulators and industry bodies, the interpretation of these obligations will evolve. A party that has not begun migration planning may find it harder to argue that its security practices meet the contractual standard, particularly where the contract concerns data with a long confidentiality horizon.

Data protection and regulatory compliance. Data protection legislation in the UK (the UK GDPR and the Data Protection Act 2018) requires organisations to implement “appropriate technical and organisational measures” to protect personal data. The assessment of what is appropriate is context-dependent and evolves with the state of the art. As PQC migration becomes an expected part of information security practice, regulators may take the view that continued reliance on vulnerable algorithms, without mitigation, falls below the required standard, though this would depend on the circumstances and the regulatory guidance in force at the time. The timing and reasonableness of this expectation will depend on the sector, the sensitivity of the data, and the availability of practical migration paths.

Data breach litigation. Where a data breach involves the compromise of encrypted data, the adequacy of the encryption in use may be scrutinised. If an organisation was storing data encrypted with algorithms known to be quantum-vulnerable, and the data had a long confidentiality requirement, the question of whether the organisation should have adopted PQC (or at least hybrid approaches combining classical and post-quantum algorithms) may arise. This assessment would depend on the facts, including the date of the breach, the state of available standards and guidance at that time, and the nature of the data.

Supply chain and procurement disputes. Organisations procuring technology systems or services may impose PQC-readiness requirements on their suppliers. Disputes could arise where a supplier delivers a system that does not support PQC, or where migration obligations are ambiguous. The technical assessment in such cases would focus on what was specified, what was delivered, and whether the system can be upgraded to PQC without disproportionate cost or disruption.

Intellectual property and trade secrets. Where trade secrets or confidential information are alleged to have been compromised, the adequacy of the encryption protecting that information may be relevant. If the information was encrypted using algorithms that are quantum-vulnerable, and the threat of quantum decryption was foreseeable at the time, this could bear on questions of whether reasonable steps were taken to maintain confidentiality.

The expert’s role in PQC disputes

A technology expert instructed in a dispute involving post-quantum cryptographic issues will typically be asked to assess one or more of the following:

  • What cryptographic algorithms were in use, and whether they are vulnerable to quantum attack. This involves examining the specific implementations deployed by the organisation, not just the high-level protocol names.
  • Whether the organisation’s approach to PQC migration was reasonable in light of the standards, guidance, and threat intelligence available at the relevant time. This is necessarily a contextual assessment. What is reasonable for a large financial institution with a dedicated security team differs from what is reasonable for a small technology company.
  • Whether a hybrid approach was available and appropriate. Hybrid cryptography, which combines classical and post-quantum algorithms so that the system remains secure even if one of the two is compromised, is recommended by the NCSC as a transitional measure. Whether an organisation should have adopted a hybrid approach depends on the sensitivity of the data, the maturity of the available PQC implementations, and the cost and complexity of the change.
  • The technical feasibility of migration. Cryptographic algorithms are embedded deeply in software systems, hardware devices, network protocols, and certificate infrastructures. Migration is not a simple software update. The expert may be asked to assess whether the organisation’s migration timeline was realistic, whether the technical challenges were properly identified and addressed, and whether the approach taken was consistent with good engineering practice.

As with all expert evidence under CPR Part 35, the expert’s duty is to the court. The assessment must be objective, grounded in the technical evidence, and must acknowledge the uncertainties inherent in a field where the threat is evolving and best practice is still being established.

Practical guidance for solicitors

Post-quantum cryptography is an area where legal and technical considerations are closely intertwined. The following points may assist solicitors advising clients or handling disputes in this space:

  1. Understand what your client uses. Many organisations do not have a complete inventory of where public-key cryptography is deployed in their systems. A cryptographic audit, identifying the algorithms in use, the data they protect, and the systems that depend on them, is a necessary first step in assessing both litigation risk and migration readiness.

  2. Review contractual security obligations. Where contracts require “appropriate” or “industry standard” security, consider whether PQC migration is becoming part of that standard in the relevant sector. The answer may differ between financial services, healthcare, government, and general commercial contexts.

  3. Preserve cryptographic evidence. In disputes involving data security, the specific cryptographic configurations in use at the relevant time are material evidence. System configurations, certificate records, and security policies should be preserved, as they may be difficult to reconstruct after the fact.

  4. Instruct early on technical complexity. PQC is a technically dense area. Early engagement with a technology expert can help frame the issues, identify what evidence is available, and assess whether the technical aspects of the dispute are as straightforward (or as complex) as they initially appear.

  5. Be cautious about timeline claims. Both “quantum computers will never break encryption” and “quantum computers will break encryption imminently” are positions that lack adequate support. The honest answer is that the timeline is uncertain, which is precisely why standards bodies recommend acting now. An expert who acknowledges this uncertainty is more credible than one who claims certainty in either direction.

The transition to post-quantum cryptography is a significant undertaking for any organisation that handles sensitive data. In my experience, disputes in the technology sector can arise not from the existence of a new threat, but from the gap between what was known, what was done, and what should have been done. As PQC standards mature and migration expectations become clearer, that gap is likely to become a focus of scrutiny in technology litigation.

The views expressed in this article are solely those of the author and do not represent the views or opinions of any current or former employer.
