For organizations that rely on records and signatures that must remain valid for decades, this turned quantum risk into a concrete implementation deadline. The precise arrival date of cryptographically relevant quantum computers is uncertain, but the migration lead time is not, which is why standards bodies and agencies frame the work as a multi-year program that starts now.
Post-quantum cryptography is defined by NIST as public-key cryptography designed to remain secure even when an attacker has a large-scale quantum computer capable of breaking current schemes. Its explainer notes that deploying new algorithms can take 10 to 20 years across complex systems and highlights the threat of “harvest now, decrypt later.”
In this scenario, adversaries collect encrypted or signed data today and decrypt it, or forge around it, once quantum capabilities arrive. The risk is especially acute for long-lived secrets and authenticity claims, such as property titles and safety records.
For real-world assets, BIM and blockchain systems, the shared issue is longevity. Ownership chains, approvals, and transaction histories are expected to retain evidentiary value well into the 2030s and 2040s. This means that cryptographic failures in the future can undermine decisions made today.
That is why recent federal standards and guidance treat post-quantum migration as an immediate planning requirement rather than a problem to revisit once large quantum computers are visible.
Executive Summary
- NIST finalized three post-quantum standards in 2024 and urges early integration into systems.
- OMB M-23-02 and CISA guidance frame quantum risk as a long-term migration and inventory task through 2035.
- David Chaum’s foundational work in digital cash and anonymity underpins his warning that current blockchains are exposed to quantum attacks.
- Hash-based and lattice-based signatures, plus hybrid “sleeve” constructions, define the main technical paths toward quantum-safe signatures.
- RWA, BIM/AECO and blockchain teams need cryptography inventories, vendor clauses and governance rules that support post-quantum migration.
Standards and Federal Timelines Set the Pace
NIST’s August 2024 announcement turned three post-quantum algorithms into Federal Information Processing Standards (FIPS): U.S. government specifications for security-critical technology that often become the baseline for federal procurement and, by extension, the vendors and regulated environments that track federal requirements.
According to the 2024 news release from NIST, FIPS 203 standardizes ML-KEM, a key-encapsulation mechanism used to establish a shared secret key over an untrusted network; that shared secret then drives the “everyday” symmetric encryption and authentication used by real systems. FIPS 204 standardizes ML-DSA for digital signatures, and FIPS 205 standardizes SLH-DSA, a stateless hash-based digital signature (based on SPHINCS+) positioned as a conservative backup if lattice-based schemes face unexpected cryptanalytic advances.
In practical terms, ML-KEM is the kind of building block used to set up encrypted sessions (the step that lets protocols like TLS and VPNs agree on shared keys), while ML-DSA and SLH-DSA are signature tools relevant to software update signing and long-lived approvals on regulated records.
In the same release, NIST mathematician Dustin Moody stated that the standards include instructions for integrating the algorithms into products and encryption systems. He said, “We encourage system administrators to start integrating them into their systems immediately, because full integration will take time.”
The agency also indicated that a draft FIPS 206 standard based on the FALCON signature scheme, to be named FN-DSA, is planned as an additional backup. However, it stressed that there is no need to wait for future standards before beginning migration.
NIST’s public explainer on post-quantum cryptography notes that new cryptographic algorithms historically take a decade or more to propagate fully through software, hardware and services. It emphasizes that even if post-quantum algorithms are deployed before cryptographically relevant quantum computers exist, previously captured ciphertext remains at risk.
This risk, known as a “harvest now, decrypt later” attack, is a key reason systems need to start protecting data with post-quantum techniques as soon as possible.
The U.S. Office of Management and Budget’s Memorandum M-23-02, published in 2022, requires federal agencies to build and maintain inventories of cryptographic systems that are vulnerable to quantum attacks. The memo directs agencies to prioritize high-value assets and high-impact systems, provide annual updates through 2035, and plan funding and technical transitions toward post-quantum algorithms, according to the text released by the White House.
A joint factsheet from the Cybersecurity and Infrastructure Security Agency, the National Security Agency and NIST recommends that organizations create quantum-readiness roadmaps, conduct cryptographic inventories and engage vendors about migration plans for critical systems. CISA’s publication on migrating to post-quantum cryptography characterizes preparation as a multi-year program that must start with understanding where vulnerable algorithms are deployed, particularly in long-lived systems and protocols that protect sensitive data.
Although these federal documents are binding only on U.S. agencies, they are likely to influence procurement and assurance expectations in adjacent sectors. Contractors, cloud providers and software integrators that support government clients will need to show how their roadmaps align with these inventories and timelines.
For RWA, BIM and blockchain teams that interact with public-sector infrastructure or regulated industries, the effect is to convert post-quantum cryptography from a strategic curiosity into a compliance-relevant planning item.
Chaum’s Track Record and Quantum Warnings
David Chaum’s warnings about quantum risk to blockchains carry weight because they rest on decades of applied cryptography work. A 2019 profile by the Dutch research institute CWI describes him as one of the most important pioneers in encryption and argues that his research anticipated several ideas later used in blockchain and bitcoin-era systems.
The profile notes that he led the cryptography department at CWI in the second half of the 1980s and that peers already viewed him as a leading cryptographer.
Chaum introduced blind signatures for untraceable payments in work published in 1982. This construction allows a signer to approve a message without learning its contents and later informed designs for privacy-preserving digital cash. An online copy of his paper "Blind Signatures for Untraceable Payments" hosted by the University of Houston illustrates how the scheme can support anonymous payment tokens by decoupling identity from transaction authorization.
In parallel, the Dining Cryptographers protocol, documented in a classic reading on DC-nets from Carnegie Mellon University, established a framework for unconditional sender and recipient untraceability in group communications.
The CWI interview notes that in 1990, when the general public had little exposure to the internet, Chaum founded DigiCash, which provided financial institutions with a system for secure and anonymous digital micropayments. The same profile reports that he is called the "Godfather of Cryptocurrency" because these systems and protocols anticipated later blockchain-based currencies and privacy mechanisms.
His work helped establish that applied cryptography could support real-world payment systems rather than remaining a purely academic topic.
In an April 8, 2024 interview transcript hosted by PatCrypt, Chaum argued that governments are likely to have access to powerful quantum computers before other actors. He said that state operators might seek to "take down blockchains" and added that, in his view, there was at that time no blockchain he knew of that could withstand such an attack on consensus.
In the same discussion he described a second attack path in which a quantum-capable adversary could use exposed public keys to forge signatures and create false transfers, enabling theft of digital assets.
These concerns map directly onto RWA and BIM contexts, where owners, regulators and courts expect to verify signatures, approvals and chain-of-custody well beyond the lifespan of current hardware. If state-level actors can reconstruct private keys from public keys or otherwise subvert classical signature schemes, then titles, models and tokenized representations that depend on those schemes may lose their evidentiary value.
Chaum’s position links long-standing privacy and cash concerns to a broader question of whether digital infrastructures are designed to survive a shift in the underlying cryptographic threat model.
Technical Paths Toward Quantum-Safe Signatures
Post-quantum cryptography proposals fall broadly into two families that matter for signatures and key exchange: lattice-based schemes and hash-based schemes. Lattice-based algorithms rely on the difficulty of finding short vectors or solving related problems in high-dimensional integer lattices, problems that are believed to resist both classical and quantum attacks.
Hash-based schemes instead build security on one-way hash functions that have been studied for decades and are not known to be broken even by quantum algorithms, apart from generic speedups that can be addressed by enlarging output sizes.
NIST’s three finalized standards reflect this split. FIPS 203 and 204 standardize ML-KEM and ML-DSA, respectively, both of which are lattice-based and optimized for general encryption and digital signatures in a wide range of applications. FIPS 205 standardizes SLH-DSA, a stateless hash-based digital signature algorithm built on the SPHINCS+ design.
The NIST announcement explains that it is intended as a backup method using a different mathematical basis in case lattice-based assumptions face successful attacks.
Chaum and co-authors have proposed a "sleeve" construction that allows classical and post-quantum signatures to coexist at the wallet level. In this approach, a classical signature such as ECDSA is combined with a hash-based Winternitz One-Time Signature so that both are published when a transaction is signed.
A 2022 paper titled "WOTSwana: A Generalized Sleeve Construction for Multiple Proofs of Ownership," published by Springer, generalizes the technique so that a single public key can support multiple proofs through methods including linear concatenation and Merkle trees.
Research prototypes have explored how such constructions could provide long-term ownership proofs even if classical algorithms fail. For example, a blockchain might continue to use existing signatures for compatibility while also verifying hash-based sleeves attached to each transaction. This means auditors who distrust the classical layer can still check the hash-based evidence.
The WOTSwana work frames these designs as experimental contributions that aim to make wallet-level quantum migration possible without requiring an immediate and disruptive change to consensus rules.
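To make the wallet-level sleeve idea concrete, the following is an added example, not code from Chaum's papers or from the WOTSwana authors: a textbook Winternitz One-Time Signature over SHA-256 with w = 16, plus a verifier that treats the hash-based signature as mandatory and the classical one as optional, mirroring the auditor who distrusts the classical layer. The record layout and the pluggable `classical_verify` callable (where an ECDSA check would sit) are assumptions of this example, not part of the published construction.

```python
import hashlib
import secrets

N = 32             # SHA-256 output length in bytes
W = 16             # Winternitz parameter: one hash chain per base-16 digit
LEN1 = 2 * N       # 64 digest digits
LEN2 = 3           # checksum digits; max checksum 64 * 15 = 960 < 16**3
LEN = LEN1 + LEN2  # 67 chains in total

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def chain(x: bytes, steps: int) -> bytes:
    """Apply H `steps` times (textbook WOTS; WOTS+ adds keyed bitmasks)."""
    for _ in range(steps):
        x = H(x)
    return x

def digits_with_checksum(msg: bytes) -> list:
    """Base-16 digits of H(msg) plus a checksum that blocks digit-increase forgeries."""
    md = []
    for b in H(msg):
        md += [b >> 4, b & 0x0F]
    csum = sum(W - 1 - d for d in md)
    cs = [(csum >> (4 * i)) & 0x0F for i in reversed(range(LEN2))]
    return md + cs

def wots_keygen():
    sk = [secrets.token_bytes(N) for _ in range(LEN)]
    pk = [chain(s, W - 1) for s in sk]   # each pk element is the end of its chain
    return sk, pk

def wots_sign(sk, msg: bytes):
    # Each signature element is its chain walked forward by the digit value.
    # A WOTS key must sign exactly one message; reuse exposes chain interiors.
    return [chain(s, d) for s, d in zip(sk, digits_with_checksum(msg))]

def wots_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != LEN or len(pk) != LEN:
        return False
    d = digits_with_checksum(msg)
    # Walking the remaining W-1-d steps must land exactly on the public key.
    return all(chain(s, W - 1 - di) == p for s, di, p in zip(sig, d, pk))

def verify_sleeve(msg: bytes, record: dict, classical_verify, trust_classical=True) -> bool:
    """Both signatures travel with the transaction (assumed record layout). The
    hash-based one is always checked; the classical one only if still trusted."""
    hash_ok = wots_verify(record["wots_pk"], msg, record["wots_sig"])
    if not trust_classical:
        return hash_ok
    return hash_ok and classical_verify(msg, record["classical_sig"])
```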
Beyond wallet protocols, post-quantum migration depends on so-called crypto-agility, meaning the ability of systems to adopt new algorithms without major redesign. NIST’s post-quantum guidance encourages technology managers to inventory where public-key cryptography is used and to design systems so that new algorithms can be slotted in as standards mature.
Hardware security modules that can host both classical and post-quantum keys are one example of a building block that can support hybrid deployments during multi-year transition periods.
For organizations that do not operate blockchains but depend on them for anchoring data or recording tokenized assets, these technical paths are important primarily as signals about feasibility. The open literature now contains multiple ways to embed hash-based signatures, lattice-based schemes or hybrids into ledgers and wallets, but they remain early-stage and often carry performance and usability trade-offs.
The strategic challenge is timing: deciding when these tools are mature enough to include in procurement, standardization or protocol roadmaps for systems that must remain trustworthy for decades.
Operational Implications for RWA, BIM and Blockchain Teams
Real-world asset transactions depend on records that often outlast individual information systems. Deeds, mortgage documents and security interests are expected to remain enforceable for the life of a property, which can span many decades and multiple refinancing cycles.
If these records rely on classical public-key signatures that are later considered vulnerable, courts and counterparties may question whether they still provide strong evidence of authenticity and consent.
For legal teams handling RWA portfolios, a practical starting point is a cryptographic inventory focused on how documents are signed, stored and verified. That includes examining document-management systems, e-signature platforms and notary workflows to identify where algorithms such as RSA or elliptic-curve signatures are embedded.
Once those points are mapped, procurement teams can add clauses that require vendors to provide a transition path toward NIST-approved post-quantum algorithms or compatible hybrids as standards and products mature.
Building information modeling systems and AECO workflows carry similar long-lived authenticity requirements. BIM files can capture structural calculations, safety approvals and as-built changes for infrastructure expected to operate safely for half a century or more.
If those approvals and change records rely on signatures or secure channels that are later downgraded because of quantum attacks, the evidentiary status of archived models and logs may be weakened. This is a critical risk at exactly the time when operators and regulators need to rely on them.
Engineering teams responsible for BIM repositories can apply the same inventory logic that federal guidance recommends for agencies. They can identify which components use public-key cryptography, including server authentication, user access control and digital signatures on models or change orders.
From there, they can plan for crypto-agility by separating key storage from application code where possible, for example by using hardware modules or services that can be upgraded to support ML-DSA or SLH-DSA without rewriting modeling applications.
Blockchain protocol engineers confront both consensus-level and wallet-level migration questions. Chaum’s 2024 interview highlights a scenario in which a quantum-capable adversary could both subvert signature schemes used in consensus and exploit exposed public keys in user wallets to forge transfers.
Protocol designers exploring quantum-safe roadmaps therefore need to consider new signature schemes for validators, transitional mechanisms such as hash-based sleeves for wallets, and governance processes for activating these changes without fragmenting the network.
Business developers working on tokenized real-estate funds or other RWA structures need to connect these technical issues to legal and operational risk. If investor rights or asset ownership depend on entries in a blockchain that uses vulnerable signatures, then a quantum-era compromise could affect the integrity of the entire history of transfers, not just future ones.
That consideration may lead to representations in term sheets about support for NIST-standardized algorithms, or to contractual language that specifies how the system will respond if classical cryptography is downgraded during the life of the fund.
Conclusion: From Standards to Implementation
For cybersecurity teams supporting these sectors, post-quantum planning resembles other long-horizon risk programs but with distinctive technical details. They must track evolving standards, assess where public-key cryptography underpins critical processes, and coordinate with legal and business stakeholders.
The goal is to ensure migration is reflected in contracts and governance documents. The combination of NIST standards, OMB timelines, CISA guidance and expert warnings from figures like Chaum provides both a technical foundation and a clear indication that waiting for visible quantum hardware breakthroughs is not a safe option for long-lived records.
The immediate steps are relatively modest: build inventories of cryptographic dependencies, open conversations with vendors about post-quantum support, and document governance expectations for how and when algorithms will be switched. Over time, those inventories can inform more detailed decisions about which post-quantum schemes to adopt, how to phase out classical algorithms, and how to maintain interoperability across systems that upgrade at different speeds.
Without that groundwork, any future quantum-driven disruption would force rushed, fragmented responses that are more likely to introduce new vulnerabilities.
The longer horizon question is how these migrations will be evaluated when disputes arise. Courts, regulators and counterparties will likely ask whether organizations followed available guidance, planned around the known lead times for cryptographic change, and respected the federal standards and expert assessments that were already on the public record.
For RWA, BIM and blockchain professionals, aligning with those expectations is now part of maintaining the long-term authenticity that underpins their core business.
Sources
- National Institute of Standards and Technology. "NIST Releases First 3 Finalized Post-Quantum Encryption Standards." NIST.gov, 2024.
- National Institute of Standards and Technology. "What Is Post-Quantum Cryptography?" NIST.gov, 2024.
- Office of Management and Budget. "Memorandum M-23-02: Migrating to Post-Quantum Cryptography." The White House, 2022.
- Cybersecurity and Infrastructure Security Agency; National Security Agency; National Institute of Standards and Technology. "Quantum Readiness: Migration to Post-Quantum Cryptography." CISA, 2023.
- David Chaum. "David Chaum and Jim Dolbear Talk to Burak Kesmeci about the XX Network." PatCrypt, 2024.
- David Chaum. "Blind Signatures for Untraceable Payments." CRYPTO 1982 / University of Houston–Clear Lake (online copy), 1982.
- David Chaum. "The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability." Journal of Cryptology / Carnegie Mellon University (online copy), 1988.
- D. Chaum et al. "WOTSwana: A Generalized Sleeve Construction for Multiple Proofs of Ownership." Springer, 2022.
- "Interview David Chaum: 'Blockchain will decentralize power'." CWI, 2019.
Credits
Michael LeSane (editor)
