Quantum Computing and the Post-Quantum Cryptographic Transition

Executive Summary

The advent of cryptographically relevant quantum computers (CRQCs) poses a systemic threat to the public-key cryptographic infrastructure underpinning global finance, communications, and digital governance. While expert consensus places Q-Day — the point at which quantum computers can break RSA-2048 and ECC-256 in practical timeframes — between 2029 and 2035, the "harvest now, decrypt later" threat means that data encrypted today using vulnerable algorithms is already at risk. The National Institute of Standards and Technology (NIST) finalised its first post-quantum cryptographic (PQC) standards in August 2024, yet as of early 2026, fewer than 3% of global financial institutions have begun substantive migration to quantum-resistant algorithms.

This policy brief analyses the post-quantum cryptographic transition as a large-scale coordination game. The migration challenge is not primarily technical — viable PQC algorithms exist — but institutional. Financial systems, payment networks, certificate authorities, and identity frameworks form a deeply interconnected network in which unilateral migration by any single actor yields limited benefit unless counterparties migrate simultaneously. We estimate the global cost of coordinated PQC migration at $280–420 billion, with the cost of delayed migration potentially reaching $3.5 trillion in the event of a sudden cryptographic break. The analysis identifies critical coordination failures and proposes multilateral mechanisms to accelerate the transition.

The Quantum Threat Landscape: Timing and Severity

Quantum computing exploits quantum mechanical phenomena — superposition and entanglement — to perform certain computations exponentially faster than classical machines. Shor's algorithm, published in 1994, demonstrated that a sufficiently powerful quantum computer could factor large integers and compute discrete logarithms in polynomial time, rendering the mathematical foundations of RSA and elliptic curve cryptography obsolete.

The operative question is timing. The Global Risk Institute's annual quantum threat timeline survey of 40 leading quantum computing researchers shows a steady leftward shift in estimates: in 2023, 50% of respondents estimated a greater than 50% chance of CRQCs within 15 years; by 2025, the same threshold had shifted to within 10 years. IBM's quantum computing roadmap targets 100,000 qubit systems by 2033, and Google's Willow processor demonstrated below-threshold error correction in 2024 — a critical engineering milestone.

The "harvest now, decrypt later" (HNDL) attack vector means the effective threat window is already open. State-level actors are widely assessed to be intercepting and storing encrypted communications for future decryption. The BIS Quarterly Review (2025) estimates that approximately $7.8 trillion in long-dated financial instruments (sovereign bonds, derivatives, insurance contracts) currently rely on cryptographic protections that must remain secure for 10–30 years — well within plausible Q-Day horizons.

The Coordination Game: Why Individual Rationality Produces Collective Delay

The PQC migration can be modelled as a coordination game with N players (financial institutions, payment networks, certificate authorities, government systems) connected through a network of cryptographic dependencies. Each player i faces a binary choice: Migrate (invest in PQC implementation) or Wait (continue using classical cryptography).

The payoff structure exhibits strong complementarities. The value of migration to player i depends critically on the migration status of its counterparties: a bank that migrates to PQC gains limited security benefit if its payment network, correspondent banks, and certificate authorities continue using classical algorithms. Formally, the payoff to migration is: π_i(Migrate) = V · f(n_migrate/N) − C_i, where V is the full security value of quantum resistance, f is an increasing function reflecting network complementarities (with f(0) ≈ 0 and f(1) = 1), and C_i is the migration cost. When n_migrate/N is low, the net payoff to migration is negative — making Wait the individually rational choice even when universal migration is the socially optimal outcome.

This structure produces two stable Nash equilibria: one in which all players migrate (Pareto-optimal) and one in which none migrate (risk-dominant when Q-Day appears distant). The current state of the financial system — with widespread awareness of the quantum threat but minimal migration activity — is consistent with the inferior equilibrium.

Several factors reinforce the Wait equilibrium. Cost asymmetry: migration costs are front-loaded and certain, while breach costs are probabilistic and temporally distant. The World Economic Forum estimates average PQC migration costs at 0.5–1.2% of IT budgets annually for 3–5 years. First-mover disadvantage: early migrators bear higher costs due to immature tooling and potential algorithm revisions, while later movers benefit from improved implementations and established best practices. Discounting: standard corporate discount rates of 8–12% heavily devalue risks 5–10 years in the future.

Critical Interdependencies: The Web of Cryptographic Trust

The financial system's cryptographic infrastructure forms a complex dependency network. TLS certificates securing web communications depend on certificate authorities; SWIFT messaging depends on shared cryptographic protocols; central bank real-time gross settlement systems interoperate through standardised security frameworks; derivatives markets rely on digital signatures for contract execution.

Migration at any single layer requires compatible migration at adjacent layers. The Bank for International Settlements identifies 14 critical dependency chains in global financial infrastructure where all nodes must achieve PQC compatibility for any node to be fully protected. This cascading dependency transforms what might otherwise be parallel independent migrations into a sequentially constrained coordination problem requiring careful orchestration.

The SWIFT network illustrates the challenge. With over 11,000 member institutions across 200 countries, SWIFT's cryptographic upgrade requires coordinated action across institutions with vastly different IT capabilities, regulatory environments, and investment capacities. SWIFT's own PQC readiness assessment (2025) found that while 78% of Tier 1 banks had initiated PQC evaluation, only 12% of Tier 3 institutions had begun planning — creating a weakest-link vulnerability where the least-prepared institutions determine the security of the entire network.

Option Value and the Timing of Migration

From a real options perspective, each institution holds an "option to migrate" whose optimal exercise timing depends on the resolution of two uncertainties: (1) the arrival time of CRQCs and (2) the stability and performance of PQC standards. Exercising the option early forecloses the possibility of migrating to superior future algorithms at lower cost; exercising late risks being caught unprepared.

The option value of waiting is maximised when uncertainty is high and the cost of delay is low. However, the HNDL threat fundamentally alters this calculus: data encrypted today with classical algorithms is already being compromised if intercepted by adversaries with storage capacity and future quantum access. For long-dated financial instruments and state secrets, the cost of delay is not concentrated at Q-Day but accumulates from the present moment.

NIST's finalisation of ML-KEM (Kyber), ML-DSA (Dilithium), and SLH-DSA (SPHINCS+) as PQC standards significantly reduces algorithm uncertainty. The remaining uncertainty is primarily engineering-related: performance optimisation, hardware acceleration, and integration testing. This shifts the optimal timing toward earlier migration, particularly for institutions handling data with long secrecy requirements.

Lessons from Historical Infrastructure Transitions

The PQC migration bears structural similarities to previous large-scale infrastructure transitions, each offering lessons for coordination mechanism design. The Y2K remediation (1997–1999) demonstrated that credible deadline pressure and government coordination can mobilise rapid industry action — global Y2K spending exceeded $300 billion but prevented catastrophic system failures. The IPv4 to IPv6 transition provides a cautionary counterexample: without a hard deadline, the transition has taken over 25 years and remains incomplete, with IPv6 adoption at approximately 45% globally as of 2025. The EMV chip card migration (2004–2024) illustrates the role of liability shifts in overcoming coordination failures — Visa and Mastercard's fraud liability shift to non-compliant merchants provided individual incentives aligned with collective migration.

The key lesson: coordination problems of this scale require either credible deadlines, liability mechanisms, or both to overcome the natural tendency toward delay.

Policy Recommendations: Mechanisms for Coordinated Migration

Drawing on coordination game theory and historical precedents, we propose four complementary mechanisms to accelerate the PQC transition:

1. Regulatory Migration Mandates with Phased Timelines. Financial regulators should establish binding PQC migration deadlines for systemically important financial institutions (SIFIs), tiered by institutional size and systemic importance. The US National Security Memorandum 10 (2022) established federal agency migration timelines; equivalent mandates for the private financial sector would create credible commitment. We recommend: Tier 1 institutions by 2028, Tier 2 by 2030, Tier 3 by 2032.

2. Liability Shift Mechanisms. Following the EMV precedent, regulators and industry bodies should establish a liability shift date after which institutions using classical-only cryptography bear full liability for quantum-enabled breaches. This converts the positive externality of migration (network security) into a private cost of non-migration (liability exposure), aligning individual incentives with collective welfare.

3. Multilateral Technical Assistance Facility. A BIS- or World Bank-administered facility providing technical assistance and concessional financing for PQC migration in developing-economy financial systems. Without such support, the weakest-link vulnerability will persist: advanced-economy financial systems cannot be fully secured if their developing-economy counterparties remain on classical cryptography.

4. Crypto-Agility Standards. Rather than mandating specific PQC algorithms, regulators should require "crypto-agility" — the architectural capacity to switch cryptographic algorithms with minimal disruption. This addresses residual algorithm uncertainty while ensuring that institutions can respond rapidly if any specific PQC algorithm is found vulnerable.

Implications for GDEF's Technology & Transformation Working Group

The PQC transition represents perhaps the most consequential infrastructure coordination challenge of the coming decade. Its resolution will determine whether the quantum computing revolution enhances or undermines the security of global digital systems. GDEF's Technology & Transformation Working Group is uniquely positioned to convene the cross-sector, cross-border dialogue necessary for coordinated action, and will present detailed migration framework proposals at the 2026 Annual Summit.

References & Sources

1. NIST, Post-Quantum Cryptography: FIPS 203, 204, and 205. National Institute of Standards and Technology, August 2024. csrc.nist.gov/projects/post-quantum-cryptography
2. BIS, Quarterly Review: Quantum Computing and the Financial System. Bank for International Settlements, September 2025. bis.org/publ/qtrpdf
3. World Economic Forum, Quantum Security: Building a Quantum-Safe Economy. WEF Centre for Cybersecurity, 2025. weforum.org/publications
4. Global Risk Institute, Quantum Threat Timeline Report 2025. globalriskinstitute.org
5. Shor, P.W. (1994). "Algorithms for Quantum Computation: Discrete Logarithms and Factoring." Proceedings of the 35th Annual Symposium on Foundations of Computer Science, 124–134. doi.org/10.1109/SFCS.1994.365700
6. SWIFT, Post-Quantum Cryptography Readiness Assessment. Society for Worldwide Interbank Financial Telecommunication, 2025. swift.com
7. ETSI, Quantum-Safe Cryptography: Migration Strategies. European Telecommunications Standards Institute, Technical Report 103 619. etsi.org
8. White House, National Security Memorandum on Promoting United States Leadership in Quantum Computing. NSM-10, May 2022. whitehouse.gov
9. Cooper, R. (1999). Coordination Games: Complementarities and Macroeconomics. Cambridge University Press. doi.org/10.1017/CBO9780511609428