As Simple as Quantum Physics! The Future of Post-Quantum Cryptography in the Absence of a Comprehensive Federal Data Privacy Framework

Blog Post | 113 KY. L. J. ONLINE | April 10, 2025

By: Bridget Lienau, Staff Editor, Vol. 113 

Tax Day is looming and, like 78.6% of American taxpayers, perhaps you opted to file electronically.[1] While you were at it, maybe you checked some other items off the laundry list: requested refills on overdue prescriptions in your patient portal, reviewed the bank statement sitting in your email, or booked the flights you’ve been putting off. In the year 2025, data is currency, and for the convenience of participating in the digital market, most Americans are willing to pay. As a nascent form of technology known as the quantum computer develops—expected to make its debut by the year 2035[2]—the bubble of this data market is at risk of bursting seemingly overnight. To ensure robust protection of American data from the unprecedented capabilities of the quantum computer, the federal government must pair new cryptography[3] standards with comprehensive federal data privacy legislation.

Quantum computers are not merely a highly advanced successor to today’s computer—known as the classical computer—but rather are cut from a different code—er, cloth.[4] Classical computing employs binary code or “bits” to encode the information the computer stores in a serial processing mechanism.[5] This information is converted into a 0 or a 1, enabling the computer to run calculations, process, store, and express information.[6] The prowess of the quantum computer is instead in its use of the quantum bit, or qubit: particles which represent the smallest measurable units of the physical universe, such as atoms and photons.[7]

While the qubit can also employ binary coding, the hallmark of the technology is its ability to exist in superposition: that is, representing information as a 0, a 1, or any proportion of the two at the same time, with a certain probability of simultaneously being both a 0 and a 1.[8] Through a phenomenon known as entanglement, multiple qubits correlate together to create a single system despite a potentially infinite distance between the particles.[9] Setting aside the rather complex mathematics underlying quantum computing, the result is plain: by exploiting natural phenomena at the subatomic level, quantum computers can perform calculations and process information at rates which are, quite literally, millions of years faster than the classical computer.[10]

The future of quantum computing is promising in many regards. The technology is expected to generate billions in the financial sector by enhancing the speed and precision of existing tools such as Monte Carlo simulations,[11] drive research and dramatically accelerate the discovery of new drugs in the pharmaceutical industry,[12] and equip supply chain specialists with real-time adjustments to routes and forecasting to the benefit of entire fleets.[13]

As is the case in any classic sci-fi movie, the advent of quantum computing is tempered by a host of unsettling realities that cast a pall over the technology’s otherwise bright future. Most notable among these realities is the ability of the quantum computer to crack present encryption algorithms which protect confidential information communicated electronically between users.[14] Where these cryptographic algorithms have proven sufficient in the age of the classical computer—largely because the classical computer struggles to factor the products of the very large prime numbers used to encrypt said data—the quantum computer could decrypt what would take the classical computer billions of years to work through in mere hours.[15] Left in the wrong hands, the consequences would be harrowing.

Encryption safeguards highly sensitive medical and financial data for consumers, as well as coveted government and national security communications.[16] A risk to encryption is a risk to the livelihoods of persons across the globe and a risk of residual fallout in consumer confidence and industry reputations.[17] To keep pace with adversaries developing their own prototypes for the quantum computer and post-quantum cryptography,[18] the U.S. has developed several algorithm standards specifically designed to withstand quantum computing power by employing structured lattices and hash functions to encrypt data, as opposed to large prime numbers.[19] Known as Federal Information Processing Standards (FIPS) 203, 204, and 205, the standards include computer code, instructions for implementation, and intended uses which the U.S. National Institute of Standards and Technology (NIST) has urged industries to adopt.[20]

Where the U.S. government falls short, however, is in protecting American data which has already fallen into the wrong hands. In a strategic data collection tactic known as harvest now, decrypt later (HNDL), data thieves acquire masses of encrypted American data.[21] Though the data is useless in encrypted form, the eventual release of the quantum computer will allow it to be quickly decrypted and exploited to the benefit of the bad actor and the devastation of the party whose data has been stolen.[22] While the efforts of the government to protect future data from breaches through post-quantum cryptography standards are commendable, they are not compensatory.

Instead, the American government must enact legislation which accounts for the data currently being stolen in HNDL collections. A comprehensive federal data privacy framework would accomplish just this.[23] The viability of this response is evidenced by the European Union, which made effective the General Data Protection Regulation (GDPR) in 2018.[24] The framework enhances data privacy by requiring transparency and disclosure upon collection, ensuring consumer erasure rights, overseeing breach notifications,[25] and promoting data minimization practices.[26] While states like California have taken matters into their own hands by enacting legislation like the California Consumer Privacy Act (CCPA),[27] the matter remains too pressing to continue relying on privacy laws fragmented between sectors and states. Standardizing data privacy through federal legislation would harmonize compliance domestically and internationally for the protection of both consumers and the government.[28] The ten short years it will take for the post-quantum cryptography efforts to prove worthwhile are ten long years for cybercriminals and adversaries to continue collecting vulnerable encrypted data should the government not take a more aggressive approach concerning present practices.

In the face of HNDL collections, post-quantum cryptography is akin to locking the vault after the heist. The U.S. must prioritize adopting a comprehensive federal data privacy framework to unite American consumers, businesses, and government at all levels in minimizing the data which can be stolen and mitigating the harms of that which already has. Post-quantum cryptography may fortify our future systems, but only privacy law can shrink the market.

[1] Returns Filed, Taxes Collected and Refunds Issued, IRS (Mar. 21, 2025), https://www.irs.gov/statistics/returns-filed-taxes-collected-and-refunds-issued#:~:text=Highlights%20of%20the%20data&text=More%20than%20213.3%20million%20returns,78.6%20percent%20of%20all%20filings.

[2] Josh Schneider & Ian Smalley, What Is Quantum Computing?, IBM (Aug. 5, 2024), https://www.ibm.com/think/topics/quantum-computing#:~:text=What%20is%20a%20classical%20computer,either%20a%200%20or%201.

[3] Cryptography refers to the practice of coding information in such a way that it limits visibility of the message for only the intended sender and recipient, often using encryption and decryption algorithms. See NIST Releases First 3 Finalized Post-Quantum Encryption Standards, NIST (Aug. 13, 2024), https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards.

[4] See Christopher J. McKenna & Kamyar Masserat, Beyond the Binary: Legal Considerations in the Quantum Computing Era, Foley (Apr. 9, 2024), https://www.foley.com/insights/publications/2024/04/beyond-binary-legal-considerations-quantum-computing-era/.

[5] Schneider & Smalley, supra note 2.

[6] Id.

[7] Josh Schneider & Ian Smalley, What Is a Qubit?, IBM (Feb. 28, 2024), https://www.ibm.com/think/topics/qubit/; Quantum Computing Explained, NIST (Mar. 24, 2025), https://www.nist.gov/quantum-information-science/quantum-computing-explained.

[8] What Is a Qubit, Azure, https://azure.microsoft.com/en-us/resources/cloud-computing-dictionary/what-is-a-qubit (last visited Mar. 31, 2025).

[9] Id.

[10] See id. (noting qubits can perform a calculation that would take the classical computer millions of years within minutes).

[11] Martina Gschwendtner, Nicole Morgan & Henning Soller, Quantum Technology Use Cases as a Fuel for Value in Finance, McKinsey Digital (Oct. 23, 2023), https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/tech-forward/quantum-technology-use-cases-as-fuel-for-value-in-finance (predicting that use of the quantum computer by the finance industry could generate 622 billion dollars in value by the time it becomes available).

[12] Matthias Evers, Anna Heid & Ivan Ostojic, Pharma’s Digital Rx: Quantum Computing in Drug Research and Development, McKinsey & Co. (June 18, 2021), https://www.mckinsey.com/industries/life-sciences/our-insights/pharmas-digital-rx-quantum-computing-in-drug-research-and-development.

[13] See Ken Englund & Rajesh Rao, How Quantum Computing Can Help Untangle TMT Supply Chains, EY (Feb. 8, 2024), https://www.ey.com/en_us/insights/tech-sector/how-quantum-computing-can-untangle-tmt-supply-chains.

[14] What is Post-Quantum Cryptography?, NIST (Aug. 13, 2024), https://www.nist.gov/cybersecurity/what-post-quantum-cryptography.

[15] Id.

[16] Id.; Securing Data in the Post-quantum Age, PWC (Feb. 11, 2025), https://www.pwc.com/m1/en/publications/securing-data-in-the-post-quantum-age.html.

[17] See Zach Montague, Quantum Technology Could Compromise Our Encryption Systems. Can America Replace Them Before It’s Too Late?, NY Times (Oct. 22, 2023), https://www.nytimes.com/2023/10/22/us/politics/quantum-computing-encryption.html; Securing Data in the Post-quantum Age, supra note 16.

[18] In December 2024, Russia revealed a prototype for a 50-qubit quantum computer based on rubidium atoms in a $790 million government initiative. Matt Swayne, Russia Unveils Its 50-Qubit Rubidium Neutral Atom Prototype Quantum Computer, The Quantum Insider (Dec. 29, 2024), https://thequantuminsider.com/2024/12/29/russia-unveils-its-first-50-qubit-quantum-computer-prototype/. Similarly, China has announced its own 105-qubit prototype—the Zuchongzhi 3—in addition to a quantum computer dubbed the “Tianyan-504” which contains a 504-qubit chip, the “Xiaohong”. Matt Swayne, China Introduces 504-Qubit Superconducting Chip, The Quantum Insider (Dec. 6, 2024), https://thequantuminsider.com/2024/12/06/china-introduces-504-qubit-superconducting-chip/; Liu Danxu & Ge Shuyun, Superconducting quantum processor prototype operates 10¹⁵ times faster than fastest computer, PHYS.ORG (Mar. 3, 2025), https://phys.org/news/2025-03-superconducting-quantum-processor-prototype-faster.html.

[19] What is Post-Quantum Cryptography?, supra note 14.

[20] See NIST Releases First 3 Finalized Post-Quantum Encryption Standards, supra note 3.

[21] What is Post-Quantum Cryptography?, supra note 14.

[22] See id.

[23] Despite attempts by Congress to enact a comprehensive federal data privacy framework with bills such as the American Data Privacy and Protection Act (ADPPA), none have yet been successfully passed. Instead, the U.S. relies on patchwork state and sector-specific laws to govern. American Data Privacy and Protection Act, H.R. 8152, 117th Cong., https://www.congress.gov/bill/117th-congress/house-bill/8152/text#toc-H4B489C75371741CBAA5F38622BF082DE. See Data Protection in the United States, DLA Piper (Feb. 6, 2025), https://www.dlapiperdataprotection.com/?t=law&c=US.

[24] 2016 O.J. (L. 119) 1.

[25] Notably, data which is stolen but encrypted does not always amount to the level of a “breach” and therefore may not always warrant notification. This is true in legislative frameworks such as the EU’s. See Encryption, GDPR, https://gdpr-info.eu/issues/encryption/ (last visited Mar. 31, 2025). The U.S. may consider adopting a framework which accounts for the cause or severity of the underlying theft in lieu of creating a blanket notification exception for data which has been stolen but remains encrypted. Some scholars argue this approach can reduce under-reporting in data breaches. See Kelce S. Wilson, Some Privacy Practices May Result in Under-Reporting Breach Incidents, IAPP (May 2018), https://iapp.org/resources/article/some-privacy-practices-may-result-in-under-reporting-of-breach-incidents/. But cf. Phillip Harmon, Data Breach Notification Laws and the Quantum Decryption Problem, 79 Wash. & Lee L. Rev. 475, 485 (2022) (noting that legislators may be inclined to exempt encrypted data from breach notification requirements as they pollute the existing pool of breaches in need of urgent notifications while posing minimal threat themselves).

[26] 2016 O.J. (L. 119) 1; see also A Guide to GDPR Data Privacy Requirements, GDPR, https://gdpr.eu/data-privacy/ (last visited Mar. 31, 2025).

[27] Cal. Civ. Code §§ 1798.100–199 (West 2025).

[28] See Karen Schuler, Federal Data Privacy Regulation Is on the Way—That’s a Good Thing, IAPP (Jan. 22, 2021), https://iapp.org/news/a/federal-data-privacy-regulation-is-on-the-way-thats-a-good-thing.