Meta Unveils Post-Quantum Cryptography Migration Blueprint as ‘Store Now, Decrypt Later’ Attacks Accelerate

Meta Completes Multi-Year PQC Rollout, Issues Urgent Industry Call to Action

Meta today published a comprehensive framework for migrating to post-quantum cryptography (PQC), revealing that it has already deployed PQC across its internal infrastructure over a multi-year process. The company warns that the “store now, decrypt later” (SNDL) threat—where adversaries collect encrypted data today to decrypt it once quantum computers mature—could compromise sensitive information within 10 to 15 years.

“We are sharing these lessons to help other organizations strengthen their resilience as the entire industry transitions to post-quantum standards,” said a Meta spokesperson. “The complexity of PQC migration cannot be underestimated, and our goal is to provide practical guidance that accelerates the community’s journey toward a quantum-safe future.”

Background: The Quantum Threat and Industry Standards

Research indicates that quantum computers will eventually break conventional public‑key cryptography, rendering current encryption methods obsolete. Experts estimate this tipping point could arrive within 10–15 years, but sophisticated adversaries are already hoarding encrypted data—anticipating a time when quantum decryption becomes viable.

To counter this, the U.S. National Institute of Standards and Technology (NIST) and the UK’s National Cyber Security Centre (NCSC) have published migration guidelines targeting 2030 for priority systems. NIST has also finalized the first industry-wide PQC standards, including ML-KEM (Kyber) and ML-DSA (Dilithium), with additional algorithms like HQC on the way. Notably, Meta cryptographers are co-authors of HQC, reflecting the company’s commitment to advancing global cryptographic security.

What This Means: A Race Against Time for Every Organization

Meta’s framework introduces the concept of PQC Migration Levels to help organizations manage complexity across different use cases. The framework covers risk assessment, asset inventory, deployment strategies, and guardrails—all critical for an efficient, effective, and economical transition.

“Organizations must act now, not wait until quantum computers are operational,” the spokesperson emphasized. “The SNDL attack means your encrypted data may already be at risk. By adopting a proactive, tiered approach, companies can avoid scrambling at the last minute and protect their most sensitive information.”

Meta’s Approach: Proven at Scale

Meta’s migration began with a thorough inventory of cryptographic assets across its platforms, which serve billions of users daily. The company then prioritized high-risk services, deployed PQC protections incrementally, and established monitoring guardrails to ensure performance and security.

Key elements of Meta’s approach include:

• Risk assessment aligned with NIST and NCSC timeframes
• Asset inventory to identify every system using vulnerable cryptography
• Tiered deployment using PQC Migration Levels to match complexity
• Guardrails to prevent regressions and ensure continuous protection

“We have already seen positive results from our multi-year rollout,” the spokesperson noted. “Our internal infrastructure is now quantum‑resistant, but the real victory will be when the entire industry reaches the same level of readiness.”

Lessons for the Broader Community

Meta’s publication aims to help other organizations avoid common pitfalls, such as underestimating the scale of inventory work or failing to plan for algorithm transitions. The company stresses that early planning and phased execution are essential.

“The biggest takeaway is start now,” the spokesperson said. “Even if your organization is years away from deploying quantum-safe systems, you can begin by cataloging your cryptographic usage and aligning with emerging standards. The PQC Migration Levels provide a simple roadmap for doing just that.”

Next Steps: A Quantum‑Safe Future

Meta continues to collaborate with NIST, NCSC, and other industry groups to refine PQC standards and deployment practices. The company encourages all organizations—from small startups to global enterprises—to review the newly published guidance and begin their own migration journeys as soon as possible.

“Post‑quantum cryptography is not a future problem—it is a present imperative,” the spokesperson concluded. “The time to act is now.”

For more details, read the full framework on Meta’s Engineering Blog.