Meta's Guide to Post-Quantum Cryptography Migration: Key Questions and Answers
As the threat of quantum computers looms, organizations must transition to post-quantum cryptography (PQC) to protect sensitive data. Meta has been at the forefront of this effort, deploying quantum-safe encryption across its infrastructure. Below, we address critical questions about PQC migration based on Meta's hands-on experience, covering risks like “store now, decrypt later,” emerging standards, and practical migration strategies.
Why is post-quantum cryptography migration urgent today?
Quantum computers will eventually break current public-key encryption methods like RSA and ECC. While experts predict this capability within 10–15 years, attackers can already capture encrypted data today and decrypt it later once quantum machines become viable—a tactic known as “store now, decrypt later” (SNDL). This means any sensitive information transmitted today may be exposed in the future. Organizations must prioritize PQC migration now to protect long-lived secrets. NIST and the UK's NCSC have published timelines urging critical systems to adopt PQC by 2030. Meta's early migration across its internal infrastructure demonstrates proactive defense against this evolving threat.
What are the main PQC standards organizations should know?
NIST has finalized the first industry-wide PQC standards. ML-KEM (formerly Kyber) provides key encapsulation for secure key exchange, while ML-DSA (Dilithium) offers digital signatures. An additional algorithm, HQC (Hamming Quasi-Cyclic), has been selected as a backup; notably, Meta cryptographers contributed to its development, reflecting the company's commitment to global cryptographic security. These standards equip organizations with robust defenses against quantum-based attacks. Adopting them now helps future-proof systems and aligns with recommendations from cybersecurity authorities worldwide. Organizations should evaluate their cryptographic inventories and begin testing these algorithms in non-critical environments.
What is Meta's approach to PQC migration?
Meta treats PQC migration as a multi-year, structured process. The first step is risk assessment to identify systems most vulnerable to quantum threats. Next comes a thorough inventory of all cryptographic implementations, followed by deployment of PQC algorithms in phases. Meta also enforces guardrails—policy controls that ensure new implementations meet security standards. To manage complexity across diverse use cases, Meta has proposed “PQC Migration Levels,” a framework that helps teams prioritize and track progress. This systematic approach has allowed Meta to roll out post-quantum encryption across its internal infrastructure while maintaining performance and reliability for billions of users.
What are PQC Migration Levels and why do they matter?
PQC Migration Levels are a concept Meta introduced to help teams categorize and manage the complexity of transitioning to post-quantum cryptography. Each level corresponds to a degree of integration—from initial testing of PQC algorithms in isolated environments (Level 1) to full production deployment with monitoring and fallback (Level 5). This tiered structure allows organizations to tackle migration incrementally, reducing risk and resource strain. For example, high-risk systems handling sensitive data might target Level 5 first, while lower-risk services can progress more slowly. The framework also provides a common language for coordinating across departments, making it easier to track overall progress and allocate budgets effectively.
What key lessons did Meta learn during its PQC migration?
Meta's migration revealed several important takeaways. First, start early—even before standards are finalized, organizations can begin inventorying cryptographic assets and testing candidate algorithms. Second, automation is critical; manual audits of thousands of cryptographic endpoints are impractical, so tooling that continuously scans and validates PQC usage saves time and prevents errors. Third, performance impacts vary—some PQC algorithms like ML-KEM are efficient, while others may require larger key sizes or bandwidth. Meta found it essential to benchmark against real workloads. Finally, collaboration matters: sharing insights with the broader community (e.g., co-authorship of HQC) accelerates industry-wide adoption and helps standardize best practices.
How can other organizations get started with PQC migration?
Begin by conducting a cryptographic inventory to identify all systems using public-key cryptography. Then perform a risk assessment to prioritize high-value or long-lived data that could be vulnerable to SNDL attacks. Next, test PQC candidates in sandboxed environments, starting with NIST-standardized algorithms like ML-KEM and ML-DSA. Establish internal guardrails (e.g., policy that all new cryptographic deployments must support PQC). Finally, use a phased approach like Meta's PQC Migration Levels to roll out gradually, and don't forget to update monitoring and incident response plans to account for quantum-era threats. Engaging with industry groups and following NIST/NCSC guidance will also help align efforts with global timelines.