Even When You Expect it to Take Longer...
During the "PQ Crypto Panel" at the 2017 RSA Conference in San Francisco, the panelists were asked what should be done about the quantum computing threat to cryptography.
One of the panelists, Stanford University professor Dan Boneh, advised the audience to "do nothing, just wait for the NIST process." The process he is referring to is the U.S. National Institute of Standards and Technology (NIST) "Post-Quantum Cryptography" project, which is accepting candidate algorithms through November 2017 and expects to pick the "winning" algorithms about 5 years after that. Read more about the panel here.
If you're not familiar with the quantum computing threat, here's a quick synopsis. A new technology, quantum computers, is being developed by a number of large companies and universities. Once a sufficiently large one is operational, it will be able to break all of the public-key cryptography commonly used today (RSA, Diffie-Hellman and elliptic-curve schemes), because Shor's algorithm solves the factoring and discrete-logarithm problems those schemes depend on. This means that online shopping, code updates, encrypted email, etc. will all be unprotected. The consensus estimate is that such machines will be available in 9-10 years, but aggressive estimates are for as soon as 4-5 years.
Let's assume that NIST completes its work in 2023 and that quantum computers don't arrive until 2027. This gives the industry 4 years to switch over all of its crypto in time to stop the "Cryptopocalypse."
Migration time isn't the only element in the equation, though. Another panelist, Michele Mosca, CEO of EvolutionQ, explains that you have quantum risk when your security shelf life (x) plus your migration time (y) exceeds the time until attackers have access to quantum computers (z), that is, when x + y > z.
If your secrets only need to stay secret for a year or two, then Professor Boneh's "wait for NIST" advice will probably work for you. But if your migration time (y) is longer than 4 years and/or your secrets need to stay safe for several years (x), then you can't afford to wait: ciphertext captured and stored today can be decrypted once a quantum computer exists, so the shelf-life clock starts now, not when the machine arrives.
The other element in this is your appetite for risk. We are working with one financial organization that transmits billions of dollars a day over the internet and they can't wait for the risk to get any closer. Even a 20% chance of losing that money is too much to swallow, so they are working on migrating their crypto today.
So if x + y > z, or if your tolerance for uncertainty in z is low, then you can't "do nothing" and you can't afford to "wait for NIST."
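The inequality and the risk-appetite test above can be turned into a small planning model. The following is an added example, not code from the original post or from any panelist. It keeps the post's symbols (x = security shelf life, y = migration time, z = years until attackers have a quantum computer, all in years) and adds a probabilistic version of the test: instead of a single value for z, it takes a cumulative probability of quantum-computer arrival by year and computes the chance that secrets are exposed before they stop mattering. The arrival curve `ARRIVAL_CDF` is constructed for illustration only and is not a forecast; the 20% appetite and the 9-10 year consensus estimate are the figures quoted in the post.

```python
"""Mosca's inequality (x + y > z) as a small quantum-risk planning model.

Added example, not code from the original post. Symbols follow the post:
x = security shelf life, y = migration time, z = years until attackers
have a cryptographically relevant quantum computer (all in years).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class QuantumRisk:
    """Inputs to Mosca's inequality, in years."""
    x: float  # security shelf life: how long the data must stay secret
    y: float  # migration time: how long it takes to replace the crypto

    @property
    def horizon(self) -> float:
        """x + y: how far into the future today's secrets still need protection."""
        return self.x + self.y

    def slack(self, z: float) -> float:
        """Years to spare before the inequality bites; negative means already at risk."""
        return z - self.horizon

    def at_risk(self, z: float) -> bool:
        """Mosca's test: quantum risk exists when x + y > z."""
        return self.horizon > z


# Constructed cumulative probability that attackers have a cryptographically
# relevant quantum computer by year t (years from now). Assumption for
# illustration only, not a forecast from the post or from any panelist.
ARRIVAL_CDF = [(4, 0.05), (6, 0.20), (8, 0.45), (10, 0.70), (15, 0.95)]


def probability_exposed(risk: QuantumRisk, cdf=ARRIVAL_CDF) -> float:
    """P(z < x + y): chance the quantum computer arrives while secrets still matter.

    Linear interpolation between CDF points, 0 at year 0, flat after the last point.
    """
    t = risk.horizon
    prev_t, prev_p = 0.0, 0.0
    for year, p in cdf:
        if t <= year:
            return prev_p + (p - prev_p) * (t - prev_t) / (year - prev_t)
        prev_t, prev_p = year, p
    return prev_p


def must_act_now(risk: QuantumRisk, z_estimate: float, risk_appetite: float,
                 cdf=ARRIVAL_CDF) -> bool:
    """The post's decision rule: act if x + y > z for your point estimate of z,
    or if the probability of exposure exceeds what the organization will tolerate."""
    return risk.at_risk(z_estimate) or probability_exposed(risk, cdf) > risk_appetite


if __name__ == "__main__":
    z = 10  # the post's consensus estimate: 9-10 years
    scenarios = [
        ("short-lived session keys, quick migration", QuantumRisk(x=1, y=3)),
        ("7-year financial records, 5-year migration", QuantumRisk(x=7, y=5)),
        ("4-year records, 4-year migration", QuantumRisk(x=4, y=4)),
    ]
    for label, risk in scenarios:
        print(f"{label}: x+y={risk.horizon}, slack={risk.slack(z)} years, "
              f"P(exposed)={probability_exposed(risk):.2f}, "
              f"act now={must_act_now(risk, z, risk_appetite=0.20)}")
```

Note that the third scenario passes the plain inequality (x + y = 8 < 10) but still fails the 20% appetite test under the constructed arrival curve; that is the case the post's financial organization is in, where the point estimate of z is not what drives the decision.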