
Is it possible that YouTube and Netflix are investing more in the future of their content than the motion picture industry? The coming emergence of quantum computing presents a unique and massive threat to digital security. It is not a matter of if, but when. The damage it can inflict on media distribution is already being set in motion. But as technology giants race to address the problem, the motion picture industry risks being left behind.
Infrastructure companies including Apple, Google, and Microsoft have taken public steps towards post-quantum solutions across their platforms, and this will include the DRM utilized by the home entertainment industry. However, these are not the companies that provide the security infrastructure for motion picture exhibition. Digital cinema distribution and exhibition is built on a home-grown solution devised wholly within the motion picture industry, and for this reason, the post-quantum solution for cinema will also need to be home-grown. The solution is not simply a matter of flipping a switch at a later time. The time to take action is now.
Quantum computing is not a replacement for classical computing: it is a completely different tool unlike anything commonly available today. A simple analogy is to think of a librarian in search of a specific quote from a book. The classical librarian must search the entire library, shelf-by-shelf, book-by-book, to find the quote. The process is painfully slow. In contrast, the “quantum librarian” operates very differently, spreading out across all the shelves and pages like a mist, all at once. The quantum librarian quickly finds the quote.
How Cinema Security Works Today
The quantum challenge to digital security is the breaking of classical encryption algorithms. Encryption is a mathematical process whose security rests on the difficulty of reverse-engineering the math. The Digital Cinema Package (DCP) that arrives in a cinema carries multiple files that comprise a movie, each content file protected by AES symmetric encryption. These are very large collections of files, typically ranging in size from 100GB to as much as 500GB. Consequently, when a version of a movie is encrypted, it is encrypted once and the identical encrypted movie files are distributed to many locations in the form of a DCP.
While AES encryption is the lock on the movie itself, a different algorithm, RSA, is used to lock the AES content keys in a separate carrier. This carrier is called a Key Delivery Message, or KDM. Each KDM carries a uniquely encrypted set of AES keys directed to both a specific player and a DCP. The 2048‑bit RSA encryption is termed asymmetric encryption. The keys carried in the KDM can only be unlocked by the projector’s media block in the cinema to which it is directed, effectively locking the movie to that projector. This method of protecting motion picture content in the first release window has worked brilliantly for over 20 years.
It is the technology that underwrites the value of the first release window.
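The encrypt-once, wrap-per-player pattern described above, as an added example that is not part of the original article or of any DCI or SMPTE implementation. It assumes Python's `cryptography` package; AES-GCM, OAEP with SHA-256, and the names `make_kdm` and `play` are illustrative choices, and the real KDM message format is not reproduced.

```python
# Added illustration of the DCP/KDM envelope pattern; not DCI or SMPTE code.
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed parameters for this sketch (the article only specifies AES and 2048-bit RSA).
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def new_media_block_key():
    """Stand-in for the RSA key pair held inside one projector's media block."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def encrypt_package(movie: bytes):
    """Encrypt the content once; the same ciphertext ships to every cinema."""
    content_key = AESGCM.generate_key(bit_length=128)
    nonce = os.urandom(12)
    return content_key, nonce + AESGCM(content_key).encrypt(nonce, movie, None)


def make_kdm(content_key: bytes, media_block_public_key) -> bytes:
    """Wrap the content key for exactly one media block (hypothetical KDM stand-in)."""
    return media_block_public_key.encrypt(content_key, OAEP)


def play(package: bytes, kdm: bytes, media_block_private_key) -> bytes:
    """Unwrap the content key with the media block's private key, then decrypt."""
    content_key = media_block_private_key.decrypt(kdm, OAEP)
    return AESGCM(content_key).decrypt(package[:12], package[12:], None)


def demo():
    movie = b"constructed sample essence, standing in for a 100GB+ DCP"
    key, package = encrypt_package(movie)
    screen1, screen2 = new_media_block_key(), new_media_block_key()
    kdm1 = make_kdm(key, screen1.public_key())
    kdm2 = make_kdm(key, screen2.public_key())
    ok = play(package, kdm1, screen1) == movie and play(package, kdm2, screen2) == movie
    try:  # a KDM issued for screen 1 must be useless to screen 2
        play(package, kdm1, screen2)
    except ValueError:
        return ok, False, kdm1 != kdm2, len(kdm1)
    return ok, True, kdm1 != kdm2, len(kdm1)


if __name__ == "__main__":
    print(demo())
```

The only thing protecting the shared content key in transit and in storage is the single RSA operation in `make_kdm`, which is why the strength of that wrap, not of AES, determines how long an archived package stays confidential.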
Why Quantum Changes the Risk
But the security of today’s KDM will change when viable quantum computers emerge. Asymmetric encryption algorithms are at risk. Breaking the mathematics behind 2048-bit RSA encryption with classical computers is estimated to take hundreds of millions, if not billions, of years. It is this apparent invincibility in distribution that leads the industry to worry more about content theft in post-production and the capture of screen light on cameras. However, just as our mythical quantum librarian can find the right quote in an instant, it is estimated that a capable quantum computer will crack the RSA encryption of a KDM in a matter of days, if not hours. And if Gordon Moore’s law has any applicability to quantum computing, that time factor will rapidly shrink. In short, it is the very property that made KDMs feel unbreakable in the past that quantum computing now puts at risk.
“Harvest Now, Decrypt Later” Is Already Real
Such quantum computers will likely not exist for another 10 to 15 years. But it would be a mistake to think “we have time.” The threat posed is very much present today with the attack called “harvest now, decrypt later.” In cinema, this means copying the blockbuster DCP to a $100 portable SSD drive, along with at least one KDM that targets the movie. And then wait. Eventually, this most pristine version of the movie will be decrypted and in the hands of parties that will not benefit the motion picture industry.
“Harvest now, decrypt later” is taken very seriously by those who provide digital messaging services. Signal first implemented its post-quantum cryptography (PQC) solution in 2023. Apple introduced PQC Messages in 2024, and the latest iOS and macOS operating systems now carry PQC-compliant tools to enable the eventual transition to full PQC security. Microsoft has taken similar steps with its operating systems, which it first publicly outlined in 2025. Meta has begun its PQC transition for Facebook, Instagram, and WhatsApp. Google recently announced the ambitious goal of being fully PQC compliant by 2029. This will include YouTube. Google researchers have been actively publishing papers on both advancements in quantum computing and the threat posed by PQC non-compliance. (See the list of references at the end of this article.) Netflix recently announced the end of support for an estimated 90M devices as it incorporates upgrades that include DRM. Netflix does not specifically state PQC security as the reason for these cuts, but the direction is clear. For anyone looking for a canary in the coal mine, there is always Bitcoin, which has over $200B worth of coins with lost keys and whose underlying cryptography is even easier for quantum computers to attack than RSA.
What Cinema Must Do Next
The immediate challenge for the cinema industry is to commit to a process of migrating to a full PQC solution. A new equipment specification is needed that not only addresses PQC, but includes the manner in which the crossover from classical KDM to PQC KDM takes place. The solution needs to address the crossover period in distribution, and the performance of the crossover-capable equipment in the cinema. A test plan will be needed. The multiple independent manufacturers of DCI-compliant media blocks must be on board to perform the engineering needed to create these new products and/or upgrades to existing products. Manufacturers also will need to invest in new product assessments, both FIPS validation and DCI compliance testing, which impose significant cost. And importantly, exhibitors must sign up to pay for the new equipment and/or upgrades.
Why Exhibitors Should Care — And Pay
Why should exhibitors pay? For the transition from film distribution to digital distribution, the Hollywood studios stood up to subsidize the purchase of digital projection equipment because of the imbalance between what would be saved in distribution from the elimination of film prints and the investment required in new equipment by exhibitors. The agreement was to transfer much of the per-print savings toward the purchase of digital projection equipment through a subsidy mechanism called the Virtual Print Fee. To mimic the cost of a film print, the VPF subsidy was paid per booking. But that imbalance does not exist with a PQC solution. Just as investment will be needed in new exhibition equipment and/or secure firmware upgrades, investment will also be needed at the distribution head end. Importantly, the transition will deliver no net savings to any party.
The benefit of a PQC transition, and the reason exhibitors should embrace the cost on their end, is the preservation of the first release window. DCI security is the critical infrastructure that supports first release. For distributors, the very worst case is the loss of confidence in theatrical as a trusted first‑release platform. If PQC-capable Apple TV and Roku players in cinemas become a more secure platform than the current solution, it opens the door to day-and-date distribution for both cinema and home entertainment. That would be an effective path forward for distributors, but for exhibition this worst-case scenario would be catastrophic. It may seem impossible today — but will it be impossible ten years from now?
Technology Path
The technology itself deserves some words. NIST, the US government body upon whose work current-day digital cinema security is based, has now defined the PQC algorithm known as ML-KEM in FIPS 203. NIST’s efforts provide a trusted and consistent path for digital cinema to follow. This does not override the need for discussion within the industry as there are significant details to work out, such as a possible change from long-term to ephemeral key pairs in media blocks. While the technology and underlying workflow for PQC are substantially different, from a user standpoint, much should remain the same. A PQC KDM is possible, and as with the current KDM, it can safely travel untrusted channels, meaning that third-party services for managing KDMs in cinemas can continue to provide support. For exhibitors, that fact should provide the comfort needed to know that the PQC transition does not have to be disruptive to operations.
Now Is The Time
The transition to PQC will not happen overnight. It took approximately 12 years from the initiation of work on the DCI Digital Cinema System Specification, through the formalization of a test plan, to the design and testing of equipment, and finally the installation of DCI-compliant equipment in around 90% of global cinemas. Maybe cinema will meet NIST’s ultimate timeline of 2035 for US federal migration to PQC solutions. That’s only nine years from now. (This article was written in April 2026.) But it will take effort. The work to secure the rest of the media ecosystem has already begun. Cinema can either lead its own PQC transition—or watch other platforms set the standard for protecting high‑value content in the quantum era.
Further reading
The quantum era is coming. Are we ready to secure it? (Google 2026)
https://blog.google/innovation-and-ai/technology/safety-security/the-quantum-era-is-coming-are-we-ready-to-secure-it
Quantum frontiers may be closer than they appear (Google 2026)
https://blog.google/innovation-and-ai/technology/safety-security/cryptography-migration-timeline
Safeguarding cryptocurrency by disclosing quantum vulnerabilities responsibly (Google 2026)
https://research.google/blog/safeguarding-cryptocurrency-by-disclosing-quantum-vulnerabilities-responsibly
Quantum-secure cryptography in Apple operating systems (Apple 2026)
https://support.apple.com/guide/security/quantum-secure-cryptography-apple-devices-secc7c82e533
iMessage with PQ3: The new state of the art in quantum-secure messaging at scale (Apple 2024)
https://security.apple.com/blog/imessage-pq3
Post-Quantum Cryptography Migration at Meta: Framework, Lessons, and Takeaways (Meta 2026)
https://engineering.fb.com/2026/04/16/security/post-quantum-cryptography-migration-at-meta-framework-lessons-and-takeaways/
Post-quantum resilience: building secure foundations (Microsoft 2025)
https://blogs.microsoft.com/on-the-issues/2025/08/20/post-quantum-resilience-building-secure-foundations
Post-Quantum Cryptography APIs Now Generally Available on Microsoft Platforms (Microsoft 2025)
https://techcommunity.microsoft.com/blog/microsoft-security-blog/post-quantum-cryptography-apis-now-generally-available-on-microsoft-platforms/4469093
Netflix says goodbye to old TVs starting from 2026
https://www.linkedin.com/posts/enigma-security_netflix-technology-smarttv-activity-7434216806917038080-2jCP
About the author
Michael Karagosian began his career in the motion picture industry in 1979 with the movie “Apocalypse Now,” developing the stereo surround sound format, a precursor to 5.1 sound, for the 70mm release. In 2001 he organized and led the effort to define the Digital Cinema Package (DCP), now in use globally, first presenting this work at NAB 2002. In 2005 he helped drive the first public demonstration of digital 3D projection at the ShoWest trade show in Las Vegas, identifying it as a key value‑add element for the digital cinema rollout. Soon after, he led the standards effort for closed captions in cinema, work that was noted by the US Department of Justice in its 2016 Final Rule for the Americans with Disabilities Act. In direct relation to the rollout, he led Virtual Print Fee (VPF) negotiations with the (then) six major studios in eight countries, covering up to $300M in equipment. He has consulted to numerous companies in the digital cinema ecosystem and served as Technology Consultant to the National Association of Theatre Owners for 11 years during the development of the DCI specification and the rollout of digital cinema.