
Post-Quantum Cryptography: The Biggest Security Migration in Internet History Has Begun

The global transition from classical cryptography to post-quantum cryptography (PQC) has officially begun, and it’s the most significant security infrastructure migration since the adoption of HTTPS. In August 2024, the US National Institute of Standards and Technology (NIST) published the first three finalized post-quantum cryptographic standards: ML-KEM (based on CRYSTALS-Kyber) for key encapsulation, ML-DSA (based on CRYSTALS-Dilithium) for digital signatures, and SLH-DSA (based on SPHINCS+) for stateless hash-based signatures. Now, in 2026, the industry is translating those standards into deployed code — and the scale and urgency of the migration are becoming clear.

Why the Rush: Harvest Now, Decrypt Later

The urgency behind post-quantum cryptography isn’t that quantum computers can break current encryption today — they can’t. The most powerful quantum computer in 2026, IBM’s 10,000-qubit Starling processor, is still far from the estimated million-plus fault-tolerant qubits needed to run Shor’s algorithm at a scale that would break RSA-2048 or ECC-256 encryption. Most cryptographers estimate that cryptographically relevant quantum computers are 10-15 years away, possibly more.

The real threat is “harvest now, decrypt later.” Intelligence agencies and sophisticated adversaries are actively recording encrypted communications today with the intention of decrypting them once quantum computers become available. Diplomatic communications, military strategies, trade secrets, healthcare records, financial transactions — anything encrypted with RSA or elliptic curve cryptography that’s intercepted today could potentially be read in a decade. For data with long-term sensitivity (government secrets with 50-year classification periods, medical records with lifetime relevance, corporate intellectual property), the quantum threat is effectively present-tense.

The NSA has been explicit about this risk. In 2022, the agency directed all National Security Systems to transition to quantum-resistant algorithms by 2035, with planning required to begin immediately. CISA (the Cybersecurity and Infrastructure Security Agency) has issued similar guidance for critical infrastructure. The message from every major intelligence and security organization is consistent: the time to migrate is now, because cryptographic migrations at national and global scale take a decade or more to complete, and the window before quantum computers arrive may be as short as that.

The NIST Standards in Detail

ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) replaces the Diffie-Hellman and RSA key exchange mechanisms that underpin virtually all encrypted internet communication. When your browser establishes an HTTPS connection to a website, it currently uses one of these classical algorithms to securely exchange the encryption keys that protect the session. ML-KEM provides the same functionality using mathematical problems based on lattice structures that are believed to be resistant to both classical and quantum attack. Key sizes are larger (800-1568 bytes for ML-KEM versus 256 bytes for ECC), but performance is actually faster than classical algorithms for key generation and encapsulation.

ML-DSA (Module-Lattice-Based Digital Signature Algorithm) replaces RSA and ECDSA digital signatures used for authenticating software updates, signing documents, verifying website certificates, and countless other applications where you need to prove that data came from a specific source and hasn’t been tampered with. Signature sizes are considerably larger than classical equivalents (2420-4627 bytes for ML-DSA versus 64 bytes for Ed25519), which has implications for bandwidth-constrained applications like IoT devices and blockchain networks.

SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) provides a conservative backup to ML-DSA. While ML-DSA’s security rests on the assumed hardness of lattice problems (well studied, but a much younger line of research than the analysis of hash functions), SLH-DSA’s security derives from the well-understood properties of hash functions alone. The tradeoff is performance — SLH-DSA signatures are slower to generate and larger — but for applications requiring maximum confidence in long-term security, the conservative approach is worth the overhead.

Migration in Practice: The TLS Challenge

The most immediately impactful migration is in TLS (Transport Layer Security), the protocol that secures HTTPS web traffic, email, VPN connections, and most encrypted internet communication. TLS 1.3 — the current standard used by 99% of web traffic — must be updated to support post-quantum key exchange and authentication.

Google and Cloudflare have taken the lead on deployment. Google has been testing post-quantum key exchange in Chrome since 2023, using a hybrid approach that combines classical X25519 key exchange with ML-KEM-768. The hybrid approach ensures that even if the new post-quantum algorithm is eventually found to be vulnerable (an unlikely but nonzero risk with any new cryptographic standard), the classical algorithm provides a safety net. By early 2026, approximately 30% of all Chrome TLS connections use this hybrid post-quantum key exchange — the largest deployment of post-quantum cryptography in history.
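The hybrid exchange described here, and the ML-KEM generate/encapsulate/decapsulate flow from the standards section above, as an added example rather than code from Chrome, Cloudflare or this article: both sides of an X25519 + ML-KEM-768 key agreement using only Go's standard library (crypto/mlkem has been part of it since Go 1.24). The combiner label and the use of plain SHA-256 to mix the two secrets are this example's simplification; real TLS feeds the concatenated secrets into the TLS 1.3 key schedule instead.

```go
package main

import (
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"slices"
)

// must panics on the only failures possible here: no entropy or a malformed peer key.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Combine mixes both shared secrets, so an attacker has to break both X25519 and
// ML-KEM. TLS feeds the concatenation into its key schedule; SHA-256 stands in here.
func Combine(ecdhSecret, kemSecret []byte) []byte {
	sum := sha256.Sum256(slices.Concat([]byte("demo-x25519-mlkem768-v1"), ecdhSecret, kemSecret))
	return sum[:]
}

// HybridHandshake runs both sides of an X25519+ML-KEM-768 key exchange and
// returns the secret each side derived; the two must match.
func HybridHandshake() (clientKey, serverKey []byte) {
	// Client: two ephemeral key pairs; only the public halves go on the wire.
	cx := must(ecdh.X25519().GenerateKey(rand.Reader))
	cdk := must(mlkem.GenerateKey768())
	clientXPub, clientEK := cx.PublicKey().Bytes(), cdk.EncapsulationKey().Bytes() // 32 + 1184 bytes
	// Server: fresh X25519 key, then encapsulate to the client's ML-KEM key.
	sx := must(ecdh.X25519().GenerateKey(rand.Reader))
	ss1Server := must(sx.ECDH(must(ecdh.X25519().NewPublicKey(clientXPub))))
	ss2Server, ct := must(mlkem.NewEncapsulationKey768(clientEK)).Encapsulate() // ct: 1088 bytes
	serverXPub := sx.PublicKey().Bytes() // 32 bytes
	serverKey = Combine(ss1Server, ss2Server)
	// Client: ECDH with the server's key, then decapsulate. A corrupted ct does not
	// error; ML-KEM returns an unrelated key, so the two secrets simply differ.
	ss1Client := must(cx.ECDH(must(ecdh.X25519().NewPublicKey(serverXPub))))
	clientKey = Combine(ss1Client, must(cdk.Decapsulate(ct)))
	return
}

func main() {
	ck, sk := HybridHandshake()
	fmt.Println("client and server agree:", string(ck) == string(sk))
}
```

The byte counts in the comments are what make up the roughly 1-2 KB of extra handshake data mentioned in the article: the client share grows from 32 to 1216 bytes and the server share from 32 to 1120 bytes.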

Cloudflare activated hybrid post-quantum TLS on its CDN network in 2025, immediately protecting the millions of websites fronted by Cloudflare’s infrastructure. The performance impact was minimal: post-quantum TLS handshakes added approximately 0.5 milliseconds to connection setup time and 1-2KB of additional data per handshake. For most websites, this overhead is imperceptible. AWS, Microsoft Azure, and Google Cloud have all announced timelines for post-quantum TLS support on their platforms, with full availability expected by end of 2026.

The Software Supply Chain Migration

Beyond TLS, post-quantum cryptography touches every component of the software supply chain. Code signing certificates that verify the authenticity of software updates need quantum-resistant signatures. Package managers (npm, pip, Maven, NuGet) that verify package integrity through cryptographic digests need to support post-quantum algorithms. Certificate authorities that issue the TLS certificates underlying HTTPS must transition their root certificates to post-quantum signatures — a process complicated by the need for backward compatibility with older systems that don’t yet support the new algorithms.

SSH, the protocol used by developers and system administrators to securely access remote servers, already supports post-quantum key exchange in OpenSSH 9.0+ through the sntrup761 algorithm. S/MIME email encryption, VPN protocols (WireGuard has added post-quantum support through its pqWireGuard extension), and messaging apps (Signal added post-quantum key exchange in 2023) are at various stages of migration.

The long tail of migration will extend for years. Embedded systems with 10-20 year lifespans (industrial controllers, medical devices, automotive systems) that were deployed with classical-only cryptography cannot easily be updated. Some will need physical replacement. Legacy enterprise applications that use hardcoded cryptographic libraries may require significant rewriting. The migration is not a one-time event but an ongoing process that will consume substantial engineering resources across the entire technology industry for the remainder of this decade.

Enterprise Planning and Compliance

For enterprise IT leaders, post-quantum migration planning is becoming a compliance requirement rather than an optional security improvement. The US government’s OMB Memorandum M-23-02 requires federal agencies to inventory their cryptographic assets and develop migration plans by 2025 (a deadline most agencies met) and begin active migration by 2027. The financial services industry, through guidance from FINRA and the OCC, expects banks and brokerages to demonstrate post-quantum readiness in their cybersecurity examinations.

The first step in any enterprise PQC migration is a cryptographic inventory — identifying every system, application, and protocol that uses classical public-key cryptography. This turns out to be a surprisingly difficult task because cryptography is embedded at every layer of the technology stack: in TLS libraries, in database encryption, in backup systems, in VPN configurations, in API authentication, in code signing processes, in hardware security modules. Organizations that have never conducted a cryptographic inventory are discovering that they have thousands of touchpoints that eventually need to be addressed.

Vendors including IBM, Thales, Entrust, and DigiCert offer post-quantum readiness assessment tools and “crypto-agile” platforms that can support both classical and post-quantum algorithms simultaneously, easing the transition. These hybrid platforms allow organizations to upgrade systems incrementally rather than in a single disruptive switchover — a practical necessity given that full migration will take years even for well-resourced organizations.

Open Questions and Concerns

The post-quantum standards are new, and some cryptographers express caution about their long-term security. Unlike RSA and ECC, which have been studied for decades, the lattice-based problems underlying ML-KEM and ML-DSA have been the focus of intensive cryptanalysis for only about 10-15 years. While no practical attacks have been found, the possibility that a breakthrough in lattice cryptanalysis could undermine the new standards cannot be completely ruled out. This is precisely why NIST published three algorithms based on different mathematical foundations — if one is broken, alternatives exist.

Performance concerns, while manageable for most internet applications, are significant for constrained environments. IoT devices with limited memory and processing power may struggle with the larger key and signature sizes of post-quantum algorithms. Blockchain and cryptocurrency systems that rely on compact digital signatures face bandwidth challenges. Real-time communication protocols where every millisecond of latency matters require careful optimization. These edge cases will drive continued research into more efficient post-quantum algorithms and hardware acceleration.

The migration also highlights the importance of “crypto-agility” — designing systems that can switch cryptographic algorithms without major architectural changes. Organizations that hardcoded specific algorithms into their systems are paying the price now; organizations that abstracted cryptographic operations behind configurable interfaces can swap algorithms more easily. The lesson for future system design is clear: always build in the ability to change your cryptography, because the only certainty in cryptography is that today’s secure algorithms will eventually be broken.
