Post-quantum cryptography: what it means for you

NIST finalized the first quantum-resistant standards in 2024. Here's what's actually rolling out in browsers, messaging apps, and VPNs — and what 'harvest now, decrypt later' means for the data you sent yesterday.

By Lena Park · Cybersecurity Editor
Tags: post-quantum · encryption · nist · ml-kem · tls · cryptography
Quick answer

Post-quantum cryptography (PQC) is a new generation of public-key algorithms designed to resist attacks from future quantum computers. NIST finalized three core standards in 2024: ML-KEM for key exchange, and ML-DSA and SLH-DSA for digital signatures. Cloudflare, Google Chrome, Apple iMessage, and Signal already use PQC, in hybrid with classical algorithms, for key exchange today. As a consumer you don't need to do anything beyond keeping software updated, but you should care, because adversaries can record encrypted data now and decrypt it later, once quantum computers mature.

Key takeaways

  • NIST published the first three post-quantum cryptography standards in 2024: ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205).
  • 'Harvest now, decrypt later' is the real near-term threat model — adversaries store encrypted traffic today, planning to break it years from now.
  • Major browsers, messaging apps, and CDNs have already deployed hybrid post-quantum key exchange in production.
  • NIST's transition timeline (NIST IR 8547) deprecates quantum-vulnerable public-key algorithms (RSA, DH, ECDH, ECDSA and relatives) after 2030 and disallows them after 2035, with systems protecting long-lived data expected to move sooner.
  • Consumers don't need to install anything special — keep your browser, OS, and messaging apps updated and the migration happens automatically.

Why this matters now, not in 2035

A quantum computer powerful enough to break today's public-key cryptography does not yet exist. Estimates of when one will exist range from five years (optimistic) to twenty (sceptical). Either way, it's not imminent.

What is imminent is 'harvest now, decrypt later.' An adversary records and stores encrypted traffic today — the assumption being that in ten or fifteen years, when a sufficiently powerful quantum computer arrives, they decrypt the captured data retroactively. Anything sensitive with a long shelf life — medical records, intellectual property, identity documents, diplomatic cables — is a viable target now.

That's why the migration to post-quantum cryptography is happening today rather than in 2034: the goal is to make traffic captured today useless to a future quantum attacker. Note that the retroactive threat applies only to confidentiality. A signature verified today cannot be forged after the fact, so key exchange is being migrated first, and signatures (certificates, code signing) can follow on a slower schedule.

What NIST standardized

After an eight-year international competition involving cryptographers from 25 countries, NIST published three post-quantum standards in 2024:

ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism, FIPS 203) is the primary standard for establishing shared secret keys, the role Diffie–Hellman and ECDH play today. It is a key encapsulation mechanism rather than a Diffie–Hellman-style exchange: one party publishes an encapsulation key, the other uses it to produce a ciphertext plus a shared secret, and the first party decapsulates the ciphertext to recover the same secret. Based on the CRYSTALS-Kyber algorithm, it has fast operations and, at the commonly deployed ML-KEM-768 level, a 1,184-byte encapsulation key and a 1,088-byte ciphertext: far larger than X25519's 32 bytes, but small by post-quantum standards.

ML-DSA (Module-Lattice-Based Digital Signature Algorithm, FIPS 204) is the primary digital-signature standard, replacing RSA and ECDSA in many contexts. It is based on CRYSTALS-Dilithium. Its signatures are much larger than today's (about 2.4 KB at the ML-DSA-44 level, versus 64 bytes for Ed25519 or 256 bytes for RSA-2048), which is the main practical obstacle to putting it into certificates.

SLH-DSA (Stateless Hash-Based Digital Signature Algorithm, FIPS 205) is a backup signature scheme based on the SPHINCS+ design. It relies only on the security of hash functions, providing diversity in case future research finds weaknesses in the lattice-based approach, at the cost of signatures of roughly 8 to 50 KB depending on the parameter set.

NIST also evaluated further alternatives (HQC, BIKE) and in March 2025 selected HQC, a code-based KEM, for standardization as a backup to ML-KEM; the corresponding standard is still to come. A further signature algorithm, FN-DSA (based on Falcon), is planned as FIPS 206. The transition guidance, published as NIST IR 8547, deprecates quantum-vulnerable public-key algorithms after 2030 and disallows them in federal systems after 2035.

What's already deployed in 2026

You may already be using post-quantum cryptography without knowing it.

Cloudflare deployed a preliminary hybrid of X25519 and draft Kyber (X25519Kyber768Draft00, commonly called X25519Kyber) on its CDN in 2022 and moved to the finalized X25519MLKEM768 after FIPS 203 was published. By mid-2024, over 16% of human-generated traffic to Cloudflare was already protected by hybrid post-quantum key exchange.

Google Chrome supports hybrid post-quantum key agreement (X25519MLKEM768) for connections to compatible servers. It first shipped in Chrome 116 (2023) as an experiment using draft Kyber, was enabled by default in Chrome 124 (April 2024), and switched to the finalized ML-KEM in Chrome 131 (November 2024).

Apple deployed PQ3, a post-quantum messaging protocol that adds a Kyber key encapsulation to iMessage's key establishment and periodically refreshes the post-quantum key during a conversation, in March 2024 with iOS 17.4. Signal deployed PQXDH, which adds a Kyber encapsulation to its X3DH initial key agreement, in September 2023.

Apple, Google, and Microsoft have all integrated PQC into their OS-level and cloud services. Microsoft has added ML-KEM and ML-DSA to its SymCrypt library and is exposing them through Windows and Azure; AWS offers hybrid post-quantum TLS, via its s2n-tls library, for services such as KMS, ACM, and Secrets Manager rather than across every service; and OpenSSL 3.5 (April 2025) ships ML-KEM, ML-DSA, and SLH-DSA, with X25519MLKEM768 in its default TLS group list.

Post-quantum certificates (for HTTPS site identity) lag behind, for two reasons: authentication cannot be attacked retroactively (a signature verified today is not undermined by a quantum computer built later), so there is no harvest-now-decrypt-later pressure, and ML-DSA keys and signatures would add several kilobytes to every certificate chain. Cloudflare expects the first widely available post-quantum TLS certificates in 2026, but they will not be the default for some years.
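To see for yourself which key exchange a server negotiates, there are two quick checks. In Chrome, the DevTools Security panel describes the connection as, for example, "TLS 1.3, X25519MLKEM768, and AES_128_GCM", and Cloudflare's test page at https://pq.cloudflareresearch.com/ reports whether your browser's connection to it was post-quantum protected. From the command line, OpenSSL 3.5 or later can offer the hybrid group and print what was negotiated. The script below is an added example, not code from this article or from Cloudflare or OpenSSL: it drives openssl s_client and parses its "Negotiated TLS1.3 group:" line, and the two sample outputs embedded in it are constructed so the parser can be exercised offline.

```python
"""Tell whether a TLS 1.3 connection used a post-quantum (hybrid) key exchange.

Added example, not code from the article. It shells out to `openssl s_client`
(OpenSSL 3.5+ understands the X25519MLKEM768 group and prints a
"Negotiated TLS1.3 group:" line) and classifies the negotiated group.
"""
import re
import shutil
import subprocess

# Group names as registered for TLS / used by OpenSSL. The *Kyber*Draft00 names are
# the pre-FIPS hybrids Cloudflare and Chrome deployed in 2022-2024.
PQ_GROUPS = {
    "X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024",
    "MLKEM512", "MLKEM768", "MLKEM1024",
    "X25519Kyber768Draft00", "X25519Kyber512Draft00",
}

_NEGOTIATED_RE = re.compile(r"^Negotiated TLS1\.3 group:\s*(\S+)", re.MULTILINE)
# Fallback for builds that only print the "Server Temp Key:" line.
_TEMP_KEY_RE = re.compile(r"^Server Temp Key:\s*([A-Za-z0-9_]+)", re.MULTILINE)


def negotiated_group(s_client_output: str):
    """Extract the key-exchange group name from s_client output (None if absent)."""
    match = _NEGOTIATED_RE.search(s_client_output) or _TEMP_KEY_RE.search(s_client_output)
    return match.group(1) if match else None


def is_post_quantum(group: str) -> bool:
    """True for any group carrying an ML-KEM (or draft Kyber) component."""
    upper = group.upper()
    return group in PQ_GROUPS or "MLKEM" in upper or "KYBER" in upper


def classify(s_client_output: str):
    """Return (verdict, group): verdict is 'post-quantum', 'classical' or 'unknown'."""
    group = negotiated_group(s_client_output)
    if group is None:
        return ("unknown", None)
    return ("post-quantum" if is_post_quantum(group) else "classical", group)


def probe(host: str, port: int = 443, groups: str = "X25519MLKEM768:X25519"):
    """Connect with openssl s_client (network required) and classify the handshake.

    `groups` is offered in preference order; a server without ML-KEM falls back
    to plain X25519, which is exactly the case this check is meant to reveal.
    """
    openssl = shutil.which("openssl")
    if openssl is None:
        raise RuntimeError("openssl not found on PATH")
    cmd = [openssl, "s_client", "-connect", f"{host}:{port}", "-servername", host,
           "-tls1_3", "-groups", groups]
    result = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    return classify(result.stdout.decode("utf-8", errors="replace"))


# Constructed, abbreviated sample outputs (not real captures) for offline use.
SAMPLE_PQ = """---
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Protocol: TLSv1.3
Negotiated TLS1.3 group: X25519MLKEM768
"""

SAMPLE_CLASSICAL = """---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server Temp Key: X25519, 253 bits
"""

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "pq.cloudflareresearch.com"
    print(host, *probe(host))
```

An OpenSSL build older than 3.5 will reject the X25519MLKEM768 group name outright, which is itself a useful finding: the client side of your toolchain is not yet post-quantum capable.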

What it means for an everyday user

Practically, very little. The migration is happening below the application layer — you don't see it, and you don't need to install anything.

Keep your browser updated. Chrome, Edge, Safari, and Firefox all update PQC support through normal browser updates.

Keep your OS updated. Windows, macOS, iOS, and Android receive PQC support via OS updates.

Keep your messaging apps updated. iMessage and Signal already have post-quantum key agreement; WhatsApp's plans are less public.

When choosing a VPN provider, check whether they support post-quantum key exchange. As of 2026, most consumer VPNs do not, but the leading providers are starting to add it. Note that WireGuard's own handshake is X25519-only; providers that advertise post-quantum WireGuard typically derive the protocol's optional preshared key from a separate post-quantum exchange, which is a legitimate hybrid as long as that exchange actually happens on every connection.

What it means for a business

The harder work is on the enterprise side: identifying every place quantum-vulnerable cryptography is in use (TLS termination, code signing, document signing, VPN tunnels, hardware security modules, payment systems, IoT firmware) and planning a phased migration.

NIST's 2024 transition guidance (NIST IR 8547) recommends starting with an inventory: where in your stack are RSA, DH, and ECC used? Most organizations don't actually know.

Hybrid deployments, which combine a classical algorithm with a post-quantum one so that the derived key is secure as long as either component holds, are the recommended interim approach. They protect against classical attacks (in case the new algorithms, or their fresh implementations, turn out to have flaws) and against quantum attacks, at the cost of a larger handshake.
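What "combining" means in practice is simpler than it sounds. The block below is an added example, not the article's code and not a TLS implementation: it mirrors the shape of TLS 1.3's X25519MLKEM768, where the ML-KEM shared secret and the X25519 shared secret are concatenated and fed as one input to HKDF-Extract in the unchanged TLS 1.3 key schedule (RFC 8446 section 7.1). The two 32-byte secrets and the transcript hash are constructed placeholders; in a real handshake they come from an ML-KEM decapsulation, an X25519 scalar multiplication, and a hash of the handshake messages. The concatenation order follows the IETF draft for X25519MLKEM768 as this example reads it and is a convention, not a security property.

```python
"""How a hybrid key exchange turns two shared secrets into one key.

Added example, not the article's code and not a TLS implementation. It mirrors
the shape of TLS 1.3's X25519MLKEM768: ML-KEM secret || X25519 secret is the
IKM for HKDF-Extract in the normal TLS 1.3 key schedule (RFC 8446 s7.1).
Secrets and transcript hash below are constructed placeholders.
"""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) | info | i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """TLS 1.3 HKDF-Expand-Label with the HkdfLabel structure from RFC 8446."""
    full_label = b"tls13 " + label.encode("ascii")
    info = (length.to_bytes(2, "big")
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)


def hybrid_shared_secret(ss_mlkem: bytes, ss_x25519: bytes) -> bytes:
    """The combiner itself: plain concatenation, ML-KEM secret first.

    An attacker must know *both* halves to reproduce any key derived below, so
    breaking X25519 with a quantum computer, or finding a flaw in ML-KEM, is not
    enough on its own.
    """
    if len(ss_mlkem) != 32 or len(ss_x25519) != 32:
        raise ValueError("ML-KEM-768 and X25519 shared secrets are both 32 bytes")
    return ss_mlkem + ss_x25519


def handshake_secret(shared_secret: bytes) -> bytes:
    """TLS 1.3 key-schedule step that consumes the (hybrid) shared secret.

    Early Secret     = HKDF-Extract(salt=0, IKM=0)                       (no PSK)
    Handshake Secret = HKDF-Extract(salt=Derive-Secret(Early, "derived", ""), IKM=shared)
    """
    early_secret = hkdf_extract(b"\x00" * HASH_LEN, b"\x00" * HASH_LEN)
    derived = hkdf_expand_label(early_secret, "derived", HASH(b"").digest(), HASH_LEN)
    return hkdf_extract(derived, shared_secret)


def client_handshake_key(shared_secret: bytes, transcript_hash: bytes) -> bytes:
    """Client handshake traffic key (16 bytes for AES-128-GCM) from the shared secret."""
    secret = hkdf_expand_label(handshake_secret(shared_secret), "c hs traffic",
                               transcript_hash, HASH_LEN)
    return hkdf_expand_label(secret, "key", b"", 16)


# Constructed placeholders: what both sides hold after a successful exchange.
SS_MLKEM = bytes.fromhex("a1" * 32)    # would come from ML-KEM Encaps/Decaps
SS_X25519 = bytes.fromhex("b2" * 32)   # would come from X25519(sk, peer_pk)
TRANSCRIPT = HASH(b"ClientHello||ServerHello (constructed)").digest()


def demo():
    """Genuine key vs. what an attacker holding only one half can derive."""
    genuine = client_handshake_key(hybrid_shared_secret(SS_MLKEM, SS_X25519), TRANSCRIPT)
    # Quantum attacker: recovered the X25519 half, must guess the ML-KEM half.
    quantum_guess = client_handshake_key(hybrid_shared_secret(bytes(32), SS_X25519), TRANSCRIPT)
    # Classical attacker exploiting a hypothetical ML-KEM flaw, but not X25519.
    classical_guess = client_handshake_key(hybrid_shared_secret(SS_MLKEM, bytes(32)), TRANSCRIPT)
    return genuine, quantum_guess, classical_guess


if __name__ == "__main__":
    g, q, c = demo()
    print("genuine key       ", g.hex())
    print("x25519-only guess ", q.hex(), "(no match)" if q != g else "(MATCH)")
    print("ml-kem-only guess ", c.hex(), "(no match)" if c != g else "(MATCH)")
```

Because the post-quantum secret only enters through the key derivation, a server that already speaks TLS 1.3 needs no new key schedule to become hybrid, only a new named group; that is why the rollout could happen so quickly.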

Critical infrastructure, financial services, and any sector with long-shelf-life data should already be in pilot or production. Most others can plan migration over the next 3–5 years.
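The inventory and the "should already be in pilot" judgement above can be made mechanical. The block below is an added example, not the article's or NIST's code: it classifies each inventory entry by whether its public-key algorithms fall to Shor's algorithm, then applies Mosca's inequality (if the data's shelf life x plus the migration time y exceeds the years z until a cryptographically relevant quantum computer, data protected today is already exposed) to rank what must move now. The inventory rows are constructed, and the horizons used in the demo are the article's 5-to-20-year range, not forecasts.

```python
"""Triage a cryptographic inventory for post-quantum migration.

Added example, not the article's or NIST's code. Classifies each asset as
quantum-vulnerable or not and applies Mosca's inequality (x + y > z) to key
exchange. Inventory rows are constructed; horizons are not forecasts.
"""
from dataclasses import dataclass

# Public-key families broken by Shor's algorithm.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDHE", "X25519", "ECDSA", "Ed25519"}
# NIST post-quantum standards and their TLS hybrid names.
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA", "HQC", "X25519MLKEM768"}
# Symmetric primitives: Grover at most halves the effective key length.
SYMMETRIC = {"AES-128", "AES-256", "ChaCha20", "SHA-256", "SHA-384", "HMAC-SHA256"}


@dataclass(frozen=True)
class Asset:
    name: str
    purpose: str             # "key-exchange", "signature" or "symmetric"
    algorithms: tuple        # several entries for a hybrid, e.g. ("X25519", "ML-KEM")
    shelf_life_years: float  # x: how long the protected data must stay secret
    migration_years: float   # y: realistic time to replace this component


def quantum_status(asset: Asset) -> str:
    """'pq', 'hybrid', 'symmetric', 'vulnerable' or 'unknown' for one asset."""
    algs = set(asset.algorithms)
    if algs & POST_QUANTUM:
        return "hybrid" if algs & QUANTUM_VULNERABLE else "pq"
    if algs & QUANTUM_VULNERABLE:
        return "vulnerable"
    if algs and algs <= SYMMETRIC:
        return "symmetric"
    return "unknown"


def mosca_margin(asset: Asset, crqc_years: float) -> float:
    """z - (x + y). Negative means harvested ciphertext outlives the migration."""
    return crqc_years - (asset.shelf_life_years + asset.migration_years)


def priority(asset: Asset, crqc_years: float) -> str:
    """'now', 'plan' or 'ok'.

    Only confidentiality can be attacked retroactively, so Mosca's inequality is
    applied to key exchange. A vulnerable signature cannot be forged from old
    traffic, but the signing key (and everything that verifies it, e.g. firmware
    in the field) must be replaced before a CRQC exists, so its migration time is
    compared with the horizon directly.
    """
    status = quantum_status(asset)
    if status in ("pq", "hybrid", "symmetric"):
        return "ok"
    if status == "unknown":
        return "now"  # an unidentified algorithm is itself an inventory gap
    if asset.purpose == "key-exchange":
        return "now" if mosca_margin(asset, crqc_years) < 0 else "plan"
    return "now" if asset.migration_years >= crqc_years else "plan"


_RANK = {"now": 0, "plan": 1, "ok": 2}


def triage(inventory, crqc_years: float):
    """Return [(name, status, priority)] sorted most urgent first."""
    rows = [(a.name, quantum_status(a), priority(a, crqc_years)) for a in inventory]
    return sorted(rows, key=lambda r: (_RANK[r[2]], r[0]))


# Constructed inventory, in the spirit of the list above (TLS, VPN, signing, HSM...).
INVENTORY = [
    Asset("public website TLS (CDN)",    "key-exchange", ("X25519", "ML-KEM"),  1, 0),
    Asset("site-to-site VPN (IKEv2)",    "key-exchange", ("ECDH",),            15, 3),
    Asset("internal mTLS between APIs",  "key-exchange", ("ECDHE",),            2, 2),
    Asset("backup transfer (SFTP)",      "key-exchange", ("RSA",),             25, 5),
    Asset("code signing",                "signature",    ("RSA",),              0, 4),
    Asset("IoT firmware signing",        "signature",    ("ECDSA",),            0, 12),
    Asset("database encryption at rest", "symmetric",    ("AES-256",),         25, 0),
    Asset("legacy HSM (vendor unknown)", "key-exchange", ("proprietary",),      5, 3),
]

if __name__ == "__main__":
    for horizon in (20, 10, 5):
        print(f"\nCRQC horizon: {horizon} years")
        for name, status, prio in triage(INVENTORY, horizon):
            print(f"  {prio:<4} {status:<10} {name}")
```

Running it with the three horizons shows the point of the article's timeline: at a 20-year horizon only the 25-year backup data and the unidentified HSM are urgent, at 10 years the site-to-site VPN and the 12-year IoT signing key join them, and the CDN's hybrid TLS stays "ok" throughout.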

What it does not mean

Post-quantum cryptography does not protect data already breached. If your data was stolen in plaintext, no encryption upgrade helps.

It does not protect against weak passwords, phishing, or compromised devices. Those threats don't need a quantum computer.

It does not 'replace' all classical cryptography immediately. Symmetric algorithms like AES are not significantly weakened by quantum computers: Grover's algorithm at best halves their effective key length, so AES-256 keeps 128-bit security, and even that theoretical halving is far harder to realise in practice than the bound suggests. Hash functions like SHA-256 likewise keep enough margin. The migration is targeted at public-key algorithms: key exchange and digital signatures.

It does not require you to abandon current tools. Your VPN still works. Your password manager still works. The cryptography underneath is being upgraded incrementally.

Frequently asked questions

Do I need a quantum-safe VPN today?

Not urgently. If you have especially sensitive long-lived data (legal, medical, business secrets), prefer a VPN provider that supports post-quantum key exchange — NordVPN, Mullvad, and ExpressVPN have all announced PQC support timelines. For everyday browsing, current VPNs are sufficient.

When will quantum computers actually break encryption?

Estimates vary. A 'cryptographically relevant' quantum computer — one capable of breaking 2048-bit RSA — is generally estimated at 5 to 20 years away. The migration to post-quantum cryptography is happening now to stay ahead of harvest-now-decrypt-later attacks.

Is my Wi-Fi password quantum-safe?

WPA3 protects the data channel with symmetric cryptography, which is largely quantum-resistant (AES-128's effective security drops to 64-bit-equivalent against an idealised quantum attacker, AES-256's to 128-bit-equivalent, still secure). WPA3-Personal's SAE handshake, however, is built on elliptic-curve (or finite-field) Diffie–Hellman, so a recorded handshake could in principle be broken by a future quantum computer to recover that session's keys. That is not the urgent concern for a home network: the attacker would have to be within radio range to record the handshake in the first place.

Will my Bitcoin be safe?

Bitcoin uses ECDSA (and, since Taproot, Schnorr) signatures over the secp256k1 curve, which a sufficiently powerful quantum computer could break. The exposure is uneven: coins at addresses whose public key is already visible on the chain (reused addresses, and Taproot outputs, which publish the key directly) could be stolen outright, whereas pay-to-public-key-hash outputs reveal the key only when spent. Proposals for a post-quantum migration exist, but adopting one requires a network-wide upgrade. If you hold cryptocurrency long-term, this is a real consideration.

Should I be using a quantum-safe messenger?

Use Signal or iMessage. Both already have post-quantum key exchange. WhatsApp's status is less clear publicly. SMS is not encrypted at all, quantum-safe or otherwise.

Lena Park · Cybersecurity Editor

Lena leads Sentrly's editorial review and fact-checks every published guide against vendor documentation.
