Currently, there’s nothing that can unravel the public key encryption that underpins the modern Internet. But that might soon change. So, using “yet” may not be the best approach here. Right now, adversaries don’t actually need quantum computers; they just need to be patient. By collecting encrypted traffic and saving it, they can await advancements in technology to decrypt it later. This strategy—”harvest now, decrypt later”—isn’t merely hypothetical; it’s likely already in practice. Consequently, any communication that needs to remain confidential for over a decade stands as a vulnerability today. The real threat looms in the future, and organized initiatives are kicking off now, though most entities are dragging their feet.
The transition to post-quantum cryptography is a complex narrative. Its main actors are those working within standards organizations, but the most notable aspect is perhaps how uneventful it all appears. Imagine a world where, unknown to most, the mathematics that facilitate everyday interactions—from how browsers communicate to app synchronization—has been subtly revised, much like how bridge cables are replaced without halting traffic. People, oblivious, listen to the radio while contemplating dinner.
Engineers who manage to nail this task rarely receive accolades. This is the hidden infrastructure; you only notice it when something goes wrong.
In August 2024, the National Institute of Standards and Technology released its first significant post-quantum cryptography standard, outlining a gradual phase-out of algorithms vulnerable to quantum attacks by 2035, with earlier transitions for high-priority systems. The UK National Cyber Security Center set targets for 2028 to complete discovery and planning, 2031 for initial shifts in crucial systems, and a full transition by 2035. The NSA has also mandated that the national security system tighten up, with new implementations slated for 2027 and a complete phase-out by 2030. While the bureaucratic groundwork is set, the actual migration of systems is still a work in progress.
There are frequent comparisons to the Y2K scenario within the technological community. This analogy usually emerges to illustrate the urgency or complexity of a looming threat that hasn’t yet crystallized. Yet, the essence lies in its structure. Even though Y2K required significant mobilization, its success was only evident in the absence of calamity. If it was effective, nothing transpired, and no public acknowledgment was needed.
The shift toward post-quantum standards follows a similar pattern. It’s all about preventative measures woven into infrastructure rather than flashy technologies. Engineers who get it right won’t be celebrated; they will simply avoid blame.
Attention to Detail
One critical aspect in cryptography is size. Newer algorithms tend to require more space than their predecessors. For instance, ML-KEM-768 demands a 1,184-byte public key and 1,088 bytes for ciphertext during key exchanges. In contrast, SLH-DSA for digital signatures requires a minimum signature of 7,856 bytes, whereas classical elliptic curve signatures generally clock in under 100 bytes. These size variations complicate handshake processes, certificate behaviors, hardware security module designs, logging, and storage considerations. Unlike previous cryptographic updates, post-quantum cryptography necessitates protocol redesign.
Meta’s internal rollout of TLS corresponds to a field report following migration. They opted for a hybrid setup combining classical elliptic curve exchange with the post-quantum ML-KEM variant, opting for a more secure 768-parameter version but reverting to a smaller 512-parameter version in certain internal scenarios due to packet size and latency issues. They noted about a 40% increase in CPU cycles during initial deployment and encountered a threading issue in their cryptographic library during a larger scale rollout. This illustrates the real challenges of migration—finding the right balance between latency, compatibility, and troubleshooting in a working environment.
This transition is likely to benefit organizations already aware of where their encryption resides. Meta’s migration framework outlines steps from “PQ-Unaware” to “PQ-Enabled,” emphasizing that a solid understanding of a cryptographic inventory is crucial for advancement. Without knowledge of which systems use RSA or where certificates are stored, migration remains a dream. This change rewards institutions that behave more like proactive maintainers of infrastructure as opposed to passive consumers. NIST has termed this capability “crypto agility,” reflecting an organization’s awareness of potential future threats.
Lack of Clarity or Consensus
Cloudflare reported that over 60% of human-generated TLS traffic is already secured with hybrid ML-KEM. Apple has begun deploying quantum-secure TLS in iMessage by default with iOS 17.4. Similarly, Signal has introduced a sparse post-quantum mechanism to ensure continuous security throughout conversations. Their public statements stress that user experience will remain unchanged.
This encapsulates the overarching approach to the transition. The best encryption integrates complexity so seamlessly into protocol design that everyday users don’t need to grasp it. True security thrives when it blends into the background. The trust we seek arrives quietly, negotiated through intangible agreements when no one is paying attention.
The European Union Cybersecurity Agency, ENISA, noted in a 2025 study that the post-quantum adoption rate in the aerospace sector remains stagnant at about 2%. While technical standards are being set, many institutions still need to adapt to meet those standards. The end goal is clear, but the path ahead is still under construction. Somewhere in a concealed data center, encrypted traffic is being gathered for a future that data collectors can’t fully comprehend.
