May 5, 2026
5 minute read

The Quiet Race to Rewrite the Internet’s Locks: A Primer on Post-Quantum Cryptography

A complete breakdown of where post-quantum cryptography stands today and what it means for your organization.

Every time you tap “Pay,” send a message on Signal, or log into your bank, an invisible layer of math keeps prying eyes out. That math has held up beautifully for decades. But it has an expiration date. In 2026, the people designing its replacement are no longer working ahead. They’re racing to catch up. 

Welcome to the world of post-quantum cryptography (PQC).

Today’s Cryptography, in 30 Seconds

The internet’s security runs overwhelmingly on elliptic-curve cryptography (ECC). TLS 1.3, the protocol behind every HTTPS connection, uses curves like X25519 and NIST P-256 for key exchange and ECDSA (or, for a large share of public web certificates, still RSA) for signatures, paired with symmetric ciphers like AES-256-GCM or ChaCha20-Poly1305 for the actual encryption; Ed25519 fills the signing role in SSH rather than in browser certificates. RSA lingers in certificate chains and legacy systems, but the key exchange in live traffic flowing through Chrome, Safari, Signal, and every major CDN is ECC.

The security of all these schemes rests on math problems that classical computers cannot solve in any reasonable time. Breaking a 256-bit elliptic curve with the best classical attack (Pollard’s rho) takes about 2¹²⁸ group operations, roughly 3 × 10³⁸: far beyond any computation a classical attacker could finish with the time and energy available.

For decades, that was enough.

The Quantum Threat: Why the Clock Is Ticking

In 1994, Peter Shor proved that a sufficiently powerful quantum computer could break all widely deployed public-key cryptography — both integer factorization (RSA) and discrete logarithms (ECC, Diffie–Hellman) — in polynomial time. That is not just shaving a few seconds off. It is catastrophically faster.

Shor’s algorithm reduces both factoring and discrete-log to a period-finding problem: find the period r of f(x) = aˣ mod N. A quantum computer evaluates f on a superposition of all inputs x and applies the Quantum Fourier Transform to extract r, in roughly O((log N)³) gate operations, which is polynomial in the key size, where the best classical algorithms are sub-exponential (factoring) or fully exponential (elliptic-curve discrete log). The remaining steps, turning r into a factor or a discrete log, are classical and cheap.

The result: one algorithm, one machine, every public-key system in production today — broken.
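To make the reduction concrete, here is an added example (not from the article) that factors small numbers by exactly the route Shor’s algorithm takes, except that the period of f(x) = aˣ mod N is found by brute force where the quantum circuit would use the QFT. It shows why “bigger keys” only lengthen the classical part: everything except find_period is cheap classical arithmetic, and find_period is the only step whose cost the quantum computer collapses.

```python
"""Factoring via period-finding: the reduction Shor's algorithm relies on.

Added example, not from the article. The period r of f(x) = a^x mod N is
found here by brute force, which is the one step a quantum computer does with
the Quantum Fourier Transform. Everything else (reduction from factoring to
period-finding, and the post-processing) is classical, exactly as in Shor.
"""
from math import gcd
import random


def find_period(a: int, n: int) -> int:
    """Smallest r >= 1 with a^r = 1 (mod n), for gcd(a, n) = 1.
    Brute force: exponential in the bit length of n. This is the part the
    quantum circuit replaces with a polynomial-time QFT-based search."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_period(a: int, r: int, n: int):
    """Classical post-processing: if r is even and y = a^(r/2) != -1 (mod n),
    then y^2 = 1 (mod n) with y != +-1, so gcd(y -+ 1, n) is a proper factor."""
    if r % 2:
        return None                      # odd period: pick another a
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None                      # trivial square root of 1: retry
    p = gcd(y - 1, n)
    q = gcd(y + 1, n)
    if 1 < p < n:
        return p, n // p
    if 1 < q < n:
        return q, n // q
    return None


def shor_factor(n: int, rng=None):
    """Factor an odd composite n that is not a prime power (Shor's setting).
    Returns the two factors as a sorted tuple."""
    rng = rng or random.Random(1)        # fixed seed so runs are reproducible
    while True:
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g != 1:
            return tuple(sorted((g, n // g)))   # lucky: a shares a factor with n
        r = find_period(a, n)
        fac = factor_from_period(a, r, n)
        if fac:
            return tuple(sorted(fac))


if __name__ == "__main__":
    print(find_period(7, 15))   # 4: 7^4 = 2401 = 1 (mod 15)
    print(shor_factor(15))      # (3, 5)
    print(shor_factor(3233))    # (53, 61), the textbook toy RSA modulus
```

Doubling the size of N doubles the work of the modular arithmetic here, but it squares the brute-force cost of find_period; a quantum period-finder keeps that step polynomial, which is the whole problem.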

The Estimates Are Getting Worse, Fast

In 2019, estimates placed the cost of breaking RSA-2048 at around 20 million physical qubits. By 2025, improved algorithms reduced that to under 1 million. In early 2026, researchers at Iceberg Quantum proposed the Pinnacle architecture using quantum LDPC codes, suggesting the figure could drop to fewer than 100,000 physical qubits under certain assumptions. In March 2026, researchers from Google Quantum AI, UC Berkeley, Stanford, and the Ethereum Foundation published a paper, Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities, showing that breaking elliptic curve cryptography (secp256k1) could require fewer than 500,000 physical qubits, roughly 20 times fewer resources than previous estimates.

Today’s largest quantum systems are still around 1,000–1,500 physical qubits. But the gap between what exists and what’s needed is closing from both sides: hardware is scaling up while the algorithmic cost of attack is plummeting.

Symmetric crypto holds up better. Grover’s algorithm delivers only a square-root speedup: a 2²⁵⁶ brute-force search becomes about 2¹²⁸ quantum evaluations, so AES-256 offers roughly the strength of AES-128 against a quantum attacker. That is still strong, and because Grover’s queries must run sequentially and parallelize poorly, even AES-128 is not considered practically broken (NIST defines its lowest PQC security category as “at least as hard as breaking AES-128”). The conservative move is AES-256 with SHA-384 or SHA-512 for long-lived secrets, which is what CNSA 2.0 requires.

“Harvest Now, Decrypt Later”

This is what makes the timeline deceptive. Adversaries are already capturing encrypted traffic today, storing it cheaply, and betting they can unlock it the moment a cryptographically relevant quantum computer (CRQC) arrives. At the Vanderbilt Quantum Forum in April 2026, the message from security leaders was blunt: adversaries are already harvesting encrypted data and waiting patiently for quantum capability to catch up.

Anything you encrypt now that must stay secret for ten or twenty years is, in effect, already at risk. That’s why the migration to PQC is urgent even though the machine that breaks current crypto doesn’t exist yet. The Cloud Security Alliance now estimates Q-Day could arrive by 2030.

The New Math: How Post-Quantum Cryptography Works

The replacements abandon the number-theoretic problems (factoring, discrete logs) that Shor’s algorithm exploits. Instead, most PQC schemes are built on lattice problems, a completely different branch of mathematics for which no known quantum algorithm gives more than a modest speedup over classical attacks.

Lattices and Learning With Errors

A lattice is a regular grid of points in high-dimensional space. Imagine an infinite, multidimensional mesh of dots. Certain problems on lattices, such as finding the shortest vector, are believed to be hard for both classical and quantum computers.

The core building block for NIST’s new standards is Learning With Errors (LWE). The idea is elegant:

Given a matrix A and a vector b = As + e (mod q) where e is a small, random noise vector, recover the secret vector s.

Without the noise, this is just solving a system of linear equations — trivial with Gaussian elimination mod q. But the noise e turns it into a decoding problem: elimination amplifies the errors instead of cancelling them, and the best known attacks (lattice reduction such as BKZ) run in time exponential in the dimension. Regev showed in 2005 that solving average-case LWE is at least as hard as approximating worst-case lattice problems, and no known quantum algorithm beats the classical attacks by more than a polynomial factor. This is what gives cryptographers confidence that lattice-based PQC won’t fall the way RSA and ECC will.
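An added worked example, not from the article, in toy Python: it generates an LWE instance b = As + e, recovers s by Gaussian elimination mod q when e = 0, fails once small noise is added, and then uses the noisy instance as a public key in Regev’s encryption scheme, where the legitimate decryptor only has to tolerate the noise rather than remove it. The parameters (n = 16, m = 64, q = 3329) are illustrative and far too small to be secure; q = 3329 is borrowed from ML-KEM only for familiarity.

```python
"""Toy Learning With Errors (LWE). Added example, not from the article.

(1) With e = 0, b = A*s is a linear system and Gaussian elimination mod q
    recovers s.
(2) With small noise e, the same elimination yields garbage.
(3) The noisy instance still works as a public key (Regev's scheme): the
    decryptor only needs to tolerate the noise, not remove it.
Toy parameters: NOT secure.
"""
import random

Q = 3329      # prime modulus (ML-KEM's q, used here only for familiarity)
N = 16        # secret dimension
M = 64        # number of LWE samples (rows of A)
rng = random.Random(2024)


def small_noise() -> int:
    """Centered binomial noise with eta = 2, values in {-2..2}, the shape
    ML-KEM uses (sum of 2 coin flips minus sum of 2 coin flips)."""
    return sum(rng.randint(0, 1) for _ in range(2)) - sum(rng.randint(0, 1) for _ in range(2))


def keygen(noisy=True):
    """Public key (A, b = A*s + e mod q); secret key s."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [small_noise() if noisy else 0 for _ in range(M)]
    b = [(sum(a * x for a, x in zip(row, s)) + ei) % Q for row, ei in zip(A, e)]
    return (A, b), s


def solve_mod_q(A, b):
    """The attacker's tool: Gaussian elimination over Z_q (q prime).
    Returns the s solving the pivot rows exactly; equals the real s iff
    those rows carried no noise."""
    rows = [row[:] + [bi] for row, bi in zip(A, b)]
    piv = 0
    for col in range(N):
        p = next((i for i in range(piv, len(rows)) if rows[i][col] % Q), None)
        if p is None:
            continue
        rows[piv], rows[p] = rows[p], rows[piv]
        inv = pow(rows[piv][col], -1, Q)
        rows[piv] = [(v * inv) % Q for v in rows[piv]]
        for i in range(len(rows)):
            if i != piv and rows[i][col]:
                f = rows[i][col]
                rows[i] = [(vi - f * vp) % Q for vi, vp in zip(rows[i], rows[piv])]
        piv += 1
    return [rows[i][N] for i in range(N)]


def encrypt(pk, bit):
    """Regev encryption: add up a random subset of the public samples and
    hide the bit in the high half of the modulus."""
    A, b = pk
    r = [rng.randint(0, 1) for _ in range(M)]
    u = [sum(ri * row[j] for ri, row in zip(r, A)) % Q for j in range(N)]
    v = (sum(ri * bi for ri, bi in zip(r, b)) + bit * (Q // 2)) % Q
    return u, v


def decrypt(s, ct):
    """v - <u, s> = bit*q/2 + sum(r_i * e_i); the noise term is at most
    M*2 = 128 < q/4, so rounding to the nearest multiple of q/2 is correct."""
    u, v = ct
    d = (v - sum(ui * si for ui, si in zip(u, s))) % Q
    return 1 if Q // 4 < d < 3 * Q // 4 else 0


if __name__ == "__main__":
    pk, s = keygen(noisy=False)
    print(solve_mod_q(*pk) == s)        # True: no noise, linear algebra wins
    pk, s = keygen(noisy=True)
    print(solve_mod_q(*pk) == s)        # False: noise defeats elimination
    print([decrypt(s, encrypt(pk, bit)) for bit in (0, 1, 1, 0)])  # [0, 1, 1, 0]
```

Note the asymmetry the scheme depends on: the attacker must solve for s exactly, so any noise in the rows it uses poisons the result, while the decryptor only needs the noise to stay below q/4 so that rounding recovers the bit. Real schemes replace this plain LWE with Module-LWE over polynomial rings for compactness, but the noise argument is identical.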

Why Not Just Use Bigger Classical Keys?

Because Shor’s algorithm isn’t a brute-force attack. It’s a structural attack that exploits the specific algebraic properties of factoring and discrete logs. Making keys bigger just forces a slightly longer polynomial computation. It doesn’t change the fundamental vulnerability. The only real defense is to move to math that quantum computers can’t structurally exploit.

The NIST Standards: What’s Been Chosen and Why

After an eight-year global competition that drew 82 submissions from 25 countries, NIST published its first post-quantum standards in August 2024 and has continued expanding the suite since.

Here’s the current landscape:

ML-KEM (Kyber) — Key Encapsulation — FIPS 203

  • Replaces: ECDH / X25519 (key exchange)
  • Based on: Module Learning With Errors (MLWE)
  • Status: Primary standard. Production-deployed in Chrome, Cloudflare, Apple iMessage, Signal, and cloud KMS services.
  • Why it won: Best balance of key size, ciphertext size, and speed. ML-KEM-768 (NIST security category 3, comparable to AES-192) has a public key of 1,184 bytes and a ciphertext of 1,088 bytes.

ML-DSA (Dilithium) — Digital Signatures — FIPS 204

  • Replaces: ECDSA / Ed25519
  • Based on: Module LWE and Module SIS, using the “Fiat-Shamir with Aborts” technique
  • Status: Primary signature standard. Includes both regular and prehashed (HashML-DSA) variants. Being integrated into certificate chains, with first PQ certificates expected to appear in 2026 (broad browser trust likely by 2027).
  • Why it won: Strong security proofs, relatively compact signatures (~2.4 KB for ML-DSA-44, ~3.3 KB for ML-DSA-65), fast verification.

SLH-DSA (SPHINCS+) — Hash-Based Signatures — FIPS 205

  • Replaces: Nothing directly. It’s a conservative backup.
  • Based on: Hash functions only (SHA-256, SHAKE). No lattice assumptions.
  • Why it’s there: Diversity. If a breakthrough ever cracks lattice problems, SLH-DSA remains standing. The tradeoff is much larger signatures (~8–50 KB).

FN-DSA (Falcon) — Compact Signatures — FIPS 206

  • Replaces: ECDSA / Ed25519 where signature size is critical.
  • Based on: NTRU lattices with Gaussian sampling.
  • Status: Draft standard (FIPS 206) released in 2025.
  • Why it matters: Smallest PQC signatures (~666 bytes for Falcon-512), making it attractive for certificate chains, blockchain, and bandwidth-constrained environments.

HQC — Backup Key Encapsulation (Selected March 2025)

  • Replaces: Nothing directly. It’s a backup for ML-KEM.
  • Based on: Error-correcting codes (Hamming Quasi-Cyclic), a completely different mathematical foundation from the lattices used in ML-KEM
  • Status: Selected by NIST in March 2025. Draft standard expected 2026, finalized standard expected 2027.
  • Why it matters: If a vulnerability is ever found in lattice-based ML-KEM, HQC provides a fallback built on code-based cryptography, a family studied since McEliece’s 1978 proposal. This “don’t-put-all-eggs-in-one-basket” approach is central to NIST’s long-term resilience strategy.

What’s Still in the Pipeline

NIST isn’t done. Two parallel efforts continue: the Round 4 process (which yielded HQC) and the Signatures On-Ramp, a separate competition for additional signature schemes. In October 2024, NIST selected 14 candidates for the second round of the on-ramp. These represent exciting new directions in PQC signatures, but standardization is unlikely before 2028.

Where We Are in April 2026

The pace of real-world deployment has accelerated dramatically. 2026 has been declared the “Year of Quantum Security” by an industry coalition, launched in January 2026 with participation from the FBI, CISA, and NIST.

Deployment Milestones

  • Cloudflare reported in April 2026 that over 65% of human traffic passing through its network is now protected with post-quantum key exchange (X25519 + ML-KEM). Full PQ migration, including authentication, is targeted by 2029.
  • Google Chrome has had hybrid PQ TLS enabled by default since 2024. Google has set an internal 2029 deadline for complete PQC migration.
  • Apple shipped PQ3 for iMessage in early 2024, making it one of the first messaging protocols to deploy post-quantum key exchange at scale.
  • Signal deployed PQXDH, adding post-quantum key exchange to its end-to-end encrypted messaging.
  • AWS, Azure, and Google Cloud all expose PQC options in their key-management services.
  • Microchip Technology announced PQC-ready hardware root-of-trust controllers (TS1800, TS50x) in April 2026, signaling PQC’s arrival in embedded silicon.

Regulatory Timelines

  • NIST IR 8547 (initial public draft, November 2024) outlines the transition roadmap: quantum-vulnerable public-key algorithms at the 112-bit security level (e.g., RSA-2048) are deprecated after 2030, and all quantum-vulnerable public-key algorithms, including those at 128-bit security and above, are disallowed after 2035.
  • CNSA 2.0 (NSA): All new National Security System acquisitions must be CNSA 2.0 compliant by January 1, 2027. Final mandatory compliance by 2033.
  • Executive Order 14144 (Biden, January 2025; PQC provisions maintained by Trump’s June 2025 amendment) requires TLS 1.3 (or successor) adoption by January 2, 2030.
  • CISA published its Product Categories guidance in January 2026, advising agencies to prioritize PQC-capable products in procurement.
  • EU Cyber Resilience Act and UK NCSC guidance set similar migration expectations for critical infrastructure.
  • TLS certificate maximum validity is shrinking under CA/Browser Forum ballot SC-081: from 398 days to 200 days in March 2026, 100 days in March 2027, and 47 days in March 2029, forcing automated issuance and faster cryptographic agility.

The Hybrid Era

The current best practice is hybrid mode, combining a classical algorithm (like X25519) with a PQC algorithm (like ML-KEM) so that even if one is broken, the other still protects the data. The IETF has formalized this in hybrid TLS key exchange drafts: X25519 + ML-KEM-768 is negotiated as the TLS group X25519MLKEM768 (codepoint 0x11EC), and the two shared secrets are concatenated (ML-KEM’s first, then X25519’s) before entering the TLS key schedule, so an attacker must break both to recover the session keys. Hybrid key exchange is in production. Hybrid (composite) certificates are still being standardized and are expected to appear later in 2026.
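An added example (not from the article, and not code from Cloudflare or any TLS library) for checking cryptographic agility on the wire: it builds a minimal TLS 1.3 ClientHello and parses its supported_groups extension to report whether the client offers a hybrid PQ group. The codepoint 0x11EC is the one the text names; the other codepoints in the table are assumed values and should be checked against the IANA TLS Supported Groups registry before relying on them. The ClientHello bytes are constructed inline, not captured traffic.

```python
"""Detect hybrid post-quantum key exchange offers in a TLS ClientHello.

Added example, not from the article or any library. Builds a minimal TLS 1.3
ClientHello (constructed here, not captured) and parses its supported_groups
extension (type 10) to report which offered groups are hybrid PQ.
"""
import struct

HYBRID_PQ_GROUPS = {
    0x11EC: "X25519MLKEM768",         # codepoint named in the article
    0x11EB: "SecP256r1MLKEM768",      # assumption: verify in the IANA registry
    0x11ED: "SecP384r1MLKEM1024",     # assumption: verify in the IANA registry
    0x6399: "X25519Kyber768Draft00",  # assumption: pre-standard draft codepoint
}
CLASSICAL_GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519"}


def build_client_hello(groups):
    """Construct a minimal TLS 1.3 ClientHello record carrying supported_groups."""
    sg_list = b"".join(struct.pack(">H", g) for g in groups)
    sg_ext = (struct.pack(">HH", 10, len(sg_list) + 2)
              + struct.pack(">H", len(sg_list)) + sg_list)
    sv_ext = struct.pack(">HH", 43, 3) + b"\x02\x03\x04"   # supported_versions: TLS 1.3
    exts = sg_ext + sv_ext
    body = (b"\x03\x03" + bytes(32)                       # legacy_version, random (zeros)
            + b"\x00"                                     # legacy_session_id: empty
            + struct.pack(">H", 2) + b"\x13\x01"          # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                 # compression_methods: null
            + struct.pack(">H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body    # Handshake: client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs   # TLSPlaintext: handshake


def offered_groups(record):
    """Walk the record/handshake headers and return supported_groups codepoints."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 9 + 2 + 32                                         # headers, version, random
    p += 1 + record[p]                                     # legacy_session_id
    p += 2 + struct.unpack(">H", record[p:p + 2])[0]       # cipher_suites
    p += 1 + record[p]                                     # compression_methods
    ext_end = p + 2 + struct.unpack(">H", record[p:p + 2])[0]
    p += 2
    while p < ext_end:
        etype, elen = struct.unpack(">HH", record[p:p + 4])
        p += 4
        if etype == 10:                                    # supported_groups
            n = struct.unpack(">H", record[p:p + 2])[0]
            return [struct.unpack(">H", record[p + 2 + i:p + 4 + i])[0]
                    for i in range(0, n, 2)]
        p += elen
    return []


def classify(record):
    """Summarize the offer: which hybrid PQ groups appear, and whether the
    client is still classical-only (a migration-inventory signal)."""
    groups = offered_groups(record)
    return {
        "groups": [HYBRID_PQ_GROUPS.get(g) or CLASSICAL_GROUPS.get(g) or hex(g)
                   for g in groups],
        "hybrid_pq": [HYBRID_PQ_GROUPS[g] for g in groups if g in HYBRID_PQ_GROUPS],
        "classical_only": not any(g in HYBRID_PQ_GROUPS for g in groups),
    }


if __name__ == "__main__":
    modern = build_client_hello([0x11EC, 0x001D, 0x0017])
    legacy = build_client_hello([0x001D, 0x0017])
    print(classify(modern))   # hybrid_pq: ['X25519MLKEM768'], classical_only: False
    print(classify(legacy))   # hybrid_pq: [], classical_only: True
```

Pointed at the first record of real client connections (for example, pulled from a packet capture), classify gives a quick inventory of which clients in your estate already offer hybrid key exchange and which are stuck on classical groups; the server-side check is the mirror image, reading the selected group out of the ServerHello’s key_share.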

The Hard Part: Why Migration Is Massive

Publishing a standard is one thing. Replacing cryptography across the entire internet is another.

  • Larger keys and signatures. ML-KEM public keys are ~1.2 KB vs. 32 bytes for X25519. ML-DSA signatures are ~2.4 KB vs. 64 bytes for Ed25519. This affects TLS handshake latency, certificate chain size, IoT devices with limited memory, and protocols designed around small keys.
  • Buried cryptography. Crypto is embedded in firmware, smart cards, HSMs, embedded sensors, certificate chains, and decades of legacy code. The Entrust/Ponemon 2026 report found that 68% of organizations say managing cryptographic assets is extremely difficult.
  • Authentication lags behind encryption. While PQ key exchange is broadly deployed, not a single publicly trusted PQ certificate is in use yet. CAs need HSM hardware support and audit approval. The CA/Browser Forum needs to approve new algorithms. The first PQ certificates are expected in 2026, but broad browser trust likely won’t arrive before 2027.
  • Implementation risk. PQC implementations are new and haven’t been battle-tested at scale the way AES and ECC have; KyberSlash, a timing leak found in early Kyber reference code, showed that even reference implementations needed constant-time hardening. AI-assisted side-channel analysis improved markedly in 2025, increasing the likelihood of implementation surprises. Use vetted, constant-time libraries and track their updates rather than rolling your own.
  • Blockchain exposure. Bitcoin’s entire transaction history is public and permanent, and a quantum attacker that can solve the elliptic-curve discrete log could spend any output whose public key is already on-chain (reused addresses, and early pay-to-public-key coins). No future algorithm can retroactively protect keys that are already publicly available. Ethereum published a formal PQ roadmap in February 2026. Bitcoin’s more conservative governance means migration could take 5–10 years even after consensus is reached.

The Bottom Line

Post-quantum cryptography isn’t speculative anymore. It’s a deployment project in its execution year. The math has been chosen. Five algorithms are standardized or selected (ML-KEM, ML-DSA, SLH-DSA, FN-DSA, HQC). Over 65% of web traffic through the world’s largest CDN is already post-quantum encrypted. Regulatory deadlines are set. The qubit estimates for attack keep dropping.

The question for engineers, security leads, and executives isn’t whether to migrate. It’s how fast. The data you’re protecting today may need to survive an adversary that doesn’t yet exist, but is being built right now.

Anurodh Budhathoki
Data Scientist