If any kind of proof about serious quantum computers comes to light, browsers can force most websites' hand by marking non-PQ ciphers as insecure.

Maybe it'll require TLS 1.4/QUIC 2, with no changes but the cipher specifications, but it can happen in two or three years. Certificates themselves don't last longer than a year anyway. Corporations running ancient software that doesn't support PQ TLS will have the same configuration options to ignore the security warnings already present for TLS 1.0/plain HTTP connections.

The biggest problem I can imagine is devices talking to the internet no longer receiving firmware updates. If the web host switches protocols, the old clients will start dying off en masses.

Waiting now means rushing even more close to the deadline! We added stats on origin support for post-quantum encryption. Not as much support as browsers of course, but better than I expected. Still a long road (and authentication!). https://radar.cloudflare.com/post-quantum

> Updating websites is going to be so much easier than dealing with other systems (bitcoin probably the worst; data at rest storage systems; hardware).

IPv6 deserves a prominent spot there

That is a beautiful api.

Wow that’s a lot better browser support than expected

Among cryptography engineers there was a sharp vibe shift over the last 2 months; there are papers supporting that vibe shift, but there's also a rumor mill behind it too. The field has basically aligned fully in a way it hadn't before that this is an urgent concern. The simplest way to put it is that everyone's timeline for a real-world CRQC has shortened. Not everyone has the same timeline, but all those timelines are now shorter, and for some important (based on industry and academic position) practitioners, it's down to "imminent".

It's theory. The concern is for avoiding a (likely, IMO) scenario where the only real indication that someone cracked QC is one or more teams of researchers in the field going dark because they got pulled into some tight-lipped NSA project. If we wait until we have an unambiguous path to QC, it might well be too late.

To avoid the scenario where for a prolonged period of time the intelligence community has secret access to QC, researchers against that type of thing are incentivized to shout fire when they see the glimmerings of a possibly productive path of research.

still theory, but there seems to be an emerging consensus that quantum systems capable of real-world attacks are closer to fruition than most people generally assumed.

Filippo Valsorda (maintainer of Golang's crypto packages, among other things) published a summary yesterday [0] targeted at relative laypeople, with the same "we need to target 2029" bottom line.

0: https://words.filippo.io/crqc-timeline/

Nothing has been broken yet, however data can be collected now and be cracked when the time comes, hence why there is a push.

Still theory

Theory. And afaik there are still questions as to if the PQ algorithms are actually secure.

Yeah, it's rough. Important to understand now for each product / system what the business impact is if it's not upgraded in time.

Only the asymmetric portion of the cryptography (which is only used in the handshake) will need to use PQC algorithms. Symmetric crypto algorithms (AES/ChaCha20/SHA-*), which are used after the handshake, are not as badly affected by quantum computing so they're not being replaced in the immediate term. I'm pretty sure that general purpose CPUs do not have hardware acceleration for the asymmetric crypto anyways.

you don't really need that tbh. you can get pretty good speedups using standard (vector) intrinsics. the new algorithms are (mostly) modular linear algebra (+ some concept of "noise").

To start, I am NOT an expert on the underlying technologies. But I have some exposure to the topic at let’s say more like an ecosystem level.

There are tons of hypothesized applications for quantum computing based on the expectation it will provide better simulation of quantum effects for e.g. chemistry, and offer major speedups of highly parallel simulation problems like nuclear plasma or some things in finance. Easy to Google to learn more about these.

But keeping the focus squarely on the military and intelligence services, one answer to your question is that everyone is not going to switch to post-quantum cryptography instantaneously. It’s going to take a while, especially for a long tail of “infrastructure” type things like networking gear, “internet of things,” industrial sensors, etc. Things that national intelligence services might like to break into to enable breaking into other things.

Quantum breaks may also still succeed against stored encrypted data from before the switch to PQ. And for at least a couple decades, national intelligence services have been scaling up their storage resources. So they might have a “backlog” they can work through.

Finally, things don’t have to last forever. Everything the military / government builds has an expected lifespan, and it only has to be valuable during that life span. And risks can be rare but huge in national security. So if quantum code-breaking computers only help the NSA learn a few very important things for a limited time, that still might be “worth it” to them. Or if a quantum computer doesn’t break any important cryptography, but helps advance the engineering and enables better quantum computers in the future for other anpplications—again, still might be worth it.

We can assume that organizations like NSA have collected a huge amount of traffic that is protected by RSA or EC. So they well have plenty of use for those quantum computers.

OpenSSH has supported post-quantum key agreement since 2022, and since 10.1 (October 2025) you'll get a warning if your connection isn't using it. It doesn't require rotating your keys, just upgrading the software on both sides.

Post-quantum signatures will require rotating your keys, but that's less urgent.

they are much more thoroughly vetted than other schemes. They're more thoroughly vetted than elliptic curves were before we deployed them. Much more vetted than RSA was ever.

Practically though, there are some downsides. Elliptic curves tend to have smaller ciphertexts/keys/signatures/so are better on bandwidth. If you do everything right with elliptic curves, we're also more confident in the hardness of the underlying problems (cf "generic group lower bounds", and other extensions of this model).

The new algorithms tend to be easier to implement (important, as a big source of practical insecurity is implementation issues. historically much more than the underlying assumption breaking). This isn't uniformly, e.g. I still think that the FN-DSA algorithm will have issues of this type, but ML-DSA and ML-KEM are fine. They're also easier to "specify", meaning it is much harder to accidentally choose a "weak" instance of them (in several senses. the "weak curve" attacks are not really possible. there isn't really a way to hide a NOBUS backdoor like there was for DUAL_EC_DRBG). They also tend to be faster.

Post-quantum algorithms tend to be slower than existing elliptic curve algorithms and require more data to be exchanged to provide equivalent security against attacks run on non-quantum computers.

AFAIK, PQ certificates are significantly longer than current ones. I don't know exact numbers though.

nah. governments around the world are hoovering up traffic today with the hope of a "cheap" (by nation state standards) quantum computer. Some of the secrets sent today are "evergreen" (i.e are still relevant 10+ years into the future), amongst a whole lot of cruft. There is massive incentive to hide the technology to keep your peers transmitting in vulnerable encryption as long as possible.

At least it's time bound: hope to have this job done by 2029!

If we do our job, it changes nothing. Problem with security generally: no spectacle if it's all correct. :)

It would mean that they're future-proofing their security

"Nothing happened for y2k" energy

What do you mean? For as long as I remember (back to late 1994) people understood DES to be inadequate; we used DES-EDE and IDEA (and later RC4) instead. What "secrecy" would there have been? The feasibility of breaking DES given a plausible budget goes all the way back to the late 1970s. The first prize given for demonstrating a DES break was only $10,000.

My read of the recent google blog post is that they framed it as cryptocurrency related stuff just so they don't say the silent thing out loud. But lots of people "in the know" / working on this are taking it much more seriously than just cryptobros go broke. So my hunch is that there's more to it and they didn't want to say it / couldn't / weren't allowed to.