The quiet migration to post-quantum cryptography stopped being quiet in 2026. For the first time, more than half of the human web traffic flowing through Cloudflare is now protected by quantum-resistant key agreement, a threshold that would have sounded like science fiction when NIST published its first standards less than two years ago. The shift marks a turning point in one of the largest cryptographic transitions in the history of the internet, and it is being driven by a single uncomfortable idea: adversaries may already be stealing encrypted data today, betting they can decrypt it once a powerful enough quantum computer exists.

This is a news analysis of where the post-quantum transition stands as of June 10, 2026: the finalized standards, the federal deadlines now bearing down on agencies, the browsers and messengers that have quietly flipped the switch, and the expert disagreement over exactly when “Q-Day” arrives. The numbers tell a story of accelerating urgency.

Post-Quantum Cryptography Crosses the 50% Threshold in 2026

The headline data point comes from Cloudflare, which sits in front of a large slice of the world’s websites and APIs. On April 7, 2026, the company confirmed that more than half of the human traffic it processes now uses post-quantum key agreement. To appreciate how fast that happened, rewind to early 2024: at that point Cloudflare reported that “nearly two percent of all TLS 1.3 connections established with Cloudflare are secured with post-quantum cryptography.” Going from roughly 2% to north of 50% in about two years is one of the steepest cryptographic adoption curves the web has seen.

The mechanism behind that jump is a hybrid key exchange called X25519MLKEM768. It pairs the classical X25519 elliptic-curve handshake with ML-KEM-768, the NIST-standardized lattice key-encapsulation mechanism formerly known as CRYSTALS-Kyber. The “hybrid” design is deliberate: even if one of the two algorithms is later found to have a flaw, the connection remains secure as long as the other holds. Browsers negotiate it automatically, so most users protected by it have no idea anything changed.

Cloudflare’s own documentation does not mince words about the stakes. “It is urgent to migrate key agreement to post-quantum algorithms as soon as possible,” the company writes in its public PQC guidance, framing the rollout explicitly as a defense against “harvest now, decrypt later” attacks rather than a forward-looking nicety. That urgency is now showing up in roadmaps across the industry.

What “Harvest Now, Decrypt Later” Actually Means

The reason post-quantum cryptography is a 2026 problem rather than a 2035 problem comes down to a deceptively simple attack strategy. In a “harvest now, decrypt later” (HNDL) operation, an adversary records encrypted traffic or exfiltrates encrypted archives today, stores them, and waits. The data is useless while the encryption holds. But the moment a cryptographically relevant quantum computer (CRQC) exists, Shor’s algorithm can break the public-key cryptography (RSA, Diffie-Hellman, and elliptic-curve schemes like X25519) that protected those captured sessions.

This inverts the usual security timeline. For data that must stay confidential for a decade or more (medical records, state secrets, intellectual property, financial archives), the relevant question is not “is a quantum computer dangerous today?” but “will one exist before this data stops being sensitive?” If the answer is plausibly yes, the data is already at risk, because it can be captured now. Cloudflare puts the practical implication bluntly: data with confidentiality requirements extending past 2035 should already be moving to quantum-resistant protection.

That logic is formalized in what cryptographers call Mosca’s inequality, named after quantum researcher Michele Mosca: if the time your data must remain secret, plus the time it takes your organization to migrate, exceeds the time until a quantum computer arrives, you are already too late. With migration of large enterprises measured in years, the math is unforgiving even under optimistic Q-Day estimates.

The NIST Standards: FIPS 203, 204, 205 and the HQC Backup

The foundation of the entire migration is a small set of standards from the U.S. National Institute of Standards and Technology. On August 13, 2024, NIST published its first three finalized post-quantum standards after an eight-year, multi-round international competition. Each replaces a category of vulnerable classical cryptography.

| Standard | Algorithm (former name) | Type | Mathematical basis | Status |
|---|---|---|---|---|
| FIPS 203 | ML-KEM (CRYSTALS-Kyber) | Key encapsulation | Module lattices | Final, Aug 13 2024 |
| FIPS 204 | ML-DSA (CRYSTALS-Dilithium) | Digital signature | Module lattices | Final, Aug 13 2024 |
| FIPS 205 | SLH-DSA (SPHINCS+) | Digital signature | Hash-based | Final, Aug 13 2024 |
| FIPS 206 (planned) | FN-DSA (FALCON) | Digital signature | Lattices (NTRU) | Draft in progress |
| HQC | HQC | Key encapsulation (backup) | Error-correcting codes | Selected Mar 11 2025 |

The selection of HQC on March 11, 2025 is strategically important. ML-KEM and HQC both do key encapsulation, but they rest on entirely different mathematical foundations: structured lattices versus error-correcting codes. NIST deliberately wanted a backup that would not fall to the same cryptanalytic breakthrough that might one day threaten lattices. It is a hedge built into the standard itself, an acknowledgment that even the new cryptography needs a Plan B.

NIST’s message to operators is unambiguous. The agency’s guidance states that the three primary standards “can and should be put into use now,” and that organizations should “begin migrating their systems to quantum-resistant cryptography” immediately. Dustin Moody, the NIST mathematician who leads the post-quantum project, has repeatedly urged system administrators to start integrating the algorithms into their systems without waiting for a quantum computer to appear; the entire point of the HNDL threat model is that waiting is the failure mode.

NIST’s 2035 Deprecation Timeline for Classical Cryptography

Beyond publishing replacements, NIST has set an expiration date on the old guard. Under its current roadmap, quantum-vulnerable algorithms such as RSA and elliptic-curve cryptography are slated to be deprecated and ultimately removed by 2035, with high-risk systems expected to transition considerably earlier. That date is not arbitrary; it aligns with U.S. national security guidance and gives the broader ecosystem a hard horizon to plan against.

NIST has also kept publishing operational guidance to smooth the transition. SP 800-227, finalized on September 18, 2025, lays out recommendations for using key-encapsulation mechanisms and hybrid deployments, the practical “how” behind ML-KEM. And on December 19, 2025, NIST finalized CSWP 39, which elevates cryptographic agility to a first-class engineering requirement. The thinking is that organizations should never again hard-code a single algorithm so deeply that swapping it takes a decade; systems should be designed so that the next algorithm change is a configuration update, not a rebuild.

Federal Mandates and the September 2026 FIPS Deadline

For U.S. federal agencies, post-quantum migration is not a suggestion; it is law and policy. The framework rests on three pillars: the Quantum Computing Cybersecurity Preparedness Act, National Security Memorandum 10 (NSM-10) with its 2035 migration target, and NIST’s finalized standards. The Office of Management and Budget was required to issue migration guidance within one year of the August 2024 standards release, putting that deadline at roughly August 2025.

The most concrete near-term deadline is procedural but consequential. NIST’s sunset of FIPS 140-2 moves all remaining validation certificates to “Historical” status on September 21, 2026. After that date, only FIPS 140-3 validated cryptographic modules may be used in new federal procurement, a forcing function that quietly pushes vendors and agencies toward modern, agile crypto implementations. On the national security side, CNSA 2.0 (the NSA’s Commercial National Security Algorithm Suite) began its migration phase in 2025 and disallows classical algorithms in national security systems by 2035.

| Milestone | Date | What it requires |
|---|---|---|
| FIPS 203/204/205 published | Aug 13, 2024 | Standards available for adoption |
| OMB migration guidance due | ~Aug 2025 | Within 1 year of standards |
| CNSA 2.0 migration begins | 2025 | NSS vendors start transition |
| SP 800-227 finalized | Sep 18, 2025 | KEM deployment guidance |
| CSWP 39 finalized | Dec 19, 2025 | Cryptographic agility framework |
| FIPS 140-2 to Historical | Sep 21, 2026 | Only FIPS 140-3 modules for new procurement |
| Classical crypto removed | 2035 | NIST deprecation + NSM-10/CNSA 2.0 target |

How Browsers and Messengers Quietly Went Quantum-Safe

One reason the Cloudflare traffic numbers climbed so quickly is that the client side of the equation moved in parallel. By 2025, recent versions of all major browsers had enabled X25519MLKEM768 by default. Chrome and its derivatives (including Edge) and Firefox all support the hybrid key exchange, meaning a typical user visiting a typical website is now negotiating post-quantum protection without clicking anything. A connection only becomes quantum-safe when both endpoints support it, so as servers and browsers converged, the protected share of traffic compounded.

Encrypted messaging led the consumer charge even earlier. Apple announced in February 2024 that it would secure iMessage with post-quantum cryptography (its PQ3 protocol), rolling out before the end of that year, and recent Apple operating systems now enable X25519MLKEM768 by default. Signal had already deployed its post-quantum hybrid key exchange, PQXDH, with Cloudflare noting that “Signal chats are already secured.” For two of the world’s most security-conscious messaging platforms, the post-quantum transition is effectively complete on the key-agreement front.

| Vendor / platform | Mechanism | Status (2025–2026) |
|---|---|---|
| Cloudflare network | X25519MLKEM768 | >50% of human traffic protected |
| Chrome / Edge / Firefox | X25519MLKEM768 | Enabled by default |
| Apple iMessage | PQ3 | Deployed (announced Feb 2024) |
| Signal | PQXDH | Deployed |
| Apple OS TLS stack | X25519MLKEM768 | Default in recent releases |

The IETF Standardizes the Hybrid Handshake

Vendor adoption needs a common wire format, and that is the job of the Internet Engineering Task Force. The relevant specification, draft-ietf-tls-ecdhe-mlkem, defines the post-quantum hybrid ECDHE-MLKEM key agreement for TLS 1.3, the exact construction browsers and Cloudflare are using. Its fifth revision was last changed on November 18, 2025 and has moved into IESG evaluation, the late-stage review that precedes publication as a standards-track RFC.

This matters because interoperability is what lets the ecosystem scale. When the handshake is a published standard rather than a proprietary experiment, every TLS library, load balancer, and CDN can implement the same thing and trust that it will negotiate cleanly across vendors. The rapid convergence on X25519MLKEM768 in 2025 and 2026 is a direct dividend of getting the IETF process most of the way to the finish line.
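One way to check the client half of this negotiation from a capture, as an added example that is not code from Cloudflare, the IETF draft, or any TLS library: a parser that reads the supported_groups and key_share extensions of a TLS 1.3 ClientHello and reports whether X25519MLKEM768 was offered. The codepoint 0x11EC and the 1216-byte client share length come from the IANA registry and the draft rather than from this article, the function names are this example's own, and the sample messages are constructed with zeroed key material.

```python
import struct

# TLS "supported groups" codepoints (IANA registry; not stated in the article).
X25519, SECP256R1, X25519MLKEM768 = 0x001D, 0x0017, 0x11EC
PQ_HYBRID = {X25519MLKEM768}
EXT_SUPPORTED_GROUPS, EXT_KEY_SHARE = 10, 51

def _vec(buf, off, len_bytes):
    """Read one length-prefixed vector; return (payload, offset after it)."""
    n = int.from_bytes(buf[off:off + len_bytes], "big")
    end = off + len_bytes + n
    if end > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[off + len_bytes:end], end

def parse_client_hello(msg):
    """Return (supported_groups, key_share_groups) from a ClientHello handshake message."""
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello")
    body, _ = _vec(msg, 1, 3)
    off = 2 + 32                     # legacy_version + random
    _, off = _vec(body, off, 1)      # legacy_session_id
    _, off = _vec(body, off, 2)      # cipher_suites
    _, off = _vec(body, off, 1)      # legacy_compression_methods
    exts, _ = _vec(body, off, 2)
    supported, shares, pos = [], [], 0
    while pos < len(exts):
        ext_type = int.from_bytes(exts[pos:pos + 2], "big")
        data, pos = _vec(exts, pos + 2, 2)
        if ext_type == EXT_SUPPORTED_GROUPS:
            lst, _ = _vec(data, 0, 2)
            supported = [int.from_bytes(lst[i:i + 2], "big") for i in range(0, len(lst), 2)]
        elif ext_type == EXT_KEY_SHARE:
            lst, _ = _vec(data, 0, 2)
            p = 0
            while p < len(lst):
                shares.append(int.from_bytes(lst[p:p + 2], "big"))
                _, p = _vec(lst, p + 2, 2)   # skip the key_exchange bytes
    return supported, shares

def pq_posture(msg):
    """Classify what a client offered for key agreement."""
    supported, shares = parse_client_hello(msg)
    if PQ_HYBRID & set(shares):
        return "hybrid-key-share"    # hybrid share sent in the first flight
    if PQ_HYBRID & set(supported):
        return "hybrid-advertised"   # supported, but needs a HelloRetryRequest
    return "classical-only"          # key agreement exposed to harvest now, decrypt later

def build_client_hello(groups, shares):
    """Constructed test input: a minimal ClientHello with zeroed key material."""
    def ext(ext_type, data):
        return struct.pack("!HH", ext_type, len(data)) + data
    sg = b"".join(struct.pack("!H", g) for g in groups)
    ks = b"".join(struct.pack("!HH", g, n) + bytes(n) for g, n in shares)
    exts = (ext(EXT_SUPPORTED_GROUPS, struct.pack("!H", len(sg)) + sg)
            + ext(EXT_KEY_SHARE, struct.pack("!H", len(ks)) + ks))
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body

# Constructed samples: 1216 = ML-KEM-768 encapsulation key (1184) + X25519 share (32).
MODERN = build_client_hello([X25519MLKEM768, X25519, SECP256R1],
                            [(X25519MLKEM768, 1216), (X25519, 32)])
ADVERTISED = build_client_hello([X25519, X25519MLKEM768], [(X25519, 32)])
LEGACY = build_client_hello([X25519, SECP256R1], [(X25519, 32)])
```

Run over ClientHello messages seen at an edge or in a capture, the "classical-only" results identify the clients whose sessions still depend on X25519 alone.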

Cloudflare Accelerates Its Roadmap After New Research

A notable plot twist in 2026 was Cloudflare’s decision to fast-track the rest of its post-quantum rollout. The company moved its roadmap forward after Google and research from a group identified as Oratomic demonstrated what was described as significant advances putting encryption “on notice.” In other words, the people closest to the cryptographic frontier saw enough movement in quantum capability and cryptanalysis to decide that the comfortable timelines were no longer comfortable.

The same April 2026 reporting noted that some projections now place Q-Day (the arrival of a quantum computer capable of breaking current public-key cryptography) “as early as the end of the decade.” That is a striking compression. For years, conventional wisdom held that a cryptographically relevant quantum machine was fifteen to thirty years out. A credible “end of the decade” estimate would mean roughly 2029 to 2030, which is inside the migration window of many large institutions that have barely started.

What the Experts Are Saying

The expert consensus has shifted from “prepare eventually” to “migrate now,” even as forecasters disagree on the precise Q-Day date. A few representative voices capture the current mood.

Dustin Moody, NIST mathematician and post-quantum project lead, has framed the August 2024 standards release as a starting gun rather than a finish line, urging administrators to begin integrating the algorithms immediately because retrofitting cryptography across global infrastructure takes years, not months.

Cloudflare’s post-quantum engineering team, whose research is authored by cryptographer Bas Westerbaan, states the case operationally: “It is urgent to migrate key agreement to post-quantum algorithms as soon as possible.” The company pairs that with the data point that “more than half of human traffic” on its network is already protected, proof that the migration is technically feasible at internet scale today.

The framing that ties these positions together is Michele Mosca’s risk model. Mosca, a quantum-computing researcher, has spent years warning that organizations systematically underestimate how long migration takes and overestimate how far away Q-Day is, a combination that leaves long-lived secrets exposed to harvest-now-decrypt-later collection well before any quantum computer is switched on.

How Post-Quantum Algorithms Differ From RSA and ECC

The classical algorithms now being retired all rely on math problems that are hard for ordinary computers but easy for a quantum one. RSA depends on the difficulty of factoring large integers; Diffie-Hellman and elliptic-curve cryptography depend on the discrete logarithm problem. Shor’s algorithm, running on a sufficiently large quantum computer, solves both efficiently, which is exactly why a single hardware breakthrough threatens the whole category at once.

The replacements rest on problems with no known efficient quantum attack. ML-KEM and ML-DSA are built on structured lattice problems; SLH-DSA leans on the security of cryptographic hash functions, the same primitives underpinning much of modern security; HQC is built on error-correcting codes. The trade-off is size. Post-quantum keys and signatures are generally larger than their elliptic-curve equivalents, which is why hybrid deployments and careful engineering (the territory of SP 800-227) matter so much for performance.

For readers who want the deeper machinery, the relationship between key exchange, digital signatures, and the TLS handshake that secures HTTPS is where post-quantum cryptography actually lives. Understanding that stack is the difference between treating PQC as a checkbox and treating it as an architecture decision.

Market Impact: A Multi-Year Migration Wave

The post-quantum transition is reshaping the security market on several fronts at once. The first is demand for cryptographic inventory: before an organization can migrate, it has to know where it uses vulnerable cryptography: in TLS endpoints, code-signing, VPNs, databases, hardware security modules, and embedded firmware. NIST’s guidance explicitly tells organizations to identify where vulnerable algorithms are used and plan to replace or update them, and that discovery work has become a product category of its own.

The second is the hybrid-deployment window. Industry guidance suggests many organizations should begin hybrid deployments within 12 to 18 months, with Cloudflare and Google having publicly oriented commitments around 2029. That creates a multi-year procurement cycle for PQC-capable libraries, HSMs, and managed services. The FIPS 140-2 sunset on September 21, 2026 sharpens the incentive further: federal buyers will need FIPS 140-3 validated modules, and vendors that lag on validation risk being shut out of government contracts.

The third front is risk concentration. Because so much of the web’s encryption runs through a handful of CDNs, browsers, and operating systems, a small number of engineering decisions (Cloudflare flipping a default, Chrome shipping a release, Apple updating iOS) can move the global protected-traffic share by tens of percentage points. That centralization accelerated the rollout, but it also concentrates the responsibility for getting the cryptography right.

Historical Context: The Longest Crypto Migration Yet

Cryptographic transitions are always slow, but post-quantum is on track to be the largest yet. The deprecation of MD5 dragged on for years after the algorithm was known to be broken. The retirement of SHA-1, dramatized by the SHAttered collision, took the better part of a decade from first theoretical warnings to browsers finally rejecting SHA-1 certificates. Each of those was a single primitive. Post-quantum cryptography asks the entire ecosystem to replace its public-key foundations (key exchange and signatures both) across every protocol simultaneously.

What is different this time is that the migration began before the threat materialized. With SHA-1 and MD5, the world moved only after collisions were demonstrated. With post-quantum, there is no working quantum computer that can break RSA-2048 today; the migration is preemptive, driven entirely by the harvest-now-decrypt-later logic and the long shadow it casts over confidential data. That is a meaningful maturation in how the security industry handles cryptographic risk: acting on a credible future threat rather than waiting for the breach.

Five Predictions for Post-Quantum Cryptography Through 2030

Based on the current trajectory of standards, deadlines, and vendor behavior, several developments look likely over the next few years.

  • Protected web traffic clears 80% before 2028. With browsers defaulting to hybrid key exchange and CDNs accelerating, the share of PQ-protected human traffic should keep compounding well past today’s 50% as the long tail of servers upgrades.
  • Signatures become the next battleground. Most 2025–2026 progress is in key agreement. Migrating digital signatures (for code-signing, certificates, and PKI) is harder and slower, and will dominate the 2027–2029 agenda as ML-DSA and SLH-DSA roll out.
  • Cryptographic agility becomes a procurement requirement. Following CSWP 39, expect “crypto-agile” to appear in enterprise and government RFPs the way “zero trust” did, with auditors checking that algorithms can be swapped without re-architecting.
  • Q-Day estimates keep getting earlier, and stay contested. As quantum hardware advances, credible forecasts will continue compressing toward the end of the decade, even as skeptics argue error correction remains the real bottleneck. The disagreement itself will drive faster migration.
  • A second wave targets long-lived data at rest. Once transport encryption is largely handled, attention shifts to re-encrypting archives and backups whose confidentiality must outlast 2035, the data most exposed to harvest-now-decrypt-later.

What Organizations Should Do Right Now

The practical playbook in mid-2026 is clear, and it does not require waiting for a quantum computer. First, build a cryptographic inventory: catalog every place public-key cryptography is used, with special attention to data that must stay confidential past 2035. Second, prioritize by exposure: anything that transmits or stores long-lived secrets over untrusted networks is a harvest-now-decrypt-later target and should move first. Third, enable hybrid post-quantum key agreement wherever the stack supports it; for many organizations running modern TLS, this is closer to a configuration change than a rebuild.

Fourth, design for agility per CSWP 39, so the next algorithm change (whether to HQC as a backup or to a future standard) is routine. And fifth, track the federal deadlines even outside government, because the FIPS 140-3 procurement cutoff and the 2035 deprecation horizon set the cadence that vendors and the broader market will follow. The organizations that started cryptographic inventory work in 2025 are the ones flipping hybrid key agreement on today; the ones still deliberating are the ones whose harvested data may be decrypted first.
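The inventory-and-prioritize steps above can be driven directly by Mosca's inequality from earlier in the article. The following is an added example, not code from NIST, Cloudflare, or Mosca: it scores each inventory entry against two Q-Day scenarios the article mentions (2030 and 2035) and ranks the most overdue first. The asset names, shelf lives, and migration durations are constructed sample values, and the `Asset`, `mosca`, and `prioritize` names are this example's own.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    shelf_life: int         # x: years the data must stay confidential
    migration: int          # y: years needed to move this system to PQ key agreement
    uses_pq: bool = False   # already negotiating hybrid key agreement

def mosca(asset, now, q_day):
    """Evaluate Mosca's inequality (x + y > z) for one asset and one Q-Day estimate."""
    if asset.uses_pq:
        return {"late": False, "overshoot": 0, "start_by": None}
    z = q_day - now                                   # years until a CRQC exists
    overshoot = asset.shelf_life + asset.migration - z
    return {
        "late": overshoot > 0,
        "overshoot": max(0, overshoot),               # years by which x + y exceeds z
        # Last year migration could begin so that traffic captured on its final
        # classical day has stopped being sensitive by q_day.
        "start_by": q_day - asset.shelf_life - asset.migration,
    }

def prioritize(assets, now, q_days):
    """Rank assets most-overdue first, with a verdict for every Q-Day scenario."""
    rows = []
    for a in assets:
        verdicts = {q: mosca(a, now, q) for q in q_days}
        worst = max(v["overshoot"] for v in verdicts.values())
        rows.append((a.name, worst, {q: v["late"] for q, v in verdicts.items()}))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed inventory (sample values, not taken from the article).
NOW, Q_DAYS = 2026, (2030, 2035)
INVENTORY = [
    Asset("marketing-site-tls", shelf_life=1, migration=1),
    Asset("partner-api-tls", shelf_life=5, migration=2),
    Asset("health-records-replication", shelf_life=25, migration=3),
    Asset("internal-chat", shelf_life=10, migration=2, uses_pq=True),
]

if __name__ == "__main__":
    for name, worst, late in prioritize(INVENTORY, NOW, Q_DAYS):
        print(f"{name:28} overshoot={worst:2}y late={late}")
```

An entry such as the constructed partner API, late under the 2030 estimate but not under 2035, shows why the disagreement over Q-Day matters for scheduling.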

Frequently Asked Questions

What is post-quantum cryptography?

Post-quantum cryptography (PQC) is a family of encryption and digital-signature algorithms designed to resist attacks from both classical and quantum computers. Unlike RSA and elliptic-curve cryptography, which a large quantum computer could break using Shor’s algorithm, PQC schemes such as ML-KEM (FIPS 203) and ML-DSA (FIPS 204) rest on mathematical problems (lattices, codes, and hashes) with no known efficient quantum attack.

Is post-quantum cryptography in use today?

Yes, extensively. As of April 2026, more than half of the human traffic processed by Cloudflare uses post-quantum hybrid key agreement (X25519MLKEM768). Chrome, Edge, and Firefox enable it by default, and messengers including Apple iMessage (PQ3) and Signal (PQXDH) have already deployed post-quantum key exchange.

Why migrate now if there’s no quantum computer yet?

Because of “harvest now, decrypt later” attacks. Adversaries can capture encrypted data today and decrypt it once a cryptographically relevant quantum computer exists. Any data that must stay confidential past roughly 2035 is therefore already at risk, since migration across large systems takes years.

What are FIPS 203, 204, and 205?

They are the first three finalized NIST post-quantum standards, published August 13, 2024. FIPS 203 (ML-KEM) handles key encapsulation; FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) handle digital signatures. NIST also selected HQC on March 11, 2025 as a code-based backup key-encapsulation mechanism.

When will classical cryptography be retired?

NIST’s roadmap deprecates and ultimately removes quantum-vulnerable algorithms like RSA and ECC by 2035, with high-risk systems expected to transition earlier. U.S. national security guidance (NSM-10 and CNSA 2.0) shares that 2035 target, and the FIPS 140-2 sunset on September 21, 2026 already steers federal procurement toward modern modules.

When is “Q-Day” expected?

Estimates vary and are contested. Some 2026 projections place the arrival of a cryptographically relevant quantum computer as early as the end of the decade, while others argue quantum error correction remains a major bottleneck. The uncertainty is precisely why experts recommend migrating now rather than waiting for a definitive date.

Is hybrid key exchange more secure than pure post-quantum?

Hybrid schemes like X25519MLKEM768 combine a classical and a post-quantum algorithm so the connection stays secure as long as either one holds. This guards against the possibility that a newly standardized algorithm is later found to have a flaw, which is why most 2025–2026 deployments are hybrid rather than post-quantum-only.

Authoritative Sources