Quantum computing has been a theoretical threat for years, but in 2026 it stopped being theoretical. With GnuPG landing post-quantum cryptography in its mainline release, Google Chrome shipping ML-KEM by default for TLS 1.3, and NIST finalising three post-quantum encryption standards, the migration clock is officially ticking. If your web applications still rely exclusively on RSA or elliptic curve cryptography, now is the time to start planning your transition.
TL;DR
- NIST has finalised three post-quantum cryptography standards (FIPS 203, 204, 205) — organisations should begin migration now, not wait for quantum computers to arrive
- Chrome already ships ML-KEM (post-quantum key exchange) by default for TLS 1.3 and QUIC — your users may already be making PQC-protected connections
- GnuPG mainline now includes post-quantum algorithms, signalling that PQC is moving from research to production tooling
- “Harvest now, decrypt later” attacks mean sensitive data encrypted today could be decrypted by future quantum computers — long-lived secrets need PQC protection immediately
- The practical first step is a cryptographic inventory: know what algorithms your systems use before you can migrate them
Why Post-Quantum Cryptography Matters Now
The concern is not that quantum computers will break your encryption tomorrow. The concern is a strategy called “harvest now, decrypt later” (HNDL). Nation-state actors and sophisticated attackers are already intercepting and storing encrypted traffic with the expectation that future quantum machines will be able to decrypt it retroactively.
For most web applications serving ephemeral content, this is a moderate risk. But if your application handles financial data, health records, legal documents, government communications, or anything with a long confidentiality window, HNDL is a real and present threat — not a future one.
The maths is straightforward: if your data needs to remain confidential for 10+ years, and cryptographically relevant quantum computers could arrive within 10-15 years, the window to act is now.
The Three NIST Standards You Need to Know
In August 2024, NIST released the first three finalised post-quantum encryption standards. These are not experimental — they are production-ready specifications:
FIPS 203: ML-KEM (Key Encapsulation)
Based on the CRYSTALS-Kyber algorithm, ML-KEM is the primary standard for general encryption and key exchange. It features relatively small encryption keys and fast operation, making it practical for TLS handshakes. This is what Chrome is already using for post-quantum key exchange.
FIPS 204: ML-DSA (Digital Signatures)
Based on CRYSTALS-Dilithium, ML-DSA is the primary standard for digital signatures. If your application signs tokens, certificates, or documents, this is the algorithm you will eventually migrate to.
FIPS 205: SLH-DSA (Backup Signatures)
Based on SPHINCS+, this is the backup digital signature standard. It uses a fundamentally different mathematical approach (hash-based rather than lattice-based), providing algorithmic diversity. If a breakthrough undermines lattice-based schemes, SLH-DSA remains secure.
All three standards run on classical computers. You do not need quantum hardware to implement them. The algorithms are available today in libraries like liboqs (Open Quantum Safe), Bouncy Castle, and increasingly in platform-native cryptographic libraries.
What Has Already Changed
Post-quantum cryptography is not a future state — it is already shipping in production systems:
- Chrome Desktop enabled ML-KEM by default for TLS 1.3 and QUIC connections in 2024. Google has protected internal communications with PQC since 2022.
- Cloudflare supports post-quantum key agreement across its network, meaning sites behind Cloudflare can already negotiate PQC-protected connections with supporting clients.
- GnuPG has landed post-quantum algorithms in its mainline release (April 2026), bringing PQC to the most widely used open-source encryption tool.
- Signal implemented the PQXDH protocol, adding post-quantum protection to its messaging encryption.
- AWS, Azure, and GCP have all begun offering PQC-capable TLS endpoints for their services.
The ecosystem is moving. The question is whether your applications are keeping pace.
A Practical Migration Roadmap for Development Teams
Step 1: Conduct a Cryptographic Inventory
Before you can migrate, you need to know what you are migrating from. Audit your applications for:
- TLS configurations — what cipher suites do your servers negotiate?
- Certificate chains — what signature algorithms do your certificates use?
- Application-layer cryptography — JWT signing, API authentication tokens, webhook signatures, encrypted database fields
- Key management — where are keys stored, how are they rotated, what is the rotation process?
- Third-party dependencies — which libraries handle your cryptographic operations?
This inventory is valuable regardless of quantum threats. Many teams discover outdated cipher suites, hardcoded keys, or inconsistent encryption practices during this audit.
Step 2: Build Crypto Agility Into Your Architecture
The single most important preparation is crypto agility — the ability to swap cryptographic algorithms without rewriting your application. This means:
- Abstract your crypto operations behind interfaces. Libraries like Google’s Tink or AWS Encryption SDK provide algorithm-agnostic APIs.
- Centralise key management. If keys are scattered across config files, environment variables, and hardcoded strings, migration will be painful.
- Test key rotation regularly. If you cannot rotate keys today without downtime, you cannot migrate algorithms tomorrow.
- Version your encrypted data. Tag ciphertext with the algorithm used so you can decrypt with the correct scheme during transition periods.
Step 3: Start With TLS (The Lowest-Hanging Fruit)
TLS is the easiest place to begin because the heavy lifting is done by the infrastructure layer, not your application code:
- If you are behind Cloudflare, you may already be negotiating PQC key exchanges with supporting clients.
- If you manage your own TLS termination, check whether your TLS library (OpenSSL 3.x, BoringSSL) supports ML-KEM. OpenSSL’s oqs-provider adds PQC algorithm support.
- Use hybrid mode — combine a classical key exchange (X25519) with a post-quantum one (ML-KEM) so that security is maintained even if one scheme is broken. Chrome already does this with X25519Kyber768.
Step 4: Prioritise Long-Lived Secrets
Not everything needs to migrate at once. Prioritise based on confidentiality window:
- Immediate priority: data with 10+ year confidentiality requirements — health records, financial data, legal documents, trade secrets
- Medium priority: authentication infrastructure — signing keys for JWTs, SAML assertions, code signing certificates
- Lower priority: ephemeral session data, short-lived tokens, real-time communications (already protected if using PQC-enabled TLS)
Step 5: Plan for Larger Keys and Signatures
Post-quantum algorithms produce larger keys, ciphertexts, and signatures than their classical counterparts. ML-KEM public keys are roughly 800 bytes versus 32 bytes for X25519. ML-DSA signatures are approximately 2.4 KB versus 64 bytes for Ed25519.
This has practical implications:
- TLS handshake sizes increase, potentially requiring multiple round trips on constrained networks
- Certificate chains become significantly larger, affecting connection setup time
- Stored signatures consume more database and cache space
- IoT and embedded devices may struggle with memory requirements
Test your systems with realistic PQC payload sizes before committing to a migration timeline.
What This Means for Your Business
For most SMEs, the practical action items are:
- Do not panic — current encryption is not broken today. You have time to plan.
- Do start planning — a cryptographic inventory costs nothing but time and reveals useful information regardless.
- Ensure your hosting and CDN support PQC — if you are on Cloudflare or a major cloud provider, you are likely already covered for TLS.
- Factor PQC into new builds — any new application being built today should use crypto-agile patterns from the start.
- Watch compliance timelines — regulated industries (finance, healthcare, government) will likely mandate PQC migration within the next 2-3 years.
At REPTILEHAUS, we build applications with crypto agility as a default architectural consideration. Whether you are building a new SaaS platform or auditing the security posture of an existing application, our team can help you navigate the post-quantum transition — from cryptographic inventory through to production migration. Get in touch if you would like to discuss your migration roadmap.
