Skip to main content
CodeLint.Dev Dev Tools
Developer Tools 10 min read By CodeLint.Dev Team

Harvest Now, Decrypt Later: The Post-Quantum Migration Is Actually Happening

Cryptographic migrations are the slowest processes in computing — MD5 took a decade to die after being broken, SHA-1 nearly two. The post-quantum transition is the first one humanity is attempting before the attack exists, because this threat has a time machine: encrypted traffic recorded today becomes readable the day a large quantum computer boots. As of 2026 the migration has real momentum — NIST's standards are final, Chrome and Firefox negotiate quantum-resistant key exchange by default, major CDNs protect large shares of their TLS traffic, and US federal mandates begin biting in 2027 with RSA/ECC deprecation targeted for 2030–2035. If you operate anything with a TLS endpoint, this is now a scheduled project, not a research topic.

Try the tool
SSL Certificate Decoder
Inspect your certs' algorithms now →

The Threat Model With a Time Machine

The reason PQC can't wait for quantum computers is captured in one inequality, known as Mosca's theorem: if (years your data must stay secret) + (years your migration takes) exceeds (years until a cryptographically relevant quantum computer), you are already late. Plug in realistic numbers — data lifetimes of 10–25 years for health, financial, legal, and state records; enterprise crypto migrations historically taking 5–10 years; CRQC estimates centering on the 2030s — and most organizations with long-lived secrets come out late today.

That is the logic of harvest now, decrypt later: intelligence agencies and well-resourced criminals record high-value encrypted traffic at scale now, betting on future decryption. The recording is cheap; only the decryption waits on physics. Consequences worth internalizing:

  • Key exchange is the urgent half. Every TLS session's confidentiality rests on an ephemeral key agreement (X25519/ECDH today). Once quantum-broken, all recorded sessions open retroactively. This is why the internet is migrating key exchange first and fastest.
  • Signatures are the slower half. A forged signature only matters at verification time — there's no retroactive attack on past authentications — so certificates, code signing, and identity can trail key exchange by years. (The exceptions: firmware and root certificates whose verification lifetime spans decades — those need PQ signatures early.)
  • What survives untouched: AES and SHA-2/3 lose only half their effective bits to Grover's algorithm — AES-256 and SHA-256 remain safe. The migration replaces the public-key layer, not your symmetric or hashing stack.

The Standards and Who's Shipped Them

The alphabet, finalized by NIST in August 2024 after an eight-year global competition:

  • ML-KEM (FIPS 203, née Kyber) — lattice-based key encapsulation; the TLS workhorse. ML-KEM-768 is the recommended default.
  • ML-DSA (FIPS 204, née Dilithium) — lattice-based signatures; the general-purpose replacement for RSA/ECDSA certificates.
  • SLH-DSA (FIPS 205, née SPHINCS+) — hash-based signatures; slower and bigger but resting on the most conservative assumptions; the belt-and-suspenders option for firmware and roots. HQC, a code-based backup KEM selected in 2025, becomes the fourth standard (draft expected ~2026–27) as insurance against lattice cryptanalysis.

Deployment status as of mid-2026 — further along than most engineering leaders assume:

  • Browsers: Chrome and Firefox negotiate hybrid X25519+ML-KEM-768 key exchange by default; a large and rising share of human web traffic to major CDNs (Cloudflare reported ~half by 2026) is already quantum-resistant on the key-exchange half. Akamai turned hybrid on by default for customers in February 2026.
  • Protocols and stacks: OpenSSL 3.5 ships native ML-KEM/ML-DSA; Signal (PQXDH) and Apple iMessage (PQ3) run post-quantum messaging at billions-of-users scale; SSH, VPNs, and major cloud KMS services offer PQ modes.
  • Mandates: CNSA 2.0 requires US national-security systems to begin PQC adoption by January 2027 with class-by-class deadlines through 2033; NIST's transition guidance (IR 8547) targets deprecating RSA/ECC by 2030 and disallowing them by 2035; the EU and UK have published aligned national roadmaps with 2030–2035 horizons.

Note the pattern in every serious deployment: hybrid — classical + post-quantum run together, session keys derived from both, so an attacker must break X25519 and ML-KEM. Hybrid converts "trust the new math" into "trust either math," which is what made default-on politically possible this early.

What It Costs: The Engineering Realities

  • Handshakes get heavier, mostly tolerably. ML-KEM-768 adds roughly 1–2 KB in each direction versus X25519's 32 bytes; measured TLS impact at CDN scale is single-digit-percent latency in the median, worse on lossy/constrained networks (where an extra packet can mean an extra round trip). CPU cost is comparable to or better than classical ECDH — lattice math is fast; size, not speed, is the tax.
  • Signatures are the real bloat. An ML-DSA signature runs ~2.4–3.3 KB against ECDSA's ~64–96 bytes, and a full PQ certificate chain multiplies that — one reason certificate migration trails key exchange, and why standards work on shorter chains and merkle-tree certificates is active. Expect PQ certificates in general web PKI to phase in over 2026–2029 rather than arrive at once.
  • Embedded and long-lived devices are the hard tail. Cars, meters, medical devices, and industrial controllers shipping in 2026 will still be verifying signatures in 2040 — anything without crypto-agility (upgradable algorithms) being deployed today is future e-waste with a compliance deadline. This, not the web, is where migration pain concentrates.
  • Interop archaeology. The migration is exposing decades of middlebox assumptions — TLS inspection appliances, hardcoded cipher lists, handshake-size limits. Budget for discovery of systems nobody knew still existed; every crypto transition in history has been mostly an inventory problem wearing a math costume.

A Migration Playbook That Fits on One Page

  • 1. Inventory (start this quarter). Build a cryptographic bill of materials: every TLS endpoint, certificate, library, protocol, HSM, and hardcoded algorithm — including which suites your endpoints actually negotiate today. Inspecting your own certificates' key types, signature algorithms, and expiries is the literal first work item, and it's automatable.
  • 2. Classify by data lifetime. Apply Mosca's inequality per system: anything protecting 10+-year secrets over networks gets priority; ephemeral traffic can ride the default browser/CDN wave.
  • 3. Enable hybrid key exchange where it's a checkbox. For most stacks behind modern CDNs, load balancers, or OpenSSL 3.5+, hybrid ML-KEM is now configuration, not engineering. Take the free win and measure handshake sizes on your worst networks.
  • 4. Demand crypto-agility in everything you buy. Procurement language requiring upgradable algorithms and PQ roadmaps costs nothing today and prevents the 2035 hostage situation. For anything you ship with a 10+-year life, PQ signatures (or at least agile verification) should be a 2026 requirement, not a future one.
  • 5. Sequence signatures deliberately. Roots and firmware first (longest verification lifetimes), then code signing, then leaf certificates as CAs and standards mature. Watch CNSA 2.0 and NIST IR 8547 dates — they're becoming the de facto commercial schedule via vendor compliance.
  • 6. Assign an owner. Every successful crypto migration in history had a named team and a deadline; every failed one had a committee and a someday. The 2030 deprecation date is seven certificate renewals away — that's the whole margin.

Frequently Asked Questions

What is harvest now, decrypt later?
An attack strategy where adversaries record encrypted traffic today to decrypt it once cryptographically relevant quantum computers exist — likely in the 2030s. Recording is cheap and undetectable; only decryption waits on hardware. It means data with long secrecy requirements (health, financial, legal, government records) is already exposed to a future capability, which is why post-quantum key exchange is deploying now, a decade ahead of the threat, per Mosca's inequality: if data lifetime plus migration time exceeds time-to-quantum, you're already late.
What are the NIST post-quantum standards?
Finalized August 2024: ML-KEM (FIPS 203, lattice-based key encapsulation — the TLS default, typically at security level ML-KEM-768), ML-DSA (FIPS 204, lattice signatures — the RSA/ECDSA successor), and SLH-DSA (FIPS 205, conservative hash-based signatures for firmware and roots). HQC, a code-based backup KEM chosen in 2025, is being drafted as a fourth standard in case lattice cryptanalysis advances. US guidance targets deprecating RSA/ECC by 2030 and disallowing them by 2035, with national-security systems starting mandatory adoption January 2027 under CNSA 2.0.
Is post-quantum TLS already deployed?
Substantially, on the key-exchange half: Chrome and Firefox negotiate hybrid X25519+ML-KEM-768 by default, Cloudflare reported roughly half of human web traffic quantum-protected by 2026, Akamai enabled hybrid by default in February 2026, and OpenSSL 3.5 ships the algorithms natively. Signal and iMessage run PQ messaging at billion-user scale. Certificates and signatures lag deliberately — ML-DSA signatures are ~30x larger than ECDSA, so PQ web PKI phases in through the late 2020s while recorded-traffic risk gets addressed first.
Does quantum computing break AES and SHA-256?
No — only mildly weakens them. Grover's algorithm halves effective symmetric security, leaving AES-256 with ~128-bit strength and SHA-256 practically collision-resistant, both considered quantum-safe indefinitely. Shor's algorithm is the real threat and it targets public-key crypto: RSA, ECDH, ECDSA — the key exchange and signatures underlying TLS, code signing, and PKI. The migration therefore swaps the asymmetric layer (to ML-KEM/ML-DSA) while keeping symmetric ciphers and hashes, sizing up key lengths where policies demand extra margin.
What should my team do about PQC this year?
Four concrete moves: (1) inventory your cryptography — endpoints, certificates, libraries, negotiated suites; decode your own certs to see key types and signature algorithms; (2) classify systems by data lifetime and prioritize anything protecting 10+-year secrets; (3) enable hybrid ML-KEM key exchange where your CDN/load balancer/OpenSSL version makes it configuration; (4) add crypto-agility and PQ-roadmap requirements to procurement, especially for devices with long field lives. Signatures can wait for the ecosystem; the inventory and key-exchange steps should not.

Ready to try SSL Certificate Decoder?

Free, private, and runs entirely in your browser — no sign-up, no server, no data sent anywhere.

Open SSL Certificate Decoder