Post-quantum cryptography in TLS stopped being science fiction the minute people accepted “harvest now, decrypt later” as a serious threat model.
You don’t need a useful quantum computer today for that threat to matter. You only need an adversary willing to record encrypted traffic now and wait. If the secrets inside that traffic still matter years from now — government communications, medical records, infrastructure commands, financial data — patience becomes part of the attack.
That’s why this transition is already underway, even though nobody is breaking mainstream TLS with a quantum computer this afternoon.
What the Quantum Threat Actually Breaks
Current TLS depends on public-key systems like RSA and elliptic-curve cryptography for authentication and key exchange. Shor’s algorithm is the problem: a sufficiently powerful quantum computer can factor RSA moduli and solve discrete logarithms efficiently. RSA signatures, ECDSA signatures, and elliptic-curve Diffie-Hellman key exchange all become breakable.
For TLS, the scary part arrives first in key exchange. If an adversary records a TLS handshake today and later breaks the key exchange, they can derive the session keys and decrypt the entire recorded conversation. Forward secrecy protects against classical key compromise but not against an adversary who can solve the underlying math problem.
Symmetric cryptography — AES, ChaCha20 — is less affected. Grover’s algorithm gives a quadratic speedup for brute force, which means AES-128 drops to roughly 64-bit security against a quantum attacker. AES-256 drops to 128-bit. That’s still strong enough. The symmetric side isn’t the emergency.
The emergency is the asymmetric side: key exchange and signatures.
Harvest Now, Decrypt Later
This is the threat that makes the timeline urgent.
Intelligence agencies and sophisticated adversaries are widely assumed to be recording encrypted traffic at scale. They can’t decrypt it today. But encrypted data doesn’t expire. Store a petabyte of recorded TLS sessions, wait for quantum computers to mature, then decrypt at leisure.
For secrets with short lifetimes — a session token that expires in an hour — this doesn’t matter. For secrets with long lifetimes — diplomatic communications, patient records, trade secrets with decade-long value — the clock started years ago.
The data being harvested right now is the data that needs post-quantum protection right now. Not when quantum computers arrive. Now.
NIST’s Post-Quantum Standards
NIST finalized its first set of post-quantum cryptographic standards in 2024 after an eight-year evaluation process:
ML-KEM (formerly CRYSTALS-Kyber) — a key encapsulation mechanism based on module lattice problems. This replaces the elliptic-curve Diffie-Hellman key exchange in TLS. Three parameter sets: ML-KEM-512, ML-KEM-768, and ML-KEM-1024, offering different security-performance tradeoffs.
ML-DSA (formerly CRYSTALS-Dilithium) — a digital signature scheme, also lattice-based. This would replace RSA and ECDSA for certificate signatures.
The lattice problems these rely on are believed to be hard for both classical and quantum computers. Believed. Not proven. This is why the transition is cautious.
Hybrid Mode: Belt and Suspenders
Nobody trusts brand-new cryptography enough to bet everything on it. The current deployment strategy is hybrid: combine a classical algorithm with a post-quantum algorithm. If the PQ algorithm turns out to have a flaw, the classical one still protects against classical attackers. If a quantum computer arrives, the PQ algorithm protects against that.
In practice, TLS key exchange is moving to X25519 + ML-KEM-768. The client sends both key shares in ClientHello. The server combines both to derive the shared secret. Both must be broken to compromise the session.
Chrome started experimenting with hybrid key exchange in 2023. Cloudflare enabled it for their edge. The ecosystem is moving.
What Changes in the Handshake
The practical impact: bigger messages.
An X25519 public key is 32 bytes. An ML-KEM-768 public key is about 1,184 bytes. A hybrid ClientHello carrying both is noticeably larger than a classical one. The ciphertext in the server’s response is also larger — about 1,088 bytes for ML-KEM-768.
For most connections on modern networks, this extra kilobyte is invisible. But it matters at the edges: constrained devices, high-latency satellite links, networks with small MTU. Some middleboxes choke on oversized ClientHello messages because they were built assuming TLS handshakes fit in certain sizes.
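To make the hybrid exchange and the size numbers concrete, here is an added example, not code from the original post, that runs both roles of an X25519MLKEM768 key exchange with Go 1.24's standard-library crypto/mlkem and crypto/ecdh. It assumes the key_share byte layout from draft-ietf-tls-ecdhe-mlkem and stops at the concatenated shared secret that TLS feeds into its key schedule; the client share it builds is the 1,184 + 32 bytes discussed above, and the server's reply is 1,088 + 32.

```go
package main

import (
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
)
// X25519MLKEM768 key_share layout (draft-ietf-tls-ecdhe-mlkem): ClientHello carries
// ML-KEM-768 encapsulation key (1184 bytes) || X25519 public key (32); ServerHello carries
// ML-KEM-768 ciphertext (1088) || X25519 public key (32). Both sides derive mlkem_ss || x25519_ss.
const kemPKLen, kemCTLen = mlkem.EncapsulationKeySize768, mlkem.CiphertextSize768
type Exchange struct{ ClientShare, ServerShare, ClientSecret, ServerSecret []byte } // wire shares, per-endpoint secrets
// Handshake runs both roles in one process; each side only sees the other's share as bytes.
func Handshake() (*Exchange, error) {
	// Client: generate both ephemeral keys and put both public parts in ClientHello.
	cx, _ := ecdh.X25519().GenerateKey(rand.Reader) // crypto/rand cannot fail in Go 1.24+
	dk, _ := mlkem.GenerateKey768()
	clientShare := append(dk.EncapsulationKey().Bytes(), cx.PublicKey().Bytes()...)
	// Server: parse the share, encapsulate to the ML-KEM key, run X25519 with a fresh key.
	ek, err := mlkem.NewEncapsulationKey768(clientShare[:kemPKLen])
	if err != nil {
		return nil, err
	}
	sx, _ := ecdh.X25519().GenerateKey(rand.Reader)
	sxSS, err := x25519(sx, clientShare[kemPKLen:])
	if err != nil {
		return nil, err
	}
	kemSS, ct := ek.Encapsulate()
	serverShare := append(ct, sx.PublicKey().Bytes()...)
	// Client: decapsulate the ciphertext and finish X25519 with the server's public key.
	ckemSS, err := dk.Decapsulate(serverShare[:kemCTLen])
	if err != nil {
		return nil, err
	}
	cxSS, err := x25519(cx, serverShare[kemCTLen:])
	if err != nil {
		return nil, err
	}
	return &Exchange{clientShare, serverShare, append(ckemSS, cxSS...), append(kemSS, sxSS...)}, nil
}

// x25519 parses a peer public key and computes the shared secret (an all-zero result is rejected).
func x25519(priv *ecdh.PrivateKey, peer []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer)
	if err != nil {
		return nil, err
	}
	return priv.ECDH(pub)
}
```

Each half of the 64-byte secret comes from an independent problem, which is the "both must be broken" property the hybrid design is after.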
Signature migration is harder. ML-DSA signatures are much larger than ECDSA — roughly 2,420 bytes for ML-DSA-65 versus 64 bytes for ECDSA-P256. Certificate chains include multiple signatures. A certificate chain with PQ signatures could add several kilobytes to every handshake. This affects performance more than key exchange does.
That’s why key exchange is migrating first and signatures later. Key exchange protects against harvest-now-decrypt-later. Signatures protect against real-time impersonation, which requires a working quantum computer — a later threat.
The Timeline
Key exchange migration is happening now. Chrome, Firefox, and Cloudflare are deploying hybrid key exchange. If you connect to a Cloudflare-protected site with a recent Chrome, you may already be using X25519 + ML-KEM-768 without knowing it.
Signature migration is slower and harder. Certificate authorities need to issue PQ certificates. Browsers need to validate them. The entire PKI chain needs to support larger signatures without breaking compatibility. This is a multi-year project.
Full PQ-only TLS — no classical algorithms at all — is probably a decade away. Hybrid will be the norm for years.
Not Science Fiction
The quantum computer that breaks RSA doesn’t exist yet. Estimates range from 5 to 20+ years for a cryptographically relevant machine. Nobody knows for sure.
But the migration takes years too. Changing the cryptographic foundations of the internet is not something you do in a weekend. NIST spent eight years just selecting the algorithms. Deploying them across browsers, servers, CAs, middleboxes, embedded devices, and legacy systems will take longer.
The race isn’t “deploy PQ before quantum computers arrive.” It’s “deploy PQ before the data being harvested today becomes decryptable.” For some secrets, that race is already uncomfortably close.
Start with hybrid key exchange. It’s available now. The cost is a kilobyte per handshake. The insurance is against a threat that may arrive sooner than anyone is comfortable admitting.