The Global Race to Post-Quantum Cryptography
The advent of powerful quantum computers threatens to break today’s public-key cryptography (e.g. RSA, ECC). Research and media warn that adversaries may already be “harvesting encrypted data today…to decrypt later” (cloudflare.com, nist.gov). In response, governments and industry worldwide are urgently transitioning to post-quantum cryptography (PQC) – new algorithms believed secure against quantum attacks. The last 90 days have seen intense activity: new standards, corporate pilot projects, regulatory roadmaps, and updated products. This report reviews these developments with up-to-date citations (as of May 2025).
Quantum Threat and the Need for Transition
Leading experts emphasize that sufficiently large quantum computers could soon break conventional encryption (nist.gov). The U.S. NIST and others note that data requiring long-term confidentiality (medical records, financial ledgers, national secrets) are especially at risk if not protected now (cloudflare.com, quantumzeitgeist.com). Attackers’ “harvest now, decrypt later” strategy – collecting ciphertext today to crack with future quantum machines – is already under way (quantumzeitgeist.com, cloudflare.com). For example, Cloudflare reports that as of March 2025, its network saw 38% of HTTPS traffic using hybrid (classical+PQC) key exchange – up from just 3% in early 2024 – thanks to its default deployment of post-quantum TLS (cloudflare.com). Security leaders warn that delaying PQC migration is risky: “Organizations that have managed to avoid post-quantum planning so far will not be able to avoid it for very long.” (cloudflare.com)
Standards Developments
NIST’s PQC Standards and Crypto Agility
In August 2024 NIST finalized three primary PQC algorithms (Kyber, Dilithium, SPHINCS+) as Federal Information Processing Standards. In March 2025 NIST announced a fourth encryption algorithm, HQC, to serve as an alternate key-encapsulation method (nist.gov, utimaco.com). HQC (based on error-correcting codes) provides a non‑lattice alternative to ML-KEM (Kyber) (nist.gov, utimaco.com). NIST plans a draft standard in ~2026 and final by 2027. NIST’s PQC project head noted that “organizations should continue to migrate to the standards finalized in 2024” (i.e. the Kyber/Dilithium/SPHINCS+ suite) and that HQC serves as a backup in case future analysis breaks Kyber (nist.gov).
Alongside standards, NIST has emphasized crypto agility. In March 2025 NIST released draft guidance (CSWP 39) on strategies for algorithm agility – replacing and upgrading cryptography without disrupting systems (csrc.nist.gov). This reflects the realization that transitioning to PQC is complex, multi-year work, so systems should be designed for easy algorithm swaps. A public comment period for the draft ended Apr 30, 2025 (csrc.nist.gov). NIST also announced a workshop on crypto agility (April 2025) and invited industry to share readiness plans.
National and Global Roadmaps
Several governments and regulators have issued roadmaps:
- United Kingdom: In March 2025 the U.K. National Cyber Security Centre (NCSC) published guidance for critical sectors to adopt quantum-resistant encryption by 2035 (industrialcyber.co). The plan has a three-phase timeline:
  - By 2028: Inventory cryptographic services needing upgrade and build a migration plan.
  - 2028–2031: Execute high-priority PQC upgrades and refine plans as standards evolve.
  - 2031–2035: Complete migration of all systems and products to PQC (industrialcyber.co).
  NCSC CTO Ollie Whitehouse emphasized that “Quantum computing … poses significant risks to current encryption methods. Our new guidance … provides a clear roadmap for organizations to safeguard their data against these future threats” (industrialcyber.co).
- European Union (Financial Sector): In February 2025 Europol’s Quantum Safe Financial Forum (QSFF) convened industry, regulators and banks, issuing a call to action for the finance sector. The QSFF urged firms and policymakers to prioritize quantum-safe cryptography, coordinate plans, and foster global partnerships (quantumzeitgeist.com). Participants warned of ‘store-now, decrypt-later’ attacks on financial data and noted a 2023 survey where 86% of financial leaders felt unprepared for PQ threats (quantumzeitgeist.com). No new laws were called for; instead a voluntary, standardized approach to PQC was advocated.
- China: In Feb 2025 China’s Cryptography Standards Technical Committee (via the Institute of Commercial Cryptography Standards) launched a global call for PQC algorithms (stacker.news). This initiative solicits submissions for quantum-resistant public-key schemes, hash functions and block ciphers to form China’s own PQC standards. It highlights the geopolitical urgency of PQC and seeks international input on algorithm security and performance (stacker.news).
- International: Industry consortia are active. For example, a March 2025 conference (RWPQC 2025) brought together experts from AWS, Google, IBM, Meta, NVIDIA, the NSA, CISA and others to advance PQC deployment (mitre.org). The forum’s theme was proactive planning: “Cyber resilience in the quantum era requires proactive planning and strategic investment,” said SandboxAQ’s Marc Manzano (mitre.org). Similarly, NIST and industry bodies (e.g. IETF LAMPS working group) are drafting PQC profiles for TLS, X.509 certificates and code signing (techcommunity.microsoft.com).
Industry Adoption and Initiatives
Government Mandates and Procurement
Governments are also moving. In the U.S., the Biden
administration and agencies like CISA have urged federal departments to include PQC requirements
in procurements (e.g. building a “PQC-approved products” list) so that all new systems are
quantum-ready. The EU and UK regulators have indicated that financial institutions and critical
infrastructure operators should begin PQC migration in the near term. Although much of this work
is ongoing, the trend is clear: procurement specifications and compliance frameworks are
beginning to demand PQC awareness.
Technology Sector Leaders
Major technology companies have begun pilot deployments and
early releases of PQC features:
- Microsoft: On May 19, 2025 Microsoft announced that Windows Insiders (Canary Channel) and Linux (via SymCrypt-OpenSSL 1.9.0) can now experiment with PQC (techcommunity.microsoft.com). In these previews, Microsoft added the NIST-standard algorithms ML-KEM (Kyber) and ML-DSA (Dilithium) to Windows’ CNG Crypto API and certificate functions (techcommunity.microsoft.com). Developers can import PQC certificates, perform hybrid key exchange with ML-KEM, and sign/verify with ML-DSA. Microsoft strongly encourages a hybrid approach (using PQC alongside existing ECDH/RSA) during migration (techcommunity.microsoft.com). They also participate in IETF efforts: for example, Microsoft’s SymCrypt-OpenSSL provider already implements TLS hybrid KEM (per IETF draft) for Linux, with Schannel support planned (techcommunity.microsoft.com). Microsoft is working on PQC support in Active Directory PKI (allowing CAs to issue ML-DSA certificates for code signing and identity) and updating Intune to deliver PQC credentials (techcommunity.microsoft.com).
- Amazon Web Services (AWS): AWS has followed its 2024 roadmap with concrete releases. On April 7, 2025 AWS announced that hybrid post-quantum TLS (using the new ML-KEM KEM + classical ECDH) is now supported in security-critical services: AWS Key Management Service (KMS), AWS Certificate Manager (ACM), and AWS Secrets Manager (aws.amazon.com). These services now accept TLS connections with Module-Lattice-Based KEM (ML-KEM) for key agreement. Customers using the AWS Secrets Manager agent can opt in to hybrid PQC TLS in applications (aws.amazon.com). AWS noted that support for Kyber (its predecessor) will continue through 2025 but be phased out by 2026 in favor of ML-KEM (aws.amazon.com). AWS encourages customers to update their TLS clients to use ML-KEM to protect against future “harvest-now” attacks (aws.amazon.com). Behind the scenes, AWS’s open-source crypto library (AWS-LC) is already FIPS‑validated for ML-KEM (aws.amazon.com), and their TLS library (s2n) includes PQC support.
- Google Cloud: On Feb 20, 2025 Google announced quantum-safe digital signatures in Cloud KMS (currently in preview) (cloud.google.com). Cloud KMS now supports NIST-approved PQC signature algorithms (specifically, ML-DSA-65 from FIPS 204 and SLH-DSA-SHA2-128S from FIPS 205) for software keys (cloud.google.com). Customers can create and verify digital signatures using these lattice- and hash-based algorithms. Google also outlined a broader PQC roadmap: Cloud KMS and Cloud HSM will support all NIST PQC standards (FIPS 203–205 and future updates) in both software and hardware, enabling quantum-safe key exchange, encryption, and key import operations (cloud.google.com). Google contributes its implementations to open-source cryptographic libraries (BoringCrypto and Tink) for transparency (cloud.google.com).
- Cloudflare: Cloudflare has been a pioneer in deploying PQC at scale. In December 2024 it rolled out hybrid PQ TLS by default on its CDN, and by March 2025 about 38% of its traffic used a PQ KEM (cloudflare.com). On March 17, 2025 Cloudflare announced an enterprise Zero Trust solution with built-in PQC: web traffic can now be tunneled with post-quantum encryption (initially HTTPS, expanding to all IP protocols by mid‑2025) (cloudflare.com). This means organizations can achieve end‑to‑end quantum-safe connectivity without upgrading every application. The company pointed to NIST’s goal of retiring classical crypto by 2030, arguing that “post-quantum security [should be] the new baseline” and has made PQC “free, by default” for its customers (cloudflare.com). Cloudflare’s field CIO and industry analysts note that regulatory changes around PQC are accelerating worldwide and advise organizations to adopt hybrid PQC now (cloudflare.com).
- Others: Major cloud and crypto vendors (IBM, Oracle, NVIDIA, Entrust, Thales, Palo Alto Networks, etc.) have announced PQC efforts or products. For example, Entrust reported a PQC pilot for securing corporate PKI, and AWS’s hardware partners (Thales, Gemalto) are developing quantum-safe HSMs. Notably, OpenSSL Corporation (the commercial steward of the OpenSSL library) released OpenSSL 3.5 on April 8, 2025, which “introduces early implementation for PQC algorithms: ML-KEM, ML-DSA, and SLH-DSA” (openssl-corporation.org). This means the widely-used open-source TLS library now supports the new NIST algorithms (Kyber, Dilithium, SPHINCS+) as prototype features.
Tools, Protocols, and Products
Figure: OpenSSL
Corporation’s RSAC 2025 exhibit highlights post-quantum security features. The slide lists new
algorithms (e.g. ML-KEM, ML-DSA) and emphasizes defending against “record-now, decrypt-later”
attacks.
Tool and product providers are rapidly adding PQC. Cryptographic libraries (OpenSSL, BoringSSL, SymCrypt, AWS-LC, liboqs, etc.) now include PQC primitives. For instance, AWS’s open AWS-LC library became the first FIPS-validated module including ML-KEM (aws.amazon.com). Microsoft’s SymCrypt and Windows Crypto APIs in development channels let developers import/export PQC certificates and perform hybrid key exchanges (techcommunity.microsoft.com). Linux distributions and OpenSSL forks support hybrid PQ TLS ciphers. One key protocol change is hybrid TLS 1.3: the client and server negotiate both a classical and a PQ KEM (e.g. X25519 + ML-KEM) and combine the secrets. AWS, Google, and others have demonstrated hybrid TLS in their services. (See Figure above: Cloudflare’s 2019 experiment diagrammed client/server using CECPQ2 hybrid TLS.) IETF is standardizing hybrid KEX for TLS 1.3 as well as PQC-aware TLS cipher suites.
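As an added example (not from the original report or from any vendor's code), the sketch below shows how a cryptographic inventory can tell which clients already offer hybrid key exchange: it parses the supported_groups extension of a TLS ClientHello and classifies the offer. The group codepoints come from the IANA TLS Supported Groups registry; the function names and the sample ClientHello are constructed for illustration.

```python
import struct

# NamedGroup codepoints from the IANA TLS Supported Groups registry.
HYBRID_MLKEM = {0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
                0x11ED: "SecP384r1MLKEM1024"}
LEGACY_KYBER = {0x6399: "X25519Kyber768Draft00"}  # pre-standard draft hybrid
SUPPORTED_GROUPS = 10  # TLS extension type

def offered_groups(hello: bytes) -> list:
    """Return the NamedGroup values offered in a ClientHello handshake message."""
    if len(hello) < 4 or hello[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hello[4:]
    if len(body) != int.from_bytes(hello[1:4], "big"):
        raise ValueError("length mismatch (truncated or trailing data)")
    try:
        pos = 2 + 32                                         # legacy_version, random
        pos += 1 + body[pos]                                 # legacy_session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + body[pos]                                 # compression methods
    except IndexError:
        raise ValueError("malformed ClientHello") from None
    pos += 2                                                 # extensions length
    while pos + 4 <= len(body):
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == SUPPORTED_GROUPS:
            names = data[2:2 + int.from_bytes(data[:2], "big")]
            return [int.from_bytes(names[i:i + 2], "big")
                    for i in range(0, len(names) - 1, 2)]
    return []

def classify(hello: bytes) -> str:
    groups = offered_groups(hello)
    if any(g in HYBRID_MLKEM for g in groups):
        return "hybrid-mlkem"
    if any(g in LEGACY_KYBER for g in groups):
        return "legacy-kyber-draft"
    return "classical-only"

def sample_hello(groups) -> bytes:
    """Constructed minimal ClientHello for illustration (not a capture)."""
    names = b"".join(g.to_bytes(2, "big") for g in groups)
    ext = struct.pack("!HH", 43, 3) + b"\x02\x03\x04"        # supported_versions: TLS 1.3
    ext += struct.pack("!HHH", SUPPORTED_GROUPS, len(names) + 2, len(names)) + names
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + len(ext).to_bytes(2, "big") + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body
```

Clients classified as "legacy-kyber-draft" are the ones affected when a service retires the pre-standard Kyber hybrid in favor of ML-KEM.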
Key protocols and use-cases:
- TLS/HTTPS: Hybrid key exchange drafts exist (CECPQ2, etc.). AWS now supports hybrid PQ TLS on KMS/ACM/Secrets Manager (aws.amazon.com). Cloudflare’s default TLS config uses post-quantum KEMs. Microsoft’s AD CS will allow PQC CA certificates (e.g. ML-DSA) for TLS and code signing (techcommunity.microsoft.com). Browser vendors (Chrome, Firefox, Edge) have experimental PQC support.
- IPsec/VPN and Zero Trust: Cloudflare’s ZTNA product supports PQC tunnels (cloudflare.com). Other vendors (Cisco, Palo Alto, Thales) are developing PQC VPNs and network appliances.
- Public Key Infrastructure: IETF’s LAMPS working group is defining X.509 and PKIX profiles for PQC. Microsoft and others collaborate on integrating ML-DSA, SLH-DSA, and hybrid certificates for code signing and firmware (techcommunity.microsoft.com). Tools like Microsoft Intune are being updated to deliver PQC certificates to devices (techcommunity.microsoft.com). This will enable enterprises to issue PQC certificates within existing PKI.
- Hardware Security Modules (HSMs): At RSA 2025, vendors and researchers highlighted PQC-capable HSMs as critical infrastructure (mitre.org). For example, Thales has announced hybrid HSM modules that can wrap keys with PQ KEMs, and companies like ID Quantique and IBM offer PQC in hardware.
In summary, PQC is being embedded at many layers – from cryptographic libraries and APIs to network protocols to hardware modules. Early adopters stress “crypto agility” – designing systems that can swap algorithms without downtime (csrc.nist.gov, cloudflare.com). Typical advice is to use hybrid schemes (classical+PQC) so that current security is preserved while gaining quantum resistance (techcommunity.microsoft.com).
Expert Insights and Trends
Experts and industry leaders reiterate that 2025 is a pivot
point. Security analysts note that regulatory and
standards momentum has exploded: governments (NIST, UK NCSC, CISA, Bank of England,
EU regulators) are setting deadlines and guidelines, and large vendors are moving from research
to deployment. Financial leaders are warning that PQC is now a boardroom issue.
- Dustin Moody (NIST PQC project) advises organizations to follow the current NIST standards and have a fallback ready (HQC) (nist.gov).
- Ollie Whitehouse (NCSC) emphasizes that PQC migration is multi‑year but essential, and that robust planning today prevents rushed, insecure transitions (industrialcyber.co).
- Cloudflare CTO (and Accenture’s Scott Francis) point out that data lifetimes mean everyone must plan now. Francis warns AI could accelerate key-cracking once quantum arrives (cloudflare.com).
- Industry forums (RWPQC 2025) convened cybersecurity, academia and policy leaders. Keynotes stressed “cyber resilience in the quantum era requires proactive planning” (mitre.org), and speakers from AWS, Google, Meta, etc. shared concrete PQC migration case studies (mitre.org).
Financial analysts see PQC as a growth market: one estimate forecasts the global PQC market growing >40% annually (from hundreds of millions in 2024 to several billion by 2030) as IoT, AI and critical infrastructure drive adoption. However, many reports warn most enterprises are still in “exploration” phase – pilots and lab tests – and awareness must translate into budgets and projects quickly (quantumzeitgeist.com, cloudflare.com).
Conclusion
As of mid-2025, the race to quantum-safe encryption is in
full swing. Governments have issued roadmaps; standards bodies have selected algorithms and
issued guidelines; and technology companies have begun rolling out PQC capabilities. But experts
caution that mainstream deployment (beyond pilots) is just beginning. The advice is unanimous:
start now. Enterprises are urged to
inventory cryptography, plan for crypto-agility, and begin hybrid implementations so that by the
late 2020s they can switch to pure PQC before “Q-Day” arrives. The stakes are high – data
encrypted today (medical, financial, strategic) must remain secure for decades – and the next
few years are critical for preventing a “post-quantum security gap.”
Sources: Recent announcements and analyses (Feb–May 2025) from NIST, government agencies, major vendors, and cybersecurity press are cited throughout (nist.gov, industrialcyber.co, techcommunity.microsoft.com, cloud.google.com). These include official blogs (Microsoft, Google Cloud, AWS, Cloudflare), government reports (NIST, UK NCSC), industry news, and conference releases. Each fact above is supported by the references noted.