Post-quantum migration: what is actually happening
Updated: 2026-05-03
In August 2024 NIST published the first final post-quantum cryptography standards:
- ML-KEM (FIPS 203, derived from Kyber) for key establishment.
- ML-DSA (FIPS 204, derived from Dilithium) for digital signatures.
- SLH-DSA (FIPS 205, derived from SPHINCS+) as a conservative, hash-based alternative signature scheme.
Twenty months have passed since then, and the conversation has moved from “when to start” to “how it’s really going”. In April 2026, with roughly two years of production deployment to look at (browsers shipped hybrid key exchange by default before the standards were final), there is enough data to separate what has worked from what remains stuck.
Key takeaways
- Public web traffic has mostly migrated on its own: over 60% of global handshakes are now hybrid post-quantum.
- Signatures (ML-DSA, SLH-DSA) remain the hard front due to signature size.
- DNSSEC is the most problematic case: post-quantum signatures don’t fit in UDP without fragmentation.
- The most frequent migration problem was not cryptographic but inventory: organisations don’t know where their cryptography lives.
- The pragmatic window for real threat remains seven to ten years.
What Has Actually Been Migrated
Public-web TLS is the most advanced area. Major browsers enabled the X25519MLKEM768 hybrid key exchange by default through 2025 (Chrome had already shipped the Kyber draft hybrid by default in April 2024), and Cloudflare, Google and the large CDNs negotiate post-quantum on almost every new connection. Telemetry puts hybrid handshakes above 60% of global web traffic. For services behind a modern CDN, migration has already happened without operations needing to do anything special, with one caveat: that covers the browser-to-edge leg, and the edge-to-origin connection is configured separately.
SSH is the second area with real progress. OpenSSH has shipped a post-quantum hybrid by default since 9.0 in 2022 (sntrup761x25519-sha512); OpenSSH 9.9 added mlkem768x25519-sha256, aligned with the final standard, and OpenSSH 10.0 made it the default exchange. On hosts that track current distributions (Debian trixie ships OpenSSH 10.0, RHEL 10 ships 9.9), SSH migration happened without intervention. Where a KexAlgorithms list is pinned by policy, or frozen out of fear of breaking old jump hosts, it remains stuck: a hard-coded list from years ago silently overrides the new default.
Corporate VPN is the third area with movement. Enterprise VPN vendors (Palo Alto, Fortinet, Cisco, Check Point) have added hybrid IKEv2 options that carry ML-KEM alongside the classical (EC)DH exchange; the standardised mechanism for this is RFC 9370 (multiple key exchanges in IKEv2). Many large companies have enabled that option on site-to-site tunnels. For remote users with proprietary clients, results are uneven.
What Remains Stuck
Signatures have been, predictably, the hardest part. An ML-DSA-44 signature is 2,420 bytes and its public key 1,312 bytes, against 64 bytes each for ECDSA P-256 and 256 bytes each for RSA-2048; ML-DSA-65 is larger still (3,309 and 1,952 bytes). An X.509 chain in which every certificate carries an ML-DSA key and signature weighs well over ten kilobytes, and in TLS the CertificateVerify signature adds one more on top; that is enough to push the server’s first flight past the initial congestion window and cost an extra round trip on marginal networks. Let’s Encrypt’s ML-DSA chain trials remain in limited pilots in 2026.
Code signing is another slow front. SLH-DSA signatures run from about 8 KB (SLH-DSA-128s) to nearly 50 KB (SLH-DSA-256f), which clashes with legacy firmware formats that reserve a small fixed-size signature field and with embedded devices short on flash and RAM for verification. The real mitigation here is device replacement on normal cycles, not forced retroactive migration.
DNSSEC is the most problematic and honest case. Since DNS Flag Day 2020 the operational consensus is to keep responses under a 1,232-byte EDNS buffer to avoid IP fragmentation; a single ML-DSA-44 RRSIG exceeds that on its own, so post-quantum signed responses either fragment or fall back to TCP, and DNS over fragmented UDP is a well-known operational nightmare. The IETF has been discussing solutions since 2024, but no canonical solution exists in April 2026.
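The size arithmetic behind the three preceding paragraphs (certificate chains, code signing, DNSSEC), worked out as an added example that is not part of the original article. The key and signature sizes are the FIPS 204 and FIPS 205 parameter tables and raw classical field sizes; everything else is a labelled modelling assumption: a two-certificate chain using one algorithm, a 1,000-byte allowance for the rest of the server’s first flight, the RFC 6928 initial window of ten 1,460-byte segments, the 1,232-byte EDNS buffer from DNS Flag Day 2020, and a 20-byte zone name. DER and SPKI framing is ignored, so the classical figures are slightly low.

```python
# Raw public-key and signature sizes in bytes (DER/SPKI framing ignored). Classical entries
# are raw field sizes; ML-DSA and SLH-DSA entries are the FIPS 204 / FIPS 205 parameter tables.
SIZES = {
    #                    (public key, signature)
    "ECDSA-P256":        (64, 64),
    "RSA-2048":          (256, 256),
    "ML-DSA-44":         (1312, 2420),
    "ML-DSA-65":         (1952, 3309),
    "ML-DSA-87":         (2592, 4627),
    "SLH-DSA-SHA2-128s": (32, 7856),
    "SLH-DSA-SHA2-128f": (32, 17088),
    "SLH-DSA-SHA2-256s": (64, 29792),
    "SLH-DSA-SHA2-256f": (64, 49856),
}

INITCWND_BYTES = 10 * 1460   # RFC 6928 initial window: 10 segments at an assumed 1460-byte MSS
EDNS_BUFFER = 1232           # DNS Flag Day 2020 recommended EDNS buffer size


def tls_auth_bytes(alg, chain_certs=2):
    """Key and signature bytes the server sends to authenticate itself: each certificate
    in the chain carries one public key and one signature, and CertificateVerify adds one
    more signature. Assumes a single algorithm for the whole chain and that the root is
    not sent (modelling assumption)."""
    pk, sig = SIZES[alg]
    return chain_certs * (pk + sig) + sig


def fits_first_flight(alg, other_bytes=1000, chain_certs=2):
    """Does ServerHello..Finished fit in the initial congestion window without waiting
    for an ACK? other_bytes is an assumed allowance for the ML-KEM key share, extensions
    and Finished."""
    return tls_auth_bytes(alg, chain_certs) + other_bytes <= INITCWND_BYTES


def inflation(alg, baseline="ECDSA-P256", chain_certs=2):
    """Authentication bytes relative to a classical baseline chain."""
    return tls_auth_bytes(alg, chain_certs) / tls_auth_bytes(baseline, chain_certs)


def dnskey_response_bytes(alg, nkeys=2, nsigs=1, name_len=20):
    """Approximate wire size of a DNSKEY response: 12-byte header, question (name + type/class),
    nkeys DNSKEY records (KSK + ZSK) and nsigs RRSIGs over the RRset. Each record costs a
    compressed owner-name pointer (2) plus TYPE/CLASS/TTL/RDLENGTH (10); DNSKEY RDATA is
    flags/protocol/algorithm (4) plus the key; RRSIG RDATA is 18 fixed bytes plus signer name
    plus the signature."""
    pk, sig = SIZES[alg]
    dnskey_rr = 2 + 10 + 4 + pk
    rrsig_rr = 2 + 10 + 18 + name_len + sig
    return 12 + name_len + 4 + nkeys * dnskey_rr + nsigs * rrsig_rr


def needs_fragmentation_or_tcp(alg, **kw):
    """True when the DNSKEY response cannot travel in one unfragmented UDP datagram."""
    return dnskey_response_bytes(alg, **kw) > EDNS_BUFFER


if __name__ == "__main__":
    for alg in SIZES:
        print(f"{alg:20s} tls_auth={tls_auth_bytes(alg):6d}B x{inflation(alg):5.1f} "
              f"first_flight_ok={str(fits_first_flight(alg)):5s} "
              f"dnskey_resp={dnskey_response_bytes(alg):6d}B "
              f"udp_ok={not needs_fragmentation_or_tcp(alg)}")
```

Under these assumptions an ML-DSA-44 chain still fits the initial window while ML-DSA-65 and every SLH-DSA parameter set do not, and even the smallest ML-DSA pushes a DNSKEY response to several times the EDNS buffer; change the chain length or the allowance to match your own deployment.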
The Real Operational Problems
The serious problems of 2025 and early 2026 have been engineering, not cryptographic:
- Implementation incompatibilities where an intermediate draft was frozen into shipping code and differs from the final standard: the pre-standard X25519Kyber768Draft00 hybrid (TLS group 0x6399) and the final X25519MLKEM768 (0x11EC) are distinct, mutually incompatible code points, so a peer that knows only one of them silently falls back to a classical exchange.
- Hardware acceleration incompatibility: older HSMs don’t support ML-DSA and need a firmware update, where the vendor offers one, or replacement.
- CPU and bandwidth cost: a hybrid exchange runs ML-KEM alongside X25519 rather than instead of it, and the ML-KEM-768 encapsulation key (1,184 bytes) and ciphertext (1,088 bytes) add more than two kilobytes to every handshake; both show up on nodes handling thousands of handshakes per second.
Less technical but more frequent: inventory. Most organisations discovered during migration that they didn’t know where their cryptography lived. Old libraries linked into production binaries, calls into crypto APIs inside third-party code, signatures embedded in proprietary formats. The crypto-agility effort has in many cases been larger than the migration itself.
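A passive way to attack the inventory problem, and to spot the draft-versus-final mismatch above, is to read what clients actually offer in their TLS ClientHello rather than what the configuration says they should. The following is an added example, not code from the original article: it parses the supported_groups and key_share extensions of a ClientHello record and classifies the client as offering a final-standard hybrid, only the Kyber draft, or nothing post-quantum. The group code points (0x11EC X25519MLKEM768, 0x6399 X25519Kyber768Draft00, and so on) are the IANA-registered values; the sample records are constructed in the block itself with filler bytes for random and key shares, so it runs offline. In practice you would feed it the first record of each captured connection.

```python
import struct

# TLS supported_groups code points from the IANA "TLS Supported Groups" registry.
# 0x6399 is the pre-standard Kyber draft hybrid; 0x11EC is the final ML-KEM hybrid.
GROUP_NAMES = {
    0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519", 0x001E: "x448",
    0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768", 0x11ED: "SecP384r1MLKEM1024",
    0x6399: "X25519Kyber768Draft00",
}
FINAL_PQ_GROUPS = {0x11EB, 0x11EC, 0x11ED}
DRAFT_PQ_GROUPS = {0x6399}

# Hybrid share length fixed by the algorithms: ML-KEM-768 (or Kyber768) encapsulation key (1184) + X25519 (32).
HYBRID_SHARE_LEN = 1184 + 32


def build_client_hello(groups, shares):
    """Build a minimal TLS 1.3 ClientHello record. Constructed test input only:
    the random and the key shares are filler bytes, not a real client's."""
    sg = b"".join(struct.pack(">H", g) for g in groups)
    ext_groups = struct.pack(">HHH", 0x000A, len(sg) + 2, len(sg)) + sg
    ks = b"".join(struct.pack(">HH", g, len(k)) + k for g, k in shares.items())
    ext_key_share = struct.pack(">HHH", 0x0033, len(ks) + 2, len(ks)) + ks
    ext_versions = struct.pack(">HHB", 0x002B, 3, 2) + b"\x03\x04"   # supported_versions: TLS 1.3
    exts = ext_versions + ext_groups + ext_key_share
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"         # legacy_version, random, empty session id
            + struct.pack(">H", 2) + b"\x13\x01"          # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                 # legacy_compression_methods: null
            + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Walk a ClientHello record; return offered groups and the size of each key share."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack(">H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # skip legacy_version and random
    pos += 1 + body[pos]                                  # legacy_session_id
    (cs_len,) = struct.unpack(">H", body[pos:pos + 2]); pos += 2 + cs_len   # cipher_suites
    pos += 1 + body[pos]                                  # legacy_compression_methods
    (ext_len,) = struct.unpack(">H", body[pos:pos + 2]); pos += 2
    end = pos + ext_len
    groups, shares = [], {}
    while pos < end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == 0x000A:                               # supported_groups
            (n,) = struct.unpack(">H", data[:2])
            groups = [struct.unpack(">H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
        elif etype == 0x0033:                             # key_share
            (n,) = struct.unpack(">H", data[:2]); p = 2
            while p < 2 + n:
                g, klen = struct.unpack(">HH", data[p:p + 4]); p += 4
                shares[g] = klen; p += klen
    return {"record_len": len(record), "groups": groups, "shares": shares}


def classify_client(record):
    """'final-pq' if a standard hybrid is offered; 'draft-only' if only the Kyber draft is
    (such a client falls back to classical against a final-standard server); else 'classical'."""
    offered = set(parse_client_hello(record)["groups"])
    if offered & FINAL_PQ_GROUPS:
        return "final-pq"
    if offered & DRAFT_PQ_GROUPS:
        return "draft-only"
    return "classical"


def describe(record):
    p = parse_client_hello(record)
    return {"class": classify_client(record),
            "groups": [GROUP_NAMES.get(g, hex(g)) for g in p["groups"]],
            "shares": {GROUP_NAMES.get(g, hex(g)): n for g, n in p["shares"].items()},
            "record_len": p["record_len"]}


# Constructed samples: a current browser-style hello, a 2024-era draft client, and a classical one.
MODERN = build_client_hello([0x11EC, 0x001D, 0x0017, 0x0018],
                            {0x11EC: b"\xaa" * HYBRID_SHARE_LEN, 0x001D: b"\xbb" * 32})
DRAFT = build_client_hello([0x6399, 0x001D, 0x0017],
                           {0x6399: b"\xaa" * HYBRID_SHARE_LEN, 0x001D: b"\xbb" * 32})
CLASSICAL = build_client_hello([0x001D, 0x0017], {0x001D: b"\xbb" * 32})

if __name__ == "__main__":
    for label, rec in (("modern", MODERN), ("draft", DRAFT), ("classical", CLASSICAL)):
        print(label, describe(rec))
```

The record lengths the sample prints make the bandwidth point concrete: the hybrid hello is over 1,200 bytes larger than the classical one purely because of the 1,216-byte key share, which is why a real browser ClientHello now spans two packets.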
Harvest Now, Decrypt Later: What It Means Today
The underlying economic motivation is unchanged: encrypted traffic captured now under classical algorithms could be decrypted a decade from now if a cryptographically relevant quantum computer, one able to run Shor’s algorithm at scale, exists by then. Information that outlives 2035 and must remain confidential needs protection today:
- Long-lived industrial secrets.
- Diplomatic communications.
- Long-term medical records.
- Unpublished patents.
- Legal records.
The pragmatic consolidation is that, for ephemeral consumer traffic — retail user accounts, web searches, short-lived application sessions — classical cryptography remains acceptable because decrypting it in 2035 will carry little value. This segmentation by secret lifetime is what distinguishes security teams that think about real risk from those that write uniform policies.
How It Looks From April 2026
Official forecasts have pointed to the end of this decade at the earliest for a quantum computer able to break RSA or ECC at current key sizes, and in 2026 that expectation has not materially changed. IBM today has processors in the four-thousand-physical-qubit range, but noise keeps the number of usable logical qubits well below what Shor’s algorithm needs against a 2048-bit modulus. The pragmatic window remains seven to ten years for a real threat.
# Quickly check whether your server negotiates post-quantum key exchange.
# Needs OpenSSL 3.5 or later, which is where the X25519MLKEM768 group was added;
# OpenSSL 3.5 prints the negotiated TLS 1.3 group explicitly.
openssl s_client -connect example.com:443 -tls1_3 -groups X25519MLKEM768:X25519 </dev/null 2>&1 \
  | grep -E 'Negotiated TLS1.3 group|Server Temp Key|Cipher'

When It’s Worth It
Post-quantum migration is happening, but not uniformly:
- Ephemeral public traffic has almost solved itself.
- Intra-corporate traffic depends on refreshing equipment and configurations.
- Signatures and long-term validation remain the tricky cases.
- DNSSEC is the extreme example of a non-trivial transition.
When to invest today:
- If your organisation handles secrets with lifetimes over ten years → you should already have a plan and have executed part of it.
- If your main workload is public web behind a modern CDN → migration probably rolled over you already and what’s missing is documentation.
- For everyone else → useful work isn’t flipping post-quantum on everywhere; it’s honest inventory, closing the crypto-agility gap, and refreshing broken systems sensibly on their natural cycle.
Insurance is cheap when it’s not raining; this is one of those. The same anticipatory planning logic that applies to post-quantum migration applies to enterprise agent governance: the cost of doing it right early is always lower than remediating after an incident.