PQC timeline

The UK National Cyber Security Centre publishes official timelines for migration to post-quantum cryptography, setting three milestones: discovery and planning by 2028, high-priority migration by 2031, and full PQC migration by 2035.

NIST announces the selection of HQC (Hamming Quasi-Cyclic) as a code-based key encapsulation mechanism for standardization, providing a backup KEM based on different mathematical assumptions than the lattice-based ML-KEM. HQC gives NIST a backup KEM whose security does not depend on lattice problems.

Major cloud providers expand post-quantum key agreement deployment across production TLS. By early 2025, approximately 38% of Cloudflare HTTPS connections use hybrid PQ key exchange. AWS, Google Cloud, and Azure have all deployed PQ-capable endpoints.

NIST releases the initial public draft of IR 8547, outlining the transition from quantum-vulnerable cryptographic algorithms to post-quantum standards. The report proposes deprecating RSA-2048 and ECC P-256 by 2030, with full retirement of classical public-key algorithms by 2035.

The UK National Cyber Security Centre updates its PQC whitepaper following NIST's FIPS finalization, recommending ML-KEM-768 for key encapsulation and ML-DSA-65 for digital signatures as the default parameter sets for most applications.

NIST finalizes the first three post-quantum cryptographic standards: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA).

Google Chrome 124 enables X25519MLKEM768 hybrid key exchange by default for TLS connections, making post-quantum key agreement the default for the world's most-used browser. This is the largest production deployment of post-quantum cryptography to date.

The UK National Cyber Security Centre publishes 'Next steps in preparing for post-quantum cryptography,' outlining recommended actions for organizations planning their migration to quantum-resistant algorithms.

NIST publishes initial public drafts of FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) for public comment.

The IETF publishes RFC 9370, extending IKEv2 to support multiple key exchanges in a single SA setup. This enables hybrid post-quantum/classical key agreement for IPsec VPNs, allowing post-quantum KEMs to be combined with established ECDH exchanges.

The National Security Agency publishes the Commercial National Security Algorithm Suite 2.0, mandating transition to post-quantum algorithms for National Security Systems. CNSA 2.0 specifies ML-KEM and ML-DSA as required algorithms, with timelines for adoption beginning in 2025.

Researchers Wouter Castryck and Thomas Decru publish an efficient key recovery attack against SIDH/SIKE, breaking the isogeny-based candidate in a single classical computation. This eliminates the only isogeny-based candidate from the NIST process and raises questions about the viability of isogeny-based constructions for standardization.

NIST announces the selection of CRYSTALS-Kyber (key encapsulation), CRYSTALS-Dilithium, FALCON, and SPHINCS+ (digital signatures) for standardization.

NIST selects 15 algorithms for the third round (7 finalists and 8 alternates) for deeper cryptanalysis and performance evaluation.

NIST narrows the field to 26 candidate algorithms for further evaluation in the second round of the PQC standardization process.

NIST receives 69 valid submissions to the PQC standardization process, spanning lattice-based, code-based, hash-based, multivariate, and other approaches.

NIST initiates the Post-Quantum Cryptography Standardization Process, calling for submissions of quantum-resistant public-key cryptographic algorithms.