PQC Adoption Timeline: Who Has Adopted Post-Quantum Cryptography and When
The PQC adoption timeline is no longer a theoretical roadmap reserved for government labs — it is an active, accelerating schedule touching browsers, operating systems, messaging apps, cloud platforms, and blockchains. This article maps every significant milestone to date: NIST's standardisation process, the first commercial TLS deployments, enterprise software patches, and the blockchain projects that have already migrated or announced firm plans. Whether you are a security engineer, an investor, or simply a curious observer, understanding where the world stands on post-quantum cryptography is increasingly essential.
Why a PQC Adoption Timeline Matters
Cryptographic transitions take time. The shift from DES to AES took roughly a decade from the initial NIST call in 1997 to widespread deployment. The move to elliptic-curve cryptography (ECC) began around 2005 and is still not universal. Post-quantum cryptography faces the same inertia, but with a harder deadline: the point when a cryptographically relevant quantum computer (CRQC) can break 2048-bit RSA or 256-bit ECDSA in practical time.
Most serious estimates from national security agencies place that risk window somewhere between 2030 and 2035, though some researchers argue the tail risk begins earlier. Harvest-now, decrypt-later (HNDL) attacks are already operational: adversaries record encrypted traffic today and will decrypt it retroactively once a CRQC exists. Any data that must remain secret beyond five to ten years is already at risk.
Tracking adoption milestones lets organisations benchmark their own progress, identify gaps, and prioritise migration before the risk window closes.
---
NIST Standardisation: The Foundation of the Timeline
The National Institute of Standards and Technology (NIST) launched its Post-Quantum Cryptography Standardisation project in 2016. It is the single most important institutional driver of global adoption, because vendors, browsers, and governments worldwide wait for NIST standards before shipping production code.
Round-by-Round Progress
| Year | NIST Milestone |
|---|---|
| 2016 | Call for submissions; 82 candidates received |
| 2019 | Round 2 announced; 26 candidates selected |
| 2020 | Round 3 announced; 7 finalists + 8 alternates |
| 2022 | Four algorithms selected for standardisation: CRYSTALS-Kyber (KEM), CRYSTALS-Dilithium, FALCON, SPHINCS+ |
| August 2024 | Final standards published: FIPS 203 (ML-KEM / Kyber), FIPS 204 (ML-DSA / Dilithium), FIPS 205 (SLH-DSA / SPHINCS+) |
| 2024–2025 | FALCON standardised as FIPS 206 (FN-DSA); HQC selected as backup KEM for future standardisation |
FIPS 203, 204, and 205 represent the first formally published post-quantum standards in history. All three are lattice-based or hash-based, meaning their security rests on mathematical problems believed to be hard even for quantum computers running Shor's algorithm.
What These Algorithms Do
- ML-KEM (FIPS 203): A Key Encapsulation Mechanism used to establish shared secrets over untrusted channels. It replaces RSA-OAEP and ECDH in TLS key exchange.
- ML-DSA (FIPS 204): A digital signature scheme. It replaces ECDSA and RSA-PSS for code signing, certificate signing, and authentication.
- SLH-DSA (FIPS 205): A stateless hash-based signature scheme. Slower and larger than ML-DSA but relies only on hash function security, providing a conservative fallback.
- FN-DSA (FIPS 206): Based on NTRU lattices, producing compact signatures suitable for constrained environments.
---
Browser and TLS Rollouts
Transport Layer Security is the most widely deployed cryptographic protocol on the internet, protecting HTTPS, email, VPNs, and API calls. Browser vendors and server-side TLS libraries have been the first commercial sector to ship PQC at scale.
Google Chrome
- 2023 (Chrome 116): Google enabled X25519Kyber768 — a hybrid key agreement combining X25519 (classic ECDH) and Kyber-768 — for TLS 1.3 connections by default in Chrome. This was the first major browser to enable PQC key exchange in production.
- 2024 (Chrome 124): Google updated to X25519MLKEM768, aligning with the finalised FIPS 203 standard. Hybrid mode remains: both classical and PQC algorithms must independently agree, so a break in either does not compromise the session.
Mozilla Firefox
- Firefox shipped ML-KEM hybrid key exchange in Firefox 128 (July 2024), shortly after the FIPS 203 publication. The implementation follows the same hybrid-TLS pattern as Chrome.
Apple Safari / Security Framework
- Apple added ML-KEM support to its Security framework in macOS Sequoia and iOS 18 (late 2024), enabling PQC key exchange for Safari and any app using Apple's native TLS stack.
Cloudflare and Server Infrastructure
- Cloudflare began testing post-quantum TLS connections in 2022 and enabled ML-KEM hybrid by default across its network in late 2024, meaning any site behind Cloudflare automatically negotiates PQC key exchange with compatible clients. This is significant because Cloudflare terminates TLS for millions of websites.
OpenSSL and BoringSSL
- BoringSSL (Google's TLS library, used in Chrome and Android) has tracked experimental PQC support since 2022, with ML-KEM landing in stable form after the FIPS 203 publication.
- OpenSSL 3.x incorporates PQC via the OQS Provider (Open Quantum Safe project). Native integration into the OpenSSL mainline is under active development as of 2025.
---
Operating Systems and Platform Vendors
Microsoft Windows and Azure
- Windows 11 Insider builds (2024): Microsoft added ML-KEM and ML-DSA support to the Windows cryptographic API (CNG — Cryptography Next Generation). Plans to enable PQC in Windows Hello and Azure Key Vault are documented in public roadmaps.
- Azure: Microsoft's cloud key management service began offering preview PQC algorithm support in 2024.
Linux Kernel and Distributions
- The Linux kernel's crypto subsystem has accepted patches for Kyber/ML-KEM. Major distributions (RHEL, Ubuntu) include PQC via OpenSSL and NSS in their 2024–2025 LTS releases.
Apple
- Beyond browser TLS, Apple's CryptoKit framework gained ML-KEM APIs in the 2024 SDK cycle, enabling iOS and macOS application developers to use FIPS 203 in their own apps.
---
Messaging Applications
End-to-end encrypted messaging is an attractive early adopter because message metadata and content are high-value long-term secrets, and HNDL attacks directly threaten private communications.
| Application | PQC Milestone | Algorithm Used |
|---|---|---|
| **Signal** | September 2023: PQXDH protocol deployed globally | ML-KEM (Kyber-1024) in a hybrid with X25519 |
| **Apple iMessage** | iOS 17.4 / macOS 14.4 (March 2024): PQ3 protocol | ML-KEM hybrid; achieves "Level 3" PQC security in Apple's own classification |
| **Zoom** | 2024: Post-quantum E2EE for Zoom Meetings | ML-KEM-768 |
| **WhatsApp / Meta** | 2024: PQXDH implementation announced, rollout ongoing | Kyber-based hybrid |
| **Wickr (AWS)** | 2023: PQC integration into enterprise tier | Kyber + NIST algorithms |
Signal's PQXDH (Post-Quantum Extended Diffie-Hellman) was the first large-scale deployment of PQC in a consumer messaging application, reaching hundreds of millions of users before the NIST standards were formally finalised.
---
Government and Regulatory Mandates
Regulatory pressure is a critical adoption driver, particularly for vendors serving government markets.
- NSA CNSA 2.0 (2022): The US National Security Agency issued the Commercial National Security Algorithm Suite 2.0, requiring PQC algorithms for national security systems. Timelines require PQC for most software and firmware by 2030, with critical infrastructure targets as early as 2025–2026.
- CISA / OMB Memo M-23-02 (2022): US federal agencies were required to begin inventorying cryptographic dependencies and submit migration plans.
- ETSI QSC: The European Telecommunications Standards Institute's Quantum-Safe Cryptography working group has published technical specifications aligned with NIST selections.
- BSI (Germany): Issued migration recommendations in 2024, strongly endorsing hybrid schemes during the transition period.
- UK NCSC: Published PQC migration guidance in 2024, recommending ML-KEM and ML-DSA for new systems.
---
Blockchain and Cryptocurrency Adoption
Blockchains present a unique challenge: wallets rely on ECDSA for transaction signing, and public keys (or public-key-derivable addresses) are exposed on-chain, making them directly vulnerable to a CRQC running Shor's algorithm. The cryptographic transition for blockchains requires protocol-level upgrades, not just library patches.
Ethereum
The Ethereum Foundation's long-term roadmap includes a transition to quantum-resistant signatures. Vitalik Buterin has publicly described a planned hard fork that would allow users to migrate to Winternitz One-Time Signatures or similar hash-based schemes. No firm activation date has been set as of early 2025, but research is active under the "Splurge" phase of the roadmap.
Bitcoin
Bitcoin's developer community has discussed PQC migration through BIP proposals. The core challenge is backward compatibility: any transition must allow legacy UTXO holders to migrate funds. Tapscript's flexibility is cited as an enabling mechanism, but no BIP has achieved consensus for PQC signatures as of 2025.
Purpose-Built PQC Chains
Several newer projects have built post-quantum cryptography into their core architecture from the start, using lattice-based or hash-based signatures for wallet keys. Projects like BMIC.ai represent this approach in the wallet layer, applying NIST PQC-aligned, lattice-based cryptography to protect user holdings against the quantum threat before Q-day arrives. This is notably easier to do in greenfield projects than in retrofitting mature chains with millions of existing addresses.
Quantum-Resistant Ledger (QRL)
QRL launched in 2018 using XMSS (eXtended Merkle Signature Scheme) — a stateful hash-based signature scheme — and remains one of the longest-running live blockchains with PQC signatures.
---
What Comes Next: 2025–2030 Outlook
The next five years will be dominated by three parallel workstreams:
1. Library and Protocol Maturation
OpenSSL mainline integration, finalisation of PQC in X.509 certificate formats, and deployment of PQC code-signing certificates across major certificate authorities are all in progress. Let's Encrypt and other public CAs are expected to begin issuing PQC hybrid certificates within the 2025–2026 window.
2. Hardware and HSM Support
Hardware Security Modules (HSMs) from vendors like Thales, Entrust, and AWS CloudHSM are adding ML-KEM and ML-DSA support. Hardware wallets for cryptocurrency (Ledger, Trezor) have not yet shipped PQC firmware, representing a gap that will need to close before blockchain migrations can be completed by average users.
3. Cryptographic Agility
The dominant enterprise strategy is cryptographic agility: architecting systems so that algorithms can be swapped without redesigning protocols. NIST's guidance explicitly endorses hybrid schemes (classical + PQC) during the transition, ensuring that a flaw discovered in a new PQC algorithm does not leave systems unprotected.
---
Summary: PQC Adoption at a Glance
| Sector | Status (Early 2025) |
|---|---|
| NIST Standards | Final: FIPS 203, 204, 205, 206 published |
| Major browsers | PQC key exchange enabled by default (Chrome, Firefox, Safari) |
| Cloud TLS (Cloudflare, AWS, Azure) | Hybrid PQC in production or preview |
| Messaging apps | Signal, iMessage, Zoom, WhatsApp deployed or rolling out |
| OS vendors | Windows 11, macOS 15, Linux: API support added |
| Certificate Authorities | Hybrid PQC certs in development; no mass issuance yet |
| Bitcoin / Ethereum | Research phase; no activation date |
| Purpose-built PQC chains/wallets | Live, greenfield deployments underway |
| Hardware wallets | Not yet shipped PQC firmware |
| HSMs | Vendor previews; production rollout 2025–2026 |
The transition is well underway at the protocol and application layer. The gaps that remain — hardware wallets, legacy blockchain addresses, enterprise PKI — are real but tractable. Organisations that begin migration planning now, rather than waiting for a forced deadline, will be better positioned when the risk window closes.
Frequently Asked Questions
What is the current status of NIST PQC standardisation?
NIST published its first three final post-quantum standards in August 2024: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). A fourth standard, FIPS 206 (FN-DSA, based on FALCON), followed shortly after. These replace the previous draft status and are now the authoritative standards for PQC implementation.
Is post-quantum cryptography already in use in everyday software?
Yes. Google Chrome, Mozilla Firefox, and Apple Safari all ship ML-KEM hybrid key exchange for TLS by default as of 2024. Signal, iMessage, Zoom, and WhatsApp have deployed or are rolling out PQC-protected messaging. Cloudflare enables PQC TLS for millions of websites. PQC is not a future promise — it is already active in software most people use daily.
What does 'hybrid' PQC mean and why is it used?
A hybrid scheme combines a classical algorithm (such as X25519 elliptic-curve Diffie-Hellman) with a PQC algorithm (such as ML-KEM). Both must independently succeed for the connection to be established. This means a newly discovered flaw in the PQC algorithm does not compromise security, because the classical algorithm still holds — and vice versa for a quantum attack. Hybrid mode is the recommended approach during the transition period.
When will Bitcoin and Ethereum be quantum-resistant?
Neither Bitcoin nor Ethereum has set a firm activation date for quantum-resistant signatures as of early 2025. Ethereum's roadmap includes a planned migration under its 'Splurge' phase, with hash-based signatures discussed as a candidate. Bitcoin's developer community has debated BIP proposals but has not reached consensus. Both transitions require significant community agreement and backward-compatibility engineering.
What is a harvest-now, decrypt-later attack and why does it matter for the timeline?
A harvest-now, decrypt-later (HNDL) attack means an adversary records encrypted traffic today and stores it, planning to decrypt it once a cryptographically relevant quantum computer exists. This means data encrypted with classical algorithms today could be exposed in the future. It is the primary reason security agencies recommend beginning PQC migration immediately, even though large-scale quantum computers capable of breaking current encryption do not yet exist.
Which sectors are lagging behind in PQC adoption?
Hardware security modules (HSMs) are in preview rollout. Public certificate authorities have not yet begun mass issuance of PQC or hybrid X.509 certificates. Hardware wallets for cryptocurrency have not shipped PQC firmware. Legacy blockchain protocols with millions of existing addresses face particularly complex migration challenges requiring protocol-level consensus changes.