Filippo Valsorda argued last week that AES-128 holds up against quantum computers. [PQ]probe scan data adds the empirical layer: AES-128-only hosts have deployed hybrid PQC key exchange at roughly 8 times the rate of AES-256-only hosts. The AES-256-only hosts upgraded the cipher and left the key exchange alone. Audit checklists that treat AES-256 as a quantum-preparedness criterion check the cipher, when the quantum threat is on the key exchange.
Filippo Valsorda has reversed his position on hybrid signatures: pure ML-DSA-44 is fine for sigs, hybrid stays for KEX, non-PQ KEX is a potential active compromise. The shift puts BSI's hybrid mandate and the new Geomys/OpenSSH posture on a collision course. Scanners will need to report against both.
Both combine X25519 and ML-KEM-768 with identical wire sizes. The combiners differ. Vendor documentation routinely treats them as synonyms. Treating them that way in a migration plan is a defect.
Classical TLS 1.3 is 4 to 6 KB. Hybrid key exchange plus ML-DSA certificates is 15 to 20 KB. That gap crosses IW10, QUIC 3x amplification, and DNSSEC boundaries. Reference tables plus a calculator for your specific stack.
Microsoft Security published a Cryptographic Posture Management framework that organizes PQC work across code, network, runtime, and storage. The network-domain starter steps give you inventory of where encrypted sessions live. A companion layer answers what those sessions are negotiating, and that pairing is where a migration plan comes together.
Sectigo announced Private PQC on April 14, issuing ML-DSA-signed certificates from a private CA. ML-DSA defends signature authentication. Harvest-now-decrypt-later is addressed by ML-KEM in the handshake. Both belong on the migration plan; knowing which layer each covers keeps the scoping honest.
Germany’s Quantum Computing Competition funds neutral-atom consortia targeting 4,000 qubits by 2030. The Oratomic/Caltech estimates put ECC-256 at risk from approximately 26,000 neutral-atom qubits. One scaling step apart.
A new paper finds structural gaps in the formal verification behind libcrux, the ML-KEM library used by Signal, Google, Firefox, and the Linux Foundation. The proofs are real. They cover less than procurement language suggests.
Two papers from Oratomic/Caltech and Google Quantum AI confirm ECC-256 breaks one to two orders of magnitude faster than RSA-2048. The most modern cryptographic deployments are the most exposed.
Google committed to completing PQC migration by 2029, well ahead of regulatory deadlines. Their acceleration matches what we see in deployment: the tooling works, hybrid PQC is a config change on most cloud infrastructure, and the real bottleneck is inventory, not research.
China will finalize independent PQC standards by 2029 on structureless lattice math, diverging from NIST. Organizations with cross-jurisdictional exposure now face parallel migration tracks.
Aer Lingus gets a B from SSL Labs and an F from pqprobe. Both grades are correct. They answer different questions, and the gap between them is where the real risk lives.
A researcher confident enough to put a hard date on Shor’s algorithm doesn’t know the protocol it breaks. The gap between theoretical physics and operational security is where risk lives.
IBM published a quantum-centric supercomputing blueprint. Qutwo signed enterprise orchestration deals. These are not physics experiments. They are procurement decisions.
More than 90% of origin servers negotiate zero post-quantum key exchange. The IETF is debating the 2035 destination. Most organizations haven’t met the 2027 starting line.
COM(2026) 13 adds the first explicit PQC requirement to EU law. BSI wrote the guidance and co-chaired the EU roadmap. We scanned bsi.bund.de. No post-quantum key exchange.
Three days after we argued that edge PQC numbers create a false floor, Cloudflare launched origin-server tracking on Radar. The gap narrowed from 60% vs 1% to 60% vs some-fraction-of-10%. Still enormous. Still the most important number in PQC.
A group of engineering professors and PQC hardware executives have announced their "apocalypse" algorithm breaks RSA-2048 in 11 hours. However, it failed initial scrutiny, which reveals how commercial incentives threaten to distort PQC migration.
Google won’t add post-quantum X.509 certificates to the Chrome Root Store. Instead, Chrome is building Merkle Tree Certificates — and the migration target just moved for everyone.
Which of your vendors are actually shipping post-quantum cryptography? We mapped 28+ vendors across seven categories and checked announcements against TLS handshakes.
Australia’s Signals Directorate published a quantum primer with no qubit estimates. That tells you everything about what actually matters for PQC migration.
BSI published 70 pages of post-quantum guidance. Four years later, 28 out of 150 companies responded to a survey about what they’d done. The manual was never the problem.