Many years ago, meeting with Chinese officials about their standards, they suggested it was best to just follow NIST. It was obvious then. Today things have changed. The significance of NIST losing its once-unquestioned role is much bigger news than being reported. China is building its own post-quantum cryptography standards. Not aligning with America. Building a track on different mathematics, with different algorithms, on a different timeline. It’s perhaps not unlike how China developed electric vehicle standards that ended up prohibiting Tesla, forcing a higher bar than America for safe engineering.
Wang Xiaoyun, professor at Tsinghua University’s Institute for Advanced Study, told Reuters that China expects to finalize national PQC standards within three years. Finance and energy are the priority sectors. The algorithm family under development — structureless lattice, with S-Cloud+ as a leading candidate — is fundamentally different from the algebraic lattice designs that underpin NIST’s ML-KEM and ML-DSA.
Wang’s argument is that algebraic lattices carry structural patterns that could eventually be exploited. Structureless lattice algorithms remove those patterns at the cost of heavier computation. This is not a fringe position. Wang is the cryptographer who demonstrated collision attacks against MD5 and SHA-1 in 2004 and 2005 — work that triggered the phase-out of both hash functions from production systems worldwide. When she questions the long-term security of a cryptographic construction, we remember that she was right before when the consensus thought weak algorithms were still fine.
NIST had hedged against this very possibility. In March 2025, it selected HQC — a code-based algorithm built on entirely different mathematics — as a backup fourth standard, explicitly citing the need for a fallback if ML-KEM ends up broken.
An Elusive Single-Track
Until now, the global PQC migration story has been relatively coherent because of how NIST traditionally functioned for exactly that purpose. The US finalized standards in 2024. The UK, EU, Canada, Japan, South Korea, and Australia set their own deadlines but aligned on the same NIST algorithm family. Everyone converges on 2035. One set of algorithms. One migration.
China’s announcement changes the long-standing assumption that NIST is able to set global standards. China has required domestic cryptographic algorithms (SM2, SM3, SM4) alongside international standards for years. A PQC mandate following the same pattern is the baseline expectation. Organizations operating across jurisdictions now face China diverging the migration tracks, and potentially incompatible algorithm requirements.
The timeline gap compounds the problem. NIST shipped standards in 2024. China’s are targeting roughly 2029. That five-year window affects Chinese market exposure: deploy NIST algorithms now to close the harvest window and then pivot to Chinese compliance when it solidifies? This seems like the rational state, rather than leave data exposed to harvest-now-decrypt-later collection before 2029.
As CSO Online put it, everyone should start hybrid deployments immediately and build systems that can swap algorithms as requirements clarify. That sounds reasonable in theory, and for someone writing in 2024. In practice in 2026 it means organizations need to know — continuously, not once — what their systems are actually negotiating, whether that’s improving over time, and whether the pace of change will hit any of these deadlines.
What We Updated
We’ve updated the [PQ]time page to reflect the news. China (2029, TC260, structureless lattice) now appears in the visual timeline, the national timelines table, and the algorithm recommendations table. South Korea’s 2025 pilot transition is also now represented. The ICCSC’s global call for algorithm proposals is linked in the official sources.
The bigger change is admitting as of today, and into the foreseeable future, we no longer have a single converging global timeline.
Crypto-Agility Measured
Every vendor op-ed in the PQC space still blandly recommends “crypto-agility.” It's like recommending cars should have tires that can be replaced regularly. None of them define what it means to actually do the work. Agility without measuring it is just aspiration. The question is whether your architecture is ready to swap algorithms, and whether your deployed systems are actually negotiating quantum-resistant key exchange today. Unless you see coverage increasing over time, and a rate of change towards compliance before the deadline, you aren't prepared enough, whatever deadline applies to you.
We see organizations already on hybrid PQC have the skills to absorb a second standard. That's a significant step beyond everyone else who is still just inventorying.