Post-quantum encryption ranked: 3 protect you, 1 is already dead
Google just moved its Q-Day estimate from 2035 to 2029. That is not a policy revision. That is a countdown. If the encryption protecting your banking credentials, medical records, and private messages still relies on classical RSA or ECC, the clock is running out faster than most security teams expected.
The urgency goes beyond future decryption. Nation-states are already running "harvest now, decrypt later" campaigns, stockpiling encrypted data with the expectation that a 10,000-qubit machine will crack it within years. Your encrypted traffic from last Tuesday may already be in a queue.
NIST finalized three post-quantum cryptography standards in August 2024, with three more in the pipeline. Not all six are created equal. Here is how they rank, from weakest to strongest real-world readiness.
6. BIKE: dead on arrival
BIKE lost the NIST competition outright. It showed promise in low memory usage, but latency and power costs at higher security levels made it impractical. NIST chose HQC over BIKE for the fourth-round backup slot. No FIPS standard is coming. If your vendor mentions BIKE support, treat it as a red flag.
5. HQC: insurance you cannot deploy yet
HQC won the backup slot for a code-based alternative to lattice cryptography, expected to be standardized by 2027. The logic: if lattice math ever falls, HQC gives the world a different mathematical foundation.
The problem is performance. HQC suffers from high memory demand and thermal overhead on constrained devices. For servers, manageable. For IoT sensors and mobile hardware, still a question mark. HQC is insurance, not a first choice.
4. SLH-DSA: bulletproof but slow
SLH-DSA (FIPS 205), derived from SPHINCS+, relies entirely on hash functions. If hash functions work, SLH-DSA works. That makes it the safest long-term bet for data needing verification for decades: government archives, legal records, critical infrastructure logs.
The tradeoff is severe. Signatures exceed 7,800 bytes (compared to 3,300 for ML-DSA), and signing is painfully slow. SLH-DSA will not protect your TLS handshake. It exists for one purpose: maximum assurance when speed does not matter.
3. FN-DSA: compact but complicated
FN-DSA (FIPS 206), derived from FALCON, produces the smallest signatures and keys of any PQC signature scheme. For bandwidth-constrained environments like the shift from passwords to passkeys or certificate chains in constrained IoT networks, that compactness matters.
The catch: FN-DSA requires constant-time floating-point arithmetic during key generation, notoriously difficult to implement without side-channel vulnerabilities. NIST delayed its release for this reason. Finalization was still underway in early 2026. Watch it closely; deploying before the standard is locked would be premature.
2. ML-DSA: the signature workhorse
ML-DSA (FIPS 204), built from CRYSTALS-Dilithium, handles code signing, document verification, and authentication. Signing speed is roughly 10x faster than RSA-2048: 100 to 200 microseconds versus 2 to 5 milliseconds.
Public keys run about 1,952 bytes, signatures about 3,309 bytes at ML-DSA-65. Larger than classical ECDSA, but the real-world TLS penalty is negligible. NIST says deploy now. Google and Cloudflare already have.
One caveat: ML-DSA shares lattice-based math with ML-KEM. If lattice problems fall, both fall. That is exactly why SLH-DSA and HQC exist as hedges.
1. ML-KEM: deploy yesterday
ML-KEM (FIPS 203), derived from CRYSTALS-Kyber, has the most deployment momentum of any post-quantum encryption standard. Google enabled it in Chrome. Cloudflare reports 65% of human traffic already uses post-quantum key encapsulation. Akamai made it default for all customers in January 2026.
Performance overhead is minimal. ML-KEM-768 produces a 1,088-byte ciphertext and 1,184-byte public key. Key generation, encapsulation, and decapsulation each take microseconds. NIST told the industry to integrate it "immediately."
ML-KEM is not just the top-ranked PQC standard. Delaying adoption is itself a security risk. Every day your key exchange relies on classical Diffie-Hellman, you generate traffic a future quantum machine can decrypt retroactively.
What to do before the deadline
ML-KEM for key exchange and ML-DSA for signatures cover the vast majority of use cases. SLH-DSA is your archival insurance. FN-DSA is worth watching. HQC is a hedge you hope you never need. BIKE is history.
NIST says quantum-vulnerable algorithms will be deprecated by 2035, with high-risk systems transitioning much sooner. Google and Cloudflare are targeting 2029. While AI-powered cyberattacks accelerate the speed at which stolen data gets exploited, the window for a comfortable migration just closed.
Start with ML-KEM in your TLS stack today. The quantum computer that breaks your encryption does not need to exist yet; it only needs to exist before your data stops mattering.
Related Reading:
Sources and References
- NIST Computer Security Resource Center — NIST finalized three PQC standards (FIPS 203, 204, 205) in August 2024 and declared quantum-vulnerable algorithms will be deprecated by 2035, with high-risk systems transitioning much earlier.
- CyberScoop / Google — Google accelerated its post-quantum migration timeline from 2035 to 2029, citing faster-than-expected advances in quantum hardware, error correction, and factoring resource estimates.
- Cloudflare — 65% of human traffic to Cloudflare already uses post-quantum key encapsulation, and the company targets full PQC security by 2029.
- arXiv (Performance Analysis of PQC in TLS) — ML-DSA signing is roughly 10x faster than RSA-2048, clocking 100-200 microseconds versus 2-5 milliseconds, with negligible impact on TLS handshake usability.
Read about our editorial standards →
