Who has shipped post-quantum cryptography, who has committed, who is silent.
The largest commercial impact of quantum, by an order of magnitude
Is not buying a quantum computer. It is replacing the cryptographic plumbing on every system that needs to survive past 2030.
NIST standardized ML-KEM, ML-DSA, and SLH-DSA in August 2024. Apple, Cloudflare, Google, Mozilla, and AWS have already migrated meaningful portions of TLS traffic to hybrid PQC. This page tracks who has actually shipped, who is hybrid-live, who has committed, and — the most interesting list — who is silent despite obvious exposure.
Shipped
13
Hybrid live
5
Announced
3
Committed
3
Silent
2
Total tracked
26
Status taxonomy
Post-quantum cryptography live in production traffic or signed code, default-on.
PQC running alongside classical, often as opt-in or in preview for specific workloads.
Public commitment with a specific date or regulatory deadline.
Public commitment without a specific date — often a published roadmap with TBD milestones.
No public PQC roadmap despite obvious exposure. The most interesting list.
Shipped · 13 entries
iMessage (PQ3 protocol)
PQ3 launched in iOS 17.4. Post-quantum key establishment with continuous re-keying. Largest deployment of PQC to consumers globally — billions of iMessage handshakes daily.
Algorithm: ML-KEM (Kyber) + ECDH hybrid · ratcheted
source ↗Signal Protocol PQXDH
First PQC-enabled key agreement in Signal — X25519 plus Kyber (now ML-KEM). All Signal handshakes now post-quantum.
Algorithm: PQXDH (ML-KEM + X25519 hybrid)
source ↗TLS 1.3 PQ key agreement
PQC key agreement live across the Cloudflare edge. As of late 2025, ~52% of inbound TLS traffic to Cloudflare uses a post-quantum hybrid handshake — the highest organic PQC adoption rate on the public web.
Algorithm: X25519MLKEM768 (ML-KEM + X25519 hybrid)
source ↗Chrome (TLS 1.3 + Boring SSL)
Chrome enabled ML-KEM hybrid TLS by default in Chrome 124. Together with Cloudflare deployment, established the de-facto industry default.
Algorithm: X25519MLKEM768 (hybrid)
source ↗Firefox
Firefox 132 enabled ML-KEM hybrid TLS by default. Brings open-source browser to parity with Chrome on PQC handshakes.
Algorithm: X25519MLKEM768
Edge platform TLS
PQC hybrid key agreement available on Akamai edge for customer configuration; default-on for traffic to PQC-capable origins.
Algorithm: X25519MLKEM768
KMS, Secrets Manager, ACM
AWS KMS and several internal services migrated to post-quantum hybrid TLS. AWS published a multi-year migration plan covering S3, CloudFront, ACM.
Algorithm: ML-KEM + classical hybrid
source ↗iOS / macOS Sequoia secure enclave
Apple signaling movement on PQC for Secure Enclave attestation and code signing chains. Full timeline not public.
Algorithm: ML-DSA for code signing (transitional)
OpenSSL 3.5 + oqs-provider
OpenSSL 3.5 ships with ML-KEM, ML-DSA, and SLH-DSA in the default build. Foundational for downstream PQC deployment across server software.
Algorithm: ML-KEM, ML-DSA, SLH-DSA
BoringSSL
ML-KEM support in BoringSSL underpins Chrome and Google service deployment.
Algorithm: ML-KEM
liboqs + oqs-provider
Reference implementations of every NIST-standardized and candidate algorithm. The de facto research baseline for PQC integration testing.
Algorithm: All NIST PQC + alternates
Trade finance PQC pilot
HSBC ran the first publicly disclosed live PQ-secured trade-finance transaction between Hong Kong and London. Pilot, not production.
Algorithm: ML-KEM hybrid
FIPS 203 / 204 / 205
NIST formally standardized ML-KEM (Kyber), ML-DSA (Dilithium), and SLH-DSA (SPHINCS+). The reference for every other PQC migration.
Algorithm: ML-KEM, ML-DSA, SLH-DSA
source ↗Hybrid live · 5 entries
Edge TLS
PQC TLS available as an opt-in for customers; not default-on across the platform.
Algorithm: X25519MLKEM768
Azure Confidential Computing + Key Vault
Azure Key Vault offers PQC algorithms in preview. SymCrypt library updated to support ML-KEM and ML-DSA. Production rollout staged through 2026.
Algorithm: ML-KEM, ML-DSA
source ↗Cloud KMS + ALTS
Cloud KMS supports ML-DSA signing in preview. Internal ALTS service-to-service authentication uses hybrid key agreement.
Algorithm: ML-KEM hybrid
Windows 11 + SymCrypt
Windows 11 24H2 introduced PQC algorithm support in SymCrypt. Developer APIs available; default in TLS not yet enabled.
Algorithm: ML-KEM, ML-DSA, SLH-DSA
source ↗OpenVPN 3 CloudConnexa
OpenVPN CloudConnexa enables PQC via underlying TLS stack when OpenSSL 3.5 or equivalent is used.
Algorithm: ML-KEM hybrid via TLS layer
Announced · 3 entries
CNSA 2.0 mandate
CNSA 2.0 mandates PQC for U.S. National Security Systems. Software signing PQC-only by 2027; networking PQC-only by 2030; HSMs PQC-only by 2030.
Algorithm: ML-KEM-1024, ML-DSA-87, SHA-384, AES-256
source ↗PQC guidance + Government Crypto Modernisation
NCSC published PQC migration roadmap targeting all UK government systems by 2035. Aligned with NIST standards.
Algorithm: NIST PQC suite
Post-Quantum Cryptography Coordinated Implementation Roadmap
ENISA published a coordinated PQC implementation roadmap for EU member states. Aligned with EuroQCI quantum-network deployment.
Algorithm: NIST PQC suite
Committed · 3 entries
Internal crypto modernization
JPMorgan publicly committed to post-quantum migration across internal systems; timeline disclosed as multi-year with no public completion date.
Algorithm: NIST PQC suite
Internal PQC roadmap
Public commitment to PQC migration as part of broader cryptographic modernization.
Algorithm: NIST PQC
Reference VPN protocol
WireGuard maintainers have signaled PQC integration is on the roadmap but not shipped at protocol level. Forks (e.g., Mullvad) experiment with PQC layers.
Algorithm: TBD (PQC hybrid)
Silent · 2 entries
Consumer messaging + auth
No public PQC roadmap as of May 2026 despite billions of daily handshakes. WhatsApp is widely expected to follow Signal's PQXDH design since Signal Protocol underpins WhatsApp encryption.
Algorithm: —
TLS, DMs
No public PQC commitment.
Algorithm: —
Why this tracker matters
The largest commercial impact of quantum computing, by an order of magnitude, is not the new compute paradigm but the cryptographic transition forced by Shor's algorithm. Every TLS connection, every signed firmware blob, every long-lived signed document is potentially exposed to a future cryptographically-relevant quantum computer (CRQC). Harvest-now-decrypt-later attacks make the calendar urgent even though a CRQC does not yet exist.
The PQC market is forecast at $50B+ cumulative through 2035 (McKinsey, BCG mid-cases). Most of that spend is software services and HSM replacement, not new product sales. The names with shipping PQC products today — Cloudflare, Apple, Google, NIST-aligned vendors — capture the first wave; the names silent at scale (notably Meta, X) are accumulating risk that auditors will start to price.
See /glossary for ML-KEM, ML-DSA, SLH-DSA, HNDL, Q-Day, CNSA 2.0 definitions. See /learn/bb84 for the QKD alternative architecture and the NSA's reasoning for preferring PQC over QKD.