
Technology thesis · Cybersecurity

high conviction growth

Post-quantum cryptography

Post-quantum cryptography standards are finalised and migration has begun; the urgency comes from harvest-now-decrypt-later attacks that threaten data encrypted today.

Position maintained continuously · last reviewed May 7, 2026

The thesis

Core thesis

NIST finalised its first PQC standards (FIPS 203/204/205) in August 2024 and selected HQC as a fifth, code-based algorithm in March 2025. Dustin Moody led the multi-year selection process. The threat: a cryptographically relevant quantum computer would break RSA and ECC. Harvest-now-decrypt-later means sensitive data encrypted today is already at risk. The work is now migration, not algorithm choice: crypto-inventory, crypto-agility and PKI rework against NSA CNSA 2.0 (new NSS acquisitions compliant from 2027) and the NSM-10 2035 federal target.

State of the art (2026)

The standards fight is over; the migration is the story. NIST finalised ML-KEM, ML-DSA and SLH-DSA (FIPS 203/204/205) in August 2024 and selected code-based HQC as a fifth, diversity algorithm in March 2025, with a draft standard due in 2026 and finalisation expected 2027. Key exchange has moved fastest: by March 2026 over 60% of human TLS traffic to Cloudflare used hybrid ML-KEM, and Chrome, Edge and Firefox now negotiate it by default. Signatures lag: the first post-quantum certificates are only expected through 2026-2027, because certificate formats, CAs and browsers all need reworking first. The real work now is crypto-inventory, crypto-agility and PKI migration against NSA CNSA 2.0 and EU NIS2/DORA deadlines, not algorithm research.
