FAQ
Q: How long do we have?
A: Until the early 2030s.
The switch needs to happen before quantum computers get powerful enough.
The catch: by the time we read about it in the news, it will already be much too late.
Q: Will the new algorithms slow us down?
A: No.
People won’t be able to notice.
Consumer devices will not struggle.
Constrained devices (IoT) may need a little extra oomph.
Telcos may see a small increase in bandwidth overall.
It depends on the algorithm. For ML-DSA and FN-DSA, very roughly speaking:
- Signature verification speeds will be mostly unaffected.
- Signature generation will be 10 times slower than EdDSA, but 10 times faster than RSA – and still take only microseconds on unconstrained devices.
- Public keys and signatures will be ~10 times larger – but still about a kilobyte instead of 100 bytes. See the Cloudflare blog for a quick summary and the NIST signature zoo for more detail.
Chrome has been offering hybrid key exchange mechanisms since late 2023 – that means running both the classical and the post-quantum version – and aside from a few initial hiccups, hardly anyone even noticed.
Due to the larger public key and signature sizes, certificate chains will be larger. Verification times remain of a similar order of magnitude, but overall handshake times may be affected.
Cloudflare and Google report a ~10 to 15% slowdown in the handshake protocol – i.e., when a session is established, not in the transmission of content – for an extra ~1 to 10 kb of data.
Some failures were observed when adding more than 9kb of data to the handshake, so long certificate chains may cause issues – but it is not unreasonable to expect this to become an insignificant fraction with updates over the next few years.
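To make the point about certificate chains concrete, here is a rough size budget, added as an example (it is not from the sources cited above). It assumes every signature in the server's TLS 1.3 authentication flight uses the same algorithm, reads "9kb" as 9000 bytes, and uses a hypothetical `Flight` model; Falcon-512 sizes stand in for FN-DSA-512.

```python
from dataclasses import dataclass

# Raw sizes in bytes: (public key, signature). ML-DSA figures are from FIPS 204.
# Falcon-512 (padded signature) stands in for FN-DSA-512, which is not final.
# ASN.1/X.509 framing and the other certificate fields are ignored.
SIZES = {
    "Ed25519":    (32, 64),
    "RSA-2048":   (256, 256),
    "ML-DSA-44":  (1312, 2420),
    "ML-DSA-65":  (1952, 3309),
    "FN-DSA-512": (897, 666),
}

# Assumption: the "9kb" of added handshake data is read as 9000 bytes.
THRESHOLD = 9000


@dataclass
class Flight:
    """Hypothetical model of what a server sends to authenticate itself."""
    certs: int = 2  # leaf + intermediates on the wire (the root is not sent)
    scts: int = 2   # signed certificate timestamps embedded in the leaf

    def auth_bytes(self, alg: str) -> int:
        pk, sig = SIZES[alg]
        # Each certificate carries one public key and one issuer signature,
        # the handshake adds one CertificateVerify signature, and each SCT
        # is one more signature.
        return self.certs * (pk + sig) + sig + self.scts * sig


def added_bytes(flight: Flight, alg: str, baseline: str = "Ed25519") -> int:
    """Extra authentication bytes compared with the classical baseline."""
    return flight.auth_bytes(alg) - flight.auth_bytes(baseline)


def report(flight: Flight, baseline: str = "Ed25519"):
    """Rows of (algorithm, total bytes, added bytes, exceeds threshold)."""
    return [(alg, flight.auth_bytes(alg), added_bytes(flight, alg, baseline),
             added_bytes(flight, alg, baseline) > THRESHOLD) for alg in SIZES]


if __name__ == "__main__":
    for flight in (Flight(certs=2), Flight(certs=4)):
        print(f"{flight.certs} certificates, {flight.scts} SCTs")
        for alg, total, extra, over in report(flight):
            flag = "  <-- more than 9 kb added" if over else ""
            print(f"  {alg:<11} {total:>6} B  (+{extra} B){flag}")
```

Under these assumptions the signature count, not the key count, dominates: a two-certificate chain stays under the threshold with FN-DSA-512 but not with ML-DSA-44.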
Q: Are we going to need a quantum computer or new quantum hardware in our PCs and phones to use the new algorithms?
A: No.
You may need some new hardware for dedicated cryptographic processing – smart cards, secure elements, TPMs, security keys etc. – but this is mostly because
- the firmware is designed to not be updatable over-the-air for security reasons,
- the hardware implements specific algorithms for efficiency,
- the hardware was not designed to cope with the new requirements, for example it lacks enough RAM to store the new, larger keys.
Warning
You will need to keep your software updated with the latest patches – but you’re doing that already, right?
… Right?