Skip to main content

Quantum Threats

This chapter provides a first-principles account of quantum computing, the specific mechanisms by which quantum algorithms undermine current cryptographic systems, and the mathematical foundations of the defenses deployed in Zentalk. It is intended for readers who wish to understand not merely that quantum computers threaten encryption, but precisely why, and what can be done about it. The technical implementation details of Zentalk's post-quantum protocols are covered in Chapter 4.

Quantum Computing

Classical Limits

A classical computer, whether a smartphone or a supercomputer, operates on bits: indivisible units of information that take one of exactly two values, conventionally labeled 0 and 1. Every computation -- from rendering a web page to simulating a protein fold -- reduces to a sequence of logical operations on bits. A register of n classical bits can represent exactly one of 2n2^n possible states at any given moment. To examine all possible states, a classical computer must iterate through them sequentially or in parallel across multiple processors, but each processor still examines one state at a time.

This computational model, formalized by Alan Turing in 1936, has been extraordinarily successful. The exponential growth in classical computing power over the past seven decades (commonly described by Moore's Law) has been driven by miniaturization of transistors, not by a change in the underlying computational model. A modern processor contains billions of transistors, each implementing the same binary logic that Turing described ninety years ago. For certain classes of problems, however, no amount of classical hardware can overcome a fundamental algorithmic barrier: the best known classical algorithms require time that grows exponentially with the size of the input. These problems are not merely slow to solve on today's hardware; they are slow to solve on any classical hardware, regardless of how powerful.

Qubits and Superposition

A quantum computer replaces the classical bit with a quantum bit, or qubit. A qubit is a two-level quantum mechanical system -- typically realized as the spin state of a trapped ion, the polarization of a photon, or the current direction in a superconducting circuit -- that obeys the laws of quantum mechanics rather than classical physics. The crucial distinction is that a qubit can exist in a superposition of the states 0|0\rangle and 1|1\rangle simultaneously:

ψ=α0+β1|\psi\rangle = \alpha|0\rangle + \beta|1\rangle

where α,β\alpha, \beta are complex numbers (probability amplitudes) satisfying α2+β2=1|\alpha|^2 + |\beta|^2 = 1.

The coefficients α\alpha and β\beta are not probabilities but probability amplitudes, which can interfere constructively or destructively, much like waves on a water surface. When a qubit is measured, the superposition collapses: the outcome is 0|0\rangle with probability α2|\alpha|^2 and 1|1\rangle with probability β2|\beta|^2. Before measurement, however, the qubit exists in both states at once in a physically meaningful sense -- it carries information about both possibilities simultaneously.

A system of n qubits can exist in a superposition of all 2n2^n possible states at once:

ψ=x=02n1αxx|\psi\rangle = \sum_{x=0}^{2^n - 1} \alpha_x |x\rangle

where each αx\alpha_x is a complex amplitude satisfying αx2=1\sum |\alpha_x|^2 = 1.

This is not merely a compact mathematical notation. A quantum computer operating on n qubits can, in a single computational step, apply a transformation to all 2n2^n amplitudes simultaneously. This property -- known as quantum parallelism -- does not mean that a quantum computer "tries all answers at once" in the naive sense. The art of quantum algorithm design lies in structuring the computation so that the amplitudes of incorrect answers interfere destructively (canceling out) while the amplitudes of correct answers interfere constructively (amplifying), so that measurement yields the correct answer with high probability.

Entanglement

A second quantum mechanical phenomenon essential to quantum computation is entanglement. When two or more qubits become entangled, their states are correlated in a way that has no classical analogue. Measuring one qubit instantaneously determines the measurement outcome of the other, regardless of the physical distance between them. Formally, an entangled state of two qubits cannot be written as a product of individual qubit states:

ψ=12(00+11)[Bell state — entangled]|\psi\rangle = \frac{1}{\sqrt{2}} \bigl(|00\rangle + |11\rangle\bigr) \quad \text{[Bell state — entangled]}

This is not equivalent to ψ=ϕAϕB|\psi\rangle = |\phi_A\rangle \otimes |\phi_B\rangle for any single-qubit states ϕA|\phi_A\rangle, ϕB|\phi_B\rangle.

Entanglement allows quantum algorithms to establish correlations between qubits that classical algorithms cannot replicate efficiently, and it is a necessary resource for any quantum computation that achieves a speedup over classical methods.

Misconceptions

It is important to dispel a common misconception. A quantum computer is not simply a faster classical computer. It does not accelerate arbitrary computations. For many problems -- including most everyday computing tasks such as word processing, web browsing, and database queries -- a quantum computer offers no advantage over a classical machine. The advantage is algorithmic: for specific, mathematically structured problems, quantum algorithms exploit superposition and entanglement to achieve computational complexities that are provably unattainable by any classical algorithm. The problems relevant to cryptography, as we shall see, happen to be among them.

Breaking Encryption

Shor's Algorithm

In 1994, the mathematician Peter Shor published an algorithm that, if executed on a sufficiently large quantum computer, would solve two of the foundational hard problems of public-key cryptography in polynomial time [Shor 1994]:

I. Integer factorization. Given a composite integer N=pqN = p \cdot q, find the prime factors pp and qq.

II. The discrete logarithm problem. Given elements gg and h=gxh = g^x in a cyclic group, find the exponent xx.

The complexity of Shor's algorithm for factoring an n-bit integer is:

O(n2lognlog(logn))quantum operationsO\bigl(n^2 \cdot \log n \cdot \log(\log n)\bigr) \quad \text{quantum operations}

This is polynomial in the input size -- a dramatic contrast with the best known classical factoring algorithm (the General Number Field Sieve), which requires:

O ⁣(exp ⁣(cn1/3(logn)2/3))classical operations, where c1.923O\!\left(\exp\!\left(c \cdot n^{1/3} \cdot (\log n)^{2/3}\right)\right) \quad \text{classical operations, where } c \approx 1.923

For concrete numbers: factoring a 2048-bit RSA modulus classically is estimated to require approximately 21122^{112} operations, a computational effort far beyond any existing hardware. Shor's algorithm would accomplish the same factorization in roughly 2402^{40} quantum operations -- a task that a sufficiently large quantum computer could complete in hours.

The implications for currently deployed public-key cryptography are comprehensive:

RSA
Relies on the difficulty of factoring the product of two large primes. Shor's algorithm recovers the private key from the public key in polynomial time, rendering RSA encryption and signatures entirely insecure.
Elliptic Curve Cryptography (ECC)
Including X25519 and Ed25519 used in Zentalk's classical layer. Shor's algorithm, adapted for elliptic curves, solves the ECDLP in polynomial time. Breaking 256-bit ECC requires an estimated 2,330–4,000 logical qubits [Roetteler et al. 2017].
Diffie-Hellman Key Exchange
Both finite-field and elliptic curve variants fall to the same discrete logarithm attack. Every classical key agreement protocol in widespread use — TLS, SSH, PGP, and every major encrypted messenger — is vulnerable.

The impact on symmetric cryptography is qualitatively different and far less severe, as discussed below.

Grover's Algorithm

In 1996, Lov Grover published a quantum algorithm for unstructured search that provides a quadratic speedup over classical brute-force search [Grover 1996]. Given a function ff that returns 1 for exactly one of NN possible inputs and 0 for all others, a classical search must evaluate ff on average N/2N/2 times. Grover's algorithm finds the marked input in:

O ⁣(N)quantum evaluations of fO\!\left(\sqrt{N}\right) \quad \text{quantum evaluations of } f

Applied to symmetric cryptography:

AES-256
Key space 22562^{256}. Grover reduces brute-force to O(2128)O(2^{128}) — still far beyond any foreseeable computation. 128-bit security is the minimum acceptable threshold for long-term protection.
SHA-256
Collision resistance 2128{\sim}2^{128}. The BHT quantum algorithm reduces this to 285{\sim}2^{85} — a meaningful reduction, but 2852^{85} operations remain computationally infeasible.
HMAC-SHA256
With a 256-bit key, retains 128-bit security against quantum adversaries by the same Grover argument.

The critical conclusion is that symmetric cryptography survives the quantum transition. AES-256, SHA-256, and HMAC-SHA256 -- the symmetric primitives used throughout Zentalk -- retain security levels that are considered safe even against quantum adversaries, provided the key lengths are sufficient (which they are). The vulnerability is concentrated entirely in public-key cryptography: key agreement (X25519, ECDH, DH) and digital signatures (Ed25519, ECDSA, RSA).

Quantum Impact Summary

PrimitiveClassical SecurityQuantum SecurityStatus
RSA-2048~112-bit0-bit (Shor)Broken
RSA-4096~140-bit0-bit (Shor)Broken
X25519 / ECDH-256128-bit0-bit (Shor)Broken
Ed25519 / ECDSA-256128-bit0-bit (Shor)Broken
AES-128128-bit64-bit (Grover)Weakened (insufficient)
AES-256256-bit128-bit (Grover)Safe
SHA-256 (collision)128-bit~85-bit (BHT)Safe
HMAC-SHA256256-bit128-bit (Grover)Safe

The table reveals a stark asymmetry. Symmetric algorithms lose at most half their security level and remain viable at current key sizes. Public-key algorithms based on factoring or discrete logarithms lose all their security and must be replaced entirely.

Quantum Threat to Classical Cryptography
Shor's algorithm efficiently factors integers and computes discrete logarithms, breaking RSA and elliptic curve cryptography. No equivalent quantum algorithm exists for the Module Learning With Errors problem underlying Kyber-768.

Harvest Now, Decrypt Later

Harvest Now, Decrypt Later — The Quantum Threat Timeline
An adversary intercepts and stores encrypted traffic today, then decrypts it once a quantum computer is available. Zentalk's hybrid post-quantum key exchange closes this vulnerability at the moment of key agreement.

Retroactive Decryption

The quantum threat to cryptography is not a future problem. It is a present-day problem with a deferred consequence.

Intelligence agencies and state-level adversaries operate large-scale communications interception programs. The existence and scope of such programs has been documented through official disclosures, parliamentary inquiries, and leaked classified materials across multiple jurisdictions. These programs collect and store encrypted communications in bulk, including communications that cannot currently be decrypted. The operating assumption -- confirmed by public statements from intelligence officials and by the investment patterns of national security agencies -- is that stored ciphertexts will become decryptable when sufficiently powerful quantum computers become available.

This strategy is known as "harvest now, decrypt later" (HNDL), and its logic is straightforward:

Intercept
Store ciphertext C=Encrypt(k,message)C = \text{Encrypt}(k, \text{message}) today.
Wait
Until a quantum computer can recover kk from the public-key exchange.
Decrypt
message=Decrypt(k,C)\text{message} = \text{Decrypt}(k, C)

The cost of storage is negligible and declining (approximately $0.004 per gigabyte per month at current cloud storage rates). The cost of interception is already budgeted. The only variable is the timeline for quantum computers capable of running Shor's algorithm at cryptographically relevant scales.

Timeline Estimates

Estimates for when a cryptographically relevant quantum computer (CRQC) will exist vary, but converge on a range:

Global Risk Institute (2024)
Median expert estimate: 14% probability of a cryptographically relevant quantum computer by 2030, 57% by 2040.
NSA — CNSA 2.0 (2022)
All national security systems must begin transitioning to post-quantum algorithms by 2025, with completion required by 2035.
ENISA (2024)
Organizations should migrate to post-quantum cryptography immediately for data that must remain confidential beyond 2030.

The precise date is less important than the following observation: if a message encrypted today must remain confidential for T years, and a CRQC becomes available in Y years, then the message is at risk if T>YT > Y. For a journalist's source whose identity must remain protected indefinitely, a diplomat's classified communication, a physician's patient records (subject to decades-long retention requirements), or an activist's correspondence in an authoritarian state, the relevant time horizon is measured in decades. Against a "harvest now, decrypt later" adversary, the effective window of vulnerability is already open.

Who Is at Risk

The HNDL threat is not uniformly distributed. The following categories of communication face the most acute risk:

Journalists
Sources whose exposure could result in prosecution, imprisonment, or physical harm.
Activists and Dissidents
Operating in jurisdictions where political activity is criminalized.
Legal Professionals
Attorney-client privilege, where retroactive disclosure compromises proceedings.
Medical Professionals
Patient records governed by long-term confidentiality requirements.
Diplomats
Communications classified at levels requiring decades of protection.
Corporate Entities
Trade secrets and intellectual property with long commercial lifetimes.

For these users, the decision to encrypt communications using only classical algorithms -- algorithms known to be vulnerable to quantum attack -- is a decision to accept a quantifiable, time-bounded risk. Post-quantum cryptography eliminates this risk.

Lattice-Based Cryptography

Hard Problems

The collapse of factoring and discrete logarithm assumptions under Shor's algorithm necessitates the identification of mathematical problems that remain hard even for quantum computers. Several candidate families have been studied extensively:

Hash-Based Signatures
Lamport, Merkle, SPHINCS+. Security reduces to hash function preimage resistance, which Grover weakens but does not break.
Code-Based Cryptography
McEliece, BIKE, HQC. Security reduces to decoding random linear codes.
Multivariate Polynomials
Rainbow, GeMSS. Security reduces to solving systems of multivariate polynomial equations over finite fields.
Isogeny-Based
SIKE/SIDH. Security reduces to finding isogenies between supersingular elliptic curves. SIKE was broken by a classical attack in 2022, demonstrating that not all post-quantum candidates withstand scrutiny.
Lattice-Based
Kyber, Dilithium, NTRU. Security reduces to finding short vectors in high-dimensional lattices. This is the family Zentachain uses.

Of these families, lattice-based cryptography has emerged as the most broadly adopted foundation for post-quantum key exchange and digital signatures, owing to a combination of strong security arguments, efficient implementations, and decades of cryptanalytic attention.

Lattice Problems

A lattice in nn-dimensional Euclidean space is the set of all integer linear combinations of a collection of linearly independent basis vectors {b1,b2,,bn}\{b_1, b_2, \ldots, b_n\}:

L={z1b1+z2b2++znbn:ziZ}\mathcal{L} = \{ z_1 b_1 + z_2 b_2 + \cdots + z_n b_n : z_i \in \mathbb{Z} \}

Visually, in two dimensions, a lattice is an infinite grid of regularly spaced points (though in general the spacing need not be uniform along different directions, and in high dimensions the geometry becomes far more complex than human spatial intuition can accommodate).

Two problems on lattices are believed to be computationally hard, even for quantum computers:

The Shortest Vector Problem (SVP). Given a basis for a lattice L\mathcal{L}, find the shortest nonzero vector in L\mathcal{L}:

Find vL{0} such that v=minwL{0}w\text{Find } v \in \mathcal{L} \setminus \{0\} \text{ such that } \|v\| = \min_{w \in \mathcal{L} \setminus \{0\}} \|w\|

In two dimensions, this is trivial -- one can visually identify the shortest lattice vector. In hundreds or thousands of dimensions, the problem becomes intractable. The best known classical algorithms (lattice sieving, BKZ) require time exponential in the lattice dimension:

Classical: O(2cn) where c0.292 (sieving)\text{Classical: } O(2^{cn}) \text{ where } c \approx 0.292 \text{ (sieving)} Quantum: O(2cn) where c0.265 (quantum sieving)\text{Quantum: } O(2^{c'n}) \text{ where } c' \approx 0.265 \text{ (quantum sieving)}

Critically, the quantum speedup is only a constant-factor improvement in the exponent -- it does not reduce the problem from exponential to polynomial as Shor's algorithm does for factoring. This is the fundamental reason lattice problems are believed to resist quantum attack.

The Learning With Errors Problem (LWE). Given a matrix AZqm×nA \in \mathbb{Z}_q^{m \times n} and a vector b=As+e(modq)b = As + e \pmod{q}, where ss is a secret vector and ee is a "small" error vector sampled from a discrete Gaussian distribution, recover ss:

Given: AZqm×n (public, random),b=As+e(modq)\text{Given: } A \in \mathbb{Z}_q^{m \times n} \text{ (public, random)}, \quad b = As + e \pmod{q} where sZqn (secret),eDZm,σ (discrete Gaussian)\text{where } s \in \mathbb{Z}_q^n \text{ (secret)}, \quad e \sim D_{\mathbb{Z}^m, \sigma} \text{ (discrete Gaussian)} Find: s\text{Find: } s

Without the error term ee, this would be a system of linear equations solvable by Gaussian elimination in polynomial time. The addition of the small error vector transforms the problem from trivially solvable to (believed) intractable. The error acts as a form of information-theoretic "noise" that obscures the linear structure.

The LWE problem was introduced by Oded Regev in 2005 [Regev 2005], who proved a quantum reduction from worst-case lattice problems (including approximations of SVP) to average-case LWE. This reduction means that breaking LWE -- even for random instances -- is at least as hard as solving worst-case lattice problems, providing a strong theoretical foundation for cryptographic constructions based on LWE.

ML-KEM (formerly CRYSTALS-Kyber)

ML-KEM (formerly CRYSTALS-Kyber; Cryptographic Suite for Algebraic Lattices -- Key Encapsulation Mechanism), standardized as NIST FIPS 203, is a key encapsulation mechanism (KEM) whose security is based on a structured variant of LWE called Module-LWE (MLWE). The structuring replaces integer vectors with vectors of polynomials over the ring Rq=Zq[X]/(X256+1)R_q = \mathbb{Z}_q[X]/(X^{256} + 1), where q=3329q = 3329. This algebraic structure enables smaller key sizes and faster operations while preserving the essential hardness of the underlying lattice problem.

Following a seven-year evaluation process involving submissions from research teams worldwide, NIST selected Kyber as the sole post-quantum key encapsulation standard, publishing it as FIPS 203 (ML-KEM) in August 2024. The standardization process included extensive public scrutiny, independent security analyses, and side-channel resistance evaluations.

Kyber is defined at three security levels:

Parameter SetNIST LevelApproximate SecurityPublic KeyCiphertext
Kyber-512 (ML-KEM-512)Level 1~128-bit quantum800 bytes768 bytes
Kyber-768 (ML-KEM-768)Level 3~183-bit classical1,184 bytes1,088 bytes
Kyber-1024 (ML-KEM-1024)Level 5~256-bit quantum1,568 bytes1,568 bytes

Zentalk uses ML-KEM-768 (Kyber-768), which provides NIST Security Level 3 -- approximately 183-bit classical security and approximately 161-bit quantum security, based on conservative core-SVP hardness estimates. The best known quantum attack against Kyber-768 requires on the order of 21612^{161} quantum operations. For comparison, the total number of operations performed by all computers on Earth in a year is estimated at approximately 2932^{93}.

NIST Standardization

The significance of the NIST standardization process warrants emphasis. NIST's Post-Quantum Cryptography Standardization Project began in 2016 with 69 candidate submissions. Over four rounds of evaluation, candidates were scrutinized by hundreds of independent cryptographers and subjected to both classical and quantum cryptanalytic attacks. Several initially promising candidates were eliminated during the process -- most notably SIKE, which was broken entirely by a classical algorithm after reaching the fourth round [Castryck and Decru 2022], and Rainbow, whose parameters were shown to be insufficient [Beullens 2022].

Kyber survived this process intact. No practical attack -- classical or quantum -- has been found against its recommended parameter sets. The NIST standardization provides a level of confidence that ad hoc or proprietary constructions cannot match: the algorithm has been examined by the global cryptographic community under adversarial conditions for nearly a decade.

Hybrid Post-Quantum Construction

Hybrid Approach

A naive response to the quantum threat would be to discard classical cryptography entirely and replace it with post-quantum alternatives. Zentalk does not take this approach. Instead, it employs a hybrid construction that combines the classical X25519 key agreement with the post-quantum Kyber-768 key encapsulation, deriving the final shared secret from both components simultaneously.

The rationale for this design is the principle of defense in depth applied to cryptographic assumptions:

Quantum Breaks X25519
Shor's algorithm compromises the classical component. Kyber-768 remains secure (lattice problems resist Shor). The hybrid secret retains full post-quantum security.
Breakthrough Breaks Kyber-768
A future algorithm solves MLWE efficiently. X25519 remains secure against all classical adversaries. The hybrid secret retains full classical security.
Neither Is Broken
Both components contribute independent entropy. Security is at least as high as the stronger component:
Security(Hybrid)max ⁣(Security(X25519),  Security(Kyber-768))\text{Security}(\text{Hybrid}) \geq \max\!\bigl(\text{Security}(\text{X25519}),\; \text{Security}(\text{Kyber-768})\bigr)

This property is not merely a heuristic. It follows from the construction of the combiner. The shared secrets from both key exchanges are concatenated and processed through HKDF-SHA256, a randomness extractor. If the HKDF is modeled as a random oracle, the output is computationally indistinguishable from random as long as at least one of the two input secrets is indistinguishable from random. An adversary who can distinguish the hybrid output from random must be able to break both the X25519 assumption (ECDLP hardness) and the Kyber-768 assumption (MLWE hardness). The hybrid is strictly at least as strong as the stronger component.

Key Exchange

When two Zentalk users establish a conversation, the key exchange proceeds as follows:

  1. Both parties generate classical key pairs (X25519) and post-quantum key pairs (Kyber-768) as part of their key bundles.

  2. The initiating party performs both a classical X25519 key agreement and a Kyber-768 key encapsulation against the recipient's public keys, producing two independent shared secrets:

classical_secret  = X25519(initiator_private, recipient_public)     [32 bytes]
pqc_secret        = Kyber768.Decapsulate(kyber_private, ciphertext) [32 bytes]
  1. The two secrets are combined through HKDF-SHA256 with domain separation:
hybrid_secret = HKDF-SHA256(
    IKM  = classical_secret || pqc_secret,
    salt = HYBRID_X3DH_SALT,
    info = "zentalk.hybrid-x3dh.v1"
)
  1. The resulting hybrid secret initializes the Double Ratchet protocol, which governs all subsequent message encryption for the conversation.

The additional computational cost of the hybrid exchange is approximately 0.7 milliseconds on contemporary hardware (measured on an Apple M3 Pro). The additional bandwidth is approximately 3.5-4.5 KB per session establishment, incurred only once at the beginning of each conversation. Subsequent messages incur no post-quantum overhead, as the Double Ratchet operates with standard 32-byte Diffie-Hellman public keys.

Digital Signatures

The same defense-in-depth principle extends to digital signatures. Zentalk's key bundles are authenticated using both Ed25519 (classical) and Dilithium3 (post-quantum, standardized as NIST FIPS 204 / ML-DSA-65). Both signatures must verify for a key bundle to be accepted. If either signature scheme is broken, the other continues to provide authentication guarantees. An attacker who wishes to forge a key bundle must break both Ed25519 and Dilithium3 simultaneously.

Compatibility

The hybrid protocol is designed for graceful degradation. When a Zentalk user communicates with a client that does not yet support post-quantum cryptography, the system falls back to the classical X25519-only key exchange. No negotiation or error condition occurs; the absence of Kyber public keys in the recipient's key bundle simply causes the initiator to omit the post-quantum component. This ensures that the deployment of post-quantum protection does not fragment the user base or prevent communication between upgraded and non-upgraded clients.

Deployment Urgency

Timing

There is a fundamental asymmetry in the timing of the quantum threat. Deploying post-quantum cryptography after quantum computers exist protects only future communications. It does nothing for communications already sent and intercepted. If a message encrypted today with classical-only cryptography is harvested by an adversary, deploying post-quantum protection tomorrow, next year, or next decade does not retroactively protect that message. The plaintext will be recovered when the adversary gains access to a quantum computer, regardless of any subsequent protocol upgrades.

This means the decision to deploy post-quantum cryptography is time-sensitive in a way that most engineering decisions are not. Every day of delay extends the window during which intercepted communications are vulnerable to future quantum decryption. The cost of premature deployment is modest (slightly larger key bundles, marginally increased bandwidth during session establishment). The cost of delayed deployment is the permanent, irrevocable exposure of every message sent during the delay period.

Current State

As of 2026, the adoption of post-quantum cryptography in messaging systems remains limited. Most major messaging platforms continue to rely exclusively on classical key exchange algorithms. Google Chrome and Cloudflare have deployed hybrid post-quantum key exchange for TLS connections, protecting web traffic. Apple has introduced PQ3 in iMessage, employing a hybrid key exchange. Signal has deployed the PQXDH protocol. However, the vast majority of encrypted communication -- including most enterprise messaging, email encryption, VPN tunnels, and IoT device communication -- remains protected by classical cryptography alone.

Zentalk's deployment of hybrid post-quantum encryption places it among the earliest messaging systems to provide production-grade quantum resistance. Every conversation initiated with hybrid key exchange is protected against both current classical adversaries and future quantum adversaries. The "harvest now, decrypt later" window is closed for these conversations at the moment of key agreement, not at some future date contingent on the pace of quantum hardware development.

Insurance

The hybrid post-quantum approach can be understood as a form of cryptographic insurance. The premium is small: a fraction of a millisecond of computation and a few kilobytes of additional bandwidth, paid once per conversation. The coverage is comprehensive: protection against the complete class of quantum attacks on key exchange, with no degradation of classical security guarantees. The alternative -- relying on classical cryptography alone and hoping that quantum computers arrive later rather than sooner, or that one's communications are not among those being harvested -- is a bet against a well-documented and increasingly probable threat.

For users whose communications carry long-term sensitivity -- and for a privacy-focused communication system, the conservative assumption is that all communications do -- deploying hybrid post-quantum encryption today is not a speculative precaution. It is the minimum responsible cryptographic engineering practice.