This blog post might answer some of your questions
replyI'm seeing more of a gradual path.
replyChrome 124 (april 24) introduced hybrid post-quantum TLS, and Chrome 131 (nov 24) switched to a hybrid using ML-KEM, which was standardized in 2024, just after Firefox 132 (oktober 2024), while openssh introduced a hybrid scheme in release 9.0 (April 2022) and made ML-KEM+25519 default in OpenSSH 10.0 (April 2025).
Hybrid PQ schemes being adopted in other places is people playing catch-up, not the avant garde.
I'd say digital signatures should be the foremost concern, those may need to provide non-repudiation for decades.
> What could be the reason for this?
replyHype
“So, here it is: if quantum computers start breaking cryptography a few years from now, don’t you dare come to this blog and tell me that I failed to warn you. This post is your warning. Please start switching to quantum-resistant encryption, and urge your company or organization or blockchain or standards body to do the same.“
replyIt is NIST's world, we merely live in it.
reply As researchers around the world race to build quantum computers that could break current encryption ... NIST is ... developing algorithms to protect our data and systems.
NIST has already released three post-quantum cryptography standards that can be implemented now ...
These Federal Information Processing Standards (FIPS) ... are mandatory for federal systems and adopted by organizations around the world ...
Long con for NSA to push post quantum algorithms to displace old non quantum one they couldn't find vulnerability in /s
replyAny sane implementation (like the tool presented here) uses a hybrid scheme with both non-pq and pq combined. But there seems to be some truth to what you’re saying. Story unfolding: https://blog.cr.yp.to/20251004-weakened.html
reply