Qubble Labs

◇ Thesis · long form · 2026

The confidentiality layer of the internet
needs to be rebuilt before
a quantum computer is fielded that can break it.

This is the focus of our current work. The paragraphs below present the reasoning. They are written so that readers who recognise the problem can compare perspectives, and readers who don't can evaluate the claims and decide where we are wrong.


§ 01

A boundary, not a forecast

The arrival of a cryptographically relevant quantum computer is not the interesting variable. The interesting variable is the gap between the moment one is fielded and the moment the confidentiality layer it can break has been replaced. That gap is the work.

The replacement is mechanically straightforward and politically slow. The primitives exist. NIST published ML-KEM, ML-DSA, and SLH-DSA as FIPS 203, 204, and 205 in August 2024. The standards bodies have done their part. What is left is integration into the actual moving parts of the internet: every TLS endpoint, every SSH daemon, every VPN concentrator, every messenger's key-exchange flow, every code-signing chain. That integration runs at the speed of organisational inertia.

Meanwhile, adversaries continue to capture and store encrypted traffic. Storage is the cheap part. The expensive part has been the cryptanalysis, and the cryptanalysis is the part that gets cheaper on a schedule no integration project is going to outrun.

The question is not whether the boundary will be crossed. The question is what fraction of the present internet will be on the wrong side of it.


§ 02

The narrow response, and where it stops

The dominant response is straightforward: replace each asymmetric primitive in the existing stack with its NIST PQC counterpart, in some cases hybrid with the classical primitive during transition, and declare the migration done when every component has switched. This is correct, and it is necessary, and it is the cleanest thing to do for most of the stack.

It is also not the whole answer. Three things it does not address:

  1. The captures already in storage remain protected only by the key exchange that produced their session keys; when that exchange falls, so do they. A post-quantum upgrade of TLS in 2027 does nothing for the TLS recorded in 2024.
  2. The side-channel surface of lattice schemes is younger than the side-channel surface of RSA and ECDH, and several constant-time properties are non-trivial to preserve in production environments — particularly browser ones. The community is actively mitigating this, and there will be incidents along the way.
  3. Surfaces that did not need asymmetric primitives in the first place are now acquiring lattice schemes where they could have used none. This is the part we care about most. The discipline we're proposing is to not add the surface unless the threat model genuinely requires it.

Reasonable people will disagree about where that line falls. The principle is the part we are confident about.


§ 03

The bet we're willing to take

For a meaningful subset of the things people do over the internet — private messaging, configuration of trust between known parties, distribution of state between machines that have already met — the minimum cryptographic surface is symmetric. Two endpoints that share a 256-bit key can communicate in a way whose quantum security degrades under Grover's algorithm to roughly a 128-bit level and stops there. Forward secrecy is obtained via a symmetric one-way ratchet, the symmetric half of Signal's Double Ratchet construction: each message key is derived from a chain key that is then discarded, so an endpoint compromised later reveals nothing about earlier messages. What the symmetric ratchet alone does not give is post-compromise security; without an asymmetric step, a party holding the current chain key can follow the conversation forward until the endpoints re-key out of band. Our parameter choices are documented on the security page. Integrity is an HMAC or a GCM tag. None of this is novel; it is composed from primitives that are decades old, that have been attacked by the entire field, and that have no Shor surface by construction.

The engineering challenge is not the primitives. It is the workflow that gets the shared key between the two endpoints without putting it on a network. Out-of-band key exchange — a URL fragment that never crosses a request boundary, a QR code, a physical handoff — is an old idea. It carries real user-side friction. It also removes an entire class of future attack from the lifetime of a conversation.

What we are building is the discipline of choosing the smallest primitive set that the work allows, demonstrated through surfaces that show the discipline composes into useful systems.

The cleanest defense against Shor's algorithm is not running it on anything.


§ 04

Why ship surfaces instead of a whitepaper

The right way to demonstrate a cryptographic discipline is not to publish a whitepaper that gestures at it. It is to ship a surface that operates under it, expose enough of the internals that a careful reader can verify the claims, and let the surface accumulate adversarial attention.

Qubble Chat is our first such surface. The server it runs on receives only ciphertext; it holds no key material and performs no decryption. Every message exposes its ratchet step, IV, and key fingerprint in the client UI, where they can be checked against the documented wire format. Full posture and primitives are on the security page; the disclosure channel runs through security@qubblelabs.com. The claims above are stated so that they can be falsified.

The next surfaces extend the same discipline into adjacent layers of the stack. We will publish them only when each is at a state where it can be criticised on the terms it sets for itself.


§ 05

What this thesis does not claim


§ 06

An invitation, not an announcement

If the argument above matches something you already see, write to us. Tell us what you build, where you think we're wrong, what you would look at first if we asked you to. The briefing channel exists for exactly that conversation.

◇ This document describes cryptographic constraints and architectural decisions. It is technical infrastructure, not a commercial roadmap.