Paragon ships two post‑quantum toolkits for PHP as Google and Cloudflare push a 2029 deadline

April 9, 2026

Overview

It has been reported that Google set an aggressive 2029 timeline for migrating to post‑quantum cryptography, and Cloudflare allegedly matched that roadmap. The takeaway? The clock is ticking for every stack that still trusts classical crypto. Paragon Initiative Enterprises says the PHP community needs to take the quantum threat seriously — and fast. Will your app still be standing when a cryptographically relevant quantum computer arrives? Hard to sleep on that one.

What was released

Paragon today released two open‑source projects aimed at PHP: ext-pqcrypto and pqcrypto_compat. ext-pqcrypto is a PHP extension written in Rust (using ext‑php‑rs) that wraps RustCrypto’s post‑quantum KEMs and signature algorithms and exposes them under a PQCrypto namespace. For environments that can’t install extensions — think shared hosting and legacy deployments — pqcrypto_compat is a pure‑PHP fallback implementing three ML‑KEM parameter sets, all ML‑DSA sets, and the hybrid X‑Wing KEM. Per the Zeroth Rule of PHP Cryptography, if the extension is available, the Compat API will prefer the Rust implementation.

Why it matters

This isn’t just another library drop. By piggybacking on the RustCrypto ecosystem, PHP apps can benefit from the broader community work on performance and correctness without reinventing the wheel. That said: Paragon warns the code isn’t “pencils down” yet. There will be bugs; don’t rush it into production. Still — having both an extension and a pure‑PHP fallback is a pragmatic double‑track approach that acknowledges the realities of PHP deployments while moving the ecosystem toward a 2029 migration.

Bottom line

Paragon is a Florida‑based security firm with deep PHP and applied cryptography chops, and this release is a call to arms: start the migration work now. Quantum resistance is trending from academic headache to operational imperative. The hope is simple — and urgent: fewer embarrassing breaches, more peace of mind. Who wouldn’t want that?

Sources: paragonie.com, Lobsters