Zoom has over 300 million daily meeting participants. It is the default video conferencing tool for enterprises, law firms, healthcare providers, and government agencies worldwide. When people ask "is Zoom safe?" they typically mean: are my conversations private? Can someone intercept my call? The answer in 2026 is more nuanced than Zoom's marketing suggests.
Zoom's encryption is strong by classical standards. It uses well-established algorithms that are not broken by any known classical computer. But "classical" is the operative word. Zoom's entire cryptographic foundation — the key exchange that establishes session secrets, the digital signatures that authenticate participants — will be broken by quantum computers running Shor's algorithm. This is not a matter of if, but when.
This article is a technical audit. We examine exactly what cryptographic algorithms Zoom uses, identify precisely which components are quantum-vulnerable, and show how V100 replaces each vulnerable component with a NIST-standardized post-quantum alternative. We are not claiming Zoom is insecure today against classical threats. We are documenting that Zoom provides zero protection against quantum threats, while V100 provides defense-in-depth across three independent mathematical hardness assumptions.
Zoom's Cryptographic Architecture: What They Actually Use
Zoom's security architecture has improved substantially since the well-publicized issues of 2020. Their current implementation, based on publicly available documentation including Zoom's security whitepaper and their MLS-based E2EE specification, uses the following cryptographic primitives:
Zoom's cryptographic stack (as of 2026)
Zoom's E2EE mode, when enabled (it is off by default and disables cloud recording, live transcription, and breakout rooms), uses the Messaging Layer Security (MLS) protocol for group key agreement. The underlying key agreement within MLS still uses ECDH. MLS itself is protocol-agnostic regarding the key exchange algorithm, but Zoom's implementation binds it to P-256.
What Shor's Algorithm Actually Breaks (And What It Doesn't)
A common misconception is that quantum computers "break all encryption." This is false. Shor's algorithm is specific. It efficiently solves two mathematical problems: integer factorization and the discrete logarithm problem (including the elliptic curve discrete logarithm problem). These two problems are the foundation of:
RSA — based on integer factorization. Broken.
ECDH (all curves) — based on elliptic curve discrete log. Broken.
ECDSA — based on elliptic curve discrete log. Broken.
DSA — based on discrete log in finite fields. Broken.
Diffie-Hellman (all variants) — based on discrete log. Broken.
What Shor's algorithm does NOT break:
AES — symmetric cipher. Grover's algorithm provides at most a quadratic speedup, reducing 256-bit AES to 128-bit equivalent security. Still considered safe.
SHA-256/SHA-3 — hash functions. No known quantum algorithm provides better than quadratic speedup for preimage or collision attacks.
HMAC — hash-based message authentication. Quantum-resistant.
Here is the critical insight for Zoom's security model: Zoom's AES-256-GCM media encryption is quantum-resistant, but it is worthless without a quantum-resistant key exchange. If an attacker uses Shor's algorithm to solve the ECDH key exchange, they recover the shared secret. From the shared secret, they derive the AES session key via HKDF. With the AES session key, they decrypt every media frame in the session. The quantum-resistant AES encryption provides zero protection because the quantum-vulnerable key exchange gives away the key.
The chain breaks at the weakest link
ECDH P-256 → shared_secret (quantum-vulnerable)
HKDF(shared_secret) → session_key (derived from compromised input)
AES-256-GCM(session_key, media) → ciphertext (secure algorithm, compromised key)
Result: attacker decrypts everything
V100's Post-Quantum Stack: Algorithm-by-Algorithm Replacement
V100 replaces every quantum-vulnerable component in the video conferencing stack with a NIST-standardized post-quantum alternative. The symmetric components (AES-256-GCM, HKDF, SHA-3) remain unchanged because they are already quantum-resistant. The asymmetric components are replaced entirely.
| Function | Zoom (Classical) | V100 (Post-Quantum) | Quantum Safe |
|---|---|---|---|
| Key Exchange | ECDH P-256 | ML-KEM-768 + X25519 | Yes |
| Primary Signatures | ECDSA P-256 | ML-DSA-65 (FIPS 204) | Yes |
| Compact Signatures | ECDSA P-256 (64 B) | FALCON-512 (666 B) | Yes |
| Long-lived Attestation | None | SLH-DSA (FIPS 205) | Yes |
| Media Encryption | AES-256-GCM | AES-256-GCM | Yes (both) |
| Key Derivation | HKDF-SHA-256 | HKDF-SHA3-256 | Yes (both) |
ML-KEM-768: Replacing ECDH for Key Exchange
ML-KEM-768 (Module Learning with Errors Key Encapsulation Mechanism) is the NIST FIPS 203 standard for post-quantum key exchange. It replaces ECDH with a key encapsulation mechanism whose security is based on the Module Learning With Errors (MLWE) problem — a lattice problem that no known quantum algorithm can solve efficiently.
V100 uses a hybrid key exchange: ML-KEM-768 combined with X25519. The session key is derived as SHA3-256(x25519_shared || ml_kem_shared). This hybrid approach ensures that the session remains secure if either algorithm holds. Even if a catastrophic break in lattice cryptography occurred tomorrow, the X25519 component still provides classical security. And X25519 alone cannot be broken by a quantum computer in practice within the HNDL window.
ML-KEM-768 vs ECDH P-256 comparison
The public key size increase from 64 bytes to 1,184 bytes is a one-time cost per participant at session establishment. In the context of a video call that transmits megabytes of media data per second, this additional kilobyte of signaling data is statistically invisible.
ML-DSA-65 and FALCON-512: Replacing ECDSA for Authentication
Zoom's ECDSA signatures authenticate participant identities and sign protocol messages. When quantum computers break ECDSA, an attacker can forge signatures — impersonating any participant, injecting messages, and performing man-in-the-middle attacks that are cryptographically indistinguishable from legitimate communication.
V100 uses two post-quantum signature algorithms from two different mathematical families:
ML-DSA-65 (FIPS 204) is the primary signature scheme. Based on the Module Learning With Errors (MLWE) problem, it provides NIST Level 3 security. Signature size is 3,309 bytes (compared to ECDSA's 64 bytes), but signing speed is fast: approximately 0.3 milliseconds per operation. V100 uses ML-DSA-65 for session authentication, recording signatures, and all long-form protocol messages.
FALCON-512 is the compact signature scheme, based on the NTRU lattice problem — a mathematically distinct hardness assumption from MLWE. FALCON produces 666-byte signatures (the smallest of any lattice-based scheme), making it ideal for bandwidth-sensitive signaling messages where signatures must be transmitted frequently. V100 uses FALCON for real-time signaling channel authentication.
Using two signature schemes from independent mathematical families (MLWE and NTRU) means that a breakthrough against one lattice family does not compromise V100's authentication. This is defense-in-depth applied to signature verification.
The Critical Difference: What Happens When Q-Day Arrives
Let us project forward to the day a cryptographically relevant quantum computer (CRQC) becomes operational. The NSA estimates this could occur between 2030 and 2040. On that day, every recorded Zoom session becomes decryptable.
Q-Day scenario comparison
1. Attacker retrieves stored ECDH public keys from recorded handshake
2. Shor's algorithm solves ECDLP, recovers private keys (~4,000 logical qubits)
3. Attacker computes ECDH shared secret from recovered private keys
4. HKDF derives AES session key from compromised shared secret
5. Attacker decrypts every media frame with recovered AES key
Result: complete plaintext recovery of video, audio, screen shares, chat
1. Attacker retrieves stored ML-KEM ciphertext from recorded handshake
2. No known quantum algorithm efficiently solves MLWE
3. Session key remains secret
Result: encryption holds. No plaintext recovered.
Fair Comparison: Where Zoom Is Still Strong
This audit is intended to be factual, not a hit piece. Zoom has invested significantly in security since 2020, and there are dimensions where Zoom's offering is mature:
Classical security: Zoom's ECDH + AES-256-GCM is fully secure against all known classical attacks. If your threat model only includes today's computers, Zoom's encryption is sound.
Ecosystem: Zoom integrates with thousands of enterprise tools, has extensive admin controls, and supports large-scale deployments.
SOC 2 / FedRAMP: Zoom holds SOC 2 Type II and FedRAMP certifications, demonstrating mature security operations (though these certifications do not evaluate quantum readiness).
The question is not whether Zoom is a bad product. The question is whether Zoom's encryption will hold for the lifetime of the data it protects. For any conversation whose content remains sensitive beyond 2035, the answer is provably no.
Who Should Switch: A Practical Framework
Not every organization needs post-quantum video conferencing today. If your video calls discuss next week's lunch plans, quantum attacks are not your threat model. But if your conversations fall into any of the following categories, the harvest-now-decrypt-later threat is real and actionable:
Board meetings and executive strategy sessions — M&A discussions, competitive strategy, and financial projections have multi-decade sensitivity.
Legal proceedings — Depositions, attorney-client privilege conversations, and settlement negotiations are permanently privileged.
Healthcare — Patient data must be protected for the patient's lifetime under HIPAA. A telehealth session recorded today must remain confidential for 50+ years.
Government and defense — NSA's CNSA 2.0 mandates post-quantum transition by 2030. Agencies using Zoom for sensitive discussions are already non-compliant with the timeline.
Financial services — Trading strategies, customer account discussions, and regulatory communications have long sensitivity windows and attract state-level surveillance.
Complete Security Comparison: V100 vs Zoom
| Capability | Zoom | V100 |
|---|---|---|
| PQ Key Exchange | No | ML-KEM-768 (FIPS 203) |
| PQ Signatures | No | ML-DSA-65 + FALCON-512 |
| Hash-based Signatures | No | SLH-DSA (FIPS 205) |
| E2EE by Default | No (opt-in, feature-limited) | Yes (always on) |
| Per-frame Attestation | No | H33-74 Substrate |
| HNDL Protection | No | Yes (3 PQ families) |
| Independent Math Assumptions | 1 (ECDLP) | 3 (MLWE, NTRU, Hash) |
| Tamper-proof Recording | No cryptographic proof | PQ-signed chain of custody |
| NIST PQ Standard Compliance | None | FIPS 203, 204, 205 |
Migration Path: From Zoom to V100
V100 is an API-first video platform. Organizations can integrate V100's quantum-safe video into existing workflows through the REST API and SDKs. For teams using Zoom today, the transition path is straightforward:
Identify high-sensitivity meetings — Board meetings, legal consultations, healthcare, executive sessions. These move first.
Deploy V100 via API or white-label — V100 integrates into your existing calendar and scheduling workflows. Users see a branded experience with a green PQ-E2E badge.
Run in parallel — Keep Zoom for low-sensitivity meetings. Use V100 for anything with multi-year confidentiality requirements.
Full migration when ready — V100 supports all standard video conferencing features (recording, transcription, screen sharing, 200+ participants) with PQ protection on by default.
See the difference: quantum-safe video in action
V100 is the only video platform with ML-KEM-768 key exchange, ML-DSA-65 + FALCON-512 signatures, and SLH-DSA attestation protecting every session. Start free and verify the cryptography yourself.