The post-quantum cryptography reference
A cited, plain-language encyclopedia of the quantum threat and the cryptography that answers it: the NIST standards, migration in practice, and what it all means for blockchains.
Start here
The entries most readers come for.
Post-quantum cryptography
Post-quantum cryptography is the field of cryptographic algorithms designed to resist attacks by both classical computers and future quantum computers.
ML-KEM (FIPS 203)
ML-KEM is the module-lattice key-encapsulation mechanism of FIPS 203, formerly CRYSTALS-Kyber, and the default post-quantum key establishment method.
Is Bitcoin quantum safe?
An evidence-based look at Bitcoin's quantum exposure: which coins have revealed public keys, how fast an attacker must be, and the proposed fixes.
Harvest now, decrypt later
Harvest now, decrypt later is an attack in which encrypted data is recorded today so it can be decrypted once quantum computers can break the encryption.
Q-Day
Q-Day is the hypothetical future date when a cryptographically relevant quantum computer can break RSA and elliptic curve cryptography in practice.
Post-quantum algorithm comparison
Reference comparison of ML-KEM, ML-DSA, SLH-DSA, FN-DSA, and HQC against RSA and elliptic-curve cryptography on sizes, speed, and security basis.
Browse by category
Foundations
The concepts behind the field: the quantum threat, the algorithm families, and why public-key cryptography is being replaced.
Standards & algorithms
The NIST post-quantum standards and the algorithms behind them: ML-KEM, ML-DSA, SLH-DSA, FN-DSA, HQC, with parameters and comparisons.
Migration & practice
Post-quantum cryptography in production: TLS, SSH, PKI, messaging protocols, and the libraries that implement the standards.
Blockchain & quantum
What quantum computing means for Bitcoin and other blockchains: exposed keys, honest timelines, and post-quantum chain designs.
Ecosystem
Reference entries on the BTX post-quantum ecosystem. These describe projects maintained by this wiki's team and are labeled as such.
Glossary
Short, precise definitions of the terms used across the wiki.
Foundations
View category →- Code-based cryptographyCode-based cryptography builds encryption on the hardness of decoding random linear codes, from McEliece in 1978 to the NIST-selected HQC KEM.
- Grover's algorithmGrover's algorithm gives quantum computers a quadratic speedup for unstructured search, weakening symmetric ciphers and hash functions but not breaking them.
- Harvest now, decrypt laterHarvest now, decrypt later is an attack in which encrypted data is recorded today so it can be decrypted once quantum computers can break the encryption.
- Hash-based signaturesHash-based signatures derive their security only from hash functions, spanning stateful XMSS and LMS and the stateless NIST standard SLH-DSA.
- Isogeny-based cryptographyIsogeny-based cryptography builds on maps between supersingular elliptic curves; SIDH and SIKE were broken in 2022, leaving CSIDH and SQIsign.
- Lattice-based cryptographyLattice-based cryptography builds encryption and signatures on hard lattice problems such as LWE and underpins the NIST standards ML-KEM and ML-DSA.
- Multivariate cryptographyMultivariate cryptography builds signatures on the hardness of solving multivariate quadratic equations, from the broken Rainbow to the surviving UOV and MAYO.
- Post-quantum cryptographyPost-quantum cryptography is the field of cryptographic algorithms designed to resist attacks by both classical computers and future quantum computers.
- Q-DayQ-Day is the hypothetical future date when a cryptographically relevant quantum computer can break RSA and elliptic curve cryptography in practice.
- Quantum computerA quantum computer processes information with qubits and quantum effects; current machines remain far from breaking deployed public key cryptography.
- Quantum key distribution (QKD)Quantum key distribution (QKD) uses quantum physics to share encryption keys; the NSA and UK NCSC recommend post-quantum cryptography instead.
- Shor's algorithmShor's algorithm factors integers and computes discrete logarithms in polynomial time on a quantum computer, breaking RSA, Diffie-Hellman, and ECDSA.
Standards & algorithms
View category →- BIKEBIKE is a code-based key-encapsulation mechanism using QC-MDPC codes with compact keys, not chosen by NIST in round 4 due to decoding-failure-rate concerns.
- Classic McElieceClassic McEliece is a code-based key-encapsulation mechanism from 1978, the oldest unbroken post-quantum scheme, with very large keys and tiny ciphertexts.
- FN-DSA / FalconFN-DSA is the planned FIPS 206 standard for the Falcon signature scheme, an NTRU-lattice design with the smallest keys and signatures among NIST selections.
- FrodoKEMFrodoKEM is a key-encapsulation mechanism built on plain, unstructured LWE, trading larger keys and slower operations for a conservative security margin.
- HQCHQC is a code-based key-encapsulation mechanism selected by NIST in March 2025 as a backup to ML-KEM, adding non-lattice diversity to the PQC standards.
- ML-DSA (FIPS 204)ML-DSA is the module-lattice digital signature algorithm of FIPS 204, formerly CRYSTALS-Dilithium, and the primary post-quantum signature recommendation.
- ML-KEM (FIPS 203)ML-KEM is the module-lattice key-encapsulation mechanism of FIPS 203, formerly CRYSTALS-Kyber, and the default post-quantum key establishment method.
- NIST Post-Quantum Cryptography StandardizationNIST's multi-year process to standardize post-quantum cryptography, from the 2016 call for proposals to FIPS 203, 204, and 205 and the 2025 HQC selection.
- Post-quantum algorithm comparisonReference comparison of ML-KEM, ML-DSA, SLH-DSA, FN-DSA, and HQC against RSA and elliptic-curve cryptography on sizes, speed, and security basis.
- SLH-DSA (FIPS 205)SLH-DSA is the stateless hash-based signature scheme of FIPS 205, formerly SPHINCS+, valued for resting only on well-studied hash function security.
Migration & practice
View category →- Apple iMessage PQ3Apple iMessage PQ3 is a post-quantum messaging protocol with Kyber-based key establishment and ongoing rekeying, deployed to iMessage beginning March 2024.
- Browser post-quantum adoptionBrowser post-quantum adoption traces how Chrome, Firefox, Edge, and Safari enabled hybrid ML-KEM key exchange in TLS, from 2023 experiments to default rollout.
- Hybrid cryptography (PQ/T hybrid)Hybrid cryptography combines a classical algorithm with a post-quantum one so that security holds as long as either component remains unbroken.
- liboqsliboqs is an open source C library from the Open Quantum Safe project that provides a unified API for post-quantum key encapsulation and signature schemes.
- OpenSSL post-quantum supportOpenSSL added native ML-KEM, ML-DSA, and SLH-DSA support in version 3.5, an LTS release from April 2025 that also enabled hybrid post-quantum TLS key exchange.
- PKI migration to post-quantumPKI migration to post-quantum cryptography replaces RSA and ECDSA across roots, chains, HSMs, and CT logs, guided by NIST IR 8547 and its 2030 to 2035 timeline.
- Post-quantum cryptography librariesPost-quantum cryptography libraries compared in one directory: liboqs, PQClean, OpenSSL, BoringSSL, AWS-LC, wolfSSL, Bouncy Castle, CIRCL, and reference code.
- Post-quantum SSHPost-quantum SSH covers OpenSSH hybrid key exchange, sntrup761x25519 since 2022 and ML-KEM based mlkem768x25519, protecting sessions from future quantum attack.
- Post-quantum TLSPost-quantum TLS adds quantum-resistant key exchange to TLS 1.3 through hybrid groups such as X25519MLKEM768, now protecting a large share of web traffic.
- PQCleanPQClean is a repository of clean, portable C implementations of post-quantum schemes from the NIST standardization project, used by liboqs and other libraries.
- Side-channel attacks on post-quantum cryptographySide-channel attacks recover secrets from the timing, power, or electromagnetic behavior of a post-quantum implementation, not from breaking its math.
- Signal PQXDHSignal PQXDH is the Signal Protocol post-quantum initial key agreement, combining X25519 with Kyber since September 2023 to resist harvest now, decrypt later.
Blockchain & quantum
View category →- Is Bitcoin quantum safe?An evidence-based look at Bitcoin's quantum exposure: which coins have revealed public keys, how fast an attacker must be, and the proposed fixes.
- Post-quantum blockchains (survey)A neutral survey of post-quantum signatures on blockchains, from QRL, Algorand, and BTX to Bitcoin and Ethereum research, with schemes and status compared.
- Quantum computers and proof-of-work miningGrover's algorithm gives only a quadratic speedup on proof-of-work hashing, so quantum mining stays impractical against ASIC fleets for the foreseeable future.
- Quantum threat to ECDSAShor's algorithm solves the elliptic curve discrete logarithm behind ECDSA in polynomial time; published estimates need about 2330 logical qubits.
- Taproot and quantum key exposureTaproot P2TR outputs place an x-only public key directly on chain, so taproot coins are quantum-exposed at rest, unlike hash-guarded legacy addresses.
Ecosystem
View category →- bonuz walletbonuz wallet is the first mobile wallet available for the BTX blockchain, offering iOS and Android apps with built-in qID sign-in support.
- BTXBTX is a post-quantum blockchain forked from Bitcoin Knots that signs transactions with ML-DSA and SLH-DSA and uses MatMul proof of work.
- BTX dropsBTX drops are collectible releases issued on the BTX blockchain via the BZA1 artifact standard; this index lists drops as they become public.
- BTXScanBTXScan is the block explorer for the BTX blockchain at btxscan.io, covering blocks, transactions, addresses, the mempool, and network charts.
- BZA1 (BTX Artifacts standard)BZA1 is a standard for issuing on-chain artifacts on BTX that carries collectible data in an OP_RETURN payload while ownership follows the coin.
- EVXEVX is a private EVM-compatible layer 2 associated with the BTX ecosystem, with a testnet live since July 2026 that is not publicly accessible.
- PQ WalletPQ Wallet is a desktop wallet for the BTX blockchain, available for Windows, macOS, and Linux, using post-quantum signature keys throughout.
- qIDqID is an open-source post-quantum identity and sign-in system whose identity keys are the same post-quantum keys used on the BTX blockchain.
- qID ConnectqID Connect is a connection layer in development that lets BTX applications request sign-in and transaction approvals from a user's wallet.
Glossary
View category →- AES (Advanced Encryption Standard)AES is the standardized symmetric block cipher; Grover's algorithm gives only a quadratic speedup, so a 256-bit key preserves the post-quantum margin.
- Bech32mBech32m is the checksummed address encoding defined in BIP 350; it fixes a bech32 weakness and encodes taproot addresses as well as BTX addresses.
- Constant-time implementationA constant-time implementation runs in time independent of secret data, the standard defense against timing and other side-channel attacks on cryptography.
- Cryptographic agilityCryptographic agility is the ability to swap algorithms and parameters without redesigning a system, a first-class requirement of the post-quantum era.
- Cryptographic bill of materials (CBOM)A cryptographic bill of materials (CBOM) is a machine-readable inventory of the algorithms, keys, certificates, and libraries a system uses for cryptography.
- Cryptographic hash functionA cryptographic hash function maps input of any length to a fixed-size digest and must resist preimage, second preimage, and collision attacks.
- Cryptographic inventoryCryptographic inventory is the process of discovering and cataloging where cryptography is used in an organization, the first step of post-quantum migration.
- Cryptographically relevant quantum computer (CRQC)A cryptographically relevant quantum computer (CRQC) is a machine capable enough to break the public-key cryptography, such as RSA and ECC, in wide use today.
- DecoherenceDecoherence is the loss of a quantum system's coherent state through interaction with its environment, the reason quantum error correction is needed.
- Diffie-HellmanDiffie-Hellman is the 1976 key-exchange protocol that lets two parties derive a shared secret over a public channel, with security that Shor's algorithm breaks.
- Digital signature schemeA digital signature scheme binds a message to a private key holder so that anyone can verify its origin and integrity with the matching public key.
- Dilithium (CRYSTALS-Dilithium)Dilithium, formally CRYSTALS-Dilithium, is the original name of the lattice-based signature scheme NIST renamed ML-DSA and standardized in FIPS 204.
- Discrete logarithm problemThe discrete logarithm problem asks for the exponent in a modular power, underpinning Diffie-Hellman and ECDSA and solved efficiently by Shor's algorithm.
- ECDSAECDSA is the elliptic-curve digital signature used by Bitcoin and TLS; its discrete logarithm security falls to Shor's algorithm on a quantum computer.
- Ed25519Ed25519 is a fast, modern EdDSA signature scheme over Curve25519 used in SSH and TLS; it is classical and vulnerable to Shor's algorithm on a quantum computer.
- Elliptic-curve cryptography (ECC)Elliptic-curve cryptography gives public-key security with smaller keys than RSA, on a discrete logarithm problem that Shor's algorithm solves efficiently.
- EntanglementEntanglement is a quantum correlation linking two or more qubits so that their states cannot be described independently of one another.
- EUF-CMAEUF-CMA is existential unforgeability under chosen-message attack, the standard security target a digital signature scheme must meet to be considered secure.
- Fiat-Shamir transformThe Fiat-Shamir transform turns an interactive identification protocol into a non-interactive digital signature by computing the challenge as a hash.
- FORS (Forest of Random Subsets)FORS (Forest of Random Subsets) is the few-time hash-based signature that signs message digests inside the stateless standard SLH-DSA, formerly SPHINCS+.
- Forward secrecyForward secrecy keeps past session keys safe if long-term keys leak later, but it does not protect recorded traffic from future quantum decryption.
- Fujisaki-Okamoto transformThe Fujisaki-Okamoto transform turns a weakly secure encryption scheme into an IND-CCA2 secure key encapsulation mechanism, the method behind ML-KEM.
- IND-CCA2IND-CCA2 is indistinguishability under adaptive chosen-ciphertext attack, the standard security target that post-quantum key encapsulation mechanisms must meet.
- Integer factorizationInteger factorization is the problem of splitting a number into prime factors, the hardness assumption behind RSA and a target of Shor's quantum algorithm.
- KEM combinerA KEM combiner merges a classical and a post-quantum shared secret into one key that stays secure if either mechanism holds, the core of hybrid cryptography.
- Key encapsulation mechanism (KEM)A key encapsulation mechanism (KEM) uses a public key to establish a shared secret, the primitive that replaces Diffie-Hellman in post-quantum protocols.
- Key exchangeKey exchange lets two parties establish a shared secret over a public channel; quantum-vulnerable Diffie-Hellman variants are giving way to KEMs.
- Kyber (CRYSTALS-Kyber)Kyber, formally CRYSTALS-Kyber, is the original name of the lattice-based KEM that NIST renamed ML-KEM and standardized in FIPS 203 in August 2024.
- Learning With Errors (LWE)Learning With Errors (LWE) is the lattice problem of solving noisy linear equations, the hardness assumption underpinning most post-quantum encryption.
- LMS (Leighton-Micali Signature)LMS (Leighton-Micali Signature) is a stateful hash-based signature scheme defined in RFC 8554 and approved by NIST SP 800-208 for firmware signing.
- Logical qubitA logical qubit is an error-corrected qubit encoded across many physical qubits, the unit in which cryptographically relevant quantum computers are sized.
- Merkle treeA Merkle tree is a hash tree whose root commits to an entire data set, enabling compact membership proofs in hash-based signatures and blockchains.
- Module Learning With Errors (Module-LWE)Module-LWE is the structured lattice assumption behind ML-KEM and ML-DSA, tuning algebraic structure by module rank to reach each NIST security level.
- Mosca's theoremMosca's theorem is an inequality that judges post-quantum migration urgency by comparing data secrecy time, migration time, and time to a quantum computer.
- NIST security levelsNIST security levels are five strength categories for post-quantum algorithms, each anchored to the cost of attacking AES or SHA-2 at a given size.
- NTRUNTRU is the oldest practical lattice-based cryptosystem, a polynomial-ring public-key scheme from 1998 and the basis of the FN-DSA (Falcon) signature.
- Public-key cryptographyPublic-key cryptography uses key pairs for key exchange, encryption, and signatures; the deployed schemes rest on problems Shor's algorithm breaks.
- Quantum supremacyQuantum supremacy is the milestone where a quantum computer beats every classical computer at one contrived task, distinct from breaking real cryptography.
- QubitA qubit is the basic unit of quantum information, a two-level quantum system that can hold superpositions and become entangled with other qubits.
- Ring Learning With Errors (Ring-LWE)Ring-LWE is the polynomial-ring variant of Learning With Errors, trading extra algebraic structure for the compact keys and fast arithmetic PQ schemes need.
- RSARSA is a classical public-key cryptosystem based on integer factoring, securing encryption and signatures but broken by Shor's algorithm on a quantum computer.
- SHA-2SHA-2 is the widely deployed family of NIST cryptographic hash functions, including SHA-256, weakened only quadratically by Grover's algorithm.
- SHA-3SHA-3 is the Keccak-based NIST hash standard whose SHAKE extendable-output functions are used inside the ML-KEM and SLH-DSA post-quantum schemes.
- Short Integer Solution (SIS) problemThe Short Integer Solution (SIS) problem seeks a short vector a random matrix maps to zero, the dual of LWE that underlies lattice-based signatures.
- SoulboundSoulbound describes blockchain tokens or artifacts bound to one holder and not designed to be transferred, a term popularized by Vitalik Buterin in 2022.
- SPHINCS+ (SLH-DSA)SPHINCS+ is the original name of the stateless hash-based signature scheme that NIST renamed SLH-DSA and standardized in FIPS 205 in August 2024.
- SuperpositionSuperposition is the quantum property by which a qubit holds a weighted combination of 0 and 1 until measurement collapses it to one outcome.
- Surface codeThe surface code is the leading quantum error-correcting code, encoding one logical qubit in a two-dimensional grid of physical qubits.
- Symmetric cryptographySymmetric cryptography uses one shared key, as in AES; quantum attacks give only a quadratic speedup, so larger keys preserve the security margin.
- UTXOA UTXO is an unspent transaction output; the UTXO ledger model limits public key exposure per output, which shapes quantum risk on Bitcoin-style chains.
- Winternitz one-time signature (WOTS)A Winternitz one-time signature (WOTS) signs one message from a hash-based key pair and is the building block of larger hash-based signature schemes.
- X25519X25519 is the Curve25519 Diffie-Hellman function; TLS now pairs it with ML-KEM in hybrid groups such as X25519MLKEM768 for post-quantum key exchange.
- XMSS (eXtended Merkle Signature Scheme)XMSS is a stateful hash-based signature scheme standardized in RFC 8391 that arranges one-time keys under a Merkle tree for many signatures per key pair.