# postquantum.wiki > A cited encyclopedia of quantum computing and post-quantum cryptography: quantum computers and the physics behind them, the quantum threat, the NIST standards, and migration in practice. Maintained by the team behind PQ Wallet, qID and BTXScan. Entries about the maintainers' own projects are labeled "Related project" and live in the Ecosystem category. Every entry cites primary sources and shows an updated date. Full corpus for LLMs: https://postquantum.wiki/llms-full.txt (every entry as plain text in one file). Feeds: https://postquantum.wiki/feed.xml (RSS), https://postquantum.wiki/feed.json (JSON Feed). Sitemap: https://postquantum.wiki/sitemap.xml ## Foundations - [Code-based cryptography](https://postquantum.wiki/code-based-cryptography): Code-based cryptography builds encryption on the hardness of decoding random linear codes, from McEliece in 1978 to the NIST-selected HQC KEM. - [Grover's algorithm](https://postquantum.wiki/grovers-algorithm): Grover's algorithm gives quantum computers a quadratic speedup for unstructured search, weakening symmetric ciphers and hash functions but not breaking them. - [Harvest now, decrypt later](https://postquantum.wiki/harvest-now-decrypt-later): Harvest now, decrypt later is an attack in which encrypted data is recorded today so it can be decrypted once quantum computers can break the encryption. - [Hash-based signatures](https://postquantum.wiki/hash-based-signatures): Hash-based signatures derive their security only from hash functions, spanning stateful XMSS and LMS and the stateless NIST standard SLH-DSA. - [Isogeny-based cryptography](https://postquantum.wiki/isogeny-based-cryptography): Isogeny-based cryptography builds on maps between supersingular elliptic curves; SIDH and SIKE were broken in 2022, leaving CSIDH and SQIsign. - [Lattice-based cryptography](https://postquantum.wiki/lattice-based-cryptography): Lattice-based cryptography builds encryption and signatures on hard lattice problems such as LWE and underpins the NIST standards ML-KEM and ML-DSA. - [Multivariate cryptography](https://postquantum.wiki/multivariate-cryptography): Multivariate cryptography builds signatures on the hardness of solving multivariate quadratic equations, from the broken Rainbow to the surviving UOV and MAYO. - [Post-quantum cryptography](https://postquantum.wiki/post-quantum-cryptography): Post-quantum cryptography is the field of cryptographic algorithms designed to resist attacks by both classical computers and future quantum computers. - [Q-Day](https://postquantum.wiki/q-day): Q-Day is the hypothetical future date when a cryptographically relevant quantum computer can break RSA and elliptic curve cryptography in practice. - [Quantum computer](https://postquantum.wiki/quantum-computer): A quantum computer processes information with qubits and quantum effects; current machines remain far from breaking deployed public key cryptography. - [Quantum key distribution (QKD)](https://postquantum.wiki/quantum-key-distribution): Quantum key distribution (QKD) uses quantum physics to share encryption keys; the NSA and UK NCSC recommend post-quantum cryptography instead. - [Shor's algorithm](https://postquantum.wiki/shors-algorithm): Shor's algorithm factors integers and computes discrete logarithms in polynomial time on a quantum computer, breaking RSA, Diffie-Hellman, and ECDSA. ## Quantum computing - [D-Wave](https://postquantum.wiki/d-wave): D-Wave Systems sold the first commercial quantum computer in 2011 and builds quantum annealers for optimization, not universal gate-model machines. - [Google Quantum AI](https://postquantum.wiki/google-quantum-ai): Google Quantum AI builds superconducting processors; its 2019 Sycamore supremacy claim was contested, and 2024 Willow showed below-threshold error correction. - [IBM Quantum](https://postquantum.wiki/ibm-quantum): IBM Quantum builds superconducting transmon processors, from the 127-qubit Eagle to the 1121-qubit Condor, and develops the Qiskit software stack. - [IonQ](https://postquantum.wiki/ionq): IonQ builds trapped-ion quantum computers with all-to-all qubit connectivity, reports an algorithmic-qubits metric, and offers access through major clouds. - [Microsoft Azure Quantum](https://postquantum.wiki/microsoft-azure-quantum): Microsoft Azure Quantum is a cloud platform for quantum hardware and software, paired with Microsoft's long-running topological-qubit research program. - [Neutral-atom qubits](https://postquantum.wiki/neutral-atom-qubits): Neutral-atom qubits hold single atoms in optical tweezer arrays and entangle them via Rydberg interactions, giving large, reconfigurable qubit registers. - [NISQ (Noisy Intermediate-Scale Quantum)](https://postquantum.wiki/nisq): NISQ, Noisy Intermediate-Scale Quantum, is John Preskill's 2018 term for today's noisy, uncorrected quantum machines holding dozens to hundreds of qubits. - [Pasqal](https://postquantum.wiki/pasqal): Pasqal, based in France, builds neutral-atom quantum computers that use optical tweezers and Rydberg atoms for both analog and digital operation. - [Photonic quantum computing](https://postquantum.wiki/photonic-quantum-computing): Photonic quantum computing encodes qubits in photons and processes them with linear optics and measurement, near room temperature but limited by photon loss. - [PsiQuantum](https://postquantum.wiki/psiquantum): PsiQuantum pursues photonic quantum computing in silicon, manufacturing with GlobalFoundries, and states a goal of a fault-tolerant million-qubit machine. - [Quantinuum](https://postquantum.wiki/quantinuum): Quantinuum formed in 2021 from Honeywell and Cambridge Quantum and builds trapped-ion H-series processors known for gate fidelity and quantum-volume records. - [Quantum advantage](https://postquantum.wiki/quantum-advantage): Quantum advantage is a quantum computer beating the best classical methods on a task; useful advantage on practical problems is still limited as of early 2026. - [Quantum annealing](https://postquantum.wiki/quantum-annealing): Quantum annealing is a heuristic that encodes an optimization problem as an Ising Hamiltonian and evolves toward a low-energy state to find good solutions. - [Quantum circuit](https://postquantum.wiki/quantum-circuit): A quantum circuit is a sequence of quantum gates and measurements acting on qubits; it is the standard model in which quantum algorithms are expressed and run. - [Quantum error correction](https://postquantum.wiki/quantum-error-correction): Quantum error correction builds reliable logical qubits from many noisy physical qubits, using redundancy to suppress errors below a critical threshold. - [Quantum logic gate](https://postquantum.wiki/quantum-logic-gate): A quantum logic gate is a reversible unitary operation on qubits; small universal gate sets approximate any quantum computation to arbitrary accuracy. - [Quantum teleportation](https://postquantum.wiki/quantum-teleportation): Quantum teleportation transfers an unknown quantum state using shared entanglement and two classical bits; it moves no matter and is not faster-than-light. - [Rigetti Computing](https://postquantum.wiki/rigetti): Rigetti Computing is a full-stack superconducting quantum company that designs and fabricates its own chips and runs the Quantum Cloud Services platform. - [Superconducting qubits](https://postquantum.wiki/superconducting-qubits): Superconducting qubits are circuits using Josephson junctions as artificial atoms, cooled to millikelvin, with fast gates but limited coherence times. - [Topological qubits](https://postquantum.wiki/topological-qubits): Topological qubits would store information nonlocally in states like Majorana zero modes, protecting it from local noise, but remain unproven as of early 2026. - [Trapped-ion qubits](https://postquantum.wiki/trapped-ion-qubits): Trapped-ion qubits store quantum information in electronic states of ions held in electromagnetic traps, giving high gate fidelity and all-to-all connectivity. - [Xanadu](https://postquantum.wiki/xanadu): Xanadu, a Canadian company, builds photonic quantum computers and reported a 2022 Borealis quantum-advantage result in Nature; it maintains PennyLane. ## Quantum physics - [Albert Einstein](https://postquantum.wiki/albert-einstein): Albert Einstein (1879 to 1955) explained the photoelectric effect with light quanta in 1905 and later challenged the completeness of quantum mechanics. - [Bell's theorem](https://postquantum.wiki/bells-theorem): Bell's theorem proves that no local hidden-variable theory can reproduce all quantum predictions, a result confirmed by experiments and the 2022 Nobel Prize. - [Double-slit experiment](https://postquantum.wiki/double-slit-experiment): The double-slit experiment shows single particles building up an interference pattern, and demonstrates that which-path information destroys that pattern. - [Erwin Schrodinger](https://postquantum.wiki/erwin-schrodinger): Erwin Schrodinger (1887 to 1961) wrote the 1926 wave equation of quantum mechanics and devised the Schrodinger's cat thought experiment in 1935. - [History of quantum mechanics](https://postquantum.wiki/history-of-quantum-mechanics): The history of quantum mechanics runs from Planck's 1900 quantum through the 1925 and 1926 formulations by Heisenberg, Schrodinger, Born, and Dirac. - [Max Planck](https://postquantum.wiki/max-planck): Max Planck (1858 to 1947) originated quantum theory in 1900, proposing that energy is emitted in discrete quanta and defining Planck's constant h. - [Niels Bohr](https://postquantum.wiki/niels-bohr): Niels Bohr (1885 to 1962) built the 1913 quantized model of the atom and shaped the Copenhagen interpretation of quantum mechanics. - [Quantum entanglement](https://postquantum.wiki/quantum-entanglement): Quantum entanglement is a correlation between quantum systems whose joint state cannot be described independently, producing nonlocal but non-signaling links. - [Quantum field theory](https://postquantum.wiki/quantum-field-theory): Quantum field theory unites quantum mechanics with special relativity, treating particles as excitations of fields, and underpins the Standard Model. - [Quantum mechanics](https://postquantum.wiki/quantum-mechanics): Quantum mechanics is the physical theory of matter and energy at atomic and subatomic scales, built on quantization, superposition, and probability. - [Quantum realm](https://postquantum.wiki/quantum-realm): The quantum realm is the scale, roughly atomic and smaller, at which quantum effects dominate; the term is also used loosely in popular culture. - [Richard Feynman](https://postquantum.wiki/richard-feynman): Richard Feynman (1918 to 1988) co-developed quantum electrodynamics and the path integral, and in 1981 proposed simulating physics with quantum computers. - [Schrodinger's cat](https://postquantum.wiki/schrodingers-cat): Schrodinger's cat is a 1935 thought experiment in which a cat is placed in a superposition of alive and dead to expose the quantum measurement problem. - [The measurement problem](https://postquantum.wiki/measurement-problem): The measurement problem asks why quantum superpositions yield single definite outcomes, the question that divides the interpretations of quantum mechanics. - [Uncertainty principle](https://postquantum.wiki/uncertainty-principle): The uncertainty principle states that conjugate quantities such as position and momentum cannot both have precisely defined values at the same time. - [Wave-particle duality](https://postquantum.wiki/wave-particle-duality): Wave-particle duality is the quantum principle that matter and light each show both wave-like and particle-like behavior depending on the experiment. - [Werner Heisenberg](https://postquantum.wiki/werner-heisenberg): Werner Heisenberg (1901 to 1976) created matrix mechanics in 1925, the first complete quantum theory, and stated the uncertainty principle in 1927. ## Standards & algorithms - [BIKE](https://postquantum.wiki/bike): BIKE is a code-based key-encapsulation mechanism using QC-MDPC codes with compact keys, not chosen by NIST in round 4 due to decoding-failure-rate concerns. - [Classic McEliece](https://postquantum.wiki/classic-mceliece): Classic McEliece is a code-based key-encapsulation mechanism from 1978, the oldest unbroken post-quantum scheme, with very large keys and tiny ciphertexts. - [FN-DSA / Falcon](https://postquantum.wiki/fn-dsa): FN-DSA is the planned FIPS 206 standard for the Falcon signature scheme, an NTRU-lattice design with the smallest keys and signatures among NIST selections. - [FrodoKEM](https://postquantum.wiki/frodokem): FrodoKEM is a key-encapsulation mechanism built on plain, unstructured LWE, trading larger keys and slower operations for a conservative security margin. - [HQC](https://postquantum.wiki/hqc): HQC is a code-based key-encapsulation mechanism selected by NIST in March 2025 as a backup to ML-KEM, adding non-lattice diversity to the PQC standards. - [ML-DSA (FIPS 204)](https://postquantum.wiki/ml-dsa): ML-DSA is the module-lattice digital signature algorithm of FIPS 204, formerly CRYSTALS-Dilithium, and the primary post-quantum signature recommendation. - [ML-KEM (FIPS 203)](https://postquantum.wiki/ml-kem): ML-KEM is the module-lattice key-encapsulation mechanism of FIPS 203, formerly CRYSTALS-Kyber, and the default post-quantum key establishment method. - [NIST Post-Quantum Cryptography Standardization](https://postquantum.wiki/nist-pqc-standardization): NIST's multi-year process to standardize post-quantum cryptography, from the 2016 call for proposals to FIPS 203, 204, and 205 and the 2025 HQC selection. - [Post-quantum algorithm comparison](https://postquantum.wiki/pqc-algorithm-comparison): Reference comparison of ML-KEM, ML-DSA, SLH-DSA, FN-DSA, and HQC against RSA and elliptic-curve cryptography on sizes, speed, and security basis. - [Rainbow (signature scheme)](https://postquantum.wiki/rainbow): Rainbow is a multivariate post-quantum signature scheme, a NIST finalist that was broken by a practical key-recovery attack in 2022. - [SLH-DSA (FIPS 205)](https://postquantum.wiki/slh-dsa): SLH-DSA is the stateless hash-based signature scheme of FIPS 205, formerly SPHINCS+, valued for resting only on well-studied hash function security. ## Migration & practice - [Apple iMessage PQ3](https://postquantum.wiki/imessage-pq3): Apple iMessage PQ3 is a post-quantum messaging protocol with Kyber-based key establishment and ongoing rekeying, deployed to iMessage beginning March 2024. - [Browser post-quantum adoption](https://postquantum.wiki/browser-pqc-adoption): Browser post-quantum adoption traces how Chrome, Firefox, Edge, and Safari enabled hybrid ML-KEM key exchange in TLS, from 2023 experiments to default rollout. - [Hybrid cryptography (PQ/T hybrid)](https://postquantum.wiki/hybrid-cryptography): Hybrid cryptography combines a classical algorithm with a post-quantum one so that security holds as long as either component remains unbroken. - [liboqs](https://postquantum.wiki/liboqs): liboqs is an open source C library from the Open Quantum Safe project that provides a unified API for post-quantum key encapsulation and signature schemes. - [OpenSSL post-quantum support](https://postquantum.wiki/openssl-pqc): OpenSSL added native ML-KEM, ML-DSA, and SLH-DSA support in version 3.5, an LTS release from April 2025 that also enabled hybrid post-quantum TLS key exchange. - [PKI migration to post-quantum](https://postquantum.wiki/pki-migration): PKI migration to post-quantum cryptography replaces RSA and ECDSA across roots, chains, HSMs, and CT logs, guided by NIST IR 8547 and its 2030 to 2035 timeline. - [Post-quantum cryptography libraries](https://postquantum.wiki/pqc-libraries): Post-quantum cryptography libraries compared in one directory: liboqs, PQClean, OpenSSL, BoringSSL, AWS-LC, wolfSSL, Bouncy Castle, CIRCL, and reference code. - [Post-quantum SSH](https://postquantum.wiki/post-quantum-ssh): Post-quantum SSH covers OpenSSH hybrid key exchange, sntrup761x25519 since 2022 and ML-KEM based mlkem768x25519, protecting sessions from future quantum attack. - [Post-quantum TLS](https://postquantum.wiki/post-quantum-tls): Post-quantum TLS adds quantum-resistant key exchange to TLS 1.3 through hybrid groups such as X25519MLKEM768, now protecting a large share of web traffic. - [PQClean](https://postquantum.wiki/pqclean): PQClean is a repository of clean, portable C implementations of post-quantum schemes from the NIST standardization project, used by liboqs and other libraries. - [Side-channel attacks on post-quantum cryptography](https://postquantum.wiki/side-channel-attacks): Side-channel attacks recover secrets from the timing, power, or electromagnetic behavior of a post-quantum implementation, not from breaking its math. - [Signal PQXDH](https://postquantum.wiki/signal-pqxdh): Signal PQXDH is the Signal Protocol post-quantum initial key agreement, combining X25519 with Kyber since September 2023 to resist harvest now, decrypt later. ## Blockchain & quantum - [Is Bitcoin quantum safe?](https://postquantum.wiki/is-bitcoin-quantum-safe): An evidence-based look at Bitcoin's quantum exposure: which coins have revealed public keys, how fast an attacker must be, and the proposed fixes. - [Post-quantum blockchains (survey)](https://postquantum.wiki/post-quantum-blockchains): A neutral survey of post-quantum signatures on blockchains, from QRL, Algorand, and BTX to Bitcoin and Ethereum research, with schemes and status compared. - [Quantum computers and proof-of-work mining](https://postquantum.wiki/quantum-mining): Grover's algorithm gives only a quadratic speedup on proof-of-work hashing, so quantum mining stays impractical against ASIC fleets for the foreseeable future. - [Quantum threat to ECDSA](https://postquantum.wiki/quantum-threat-to-ecdsa): Shor's algorithm solves the elliptic curve discrete logarithm behind ECDSA in polynomial time; published estimates need about 2330 logical qubits. - [Taproot and quantum key exposure](https://postquantum.wiki/taproot-quantum-exposure): Taproot P2TR outputs place an x-only public key directly on chain, so taproot coins are quantum-exposed at rest, unlike hash-guarded legacy addresses. ## Ecosystem - [bonuz wallet](https://postquantum.wiki/bonuz-wallet): bonuz wallet is the first mobile wallet available for the BTX blockchain, offering iOS and Android apps with built-in qID sign-in support. - [BTX](https://postquantum.wiki/btx): BTX is a post-quantum blockchain forked from Bitcoin Knots that signs transactions with ML-DSA and SLH-DSA and uses MatMul proof of work. - [BTX drops](https://postquantum.wiki/btx-drops): BTX drops are collectible releases issued on the BTX blockchain via the BZA1 artifact standard; this index lists drops as they become public. - [BTXScan](https://postquantum.wiki/btxscan): BTXScan is the block explorer for the BTX blockchain at btxscan.io, covering blocks, transactions, addresses, the mempool, and network charts. - [BZA1 (BTX Artifacts standard)](https://postquantum.wiki/bza1): BZA1 is a standard for issuing on-chain artifacts on BTX that carries collectible data in an OP_RETURN payload while ownership follows the coin. - [EVX](https://postquantum.wiki/evx): EVX is a private EVM-compatible layer 2 associated with the BTX ecosystem, with a testnet live since July 2026 that is not publicly accessible. - [PQ Wallet](https://postquantum.wiki/pq-wallet): PQ Wallet is a desktop wallet for the BTX blockchain, available for Windows, macOS, and Linux, using post-quantum signature keys throughout. - [qID](https://postquantum.wiki/qid): qID is an open-source post-quantum identity and sign-in system whose identity keys are the same post-quantum keys used on the BTX blockchain. - [qID Connect](https://postquantum.wiki/qid-connect): qID Connect is a connection layer in development that lets BTX applications request sign-in and transaction approvals from a user's wallet. ## Glossary - [AES (Advanced Encryption Standard)](https://postquantum.wiki/aes): AES is the standardized symmetric block cipher; Grover's algorithm gives only a quadratic speedup, so a 256-bit key preserves the post-quantum margin. - [Bech32m](https://postquantum.wiki/bech32m): Bech32m is the checksummed address encoding defined in BIP 350; it fixes a bech32 weakness and encodes taproot addresses as well as BTX addresses. - [Bloch sphere](https://postquantum.wiki/bloch-sphere): The Bloch sphere is the geometric representation of a single qubit's pure state as a point on the surface of a unit sphere in three dimensions. - [Constant-time implementation](https://postquantum.wiki/constant-time): A constant-time implementation runs in time independent of secret data, the standard defense against timing and other side-channel attacks on cryptography. - [Copenhagen interpretation](https://postquantum.wiki/copenhagen-interpretation): The Copenhagen interpretation is the traditional view of quantum mechanics in which measurement collapses the wave function to a single definite outcome. - [Cryptographic agility](https://postquantum.wiki/cryptographic-agility): Cryptographic agility is the ability to swap algorithms and parameters without redesigning a system, a first-class requirement of the post-quantum era. - [Cryptographic bill of materials (CBOM)](https://postquantum.wiki/cbom): A cryptographic bill of materials (CBOM) is a machine-readable inventory of the algorithms, keys, certificates, and libraries a system uses for cryptography. - [Cryptographic hash function](https://postquantum.wiki/hash-function): A cryptographic hash function maps input of any length to a fixed-size digest and must resist preimage, second preimage, and collision attacks. - [Cryptographic inventory](https://postquantum.wiki/crypto-inventory): Cryptographic inventory is the process of discovering and cataloging where cryptography is used in an organization, the first step of post-quantum migration. - [Cryptographically relevant quantum computer (CRQC)](https://postquantum.wiki/crqc): A cryptographically relevant quantum computer (CRQC) is a machine capable enough to break the public-key cryptography, such as RSA and ECC, in wide use today. - [Decoherence](https://postquantum.wiki/decoherence): Decoherence is the loss of a quantum system's coherent state through interaction with its environment, the reason quantum error correction is needed. - [Diffie-Hellman](https://postquantum.wiki/diffie-hellman): Diffie-Hellman is the 1976 key-exchange protocol that lets two parties derive a shared secret over a public channel, with security that Shor's algorithm breaks. - [Digital signature scheme](https://postquantum.wiki/digital-signature): A digital signature scheme binds a message to a private key holder so that anyone can verify its origin and integrity with the matching public key. - [Dilithium (CRYSTALS-Dilithium)](https://postquantum.wiki/dilithium): Dilithium, formally CRYSTALS-Dilithium, is the original name of the lattice-based signature scheme NIST renamed ML-DSA and standardized in FIPS 204. - [Discrete logarithm problem](https://postquantum.wiki/discrete-logarithm): The discrete logarithm problem asks for the exponent in a modular power, underpinning Diffie-Hellman and ECDSA and solved efficiently by Shor's algorithm. - [ECDSA](https://postquantum.wiki/ecdsa): ECDSA is the elliptic-curve digital signature used by Bitcoin and TLS; its discrete logarithm security falls to Shor's algorithm on a quantum computer. - [Ed25519](https://postquantum.wiki/ed25519): Ed25519 is a fast, modern EdDSA signature scheme over Curve25519 used in SSH and TLS; it is classical and vulnerable to Shor's algorithm on a quantum computer. - [Eigenstate](https://postquantum.wiki/eigenstate): An eigenstate is a quantum state with a definite value, the eigenvalue, of a given observable, and measuring that observable returns that value. - [Elliptic-curve cryptography (ECC)](https://postquantum.wiki/elliptic-curve-cryptography): Elliptic-curve cryptography gives public-key security with smaller keys than RSA, on a discrete logarithm problem that Shor's algorithm solves efficiently. - [Entanglement](https://postquantum.wiki/entanglement): Entanglement is a quantum correlation linking two or more qubits so that their states cannot be described independently of one another. - [EUF-CMA](https://postquantum.wiki/euf-cma): EUF-CMA is existential unforgeability under chosen-message attack, the standard security target a digital signature scheme must meet to be considered secure. - [Fiat-Shamir transform](https://postquantum.wiki/fiat-shamir): The Fiat-Shamir transform turns an interactive identification protocol into a non-interactive digital signature by computing the challenge as a hash. - [FORS (Forest of Random Subsets)](https://postquantum.wiki/fors): FORS (Forest of Random Subsets) is the few-time hash-based signature that signs message digests inside the stateless standard SLH-DSA, formerly SPHINCS+. - [Forward secrecy](https://postquantum.wiki/forward-secrecy): Forward secrecy keeps past session keys safe if long-term keys leak later, but it does not protect recorded traffic from future quantum decryption. - [Fujisaki-Okamoto transform](https://postquantum.wiki/fujisaki-okamoto): The Fujisaki-Okamoto transform turns a weakly secure encryption scheme into an IND-CCA2 secure key encapsulation mechanism, the method behind ML-KEM. - [Hamiltonian](https://postquantum.wiki/hamiltonian): The Hamiltonian is the operator representing a quantum system's total energy, and it generates the system's time evolution in the Schrodinger equation. - [IND-CCA2](https://postquantum.wiki/ind-cca2): IND-CCA2 is indistinguishability under adaptive chosen-ciphertext attack, the standard security target that post-quantum key encapsulation mechanisms must meet. - [Integer factorization](https://postquantum.wiki/integer-factorization): Integer factorization is the problem of splitting a number into prime factors, the hardness assumption behind RSA and a target of Shor's quantum algorithm. - [KEM combiner](https://postquantum.wiki/kem-combiner): A KEM combiner merges a classical and a post-quantum shared secret into one key that stays secure if either mechanism holds, the core of hybrid cryptography. - [Key encapsulation mechanism (KEM)](https://postquantum.wiki/kem): A key encapsulation mechanism (KEM) uses a public key to establish a shared secret, the primitive that replaces Diffie-Hellman in post-quantum protocols. - [Key exchange](https://postquantum.wiki/key-exchange): Key exchange lets two parties establish a shared secret over a public channel; quantum-vulnerable Diffie-Hellman variants are giving way to KEMs. - [Kyber (CRYSTALS-Kyber)](https://postquantum.wiki/kyber): Kyber, formally CRYSTALS-Kyber, is the original name of the lattice-based KEM that NIST renamed ML-KEM and standardized in FIPS 203 in August 2024. - [Learning With Errors (LWE)](https://postquantum.wiki/lwe): Learning With Errors (LWE) is the lattice problem of solving noisy linear equations, the hardness assumption underpinning most post-quantum encryption. - [LMS (Leighton-Micali Signature)](https://postquantum.wiki/lms): LMS (Leighton-Micali Signature) is a stateful hash-based signature scheme defined in RFC 8554 and approved by NIST SP 800-208 for firmware signing. - [Logical qubit](https://postquantum.wiki/logical-qubit): A logical qubit is an error-corrected qubit encoded across many physical qubits, the unit in which cryptographically relevant quantum computers are sized. - [Many-worlds interpretation](https://postquantum.wiki/many-worlds-interpretation): The many-worlds interpretation is Everett's proposal that every quantum measurement outcome is realized in a branching universe, with no wave-function collapse. - [Merkle tree](https://postquantum.wiki/merkle-tree): A Merkle tree is a hash tree whose root commits to an entire data set, enabling compact membership proofs in hash-based signatures and blockchains. - [Module Learning With Errors (Module-LWE)](https://postquantum.wiki/module-lwe): Module-LWE is the structured lattice assumption behind ML-KEM and ML-DSA, tuning algebraic structure by module rank to reach each NIST security level. - [Mosca's theorem](https://postquantum.wiki/mosca-theorem): Mosca's theorem is an inequality that judges post-quantum migration urgency by comparing data secrecy time, migration time, and time to a quantum computer. - [NIST security levels](https://postquantum.wiki/security-levels): NIST security levels are five strength categories for post-quantum algorithms, each anchored to the cost of attacking AES or SHA-2 at a given size. - [NTRU](https://postquantum.wiki/ntru): NTRU is the oldest practical lattice-based cryptosystem, a polynomial-ring public-key scheme from 1998 and the basis of the FN-DSA (Falcon) signature. - [Observable](https://postquantum.wiki/observable): An observable is a measurable physical quantity in quantum mechanics, represented by an operator whose eigenvalues are the possible measurement outcomes. - [Photon](https://postquantum.wiki/photon): A photon is the quantum of the electromagnetic field, a massless particle of light that carries energy proportional to its frequency and spin one. - [Planck's constant (h)](https://postquantum.wiki/planck-constant): Planck's constant (h) is the fundamental constant of quantum theory, relating a quantum of energy to its frequency through the relation E = h nu. - [Public-key cryptography](https://postquantum.wiki/public-key-cryptography): Public-key cryptography uses key pairs for key exchange, encryption, and signatures; the deployed schemes rest on problems Shor's algorithm breaks. - [Quantum annealer](https://postquantum.wiki/quantum-annealer): A quantum annealer is a special-purpose quantum device that finds low-energy configurations of a problem through the process of quantum annealing. - [Quantum number](https://postquantum.wiki/quantum-number): A quantum number is one of the discrete labels, such as n, l, m, and spin, that specify the allowed state of a quantum system like an atomic electron. - [Quantum state](https://postquantum.wiki/quantum-state): A quantum state is the complete description of a quantum system, given by a state vector for pure states or a density operator for mixed states. - [Quantum supremacy](https://postquantum.wiki/quantum-supremacy): Quantum supremacy is the milestone where a quantum computer beats every classical computer at one contrived task, distinct from breaking real cryptography. - [Quantum tunneling](https://postquantum.wiki/quantum-tunneling): Quantum tunneling is the effect by which a particle passes through a potential energy barrier that classical physics says it cannot cross. - [Qubit](https://postquantum.wiki/qubit): A qubit is the basic unit of quantum information, a two-level quantum system that can hold superpositions and become entangled with other qubits. - [Ring Learning With Errors (Ring-LWE)](https://postquantum.wiki/ring-lwe): Ring-LWE is the polynomial-ring variant of Learning With Errors, trading extra algebraic structure for the compact keys and fast arithmetic PQ schemes need. - [RSA](https://postquantum.wiki/rsa): RSA is a classical public-key cryptosystem based on integer factoring, securing encryption and signatures but broken by Shor's algorithm on a quantum computer. - [SHA-2](https://postquantum.wiki/sha-2): SHA-2 is the widely deployed family of NIST cryptographic hash functions, including SHA-256, weakened only quadratically by Grover's algorithm. - [SHA-3](https://postquantum.wiki/sha-3): SHA-3 is the Keccak-based NIST hash standard whose SHAKE extendable-output functions are used inside the ML-KEM and SLH-DSA post-quantum schemes. - [Short Integer Solution (SIS) problem](https://postquantum.wiki/sis-problem): The Short Integer Solution (SIS) problem seeks a short vector a random matrix maps to zero, the dual of LWE that underlies lattice-based signatures. - [Soulbound](https://postquantum.wiki/soulbound): Soulbound describes blockchain tokens or artifacts bound to one holder and not designed to be transferred, a term popularized by Vitalik Buterin in 2022. - [SPHINCS+ (SLH-DSA)](https://postquantum.wiki/sphincs-plus): SPHINCS+ is the original name of the stateless hash-based signature scheme that NIST renamed SLH-DSA and standardized in FIPS 205 in August 2024. - [Spin](https://postquantum.wiki/spin): Spin is the intrinsic, quantized angular momentum carried by particles, dividing matter into half-integer fermions and integer-spin bosons. - [Superposition](https://postquantum.wiki/superposition): Superposition is the quantum property by which a qubit holds a weighted combination of 0 and 1 until measurement collapses it to one outcome. - [Surface code](https://postquantum.wiki/surface-code): The surface code is the leading quantum error-correcting code, encoding one logical qubit in a two-dimensional grid of physical qubits. - [Symmetric cryptography](https://postquantum.wiki/symmetric-cryptography): Symmetric cryptography uses one shared key, as in AES; quantum attacks give only a quadratic speedup, so larger keys preserve the security margin. - [UTXO](https://postquantum.wiki/utxo): A UTXO is an unspent transaction output; the UTXO ledger model limits public key exposure per output, which shapes quantum risk on Bitcoin-style chains. - [Wave function](https://postquantum.wiki/wave-function): A wave function is the mathematical object encoding a quantum system's state, whose squared magnitude gives the probability of each measurement outcome. - [Winternitz one-time signature (WOTS)](https://postquantum.wiki/wots): A Winternitz one-time signature (WOTS) signs one message from a hash-based key pair and is the building block of larger hash-based signature schemes. - [X25519](https://postquantum.wiki/x25519): X25519 is the Curve25519 Diffie-Hellman function; TLS now pairs it with ML-KEM in hybrid groups such as X25519MLKEM768 for post-quantum key exchange. - [XMSS (eXtended Merkle Signature Scheme)](https://postquantum.wiki/xmss): XMSS is a stateful hash-based signature scheme standardized in RFC 8391 that arranges one-time keys under a Merkle tree for many signatures per key pair. ## Other pages - [Quantum chronicles (timeline of the quantum world)](https://postquantum.wiki/chronicles) - [All entries A to Z](https://postquantum.wiki/all) - [Resources directory (NIST, agencies, standards, tooling)](https://postquantum.wiki/resources) - [About and editorial policy](https://postquantum.wiki/about) - [Search](https://postquantum.wiki/search)