Post-quantum cryptography

Post-quantum cryptography (PQC), also called quantum-resistant or quantum-safe cryptography, is the branch of cryptography that designs and deploys algorithms believed to remain secure against attackers equipped with large-scale quantum computers. It replaces public key schemes such as RSA and elliptic curve cryptography, which a sufficiently powerful quantum computer could break, with schemes built on mathematical problems that resist both classical and quantum attack.

Why post-quantum cryptography exists

Modern public key cryptography rests on two families of mathematical problems: integer factoring, which underlies RSA, and discrete logarithms, which underlie Diffie-Hellman key exchange, DSA, and elliptic curve schemes such as ECDH and ECDSA. In 1994 Peter Shor showed that a quantum computer can solve both problems in polynomial time (Shor 1994). Shor's algorithm converts key sizes that classical computers cannot break within the lifetime of the universe into a hardware engineering problem: any sufficiently large, error-corrected quantum computer defeats them completely. Such a machine is called a cryptographically relevant quantum computer (CRQC), and the hypothetical date one first exists is known as Q-Day.

Symmetric cryptography and hash functions face a much milder threat. Grover's algorithm provides at most a quadratic speedup for brute force search, which in theory halves the effective key length of a cipher. Doubling key sizes restores the margin, and AES-256 and SHA-384 are considered secure against quantum attack. The quantum problem is therefore concentrated in public key cryptography: key establishment, digital signatures, and the certificate infrastructure built on both.

Post-quantum cryptography is distinct from quantum cryptography. PQC algorithms are conventional mathematics implemented in ordinary software and hardware, deployable over existing networks. Quantum cryptography, such as quantum key distribution, instead uses quantum physics itself and requires specialized equipment.

Algorithm families

PQC draws on mathematical problems for which no efficient quantum algorithm is known.

  • Lattice-based cryptography builds on problems over high-dimensional lattices, such as Learning With Errors (LWE) and its module variants. It offers the best overall balance of key size, ciphertext size, and speed, and supplies the primary NIST standards ML-KEM, ML-DSA, and the forthcoming FN-DSA / Falcon.
  • Hash-based signatures rely only on the security of hash functions. They are the most conservative choice and include the stateless standard SLH-DSA and the stateful schemes XMSS and LMS.
  • Code-based cryptography builds encryption on the hardness of decoding random linear error-correcting codes. The McEliece cryptosystem has resisted attack since 1978, and the code-based KEM HQC is NIST's designated backup to ML-KEM.
  • Multivariate and isogeny-based schemes contributed cautionary lessons. The multivariate signature scheme Rainbow, a NIST finalist, was broken with classical attacks in 2022 (Beullens 2022), and the isogeny-based KEM SIKE fell to a classical key recovery attack the same year (Castryck and Decru 2022). Both breaks occurred during the standardization process and reinforced the value of mathematical diversity and long cryptanalytic scrutiny.

The NIST standardization outcome

The US National Institute of Standards and Technology opened a public competition in 2016 and received 69 complete first-round submissions. After three rounds of worldwide cryptanalysis, NIST published the first three finished standards on August 13, 2024 (FIPS 203): ML-KEM (derived from CRYSTALS-Kyber, FIPS 203) for key encapsulation, ML-DSA (derived from CRYSTALS-Dilithium, FIPS 204) as the primary signature scheme, and SLH-DSA (derived from SPHINCS+, FIPS 205) as a conservative signature alternative. On March 11, 2025 NIST selected HQC as a fifth algorithm and backup KEM built on different mathematics, with a draft standard expected around 2026 to 2027 (NIST 2025). A standard for FN-DSA (derived from Falcon, planned as FIPS 206) remains in draft as of early 2026. The full history, the eliminated candidates, and the selection rationale are covered under NIST Post-Quantum Cryptography Standardization.

Why migration cannot wait for Q-Day

The migration is urgent even though no CRQC exists, for two reasons.

First, encrypted data can be recorded today and decrypted later. In the harvest now, decrypt later model, an adversary captures ciphertext now and archives it until a quantum computer can recover the session keys. Any data whose confidentiality must outlast the arrival of a CRQC, such as medical records, state secrets, or long-lived legal and industrial information, is therefore already exposed.

Second, cryptographic migrations are slow. The often cited inequality attributed to Michele Mosca states that if the time data must stay secret plus the time migration takes exceeds the time until a CRQC exists, the protection has already failed. Past transitions such as the retirement of SHA-1 and 3DES took a decade or more across large ecosystems, and every official playbook starts with inventory, since most organizations do not know where cryptography lives in their systems.

Governments have set planning deadlines on this basis. Draft NIST guidance proposes deprecating quantum-vulnerable public key algorithms such as RSA-2048 and ECDSA P-256 after 2030 and disallowing them after 2035 (NIST IR 8547). The NSA's Commercial National Security Algorithm Suite 2.0 requires US national security systems to complete the transition by 2033, with software and firmware signing moving first (NSA CNSA 2.0).

Deployment as of early 2026

Key establishment is migrating fastest, because it is what harvest now, decrypt later threatens. In TLS, the hybrid key agreement X25519MLKEM768, which combines an elliptic curve exchange with ML-KEM-768, is enabled by default in major browsers and supported by major CDNs and cloud providers. Cloudflare measured about 2 percent of TLS 1.3 handshakes using post-quantum key agreement in early 2024 (Cloudflare 2024); following the default browser rollouts, that share grew to a substantial fraction of all human-initiated web traffic. Details are covered under post-quantum TLS.

Beyond the web, Signal added post-quantum protection to its initial key agreement with PQXDH, Apple deployed PQ3 in iMessage, and OpenSSH enables hybrid post-quantum key exchange by default. Open source libraries such as liboqs and PQClean, and provider support in OpenSSL, make the standardized algorithms broadly available. Support in hardware security modules, smart cards, and embedded devices is arriving more slowly, and profiles for constrained environments remain an active standardization topic.

Signatures lag behind. Public web certificates still use RSA and ECDSA, since certificate chains require coordinated upgrades across certificate authorities, protocols, and hardware, and that migration of the public key infrastructure has barely begun. During the transition, hybrid cryptography (running a classical and a post-quantum scheme together) is the dominant deployment pattern, so that security holds if either component survives.

Limitations and open questions

Post-quantum schemes are practical but not free. Their keys, ciphertexts, and signatures are larger than their classical counterparts.

Object Classical (typical) Post-quantum (typical)
Key exchange public key X25519: 32 bytes ML-KEM-768 encapsulation key: 1184 bytes
Key exchange ciphertext (none needed) ML-KEM-768 ciphertext: 1088 bytes
Signature Ed25519: 64 bytes ML-DSA-65: 3309 bytes; SLH-DSA-128s: 7856 bytes

Computation speed is generally not the obstacle; ML-KEM is faster than RSA key operations on common hardware. The costs show up in packet sizes, constrained devices, and protocols with tight message budgets.

The deeper open question is confidence. Lattice problems have decades of study but less adversarial history than factoring; concrete security estimates depend on evolving models of lattice reduction cost. Because ML-KEM, ML-DSA, and FN-DSA are all lattice-based, a single unexpected advance would affect all three, which is why NIST added the code-based HQC and hash-based SLH-DSA as structural hedges. This risk also motivates cryptographic agility: building systems so algorithms can be replaced without redesign. Implementation security (constant-time code, side-channel resistance, and correct handling of decapsulation failures) remains an active engineering area. None of these caveats changes the consensus conclusion: migrating to post-quantum cryptography is the necessary response to a threat whose timing is uncertain but whose consequences are not.

Frequently asked questions

Is post-quantum cryptography the same as quantum cryptography?

No. Post-quantum cryptography is ordinary software designed to resist quantum attack, while quantum cryptography such as quantum key distribution uses quantum hardware to protect data.

Do quantum computers break AES?

No practical break is known. Grover's algorithm halves the effective key length in theory, so AES-256 keeps a comfortable margin and even AES-128 remains hard to attack in practice.

Which algorithms replace RSA and elliptic curves?

ML-KEM replaces classical key establishment and ML-DSA or SLH-DSA replace classical signatures under the 2024 NIST standards, often deployed in hybrid combination with elliptic curve schemes.

Sources

  1. FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard (NIST, 2024)
  2. NIST Selects HQC as Fifth Algorithm for Post-Quantum Encryption (NIST, 2025)
  3. Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer (arXiv, 1996)
  4. Post-Quantum Cybersecurity Resources (CNSA 2.0) (NSA, 2022)
  5. NIST IR 8547 (Initial Public Draft), Transition to Post-Quantum Cryptography Standards (NIST, 2024)
  6. The state of the post-quantum Internet (Cloudflare, 2024)
  7. An efficient key recovery attack on SIDH (IACR ePrint, 2022)
  8. Breaking Rainbow Takes a Weekend on a Laptop (IACR ePrint, 2022)
Cite this entry
"Post-quantum cryptography." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/post-quantum-cryptography@misc{pqwiki-post-quantum-cryptography, title = {Post-quantum cryptography}, howpublished = {\url{https://postquantum.wiki/post-quantum-cryptography}}, year = {2026}, note = {postquantum.wiki, updated 2026-07-11} }