Post-Quantum Cryptography

Post-Quantum Cryptography (PQC)

Post-Quantum Cryptography (PQC) refers to a new generation of cryptographic algorithms designed to remain secure even against attacks from powerful quantum computers. Unlike today's widely used public-key systems (like RSA and Elliptic Curve Cryptography, or ECC), which could be broken by a sufficiently advanced quantum computer, PQC algorithms rely on mathematical problems that are believed to be hard for both classical and quantum computers to solve.

Why Do We Need Post-Quantum Cryptography?

Modern cryptography protects everything from HTTPS web connections, VPNs, and email encryption to digital signatures, software updates, and blockchain transactions.

Most public-key cryptography today depends on two hard mathematical problems:

  • Integer factorization (used in RSA): Factoring a large composite number into its prime factors.

  • Discrete logarithm (used in ECC and Diffie-Hellman): Given a group element g and g^x, recovering the exponent x.

In 1994, mathematician Peter Shor developed a quantum algorithm (Shor's algorithm) that solves both of these problems in polynomial time, a superpolynomial speedup over the best known classical algorithms. A large enough quantum computer running Shor's algorithm could break RSA-2048 or equivalent ECC keys in hours or days—tasks that would take classical supercomputers billions of years.

This creates two main risks:

  • "Harvest now, decrypt later" attacks: Adversaries (e.g., nation-states) can collect encrypted data today and store it, then decrypt it once a cryptographically relevant quantum computer (CRQC) becomes available.

  • Future breakage of infrastructure: Digital signatures, key exchanges, and certificates would all fail, undermining trust in the internet and secure systems.

Symmetric cryptography (like AES) is less affected—Grover's algorithm provides only a quadratic speedup, so doubling key sizes (e.g., from AES-128 to AES-256) restores security. The urgent problem is asymmetric (public-key) cryptography.

No one knows exactly when a CRQC will exist—estimates range from the late 2020s to beyond 2035—but experts agree migration must start now because cryptographic transitions take many years.

Main Families of Post-Quantum Algorithms

PQC algorithms are built on different "hard problems" that quantum computers do not appear to solve efficiently. The five primary families are:

  • Lattice-based: Relies on problems in high-dimensional lattices, such as finding short vectors (Shortest Vector Problem) or solving noisy linear equations (Learning With Errors, or LWE, and its variants like Module-LWE). These schemes are efficient, have relatively small keys, and come with strong security reductions, making them the most promising family for general use.

  • Code-based: Based on the difficulty of decoding general linear error-correcting codes (e.g., McEliece cryptosystem from 1978). Very mature and secure, but often suffers from large public keys.

  • Hash-based: Uses cryptographic hash functions (one-way functions) to build digital signatures. Extremely secure (security reduces directly to the hash function's properties) and simple, but signatures can be larger, and some schemes are stateful (the signer must track which one-time keys have been used and never reuse one).

  • Multivariate: Based on solving systems of multivariate polynomial equations over finite fields. Can produce small signatures but often has large public keys and less confidence in long-term security.

  • Isogeny-based (supersingular elliptic curve isogenies): Uses maps between elliptic curves. Offers very small keys, but several schemes (like SIKE) were broken by classical attacks during evaluation, so this family is less prominent now.

Other emerging ideas exist (e.g., MPC-in-the-Head), but the above dominate standardization efforts.
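To make the "noisy linear equations" idea concrete, here is a toy Regev-style LWE bit encryption scheme. It is an added illustration, not code from any standard or library: the parameters (q = 3329, n = 16, m = 64, error bound 2) are chosen only so the example runs and decrypts correctly, and are nowhere near secure.

```python
import random

# Toy LWE encryption (Regev-style), added to show the structure behind lattice schemes
# such as ML-KEM. Parameters are deliberately tiny and NOT secure (illustration only).
Q = 3329   # modulus (the prime ML-KEM also uses)
N = 16     # dimension of the secret vector s
M = 64     # number of noisy equations published in the public key
E = 2      # each error term is drawn uniformly from [-E, E]

def dot(x, y):
    return sum(a * b for a, b in zip(x, y)) % Q

def keygen(rng):
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    # b_i = <a_i, s> + e_i mod q. Without e_i, Gaussian elimination would recover s;
    # the small error is what turns "solve for s" into a hard lattice problem.
    b = [(dot(a, s) + rng.randint(-E, E)) % Q for a in A]
    return s, (A, b)

def encrypt_bit(pk, bit, rng):
    A, b = pk
    r = [rng.randrange(2) for _ in range(M)]                            # random subset of equations
    u = [sum(A[i][j] * r[i] for i in range(M)) % Q for j in range(N)]  # sum of the chosen a_i
    v = (sum(b[i] * r[i] for i in range(M)) + bit * (Q // 2)) % Q      # sum of chosen b_i + encoded bit
    return u, v

def decrypt_bit(s, ct):
    u, v = ct
    d = (v - dot(u, s)) % Q  # = bit*q/2 + sum of chosen e_i, and |sum e_i| <= M*E = 128 < q/4
    return 1 if Q // 4 <= d < 3 * Q // 4 else 0  # round to whichever of {0, q/2} is nearer

def encrypt_bytes(pk, data, rng):
    return [encrypt_bit(pk, (byte >> k) & 1, rng) for byte in data for k in range(8)]

def decrypt_bytes(s, cts):
    bits = [decrypt_bit(s, ct) for ct in cts]
    return bytes(sum(bits[i + k] << k for k in range(8)) for i in range(0, len(bits), 8))

def roundtrip(data, seed):
    """Key generation, encryption and decryption with a seeded RNG; returns the decrypted bytes."""
    rng = random.Random(seed)
    s, pk = keygen(rng)
    return decrypt_bytes(s, encrypt_bytes(pk, data, rng))

if __name__ == "__main__":
    print(roundtrip(b"PQC", 1234))
```

Decryption is always correct here because the accumulated error (at most 128) stays below q/4; real schemes tune the error distribution so that decryption failures are negligible while the noise still hides s.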

NIST Standardization Process and Current Standards

In 2016, the U.S. National Institute of Standards and Technology (NIST) launched a public competition to evaluate and standardize PQC algorithms, similar to the process that selected AES and SHA-3. Dozens of submissions from around the world were rigorously analyzed for security (against both classical and quantum attacks), performance, key/signature sizes, and implementation ease.

In August 2024, NIST released the first three finalized Federal Information Processing Standards (FIPS):

  • FIPS 203: ML-KEM (Module-Lattice-based Key Encapsulation Mechanism, formerly CRYSTALS-Kyber) — Primary choice for general-purpose key exchange/encapsulation (replacing Diffie-Hellman or RSA key transport). Fast, with reasonably small keys and ciphertexts.

  • FIPS 204: ML-DSA (Module-Lattice-based Digital Signature Algorithm, formerly CRYSTALS-Dilithium) — Primary digital signature scheme. Efficient and balanced.

  • FIPS 205: SLH-DSA (Stateless Hash-based Digital Signature Algorithm, formerly SPHINCS+) — Backup signature scheme based on hashes. More conservative (different math assumptions), useful if lattice-based schemes face future issues.

Additional selections:

  • FALCON (now heading toward FIPS 206 as FN-DSA) — Another lattice-based signature with smaller signatures but a more complex implementation (signing uses floating-point arithmetic, which makes constant-time code harder to get right).

  • HQC (Hamming Quasi-Cyclic, code-based) — Selected in 2025 as an additional key encapsulation mechanism (KEM) for diversity.

NIST expects ML-KEM + ML-DSA to form the foundation for most deployments, with SLH-DSA and others as alternatives or backups. Further evaluation rounds continue, particularly for additional signature schemes, to add diversity.

These standards are now ready for immediate use, and organizations (especially governments) are encouraged to begin migration. Protocols like TLS, IPsec, SSH, and certificate formats are being updated to support them (often in "hybrid" mode: classical + PQC together for backward compatibility and extra security).

Practical Considerations and Challenges

  • Performance trade-offs: PQC keys and signatures are often larger than classical ones (e.g., ML-KEM public keys are hundreds of bytes vs. ~32–64 bytes for ECDH). Signatures can be bigger too. This impacts bandwidth, storage, and speed, especially on constrained devices (IoT, embedded systems). Lattice-based schemes perform best overall.

  • Migration is hard: It requires cryptographic inventory (finding all uses of vulnerable algorithms), updating libraries/protocols/hardware, testing, and handling legacy systems. "Crypto agility" (designing systems that can swap algorithms easily) helps.

  • Hybrid approaches: Many early deployments combine classical (e.g., ECDH) and PQC (e.g., ML-KEM) key exchange and derive the session key from both shared secrets, so the connection remains secure as long as at least one component is unbroken.

  • Timeline: Governments like the U.S. (CNSA 2.0) and others aim for high-priority systems by ~2030–2033 and full migration by 2035. Enterprises should start with discovery and pilots now.
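As a small worked piece of the "cryptographic inventory" step, the following script classifies TLS endpoints by their negotiated key-exchange group and certificate signature scheme, and orders them by urgency: classical-only key exchange is exposed to harvest-now-decrypt-later today, while a classical signature only fails once a CRQC exists. This is an added example, not part of the original page or any product listed on it; the one-line-per-endpoint inventory format and the sample entries are constructed, and the group and scheme names (X25519MLKEM768, MLKEM768, mldsa65) are assumed to follow the IETF TLS naming used by current drafts.

```python
import re

# Constructed sample inventory (not real logs). Assumed format, one TLS endpoint per line:
#   <host> kx=<negotiated key-exchange group> sig=<certificate signature scheme>
SAMPLE_INVENTORY = """\
web01.example.test kx=X25519MLKEM768 sig=ecdsa_secp256r1_sha256
api02.example.test kx=X25519 sig=rsa_pss_rsae_sha256
vpn01.example.test kx=ffdhe2048 sig=rsa_pkcs1_sha256
lab03.example.test kx=MLKEM768 sig=mldsa65
"""

CLASSICAL_KX = {"x25519", "x448", "secp256r1", "secp384r1", "secp521r1",
                "ffdhe2048", "ffdhe3072", "ffdhe4096"}   # all broken by Shor's algorithm
PQ_SIG_PREFIXES = ("mldsa", "slhdsa", "fndsa")           # ML-DSA, SLH-DSA, FN-DSA families
LINE = re.compile(r"^(\S+)\s+kx=(\S+)\s+sig=(\S+)$")

def classify_kx(group):
    g = group.lower()
    if "mlkem" in g:
        # X25519MLKEM768 / SecP256r1MLKEM768 pair a classical group with ML-KEM (hybrid);
        # a bare MLKEM768 is ML-KEM on its own
        return "hybrid-pq" if any(c in g for c in ("x25519", "x448", "secp")) else "pure-pq"
    return "classical" if g in CLASSICAL_KX else "unknown"

def classify_sig(scheme):
    s = scheme.lower()
    if s.startswith(PQ_SIG_PREFIXES):
        return "pq"
    if s.startswith(("rsa_", "ecdsa_", "ed25519", "ed448")):
        return "classical"
    return "unknown"

def inventory(text):
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than silently mis-classifying them
        host, kx, sig = m.groups()
        rows.append({"host": host, "kx": kx, "kx_class": classify_kx(kx),
                     "sig": sig, "sig_class": classify_sig(sig)})
    return rows

def prioritize(rows):
    """Urgent: classical-only key exchange (recorded traffic decryptable later).
    Later: key exchange already PQ/hybrid but certificate still signed classically."""
    urgent = [r["host"] for r in rows if r["kx_class"] == "classical"]
    later = [r["host"] for r in rows
             if r["kx_class"] != "classical" and r["sig_class"] == "classical"]
    return urgent, later

if __name__ == "__main__":
    print(prioritize(inventory(SAMPLE_INVENTORY)))
```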

Current Status (as of 2026)

NIST's first standards are finalized and being integrated into software libraries (OpenSSL, BoringSSL, etc.), browsers, cloud services, and hardware. Adoption is growing rapidly in TLS (web encryption), with many major sites already supporting hybrid post-quantum key exchange. Full ecosystem readiness (certificates, VPNs, email, etc.) will take years, but the foundation is solid.

PQC does not replace all cryptography—symmetric ciphers like AES remain strong with larger keys, and quantum key distribution (QKD) is a separate physical-layer approach using quantum mechanics directly (complementary but not a full replacement for PQC).

In short, Post-Quantum Cryptography is a proactive upgrade to keep our digital world secure in the quantum era. It's based on well-vetted math, standardized through open global processes, and already deployable. The biggest remaining task is widespread implementation before quantum threats materialize. If you're building or managing systems, start by assessing your cryptographic dependencies and experimenting with the NIST algorithms.

Post-Quantum Cryptography Products & Solutions

Here is a list of notable PQC implementations, libraries, and commercial solutions that support NIST-standardized algorithms (ML-KEM, ML-DSA, SLH-DSA, etc.), often with hybrid modes:

  1. wolfCrypt Post Quantum (wolfSSL) — Lightweight, embeddable, and FIPS 140-3 ready cryptographic library with native support for NIST PQC algorithms including ML-KEM (FIPS 203), ML-DSA (FIPS 204), SLH-DSA (FIPS 205), and hybrid modes. Optimized for embedded/IoT devices and full integration with wolfSSL TLS.
  2. Open Quantum Safe (liboqs) — Leading open-source C library with implementations of NIST PQC algorithms and many others. Includes integrations for OpenSSL and BoringSSL via oqs-provider. Widely used for research and prototyping.
  3. PQShield UltraPQ-Suite (PQCryptoLib-Core, PQMicroLib, PQPlatform) — Highly optimized software libraries (including embedded versions), OpenSSL integration, and hardware cryptographic accelerators/coprocessors. Strong focus on performance, side-channel resistance, and FIPS 140-3 certification.
  4. Bouncy Castle — Popular open-source cryptographic library for Java and C# with excellent unified API support for NIST PQC algorithms.
  5. Botan (C++) — Well-maintained open-source crypto library with strong PQC support, including hybrid key exchange in TLS.
  6. Google Tink & BoringSSL — Google’s multi-language crypto library (Tink) and BoringSSL include production-oriented PQC implementations. Used in Chrome and Google Cloud with hybrid TLS support.
  7. Microsoft SymCrypt — Native PQC support (ML-KEM, ML-DSA, SLH-DSA) integrated into Windows, Azure Key Vault, and Schannel (TLS).
  8. QuSecure QuProtect — Enterprise crypto-agility platform with runtime PQC protection, network overlays, cryptographic inventory (CBOM), and hybrid TLS/VPN solutions.
  9. Entrust Post-Quantum Solutions — PQC-ready PKI, HSMs (Luna), certificate management, and crypto-agility tools with hybrid support.
  10. ISARA Corporation Solutions — Crypto-agility platform focused on certificate management and enterprise/government PQC migration.
  11. Keyfactor PQC Tools — Cryptographic discovery, inventory, and management platform to help with quantum-safe migration and crypto-agility.
  12. DigiCert & Sectigo PQC-Ready Certificates — Certificate authorities offering hybrid and post-quantum digital certificates and PKI solutions.
  13. Thales Luna HSMs — Hardware Security Modules with crypto-agile PQC support for high-assurance environments.
  14. SafeLogic CryptoComply — FIPS 140-3 validated cryptographic modules with comprehensive PQC support (including hybrid modes) across multiple languages and platforms.
  15. Rambus Quantum Safe IP — Hardware IP cores for ML-KEM and ML-DSA acceleration in ASICs, SoCs, and FPGAs.