Post-Quantum Cryptography: What It Is and How to Learn It
Post-quantum cryptography (PQC) is the field of designing classical cryptographic algorithms that remain secure against quantum computers. With NIST finalizing its first PQC standards in 2024 and governments mandating migration timelines, understanding PQC has become essential for security engineers and anyone working with long-lived sensitive data.
The threat: why Shor's algorithm breaks current encryption
RSA and elliptic curve cryptography (ECC) -- the public-key systems securing most internet traffic, financial transactions, and government communications -- rely on mathematical problems that are computationally hard for classical computers. RSA's security rests on the difficulty of factoring large integers. ECC relies on the discrete logarithm problem over elliptic curves. These problems have no known classical algorithms that scale efficiently.
Shor's algorithm, published in 1994, solves both integer factoring and discrete logarithms in polynomial time on a quantum computer. A quantum computer running Shor's algorithm on a sufficiently large number of qubits could break RSA-2048 and ECC-256 in hours, compared to the billions of years required by the best known classical algorithms. This means that once large fault-tolerant quantum computers exist, all current public-key infrastructure is vulnerable.
The threat is not only future -- it is already present. "Harvest now, decrypt later" (HNDL) attacks are being conducted today: adversaries record encrypted data now and plan to decrypt it retroactively when quantum computers mature. Communications that must remain confidential for 10-20 years are already at risk. See the Shor's algorithm guide for a detailed technical explanation.
The NIST PQC standards (2024)
After a multi-year evaluation process involving submissions from cryptographers worldwide, NIST finalized its first post-quantum cryptography standards in 2024. These are the algorithms governments and companies are migrating to now.
Key Encapsulation: CRYSTALS-Kyber (ML-KEM)
Replaces RSA and ECDH for establishing shared secrets. Based on the Module Learning With Errors (MLWE) lattice problem. Used in TLS handshakes and key exchange protocols. Already deployed in Chrome and Cloudflare for experimental PQC TLS.
Digital Signatures: CRYSTALS-Dilithium (ML-DSA)
General-purpose digital signature scheme. Also lattice-based (MLWE). The primary recommended replacement for RSA signatures and ECDSA. Strong security-performance balance, suitable for most use cases including certificates and code signing.
Digital Signatures: FALCON (FN-DSA)
Compact signature scheme with smaller signature sizes than Dilithium. Based on NTRU lattices. Useful when bandwidth is constrained, such as embedded systems or constrained IoT devices. More complex to implement securely than Dilithium.
Digital Signatures: SPHINCS+ (SLH-DSA)
Hash-based signature scheme with the most conservative security assumptions -- it relies only on the security of hash functions, not lattice problems. Significantly larger signatures than the lattice-based schemes, but suitable for long-term high-assurance applications where conservative security assumptions matter most.
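To make the "relies only on hash functions" point concrete, here is an added example (not code from the page or from the SPHINCS+ project): a Lamport one-time signature, the simplest hash-based scheme, with a size calculation that shows why hash-based signatures are so much larger than ECDSA's.

```python
# Added example, not from the original page or the SPHINCS+ project: a Lamport
# one-time signature, the simplest hash-based scheme. Like SLH-DSA, its security
# rests only on the hash function (preimage resistance of SHA-256 here), and
# like SLH-DSA it pays for that with large keys and signatures.
import hashlib
import secrets

H = hashlib.sha256
N = 32           # SHA-256 output length in bytes
BITS = 8 * N     # the 256-bit message digest is signed one bit at a time

def keygen():
    # Secret key: two random 32-byte preimages for every digest bit position.
    sk = [[secrets.token_bytes(N), secrets.token_bytes(N)] for _ in range(BITS)]
    # Public key: the hash of each preimage.
    pk = [[H(a).digest(), H(b).digest()] for a, b in sk]
    return sk, pk

def _bit(digest: bytes, i: int) -> int:
    # Bit i of the digest, most significant bit first.
    return (digest[i // 8] >> (7 - i % 8)) & 1

def sign(sk, msg: bytes):
    # Reveal, for each digest bit, the preimage that corresponds to its value.
    d = H(msg).digest()
    return [sk[i][_bit(d, i)] for i in range(BITS)]

def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != BITS:
        return False
    d = H(msg).digest()
    return all(H(sig[i]).digest() == pk[i][_bit(d, i)] for i in range(BITS))

def sizes():
    # Byte sizes, to compare with ECDSA's ~64-byte signatures and 32-byte keys.
    return {"signature": BITS * N, "public_key": 2 * BITS * N}

# A Lamport key must sign exactly one message: each signature reveals half of
# the secret preimages. SLH-DSA (SPHINCS+) turns such one-time and few-time
# keys into a stateless many-time scheme with a hash tree, which is where its
# signature size comes from.
```

With SHA-256 the signature is 8 KB and the public key 16 KB, against roughly 64 and 32 bytes for ECDSA P-256.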
PQC vs QKD: two very different approaches
Two quantum-safe security technologies are often confused: post-quantum cryptography (PQC) and quantum key distribution (QKD). They solve related problems through completely different means.
Post-quantum cryptography (PQC)
Classical mathematical algorithms designed to resist quantum attacks
Runs on existing classical hardware -- no quantum devices needed
Can be deployed as a software update to existing systems
NIST standardized in 2024; large-scale deployment underway
Winning the near-term standardization race
Quantum key distribution (QKD)
Uses quantum physics (photon polarization) to distribute cryptographic keys
Theoretically secure based on physics, not mathematical hardness
Expensive, short-range, and difficult to authenticate
Limited to high-assurance government and financial networks
For most organizations, PQC is the relevant technology. QKD is a niche solution for high-value, high-budget scenarios where classical channels cannot be trusted at all.
Who needs to learn PQC
Post-quantum cryptography is no longer a purely academic concern. Three groups have concrete, immediate reasons to understand it:
Security engineers. Implementing PQC in TLS, SSH, certificate infrastructure, and application-layer protocols is becoming a job requirement. Understanding which algorithms to use, how hybrid classical-PQC schemes work during the transition period, and how to integrate PQC libraries into existing systems is practical, deployable knowledge.
Policy and governance professionals. Regulatory mandates (NIST, NSA, EU NIS2) are driving PQC migration requirements across critical infrastructure. Security leaders need to understand PQC well enough to assess their organization's exposure, build a migration roadmap, and communicate risk to boards and regulators.
Quantum computing learners. Understanding Shor's algorithm and its cryptographic implications is an important part of understanding why quantum computing matters. The connection between quantum algorithms and real-world security infrastructure is one of the field's most compelling stories.
Courses and resources
Courses covering post-quantum cryptography, quantum-safe security, and related quantum algorithm foundations. Dedicated PQC courses are limited; broader quantum cryptography courses cover the essential background.
Post-quantum cryptography (PQC) refers to classical cryptographic algorithms that are designed to be secure against attacks from quantum computers. Current public-key systems like RSA and elliptic curve cryptography (ECC) rely on mathematical problems -- integer factoring and discrete logarithms -- that Shor's algorithm can solve efficiently on a large enough quantum computer. PQC replaces these with problems believed to be hard even for quantum computers, such as learning-with-errors (lattice problems), hash-based signatures, and code-based cryptography. PQC algorithms run on classical hardware -- no quantum computer required.
Is RSA already broken by quantum computers?
No, not yet. Breaking RSA-2048 would require a fault-tolerant quantum computer with millions of high-quality logical qubits. Current quantum computers have at most a few thousand noisy physical qubits and cannot run Shor's algorithm at any practically useful scale. However, the "harvest now, decrypt later" threat is real: adversaries can record encrypted communications today and decrypt them once large quantum computers exist. For data that must remain confidential for 10-20 years, migration to post-quantum cryptography should begin now even though the immediate threat is not yet realized.
What are the NIST post-quantum standards?
In 2024, NIST finalized its first set of post-quantum cryptography standards. CRYSTALS-Kyber (now called ML-KEM) handles key encapsulation -- it replaces RSA and ECDH for establishing shared secrets. CRYSTALS-Dilithium (ML-DSA) and FALCON (FN-DSA) handle digital signatures. SPHINCS+ (SLH-DSA) is a hash-based signature scheme with more conservative security assumptions. All four are based on mathematical problems believed to resist quantum attacks. Governments and major technology companies have already begun integrating these into TLS, SSH, and certificate infrastructure.
When do I need to migrate to post-quantum cryptography?
The timeline depends on your data's sensitivity and longevity. The US government has mandated that federal agencies begin PQC migration now, with deadlines staggered by system criticality through 2030. For private organizations, the recommendation is to start by inventorying where public-key cryptography is used, prioritize systems handling long-lived sensitive data, and begin testing PQC in non-critical systems. Full migration for complex PKI infrastructure typically takes 3-5 years, so organizations with data that must stay confidential through the 2030s should have begun planning already.
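The inventory step above, as an added example that is not part of the original page: a standard-library-only Python pass over OpenSSH public-key lines (authorized_keys / *.pub format) that reports each key's algorithm and RSA modulus size. The sample keys are constructed inside the block, and the make_rsa_line / make_ed25519_line helpers exist only to build them.

```python
# Added example, not from the original page: a minimal crypto-inventory pass
# over OpenSSH public-key lines. Every key type OpenSSH defines today (RSA,
# DSA, ECDSA, Ed25519 and their sk- variants) is breakable by Shor's
# algorithm, so each entry is flagged as quantum-vulnerable.
import base64
import struct

def _string(b: bytes) -> bytes:
    # SSH wire "string": 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(b)) + b

def _mpint(x: int) -> bytes:
    # SSH "mpint": a leading 0x00 keeps a value with its top bit set positive.
    return _string(x.to_bytes((x.bit_length() + 8) // 8, "big"))

def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def inspect_key_line(line: str) -> dict:
    # Assumes "<type> <base64> [comment]"; option-prefixed lines are not handled.
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type does not match wire blob")
    info = {"type": key_type, "bits": None, "quantum_vulnerable": True}
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)   # public exponent e
        n, _ = _read_string(blob, off)      # modulus n
        info["bits"] = int.from_bytes(n, "big").bit_length()
    return info

def inventory(lines):
    return [inspect_key_line(ln) for ln in lines if ln.strip() and not ln.startswith("#")]

def make_rsa_line(n: int, e: int = 65537) -> str:
    # Builds a constructed ssh-rsa line for the sample below (not a real key).
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " sample@host"

def make_ed25519_line(pub: bytes) -> str:
    # Builds a constructed ssh-ed25519 line (not a real key).
    blob = _string(b"ssh-ed25519") + _string(pub)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " dev@host"

SAMPLE = [
    "# constructed sample authorized_keys file",
    make_rsa_line((1 << 2047) | 1),      # 2048-bit modulus
    make_ed25519_line(bytes(32)),        # placeholder 32-byte public key
]
```

Running inventory(SAMPLE) yields one RSA-2048 entry and one Ed25519 entry, both flagged; in a real migration the same pass would be run over host keys, authorized_keys files and CA-signed certificates.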