The quantum threat to current cryptography

RSA and elliptic curve cryptography (ECC) -- the algorithms securing most internet traffic -- rely on problems that quantum computers can solve efficiently. Shor's algorithm factors large integers and computes discrete logarithms in polynomial time, breaking RSA and ECC directly.

Current quantum hardware cannot run Shor's algorithm at cryptographically relevant scale. But the "harvest now, decrypt later" threat is real: adversaries record encrypted traffic today for decryption once large quantum computers exist. Data that must remain confidential for 10 or more years is already at risk.

Vulnerable to quantum: RSA
Broken by Shor's algorithm. Private keys can be recovered from public keys once a large enough quantum computer exists.

Vulnerable to quantum: elliptic curve (ECDH, ECDSA)
Shor's algorithm also solves the elliptic curve discrete logarithm problem, breaking ECC key exchange and signatures.

Quantum-safe: AES-256 symmetric
Grover's algorithm provides only a quadratic speedup against symmetric ciphers -- AES-256 remains secure at its current key length.

Quantum-safe: SHA-3 and hash functions
No known quantum algorithm provides significant speedup against secure hash functions. Hash-based signatures (SPHINCS+) are built on this property.

The 2024 NIST PQC standards

After an 8-year standardization process, NIST published four PQC standards in 2024. These are the algorithms organizations should be migrating to.

ML-KEM (formerly CRYSTALS-Kyber) -- key encapsulation
Replaces RSA and ECDH for key exchange. Based on the module learning with errors (MLWE) lattice problem. Included in TLS 1.3, Chrome, and Cloudflare's production infrastructure.

ML-DSA (formerly CRYSTALS-Dilithium) -- digital signatures
General-purpose lattice-based signature scheme. The primary NIST recommendation for most signature applications.

FN-DSA (formerly FALCON) -- digital signatures (compact)
Lattice-based signatures with smaller output sizes than ML-DSA. More complex to implement securely; recommended where bandwidth is constrained.

SLH-DSA (formerly SPHINCS+) -- hash-based signatures
Based only on hash functions -- the most conservative security assumption. Slower and larger than lattice-based schemes, but the least dependent on novel mathematical assumptions.
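To make the "hash functions only" assumption concrete (both for the hash-function row above and for SLH-DSA), here is an added example, written for this page and not taken from SLH-DSA or any project: a textbook Lamport one-time signature in which the private key is random strings, the public key is their hashes, and a signature reveals one secret per bit of the message digest. The function names and the parameter N are the example's own; burnt_positions shows why such a key must never sign twice, which is the limitation the tree construction in SPHINCS+/SLH-DSA exists to remove.

```python
import hashlib
import secrets

# SHA-256 is the only primitive the scheme uses: no factoring, no discrete log, no lattice.
H = hashlib.sha256
N = 32                      # digest length in bytes; one signature covers 8*N = 256 bits


def keygen():
    """Private key: 8*N pairs of random N-byte secrets; public key: their hashes."""
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(8 * N)]
    pk = [(H(a).digest(), H(b).digest()) for a, b in sk]
    return sk, pk


def _bits(message):
    """Yield the 8*N bits of H(message), most significant bit of each byte first."""
    digest = H(message).digest()
    for i in range(8 * N):
        yield (digest[i // 8] >> (7 - i % 8)) & 1


def sign(sk, message):
    """For each digest bit, reveal the secret half of that pair matching the bit."""
    return [pair[bit] for pair, bit in zip(sk, _bits(message))]


def verify(pk, message, sig):
    """Every revealed secret must hash to the committed public half for its bit."""
    if len(sig) != 8 * N:
        return False
    return all(H(s).digest() == pair[bit]
               for s, pair, bit in zip(sig, pk, _bits(message)))


def burnt_positions(sigs):
    """Positions where signatures from the same key revealed both secret halves.
    Any nonzero value means the one-time key was reused and is no longer safe."""
    return sum(1 for i in range(8 * N) if len({s[i] for s in sigs}) > 1)


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed sample message"                     # constructed input
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig))                    # True
    print("tampered:", verify(pk, msg + b"!", sig))          # False
    sig2 = sign(sk, b"a second message signed with the same key")
    print("burnt positions after reuse:", burnt_positions([sig, sig2]))  # > 0
```

Each signature here is 8 KiB and each key pair signs exactly once; SLH-DSA's many-time construction is what turns this primitive into a practical scheme.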

PQC and quantum cryptography courses

Courses covering post-quantum cryptography, quantum-safe security, and related topics.

PQC frequently asked questions

What does PQC stand for?
PQC stands for post-quantum cryptography -- classical cryptographic algorithms designed to remain secure against both classical and quantum computers. PQC is also called quantum-safe or quantum-resistant cryptography. The algorithms are designed to run on ordinary classical hardware; no quantum computer is needed to use PQC.

What are the NIST PQC standards?
NIST finalized its first PQC standards in 2024. ML-KEM (formerly CRYSTALS-Kyber) is the key encapsulation mechanism, replacing RSA and ECDH for key exchange. ML-DSA (formerly CRYSTALS-Dilithium) and FN-DSA (formerly FALCON) are lattice-based digital signature schemes. SLH-DSA (formerly SPHINCS+) is a hash-based signature scheme. All four are based on mathematical problems believed to be hard for quantum computers.

Is PQC the same as quantum cryptography?
No -- PQC and quantum cryptography are different things. PQC is classical cryptography redesigned to withstand quantum attacks; it runs on ordinary computers. Quantum cryptography (such as quantum key distribution, QKD) uses quantum mechanical properties to secure communications and requires quantum hardware. PQC is far more practical to deploy today and is what most security standards and government mandates address.

Why does PQC matter now if quantum computers aren't powerful enough yet?
Because of 'harvest now, decrypt later' attacks. Adversaries can record encrypted communications today and store them for decryption once large quantum computers exist. Data with a long confidentiality requirement -- government secrets, financial records, medical records -- is already at risk. Migration to PQC is also slow: large PKI infrastructures take 3-5 years to update. Organizations that need to protect data through the 2030s should be planning migration now.

What math underlies PQC algorithms?
Most NIST PQC algorithms are based on lattice problems, specifically learning with errors (LWE) and its ring variant (RLWE). These involve finding a vector in a high-dimensional lattice, a problem believed to be hard for quantum computers. SPHINCS+ uses hash functions only, with more conservative security assumptions. Code-based cryptography (based on error-correcting codes) is another PQC approach with a long history of analysis.