Quantum Computation (Caltech PHYS 219)
Prof. John Preskill, Caltech
PQC -- post-quantum cryptography -- is the effort to replace today's public-key systems before quantum computers can break them. NIST finalized the first PQC standards in 2024. Migration is already underway at major tech companies and governments.
RSA and elliptic curve cryptography (ECC) -- the algorithms securing most internet traffic -- rely on problems that quantum computers can solve efficiently. Shor's algorithm factors large integers and computes discrete logarithms in polynomial time, breaking RSA and ECC directly.
Current quantum hardware cannot run Shor's algorithm at cryptographically relevant scale. But the "harvest now, decrypt later" threat is real: adversaries record encrypted traffic today for decryption once large quantum computers exist. Data that must remain confidential for 10 or more years is already at risk.
Broken by Shor's algorithm. Private keys can be recovered from public keys once a large enough quantum computer exists.
Shor's algorithm also solves the elliptic curve discrete logarithm problem, breaking ECC key exchange and signatures.
Grover's algorithm provides only a quadratic speedup against symmetric ciphers -- AES-256 remains secure at its current key length.
No known quantum algorithm provides significant speedup against secure hash functions. Hash-based signatures (SPHINCS+) are built on this property.
After an 8-year standardization process, NIST published its first three PQC standards (FIPS 203, 204, and 205) in August 2024, with a fourth, FN-DSA, still in draft as of 2026. These are the algorithms organizations should be migrating to.
Replaces RSA and ECDH for key exchange. Based on the module learning with errors (MLWE) lattice problem. Included in TLS 1.3, Chrome, and Cloudflare's production infrastructure.
General-purpose lattice-based signature scheme. The primary NIST recommendation for most signature applications.
Lattice-based signatures with smaller output sizes than ML-DSA. More complex to implement securely; recommended where bandwidth is constrained. Its standard, FIPS 206, is still in draft as of 2026.
Based only on hash functions -- the most conservative security assumption. Slower and larger than lattice-based schemes, but the least dependent on novel mathematical assumptions.
Courses covering post-quantum cryptography, quantum-safe security, and related topics.
Prof. John Preskill, Caltech
Dr Steven Herbert, University of Cambridge
Delft University of Technology
Delft University of Technology
Packt
Dr. Daniel Gottesman, Perimeter Institute
Scott Aaronson (UT Austin)
Kumaresan Ramanathan
IQC Faculty, University of Waterloo