
What is post-quantum cryptography?

The short answer

Post-quantum cryptography (PQC) is a family of public-key algorithms designed to remain secure against attacks by large-scale quantum computers. It replaces RSA, finite-field Diffie-Hellman, and elliptic-curve cryptography, all of which Shor's algorithm breaks in polynomial time, with schemes built on lattice, hash-based, code-based, or isogeny problems. In August 2024, NIST published the first three PQC standards: ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205).

The longer answer

Post-quantum cryptography refers to public-key cryptographic systems believed to be secure against an adversary equipped with a cryptographically relevant quantum computer (CRQC). The field exists because Peter Shor's 1994 algorithm showed that a sufficiently large quantum computer can factor integers and compute discrete logarithms in polynomial time, breaking RSA, Diffie-Hellman, and elliptic-curve cryptography (ECC), which together secure essentially all of today's TLS, SSH, IPsec, and code-signing infrastructure. Symmetric ciphers and hash functions are not replaced: Grover's algorithm offers at most a quadratic speedup against them, which larger key and output sizes (AES-256, SHA-384) absorb.

The U.S. National Institute of Standards and Technology (NIST) opened its PQC standardization process in December 2016 and evaluated submissions over three rounds, the last of which ended with a set of finalists and alternate candidates. On August 13, 2024, NIST published three final standards: FIPS 203 (ML-KEM, the module-lattice key-encapsulation mechanism formerly known as CRYSTALS-Kyber), FIPS 204 (ML-DSA, the module-lattice digital signature algorithm formerly known as CRYSTALS-Dilithium), and FIPS 205 (SLH-DSA, the stateless hash-based signature scheme formerly known as SPHINCS+). A fourth standard, FIPS 206 (FN-DSA, based on Falcon), is in draft. A fourth evaluation round continued with additional KEMs (BIKE, Classic McEliece, HQC, and SIKE, the isogeny-based candidate that was broken by a classical attack in 2022), and in March 2025 NIST selected the code-based HQC for standardization as a backup to ML-KEM, so that a future advance against lattice assumptions does not leave the standard without a KEM.

The threat model that drives PQC adoption is "Harvest Now, Decrypt Later" (HNDL): an adversary records encrypted traffic today and decrypts it once a CRQC is available. HNDL is a confidentiality threat: it applies to key exchange and encryption, not to signatures, which an attacker can only forge once a CRQC exists (although firmware and documents that must stay verifiable for years face the same deadline). This is why NSA's Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), published September 2022, schedules the move for U.S. national security systems: software and firmware signing should prefer the hash-based signatures LMS and XMSS by 2025 and use them exclusively by 2030, with all national security systems on CNSA 2.0 algorithms by 2033.

Lattice-based schemes (ML-KEM, ML-DSA, Falcon) currently dominate because they offer the best size/speed tradeoff: ML-KEM-768 has 1184-byte public keys and 1088-byte ciphertexts, with encapsulation well under a millisecond on commodity hardware, and ML-DSA-65 has 1952-byte public keys and 3309-byte signatures. Falcon's signatures are smaller still, but its signing relies on floating-point arithmetic that is hard to implement in constant time. Hash-based signatures (SLH-DSA, XMSS in RFC 8391, LMS in RFC 8554) rely only on the security of the underlying hash function and are the most conservative choice, but produce much larger signatures (7,856 to 49,856 bytes across the SLH-DSA parameter sets); XMSS and LMS sign with a few kilobytes but are stateful, so the signer must never reuse a one-time key. Code-based schemes have been studied since McEliece's 1978 proposal: Classic McEliece pays for that pedigree with public keys from roughly 260 kilobytes to over a megabyte, while HQC keeps keys and ciphertexts in the low kilobytes on a younger quasi-cyclic assumption.
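The construction that makes XMSS and LMS "hash-only" and also makes them stateful, reduced to its skeleton, as an added example that is not from the page, from the RFCs, or from any standard's reference code. It uses Lamport one-time signatures (OTS) over SHA-256 as the leaves of a tiny Merkle tree; the names `ots_keygen`, `MerkleSigner` and `exposed_pairs`, and the seed-derivation of per-leaf keys, are this example's own simplifications, not RFC 8391/8554 constructs (which use WOTS+ chains and larger trees).

```python
"""Stateful hash-based signature in skeleton form: Lamport one-time signatures
whose public keys are the leaves of a Merkle tree. XMSS (RFC 8391) and LMS
(RFC 8554) refine this with WOTS+ chains and hypertrees, but the security
argument is the same: only the hash function is assumed to be secure.
Constructed illustration for this page, not a standards-conformant scheme."""
import hashlib
import os
from typing import Optional

N = 32          # SHA-256 digest length in bytes
BITS = 8 * N    # one Lamport key pair per digest bit


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def digest_bit(d: bytes, i: int) -> int:
    return (d[i // 8] >> (7 - i % 8)) & 1


def ots_keygen(seed: bytes, leaf: int):
    """Derive the leaf-th one-time key pair from a seed (as XMSS does), so
    the signer stores only (seed, next_index) rather than every key."""
    sk, pk = [], []
    for i in range(BITS):
        tag = leaf.to_bytes(4, "big") + i.to_bytes(2, "big")
        x0, x1 = H(seed, tag, b"\x00"), H(seed, tag, b"\x01")
        sk.append((x0, x1))
        pk.append((H(x0), H(x1)))
    return sk, pk


def ots_sign(sk, msg: bytes):
    d = H(msg)      # reveal exactly one preimage per digest bit
    return [sk[i][digest_bit(d, i)] for i in range(BITS)]


def ots_verify(pk, msg: bytes, sig) -> bool:
    d = H(msg)
    return len(sig) == BITS and all(
        H(sig[i]) == pk[i][digest_bit(d, i)] for i in range(BITS))


def leaf_hash(pk) -> bytes:
    return H(*[h for pair in pk for h in pair])


class MerkleSigner:
    def __init__(self, height: int, seed: Optional[bytes] = None):
        self.height, self.seed = height, seed or os.urandom(N)
        self.next_index = 0   # the state; losing or rolling it back is fatal
        leaves = [leaf_hash(ots_keygen(self.seed, i)[1])
                  for i in range(2 ** height)]
        self.levels = [leaves]
        while len(self.levels[-1]) > 1:
            lvl = self.levels[-1]
            self.levels.append([H(lvl[i], lvl[i + 1])
                                for i in range(0, len(lvl), 2)])
        self.root = self.levels[-1][0]   # the long-term public key

    def remaining(self) -> int:
        return 2 ** self.height - self.next_index

    def sign(self, msg: bytes):
        if self.remaining() == 0:
            raise RuntimeError("all one-time keys used; generate a new tree")
        idx = self.next_index
        self.next_index += 1  # persist this BEFORE the signature leaves the process
        return self._sign_with_index(idx, msg)

    def _sign_with_index(self, idx: int, msg: bytes):
        """Unsafe on its own: reusing idx is exactly the state-rollback bug."""
        sk, pk = ots_keygen(self.seed, idx)
        auth, i = [], idx
        for lvl in self.levels[:-1]:
            auth.append(lvl[i ^ 1])   # sibling on the path to the root
            i //= 2
        return idx, ots_sign(sk, msg), pk, auth


def merkle_verify(root: bytes, msg: bytes, signature) -> bool:
    idx, ots_sig, ots_pk, auth = signature
    if not ots_verify(ots_pk, msg, ots_sig):
        return False
    node, i = leaf_hash(ots_pk), idx
    for sibling in auth:
        node = H(node, sibling) if i % 2 == 0 else H(sibling, node)
        i //= 2
    return node == root


def exposed_pairs(sig_a, sig_b) -> int:
    """If one leaf signed two different messages (state rollback, restored
    backup, cloned VM), count positions where both preimages are now public."""
    if sig_a[0] != sig_b[0]:
        return 0
    return sum(a != b for a, b in zip(sig_a[1], sig_b[1]))


if __name__ == "__main__":
    signer = MerkleSigner(height=3, seed=b"\x01" * N)   # 8 one-time keys
    sig = signer.sign(b"firmware-1.0.bin")
    print("valid:", merkle_verify(signer.root, b"firmware-1.0.bin", sig))
    print("forged:", merkle_verify(signer.root, b"firmware-evil.bin", sig))
    a = signer._sign_with_index(5, b"pay alice 10")
    b = signer._sign_with_index(5, b"pay mallory 10")
    print("preimage pairs exposed by one reuse:", exposed_pairs(a, b), "of", BITS)
```

Every verification step is a hash evaluation, which is the whole security argument; the price is that `next_index` must survive crashes and must never be duplicated across machines. After a single reuse of leaf 5 on two unrelated messages, roughly half of the 256 Lamport positions have both preimages public, and each further reuse exposes more, until an attacker can sign any message whose digest bits are covered. SLH-DSA removes the state at the cost of the much larger signatures quoted above.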

Real deployments are underway, almost all of them hybrid: the PQ shared secret is combined with a classical ECDH secret so that a flaw in the new algorithm or its implementation cannot reduce security below what X25519 or P-256 already gives. Apple's iMessage PQ3 protocol (announced February 2024) combines Kyber-1024, the pre-standard form of ML-KEM-1024, with ECDH. Signal's PQXDH, deployed September 2023, likewise mixes Kyber-1024 with X25519. Cloudflare and Google have rolled out X25519MLKEM768, the hybrid key share defined in the IETF draft that began as draft-kwiatkowski-tls-ecdhe-mlkem (now draft-ietf-tls-ecdhe-mlkem): Chrome has enabled it by default since version 131 (late 2024), and Cloudflare reports a large and growing share of its human TLS traffic negotiating it. AWS KMS accepts hybrid ML-KEM key exchange on its TLS endpoints, OpenSSH has shipped a hybrid post-quantum key exchange since 9.0 (sntrup761x25519, based on NTRU Prime rather than ML-KEM), added mlkem768x25519-sha256 in 9.9 and made it the default in 10.0, and BoringSSL implements X25519MLKEM768.

The unsolved problem is the migration itself. NIST IR 8547 (draft, November 2024) lays out the transition: quantum-vulnerable algorithms at the 112-bit security level, RSA-2048 among them, are to be deprecated after 2030, and all quantum-vulnerable public-key algorithms, including 256-bit elliptic curves such as P-256, disallowed after 2035. Cryptographic agility, the ability to swap algorithms without rearchitecting protocols, is now a first-class engineering requirement, and the U.S. National Security Memorandum NSM-10 (May 2022) makes the first step concrete by directing agencies to inventory where quantum-vulnerable cryptography is used, starting with systems that protect long-lived data.
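A first step toward both the HNDL assessment above and the NSM-10 inventory: classify logged TLS handshakes by whether the key exchange and the authentication are quantum-safe, and count the sessions whose recordings could be decrypted later. This is an added example for this page, not tooling from any vendor, agency, or the IETF; the `key=value` log shape and the sample lines are constructed, and the group and signature-name tables are assumptions that a real inventory must extend (the group names follow the IETF hybrid draft cited above and the IANA TLS registry; `mldsa65` and `slhdsa_*` are used here as stand-ins for whatever signature-scheme codepoints a deployment ends up logging).

```python
"""Quantum-exposure inventory over a constructed TLS handshake log.
Group names follow the IANA TLS registry and the IETF hybrid draft
(X25519MLKEM768 etc.); the key=value log shape is constructed for this page
and is not any product's real format."""
import re
from collections import Counter
from dataclasses import dataclass

# Key-agreement groups whose shared secret survives a CRQC: pure ML-KEM or
# ML-KEM hybrids (a hybrid is safe if either component is).
PQ_GROUPS = {"x25519mlkem768", "secp256r1mlkem768", "secp384r1mlkem1024",
             "mlkem512", "mlkem768", "mlkem1024"}
# Every classical (EC)DH group falls to Shor's algorithm; "none" marks TLS 1.2
# RSA key transport, where the server's RSA key unlocks every recorded session.
CLASSICAL_GROUPS = {"x25519", "x448", "secp256r1", "secp384r1", "secp521r1",
                    "ffdhe2048", "ffdhe3072", "ffdhe4096", "ffdhe8192", "none"}
PQ_SIG_PREFIXES = ("mldsa", "slhdsa")    # FIPS 204 / FIPS 205 scheme families

KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    dst: str
    group: str
    sig: str
    kx_quantum_safe: bool
    auth_quantum_safe: bool

    @property
    def hndl_exposed(self) -> bool:
        # Only the key exchange decides whether a recording can be decrypted
        # later; a classical signature is a forgery risk from CRQC-day on,
        # not a retroactive one.
        return not self.kx_quantum_safe


def kx_is_quantum_safe(group: str) -> bool:
    g = group.lower()
    if g in PQ_GROUPS:
        return True
    if g in CLASSICAL_GROUPS:
        return False
    # An inventory must not silently guess: unknown names go to a human.
    raise ValueError(f"unclassified group {group!r}; extend the tables")


def auth_is_quantum_safe(sig: str) -> bool:
    name = sig.lower().replace("_", "").replace("-", "")
    return name.startswith(PQ_SIG_PREFIXES)


def classify(line: str) -> Finding:
    f = dict(KV.findall(line))
    return Finding(f["dst"], f["group"], f["sig"],
                   kx_is_quantum_safe(f["group"]), auth_is_quantum_safe(f["sig"]))


def summarize(lines):
    """Return findings plus counts; hndl_exposed is the number to fix first."""
    findings = [classify(line) for line in lines if line.strip()]
    totals = Counter(total=len(findings))
    for fd in findings:
        totals["hndl_exposed"] += fd.hndl_exposed
        totals["auth_quantum_vulnerable"] += not fd.auth_quantum_safe
    return findings, totals


# Constructed sample: five handshakes as a TLS-terminating proxy might log them.
SAMPLE_LOG = """\
ts=2025-03-04T10:11:12Z dst=api.internal:443 tls=1.3 group=X25519MLKEM768 sig=ecdsa_secp256r1_sha256
ts=2025-03-04T10:11:13Z dst=api.internal:443 tls=1.3 group=x25519 sig=ecdsa_secp256r1_sha256
ts=2025-03-04T10:11:14Z dst=legacy.internal:443 tls=1.2 group=secp256r1 sig=rsa_pss_rsae_sha256
ts=2025-03-04T10:11:15Z dst=vpn.internal:443 tls=1.2 group=none sig=rsa_pkcs1_sha256
ts=2025-03-04T10:11:16Z dst=lab.internal:8443 tls=1.3 group=X25519MLKEM768 sig=mldsa65
"""

if __name__ == "__main__":
    findings, totals = summarize(SAMPLE_LOG.splitlines())
    for fd in findings:
        print(f"{fd.dst:22} kx={fd.group:16} sig={fd.sig:24} "
              f"HNDL={'EXPOSED' if fd.hndl_exposed else 'ok'}")
    print(dict(totals))
```

The split into `hndl_exposed` and `auth_quantum_vulnerable` is the point: the three classical key exchanges are exposed today to anyone recording the traffic, while the four classical signatures only become a problem once a CRQC exists, which is the same ordering CNSA 2.0 and the browser deployments above follow (key exchange first, signatures and certificates later). Unknown group names raise rather than being counted as safe or unsafe, because a migration plan built on a guessed inventory is worse than one built on a gap you know about.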

Key facts

  • Shor's algorithm (1994) breaks RSA and ECC in polynomial time on a quantum computer (arXiv:quant-ph/9508027v2).
  • NIST published FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) on August 13, 2024 (NIST FIPS 203/204/205).
  • ML-KEM-768 has 1184-byte public (encapsulation) keys and 1088-byte ciphertexts (FIPS 203, Section 8, parameter sets).
  • HQC was selected as a backup KEM on March 11, 2025 (NIST IR 8545).
  • NSA CNSA 2.0 (September 2022) expects software and firmware signing to prefer LMS/XMSS by 2025 and use them exclusively by 2030, and all national security systems to be on CNSA 2.0 algorithms by 2033.
  • Apple iMessage PQ3 uses Kyber-1024 (pre-standard ML-KEM-1024) in hybrid with ECDH, announced February 21, 2024 (Apple Security Research blog).
  • Signal's PQXDH protocol, deployed from September 19, 2023, combines Kyber-1024 (pre-standard ML-KEM-1024) with X25519 (PQXDH whitepaper).
  • Chrome enabled X25519MLKEM768 by default in version 131 (Chromium issue 1442377).
  • XMSS (RFC 8391) and LMS (RFC 8554) are stateful hash-based signatures already approved by NIST SP 800-208.
  • White House NSM-10 (May 4, 2022) directs federal agencies to inventory quantum-vulnerable cryptography.

Published by AtomEons — ÆoNs Research Laboratory. Last reviewed June 2026.
