person Tute World Team

What is Post-Quantum Cryptography?

Post-quantum cryptography is the field of designing cryptographic algorithms that remain secure even against quantum computers. The key insight: these are classical algorithms — they run on today's computers — but they're based on mathematical problems that even quantum computers can't solve efficiently.

Post-Quantum vs. Quantum Cryptography

These two terms are often confused. They're fundamentally different things:

Post-Quantum Cryptography (PQC)

Classical algorithms that run on today's computers

Designed to resist attacks from both classical AND quantum computers

Can be deployed on existing hardware and software

The practical, near-term solution — NIST standardized first algorithms in 2024

This is what this roadmap focuses on

Quantum Cryptography

Quantum mechanical systems that require quantum hardware

Example: Quantum Key Distribution (QKD) — uses quantum physics to detect eavesdroppers

Requires specialized fiber optic or satellite links

Exotic, expensive, limited range — not a near-term mass-market solution

The New Hard Problems

Post-quantum algorithms replace RSA's factoring problem and ECC's discrete logarithm with different mathematical problems that quantum computers can't solve efficiently.

There are four main families, each based on a different type of hard problem:

🔷

Lattice-Based

Hard problem: Learning With Errors (LWE) and its variants. Involves finding a short vector in a high-dimensional grid of points (a lattice).

Examples: ML-KEM (formerly CRYSTALS-Kyber), ML-DSA (formerly CRYSTALS-Dilithium), NTRU

Status: NIST standardized. The most important PQC family.

#️⃣

Hash-Based

Hard problem: Finding hash collisions or preimages — security reducible to the hash function alone. Very conservative security assumptions.

Examples: SLH-DSA (formerly SPHINCS+), XMSS, LMS

Status: NIST standardized for signatures. Simple and well-understood security model.

📝

Code-Based

Hard problem: Decoding a random linear code. Based on error-correcting codes — a 50-year-old hard problem with excellent confidence.

Examples: Classic McEliece (alternate KEM standard), BIKE, HQC

Status: Classic McEliece is a NIST alternate standard. Large key sizes are the main drawback.

🧮

Multivariate

Hard problem: Solving systems of multivariate polynomial equations over finite fields. Generally NP-hard.

Examples: Rainbow (broken in 2022!), GeMSS

Status: No NIST finalist survived analysis. Under continued research. Not recommended for production.

Rainbow was broken: During the NIST competition, the Rainbow multivariate signature scheme was broken by a researcher on a laptop in a weekend. This is why cryptographic competitions and peer review matter — algorithms must survive scrutiny before standardization.

Why Are We Confident These Are Quantum-Safe?

The selected algorithms have:

  1. Years of public scrutiny: The NIST competition ran from 2017–2024. Hundreds of cryptographers worldwide tried to break them. None of the finalists were broken.
  2. Hard problem reductions: The algorithms' security is mathematically reduced to the hardness of well-studied problems. Breaking the algorithm provably requires solving the underlying hard problem.
  3. No known quantum speedup: The best known quantum algorithms for lattice problems (like LWE) provide negligible advantage over classical computers. Unlike integer factoring, no Shor-like speedup is known for LWE.
Important caveat: "No known quantum algorithm" doesn't mean "proven quantum-safe forever." Cryptography is an evolving field. This is why crypto-agility — building systems that can swap algorithms — is essential. But the NIST-selected algorithms represent our best current understanding.

The NIST Standardization Timeline

2016NIST issues call for post-quantum algorithm proposals
201769 submissions received. Public review begins.
2019Round 2: 26 candidates remain after initial analysis
2020Round 3: 7 finalists + 8 alternates. Analysis continues.
2022Rainbow broken. 4 algorithms selected for standardization.
Aug 2024NIST publishes FIPS 203 (ML-KEM), 204 (ML-DSA), 205 (SLH-DSA) — the world's first post-quantum standards.
2025+Industry adoption, migration begins globally. Classic McEliece in standardization.

Frequently Asked Questions

Do post-quantum algorithms also protect against classical computers?

Yes — post-quantum algorithms are designed to be hard for both classical AND quantum computers. They replace RSA and ECC entirely, not just for quantum threats. There's no trade-off where you gain quantum resistance but lose classical security. The NIST-selected algorithms are designed to provide at least 128 bits of security against both types of computers.

Are post-quantum algorithms slower or have bigger key sizes?

Often yes, but it varies. ML-KEM (Kyber) is remarkably fast and has reasonable key sizes. ML-DSA signatures are larger than ECDSA. SLH-DSA signatures are very large. Classic McEliece has huge public keys (~1MB). The performance overhead is real but manageable for most applications — and is already being optimized with hardware acceleration.

Should I implement post-quantum algorithms myself?

No. Never implement cryptographic algorithms from scratch. Use well-audited libraries like liboqs (Open Quantum Safe), BoringSSL, or OpenSSL 3.x with PQC support. Cryptographic implementation is notoriously error-prone — timing side-channels, subtle mathematical bugs, and implementation-specific vulnerabilities can break algorithms that are secure in theory. Use the libraries; don't roll your own.

← Phase 4 Overview Next: NIST PQC Standards →

Frequently Asked Questions

What will I learn here?

This page covers the core concepts and techniques you need to understand the topic and progress confidently to the next lesson.

How should I use this page?

Start with the overview, then follow the section links to deepen your understanding. Use the table of contents on the right to jump to specific sections.

What should I read next?

Use the navigation below to continue to the next lesson or explore related topics.