Quantum computers will break today's encryption. Post-Quantum Cryptography builds the algorithms that will keep data safe in a quantum-powered world.
Quantum computers leverage qubits and superposition to solve problems that classical computers can't touch — including breaking widely-used cryptographic schemes.
Shor's algorithm can factor large integers and compute discrete logs in polynomial time, shattering RSA and Elliptic Curve cryptography.
Adversaries are already capturing encrypted data today, planning to decrypt it once quantum computers become powerful enough.
Experts estimate cryptographically relevant quantum computers could arrive within 10–15 years. Migration must begin now.
TLS, VPNs, digital signatures, banking, government secrets — all rely on algorithms that quantum computers will defeat.
In 2024, NIST released the first post-quantum cryptographic standards. These are the algorithms that will protect the next era of digital communication.
ML-KEM (FIPS 203) is the Module-Lattice-Based Key Encapsulation Mechanism, formerly known as CRYSTALS-Kyber. It is the primary standard for post-quantum key exchange, used in TLS handshakes and hybrid encryption.
Its security is based on the hardness of the Module Learning With Errors (MLWE) problem over structured lattices.
ML-DSA (FIPS 204) is the Module-Lattice-Based Digital Signature Algorithm, formerly CRYSTALS-Dilithium. It is the primary standard for post-quantum digital signatures.
Its security is based on the hardness of finding short vectors in module lattices (MLWE and MSIS problems).
SLH-DSA (FIPS 205) is the Stateless Hash-Based Digital Signature Algorithm, formerly SPHINCS+. It is a conservative backup standard relying only on the security of hash functions.
It uses a hypertree of many-time XMSS-like trees with FORS (Forest of Random Subsets) for one-time signing.
FFT over NTRU-Lattice-Based Digital Signature Algorithm. Selected by NIST as an additional signature standard, offering the smallest combined public key + signature sizes among lattice-based schemes.
Its security is based on the hardness of the Short Integer Solution problem over NTRU lattices, using fast Fourier sampling.
Key milestones in the journey toward quantum-resistant cryptography.
Peter Shor demonstrates a quantum algorithm that can factor integers in polynomial time, threatening RSA and ECC.
NIST calls for proposals for post-quantum public-key encryption, key exchange, and digital signature algorithms.
NIST selects CRYSTALS-Kyber, CRYSTALS-Dilithium, Falcon, and SPHINCS+ as the first algorithms to be standardized.
NIST publishes FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) as the first post-quantum cryptographic standards.
Organizations worldwide begin transitioning to PQC. Hybrid approaches (classical + PQ) are deployed during the transition.
Cryptographically relevant quantum computers may emerge. Systems not yet migrated face existential risk.
How today's cryptographic algorithms compare against the quantum threat.
| Algorithm | Type | Quantum Safe | Key Size | Status |
|---|---|---|---|---|
| RSA-2048 | Encryption / Signature | Vulnerable | 256 bytes | Widely deployed |
| ECDSA (P-256) | Digital Signature | Vulnerable | 32 bytes | Widely deployed |
| ECDH (X25519) | Key Exchange | Vulnerable | 32 bytes | Widely deployed |
| AES-256 | Symmetric Encryption | Safe (Grover: 128-bit) | 32 bytes | Remains secure |
| ML-KEM-768 | Key Encapsulation | Quantum Safe | 1,184 bytes | FIPS 203 standard |
| ML-DSA-65 | Digital Signature | Quantum Safe | 1,952 bytes | FIPS 204 standard |
| SLH-DSA-128f | Digital Signature | Quantum Safe | 32 bytes | FIPS 205 standard |
Common questions about post-quantum cryptography and the transition ahead.