Purpose: concise, technical-friendly overview of post-quantum cryptography: short history, the NIST standardization effort, the current status, and why the process remains active (especially given the early dominance of lattice-based schemes).
For cryptography basics and applications more broadly, see [crypto-101].
- Post‑quantum cryptography (PQC) studies classical algorithms resistant to attacks by large quantum computers.
- NIST ran a multi-round standardization competition; it has published initial standards (module‑lattice KEM and signature, plus hash‑based signature backup) and continues to evaluate additional candidates to increase mathematical diversity [NIST 2024][nist-fips2024].
- Early standard choices leaned on lattice constructions (e.g., Kyber and Dilithium) because of strong performance and compact parameters, but this creates a need for backups based on different hardness assumptions [NIST PQC Project][nist-pqc].
| Project | Type | Date |
|---|---|---|
| Release of OpenSSL v3.5, a milestone after which PQC migration accelerated | FOSS project | Apr 2025 |
| A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography | EUCC/EU regulation | Jun 2025 |
| Samsung S25 shipped the new secure element S3SSE2A | Vendor | Feb 2025 |
| Post-Quantum Financial Infrastructure Framework (PQFIF): A Roadmap for the Quantum-Safe Transition of Global Financial Infrastructure | Industry | Sep 2025 |
| GitHub SSH | Vendor | Sep 2025 |
- 1994: Shor's algorithm exposed that quantum computers would break RSA/DSA/ECC by efficiently factoring and computing discrete logarithms [Shor1994].
- Research into alternatives accelerated; proposals based on lattices, codes, hashes, multivariate polynomials, and isogenies emerged over the next two decades.
- In 2016 NIST launched a public standardization project to evaluate and select quantum-resistant public‑key algorithms through multiple rounds of public review [nist-pqc].
- Round 1 (2017–2019): dozens of submissions across different mathematical families; NIST winnowed to a set of candidates for deeper review.
- Round 2 (2019–2020): further analysis and attacks; some candidates withdrawn or demoted. Status report published as NIST IR 8309 [nist-round2].
- Round 3 (2020–2022): finalists emerged (notably CRYSTALS‑KYBER for KEM; CRYSTALS‑DILITHIUM, FALCON and SPHINCS+ for signatures). Status report published as NIST IR 8413 [nist-round3].
- Additional signature call (2023–2024): NIST issued a new call for additional digital signature schemes to diversify beyond lattice‑based approaches. Status report on the first round published as NIST IR 8528 [nist-signnew].
- Round 4 (2023–2025): NIST continued evaluation of remaining KEMs (e.g. BIKE, Classic McEliece, HQC, SIKE). HQC, a code‑based scheme, was selected in 2025 as a backup KEM. Status report published as NIST IR 8545 [nist-round4].
- Finalization (2024): NIST published its first PQC standards, naming the module‑lattice KEM (Kyber family) and module‑lattice signature (Dilithium), plus SPHINCS+ as a hash‑based signature standard; FALCON remained a considered alternative [nist-fips2024].
- NIST's early selections prioritized algorithms that offered a good balance of security evidence, performance, compactness of keys/ciphertexts, and implementability (including resistance to implementation issues such as timing/side‑channel leakage) [nist-round3].
- Lattice‑based constructions (Learning With Errors / Module‑LWE / NTRU variants) delivered attractive speed and small parameters, which influenced their selection for the first wave of standards [nist-round3].
- NIST has finalized initial standards and published FIPS documents for certain algorithms [nist-fips2024].
- The project remains active: NIST is maintaining a set of standardized algorithms while evaluating and documenting additional algorithms (backups and alternates) to increase cryptographic diversity [nist-hqc2025].
- Assumption diversity matters: if all deployed primitives rely on the same mathematical assumption (e.g., structured lattices), a single unforeseen breakthrough (classical or quantum) that weakens that assumption would threaten a large fraction of deployments. NIST therefore seeks backups from different families (code‑based, hash‑based, multivariate, isogeny‑based) to hedge that risk [nist-diversity].
- Implementation and deployment issues: even a mathematically secure primitive may be difficult to implement safely (side‑channels, parameter selection, failure modes). Ongoing work is needed to vet implementations across platforms (software, hardware, constrained IoT devices).
- Ongoing cryptanalysis: candidate algorithms continue to be studied; new attacks or refined security estimates can change confidence in them [nist-round3].
- Performance and ecosystem readiness: standards must be practical across many contexts (servers, browsers, embedded devices, and large‑scale TLS/PKI ecosystems). Time is required for libraries, hardware accelerators, and protocols to integrate and mature.
- Need for conservative rollouts: many organizations face "harvest now, decrypt later" threats. NIST's balanced approach gives implementers usable standards now while keeping additional options open as the community learns more [nist-pqc].
- Security evidence: Lattice problems (e.g., Learning With Errors, Short Integer Solution) have well‑studied worst‑case/average‑case reductions and a wide academic literature [Regev2005].
- Performance: Lattice schemes yield smaller keys and faster operations compared with many other families, making them attractive for internet protocols and constrained devices [nist-round3].
- Implementation maturity: Several lattice schemes had robust reference implementations and active analysis during the rounds [nist-round3].
- Lattice‑based — fast, compact, but structured lattices raise questions about specific algebraic structure attacks.
- Code‑based — long history (e.g., McEliece), large public keys but different hardness assumptions; useful as a hedge (HQC is an example) [nist-hqc2025].
- Hash‑based — conservative, simple assumptions (security relies on hash functions), but larger signatures or stateful designs; SPHINCS+ is a stateless variant used as a backup for signatures [nist-fips2024].
- Multivariate and isogeny‑based — each brings different tradeoffs and remains under active study [nist-pqc].
- Inventory your crypto: know where RSA/ECC keys and long‑lived encrypted archives exist (harvest‑now risks).
- Adopt hybrid modes: combine a classical primitive with a PQC primitive for key exchange/signatures to avoid single‑point failures during the transition [nist-diversity].
- Prioritize high‑value assets and communications for early migration (VPNs, code signing, certificate authorities, archival data).
- Keep an eye on updates: standards and guidance evolve; plan for crypto‑agility to swap algorithms without massive rewrites [nist-pqc].
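The hybrid-mode recommendation above rests on a key combiner: a session key derived from both a classical and a post-quantum KEM shared secret, so the key stays safe while either primitive holds. The following is an added illustration, not code from this page, NIST, or any library; the HKDF is RFC 5869 over the standard library, while the concatenation layout, the `hybrid-kem-demo` label and the sample KEM outputs are constructed assumptions, not any protocol's exact encoding.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256; an empty salt means HashLen zero bytes."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length exceeds the HKDF limit")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_shared_secrets(ss_classical: bytes, ss_pq: bytes,
                           ct_classical: bytes, ct_pq: bytes,
                           label: bytes = b"hybrid-kem-demo", length: int = 32) -> bytes:
    """Derive one session key from a classical and a post-quantum KEM shared secret.

    Both secrets feed the KDF input, so the output stays unpredictable while either
    KEM remains unbroken. The public ciphertexts and a label go into the HKDF context,
    binding the derived key to this particular exchange. The layout (length-prefixed
    concatenation) is an assumption for illustration, not a standard's encoding.
    """
    if not ss_classical or not ss_pq:
        raise ValueError("a hybrid combiner must receive both shared secrets")
    ikm = ss_classical + ss_pq
    info = label + len(ct_classical).to_bytes(2, "big") + ct_classical + ct_pq
    prk = hkdf_extract(salt=b"", ikm=ikm)
    return hkdf_expand(prk, info, length)


def demo() -> bytes:
    # Constructed sample values standing in for real X25519 / ML-KEM outputs.
    ss_classical = bytes.fromhex("11" * 32)
    ss_pq = bytes.fromhex("22" * 32)
    ct_classical = bytes.fromhex("aa" * 32)
    ct_pq = bytes.fromhex("bb" * 64)
    return combine_shared_secrets(ss_classical, ss_pq, ct_classical, ct_pq)
```

Dropping either input (for instance, falling back to the classical secret alone when a peer lacks PQC support) silently loses the hedge, which is why the combiner refuses an empty secret rather than proceeding.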
- [nist-pqc] NIST PQC Project Overview: https://csrc.nist.gov/projects/post-quantum-cryptography
- [nist-round2] NIST IR 8309: Status Report on the Second Round (2020): https://doi.org/10.6028/NIST.IR.8309
- [nist-round3] NIST IR 8413: Status Report on the Third Round (2022): https://doi.org/10.6028/NIST.IR.8413
- [nist-round4] NIST IR 8545: Status Report on the Fourth Round (2025): https://doi.org/10.6028/NIST.IR.8545
- [nist-signnew] NIST IR 8528: Status Report on the First Round of the Additional Digital Signature Schemes (2024): https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8528.pdf
- [nist-fips2024] NIST PQC Standards (2024): https://doi.org/10.6028/NIST.FIPS.203-205
- [nist-hqc2025] NIST Announces HQC as Additional KEM Candidate (2025): https://csrc.nist.gov/News/2025/pqc-hqc-selected
- [nist-diversity] NIST Discussion on Cryptographic Diversity: https://csrc.nist.gov/projects/post-quantum-cryptography/faqs
- [Shor1994] P.W. Shor, "Algorithms for quantum computation: discrete logarithms and factoring," 1994.
- [Regev2005] O. Regev, "On lattices, learning with errors, random linear codes, and cryptography," 2005.
- [crypto-101] HardenedLinux crypto-101: https://github.com/hardenedlinux/crypto-101