What Is Post-Quantum Cryptography?

Post-quantum cryptography (PQC) is the branch of cryptography dedicated to designing algorithms that remain secure against attacks from both classical and quantum computers. As quantum hardware advances toward practical scale, the asymmetric schemes underpinning today's internet security — ECDSA, RSA, and Diffie-Hellman — face an existential threat. This guide explains the mechanics of that threat, what "quantum-resistant" actually means, the five main families of PQC algorithms, how NIST's standardisation process resolved, and why the migration to PQC is already underway across finance, government, and blockchain infrastructure.

Why Classical Cryptography Is Vulnerable to Quantum Computers

Modern public-key cryptography rests on mathematical problems that are computationally hard for classical computers. RSA relies on the difficulty of factoring large integers; ECDSA and Diffie-Hellman rely on the discrete logarithm problem over elliptic curves or finite fields. A classical computer attempting to break a 2048-bit RSA key by brute force would take longer than the age of the universe.

Quantum computers operate on fundamentally different principles. Rather than processing bits in binary states, they use qubits that can exist in superpositions of 0 and 1 simultaneously, and they exploit quantum interference and entanglement to explore many solution paths in parallel.

Shor's Algorithm: The Core Threat

In 1994, mathematician Peter Shor published an algorithm that, running on a sufficiently powerful quantum computer, can factor large integers and solve discrete logarithm problems in polynomial time rather than exponential time. The practical consequence is stark: a quantum computer executing Shor's algorithm could reconstruct a private key from a public key. Every Bitcoin address, every TLS certificate, every digitally signed document protected by RSA or ECDSA becomes potentially breakable.

Grover's Algorithm: A Subtler Threat to Symmetric Cryptography

Grover's algorithm offers a quadratic speedup for unstructured search problems. Against symmetric ciphers like AES-256, this effectively halves the security level, reducing it from 256-bit to roughly 128-bit equivalent strength. The mitigation is straightforward: double the key length. This is why Grover's algorithm is considered a manageable threat, while Shor's algorithm is considered existential for current public-key systems.

The "Harvest Now, Decrypt Later" Problem

A widely discussed concern in the security community is that adversaries may already be harvesting encrypted traffic today, storing ciphertext with the intention of decrypting it once quantum hardware matures. For data with long confidentiality requirements, such as medical records, national-security communications, or long-duration financial contracts, the migration timeline is not theoretical. It starts now.

---

What Does "Quantum-Resistant" Actually Mean?

A cryptographic algorithm is considered quantum-resistant (or post-quantum secure) if no known quantum algorithm can break it in sub-exponential time. The term does not mean "unbreakable by any conceivable future computer." It means the best known attacks, including quantum attacks, require computational resources that are infeasible even for a large-scale quantum adversary.

Quantum resistance is not a binary property. It is evaluated against:

When researchers or vendors claim a system is "quantum-resistant," the claim is only as strong as the maturity of the underlying mathematical problem and the rigour of the implementation.

---

The Five Families of Post-Quantum Cryptographic Algorithms

PQC research has converged on five principal families, each grounded in a distinct hard mathematical problem. No single family dominates; each involves trade-offs between key size, signature size, speed, and confidence in long-term security.

1. Lattice-Based Cryptography

Lattice-based schemes are currently the most prominent family and form the backbone of NIST's primary PQC standards. They rely on problems such as Learning With Errors (LWE), Ring-LWE, and the Shortest Vector Problem (SVP) in high-dimensional geometric lattices.

How it works at a high level: A lattice is a regular grid of points in n-dimensional space. Finding the shortest non-zero vector in that grid, or finding a vector close to a given target point, is believed to be hard for both classical and quantum computers, even with Shor's algorithm.

NIST-standardised lattice schemes:

SchemeTypeNIST StandardPrimary Use
ML-KEM (CRYSTALS-Kyber)Key encapsulationFIPS 203Key exchange, TLS
ML-DSA (CRYSTALS-Dilithium)Digital signatureFIPS 204Document signing, PKI
FALCONDigital signatureFIPS 206Constrained environments

Lattice schemes generally offer small ciphertexts and fast operations, making them practical replacements for RSA and ECDSA in most contexts.

2. Hash-Based Cryptography

Hash-based schemes derive security entirely from the collision resistance of cryptographic hash functions — a well-understood primitive with decades of analysis. Even Grover's algorithm only provides a quadratic speedup against hash functions, which is manageable by choosing sufficient output length.

Key schemes:

Hash-based signatures are considered among the most conservative PQC choices due to the maturity of the underlying hash-function security assumptions. The trade-off is larger signature sizes compared to lattice alternatives.

3. Code-Based Cryptography

Code-based cryptography traces its roots to Robert McEliece's 1978 proposal. Security derives from the difficulty of decoding a random linear error-correcting code, a problem that has resisted both classical and quantum attacks for over four decades.

The original McEliece scheme uses Goppa codes and requires very large public keys (sometimes hundreds of kilobytes), which limited adoption. Modern variants like Classic McEliece and BIKE reduce key sizes while preserving the security properties. Classic McEliece was retained as an additional NIST-approved algorithm, valued precisely because its security assumption has survived decades of scrutiny.

4. Multivariate Cryptography

Multivariate schemes base security on the hardness of solving systems of multivariate polynomial equations over finite fields, a problem known as MQ (Multivariate Quadratic). Solving a random system of such equations is NP-hard in general, and no efficient quantum algorithm is known for it.

Multivariate schemes tend to offer very fast signature verification and small signatures, making them attractive for embedded systems and IoT devices. However, they have a weaker track record of surviving cryptanalysis unscathed. Several earlier multivariate candidates were broken during NIST's evaluation rounds, making the community more cautious. UOV (Unbalanced Oil and Vinegar) variants remain under consideration.

5. Isogeny-Based Cryptography

Isogeny-based schemes rely on the hardness of computing isogenies between elliptic curves — maps that preserve the curve's group structure. The most prominent scheme, SIKE (Supersingular Isogeny Key Encapsulation), was notable for its extremely small key sizes.

However, SIKE was broken in 2022 by a classical attack from researchers Castryck and Decru, demonstrating the risk of relying on newer, less battle-tested mathematical assumptions. Isogeny-based research continues, particularly around CSIDH and newer constructions, but the family lost significant momentum following SIKE's collapse.

---

NIST's Post-Quantum Standardisation Process

The National Institute of Standards and Technology (NIST) launched its PQC standardisation project in 2016, inviting global submissions of candidate algorithms. After multiple evaluation rounds involving the worldwide cryptographic research community, NIST published its first finalised standards in August 2024:

NIST also retained Classic McEliece as an additional key-encapsulation mechanism given its conservative security pedigree. Further candidates continue through evaluation for algorithm diversity, particularly in the signature space.

The NIST process matters beyond US federal systems. It sets the de facto global benchmark for PQC adoption, influencing TLS, PKI, code signing, and blockchain implementations worldwide.

---

Post-Quantum Cryptography in Blockchain and Cryptocurrency

Blockchain networks face a specific and well-documented exposure. Bitcoin and Ethereum addresses are derived from ECDSA public keys. Once a public key is revealed on-chain (which happens whenever a transaction is broadcast), a sufficiently powerful quantum computer running Shor's algorithm could derive the corresponding private key and drain the wallet before the next block is confirmed.

Estimates of when quantum computers will reach the necessary qubit count and error-correction quality vary widely, but timelines of 10 to 20 years are commonly cited in the research literature. Given blockchain's immutability, funds in exposed addresses cannot be retroactively protected without user action.

Migration paths for blockchain systems include:

Projects building quantum-resistant infrastructure from the ground up, rather than retrofitting legacy code, are better positioned for this transition. BMIC.ai is one example of a project applying lattice-based, NIST PQC-aligned cryptography at the wallet layer specifically to address this threat.

---

Challenges and Trade-Offs in Deploying PQC

Switching from RSA or ECDSA to PQC is not a simple algorithm swap. Practitioners face several concrete challenges:

Key and Signature Sizes

PQC algorithms generally produce larger keys and signatures than their classical counterparts. A Dilithium signature is roughly 2.4 KB versus 72 bytes for an ECDSA signature. This affects bandwidth, storage, and certificate chain sizes in TLS.

Performance Overhead

Lattice operations are more computationally intensive than elliptic-curve operations on some hardware. Benchmarks show ML-KEM to be acceptably fast on modern CPUs, but performance on constrained microcontrollers varies significantly.

Cryptographic Agility

Systems should be designed with cryptographic agility — the ability to swap algorithms without architectural changes. Hard-coded algorithm identifiers in protocols are a significant migration barrier.

Hybrid Deployments

During the transition, hybrid schemes that combine a classical key exchange with a PQC key exchange are recommended by NIST and ETSI. This means that security holds as long as either component is unbroken, protecting against both quantum attacks and unforeseen weaknesses in new PQC algorithms.

Standardisation Lag

Not all standards bodies move at the same pace as NIST. X.509 certificate profiles, PKIX extensions, and protocol-level support in TLS 1.3 and SSH are still being finalised. Organisations planning migrations should monitor IETF working groups alongside NIST publications.

---

The Migration Timeline: What Organisations Should Do Now

Security professionals generally recommend a phased approach:

  1. Cryptographic inventory — Catalogue every system using RSA, ECDSA, or Diffie-Hellman. This includes TLS endpoints, code signing pipelines, hardware security modules, and any blockchain key infrastructure.
  2. Risk prioritisation — Identify data with confidentiality requirements extending beyond ten years. That data needs PQC protection soonest.
  3. Pilot hybrid deployments — Test ML-KEM + X25519 hybrid key exchange in non-production TLS configurations. Measure latency and certificate-size impact.
  4. Update dependencies — Ensure cryptographic libraries (OpenSSL, BoringSSL, liboqs) are tracking NIST finalised standards rather than pre-standardisation candidates.
  5. Plan for key ceremony re-execution — Certificate authorities and HSMs holding long-term signing keys will need new key generation events under PQC algorithms.
  6. Monitor for cryptanalytic breaks — The NIST winners are vetted but not infallible. Maintain cryptographic agility so a break in one algorithm does not cascade across the entire infrastructure.

The US government's NSM-10 memorandum (May 2022) set a federal deadline of 2035 for migration of national security systems. Many private-sector organisations are using this as a planning anchor.

Frequently Asked Questions

What is post-quantum cryptography in simple terms?

Post-quantum cryptography refers to cryptographic algorithms designed to resist attacks from quantum computers. Current public-key systems like RSA and ECDSA can be broken by a quantum computer running Shor's algorithm. PQC replaces those systems with algorithms based on mathematical problems — such as lattice problems or hash-function hardness — that quantum computers cannot solve efficiently.

Has NIST finished standardising post-quantum algorithms?

Yes. In August 2024, NIST published four finalised PQC standards: FIPS 203 (ML-KEM / Kyber for key encapsulation), FIPS 204 (ML-DSA / Dilithium for signatures), FIPS 205 (SLH-DSA / SPHINCS+ for signatures), and FIPS 206 (FN-DSA / FALCON for signatures). Additional candidates remain under evaluation for algorithm diversity.

When will quantum computers actually be able to break RSA or ECDSA?

There is no scientific consensus on an exact date. Most credible estimates from quantum computing researchers and security agencies place a cryptographically relevant quantum computer — one capable of breaking 2048-bit RSA — somewhere between 10 and 20 years away, contingent on progress in qubit error correction. The uncertainty itself is a reason to begin migration now rather than waiting for a confirmed threat.

Is symmetric cryptography like AES also threatened by quantum computers?

Symmetric cryptography is affected but not broken by quantum advances. Grover's algorithm provides a quadratic speedup, effectively halving the security level. AES-128 would be reduced to roughly 64-bit equivalent strength, which is inadequate. AES-256 would be reduced to approximately 128-bit equivalent strength, which remains acceptable. The standard guidance is to use 256-bit symmetric keys going forward.

What happened to SIKE, the isogeny-based algorithm?

SIKE (Supersingular Isogeny Key Encapsulation) was broken in July 2022 by a classical — not quantum — attack. Researchers Wouter Castryck and Thomas Decru published an efficient algorithm that could recover SIKE private keys in hours on a standard laptop. NIST subsequently removed SIKE from consideration. The episode underlines why algorithm diversity and conservative security assumptions matter in PQC selection.

Do cryptocurrency wallets need to worry about post-quantum threats?

Yes. Bitcoin and Ethereum wallets use ECDSA, which is vulnerable to Shor's algorithm on a large-scale quantum computer. Once a wallet's public key is exposed on-chain during a transaction, a quantum adversary could theoretically derive the private key. Quantum-resistant wallet designs use PQC signature schemes — such as lattice-based algorithms aligned with NIST standards — to eliminate this exposure.