What Is Post-Quantum Cryptography?
What is post-quantum cryptography? It is a family of cryptographic algorithms designed to remain secure against attacks from both classical computers and the quantum computers that will eventually make today's encryption obsolete. As quantum hardware advances faster than most public timelines suggest, understanding how post-quantum cryptography works, which standards have been ratified, and why it matters for digital assets is no longer optional for anyone who holds or builds on public blockchains. This article explains the mechanisms, the real-world threat model, and the leading algorithm families in plain, precise terms.
Why Classical Cryptography Is Under Threat
Every Bitcoin address, every Ethereum smart contract, and every TLS-secured website currently relies on two mathematical problems that classical computers find practically impossible to solve: integer factorisation (the basis of RSA) and the elliptic-curve discrete logarithm problem (the basis of ECDSA and ECDH).
The security guarantee is straightforward: a classical computer factoring a 2048-bit RSA key would need longer than the age of the universe. That guarantee disappears with a sufficiently powerful quantum computer running Shor's algorithm, published by Peter Shor in 1994.
How Shor's Algorithm Breaks RSA and ECDSA
Shor's algorithm solves the integer factorisation and discrete logarithm problems in polynomial time on a quantum computer, compared with the sub-exponential or exponential time required classically. In practical terms:
- A quantum computer with roughly 4,000 logical, error-corrected qubits could break a 2048-bit RSA key.
- Breaking a 256-bit elliptic curve key (the type used by Bitcoin and Ethereum) requires an estimated 2,330 logical qubits running Shor's variant for elliptic curves.
- Current quantum machines have millions of physical qubits but far fewer error-corrected logical qubits. The gap is closing; IBM, Google, and several sovereign programs have published roadmaps reaching fault-tolerant scale within the next decade.
The moment that threshold is crossed, commonly called Q-day, any public key ever broadcast to a blockchain becomes retroactively vulnerable. Attackers who have been recording signed transactions and encrypted traffic today (a strategy called "harvest now, decrypt later") could then recover the private keys behind that stored material.
The Grover's Algorithm Problem for Symmetric Cryptography
Grover's algorithm provides a quadratic speedup for brute-forcing symmetric keys and hash functions. A 128-bit AES key effectively drops to 64-bit security against a quantum adversary. The mitigation is simpler: double the key length (AES-256 is considered quantum-safe for symmetric use). The harder problem is asymmetric cryptography, which is where post-quantum cryptography does its work.
---
What Post-Quantum Cryptography Actually Is
Post-quantum cryptography (PQC) refers to classical algorithms, meaning they run on ordinary computers, that are believed to be resistant to attacks from quantum computers. The term is sometimes conflated with quantum key distribution (QKD), which uses actual quantum physics to transmit keys. They are different disciplines. PQC is software; QKD is hardware-and-physics. PQC is far more practical for internet-scale and blockchain applications.
The core design goal is to base security on mathematical problems that Shor's and Grover's algorithms do not efficiently solve.
---
The Main Families of Post-Quantum Algorithms
1. Lattice-Based Cryptography
Lattice-based schemes are the most prominent family in the current NIST PQC standardisation project. Security rests on the hardness of problems such as Learning With Errors (LWE), Ring-LWE, and Module-LWE.
Intuitively, a lattice is a grid of points in high-dimensional space. Finding the shortest vector in a lattice with thousands of dimensions (the Shortest Vector Problem, SVP) is believed to be hard for both classical and quantum computers.
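To make the LWE hardness assumption concrete, the following is an added toy example (not code from the original article or from any NIST submission) of a Regev-style LWE public-key encryption of a single bit. The parameters N, M, Q and E_BOUND are constructed for illustration and are far too small to be secure; Q = 3329 is borrowed from ML-KEM only for familiarity. The last function shows the security-relevant point: drop the error term and the secret falls out of ordinary Gaussian elimination mod Q, which is exactly what the small noise prevents.

```python
"""Toy Learning-With-Errors (LWE) encryption in the style of Regev's scheme.
Constructed example: tiny, insecure parameters chosen so the mechanism is visible."""
import random

# Constructed toy parameters (assumptions for this example only).
N = 8        # dimension of the secret vector s
M = 16       # number of LWE samples (rows of A) in the public key
Q = 3329     # prime modulus (same value ML-KEM uses; the structure is not the same)
E_BOUND = 2  # error terms are drawn uniformly from [-E_BOUND, E_BOUND]


def keygen(rng):
    """Return ((A, b), s) with b = A*s + e (mod Q); e is the small error vector."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [rng.randint(-E_BOUND, E_BOUND) for _ in range(M)]
    b = [(sum(a * x for a, x in zip(row, s)) + err) % Q for row, err in zip(A, e)]
    return (A, b), s


def encrypt(pk, bit, rng):
    """Encrypt one bit: pick a random subset r of the samples, sum them,
    and add 0 or floor(Q/2) to the summed b values to encode the bit."""
    A, b = pk
    r = [rng.randrange(2) for _ in range(M)]            # subset selector
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    v = (sum(r[i] * b[i] for i in range(M)) + bit * (Q // 2)) % Q
    return u, v


def decrypt(s, ct):
    """v - <u, s> = r.e + bit*floor(Q/2) (mod Q). The |r.e| term is at most
    M*E_BOUND, so rounding to the nearer of 0 and Q/2 recovers the bit."""
    u, v = ct
    d = (v - sum(x * y for x, y in zip(u, s))) % Q
    dist_to_zero = min(d, Q - d)                        # distance on the circle mod Q
    return 0 if dist_to_zero < Q // 4 else 1


def roundtrip(seed, bits):
    """Encrypt and decrypt a list of bits under a fresh key; returns recovered bits."""
    rng = random.Random(seed)
    pk, s = keygen(rng)
    return [decrypt(s, encrypt(pk, bit, rng)) for bit in bits]


def noise_budget():
    """Decryption is always correct while the worst-case noise M*E_BOUND stays below Q/4."""
    return M * E_BOUND, Q // 4


def solve_noiseless(A, b):
    """Gaussian elimination mod Q on the augmented system [A | b].
    With no error term, b = A*s exactly and s is recovered from N independent rows."""
    rows = [row[:] + [bi] for row, bi in zip(A, b)]
    piv_row = 0
    for col in range(N):
        pivot = next((r for r in range(piv_row, M) if rows[r][col]), None)
        if pivot is None:
            continue                                     # rank-deficient column (improbable)
        rows[piv_row], rows[pivot] = rows[pivot], rows[piv_row]
        inv = pow(rows[piv_row][col], -1, Q)             # Q is prime, so the inverse exists
        rows[piv_row] = [(x * inv) % Q for x in rows[piv_row]]
        for r in range(M):
            if r != piv_row and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(x - f * y) % Q for x, y in zip(rows[r], rows[piv_row])]
        piv_row += 1
    return [rows[i][N] for i in range(N)]


def noise_is_what_hides_the_secret(seed):
    """True when linear algebra recovers s from the noiseless b = A*s but fails
    on the real public key b = A*s + e. This is the whole point of LWE."""
    rng = random.Random(seed)
    (A, b_noisy), s = keygen(rng)
    b_clean = [sum(a * x for a, x in zip(row, s)) % Q for row in A]
    return solve_noiseless(A, b_clean) == s and solve_noiseless(A, b_noisy) != s


if __name__ == "__main__":
    print("recovered bits:", roundtrip(1, [0, 1, 1, 0, 1, 0, 0, 1]))
    print("noise budget (max |r.e|, Q/4):", noise_budget())
    print("error term is what hides s:", noise_is_what_hides_the_secret(7))
```

Real lattice schemes differ in important ways (module structure over polynomial rings, compression of ciphertexts, a KEM rather than bit-by-bit encryption, and dimensions in the hundreds), but the decryption-correctness condition and the role of the error vector are the same as in this toy.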
Key ratified standards from NIST (finalised August 2024):
| Algorithm | Type | Based On | Primary Use |
|---|---|---|---|
| **ML-KEM** (CRYSTALS-Kyber) | Key encapsulation | Module-LWE | Key exchange / TLS |
| **ML-DSA** (CRYSTALS-Dilithium) | Digital signature | Module-LWE / SIS | Signing transactions |
| **SLH-DSA** (SPHINCS+) | Digital signature | Hash functions | Stateless signing |
| **FN-DSA** (FALCON) | Digital signature | NTRU lattice | Compact signatures |
ML-KEM and ML-DSA are the primary recommendations for most use cases. FALCON produces smaller signatures but has more complex constant-time implementation requirements.
2. Hash-Based Cryptography
Hash-based signatures derive security entirely from the properties of cryptographic hash functions (collision resistance, pre-image resistance). The most prominent is SPHINCS+, now standardised as SLH-DSA. It is highly conservative because its security assumptions reduce to the strength of a hash function like SHA-256 or SHAKE, which are already considered quantum-resistant at sufficient output lengths.
The tradeoff: hash-based signatures are stateless (no synchronisation of a counter between signers) but produce larger signatures than lattice schemes, typically 8–50 KB depending on parameterisation.
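The following added example (not part of the original article and not SPHINCS+ code) shows the simplest hash-based signature, a Lamport one-time signature over SHA-256, to make concrete what "security derives entirely from the hash function" means: verification only ever hashes revealed preimages and compares them with the public key. It also shows why such a key is strictly one-time: signing a second message reveals a second preimage at every bit position where the two digests differ, which is the hazard that stateful schemes manage with a counter and that SLH-DSA avoids by design. The `reuse_exposure` helper is a constructed name for this example.

```python
"""Lamport one-time signature over SHA-256. Added educational example; not
the construction used by SPHINCS+/SLH-DSA, but the ancestor of its WOTS+ chains."""
import hashlib
import secrets

HASH = hashlib.sha256
DIGEST_BITS = 256          # one key pair per bit of the message digest


def keygen(rand_bytes=secrets.token_bytes):
    """Secret key: 256 pairs of random 32-byte preimages.
    Public key: the SHA-256 hash of every preimage."""
    sk = [(rand_bytes(32), rand_bytes(32)) for _ in range(DIGEST_BITS)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk


def message_bits(msg):
    """Hash the message and return its digest as a list of 256 bits, MSB first."""
    d = int.from_bytes(HASH(msg).digest(), "big")
    return [(d >> (DIGEST_BITS - 1 - i)) & 1 for i in range(DIGEST_BITS)]


def sign(sk, msg):
    """Reveal, for each digest bit, the preimage selected by that bit."""
    return [sk[i][bit] for i, bit in enumerate(message_bits(msg))]


def verify(pk, msg, sig):
    """Hash each revealed preimage and compare with the public key entry the bit selects."""
    if len(sig) != DIGEST_BITS:
        return False
    return all(
        HASH(s).digest() == pk[i][bit]
        for i, (bit, s) in enumerate(zip(message_bits(msg), sig))
    )


def reuse_exposure(msg1, msg2):
    """Number of positions where signing both messages with one key reveals BOTH
    preimages of the pair: the reason a Lamport key must be used exactly once."""
    return sum(x != y for x, y in zip(message_bits(msg1), message_bits(msg2)))


def demo():
    """Sign one constructed message, verify it, and check that a tampered message fails."""
    sk, pk = keygen()
    msg = b"constructed sample: transfer 1 coin to address X"
    sig = sign(sk, msg)
    ok = verify(pk, msg, sig)
    tampered = verify(pk, b"constructed sample: transfer 2 coin to address X", sig)
    return ok, tampered


if __name__ == "__main__":
    print("valid signature verifies, tampered message verifies:", demo())
    print("pairs fully exposed by signing two messages:",
          reuse_exposure(b"message one", b"message two"))
```

The sizes also explain the table above: a Lamport signature is 256 x 32 bytes = 8 KB and the public key 16 KB, which is why practical hash-based schemes shorten both with hash chains (WOTS+) and Merkle trees rather than using raw Lamport pairs.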
3. Code-Based Cryptography
Code-based cryptography, pioneered by Robert McEliece in 1978, builds security on the hardness of decoding a random linear error-correcting code. The McEliece cryptosystem has survived 45 years of cryptanalysis largely intact. NIST selected Classic McEliece as an additional key encapsulation mechanism in its fourth-round evaluation, valued for its long track record.
The limitation is key size. A Classic McEliece public key can reach 1 MB, which makes it impractical for many constrained environments but suitable for server-side or high-security contexts.
4. Multivariate Cryptography
Multivariate schemes base security on solving systems of multivariate quadratic equations over finite fields, an NP-hard problem. NIST included MAYO and UOV (Unbalanced Oil and Vinegar) variants as candidates in its ongoing signature-scheme competition. These tend to produce very small signatures but large public keys, making them attractive for constrained IoT devices.
5. Isogeny-Based Cryptography
Isogeny-based schemes, such as SIKE, were once considered promising but SIKE was broken by a classical attack in 2022 using only a standard laptop. This was a major reminder that PQC algorithm selection requires rigorous, sustained cryptanalysis. Newer isogeny constructions such as SQIsign continue to be researched but have not yet achieved broad standardisation.
---
The NIST PQC Standardisation Process
The U.S. National Institute of Standards and Technology launched its PQC competition in 2016. After three elimination rounds and an additional fourth round, NIST published the first finalised post-quantum standards in August 2024 under Federal Information Processing Standards (FIPS):
- FIPS 203: ML-KEM (key encapsulation)
- FIPS 204: ML-DSA (digital signatures)
- FIPS 205: SLH-DSA (stateless hash-based signatures)
- FIPS 206: FN-DSA (FALCON-based signatures, draft)
These are not recommendations for future adoption. The U.S. government and NIST-aligned standards bodies expect migration to begin immediately for new systems and to be substantially complete in critical infrastructure by 2030–2035.
---
How Post-Quantum Cryptography Applies to Blockchain and Digital Assets
Standard blockchain wallets use ECDSA (secp256k1 curve for Bitcoin; same curve for Ethereum) to generate key pairs and sign transactions. The public key is derived from the private key via elliptic-curve multiplication. Once a public key is exposed on-chain, which happens every time you spend from an address, a sufficiently powerful quantum computer could run Shor's algorithm on that public key to recover the private key.
This creates three distinct exposure scenarios:
- Reused addresses: Public key is permanently on-chain. Risk activates the moment Q-day arrives.
- Unspent outputs where the public key is already visible: Same risk as above.
- Harvest-now, decrypt-later: An adversary records signed transactions today and waits for quantum hardware to mature.
Migrating a blockchain to post-quantum signatures is technically and politically complex. It requires consensus across every node operator, miner, validator, and wallet developer. Bitcoin, for example, has no on-chain governance mechanism and an extremely conservative upgrade culture. Ethereum's roadmap mentions quantum resistance but has not committed to a timeline.
Projects designed from inception with post-quantum cryptography, using lattice-based key generation and signing, avoid this retrofit problem entirely. BMIC.ai is one such project: its wallet architecture is built on lattice-based, NIST PQC-aligned cryptography, making it one of the few crypto assets where Q-day is a non-event rather than an existential risk. The BMIC presale is currently live at bmic.ai/presale.
---
Key Concepts: Migration Challenges and Hybrid Approaches
Hybrid Classical + Post-Quantum
A common interim strategy is to run a classical algorithm alongside a post-quantum algorithm in parallel, combining both signatures or key exchanges so that security holds as long as either scheme remains unbroken. TLS 1.3 implementations from Google, Cloudflare, and others already use hybrid X25519 + ML-KEM for key exchange. This approach is pragmatic during the transition period but adds overhead.
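To show what "combining both key exchanges" looks like in code, here is an added example (not from the original article and not the TLS 1.3 key schedule) of a concatenation combiner: the two shared secrets are joined and fed through HKDF together with a transcript hash, so the derived key depends on both. Because ML-KEM is not in the Python standard library, both shared secrets are constructed stand-in byte strings rather than real X25519 or ML-KEM outputs; the label `hybrid-kex-v1` and the function names are assumptions for this example.

```python
"""Hybrid shared-secret combiner: concat(ss_classical, ss_pq) -> HKDF -> session key.
Added example with constructed inputs; the KEM/DH outputs are stand-ins."""
import hashlib
import hmac

SS_LEN = 32  # both X25519 and ML-KEM-768 produce fixed 32-byte shared secrets


def hkdf_extract(salt, ikm):
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def combine_shared_secrets(ss_classical, ss_pq, transcript_hash, length=32):
    """Derive one session key from both shared secrets.

    The concatenation goes through HKDF as a single input, so as long as either
    component is secret and uniformly random the output is pseudorandom: an
    adversary who breaks X25519 still faces ML-KEM, and vice versa. Binding the
    transcript hash ties the key to this specific handshake."""
    if len(ss_classical) != SS_LEN or len(ss_pq) != SS_LEN:
        raise ValueError("shared secrets must be fixed-length; no length ambiguity allowed")
    ikm = ss_classical + ss_pq
    prk = hkdf_extract(b"hybrid-kex-v1", ikm)          # constructed salt/label
    return hkdf_expand(prk, b"session key" + transcript_hash, length)


def demo():
    """Both parties hold the same two shared secrets and derive identical keys;
    an attacker who learns only the classical secret derives something else."""
    ss_x25519 = hashlib.sha256(b"constructed stand-in for X25519 shared secret").digest()
    ss_mlkem = hashlib.sha256(b"constructed stand-in for ML-KEM shared secret").digest()
    transcript = hashlib.sha256(b"ClientHello || ServerHello (constructed)").digest()
    client_key = combine_shared_secrets(ss_x25519, ss_mlkem, transcript)
    server_key = combine_shared_secrets(ss_x25519, ss_mlkem, transcript)
    # Attacker model: classical half recovered, PQ half unknown (guessed as zeros).
    attacker_guess = combine_shared_secrets(ss_x25519, bytes(SS_LEN), transcript)
    return client_key == server_key, client_key != attacker_guess


if __name__ == "__main__":
    print("parties agree, attacker with one half fails:", demo())
```

The overhead the paragraph mentions comes from carrying both key shares in the handshake (an ML-KEM-768 public key is over a kilobyte), not from this derivation step, which is a handful of HMAC calls.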
Performance Tradeoffs
Post-quantum algorithms are not free. Compared with ECDSA:
| Property | ECDSA (secp256k1) | ML-DSA (Dilithium3) | SLH-DSA (SPHINCS+) |
|---|---|---|---|
| Public key size | 33 bytes (compressed) | 1,952 bytes | 32 bytes |
| Signature size | ~71 bytes | 3,293 bytes | ~8,080 bytes |
| Signing speed | Very fast | Fast | Moderate |
| Quantum resistance | None | Strong | Strong |
Lattice-based signatures are larger than ECDSA but orders of magnitude smaller than hash-based alternatives, which is why ML-DSA is the primary recommendation for most applications, including blockchain.
Cryptographic Agility
Security architects now speak of cryptographic agility: designing systems so that the underlying algorithm can be swapped without redesigning the entire protocol. This is considered best practice for any long-lived infrastructure built today.
---
Practical Steps for Crypto Holders Right Now
Given that Q-day has no confirmed date but credible timelines place large-scale quantum capability within 10–15 years, action now is prudent rather than alarmist.
- Avoid address reuse. Using a fresh address for every transaction keeps your public key off-chain until spend time, reducing the exposure window.
- Favour wallets with quantum-resistance roadmaps. Not all wallets are created equal. Check whether the project has published PQC migration plans or, better, uses PQC natively.
- Watch the NIST migration guidance. NIST's National Cybersecurity Center of Excellence (NCCoE) publishes migration playbooks for enterprises; many of the principles apply to crypto custody.
- Understand your exposure horizon. Assets held for decades face far greater quantum risk than short-term positions, so high-value, long-term storage merits the highest scrutiny.
- Evaluate new projects on cryptographic design. If a protocol launched post-2024 still relies purely on ECDSA with no PQC roadmap, that is a design decision worth questioning.
---
Summary
Post-quantum cryptography is not science fiction. It is a ratified set of NIST-standardised algorithms, already in use in TLS, government systems, and purpose-built blockchain architectures. The threat from Shor's algorithm to ECDSA and RSA is mathematically proven; only the timeline to large-scale fault-tolerant quantum computers remains uncertain. For anyone building or holding digital assets with multi-year or multi-decade horizons, understanding which cryptographic primitives underpin their security is foundational, not optional.
Frequently Asked Questions
What is post-quantum cryptography in simple terms?
Post-quantum cryptography is a set of mathematical algorithms designed to be secure against attacks from both ordinary computers and quantum computers. Unlike today's standard encryption (RSA, ECDSA), which a powerful enough quantum computer could break using Shor's algorithm, post-quantum algorithms rely on problems — such as finding the shortest vector in a high-dimensional lattice — that quantum computers are not known to solve efficiently.
Is post-quantum cryptography the same as quantum cryptography?
No. Post-quantum cryptography (PQC) consists of classical software algorithms that resist quantum attacks; they run on ordinary hardware. Quantum cryptography (specifically quantum key distribution, or QKD) uses actual quantum-physical properties like photon polarisation to transmit keys. PQC is far more practical for internet-scale and blockchain applications because it requires no specialised quantum hardware.
Which post-quantum algorithms has NIST standardised?
In August 2024, NIST finalised four post-quantum standards: ML-KEM (CRYSTALS-Kyber) for key encapsulation; ML-DSA (CRYSTALS-Dilithium) for digital signatures; SLH-DSA (SPHINCS+) for stateless hash-based signatures; and FN-DSA (FALCON) for compact lattice-based signatures. ML-KEM and ML-DSA are the primary recommendations for most applications.
Does post-quantum cryptography affect Bitcoin and Ethereum wallets?
Yes. Both Bitcoin and Ethereum use ECDSA on the secp256k1 elliptic curve, which Shor's algorithm can break on a sufficiently powerful quantum computer. Once a public key is visible on-chain (which happens every time you spend from an address), a quantum adversary could eventually derive the private key. Neither blockchain has yet deployed a post-quantum signature scheme, though Ethereum's long-term roadmap acknowledges the need.
When is Q-day expected to happen?
There is no consensus date, but credible estimates from security researchers and national agencies (including NIST and the U.S. NSA) place large-scale, fault-tolerant quantum computing capable of breaking 2048-bit RSA or 256-bit elliptic curves somewhere in the 2030–2040 range under optimistic scenarios. The uncertainty itself is a risk: harvest-now, decrypt-later attacks mean adversaries can collect encrypted data today and decrypt it when hardware matures.
What is the 'harvest now, decrypt later' threat?
Harvest now, decrypt later (HNDL) is a strategy where an adversary records encrypted communications or signed blockchain transactions today, stores them, and decrypts or exploits them once sufficiently powerful quantum computers become available. It means that data encrypted or signed with today's classical algorithms may already be compromised in the future, even if no quantum computer capable of breaking them exists right now. This is a primary reason security agencies recommend migrating to post-quantum cryptography immediately for long-lived sensitive data.