What Is Post-Quantum Cryptography?
Part of the Post-Quantum PKI Migration Guide
In one sentence: Post-quantum cryptography (PQC) is a new generation of quantum-resistant encryption algorithms that will remain secure even after quantum computers can break the encryption we use today.
Why This Matters to Your Business
Every secure connection your organisation makes, whether a website visit, an API call, email, a VPN tunnel, or internal service communication, relies on encryption algorithms (RSA and ECC) invented in the 1970s-1980s. These algorithms work because certain mathematical problems are impossibly hard for today's computers to solve.
Quantum computers change that equation. A sufficiently powerful quantum computer, running an algorithm called Shor's algorithm, could break RSA and ECC encryption in hours rather than billions of years. Many experts estimate a cryptographically relevant quantum computer could appear between 2028 and 2035, with some recent analyses suggesting as early as ~2030.
Post-quantum cryptography is the replacement: new algorithms based on different mathematical problems that remain hard even for quantum computers. NIST (the US National Institute of Standards and Technology) standardised the first three quantum-resistant algorithms in August 2024, and federal mandates now require migration by 2030-2035.
The bottom line: If you're responsible for technology, security, or compliance, PQC will affect your organisation within the next 3-5 years, whether through regulation, customer requirements, or the need to protect data that has long-term value.
The Problem: Why Current Encryption Will Break
How today's encryption works
When your browser connects to a bank, two things happen. First, the parties agree on a shared secret key (key exchange, typically using Diffie-Hellman or ECDH). Second, one party proves identity with a digital signature (typically RSA or ECDSA, embedded in an X.509 certificate). Both operations depend on mathematical problems (factoring large numbers, computing discrete logarithms) that classical computers can't solve efficiently.
What quantum computers change
Quantum computers use fundamentally different physics (superposition, entanglement) to process information. Shor's algorithm, published in 1994, proved that a quantum computer with enough stable qubits could factor large numbers exponentially faster than any classical computer. That breaks RSA. A variant breaks ECC.
In a 2025 resource analysis, Google's Craig Gidney estimated that factoring RSA-2048 could be done in under one week with fewer than one million noisy qubits, dramatically fewer than previously modelled. This is a theoretical resource estimate, not an experimental break, but it sharply compressed the timeline: hardware roadmaps from IBM, Google, and others aim for machines of that qubit scale by 2028-2030.
The "harvest now, decrypt later" threat
You don't need to wait for quantum computers to be affected. State-sponsored actors are already intercepting and storing encrypted data today. When quantum computers arrive, they'll decrypt everything they've collected. If your data from 2015-2025 still has value in 2032 (think healthcare records, financial transactions, M&A documents, trade secrets), it's at risk now. See our detailed analysis of the harvest-now-decrypt-later threat.
The Solution: Quantum-Resistant Algorithms
Post-quantum cryptography uses mathematical problems that are hard for both classical and quantum computers. Unlike RSA and ECC (which share vulnerability to Shor's algorithm), these new approaches are based on fundamentally different foundations.
The three NIST-standardised algorithms
After an eight-year evaluation process, NIST published three quantum-safe standards in 2024. They are issued as Federal Information Processing Standards (FIPS) and represent the algorithms your infrastructure will need to support:
| Standard | Algorithm | Former Name | What It Does | Based On |
|---|---|---|---|---|
| FIPS 203 | ML-KEM | CRYSTALS-Kyber | Key exchange (establishing shared secrets) | Lattice-based cryptography |
| FIPS 204 | ML-DSA | CRYSTALS-Dilithium | Digital signatures (proving identity) | Lattice-based cryptography |
| FIPS 205 | SLH-DSA | SPHINCS+ | Digital signatures (conservative fallback) | Hash-based cryptography |
What is lattice-based cryptography?
ML-KEM and ML-DSA are built on lattice-based cryptography: mathematical structures where finding the shortest vector in a high-dimensional lattice is computationally hard for both classical and quantum computers. Lattice problems have been studied for decades and are considered well-understood. This is the primary foundation of quantum-resistant cryptography going forward.
What is hash-based cryptography?
SLH-DSA (FIPS 205) takes a different, more conservative approach. It builds digital signatures using only hash functions (like SHA-256), which are already trusted across all of modern cryptography. The trade-off: SLH-DSA signatures are much larger (17KB vs 3KB for ML-DSA), making it impractical for TLS certificates. It's designed as a fallback for root CAs and offline signing, insurance in case lattice-based schemes are ever weakened by future research.
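To make concrete how a signature can be built from nothing but a hash function, here is an added example that is not from the original page: a toy Lamport one-time signature in Python, the 1979 ancestor of the hash-based design SLH-DSA refines (it is not FIPS 205 itself). Each key pair signs exactly one message, and the 8 KB signature it produces illustrates why hash-based schemes are so much bulkier than lattice-based ones.

```python
import hashlib
import secrets

# Toy Lamport one-time signature: security rests only on SHA-256 preimage
# resistance, with no number theory for Shor's algorithm to attack.
# Constructed teaching example, NOT an implementation of SLH-DSA / FIPS 205.
# A Lamport key pair must sign ONE message only; reusing it leaks the secret key.

HASH = hashlib.sha256
N = 256  # digest bits signed; one (secret_for_0, secret_for_1) pair per bit


def keygen():
    """Secret key: 2*N random 32-byte values. Public key: the hash of each."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk


def _digest_bits(message: bytes):
    """Hash the message and return its 256 digest bits, MSB first."""
    digest = HASH(message).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def sign(sk, message: bytes) -> bytes:
    """For each digest bit, reveal the secret whose hash sits in the public key."""
    return b"".join(sk[i][bit] for i, bit in enumerate(_digest_bits(message)))


def verify(pk, message: bytes, signature: bytes) -> bool:
    """Re-hash every revealed secret and compare with the public key entry."""
    if len(signature) != N * 32:
        return False
    for i, bit in enumerate(_digest_bits(message)):
        chunk = signature[i * 32:(i + 1) * 32]
        if HASH(chunk).digest() != pk[i][bit]:
            return False
    return True


def signature_size_bytes() -> int:
    return N * 32  # 8192 bytes: the cost of signing with hashes alone


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed sample: certificate to-be-signed bytes"
    sig = sign(sk, msg)
    print(verify(pk, msg, sig), verify(pk, b"tampered", sig), len(sig))
```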
What Changes for Your Organisation
Certificates get bigger
ML-DSA signatures are about 30-50x larger than today's ECDSA signatures. A typical X.509 certificate chain (root → intermediate → leaf) grows from ~4KB to ~12KB. This affects TLS handshake times, bandwidth, and storage. See our detailed analysis of PQC's impact on TLS and certificates.
Certificate lifetimes are shrinking
Independently of PQC, the industry is moving toward shorter certificate validity periods: 200 days from March 2026, 100 days from March 2027, potentially 47 days after that. Combined with larger PQC certificates, manual certificate management becomes impossible.
Hybrid mode during transition
During the PQC transition, organisations deploy hybrid certificates containing both classical (RSA/ECC) and quantum-resistant (ML-DSA) algorithms. This ensures backward compatibility with systems that don't yet support PQC, while providing quantum protection where both parties support it.
Automation becomes mandatory
When you combine shorter lifetimes, larger payloads, and the need to swap algorithms across tens of thousands of certificates, automation isn't optional; it's the only viable operating model. Protocols like ACME (Automated Certificate Management Environment) become essential infrastructure.
The Timeline: When You Need to Act
| Milestone | Date | What It Means |
|---|---|---|
| NIST standards published | August 2024 | Algorithms are final; implementation can begin |
| Federal inventory deadline | 2025 | US agencies must know what cryptography they use |
| New NSS acquisitions prefer CNSA 2.0 | January 2027 | New National Security System procurements must prefer CNSA 2.0 algorithms |
| Federal migration begins | 2027 | Government contractors must support hybrid certificates |
| Classified systems migrated | 2030 | Quantum-resistant algorithms required for sensitive data |
| Full migration complete | 2035 | Classical algorithms phased out entirely |
Timelines based on CNSA 2.0 (NSA), NSM-10 (White House, 2022), and NIST SP 800-208. Commercial and private-sector organisations typically follow similar migration horizons, lagging federal mandates by 3-5 years.
For a detailed breakdown of mandates, industry-specific timelines, and CNSA 2.0 requirements, see PQC Timeline & Mandates.
Realistic enterprise migration takes 3-5 years. If your deadline is 2030, you need to start in 2026-2027. If your data has long-term value (healthcare, financial services, government), the harvest-now-decrypt-later threat means you should be planning now.
Common Questions
"Is this actually going to happen, or is it hype?"
It's happening. NIST spent eight years evaluating algorithms and published final standards. The NSA issued CNSA 2.0 mandating PQC for national security systems. Google, Cloudflare, and Apple are already deploying ML-KEM in production. The question is when, not whether.
"Do I need to worry about this if I'm not in government?"
Yes, if you handle data with long-term value, serve government customers, operate in regulated industries, or compete with organisations that are already preparing. Even if no regulation forces you today, your customers and partners will eventually require quantum-resistant connections. Being quantum-ready before they ask is a competitive advantage.
"Can't I just wait and upgrade when needed?"
Upgrading cryptography across an enterprise takes 3-5 years. If quantum computers arrive in 2030 and you start in 2030, you're exposed for 3-5 years. More critically, any data encrypted before you migrate is permanently vulnerable to harvest-now-decrypt-later attacks. There's no way to retroactively protect data that was already intercepted.
"What about quantum key distribution (QKD)?"
QKD is a different technology: it uses quantum physics to distribute encryption keys over fibre optic links. It's useful for point-to-point high-security connections but doesn't scale to internet infrastructure. PQC and QKD solve different problems. For certificate-based infrastructure (TLS, PKI), PQC is the relevant solution.
Where to Go Next
This page is an introduction. Depending on your role, here's where to dive deeper:
References
- National Institute of Standards and Technology (NIST). (2024). FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM).
- NIST. (2024). FIPS 204: Module-Lattice-Based Digital Signature Standard (ML-DSA).
- NIST. (2024). FIPS 205: Stateless Hash-Based Digital Signature Standard (SLH-DSA).
- NIST. (2024). SP 800-208: Recommendation for Stateful Hash-Based Signature Schemes.
- National Security Agency (NSA). (2022). CNSA 2.0: Cybersecurity Algorithm Suite.
- Gidney, C. (2025). Factoring RSA-2048 in Under One Week with Fewer Than One Million Noisy Qubits. Google Quantum AI.
- Shor, P. (1994). Algorithms for Quantum Computation: Discrete Logarithms and Factoring. Proceedings of the 35th Annual Symposium on Foundations of Computer Science.