Post-Quantum

Post-Quantum Cryptography (PQC) Introduction

Photo of Marin Ivezic Marin Ivezic Follow on X Send an email July 13, 2022
18 minutes read
Post-Quantum Cryptograpy PQC
Post-Quantum Cryptograpy PQC

Introduction

Post-Quantum Cryptography (PQC) refers to cryptographic algorithms (primarily public-key algorithms) designed to be secure against an attack by a future quantum computer. The motivation for PQC is the threat that large-scale quantum computers pose to current cryptographic systems. Today’s widely used public-key schemes – RSA, Diffie-Hellman, and elliptic-curve cryptography – rely on mathematical problems (integer factorization, discrete logarithms, etc.) that could be easily solved by a sufficiently powerful quantum computer running Shor’s algorithm​. While current quantum processors are not yet strong enough to break modern crypto​, experts anticipate a “Q-Day” when this becomes feasible. PQC algorithms aim to remain secure against both classical and quantum attacks, protecting sensitive data well into the future. The urgency is heightened by the possibility of “harvest now, decrypt later” attacks – adversaries stealing encrypted data today to decrypt once quantum capabilities arrive​. In contrast, most symmetric algorithms and hash functions are believed to resist quantum attacks (Grover’s algorithm only modestly speeds up brute-force, mitigated by using larger keys)​. Thus, PQC primarily focuses on replacing vulnerable public-key schemes with quantum-resistant alternatives.

How PQC Differs from Traditional Cryptography

Traditional public-key cryptography (RSA, ECC, DH) is based on problems like factoring large integers or computing discrete logarithms, which are intractable for classical computers but not for quantum computers. PQC, by contrast, uses different mathematical hard problems that have no known efficient quantum algorithms to solve them. These include:

  • Lattice-based problems (e.g. finding short vectors in high-dimensional lattices or solving Learning-With-Errors problems).
  • Code-based problems (decoding random linear codes, as in McEliece encryption).
  • Multivariate quadratic equations (solving large systems of nonlinear equations, as in the broken Rainbow signature).
  • Hash-based constructions (using Merkle trees and one-time signatures for digital signatures).
  • Isogeny-based problems (finding paths between elliptic curves, e.g. SIKE, which was recently broken).

Because of these different foundations, PQC algorithms have distinct characteristics. Many PQC schemes have larger key and ciphertext sizes than RSA/ECC. For example, lattice-based schemes often use keys on the order of a kilobyte instead of a few dozen bytes. Some hash-based signatures require tens of kilobytes per signature. Performance profiles also differ: some PQC algorithms require more computation or memory (e.g. complex linear algebra, FFTs, or many hash calls). Despite this, researchers have optimized implementations so that PQC can be practical for many applications. For instance, the lattice-based algorithms selected by NIST have encryption/signing speeds comparable to or even faster than classic crypto in many settings, though with higher output sizes. Crucially, PQC algorithms are designed to run on classical computers (no quantum hardware needed) – they are conventional software/hardware solutions that are simply resistant to quantum attacks. In summary, PQC replaces the mathematical underpinnings of traditional cryptography with quantum-resistant ones, trading off some efficiency for long-term security.

The NIST PQC Standardization Project and Finalists

Recognizing the quantum threat, NIST launched a public PQC competition in 2016 to standardize quantum-resistant public-key algorithms. After multiple evaluation rounds over six years, NIST announced in July 2022 the first group of algorithms to be standardized​​. This followed an international effort, with 82 candidate algorithms from 25 countries initially submitted​. Through community cryptanalysis and performance testing, NIST narrowed the field to a few finalists in two categories: encryption/key-establishment (KEM) and digital signatures. Ultimately, four algorithms were selected for standardization – one KEM and three signature schemes​​:

  • CRYSTALS-Kyber – Key Encapsulation Mechanism (KEM) for encryption/key exchange
  • CRYSTALS-Dilithium – Digital signature scheme
  • FALCON – Digital signature scheme
  • SPHINCS+ – Digital signature scheme

NIST chose Kyber and Dilithium as primary recommended algorithms for most use-cases, due to their strong security and excellent performance. FALCON and SPHINCS+ will also be standardized to provide alternatives (for small signatures and non-lattice security, respectively)​. Below we provide an overview of each of these four finalist algorithms, including their design principles, security assumptions, and performance characteristics.

(For a more in-depth technical analysis of selected alghoritms, see my newer article: Inside NIST’s First Post-Quantum Standards: A Technical Exploration of Kyber, Dilithium, and SPHINCS+.)

CRYSTALS-Kyber (KEM)

Design & Security: CRYSTALS-Kyber is an IND-CCA2 secure KEM based on lattice cryptography. In particular, Kyber’s security relies on the hardness of the Module-LWE (Learning With Errors) problem over polynomial rings​. This problem is a structured lattice variant of standard LWE, believed to be hard for quantum and classical adversaries. The assumed hardness of Module-LWE provides a reduction from worst-case lattice problems (like the Shortest Vector Problem) to the scheme’s security. NIST considers the Module-LWE assumption highly convincing and solid, slightly more so than some alternatives (like Learning-with-Rounding or the NTRU lattice assumption)​. Kyber was designed with simplicity and robustness in mind – it builds on Regev’s original LWE encryption approach, using a module/ring structure (inspired by NTRU and Ring-LWE) to achieve efficiency​​. Essentially, Kyber generates public keys consisting of matrices of ring elements and encodes the secret as a small random polynomial vector. A Fujisaki-Okamoto transform is applied to achieve CCA2 security (secure against adaptive chosen-ciphertext attacks).

Performance: A key reason Kyber was selected is its strong performance across platforms. It has among the fastest key generation, encapsulation, and decapsulation times of all candidates, and uses relatively moderate resources. Kyber also features compact keys and ciphertexts compared to other PQC KEMs. For example, at NIST’s Category 3 security (~192-bit classical, ~*128-bit quantum security), Kyber’s public key is about 1.2 KB and ciphertext ~1 KB, which is quite efficient for a PQC scheme. Even the highest security level Kyber variant has keys under 1.6 KB​. These sizes and runtimes are practical for network protocols – Kyber KEM can be used in TLS handshakes with only a minor impact on latency. NIST engineers noted Kyber “was near the top (if not the top) in most benchmarks” among KEMs​. Another advantage is that Kyber’s operations (matrix multiplications, polynomial sampling) can be optimized with vector instructions and run in constant time, easing secure implementation. Overall, Kyber offers a balanced mix of strong security, efficiency, and simplicity, making it an ideal replacement for RSA/ECDH key exchanges. (NIST has since standardized Kyber as ML-KEM (FIPS 203), short for Module-Lattice KEM​.)

CRYSTALS-Dilithium (Signature)

Design & Security: CRYSTALS-Dilithium is a digital signature scheme based on lattice assumptions (the hardness of finding short vectors in module lattices). Its design follows the “Fiat-Shamir with aborts” paradigm introduced by Lyubashevsky​. Dilithium uses a Fiat-Shamir transform on a lattice-based identification scheme, with a careful rejection sampling strategy to ensure soundness and compactness. The scheme only uses uniform sampling (no Gaussian sampling), which simplifies implementation and avoids precision issues. In essence, during signing the algorithm samples a random ephemeral secret, computes a lattice syndrome, then derives a challenge by hashing the message and syndrome. If the resulting candidate signature is too large (in terms of coefficient size), it “aborts” and retries – these are the rejection sampling steps to keep the final signature within bounds. The security of Dilithium reduces to the hardness of Module-SIS and Module-LWE problems (closely related to those in Kyber, but used in a signature context). Dilithium’s conservative design avoids the need for complex Gaussian noise generation (unlike FALCON), which eliminates certain side-channel risks. The security assumptions are well-studied lattice problems with conjectured resistance to quantum attacks.

Performance: Dilithium was chosen as NIST’s primary signature scheme because of its solid performance and ease of implementation​. It has relatively fast signing and verification on general-purpose CPUs, and does not require heavy floating-point computations. For instance, at ~128-bit quantum security (Dilithium Level 3), signing and verifying are on the order of a few million cycles on a desktop CPU​ – easily within practical limits (well under a millisecond on modern hardware). Key and signature sizes are larger than classical schemes but reasonable: a Dilithium public key is about 1.3–2.6 KB, and a signature is about 2.4–4.6 KB depending on security level​​. This is an order of magnitude bigger than an ECDSA signature (~64 bytes), but still small enough for most applications (for example, a 3KB signature fits in a network packet, though not with much room to spare). One noted drawback is that Dilithium’s signature cannot fit in a single UDP packet along with a large message, potentially requiring fragmentation in some protocols – this was a consideration for including FALCON​. However, Dilithium’s design simplicity (only integer arithmetic, no FFT or Gaussian sampling) makes it easier to implement in constrained devices and to harden against side channels​. Most implementations are in straightforward C (with optional vector acceleration). In summary, Dilithium provides strong security and acceptable performance at the cost of a few kilobytes per signature, and is likely to be the workhorse for quantum-safe digital signatures in many systems​.

FALCON (Signature)

Design & Security: FALCON (Fast Fourier Lattice-based Compact Signatures over NTRU) is a lattice-based digital signature scheme that, like Dilithium, emerged as a finalist. However, FALCON takes a very different approach: it is built on the GPV framework (Gentry, Peikert, Vaikuntanathan) for lattice signatures using NTRU lattices​. At its core, FALCON uses the NTRU hardness assumption (short vector problems on NTRU lattices) and implements a trapdoor one-way function with a very efficient Gaussian sampler for generating signatures​. The authors introduced a technique called Fast Fourier Sampling: this uses FFT algorithms to sample from a high-dimensional discrete Gaussian distribution over the lattice, which yields signatures that are very compact. The use of true Gaussian noise gives FALCON excellent theoretical security (it leaks minimal information even after many signatures)​. In fact, FALCON’s security reduces to the SIS problem on NTRU lattices, which is believed to be quantum-resistant. A notable aspect of FALCON is its mathematical sophistication – implementing the sampling requires careful floating-point arithmetic or extended precision to achieve the required Gaussian precision. The FALCON team provided optimized implementations, but it remains a challenging scheme to implement from scratch (especially on platforms without hardware floating-point support). The security assumption (NTRU lattice SIS) is well-studied and dates back to one of the earliest lattice cryptosystems (NTRU, 1996), lending confidence in its hardness.

Performance: FALCON’s hallmark is its compact signatures and keys. At ~128-bit security (FALCON-512), signatures are only 666 bytes and public keys ~897 bytes – significantly smaller than Dilithium’s ~2,400-byte signature at a comparable level. Even at the highest security level (FALCON-1024, ~256-bit classical security), signatures are 1280 bytes​. These sizes rival or beat RSA and ECC in terms of total signature+key footprint, which is a remarkable achievement for post-quantum cryptography. Speed-wise, FALCON has very fast verification (faster than Dilithium) and signing can also be extremely fast on processors with hardware floating point​​. Benchmarks show thousands of signatures per second on a laptop CPU​​. However, the algorithm is less suited to small microcontrollers that lack FPUs – software emulation of 64-bit floats or large FFTs would be slow or require extra precision. Moreover, implementing FALCON in a constant-time, side-channel resistant way is tricky: it needs careful Gaussian sampling and inversion in lattice basis, which are mathematically complex to mask or make uniform. NIST noted that FALCON’s signing requires more resources (CPU, memory) and is harder to secure on constrained devices​​. Because Dilithium’s simpler design makes it easier to avoid side-channel leaks, NIST recommends Dilithium as the primary scheme and FALCON as an option for applications that can handle the complexity but need the smaller signature size​​. In practice, FALCON might be favored for contexts like certificate chains (to reduce certificate size) or certain IoT applications where bandwidth is at a premium but the devices are sufficiently powerful to run it. FALCON demonstrates the classic engineering trade-off in PQC: highly optimized outputs at the cost of implementation complexity.

SPHINCS+ (Signature)

Design & Security: SPHINCS+ is a stateless hash-based signature scheme – notably the only finalist not based on lattices or algebraic problems, but rather on cryptographic hash functions. Its design is an improvement over the original SPHINCS (proposed in 2015) and offers a framework with many possible parameter sets. At a high level, SPHINCS+ builds a large binary Merkle tree of hash-based one-time signatures (OTS). Each leaf of the Merkle tree is a public key for a small one-time signature (like a Winternitz or HORST scheme), and the tree’s root is the SPHINCS+ public key. To sign a message, the scheme picks a leaf (using a pseudorandom index derived from the message and a secret seed) and uses the corresponding OTS key to sign. It then outputs the one-time signature along with the authentication path of hashes up the Merkle tree to the root. By using a hypertree of many layers of Merkle trees and carefully chosen parameters, SPHINCS+ achieves an arbitrarily large number of possible signatures (2^64 or more) without ever reusing a one-time key – hence “stateless.” This overcomes the big limitation of earlier hash-based signatures like XMSS, which required state management to avoid reuse​. The security of SPHINCS+ relies only on the security of the underlying hash functions (for preimage and possibly secondary resistance, depending on variant). This makes it a very conservative choice – even if quantum algorithms or unforeseen math breakthroughs weaken lattice or number-theoretic assumptions, SPHINCS+ would remain secure as long as the hashes (SHA-256, SHAKE256, etc.) remain secure. Thus, its security is well-understood and not based on unproven algebraic assumptions​. It is considered a “fallback” or hedge against the risk that one of the newer assumptions is broken.

Performance: The trade-off for SPHINCS+’s robust security is size and speed. SPHINCS+ signatures are notably large and slow compared to the lattice-based finalists. A typical SPHINCS+ signature (at ~128-bit security) can be on the order of 5–15 KB, depending on whether it’s optimized for speed or size (there are “fast” vs “small” parameter sets). Verification involves thousands of hash computations (traversing Merkle paths, etc.), making it relatively slow. Indeed, compared to Dilithium and FALCON, SPHINCS+ has slower signing and verification and much larger signatures​. On the plus side, the public key is very small (just a 32-byte hash seed plus some parameters) and the private key is just some seed values (also a few bytes). This could be beneficial in memory-constrained systems where storing a large public key is harder than handling a large signature occasionally. NIST reviewers acknowledged that SPHINCS+ is “much larger and slower than the lattice signatures” and may not be suitable for many applications​. Nonetheless, NIST decided to standardize SPHINCS+ to ensure diversity in our cryptographic toolkit – i.e., not to “rely entirely on the security of lattices”​. In practice, SPHINCS+ might be used in niche scenarios such as firmware signing or digital archives where long-term security is paramount and the overhead of a big signature is acceptable. Its stateless design is a big advantage in those cases (avoiding the complex state management that comes with XMSS/LMS). As the only non-lattice finalist, SPHINCS+ provides an important insurance against any unforeseen quantum or classical attacks on the lattice schemes. It embodies the classic principle: if you want maximum confidence, pay with performance.

Other Notable PQC Algorithms and Candidates

The NIST competition included many other algorithms representing all major approaches to PQC. Some promising candidates did not ultimately get selected for standardization in the first round, for various reasons ranging from cryptanalysis to practical considerations. A few notable ones include:

  • Saber (KEM): A lattice-based KEM like Kyber, but based on the Learning-with-Rounding (LWR) problem (a variant of LWE). Saber performed similarly to Kyber in many benchmarks, but NIST found Kyber’s Module-LWE assumption slightly more convincing than Saber’s LWR assumption​. Kyber also had a slight edge in hardware performance and had no patent complications, so NIST favored Kyber. Saber was not carried into the 4th round (having been essentially superseded by Kyber).
  • NTRU Prime (KEM): An encryption scheme based on the classic NTRU lattice problem (with modifications to avoid certain algebraic weaknesses). NTRU has the benefit of being one of the oldest PQC schemes (dating to 1996) and had no patent issues by the time of the competition​. NTRU was a finalist, and NIST noted it would consider NTRU as a backup if any last-minute issues arose with Kyber​. In the end, Kyber’s slightly better performance and simpler security proof won out, so NTRU Prime was not selected in round 3. (NTRU is still considered secure, and may see standardization in the future if needed.)
  • Classic McEliece (KEM): A code-based encryption scheme derived from the 1978 McEliece cryptosystem (using algebraic coding theory). Classic McEliece has extremely strong security – it’s survived over 40 years of cryptanalysis. However, it has very impractical public key sizes (e.g. a public key can be nearly a megabyte for 256-bit security)​. It also has slow key generation. McEliece was a finalist, but NIST did not select it for immediate standardization due to lack of broad utility and deployment challenges​. As they noted, if an application can tolerate McEliece’s huge public key, it might work – but for most, the cost is prohibitive. NIST has kept McEliece in a “wait-and-see” state (advancing it to the 4th round for further evaluation), but there is “no urgency” to standardize it until there’s a clear use-case that demands it​.
  • BIKE and HQC (KEMs): These are code-based (specifically QC-MDPC code) encryption schemes. Both made it to NIST’s fourth round as alternate KEM candidates​. Their appeal is that, like McEliece, they are not lattice-based, offering diversity. They have smaller keys than McEliece (tens of KB rather than a MB) by using structured codes, but also somewhat slower encryption/decapsulation. NIST indicated it will likely choose at most one of BIKE or HQC to standardize in the end​. These were not finalized in the first batch because NIST’s priority was Kyber (which covers general-purpose needs); BIKE/HQC are being studied further for performance and security (e.g., to ensure no structural weaknesses in QC codes).
  • SIKE (Isogeny-based KEM): SIKE (Supersingular Isogeny Key Encapsulation) was an innovative KEM based on the hard problem of finding isogenies (mappings) between elliptic curves. It had exceptionally small keys (around 300 bytes) and moderate ciphertext size, making it attractive for low-bandwidth scenarios​. Unfortunately, SIKE was comprehensively broken in 2022 by a mathematical cryptanalysis breakthrough. Researchers Castryck and Decru discovered a classical attack that recovered SIKE’s private key in about an hour on a standard PC​. This was shocking given the scheme had withstood scrutiny for years. The attack used a clever application of an old number theory result to crack the isogeny problem. As a result, SIKE was immediately dropped from consideration. This failure underscored the value of having multiple independent assumptions in PQC and the need for continued cryptanalysis. (On the bright side, it was “caught” during the evaluation process, before standardization.)
  • Rainbow (Multivariate signature): Rainbow was a multivariate quadratic signature scheme (an Oil-and-Vinegar design) that reached the third round finalists for signatures (alongside Dilithium and Falcon). Rainbow enjoyed very fast verification and short signatures (often just a few hundred bytes). However, in early 2022 it was completely broken – a researcher (Ward Beullens) devised a practical key-recovery attack that could recover a Rainbow private key on a laptop in 2 days​. This eliminated Rainbow from the running just before the final decisions. The fall of Rainbow, like SIKE, proved the wisdom of a multi-year review period: even mature proposals can harbor hidden weaknesses.
  • Picnic (Signature): Picnic was a digital signature scheme based on zero-knowledge proofs and symmetric-key primitives (an “MPC-in-the-head” approach, using hash functions and block ciphers rather than number theory). Picnic has no known quantum algorithm attacks (its security is based on secure hash and block cipher assumptions), but its signatures are quite large (tens of KB) and verification is slow. Picnic made it to Round 2/3 as an alternate candidate but was not selected likely due to efficiency concerns – SPHINCS+ offered a more straightforward hash-based solution for a similar trust model. NIST has opened a new call for signature schemes, so schemes like Picnic or its derivatives might reappear with improved performance.
  • GeMSS (Signature): GeMSS (Great Multivariate Short Signature) was a multivariate public-key signature with very short signatures. It wasn’t broken like Rainbow, but it suffered from very large public keys (over 100 KB) and slow signing. These practical issues, along with some partial cryptanalysis that undermined confidence in parameters, led to GeMSS being dropped.

In summary, many algorithms were winnowed out through the NIST process, either by cryptanalysis (e.g. Rainbow, SIKE) or by falling short in the performance/usability balance. The four chosen algorithms (Kyber, Dilithium, Falcon, SPHINCS+) represent the best combination of security and practicality among the submissions. All other round-3 candidates have now been either selected or excluded; NIST concluded the initial PQC project with no other finalists remaining. A few KEM proposals (BIKE, HQC, McEliece) continue in a fourth round for potential standardization as backups, and NIST may consider new signature proposals in a future call.

International PQC Efforts: China and the EU

While NIST’s project has led the global charge in PQC standardization, other countries and regions have mounted their own initiatives:

  • China: China is planning to launch an initiative to develop its own national post-quantum standards, rather than simply adopting the NIST choices. Chinese experts have voiced concern that relying on algorithms from NIST (a U.S. agency) could expose them to potential backdoors​. By developing indigenous PQC algorithms, China seeks to control its cryptographic destiny and possibly even export its standards globally. It’s worth noting that Chinese researchers have been heavily involved in PQC research all along – many submissions to the NIST competition had Chinese authors, and Chinese teams have contributed notable cryptanalysis results. Now, however, China’s standardization effort might favor home-grown algorithms. China’s effort is partially motivated by concerns over backdoors in U.S. standards and the desire to embed their own “covert access” if needed. How this will play out is yet to be seen – there could be a divergence where China ends up with different national PQC algorithms than the West, potentially complicating global interoperability.
  • European Union and ETSI: Europe has not run a separate competition like NIST’s, but European cryptographers have been deeply involved in PQC development from the start. The EU co-funded projects (like the PQCrypto project) and hosts the PQCrypto conference series (since 2006), which helped seed many of the ideas later submitted to NIST​. The European Telecommunications Standards Institute (ETSI) has been a hub for PQC discussions: since the mid-2010s ETSI and the Institute for Quantum Computing (IQC) have run annual “Quantum-Safe Cryptography” workshops in Europe​. These bring together industry, academia, and government to coordinate on quantum-safe measures. ETSI has a working group dedicated to quantum-safe cryptography, which has published reports and recommendations. For example, ETSI standardized some stateful hash-based signatures (XMSS, LMS) in technical specs even before NIST finished its process. The EU Agency for Cybersecurity (ENISA) in 2021 released a comprehensive report on the state of PQC and recommended migration strategies for EU member states​. The EU is generally aligned with NIST’s outcomes – European countries are likely to adopt the same lattice and hash-based algorithms NIST selects (possibly through ISO standardization). However, the EU emphasizes crypto-agility and risk management in transition. Individual European nations have started their own evaluations. There is also academic work on alternative PQC (for example, some European researchers are exploring bold new approaches like PKPs or different multivariate schemes). In summary, the EU’s approach has been collaborative and proactive in supporting NIST’s process, while preparing the European ecosystem (browser vendors, smartcard manufacturers, etc.) to deploy the new standards once ready.

It’s also notable that global standards bodies like ISO/IEC and the IETF are working on PQC as well. Many of the NIST candidate algorithms have undergone evaluation in ISO (some algorithms not chosen by NIST might still become ISO standards via national body contributions). The IETF has begun drafting RFCs for using PQC in protocols (e.g. hybrid key exchange in TLS, PQC in DNSSEC). So, the world at large is moving toward a quantum-safe future, with NIST’s quartet of algorithms as a common base but room for regional variety.

Implications for Industry and Transition Strategies

The advent of post-quantum cryptography has huge implications for industry and government systems. Organizations will need to migrate their cryptographic infrastructure to quantum-safe algorithms in the coming years – a process that should begin now, even though standards are just being finalized. One immediate recommendation (from NIST, ENISA, etc.) is to adopt crypto-agility: systems should be designed to be algorithm-flexible, so that cryptographic algorithms can be swapped out or upgraded with minimal disruption. This is critical because the timeline for quantum threats is uncertain, and also because, as we’ve seen, algorithms can be broken or superseded (e.g. if a flaw is found in a PQC algorithm, we’d need to quickly pivot to alternatives).

Practically, many organizations are experimenting with hybrid encryption – combining a classical algorithm with a PQC algorithm, so that if either is broken the data is still protected by the other. For example, one might do a TLS handshake that uses both ECDH and Kyber, or sign software with both ECDSA and Dilithium. This hedges bets during the transition period. In fact, the Kyber and Dilithium teams themselves recommend hybrid modes as a transitional strategy.

Early adopters in industry have already started implementing PQC: for instance, Cloudflare integrated several PQC algorithms (including Kyber) into its crypto library for experimental use, AWS supports hybrid post-quantum key exchange in its KMS, and IBM announced quantum-safe storage tape drives using Kyber and Dilithium back in 2019. Such trials help test the performance and uncover any integration issues in real-world systems. The general finding so far is that PQC is feasible: while PQC schemes have larger sizes, most networks and applications can accommodate them with some optimizations (for example, adjusting TLS parameters to handle bigger handshake messages).

Moving to PQC will also involve updating standards (TLS, IPsec, PKI, etc.), obtaining new certificates (e.g., with PQC signatures), and ensuring compliance requirements are met. Government agencies like NIST and DHS in the U.S. have published migration roadmaps, and organizations are advised to inventory their uses of cryptography, identify where quantum-vulnerable algorithms are used, and prioritize those systems for upgrade. Critical infrastructure and long-lived data (that needs confidentiality for decades) are top priorities.

One must also keep an eye on the lifespan of current encryption: even if a quantum computer capable of breaking RSA is, say, 8-10 years away, any data encrypted today with RSA and needing secrecy for >10 years is at risk (hence the harvest-now, decrypt-later threat). Industries like finance, healthcare, and government are thus urged to act sooner rather than later.

In implementing PQC, organizations should remain agile and informed. It’s possible that future analysis or new discoveries will change the algorithm landscape (for example, if an improved attack on lattice problems is found, security parameters might need adjustment, or alternative algorithms might be needed). Ongoing cryptanalysis and a potential NIST Phase 2 for more digital signatures means the story of PQC is not final.

In conclusion, Post-Quantum Cryptography represents the next chapter in cryptographic history – a proactive defense against the quantum computing threat. It requires a shift to new algorithms grounded in different math (lattices, hashes, codes, etc.), many of which have now proven themselves in intense evaluation. The NIST finalists Kyber, Dilithium, Falcon, and SPHINCS+ are poised to become the foundational building blocks of secure communication in the quantum era. By understanding their principles and preparing our systems for them, we can ensure that our data and digital systems remain secure against whatever computers – classical or quantum – the future holds. The transition will be challenging, but with careful planning and crypto-agility, it will be achievable and will usher in a new quantum-safe security infrastructure.

Photo of Marin Ivezic Marin Ivezic Follow on X Send an email July 13, 2022
18 minutes read
Photo of Marin Ivezic

Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven professional services firm dedicated to helping organizations unlock the transformative power of quantum technologies. Alongside leading its specialized service, Secure Quantum (SecureQuantum.com)—focused on quantum resilience and post-quantum cryptography—I also invest in cutting-edge quantum ventures through Quantum.Partners. Currently, I’m completing a PhD in Quantum Computing and authoring an upcoming book “Practical Quantum Resistance” (QuantumResistance.com) while regularly sharing news and insights on quantum computing and quantum security at PostQuantum.com. I’m primarily a cybersecurity and tech risk expert with more than three decades of experience, particularly in critical infrastructure cyber protection. That focus drew me into quantum computing in the early 2000s, and I’ve been captivated by its opportunities and risks ever since. So my experience in quantum tech stretches back decades, having previously founded Boston Photonics and PQ Defense where I engaged in quantum-related R&D well before the field’s mainstream emergence. Today, with quantum computing finally on the horizon, I’ve returned to a 100% focus on quantum technology and its associated risks—drawing on my quantum and AI background, decades of cybersecurity expertise, and experience overseeing major technology transformations—all to help organizations and nations safeguard themselves against quantum threats and capitalize on quantum-driven opportunities.
© Copyright 2025 Marin Ivezic, All Rights Reserved
Share via
Facebook
X (Twitter)
LinkedIn
Mix
Pinterest
Tumblr
Skype
Buffer
Pocket
VKontakte
Parler
Xing
Reddit
Line
Flipboard
MySpace
Delicious
Amazon
Digg
Evernote
Blogger
LiveJournal
Baidu
MeWe
NewsVine
Yummly
Yahoo
WhatsApp
Viber
SMS
Telegram
Facebook Messenger
Like
Email
Print
Copy Link
Powered by Social Snap
Copy link
CopyCopied
Powered by Social Snap