Quantum-Proof

This article is part of the Quantum Snake Oil Dictionary — a series examining terms used in quantum technology marketing. The series is divided into Red Flag Terms (terms with no established technical meaning that almost always signal hype or fraud) and Misused Terms (legitimate concepts routinely stripped of context in marketing). This entry is a Red Flag Term.

“Quantum-Proof”

A note before we begin. This article examines the term “quantum-proof” as it appears in security product marketing. I am not referring to any specific company, product, or individual. My analysis is purely technical: does the term hold up on its own merits? A product using this language might be built on legitimate technology with a marketing department that chose the wrong word. Future developments could also give the term a defensible meaning. As of today, here is my assessment.

Why “Proof” Is the Problem

The word “proof” implies a mathematical guarantee. In cryptography, that word carries weight. When we say the one-time pad has “provable security” (assuming truly random keys as long as the message, used only once), we mean there is a formal mathematical proof that no adversary, classical or quantum, can break it. Shannon published that proof in 1949.
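Shannon's argument can be replayed as a computation for a tiny message space, which makes the difference between "proven" and "believed" concrete. The block below is an added example, not code from the article: it checks by exhaustion that a one-time pad gives every plaintext the same ciphertext distribution (so the ciphertext carries no information), and then shows what happens when the hypothesis "used only once" is violated. The message values and the demo key are constructed here for illustration.

```python
"""One-time pad: perfect secrecy checked by exhaustion, and the pad-reuse failure."""
import os
from collections import Counter


def otp_encrypt(msg: bytes, key: bytes) -> bytes:
    """XOR each message byte with a fresh key byte; the key must cover the message."""
    if len(key) < len(msg):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(msg, key))


otp_decrypt = otp_encrypt  # XOR is its own inverse


def fresh_key(n: int) -> bytes:
    """A truly random pad of n bytes (os.urandom is a CSPRNG, close enough for the demo)."""
    return os.urandom(n)


def ciphertext_distribution(msg: bytes) -> Counter:
    """For a one-byte message, try all 256 possible key bytes and count each ciphertext.

    Exhaustive enumeration is feasible for one byte and is exactly the object
    Shannon's proof reasons about: the distribution of C given M = msg.
    """
    return Counter(otp_encrypt(msg, bytes([k])) for k in range(256))


def perfect_secrecy_holds() -> bool:
    """Shannon's condition on the 1-byte message space.

    For every message m, the ciphertext distribution is the same uniform one,
    so P(C = c | M = m) = 1/256 for all m and c: C is independent of M, and no
    adversary, classical or quantum, can learn anything about M from C.
    """
    uniform = Counter({bytes([c]): 1 for c in range(256)})
    return all(ciphertext_distribution(bytes([m])) == uniform for m in range(256))


def two_time_pad_recover(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """What the proof does NOT cover: the same pad used twice.

    c1 XOR c2 == m1 XOR m2 because the key cancels, so an attacker who knows
    or can guess m1 reads m2 without ever touching the key.
    """
    return bytes(a ^ b ^ m for a, b, m in zip(c1, c2, known_m1))


if __name__ == "__main__":
    print("perfect secrecy on 1-byte space:", perfect_secrecy_holds())
    key = fresh_key(5)                      # one pad ...
    c1 = otp_encrypt(b"HELLO", key)         # ... used twice (the mistake)
    c2 = otp_encrypt(b"WORLD", key)
    print("recovered second message:", two_time_pad_recover(c1, c2, b"HELLO"))
```

The first function is the "proof" half of the word: it holds for every message, not merely for the ones nobody has managed to break. The second is the reminder that a proof is only as good as its hypotheses, which is the same caution the rest of this article applies to "quantum-proof".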

No post-quantum algorithm has an equivalent proof. ML-KEM (formerly CRYSTALS-Kyber), ML-DSA (formerly CRYSTALS-Dilithium), SLH-DSA (formerly SPHINCS+), and the other NIST-standardized post-quantum algorithms are believed to be resistant to quantum attack. That belief is grounded in decades of research into the underlying mathematical problems (lattice problems, hash functions, coding theory). The global cryptographic community has been trying to break these algorithms since NIST’s standardization process began in 2016, and so far nobody has succeeded.

But “believed to be resistant after years of attempted attack” and “proven to be unbreakable” are different claims. The distinction matters because the history of cryptography is full of algorithms that were believed to be secure until someone found a way to break them. The entire reason NIST ran a multi-year, multi-round public competition was to subject candidate algorithms to the widest possible scrutiny before standardization. That process increases confidence. It does not produce proof.

What Standards Bodies Actually Say

This is not a pedantic distinction I invented. The organizations responsible for defining quantum security terminology have deliberately avoided “quantum-proof.”

NIST uses “post-quantum” and “quantum-resistant.” The UK’s National Cyber Security Centre (NCSC) and the IETF use “post-quantum”; RFC 9794 (June 2025), the IETF’s terminology document for post-quantum/traditional hybrid schemes, fixes that usage. ETSI uses “quantum-safe.” None of these bodies uses “quantum-proof,” and the reason is the same across all of them: the term implies a certainty that the current state of knowledge does not support.

Even the term “quantum-safe” has attracted criticism for potentially overstating the guarantee, which is why “quantum-resistant” (explicitly acknowledging that resistance is the claim, not immunity) has gained favor in technical contexts. The terminology debate may seem academic, but it reflects a genuine concern: if vendors tell customers their product is “quantum-proof,” those customers may stop thinking about crypto-agility, ongoing algorithm monitoring, and the possibility that a currently standardized algorithm could be weakened by future cryptanalysis. That complacency is dangerous.
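Crypto-agility is a design property, so it is worth seeing what it looks like in code. The block below is an added example, not code from the article or from any vendor: every signed object names its algorithm, verification goes through a registry whose entries an operator can downgrade when new cryptanalysis appears, and objects are re-signed under a successor without changing the envelope format. HMAC-SHA256 and HMAC-SHA3-256 stand in for a current and a successor algorithm so the example runs on the Python standard library alone; the algorithm names, status values, envelope layout and demo keys are this example's own assumptions, not any standard.

```python
"""Crypto-agile signed envelope: explicit algorithm IDs, a revisable registry, re-signing."""
import base64
import hmac

APPROVED, DEPRECATED, WITHDRAWN = "approved", "deprecated", "withdrawn"

# The one place that changes when an algorithm's standing changes. Nothing else
# in the code base hard-codes an algorithm, which is the point of agility.
REGISTRY = {
    "hmac-sha256":   {"status": APPROVED, "digest": "sha256"},
    "hmac-sha3-256": {"status": APPROVED, "digest": "sha3_256"},
}


def set_status(alg: str, status: str) -> None:
    """Operator action: e.g. mark an algorithm DEPRECATED after a published attack."""
    REGISTRY[alg]["status"] = status


def _tag(alg: str, key: bytes, payload: bytes) -> bytes:
    # Bind the algorithm identifier into the MAC input so a tag computed under
    # one algorithm cannot simply be relabelled as another (algorithm substitution).
    return hmac.new(key, alg.encode() + b"\x00" + payload, REGISTRY[alg]["digest"]).digest()


def sign(alg: str, key: bytes, payload: bytes) -> dict:
    """Create a new signed object; only currently APPROVED algorithms may be used."""
    entry = REGISTRY.get(alg)
    if entry is None or entry["status"] != APPROVED:
        raise ValueError(f"refusing to create new signatures with {alg!r}")
    return {"v": 1, "alg": alg,
            "payload": base64.b64encode(payload).decode(),
            "tag": base64.b64encode(_tag(alg, key, payload)).decode()}


def verify(env: dict, keys: dict) -> tuple:
    """Return (valid, advice): advice is '' when fine, 'resign' when the algorithm is
    DEPRECATED (still trusted, but migrate), or the reason for rejection."""
    alg = env.get("alg")
    entry = REGISTRY.get(alg)
    if entry is None:
        return False, f"unknown algorithm {alg!r}"
    if entry["status"] == WITHDRAWN:
        return False, f"{alg} withdrawn; signature not trusted"
    key = keys.get(alg)
    if key is None:
        return False, f"no key for {alg}"
    payload = base64.b64decode(env["payload"])
    if not hmac.compare_digest(_tag(alg, key, payload), base64.b64decode(env["tag"])):
        return False, "bad tag"
    return True, ("resign" if entry["status"] == DEPRECATED else "")


def rotate(env: dict, keys: dict, new_alg: str) -> dict:
    """Re-sign under a successor algorithm, but only while the old signature still verifies."""
    ok, advice = verify(env, keys)
    if not ok:
        raise ValueError(f"cannot rotate: {advice}")
    return sign(new_alg, keys[new_alg], base64.b64decode(env["payload"]))


def demo() -> list:
    """Lifecycle walk-through; returns the verifier's advice at each step."""
    keys = {"hmac-sha256": b"k" * 32, "hmac-sha3-256": b"K" * 32}  # constructed demo keys
    env = sign("hmac-sha256", keys["hmac-sha256"], b'{"order": 42}')
    out = [verify(env, keys)[1]]                # '' : fine today
    set_status("hmac-sha256", DEPRECATED)       # new cryptanalysis is published
    out.append(verify(env, keys)[1])            # 'resign' : still valid, migrate now
    env2 = rotate(env, keys, "hmac-sha3-256")   # migration while the old tag still verifies
    set_status("hmac-sha256", WITHDRAWN)        # later: old algorithm is pulled entirely
    out.append(verify(env, keys)[1])            # the un-migrated object is rejected
    out.append(verify(env2, keys)[1])           # '' : the rotated object is unaffected
    return out


if __name__ == "__main__":
    print(demo())
```

Two details matter more than the MAC choice. Rotation happens while the old algorithm is deprecated rather than withdrawn, which is the only window in which a re-signature can be trusted; and the algorithm name is part of what is authenticated, so a downgrade cannot be achieved by editing the `alg` field. A product whose format has no `alg` field at all, or whose verifier has no notion of a deprecated status, is one that believed its own "quantum-proof" label.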

When “Quantum-Proof” Becomes a Red Flag

The term by itself is a yellow flag. It becomes a red flag when combined with other patterns:

A vendor claims their proprietary, unpublished algorithm is “quantum-proof.” This is the most dangerous combination. A proprietary algorithm that has not undergone public cryptanalysis cannot be trusted regardless of what label is attached to it. If the algorithm is not ML-KEM, ML-DSA, SLH-DSA, or another algorithm that has survived the NIST process (or an equivalent national standards process), then calling it “quantum-proof” is not just imprecise; it is unsupported by any independent evidence.

A vendor claims “quantum-proof” without specifying which algorithm they implement. If pressed on specifics and the answer is vague, evasive, or wrapped in claims about proprietary innovation, see the companion guide on vendor deflection tactics.

A vendor claims “quantum-proof” for a product that has no FIPS 140-3 module validation. FIPS 140-3 validation confirms that a specific cryptographic module, containing specific algorithm implementations, has been independently tested against NIST’s requirements, and the certificate lists exactly which algorithms and modes were tested. Without it, even a well-chosen algorithm could be implemented incorrectly, and you have only the vendor’s word for which algorithm is actually in the product.

Questions to Ask a Vendor

“Which specific NIST-standardized algorithm does your product implement?” The answer should be one or more of: ML-KEM (FIPS 203), ML-DSA (FIPS 204), SLH-DSA (FIPS 205), or an algorithm in NIST’s ongoing process (HQC, FN-DSA). If the answer is a proprietary name you cannot find in any public cryptanalysis literature, that is a significant concern.

“Do you have or are you pursuing FIPS 140-3 module validation?” This verifies that the implementation, not just the algorithm choice, has been independently tested.

“Why do you use the term ‘quantum-proof’ when NIST and the IETF do not?” The answer to this question will tell you whether the vendor understands the distinction or whether the marketing department wrote the spec sheet.

The Bottom Line

The strongest post-quantum algorithms available today are strong because they have survived years of global cryptanalysis, not because anyone has proven them unbreakable. Calling them “quantum-proof” overstates the guarantee and may discourage the crypto-agility that organizations need if an algorithm is eventually weakened. A vendor who says “quantum-resistant” or “post-quantum” and can name the specific NIST algorithm they implement is giving you a more honest and more useful description than one who says “quantum-proof.”

Quantum Upside & Quantum Risk - Handled

My company - Applied Quantum - helps governments, enterprises, and investors prepare for both the upside and the risk of quantum technologies. We deliver concise board and investor briefings; demystify quantum computing, sensing, and communications; craft national and corporate strategies to capture advantage; and turn plans into delivery. We help you mitigate the quantum risk by executing crypto‑inventory, crypto‑agility implementation, PQC migration, and broader defenses against the quantum threat. We run vendor due diligence, proof‑of‑value pilots, standards and policy alignment, workforce training, and procurement support, then oversee implementation across your organization. Contact me if you want help.

Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.