Quantum-Safe vs Quantum-Resistant vs Post-Quantum
This article is part of the Quantum Snake Oil Dictionary — a series examining terms used in quantum technology marketing. The series is divided into Red Flag Terms (terms with no established technical meaning that almost always signal hype or fraud) and Misused Terms (legitimate concepts routinely stripped of context in marketing). This entry is a Misused Term.
“Quantum-Safe” vs “Quantum-Resistant” vs “Post-Quantum”
The core problem. These three terms are used interchangeably in virtually every vendor brochure, press release, and conference presentation. Even standards bodies have been inconsistent. But the terms carry different implications, and vendors exploit the ambiguity to overstate what their products deliver.
What Each Term Implies
Post-quantum cryptography (PQC) is the most precise and least controversial term. It refers to cryptographic algorithms designed to resist attacks from quantum computers, specifically from Shor’s algorithm (which threatens RSA, ECC, and Diffie-Hellman) and Grover’s algorithm (which weakens symmetric ciphers and hash functions). PQC algorithms run on classical hardware. They are “post-quantum” in the sense that they are designed for the era after quantum computers become powerful enough to break current cryptography. NIST uses this term for its standardization process. The IETF uses it in RFC 9794.
Quantum-resistant implies that the algorithm or system can resist attack by a quantum computer. It is widely used and generally understood to mean the same thing as PQC. The nuance: “resistant” honestly acknowledges that the algorithms are believed to withstand quantum attack but are not proven to be immune. Resistance can be weakened by future cryptanalysis.
Quantum-safe implies that the algorithm or system is safe from quantum attack. It is used by ETSI and by many vendors. The nuance: “safe” sounds more absolute than “resistant,” which is why some cryptographers prefer “quantum-resistant.” The concern is that “safe” may suggest a level of certainty that current PQC algorithms do not possess. No PQC algorithm has an unconditional security proof against quantum attack (see the Quantum-Proof entry for why this matters).
In practice, the cryptographic community treats these terms as near-synonyms. The differences are in emphasis and implied confidence level, not in the underlying technology. RFC 9794 uses “post-quantum” as its primary term, noting that other terms are in circulation.
How Vendors Exploit the Ambiguity
The three-term confusion creates opportunities for overstatement at every level.
“Quantum-safe” applied to a single component. A vendor implements ML-KEM for TLS key exchange and markets the product as “quantum-safe.” But the digital signature scheme is still ECDSA, the certificate infrastructure still uses RSA, and the legacy protocols have not been migrated. The product has one post-quantum component and many quantum-vulnerable components. “Quantum-safe” as a product-level label overstates the coverage.
“Quantum-resistant” applied to a proprietary algorithm. A vendor markets a proprietary cipher as “quantum-resistant” without submitting it to NIST, ETSI, or any public cryptanalysis process. The term “quantum-resistant” implies that the algorithm has been evaluated against quantum attack models. A proprietary algorithm that has not been publicly analyzed carries no such implication. (See the Quantum-Safe Certified entry for the certification angle of this problem.)
“Post-quantum” applied to a non-cryptographic product. “Post-quantum security platform” sounds comprehensive. It might mean the platform implements PQC algorithms throughout its stack. It might mean the platform includes one feature that uses one PQC algorithm. It might mean the vendor plans to add PQC support in a future release. The label does not distinguish between these scenarios.
Timing claims. “We’ve been quantum-safe since 2022” sounds impressive until you learn that the NIST PQC standards were not finalized until August 2024. A product that implemented a pre-standardization algorithm variant may not be compatible with the final FIPS 203/204/205 specifications, may have used parameter sets that were subsequently changed, or may have relied on a candidate algorithm that was not selected (such as SIKE, which was broken in 2022).
What the Standards Bodies Say
The terminology ecosystem is converging, but slowly:
NIST uses “post-quantum cryptography” for the algorithms and standardization process. The standards themselves (FIPS 203, 204, 205) do not use “quantum-safe” or “quantum-resistant” in their titles.
NCSC (UK) co-authored RFC 9794 using “post-quantum” as the primary term, while acknowledging that “quantum-safe” and “quantum-resistant” appear in the wider ecosystem.
ETSI has historically preferred “quantum-safe” in its technical reports and migration guides.
NSA uses “quantum-resistant” in CNSA 2.0 documentation.
ISO is still working on terminology harmonization through its quantum security working groups.
The lack of a single, globally agreed label is not a crisis, but it creates room for marketing to exploit the gaps. A vendor who says “quantum-safe” when NIST says “post-quantum” is not wrong, but a vendor who uses the ambiguity to imply a guarantee that the underlying algorithm does not support is being misleading.
Questions to Ask a Vendor
“When you say ‘quantum-safe/quantum-resistant/post-quantum,’ which specific NIST-standardized algorithm are you referring to?” The three labels are all acceptable descriptions of NIST PQC algorithms. What matters is whether there is a specific algorithm behind the label. ML-KEM-768 is quantum-resistant. A proprietary algorithm that has not been analyzed is not, regardless of which label is attached.
“Which components of your product have been migrated to PQC algorithms, and which still use classical cryptography?” A product is only as quantum-resistant as its weakest cryptographic component. If key exchange uses ML-KEM but signatures still use ECDSA, the product is partially migrated. Ask for the full picture, not the headline alone.
“Are you aligned with the final NIST FIPS 203/204/205 specifications, or with an earlier draft?” Implementations built against pre-standardization drafts may not be interoperable with or cryptographically equivalent to the final standards. This matters for compliance timelines, particularly for organizations tracking CNSA 2.0 deadlines.
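The second and third questions can be turned into a component-level check, shown here as an added example that is not part of the original article: it classifies each entry of a crypto inventory by algorithm name and reports whether the product is fully or only partially migrated. The inventory, the component names, the status labels and "VendorSig-1" are constructed for illustration; matching on names is an assumption and cannot confirm that an implementation conforms to FIPS 203/204/205.

```python
import re

# Ordered rules, first match wins. Patterns cover public-key algorithm names only;
# symmetric ciphers and hashes are out of scope for this sketch.
RULES = [
    ("broken-candidate", re.compile(r"sike|sidh", re.I)),  # SIKE: broken in 2022
    ("fips-final", re.compile(
        r"ml-?kem-?(512|768|1024)|ml-?dsa-?(44|65|87)|slh-?dsa", re.I)),
    ("pre-standard", re.compile(r"kyber|dilithium|sphincs", re.I)),  # draft-era names
    ("quantum-vulnerable", re.compile(
        r"rsa|ecdsa|ecdh|ed25519|x25519|secp\d+|ffdhe", re.I)),  # Shor applies
]

def classify(algorithm: str) -> str:
    """Map an algorithm identifier to a migration status."""
    for status, pattern in RULES:
        if pattern.search(algorithm):
            return status
    return "unreviewed"  # no public standard behind the name, e.g. a proprietary scheme

def assess(inventory):
    """Return (verdict, blockers) for a list of (component, algorithm) pairs."""
    statuses = [(comp, alg, classify(alg)) for comp, alg in inventory]
    blockers = [(c, a, s) for c, a, s in statuses if s != "fips-final"]
    migrated = len(statuses) - len(blockers)
    if statuses and not blockers:
        verdict = "fully migrated"
    elif migrated:
        verdict = "partially migrated"
    else:
        verdict = "not migrated"
    return verdict, blockers

# Constructed inventory modelled on the article's single-component example.
# A hybrid group such as X25519MLKEM768 counts as fips-final because the
# ML-KEM share carries the post-quantum property.
PRODUCT = [
    ("TLS key exchange", "X25519MLKEM768"),
    ("TLS server signature", "ecdsa_secp256r1_sha256"),
    ("Certificate chain", "sha256WithRSAEncryption"),
    ("Legacy VPN key exchange", "X25519Kyber768Draft00"),
    ("Firmware signing", "VendorSig-1"),
]

if __name__ == "__main__":
    verdict, blockers = assess(PRODUCT)
    print(f"Verdict: {verdict}")
    for comp, alg, status in blockers:
        print(f"  {comp}: {alg} -> {status}")
```

For the constructed product, one of five components is on a final standard, so the headline "quantum-safe" reduces to "partially migrated" with four named blockers.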
The Bottom Line
“Quantum-safe,” “quantum-resistant,” and “post-quantum” all point to the same goal: cryptography that survives the arrival of a cryptographically relevant quantum computer (CRQC). The differences in wording are less important than the specifics behind them. Which algorithm? Which standard? Which components? How complete is the migration? The label is the starting point of the conversation, not the conclusion. For a detailed guide to the terminology and how PostQuantum.com uses it, see “Quantum Security: Understanding the Terminology and Context” and “Quantum-Safe vs Quantum-Secure.”