Encryptorium

Post-quantum cryptography: what it is and why migration starts now

Encryptorium · 4 min read

Quantum computers capable of breaking RSA and elliptic curve cryptography do not yet exist, but the cryptographic community is not waiting for them to arrive. The post-quantum cryptography (PQC) transition is already underway.

The quantum threat

Classical public-key cryptography relies on mathematical problems that are computationally hard for conventional computers: factoring large numbers (RSA) and computing discrete logarithms (ECC). Shor's algorithm, running on a sufficiently powerful quantum computer, solves both in polynomial time.

The risk is not limited to future communications. Harvest-now, decrypt-later attacks mean that encrypted data captured today could be decrypted once quantum computers mature. For data with long-term confidentiality requirements (government communications, medical records, financial data), the threat is already real.

What is post-quantum cryptography?

Post-quantum cryptography refers to cryptographic algorithms designed to resist attacks from both classical and quantum computers. Unlike quantum cryptography (which uses quantum mechanics for key distribution), PQC runs on conventional hardware.

The main families of PQC algorithms are:

  • Lattice-based: Built on the hardness of problems like Learning With Errors (LWE). This family includes ML-KEM and ML-DSA, now the primary NIST standards.
  • Hash-based: Signatures derived from hash function security. SLH-DSA (formerly SPHINCS+) is the conservative choice here.
  • Code-based: Based on error-correcting codes. HQC was selected by NIST in March 2025 for standardization as a backup KEM, with the final standard expected around 2027. Classic McEliece, backed by decades of cryptanalysis, was not selected by NIST, primarily due to its very large public keys (hundreds of kilobytes) and limited anticipated deployment; ISO standardization is underway separately.
  • Multivariate: Based on solving systems of multivariate polynomial equations. Rainbow, the leading NIST candidate, was broken in 2022. However, several multivariate signature schemes (MAYO, UOV, QR-UOV, SNOVA) advanced to round 2 of NIST's additional digital signature evaluation.
  • Isogeny-based: Based on mappings between elliptic curves. SIKE, the leading candidate, was broken in 2022. SQIsign, a newer isogeny-based signature scheme, advanced to round 2 of NIST's additional signature evaluation and is notable for its extremely small combined public key and signature sizes.

The NIST standards

In August 2024, NIST finalized three post-quantum cryptographic standards:

  • FIPS 203 (ML-KEM): Module-Lattice-Based Key-Encapsulation Mechanism. The primary NIST-standardized post-quantum mechanism for key establishment, intended to replace quantum-vulnerable classical approaches such as Diffie-Hellman and RSA key transport.
  • FIPS 204 (ML-DSA): Module-Lattice-Based Digital Signature Algorithm. The primary digital signature scheme.
  • FIPS 205 (SLH-DSA): Stateless Hash-Based Digital Signature Algorithm. A conservative backup signature scheme based purely on hash functions.

A fourth algorithm, FN-DSA (originally Falcon), was also selected by NIST and remains under development as a draft standard. It targets use cases where smaller signature sizes are important.

The NCSC UK recommends ML-KEM-768 for key establishment and ML-DSA-65 for digital signatures as suitable for most general-purpose applications.

Why migrate now?

The migration to PQC is not a simple algorithm swap. It requires:

  1. Cryptographic inventory: Understanding where and how cryptography is used across your systems
  2. Protocol updates: PQC algorithms have different key and signature sizes that affect protocol design
  3. Testing and validation: Ensuring implementations are correct and performant
  4. Hybrid approaches: Running PQC alongside classical algorithms during the transition period

The NCSC's migration timelines (published March 2025) set concrete milestones: complete cryptographic discovery by 2028, high-priority migrations by 2031, and full PQC migration by 2035. Organizations should plan PQC migration within their normal technology refresh cycles rather than treating it as a standalone emergency project, but the planning needs to start now.

The first step is knowing what you have. Most organizations cannot list every algorithm, key length, and protocol version running in their systems. Without that inventory, migration planning is guesswork. For organizations beginning that work, a structured post-quantum readiness assessment provides the baseline: cataloging cryptographic dependencies, scoring exposure by data lifetime and threat model, and producing a prioritized migration sequence. The algorithm swap is the easy part; the inventory, architecture review, and lifecycle planning are where the real work lives.
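As an added example (not code from the original post or from NCSC), the following Python script applies the migration steps above to a constructed inventory: it classifies each record as quantum-vulnerable, already post-quantum, or hybrid, scores exposure by data lifetime against the 2035 full-migration target, and produces a prioritized migration sequence. The record format, the scoring weights and the 2025 baseline year are assumptions for illustration, not an NCSC method.

```python
from dataclasses import dataclass

# Shor's algorithm breaks these (factoring / discrete log); FIPS 203-205 names are safe.
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "X25519", "ECDSA", "Ed25519"}
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}
FULL_MIGRATION_YEAR = 2035  # NCSC target for full PQC migration

@dataclass
class Record:
    system: str
    algorithm: str
    purpose: str              # "key_establishment" or "signature"
    protocol: str
    data_lifetime_years: int  # how long the protected data must stay confidential
    hybrid: bool = False      # classical already paired with a PQC algorithm

def exposure_score(rec, now=2025):
    """Return (score, reason); higher means migrate earlier. Weights are an illustrative assumption."""
    if rec.algorithm in POST_QUANTUM:
        return 0, "already post-quantum"
    if rec.algorithm not in QUANTUM_VULNERABLE:
        return 3, "unrecognised algorithm: finish discovery before scoring"
    if rec.hybrid:
        return 2, "hybrid in place: retire the classical half last"
    if rec.purpose == "key_establishment":
        # Harvest-now-decrypt-later: risk grows with how long the data must stay secret.
        if now + rec.data_lifetime_years > FULL_MIGRATION_YEAR:
            return 10, "HNDL: confidentiality outlives the 2035 target"
        return 6, "HNDL: classical key establishment"
    # Signatures cannot be forged retroactively from captured traffic, so they rank
    # below key establishment; long-lived trust anchors still rank higher.
    return (5 if rec.data_lifetime_years > 5 else 4), "signature: migrate with next protocol refresh"

def migration_sequence(records):
    """Prioritised (system, score, reason) rows, highest exposure first (stable sort)."""
    return sorted([(r.system, *exposure_score(r)) for r in records], key=lambda row: -row[1])

# Constructed sample inventory (not real systems).
INVENTORY = [
    Record("records-archive-tls", "RSA", "key_establishment", "TLS 1.2", 25),
    Record("web-frontend-tls", "X25519", "key_establishment", "TLS 1.3", 1),
    Record("code-signing", "ECDSA", "signature", "firmware images", 10),
    Record("legacy-appliance", "PROPRIETARY", "key_establishment", "custom", 10),
    Record("site-vpn", "X25519", "key_establishment", "IKEv2", 5, hybrid=True),
    Record("pqc-pilot", "ML-KEM", "key_establishment", "TLS 1.3", 5),
]

if __name__ == "__main__":
    for system, score, reason in migration_sequence(INVENTORY):
        print(f"{score:2d}  {system:22s} {reason}")
```

The archive system ranks first because its 25-year confidentiality requirement outlives the 2035 target, while the hybrid VPN and the ML-KEM pilot fall to the bottom of the sequence.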

For a full history of PQC standardization milestones, see the PQC Timeline. Primary sources for each algorithm family are collected on the Resources page.