PQC Essentials

A beginner-friendly guide to the core concepts behind post-quantum cryptography — no PhD required.

Quantum computers are advancing rapidly, and a future cryptographically relevant quantum computer could break much of today's public-key cryptography that protects internet communications. Post-quantum cryptography (PQC) is the new generation of algorithms designed to resist this threat. This page walks you through the key concepts, from the basics of encryption to the standards that are shaping the future.

1. What Is Post-Quantum Cryptography?

Post-quantum cryptography (PQC) refers to cryptographic algorithms that are secure against attacks from both classical computers and quantum computers. Unlike today's widely used algorithms (RSA, ECC), PQC algorithms are built on mathematical problems for which no efficient quantum attacks are currently known.

💡 Think of it this way: Today's encryption is like a lock that only a classical lockpick can open. A quantum computer is like a master key. PQC replaces the lock entirely with one that no known key — classical or quantum — can pick.

PQC is not science fiction — the U.S. National Institute of Standards and Technology (NIST) finalised the first three PQC standards in August 2024, and governments and regulators are publishing migration roadmaps with major milestones across the early-to-mid 2030s.

2. Public-Key Cryptography Fundamentals

Most secure communication on the internet relies on public-key (asymmetric) cryptography. It uses a pair of mathematically related keys:

  • Public key — shared openly with everyone. Used to encrypt messages or verify signatures.
  • Private key — kept secret by the owner. Used to decrypt messages or create signatures.

💡 Analogy: Imagine a mailbox with a slot (public key) that anyone can drop a letter into, but only you have the key (private key) to open it and read the mail.

The security of these systems depends on hard math problems. Traditional public-key systems such as RSA (factoring) and ECC (elliptic curve discrete logarithms) rely on problems that a sufficiently capable quantum computer could solve efficiently. PQC is still public-key cryptography — it keeps the same public/private key model, but uses different mathematical problems that are believed to resist quantum attacks.

3. What Is a Key Exchange?

Before two parties (e.g. your browser and a website) can communicate securely, they need to agree on a shared secret key — without an attacker being able to figure it out. This process is called a key exchange.

The most common methods today are Diffie-Hellman (DH) and its elliptic-curve variant ECDH (most often with the X25519 curve). Both parties contribute to the secret, and even someone watching all the network traffic cannot reconstruct the key.

💡 Analogy: Imagine two people each mixing a secret colour into a shared base colour. They exchange their mixed results publicly, then each adds their own secret colour again. Both end up with the same final colour, but an observer cannot reverse-engineer it.

Deep dive: Key Exchange vs. Digital Signatures →

4. What Is a KEM (Key Encapsulation Mechanism)?

A KEM achieves the same goal as a key exchange — establishing a shared secret — but works differently. Both are forms of key establishment. Instead of both parties contributing, one party (the sender) encapsulates a randomly generated secret inside a "ciphertext" using the other party's public key. Only the holder of the matching private key can decapsulate it.

  • Key Exchange (DH) — both parties contribute; the shared secret emerges from their combined inputs.
  • KEM — one party generates the secret and wraps it for the other party to unwrap.

NIST's primary post-quantum standard ML-KEM (formerly Kyber) is a KEM. It is already being deployed in selected browser and network rollouts, typically in hybrid TLS configurations as standards and implementations mature.

Deep dive: How Hybrid TLS Uses ML-KEM →

5. What Are Digital Signatures?

A digital signature is the electronic equivalent of a handwritten signature — it proves that a message or document was created by a specific person and has not been tampered with.

  • Signing: The author uses their private key to produce a signature for the message.
  • Verification: Anyone with the author's public key can check that the signature is valid.

Digital signatures are everywhere: TLS certificates, software updates, code signing, email authentication, and blockchain transactions. NIST standardised two post-quantum signature algorithms: ML-DSA (lattice-based) and SLH-DSA (hash-based).
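The sign/verify pair above is easiest to see with a scheme built from nothing but a hash function. The following is an added example, not code from the original page: a Lamport one-time signature using SHA-256. SLH-DSA (FIPS 205) is a much more elaborate construction, but it relies on the same assumption shown here, that the hash function cannot be inverted. The sample message and the function names are constructed for this illustration.

```python
# Added example (not from the original page): a Lamport one-time signature
# built only from SHA-256. SLH-DSA (FIPS 205) is far more elaborate, but it
# rests on the same idea: the only hardness assumption is that the hash
# function cannot be inverted.
import hashlib
import secrets

N = 256  # digest length in bits; one private-key pair per bit


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Return (private_key, public_key).

    The private key is 256 pairs of random 32-byte secrets; the public key is
    the SHA-256 hash of each secret, so it can be shared freely.
    """
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def _digest_bits(msg: bytes):
    d = _h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def sign(sk, msg: bytes):
    """Reveal, for every bit of H(msg), the matching half of the private key.

    Each key pair must sign ONE message only: a second signature with the
    same key reveals more private halves and enables forgery.
    """
    return [pair[bit] for pair, bit in zip(sk, _digest_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Hash each revealed secret and compare with the published hash for the
    corresponding digest bit. Changing msg flips digest bits, and a forger
    would then need a preimage of the other half, which is the hard problem.
    """
    if len(sig) != N:
        return False
    return all(_h(s) == pair[bit]
               for pair, bit, s in zip(pk, _digest_bits(msg), sig))


def demo():
    """Sign one constructed message and show what verification accepts and rejects."""
    sk, pk = keygen()
    msg = b"software update v1.4.2"  # constructed sample message
    sig = sign(sk, msg)
    genuine = verify(pk, msg, sig)
    tampered_msg = verify(pk, msg + b" (modified)", sig)
    forged_sig = verify(pk, msg, sig[:-1] + [bytes(32)])
    return genuine, tampered_msg, forged_sig


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Running `demo()` shows the two properties the text names: the genuine signature verifies, while either a modified message or a modified signature is rejected. The public key here is about 16 KB and each key can sign only once, which is why practical hash-based schemes such as SLH-DSA layer many one-time keys into a tree structure.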

Deep dive: Code Signing and PQC →

6. The Quantum Threat

Quantum computers exploit phenomena like superposition and entanglement to process information in fundamentally different ways. Two quantum algorithms pose a direct threat to today's cryptography:

  • Shor's algorithm — can factor large numbers and solve discrete logarithm problems exponentially faster than any known classical algorithm. This would compromise the RSA and ECC key sizes deployed today.
  • Grover's algorithm — speeds up brute-force search, effectively halving the bit strength of symmetric algorithms (e.g. AES-128 drops to roughly 64-bit strength). The fix is straightforward: double the key size (e.g. move to AES-256).

Researchers often refer to a machine powerful enough to run these attacks as a cryptographically relevant quantum computer (CRQC).

The critical point: Shor's algorithm makes the threat existential for public-key crypto, while Grover's is manageable. This is why PQC focuses on replacing public-key algorithms, not symmetric ones.

Deep dive: The Harvest-Now, Decrypt-Later Threat →

7. NIST Post-Quantum Standards

In August 2024, the U.S. National Institute of Standards and Technology (NIST) published the first three post-quantum cryptographic standards after an 8-year international evaluation:

  • ML-KEM (FIPS 203) — A lattice-based Key Encapsulation Mechanism. The primary replacement for key exchange in TLS, VPNs, and other protocols. Three security levels: ML-KEM-512, ML-KEM-768, ML-KEM-1024.
  • ML-DSA (FIPS 204) — A lattice-based digital signature algorithm. Designed for general-purpose signing (certificates, code signing, authentication).
  • SLH-DSA (FIPS 205) — A hash-based digital signature algorithm. Provides a conservative, well-understood backup that relies only on the security of hash functions.

Standardising algorithms is a critical first step, but operational migration also depends on protocol standards, validated implementations, and phased deployment planning.

Deep dive: BSI-Compliant PQC →

8. What Is Hybrid Cryptography?

Because PQC algorithms are still relatively new, most deployments today use a hybrid approach: combining a proven classical algorithm (like X25519) with a post-quantum algorithm (like ML-KEM-768) in parallel.

The result: when the protocol is designed and implemented correctly, security is not dependent on a single primitive. This gives organisations the quantum resistance of PQC without giving up the battle-tested security of classical crypto.

💡 Analogy: It's like locking a door with two different locks — a traditional deadbolt and a next-generation smart lock. A burglar would need to defeat both to get in.

Major browser and cloud ecosystems have introduced hybrid TLS support (for example X25519 + ML-KEM-768) in staged rollouts, and these mechanisms continue to evolve as standards mature. Status context: March 2026.
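The following added example (not code from the original page) shows the three ideas from sections 3, 4 and 8 together: a Diffie-Hellman exchange where both sides contribute, the same group wrapped in the three-function KEM interface (keygen, encapsulate, decapsulate) that ML-KEM also exposes, and a concatenate-then-hash combiner of the kind hybrid TLS uses. Because ML-KEM is not in the Python standard library, the "post-quantum" component is stood in for by a DH-based KEM; the group parameters, function names and transcript layout are constructed toy values with no real security.

```python
# Added example (not from the original page). The group below is a TOY
# parameter set chosen only so the arithmetic is visible; it is not secure.
import hashlib
import secrets

P = (1 << 127) - 1   # constructed toy prime modulus (2^127 - 1)
G = 3                # constructed toy generator


def dh_keypair():
    """Return (private exponent, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(my_private: int, their_public: int) -> bytes:
    """Key exchange: both sides compute g^(xy) from their own secret and the
    other side's public value. Neither side chose the result alone."""
    return pow(their_public, my_private, P).to_bytes(16, "big")


# --- The same hard problem behind a KEM interface (ElGamal/DHIES style) ---
def kem_keygen():
    return dh_keypair()


def kem_encaps(pk: int):
    """The sender alone generates the secret: it picks an ephemeral exponent,
    derives the shared secret, and sends only the ephemeral public value as
    the 'ciphertext'."""
    r, ciphertext = dh_keypair()
    shared = hashlib.sha256(b"toy-kem" + dh_shared(r, pk)).digest()
    return ciphertext, shared


def kem_decaps(sk: int, ciphertext: int) -> bytes:
    """Only the private-key holder can recover the same secret."""
    return hashlib.sha256(b"toy-kem" + dh_shared(sk, ciphertext)).digest()


# --- Hybrid combiner ---
def hybrid_combine(ss_classical: bytes, ss_pq: bytes, transcript: bytes) -> bytes:
    """Concatenate-then-hash: the output stays unpredictable unless BOTH
    inputs are known, so breaking one component is not enough. Binding the
    handshake transcript prevents mixing keys across sessions."""
    return hashlib.sha256(ss_classical + ss_pq + transcript).digest()


def hybrid_handshake():
    """Run a hybrid handshake and return (client_key, server_key)."""
    # Classical component: both parties contribute.
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    client_classical = dh_shared(c_priv, s_pub)
    server_classical = dh_shared(s_priv, c_pub)

    # KEM component: server publishes pk, client encapsulates, server decapsulates.
    pq_sk, pq_pk = kem_keygen()
    ct, client_pq = kem_encaps(pq_pk)
    server_pq = kem_decaps(pq_sk, ct)

    transcript = b"".join(v.to_bytes(16, "big") for v in (c_pub, s_pub, pq_pk, ct))
    return (hybrid_combine(client_classical, client_pq, transcript),
            hybrid_combine(server_classical, server_pq, transcript))


if __name__ == "__main__":
    k_client, k_server = hybrid_handshake()
    print("keys agree:", k_client == k_server)
```

In `hybrid_handshake()` the two components fail in different ways: the DH secret is not known to anyone until both public values have been exchanged, while the KEM secret exists on the sender's side as soon as `kem_encaps` returns. Real deployments swap the toy KEM for ML-KEM-768 and the toy DH for X25519, and the combiner is defined by the protocol (TLS derives it inside its key schedule) rather than by application code.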

Deep dive: How Hybrid TLS Is Becoming Real →

Why Does This Matter Now?

You might think: "Quantum computers don't exist yet at scale, so why rush?" The answer is harvest now, decrypt later (HNDL), also called store now, decrypt later. Attackers are already intercepting and storing encrypted data today, waiting for quantum computers to become powerful enough to break it.

Any data that needs to stay confidential for 10+ years — medical records, financial data, trade secrets, government communications — is already at risk. That is why regulators have published phased migration timelines and sector-specific requirements; for example, the UK's NCSC uses milestones in 2028, 2031, and 2035.

Deep dive: The Harvest-Now, Decrypt-Later Threat →

Glossary

Term: Definition

PQC: Post-Quantum Cryptography — algorithms designed to withstand attacks from quantum computers.
PKC: Public-Key Cryptography — asymmetric cryptography used for key establishment and digital signatures.
KEM: Key Encapsulation Mechanism — a method for securely establishing a shared secret key.
ML-KEM: Module-Lattice-Based KEM (FIPS 203, formerly "Kyber") — NIST's primary PQC key establishment standard.
ML-DSA: Module-Lattice-Based Digital Signature Algorithm (FIPS 204, formerly "Dilithium") — NIST's primary PQC signature standard.
SLH-DSA: Stateless Hash-Based Digital Signature Algorithm (FIPS 205, formerly "SPHINCS+") — a conservative backup PQC signature standard.
TLS: Transport Layer Security — the protocol that secures HTTPS connections between browsers and websites.
RSA: Rivest–Shamir–Adleman — a widely used public-key algorithm, vulnerable to Shor's algorithm.
ECC: Elliptic Curve Cryptography — another public-key approach (e.g. X25519), also vulnerable to quantum attacks.
HNDL: Harvest Now, Decrypt Later — the strategy of recording encrypted data now to decrypt it with future quantum computers.
CRQC: Cryptographically Relevant Quantum Computer — a quantum computer powerful enough to break current public-key crypto.
Hybrid: An approach that combines classical and PQC algorithms for defence-in-depth.
NIST: National Institute of Standards and Technology (USA) — the agency that standardised PQC algorithms.
BSI: Bundesamt für Sicherheit in der Informationstechnik (Germany) — the federal agency for IT security.
QKD: Quantum Key Distribution — a physics-based approach to key exchange using quantum mechanics (distinct from PQC).
