Post-Quantum Cryptography
- Post-Quantum Cryptography is a framework of cryptographic schemes designed to resist quantum attacks through hardness assumptions like lattice, code, and hash-based problems.
- It underpins key exchange, digital signature, and encryption systems standardized by NIST, ensuring secure communications in quantum-threat environments.
- Practical implementations show sub-millisecond operations on modern hardware while addressing challenges such as side-channel resistance, protocol integration, and system agility.
Post-Quantum Cryptography (PQC) encompasses cryptographic primitives, protocols, and deployment strategies designed to resist adversaries equipped with large-scale quantum computers—specifically, those able to execute algorithms such as Shor’s and Grover’s, which threaten all widely used public-key systems based on integer factorization and discrete logarithm problems. As the scale and capabilities of quantum computing advance, established schemes such as RSA, DSA, and elliptic-curve cryptography (ECC) are rendered insecure: Shor’s algorithm provides polynomial-time attacks, while Grover’s algorithm quadratically accelerates brute-force search, forcing a reevaluation of all cryptographic systems intended for long-term confidentiality or authentication. PQC aims to provide cryptographically reliable alternatives—key exchange, digital signatures, encryption, and other primitives—grounded in mathematical problems believed hard even for quantum adversaries. The field rapidly advances through theoretical investigations, algorithm proposals, performance analyses, standardization efforts, and real-world pilot deployments across heterogeneous environments such as the Internet, embedded systems, and national infrastructure networks.
1. Mathematical Foundations and Algorithmic Families
PQC schemes derive their security from a diverse set of hardness assumptions that, unlike integer factorization or discrete logarithm, have to date resisted both classical and quantum cryptanalysis. The primary families include:
- Lattice-based: Rely on problems such as the Shortest Vector Problem (SVP), Short Integer Solution (SIS), and Learning With Errors (LWE) in high-dimensional integer lattices. Concrete instantiations include Kyber (module-LWE KEM), Dilithium (module-SIS Lattice DSA), and Falcon (NTRU-lattice DSA). The LWE decision problem, for parameters , is conjectured hard even for quantum computers and enjoys reduction from worst-case lattice problems (Chhetri et al., 12 Oct 2025, Bagirovs et al., 19 Jun 2024, Mamatha et al., 18 Mar 2024).
- Code-based: Utilize NP-hard problems such as syndrome decoding. McEliece and HQC depend on the hardness of recovering low-weight errors given a public linear code (Bagirovs et al., 19 Jun 2024, Chhetri et al., 12 Oct 2025).
- Hash-based: Build digital signatures on the hardness of finding collisions or preimages in cryptographically strong hash functions (e.g., SPHINCS+). Proofs in the quantum random oracle model show that for a -bit hash, quantum security is (Chhetri et al., 12 Oct 2025).
- Multivariate/quadratic (MQ): Built on the difficulty of solving random systems of quadratic equations over finite fields, e.g., Rainbow, UOV, although some variants are now broken (Chhetri et al., 12 Oct 2025, Bagirovs et al., 19 Jun 2024).
- Isogeny-based: Construct KEMs based on the hardness of finding isogenies between supersingular elliptic curves (e.g., SIKE, now considered broken by recent attacks) (Chhetri et al., 12 Oct 2025).
- MPC-in-the-Head: Constructs signatures via zero-knowledge proofs instantiated from symmetric primitives; e.g., Picnic, MiRitH (Chhetri et al., 12 Oct 2025).
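To make the lattice-based entry concrete, the following is an added, illustrative example (not code from the cited papers and not ML-KEM/Kyber itself): a Regev-style public-key encryption of single bits whose security rests on the LWE assumption. The parameters N, M, Q and ERR_BOUND are constructed toys chosen so that the correctness condition is visible: decryption works because the accumulated error stays below Q/4, while an attacker without the secret faces an LWE instance. Real schemes use module structure, larger dimensions and a proper error distribution; these toy values are not secure.

```python
"""Toy Regev-style LWE public-key encryption of single bits.

Added illustrative example; not Kyber/ML-KEM and not from the cited papers.
Parameters are constructed for readability, NOT for security.
"""
import secrets

# Constructed toy parameters (assumptions for illustration only).
N = 16         # secret dimension
M = 64         # number of LWE samples in the public key
Q = 3329       # modulus (Kyber's q, chosen only for familiarity)
ERR_BOUND = 2  # errors drawn uniformly from [-ERR_BOUND, ERR_BOUND]


def small_error():
    """A small, centred error term as used in LWE samples."""
    return secrets.randbelow(2 * ERR_BOUND + 1) - ERR_BOUND


def keygen():
    """Public key: (A, b = A*s + e mod Q). Secret key: s."""
    s = [secrets.randbelow(Q) for _ in range(N)]
    A = [[secrets.randbelow(Q) for _ in range(N)] for _ in range(M)]
    b = [(sum(a * si for a, si in zip(row, s)) + small_error()) % Q for row in A]
    return (A, b), s


def encrypt(pk, bit):
    """Sum a random subset of LWE samples, then add bit*Q/2 to the second part."""
    A, b = pk
    r = [secrets.randbelow(2) for _ in range(M)]  # random subset selector
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    v = (sum(r[i] * b[i] for i in range(M)) + bit * (Q // 2)) % Q
    return u, v


def decrypt(sk, ct):
    """Recover bit*Q/2 + (small error) and decide by distance to 0 vs Q/2."""
    u, v = ct
    d = (v - sum(ui * si for ui, si in zip(u, sk))) % Q
    return 1 if Q // 4 < d < 3 * Q // 4 else 0


def worst_case_error():
    """Largest possible |sum r_i e_i|; decryption is correct iff this is < Q/4."""
    return M * ERR_BOUND


def roundtrip(bits):
    """Encrypt and decrypt each bit under a fresh key; return the decrypted bits."""
    pk, sk = keygen()
    return [decrypt(sk, encrypt(pk, bit)) for bit in bits]


if __name__ == "__main__":
    print("error bound", worst_case_error(), "< Q/4 =", Q // 4)
    print("roundtrip", roundtrip([0, 1, 1, 0, 1]))
```

The correctness argument is the whole point: worst_case_error() is M*ERR_BOUND = 128, comfortably below Q/4 = 832, so every ciphertext decrypts correctly. Shrinking Q or enlarging the error distribution makes decryption failures possible, which is exactly the parameter trade-off (failure probability versus hardness) that the standardized lattice schemes settle by analysis rather than by luck.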
PQC’s fundamental design principle is algorithmic diversity, aiming to avoid a single point of cryptanalytic failure—a lesson emphasized through the history of cryptanalysis in both classical and quantum settings.
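As an added example for the hash-based family above (not code from the cited papers or from SPHINCS+), the block below implements a Lamport one-time signature over SHA-256: the signature reveals, for each message-digest bit, one of two secret preimages, and the verifier re-hashes them against the public key. It also computes how many key positions become fully exposed if one key signs two different messages, which is the reason one-time schemes must never reuse a key and why SPHINCS+ layers WOTS+ and FORS under a hypertree to obtain a many-time, stateless signature. The message bytes are constructed for the demonstration.

```python
"""Lamport one-time signatures over SHA-256 (added illustrative example,
not SPHINCS+ reference code and not from the cited papers)."""
import hashlib
import secrets

N_BITS = 256  # one key pair per digest bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def digest_bits(msg: bytes):
    """Yield the 256 bits of H(msg), most significant first."""
    value = int.from_bytes(H(msg), "big")
    for i in range(N_BITS):
        yield (value >> (N_BITS - 1 - i)) & 1


def lamport_keygen():
    """Secret key: 256 pairs of random 32-byte preimages; public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    pk = [(H(x0), H(x1)) for x0, x1 in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes):
    """Reveal, per digest bit, the preimage selected by that bit."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    """Re-hash each revealed preimage and compare with the selected public half."""
    if len(sig) != N_BITS:
        return False
    ok = True
    for i, bit in enumerate(digest_bits(msg)):
        # Accumulate instead of early-returning so timing does not depend on
        # which position mismatches (illustrative; Python is not constant time).
        ok &= H(sig[i]) == pk[i][bit]
    return ok


def positions_fully_revealed(msg1: bytes, msg2: bytes) -> int:
    """Number of key positions where signing both messages would expose BOTH
    preimages, i.e. the number of bits in which the two digests differ."""
    return sum(b1 != b2 for b1, b2 in zip(digest_bits(msg1), digest_bits(msg2)))


if __name__ == "__main__":
    # Constructed sample messages.
    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, b"firmware image v1 (constructed)")
    print("verify:", lamport_verify(pk, b"firmware image v1 (constructed)", sig))
    print("fully exposed after a second signature:",
          positions_fully_revealed(b"firmware image v1 (constructed)",
                                   b"firmware image v2 (constructed)"))
```

For two unrelated messages roughly half of the 256 positions are fully exposed after a second signature, which is enough for a forger to sign any message whose digest agrees with the revealed halves; the defensive rule "one key, one signature" is therefore structural, not advisory. Key and signature sizes here (16 kB secret, 8 kB signature) also show why practical hash-based schemes use Winternitz chains and Merkle trees to compress them.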
2. Standardization and Security Levels
The NIST PQC standardization process, initiated in 2016, selected algorithms spanning these families for standardization based on cryptanalytic resistance, performance, and implementation maturity. As of August 2024, the following are approved as FIPS (Falcon is on a separate standardization track):
| Algorithm | Family | Use Case | Security Levels |
|---|---|---|---|
| ML-KEM (Kyber) | Lattice | KEM | 1, 3, 5 |
| ML-DSA (Dilithium) | Lattice | Digital signature | 2, 3, 5 |
| SLH-DSA (SPHINCS+) | Hash-based | Digital signature | 1, 3, 5 |
| Falcon (track) | Lattice | Digital signature | 1, 5 |
Security levels are defined as:
- Level 1: ~128-bit classical, ~64-bit quantum (AES-128 benchmark)
- Level 3: ~192-bit classical, ~96-bit quantum (SHA-384 benchmark)
- Level 5: ~256-bit classical, ~128-bit quantum (AES-256 benchmark)
These choices reflect trade-offs among performance, communication costs, and quantum cryptanalytic confidence (Chhetri et al., 12 Oct 2025, Demir et al., 17 Mar 2025, Ott et al., 2019).
3. Performance, Hardware Support, and Software Ecosystem
PQC algorithms feature a broad spectrum of performance characteristics and implementation footprints. Lattice-based schemes such as Kyber and Dilithium benefit from efficient polynomial arithmetic (notably, O() via the NTT), yielding sub-millisecond encapsulation, decapsulation, signing, and verification on modern CPUs. Code-based schemes are computationally efficient but incur immense public key sizes (e.g., >250 kB for McEliece at Level 1). Hash-based signatures like SPHINCS+ are conservative but have large signatures (8–17 kB).
| Scheme | KeyGen (ms) | Encaps/Sign (ms) | Decaps/Verify (ms) | PubKey (B) | Signature/Ciphertext (B) |
|---|---|---|---|---|---|
| ML-KEM (Kyber512) | 0.01–0.5 | 0.01–0.5 | 0.01–0.5 | ~800 | 768 |
| ML-DSA (Dilithium2) | 0.02–0.5 | 0.1–3 | 0.05–2.9 | ~1300 | 2420 |
| SPHINCS+ | 0.6–30 | 15–311 | 0.9–2.1 | 32 | 17,088 |
| McEliece | 21.7–833.5 | 0.02–0.21 | 12.7–268 | 261,120 | 96 |
Hardware acceleration (AVX2/AVX512 and ARM NEON for NTT and hash routines) yields 3×–6× speedups. FPGA/ASIC implementations are emerging, especially for signature routines and polynomial arithmetic (Demir et al., 17 Mar 2025, Ricchizzi et al., 7 May 2025, Chhetri et al., 12 Oct 2025, Commey et al., 4 May 2025).
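The polynomial arithmetic that the performance figures above depend on is the negacyclic number-theoretic transform: multiplication in Z_q[X]/(X^n + 1) in O(n log n) instead of O(n^2). The block below is an added, illustrative implementation (not Kyber/ML-KEM reference code) using constructed toy parameters n = 8, q = 17 and psi = 3, where 3^8 = -1 mod 17 makes psi a primitive 2n-th root of unity, the same structural property Kyber needs with n = 256, q = 3329. It checks the fast product against a schoolbook negacyclic multiplication.

```python
"""Negacyclic NTT over Z_q[X]/(X^n + 1): forward (Cooley-Tukey), inverse
(Gentleman-Sande) and a schoolbook reference for cross-checking.
Added illustrative example; toy parameters, not ML-KEM's."""

N = 8          # polynomial degree bound (toy; Kyber uses 256)
Q = 17         # prime modulus with 2N | Q-1 (toy; Kyber uses 3329)
PSI = 3        # primitive 2N-th root of unity mod Q: 3^8 = -1 mod 17
LOG_N = N.bit_length() - 1


def bitrev(i, bits):
    """Reverse the low `bits` bits of i (standard in-place NTT ordering)."""
    return int(format(i, f"0{bits}b")[::-1], 2)


# Twiddle tables in bit-reversed order, as in-place NTTs expect.
PSI_REV = [pow(PSI, bitrev(i, LOG_N), Q) for i in range(N)]
PSI_INV_REV = [pow(PSI, -bitrev(i, LOG_N), Q) for i in range(N)]


def ntt(poly):
    """Forward negacyclic NTT; output is in bit-reversed order."""
    a = list(poly)
    t, m = N, 1
    while m < N:
        t //= 2
        for i in range(m):
            s = PSI_REV[m + i]
            for j in range(2 * i * t, 2 * i * t + t):
                u, v = a[j], a[j + t] * s % Q
                a[j], a[j + t] = (u + v) % Q, (u - v) % Q
        m *= 2
    return a


def intt(values):
    """Inverse NTT taking bit-reversed input; returns coefficients in natural order."""
    a = list(values)
    t, m = 1, N
    while m > 1:
        h = m // 2
        j1 = 0
        for i in range(h):
            s = PSI_INV_REV[h + i]
            for j in range(j1, j1 + t):
                u, v = a[j], a[j + t]
                a[j], a[j + t] = (u + v) % Q, (u - v) * s % Q
            j1 += 2 * t
        t *= 2
        m = h
    n_inv = pow(N, -1, Q)
    return [x * n_inv % Q for x in a]


def ntt_mul(a, b):
    """a * b mod (X^N + 1, Q) via transform, pointwise product, inverse transform."""
    return intt([x * y % Q for x, y in zip(ntt(a), ntt(b))])


def schoolbook_negacyclic(a, b):
    """O(N^2) reference: X^N wraps around as -1."""
    c = [0] * N
    for i in range(N):
        for j in range(N):
            if i + j < N:
                c[i + j] += a[i] * b[j]
            else:
                c[i + j - N] -= a[i] * b[j]
    return [x % Q for x in c]


if __name__ == "__main__":
    a = [1, 2, 3, 4, 5, 6, 7, 8]   # constructed sample polynomials
    b = [8, 7, 6, 5, 4, 3, 2, 1]
    print("ntt       :", ntt_mul(a, b))
    print("schoolbook:", schoolbook_negacyclic(a, b))
```

The SIMD speedups cited above come from running the inner butterfly loop on vector lanes and from lazy reduction strategies; the structure of the algorithm is unchanged. Note that Kyber's q = 3329 admits only 256-th roots of unity, so its NTT stops one level early and multiplies pairs of degree-1 polynomials pointwise; this toy chooses q so that a full transform exists.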
The software ecosystem is maturing, with stable support for NIST PQC algorithms arriving in Bouncy Castle, wolfSSL, Botan, and (roadmapped) OpenSSL 3.5, while others (e.g., libsodium, MbedTLS) maintain experimental PQC branches. Persistent gaps include standardization of composite/hybrid certificate OIDs, API stability, and standardized interop test vectors (Ahmed et al., 22 Aug 2025, Ricchizzi et al., 7 May 2025).
4. Protocol Integration and Applications
PQC deployment spans TLS, SSH, X.509 PKI, IoT/embedded environments, blockchains, and heterogeneous infrastructure. Key drivers and methodologies include:
- Hybrid and composite certificates: Adoption in X.509 (Catalyst-style hybrid, composite, and chameleon certificates) enables parallel deployment of both classical and PQC keys/signatures, allowing gradual migration while maintaining backward compatibility. Hybrid signatures are concatenated, composite signatures require both components to validate, and chameleon certificates allow dynamic transformation between classical and PQC-only (Ricchizzi et al., 7 May 2025).
- TLS/SSH handshakes: Hybrid KEM combinations such as sntrup761x25519 in OpenSSH (only 0.029% of monitored handshakes) and Kyber in Chrome (experimental in TLS 1.3) are deployed in supercomputing/enterprise environments, with broad support still lagging (Sowa et al., 31 Jul 2024).
- IoT/Automotive/Embedded: Direct evaluations on CAN bus (PQ-CAN), CE devices, and 5G user equipment inform parameter selections, highlighting the feasibility of lightweight PQC (e.g., Kyber512, Falcon-512) in constrained environments with millisecond-level latency (Conti et al., 14 Apr 2025, Commey et al., 4 May 2025, Hoque et al., 22 Jul 2025).
- Blockchains and long-lived trust anchors: PQC-based wallet and transaction signatures, as demonstrated with Dilithium in cryptocurrency exchanges, outperform ECDSA while providing quantum resilience, at the cost of increased on-chain footprint (Chen, 23 Jan 2024).
- Homomorphic and privacy-preserving schemes: Code-based partially homomorphic encryption (additive XOR) over McEliece variants achieves post-quantum confidentiality with throughput exceeding RSA/ECC on standard CPUs (Chen, 22 Feb 2024).
5. Implementation Security, Migration, and Agility
Migration to PQC is not solely a technical substitution but involves significant infrastructure, side-channel, and agility challenges:
- Side-channel threats: Practical implementations must address leakage via timing (e.g., KyberSlash vulnerability), power analysis (single-trace attacks on unmasked Gaussian samplers), and code-level bugs (pointer misuse). Constant-time code, masking of secrets, and microarchitectural fencing are best practices (Chhetri et al., 12 Oct 2025, Ahmed et al., 22 Aug 2025).
- Post-quantum migration: Recommended migration pathways begin with hybrid certificate and handshake deployment, inventorying all cryptosystems, and coordinated protocol upgrades. For example, PQCLI demonstrates end-to-end X.509 PQC automation, outperforming existing OpenSSL toolchains in support for hybrid and composite certs. OpenSSH, Chrome, and BoringSSL enable experimental hybrid PQC, but broad Internet-wide usage is nascent (Ricchizzi et al., 7 May 2025, Sowa et al., 31 Jul 2024).
- Cryptographic agility: A system is agile if it can introduce, negotiate, upgrade, and retire cryptographic algorithms with minimal disruption, ensuring security, performance, and compliance. Agility must be designed at the API, protocol, and operational level, supporting hybrid deployments and negotiated transitions—e.g., in TLS cipher suite selection and dual-signature certificates. The formal agility property is modeled as a transition system over algorithm/parameter space, where all deprecated algorithms must eventually be retired securely (Ott et al., 2019).
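The KyberSlash timing leak named above arose from a division by q on secret-dependent data in the compression step; the mitigation replaces the division with a multiply-by-reciprocal and shift whose instruction timing does not depend on the operand. The block below is an added example (not pq-crystals or ML-KEM reference code) that derives such a reciprocal from the Granlund-Montgomery exactness bound rather than quoting the reference implementation's constants, and then verifies exhaustively that the division-free form agrees with the specified rounding for every coefficient in [0, q). That exhaustive equivalence check is the step a practitioner wants before shipping a constant-time patch. Python integers are not constant time themselves; the example demonstrates the arithmetic transformation and its verification, not a timing guarantee.

```python
"""Division-free Kyber-style compression, with exhaustive equivalence check.
Added illustrative example; constants are derived here, not taken from
the pq-crystals reference code."""

Q = 3329  # Kyber/ML-KEM modulus


def compress_div(x, d):
    """Specified compression: round(2^d * x / q) mod 2^d, written with a
    division on secret data (the variable-time pattern behind KyberSlash)."""
    return (((x << d) + Q // 2) // Q) & ((1 << d) - 1)


def reciprocal_params(d):
    """Choose (m, k) so that (t * m) >> k == t // Q for every t that
    compress_d can produce. Granlund-Montgomery: with t < 2^n_bits,
    ell = ceil(log2 Q), k = n_bits + ell and m = ceil(2^k / Q), the
    multiply-shift quotient is exact whenever m*Q - 2^k <= 2^ell."""
    t_max = ((Q - 1) << d) + Q // 2          # largest dividend for this d
    n_bits = t_max.bit_length()
    ell = (Q - 1).bit_length()               # ceil(log2 Q) for non-power-of-two Q
    k = n_bits + ell
    m = -(-(1 << k) // Q)                    # ceil(2^k / Q)
    assert 0 <= m * Q - (1 << k) <= (1 << ell)
    return m, k


def compress_mul(x, d, m, k):
    """Same result as compress_div, but with a multiply and a shift instead of
    a division; on real hardware this is the operand-independent form."""
    return ((((x << d) + Q // 2) * m) >> k) & ((1 << d) - 1)


def verify_exact(d):
    """Exhaustive check over the full coefficient range [0, Q)."""
    m, k = reciprocal_params(d)
    return all(compress_div(x, d) == compress_mul(x, d, m, k) for x in range(Q))


def all_kyber_widths_exact():
    """Kyber uses d in {1, 4, 5, 10, 11} across its parameter sets."""
    return {d: verify_exact(d) for d in (1, 4, 5, 10, 11)}


if __name__ == "__main__":
    for d in (1, 4, 5, 10, 11):
        m, k = reciprocal_params(d)
        print(f"d={d:2d}  m={m}  k={k}  exact={verify_exact(d)}")
```

Two things carry over to production code: the check must cover the full input domain (a bound that works for 12-bit inputs can fail once coefficients are widened), and the same division-by-q pattern appears in message decoding (d = 1), so every compression width the scheme uses needs its own verified constant.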
6. Quantum Hardware Assumptions and Resilience
State-of-the-art PQC schemes explicitly defend against quantum adversaries as characterized by current and projected quantum hardware:
- Quantum attacks: Shor’s algorithm enables polynomial-time factorization and discrete logarithms; Grover’s halves the security of symmetric-key search; Brassard–Høyer–Tapp algorithm addresses collision search. None are known to break LWE, syndrome decoding, or code-based/MQ cryptosystems in sub-exponential time (Chhetri et al., 12 Oct 2025, Mamatha et al., 18 Mar 2024, Bagirovs et al., 19 Jun 2024).
- QRNG-based PQC: High-security deployments may replace PRNGs with quantum random number generators (QRNGs) for keys and nonces, subject to NIST SP 800-90B validation. QRNG-augmented PQC permutations exhibit ideal entropy profiles and unmodified security proofs, albeit with higher bit-generation latency in software; hardware interfaces are recommended for production (Chen, 24 Jul 2025).
- Complementarity of QKD and PQC: Quantum key distribution (QKD) is being piloted in some central-bank and backbone settings but lacks mesh-scale and flexibility. Hybrid QKD+PQC architectures are discussed for augmenting symmetric key distribution with PQC-based authentication (Chhetri et al., 12 Oct 2025).
7. Open Problems and Future Directions
Despite the transition to standardization and pilot deployments, critical open research emphases remain:
- Parameter/query agility: Enabling seamless updates to security-critical parameters without fragmentation or incompatibility, especially as cryptanalysis evolves.
- Leakage/fault resilience: Systematic development of lightweight masking, fault-injection resistance, and side-channel proofs for PQC in both hardware and software.
- Domain-specific playbooks: Detailed migration, integration, and risk-assessment scenarios for critical domains: automotive, SCADA, IoT, cloud, blockchain.
- Mechanized benchmarking/telemetry: Internet-wide measurement of handshake success/failure, PQC support, attack surface, and over-the-air implementation security.
- Expanding cryptanalytic scope: Ongoing cryptanalysis of multivariate, code- and isogeny-based schemes; exploration of new primitives for digital signatures, group key agreement, and privacy-preserving computation.
In aggregate, the PQC ecosystem is characterized by rigorous mathematical foundations, active NIST-guided standardization, a rapidly maturing software/hardware landscape, and growing adoption in pilot and production settings—tempered by the need for continued research on implementation security, cryptographic agility, and future-proofing against ongoing quantum advances (Chhetri et al., 12 Oct 2025, Ricchizzi et al., 7 May 2025, Ott et al., 2019, Sowa et al., 31 Jul 2024).