Post-Quantum Cryptography Fundamentals
Understand why RSA and ECC cryptography is vulnerable to quantum computing, how Shor's algorithm breaks current encryption, and what post-quantum algorithms replace them.
Key Takeaways
- Shor's algorithm factors RSA-2048 moduli and solves 256-bit elliptic-curve discrete logarithms in polynomial time on a sufficiently large, error-corrected quantum computer
- NIST finalized three post-quantum standards in 2024: ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205)
- Lattice-based problems form the mathematical foundation of ML-KEM and ML-DSA
- The harvest-now-decrypt-later threat makes PQC migration urgent today, not when quantum computers arrive
- Crypto-agility allows organizations to swap algorithms without rebuilding infrastructure
- QCecuring's CLM platform provides the certificate inventory and automated renewal needed for PQC transitions
Why Current Cryptography Is at Risk
RSA and elliptic curve cryptography (ECC) protect nearly every encrypted connection on the internet. TLS handshakes, digital signatures, VPN tunnels, and code signing all depend on the mathematical difficulty of factoring large integers or computing discrete logarithms on elliptic curves.
Classical computers cannot solve these problems in practical time. A 2048-bit RSA key would take a classical supercomputer billions of years to factor. A 256-bit elliptic curve such as P-256 offers comparable (roughly 128-bit) security with far shorter keys.
Quantum computers change this equation entirely.
How Shor’s Algorithm Breaks RSA and ECC
In 1994, mathematician Peter Shor published a quantum algorithm that factors large integers and computes discrete logarithms in polynomial time. On a sufficiently powerful quantum computer, Shor's algorithm reduces the time to break RSA-2048 from billions of years to hours or days.
The same algorithm applies to ECC. Elliptic curve discrete logarithm problems fall to a modified version of Shor’s algorithm with similar efficiency gains.
This means every cryptographic system built on integer factorization or discrete logarithms — RSA, DSA, ECDSA, ECDH, DH — becomes insecure once a cryptographically relevant quantum computer (CRQC) exists.
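The quantum part of Shor's algorithm finds the order r of a random base a modulo N; everything after that is classical number theory. The script below, an added example rather than anything from this page or from NIST, replaces the quantum order-finding step with a brute-force loop (which only works because the modulus is tiny) and then runs the genuine classical post-processing: split N via gcd(a^(r/2) ± 1, N), compute φ(N), and recover the RSA private exponent d. The toy key n = 61 × 53, e = 17 and the seeds are constructed values.

```python
"""Classical half of Shor's algorithm: order finding -> factoring -> RSA key recovery.

Added example, not from the page. The quantum subroutine (period finding) is
replaced here by brute-force order finding, which is exponential and only
feasible for toy moduli; everything after it is the classical post-processing
that Shor's algorithm actually uses.
"""
from math import gcd
import random


def find_order(a: int, n: int) -> int:
    """Smallest r > 0 with a^r = 1 (mod n).

    A quantum computer does this step in polynomial time with the quantum
    Fourier transform; this brute-force loop stands in for it only because
    n is tiny.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, seed: int = 0) -> tuple:
    """Return a non-trivial factorisation (p, q) of an odd composite n."""
    rng = random.Random(seed)  # deterministic for the example
    while True:
        a = rng.randrange(2, n - 1)
        g = gcd(a, n)
        if g != 1:
            return (g, n // g)          # lucky: a already shares a factor with n
        r = find_order(a, n)
        if r % 2:                       # odd order: try another base
            continue
        y = pow(a, r // 2, n)
        if y == n - 1:                  # a^(r/2) = -1: only a trivial square root of 1
            continue
        # y^2 = 1 (mod n) with y != +-1, so (y-1)(y+1) = 0 (mod n) splits n.
        p = gcd(y - 1, n)
        if 1 < p < n:
            return (p, n // p)
        q = gcd(y + 1, n)
        if 1 < q < n:
            return (q, n // q)


def recover_private_exponent(n: int, e: int, seed: int = 0) -> int:
    """Given an RSA public key (n, e), factor n with Shor and compute d."""
    p, q = shor_factor(n, seed)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)             # modular inverse (Python 3.8+)


if __name__ == "__main__":
    # Constructed toy RSA key: n = 61 * 53, e = 17.
    n, e = 61 * 53, 17
    d = recover_private_exponent(n, e, seed=1)
    m = 65
    c = pow(m, e, n)
    print(f"recovered d={d}; decrypt({c}) = {pow(c, d, n)}")  # -> d=2753, 65
```

The same reduction applies to ECC: Shor's order-finding step solves the discrete logarithm directly, so there is no gcd trick needed and the curve's private scalar falls out of the period. Note that the brute-force `find_order` grows with the order, which for a real 2048-bit modulus is astronomically large; that exponential gap is exactly what the quantum subroutine removes.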
Symmetric algorithms like AES face a lesser threat. Grover’s algorithm provides a quadratic speedup for brute-force search, effectively halving the key strength. AES-256 drops to 128-bit equivalent security — still strong enough for most applications.
The Quantum Threat Timeline
No one knows exactly when a CRQC will arrive. Today's largest quantum computers have on the order of a thousand noisy physical qubits and no fault tolerance at scale. Breaking RSA-2048 requires a few thousand error-corrected logical qubits, which at current error rates translates into hundreds of thousands to millions of physical qubits.
Estimates from NIST, the NSA, and academic researchers converge on a window between 2030 and 2040. Some optimistic projections place it earlier. Pessimistic estimates extend to 2050 or beyond.
The uncertainty itself is the problem. Organizations cannot wait for a confirmed date because the harvest-now-decrypt-later (HNDL) threat operates on a different timeline. Adversaries capture encrypted traffic today and store it. Once quantum computers mature, they decrypt the stored data. Any information with a secrecy lifetime beyond the CRQC arrival date is already at risk.
What Post-Quantum Algorithms Look Like
Post-quantum cryptography replaces the mathematical problems that quantum computers solve efficiently with problems they cannot. The three main families are:
Lattice-based cryptography relies on the hardness of finding short vectors in high-dimensional lattices. The Learning With Errors (LWE) problem and its structured variants form the basis of ML-KEM and ML-DSA. No known quantum algorithm solves these problems efficiently.
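To make the LWE structure concrete, here is a toy Regev-style public-key scheme, added as an example and not code from this page, NIST, or any ML-KEM implementation. The public key is (A, b = A·s + e mod q); the small error vector e is what stops an attacker from simply solving for s by Gaussian elimination. The parameters q = 257, n = 10, m = 30 and the ternary noise are assumed toy values chosen so that decryption is always correct; ML-KEM uses the same b = A·s + e shape over a polynomial ring with degree-256 polynomials and q = 3329, and encapsulates a symmetric key instead of encrypting message bits one at a time.

```python
"""Toy Regev-style LWE public-key encryption (added example, not the page's code).

Parameters are far too small for security; they are chosen so the arithmetic
is visible and so that |<r, e>| <= M < q/4 guarantees correct decryption.
"""
import random

Q = 257   # modulus (assumed toy value)
N = 10    # secret dimension (assumed toy value)
M = 30    # number of LWE samples in the public key (assumed toy value)


def keygen(seed: int):
    """Return public key (A, b) and secret s, with b = A*s + e mod q."""
    rng = random.Random(seed)  # deterministic for the example; use os.urandom in practice
    s = [rng.randrange(Q) for _ in range(N)]                      # secret vector
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]  # public matrix
    e = [rng.choice((-1, 0, 1)) for _ in range(M)]                # small noise
    # Without e, b = A*s is a linear system and s falls to Gaussian elimination.
    b = [(sum(A[i][j] * s[j] for j in range(N)) + e[i]) % Q for i in range(M)]
    return (A, b), s


def encrypt_bit(pk, bit: int, seed: int):
    """Ciphertext (u, v) = (r*A, r*b + bit*q/2) for a random 0/1 vector r."""
    A, b = pk
    rng = random.Random(seed)
    r = [rng.randrange(2) for _ in range(M)]           # random subset of samples
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    v = (sum(r[i] * b[i] for i in range(M)) + bit * (Q // 2)) % Q
    return u, v


def decrypt_bit(s, ct) -> int:
    """v - <u, s> = <r, e> + bit*q/2 (mod q); the noise term is small, so round."""
    u, v = ct
    d = (v - sum(u[j] * s[j] for j in range(N))) % Q
    return 1 if Q // 4 < d < 3 * Q // 4 else 0


def encrypt_bytes(pk, data: bytes, seed: int):
    """Encrypt each bit separately (toy; real schemes encapsulate a symmetric key)."""
    bits = [(byte >> k) & 1 for byte in data for k in range(7, -1, -1)]
    return [encrypt_bit(pk, bit, seed + i) for i, bit in enumerate(bits)]


def decrypt_bytes(s, cts) -> bytes:
    bits = [decrypt_bit(s, ct) for ct in cts]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


if __name__ == "__main__":
    pk, s = keygen(1)
    cts = encrypt_bytes(pk, b"hi", seed=5)   # constructed sample plaintext
    print(decrypt_bytes(s, cts))             # -> b'hi'
```

The decryption bound is the whole design: each ciphertext carries noise of magnitude at most M = 30, and q/4 ≈ 64, so rounding always recovers the bit. Shrink q or grow M past that bound and decryption starts failing; real schemes tune the noise distribution so the failure probability is negligible (around 2^-138 for ML-KEM-768).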
Hash-based signatures use only the security of cryptographic hash functions. SLH-DSA (FIPS 205) builds signature schemes from hash trees. Hash functions resist quantum attacks because Grover’s algorithm provides only a quadratic speedup, not an exponential one.
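The following added example, which is not code from this page or from the SLH-DSA specification, builds the two ingredients of a hash-based signature from scratch: a Lamport one-time signature (one SHA-256 preimage revealed per message bit) and a Merkle tree that commits to several one-time public keys under a single root, with an authentication path per signature. It also shows why the "one-time" property matters by counting how many secret preimages two signatures under the same Lamport key expose. Seeds and tree height are assumed toy values; SLH-DSA uses the same pattern with WOTS+ one-time keys and a hypertree, which is why its signatures are large.

```python
"""Lamport one-time signatures plus a Merkle tree of one-time keys.

Added example, not from the page or NIST. Security rests only on SHA-256
preimage/collision resistance, which is the point of hash-based signatures.
"""
import hashlib
import random


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def _bits(digest: bytes):
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_keygen(seed: int):
    rng = random.Random(seed)  # deterministic for the example; use os.urandom in practice
    sk = [[rng.getrandbits(256).to_bytes(32, "big") for _ in range(2)] for _ in range(256)]
    pk = [[H(x) for x in pair] for pair in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes):
    # Reveal, for each bit of H(msg), the secret preimage for that bit value.
    return [sk[i][b] for i, b in enumerate(_bits(H(msg)))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(H(msg))))


def pk_leaf(pk) -> bytes:
    """Compress a 16 KiB Lamport public key into one tree leaf."""
    return H(*(h for pair in pk for h in pair))


def merkle_root(leaves) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def merkle_path(leaves, index):
    """Sibling hashes from leaf `index` up to the root."""
    path, level, i = [], list(leaves), index
    while len(level) > 1:
        path.append(level[i ^ 1])
        level = [H(level[j], level[j + 1]) for j in range(0, len(level), 2)]
        i //= 2
    return path


def merkle_verify(root: bytes, leaf: bytes, index: int, path) -> bool:
    node, i = leaf, index
    for sibling in path:
        node = H(node, sibling) if i % 2 == 0 else H(sibling, node)
        i //= 2
    return node == root


class FewTimeSigner:
    """2**height one-time keys under one Merkle root; each leaf signs at most once."""

    def __init__(self, seed: int, height: int = 2):
        self.keys = [lamport_keygen(seed * 1000 + i) for i in range(2 ** height)]
        self.leaves = [pk_leaf(pk) for _, pk in self.keys]
        self.root = merkle_root(self.leaves)       # the only thing verifiers need
        self.next_leaf = 0                         # signer state: must persist across restarts

    def sign(self, msg: bytes):
        if self.next_leaf >= len(self.keys):
            raise RuntimeError("all one-time keys used")
        idx = self.next_leaf
        self.next_leaf += 1                        # reusing idx would leak the key
        sk, pk = self.keys[idx]
        return idx, pk, lamport_sign(sk, msg), merkle_path(self.leaves, idx)

    @staticmethod
    def verify(root: bytes, msg: bytes, sig) -> bool:
        idx, pk, ots, path = sig
        return lamport_verify(pk, msg, ots) and merkle_verify(root, pk_leaf(pk), idx, path)


def revealed_preimages(sig_a, sig_b) -> int:
    """How many of a Lamport key's 512 secrets two signatures together expose."""
    return len(set(sig_a) | set(sig_b))
```

A stateful scheme like this (the XMSS/LMS family) must never reuse a leaf, which is why SLH-DSA is designed to be stateless at the cost of much larger signatures. The `revealed_preimages` check makes the hazard tangible: one signature exposes exactly 256 of the 512 secrets, and a second signature on a different message exposes more, letting an attacker forge any message whose hash bits are all covered.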
Code-based cryptography uses error-correcting codes. The McEliece cryptosystem, proposed in 1978, remains unbroken. NIST selected a code-based scheme (HQC) as an additional standard in 2025.
NIST Standardization Timeline
NIST began its post-quantum standardization process in 2016 with a public call for proposals. The process moved through multiple evaluation rounds:
- 2016–2017: NIST issues its call for PQC proposals in December 2016; 69 complete submissions are accepted by the November 2017 deadline.
- 2017–2019: Round 1 evaluation narrows the field to 26 candidates.
- 2019–2020: Round 2 evaluation selects 7 finalists and 8 alternates.
- 2020–2022: Round 3 evaluation selects 4 algorithms for standardization: CRYSTALS-Kyber, CRYSTALS-Dilithium, Falcon, and SPHINCS+.
- 2024: NIST publishes three final standards, ML-KEM (FIPS 203, from Kyber), ML-DSA (FIPS 204, from Dilithium), and SLH-DSA (FIPS 205, from SPHINCS+). The fourth selection, FN-DSA (from Falcon), is still in draft as FIPS 206.
- 2025: NIST selects HQC as an additional key encapsulation standard for algorithm diversity.
ML-KEM replaces RSA key transport and ECDH key agreement. ML-DSA replaces RSA and ECDSA digital signatures. SLH-DSA provides a hash-based signature alternative that does not depend on lattice assumptions.
Key Sizes and Performance Trade-offs
Post-quantum algorithms use larger keys and signatures than their classical counterparts. An ML-KEM-768 public (encapsulation) key is 1,184 bytes and its ciphertext 1,088 bytes, compared to 65 bytes for an uncompressed ECDH P-256 public key. An ML-DSA-65 public key is 1,952 bytes and a signature 3,309 bytes, compared to 64 bytes (raw) for an ECDSA P-256 signature.
These size increases affect TLS handshake latency, certificate chain sizes, and bandwidth consumption. Organizations need to evaluate their infrastructure for compatibility before deploying PQC algorithms at scale.
Performance varies by algorithm and security level. ML-KEM key generation, encapsulation, and decapsulation are fast, often faster than ECDH on modern hardware. ML-DSA signing is generally faster than RSA-2048 signing and its verification is competitive with ECDSA. SLH-DSA is markedly slower, especially for signing, but rests on the most conservative security assumption (hash-function security alone).
What Organizations Should Do Now
PQC migration is not a single event. It is a multi-year program that starts with visibility into your current cryptographic posture.
Inventory your certificates and keys. You cannot migrate what you have not cataloged. QCecuring’s CLM platform discovers certificates across your entire infrastructure — cloud, on-premises, and hybrid environments.
Classify data by secrecy lifetime. Data that must remain confidential for 10+ years is already at risk from HNDL attacks. Prioritize these systems for early PQC adoption.
Adopt crypto-agile architectures. Design systems that can swap cryptographic algorithms without rewriting application code. Abstract cryptographic operations behind configuration-driven interfaces.
Test PQC algorithms in non-production environments. Evaluate key size impacts on your TLS infrastructure, certificate chains, and network bandwidth. Identify compatibility gaps early.
Monitor NIST and industry guidance. Standards continue to evolve. NIST’s selection of HQC in 2025 shows the process is ongoing. Stay current with compliance timelines from regulators in your industry.
QCecuring’s SSH KLM extends this readiness to SSH key infrastructure, providing the rotation and governance capabilities needed when SSH transitions to post-quantum key exchange algorithms.
Frequently Asked Questions
Common questions about post-quantum cryptography fundamentals
What is post-quantum cryptography?
Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to resist attacks from both classical and quantum computers. These algorithms rely on mathematical problems that quantum computers cannot solve efficiently, such as lattice problems and hash-based constructions.
When will quantum computers break RSA and ECC?
Most researchers estimate cryptographically relevant quantum computers could emerge between 2030 and 2040. The exact timeline is uncertain, but nation-state adversaries are already capturing encrypted data for future decryption through harvest-now-decrypt-later attacks.
Which algorithms does NIST recommend for post-quantum cryptography?
NIST standardized ML-KEM (FIPS 203) for key encapsulation, ML-DSA (FIPS 204) for digital signatures, and SLH-DSA (FIPS 205) as a hash-based signature alternative. ML-KEM and ML-DSA are lattice-based. SLH-DSA uses hash functions for algorithm diversity.
Do I need to start migrating to PQC now?
Yes. Organizations handling long-lived secrets, financial data, health records, or government communications should begin PQC migration planning now. The harvest-now-decrypt-later threat means data encrypted today with RSA or ECC can be stored and decrypted once quantum computers mature.
How does QCecuring help with PQC readiness?
QCecuring's CLM platform discovers and inventories all certificates across your infrastructure. This visibility is the first step in PQC migration — you cannot transition algorithms you have not cataloged. Automated renewal then streamlines reissuance with post-quantum algorithms.
Ready to Secure Your Enterprise?
Experience how our cryptographic solutions simplify, centralize, and automate identity management for your entire organization.