CSE · Seminar 02 · Encryption that survives quantum computers

Post-Quantum Cryptography

Post-quantum cryptography (PQC) replaces RSA and elliptic-curve schemes with lattice-, hash- and code-based algorithms that resist attack by large-scale quantum computers running Shor's algorithm.


A cryptographically-relevant quantum computer would break the public-key cryptography that secures the internet: Shor's algorithm factors integers and solves discrete logarithms in polynomial time, defeating RSA, Diffie–Hellman and ECC. Post-quantum cryptography is the family of classical algorithms whose security rests on problems believed hard for both classical and quantum machines.

Working principle

The NIST-standardised front-runners are lattice-based. Their hardness comes from the Module Learning-With-Errors (MLWE) problem: recovering a secret vector s from many noisy linear equations b = A·s + e modulo q. Without the error term e this is ordinary linear algebra and Gaussian elimination recovers s; adding small random errors makes the system intractable (the best known classical and quantum attacks are lattice-reduction algorithms with exponential cost), yet the party holding s can still decrypt or sign efficiently, because the noise stays small enough to round away. FIPS 203 (ML-KEM, formerly CRYSTALS-Kyber) is a key-encapsulation mechanism built on MLWE; FIPS 204 (ML-DSA, formerly CRYSTALS-Dilithium) is a digital-signature scheme whose unforgeability additionally rests on the Module Short-Integer-Solution (MSIS) problem.

[Figure 1: ML-KEM key encapsulation built on Module-LWE. Steps: (1) public parameters (a, b = a·s + e); (2) encapsulate with fresh errors; (3) ciphertext and shared secret; (4) decapsulate using secret s; (5) recover shared key]
Figure 1. Simplified ML-KEM flow. Security relies on the difficulty of recovering the secret s and error e from the noisy public sample b = a·s + e.
Table 1. NIST PQC standards (2024) and properties

Standard            Algorithm             Family            Use
FIPS 203            ML-KEM (Kyber)        Module-lattice    Key establishment
FIPS 204            ML-DSA (Dilithium)    Module-lattice    Signatures
FIPS 205            SLH-DSA (SPHINCS+)    Hash-based        Stateless signatures
Draft (FIPS 206)    FN-DSA (Falcon)       Lattice (NTRU)    Compact signatures
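The principle behind Figure 1, worked through in code. This is an added example written for this page, not code from NIST, from the seminar, or from any ML-KEM implementation. It assumes plain LWE over Z_q with small integer matrices (the same b = A·s + e structure as the figure) in place of ML-KEM's polynomial modules, toy dimensions, no Fujisaki-Okamoto wrapper for IND-CCA security and no constant-time arithmetic; the names keygen, encaps, decaps, solve_linear and demo are this example's own. It shows the noise budget that makes decapsulation correct, and that the same public key with the error term removed is a plain linear system that elimination solves for the secret.

```python
"""Toy LWE KEM illustrating the Module-LWE core of ML-KEM (Figure 1).
Added example for this page, not NIST's, the seminar's or any ML-KEM code.
Assumptions: plain LWE over Z_q with integer matrices instead of polynomial
modules, toy sizes, no Fujisaki-Okamoto (IND-CCA) wrapper, nothing
constant-time. Insecure; for reading only.
"""
import hashlib
import random

Q = 3329  # prime modulus (ML-KEM's q; any prime works for this toy)
N = 64    # LWE dimension (toy; ML-KEM-768 uses 3 x 256 polynomial coefficients)
ETA = 2   # secrets and errors are uniform in [-ETA, ETA] (toy distribution)
M = 32    # message bits per ciphertext, i.e. the encapsulated key material

def small(rng, rows, cols):
    return [[rng.randint(-ETA, ETA) for _ in range(cols)] for _ in range(rows)]

def uniform(rng, rows, cols):
    return [[rng.randrange(Q) for _ in range(cols)] for _ in range(rows)]

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % Q for col in zip(*B)] for row in A]

def add(A, B):
    return [[(a + b) % Q for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]

def transpose(A):
    return [list(col) for col in zip(*A)]

def mod_q(A):
    return [[x % Q for x in row] for row in A]

def keygen(rng, noisy=True):
    """Public key (A, B = A*S + E), secret key S. noisy=False drops the error
    term E, which is exactly what makes B safe to publish."""
    A, S = uniform(rng, N, N), small(rng, N, M)
    E = small(rng, N, M) if noisy else [[0] * M for _ in range(N)]
    return (A, add(matmul(A, S), E)), S

def encaps(pk, rng):
    """Encrypt random bits under fresh noise r, e1, e2; hash them into the key."""
    A, B = pk
    bits = [rng.randrange(2) for _ in range(M)]
    R, E1, E2 = small(rng, N, 1), small(rng, N, 1), small(rng, M, 1)
    U = add(matmul(transpose(A), R), E1)                      # u = A^T r + e1
    V = add(add(matmul(transpose(B), R), E2),                 # v = B^T r + e2
            [[b * (Q // 2)] for b in bits])                   #     + round(q/2)*m
    return (U, V), derive_key(bits)

def decaps(sk, ct):
    """v - S^T u = E^T r + e2 - S^T e1 + round(q/2)*m: small noise plus the
    message, so rounding each coordinate to 0 or q/2 recovers the bits."""
    U, V = ct
    W = matmul(transpose(sk), U)
    bits = [1 if Q // 4 < (v - w) % Q < 3 * Q // 4 else 0 for (v,), (w,) in zip(V, W)]
    return derive_key(bits)

def derive_key(bits):
    return hashlib.sha256(bytes(bits)).digest()

def noise_bound():
    """Worst-case |E^T r + e2 - S^T e1| and the q/4 margin it must stay under."""
    return 2 * N * ETA * ETA + ETA, Q // 4

def solve_linear(A, B):
    """Gaussian elimination mod Q, i.e. the attack on an error-free key. With E
    present it returns S + A^-1 E mod Q, which is not the small secret S."""
    n = len(A)
    rows = [ra[:] + rb[:] for ra, rb in zip(A, B)]
    for c in range(n):
        p = next((r for r in range(c, n) if rows[r][c]), None)
        if p is None:
            raise ValueError("A is singular mod Q; regenerate the key")
        rows[c], rows[p] = rows[p], rows[c]
        inv = pow(rows[c][c], -1, Q)
        rows[c] = [x * inv % Q for x in rows[c]]
        for r in range(n):
            if r != c and rows[r][c]:
                f = rows[r][c]
                rows[r] = [(x - f * y) % Q for x, y in zip(rows[r], rows[c])]
    return [row[n:] for row in rows]

def demo(seed=7):
    """Whole flow with a seeded RNG (seeded for reproducibility only; real keys
    need random.SystemRandom or os.urandom). Returns named check results."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    ct, key_sender = encaps(pk, rng)
    _, attacker_sk = keygen(rng)
    pk0, sk0 = keygen(rng, noisy=False)
    bound, margin = noise_bound()
    return {
        "keys_match": decaps(sk, ct) == key_sender,
        "wrong_key_fails": decaps(attacker_sk, ct) != key_sender,
        "noise_within_margin": bound < margin,
        "error_free_key_leaks_secret": solve_linear(*pk0) == mod_q(sk0),
        "noisy_key_hides_secret": solve_linear(*pk) != mod_q(sk),
    }
```

Calling demo() returns a dict of booleans; every entry should be True. The noise bound is where the parameters come from: with these toy values the worst-case noise is 514 against a decoding margin of q/4 = 832, so decapsulation never fails, while error_free_key_leaks_secret shows why e cannot be dropped: without it the public key is a solvable linear system and elimination hands back s outright. ML-KEM uses the same structure over polynomial rings for speed and compactness, and wraps this CPA-style core in the Fujisaki-Okamoto transform so that a decapsulation oracle cannot be abused.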

Migration and hybrid mode

Because the new schemes and their implementations are young, deployments use hybrid key exchange: ML-KEM runs alongside X25519 and both shared secrets are concatenated and fed into the key schedule, so the session stays secure as long as either primitive holds. TLS 1.3 (the X25519MLKEM768 group) and OpenSSH (mlkem768x25519-sha256, added in 9.9) already ship hybrid groups. The driving concern is "harvest now, decrypt later": adversaries record encrypted traffic today to decrypt once quantum hardware matures, which is why key exchange for long-lived data has to move first, while signatures only need to migrate before a quantum attacker actually exists.

Trade-off: Lattice schemes trade larger keys and ciphertexts for quantum resistance. An ML-KEM-768 public key is 1,184 bytes and its ciphertext 1,088 bytes, against 32 bytes each for X25519; an ML-DSA-65 signature is 3,309 bytes against 64 for Ed25519. On constrained links and in the TLS handshake, where a ClientHello carrying a hybrid key share no longer fits in a single packet, that is a real bandwidth and latency cost.

Applications

  • TLS, VPN and messaging key exchange (hybrid X25519+ML-KEM)
  • Firmware and software signing with hash-based SLH-DSA
  • Long-lived secrets: government, financial and medical archives

References & further reading

  1. NIST, FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA), Post-Quantum Cryptography Standards, August 2024.
  2. J. Bos et al., "CRYSTALS-Kyber: a CCA-secure module-lattice-based KEM," IEEE EuroS&P 2018.
  3. P. W. Shor, "Algorithms for quantum computation: discrete logarithms and factoring," FOCS 1994.