Definition
Post-quantum cryptography (PQC) is classical cryptography — running on the same CPUs you already use — chosen because the underlying mathematical problem is believed to be hard for both classical and quantum computers. It replaces algorithms like RSA and elliptic-curve Diffie-Hellman whose security assumptions break under Shor's algorithm on a sufficiently large quantum computer.
Algorithm families
- Lattice-based — ML-KEM (Kyber), ML-DSA (Dilithium), FN-DSA (Falcon). Fast, moderate key sizes, currently the mainstream choice.
- Hash-based — SLH-DSA (SPHINCS+). Conservative security based only on hash-function assumptions; large signatures.
- Code-based — Classic McEliece and derivatives. Very large public keys; considered for niche long-lived key encapsulation.
- Isogeny-based — SIDH-family was broken in 2022. Later isogeny constructions remain research-stage.
NIST standards
The first three post-quantum standards were finalised by NIST in August 2024. See the dedicated NIST PQC hub for parameter sets and status of the fourth-round candidates.
Real deployments
- Cloudflare, Google Chrome and Apple iMessage have shipped hybrid post-quantum key exchange in production.
- OpenSSH 9.9+ enables hybrid PQC key agreement by default.
- AWS KMS, Azure Key Vault and GCP KMS expose PQC in previews or Regional endpoints.
- Signal deployed a PQXDH key agreement for its ratchet.
Links to the primary announcements live on the Sources page.
Hybrid transition
A hybrid scheme runs a classical algorithm and a post-quantum algorithm in parallel and combines their outputs. The combined key or signature is at least as strong as the strongest input. Hybrid is the mainstream recommendation for TLS and VPN transitions and is what almost every production PQC deployment above is actually using today.
Migration plan
- Build a cryptography inventory. Where is RSA / ECDH / ECDSA in use, and with what data lifetime behind it?
- Prioritise long-life secrets and long-life identities — signing keys embedded in devices, code-signing roots, root CAs.
- Adopt hybrid PQC at the perimeter first (TLS, VPN, SSH). Track upstream library support.
- Plan crypto-agility: expect a second round of parameter changes as fourth-round NIST candidates land.
- Use Business Readiness to score the current position and generate a PDF roadmap.
Frequently asked questions
What is post-quantum cryptography (PQC)?
Post-quantum cryptography is a set of classical cryptographic algorithms designed to remain secure against attacks by both classical and quantum computers. NIST standardised the first three in 2024 — ML-KEM, ML-DSA and SLH-DSA — and internet infrastructure is now migrating to them.
Which PQC algorithms should I use?
For key exchange, ML-KEM (FIPS 203), typically as part of a hybrid with an elliptic-curve algorithm during the transition. For general-purpose signatures, ML-DSA (FIPS 204). For stateless hash-based signatures with the most conservative security assumptions, SLH-DSA (FIPS 205). Falcon is expected to be standardised as FN-DSA for size-constrained signatures.
Is PQC available today?
Yes. Cloudflare, Google Chrome and Apple iMessage have shipped hybrid post-quantum key exchange in production; AWS, Azure and GCP expose PQC in KMS or transit-layer previews; OpenSSH supports hybrid PQC key agreement by default. See the primary sources on the /sources page.
Should I use hybrid or pure PQC?
During the transition, hybrid schemes — running a classical algorithm alongside a post-quantum one — are the mainstream recommendation. They preserve the security of the classical scheme in case a new attack lands against the post-quantum candidate, at a modest cost in bandwidth and CPU.