Technology

How Post-Quantum Cryptography Works—and Why It Matters

Quantum computers threaten to break the encryption that protects banking, email, and national secrets. Post-quantum cryptography uses new math problems that even quantum machines cannot crack, and the global race to deploy it has already begun.

Redakcia

The Quantum Threat to Encryption

Nearly every secure transaction on the internet—online banking, encrypted email, medical records, military communications—relies on a mathematical trick: certain problems are so hard that even the fastest supercomputers would need billions of years to solve them. Algorithms like RSA and Elliptic Curve Cryptography (ECC) exploit this difficulty to keep data safe.

Quantum computers change the equation. In 1994, mathematician Peter Shor proved that a sufficiently powerful quantum machine could factor large numbers and solve discrete logarithms exponentially faster than any classical computer. That means RSA and ECC—the backbone of internet security—would crumble. Experts estimate such a machine could arrive within 5 to 15 years.

Harvest Now, Decrypt Later

The danger is not hypothetical. Intelligence agencies and sophisticated attackers are already conducting "harvest now, decrypt later" campaigns: intercepting and storing encrypted data today so they can crack it open once quantum decryption becomes feasible. For information with a long shelf life—trade secrets, state secrets, medical records—the vulnerability exists right now, not in some distant future.

This urgency is why governments and tech companies are racing to replace vulnerable algorithms before quantum computers mature.

How Post-Quantum Cryptography Works

Post-quantum cryptography (PQC) does not require a quantum computer. It runs on today's hardware but relies on mathematical problems that quantum machines cannot efficiently solve. The most prominent approach is lattice-based cryptography.

A lattice, in mathematical terms, is a regular grid of points in many dimensions. Finding the shortest nonzero vector in a high-dimensional lattice, or the lattice point closest to an arbitrary target, is extraordinarily difficult, even for quantum computers. Unlike the factoring and discrete-logarithm problems that Shor's algorithm exploits, lattice problems lack the periodic mathematical structure that gives quantum machines their advantage.

Other PQC approaches include:

  • Hash-based signatures — built on well-understood hash functions, offering conservative security guarantees
  • Code-based cryptography — derived from error-correcting codes, studied since the 1970s
  • Multivariate polynomial systems — using systems of equations over finite fields that resist quantum attacks

NIST Sets the Standard

After an eight-year global competition involving submissions from researchers worldwide, the U.S. National Institute of Standards and Technology (NIST) finalized its first three post-quantum cryptography standards in August 2024:

  • ML-KEM (formerly Kyber) — a lattice-based algorithm for key encapsulation, used to establish shared encryption keys
  • ML-DSA (formerly Dilithium) — a lattice-based digital signature algorithm for verifying identity
  • SLH-DSA (formerly SPHINCS+) — a hash-based signature scheme offering a backup approach independent of lattice math

Under NIST's transition roadmap, quantum-vulnerable algorithms will be deprecated by 2030 and fully removed from federal standards by 2035.

The Web Gets Quantum-Safe

Major technology companies are already deploying PQC. Google's Chrome team is developing Merkle Tree Certificates, a new certificate architecture that keeps post-quantum TLS connections efficient. Because post-quantum cryptographic keys are roughly 40 times larger than current ones, the Merkle tree approach compresses certificate data to approximately 64 bytes by having a certificate authority sign a single "tree head" representing millions of certificates.
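To make the "sign one tree head" idea concrete, here is an added, deliberately simplified Python illustration; it is not Chrome's Merkle Tree Certificates code or any project's code. A CA Merkle-hashes many certificate records, signs only the root, and each client checks a short inclusion proof instead of a per-certificate signature. Assumed: constructed sample records, SHA-256 as the hash, and that the client has already verified the CA's post-quantum signature on the root.

```python
# Added illustration of the "sign one tree head" idea; this is not Chrome's Merkle Tree
# Certificates code and omits the real design (batches, landmarks, the PQ signature itself).
import hashlib

# Constructed sample: 1000 certificate records a CA would cover with one signed tree head.
SAMPLE_CERTS = [f"cert {i}: subject=host{i}.example.invalid".encode() for i in range(1000)]

def _leaf_hash(data: bytes) -> bytes:           # 0x00 prefix marks a leaf
    return hashlib.sha256(b"\x00" + data).digest()
def _node_hash(left: bytes, right: bytes) -> bytes:  # 0x01 prefix marks an interior node
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_tree(leaves):
    """Return the tree as levels: levels[0] are leaf hashes, levels[-1] == [root]."""
    level = [_leaf_hash(x) for x in leaves]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:                      # odd count: duplicate the last node
            level = level + [level[-1]]
        level = [_node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root: about log2(n) hashes, whatever n is."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        proof.append(level[index ^ 1])
        index //= 2
    return proof

def verify_certificate(trusted_root, cert, index, proof):
    """Relying-party check: recompute the root from the cert and its proof and compare
    it with the tree head whose (post-quantum) CA signature was verified once up front."""
    h = _leaf_hash(cert)
    for sibling in proof:
        h = _node_hash(h, sibling) if index % 2 == 0 else _node_hash(sibling, h)
        index //= 2
    return h == trusted_root

def demo(index=777):
    """Return (proof length, genuine cert verifies, forged cert verifies) for one leaf."""
    levels = build_tree(SAMPLE_CERTS)
    root = levels[-1][0]                        # the single value the CA signs
    proof = inclusion_proof(levels, index)
    return (len(proof),
            verify_certificate(root, SAMPLE_CERTS[index], index, proof),
            verify_certificate(root, b"forged cert", index, proof))   # (10, True, False)
```

With 1000 records the proof is ten hashes; doubling the batch adds only one more, which is why one CA signature can stand in for millions of per-certificate signatures.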

Apple, Cloudflare, and Signal have also begun integrating post-quantum algorithms into their products and protocols.

Why It Matters

The transition to post-quantum cryptography is one of the largest infrastructure upgrades in the history of computing. Every encrypted connection, every digital signature, every secure chip must eventually migrate. Organizations that delay risk exposing sensitive data to harvest-now-decrypt-later attacks that are already underway.

As NIST, the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency have all urged: the time to begin planning is now—not when the first cryptographically relevant quantum computer powers on.
