Post-quantum cryptography (PQC), also known as quantum-resistant cryptography, refers to cryptographic algorithms that are believed to be secure against an attack by both a classical computer and a quantum computer. The emergence of quantum computing threatens widely used public-key cryptographic systems, such as RSA and elliptic curve cryptography, which underpin much of modern digital security.
Unlike quantum cryptography (which uses quantum mechanics to perform cryptographic tasks), post-quantum cryptography relies on classical computational problems that are assumed to be hard even for quantum computers.
The Quantum Threat
Current public-key cryptosystems rely on mathematical problems that are hard for classical computers to solve, such as integer factorization (RSA) and the discrete logarithm problem (ECC). However, Shor's algorithm, published in 1994, demonstrates that a sufficiently powerful quantum computer could solve these problems in polynomial time, effectively breaking these systems.
"The transition to post-quantum cryptography is not a matter of if, but when. Organizations must begin cryptanalysis and inventory today."
Symmetric-key cryptography is less affected. Grover's algorithm provides a quadratic speedup for search problems, meaning AES-128 would have security equivalent to AES-64 against a quantum attacker. Doubling the key size (e.g., to AES-256) mitigates this risk.
NIST Standardization
In 2024, the National Institute of Standards and Technology (NIST) finalized its first set of post-quantum cryptographic standards following a multi-year competition:
- CRYSTALS-Kyber (ML-KEM): For general encryption and key establishment.
- CRYSTALS-Dilithium (ML-DSA): For digital signatures.
- FALCON (SLH-DSA): For compact digital signatures.
- SPHINCS+ (SLH-DSA): For stateless hash-based signatures.
Algorithm Categories
PQC algorithms are classified based on the underlying mathematical hardness assumption.
Lattice-Based Cryptography
Lattice-based schemes rely on the hardness of problems in high-dimensional lattices, such as the Learning With Errors (LWE) problem and the Shortest Vector Problem (SVP). These schemes are favored for their efficiency, small signatures, and resistance to both classical and quantum attacks.
// Pseudocode: LWE Sample Generation
function generate_lwe_secret(n, q):
s = random_vector(n, q) // Secret lattice vector
A = random_matrix(n, n, q)
e = sample_error(n) // Small error vector
b = A * s + e mod q
return (A, b) // Public: (A, b), Private: sCode-Based Cryptography
Based on error-correcting codes, notably the McEliece cryptosystem proposed in 1978. Security relies on the difficulty of decoding a general linear code. While secure, McEliece suffers from large public key sizes (hundreds of kilobytes).
Hash-Based Signatures
Hash-based schemes, such as SPHINCS+, rely solely on the security of cryptographic hash functions. They are considered the most conservative and well-understood PQC candidates but typically produce larger signatures and are slower to generate.
Migration Challenges
Transitioning to PQC involves significant challenges:
- Performance Overhead: Larger keys and signatures increase bandwidth and storage requirements.
- Legacy Systems: Embedded devices and IoT systems may lack the computational resources for PQC.
- Interoperability: Hybrid modes (combining classical and PQC) are recommended during transition periods.
- Harvest Now, Decrypt Later: Adversaries may collect encrypted data now to decrypt it once quantum computers become viable.