Frequently Asked Questions about Post-Quantum Cryptography
Note
This page is supplementary material for the NIST Migration to Post-Quantum Cryptography Project
The NIST National Cybersecurity Center of Excellence, NIST’s Applied Cybersecurity Lab, has established a Migration to Post-Quantum Cryptography (PQC) project that is focused on supporting the use of NIST PQC standards. We’re working with industry and government stakeholders on two workstreams, and will develop demonstrations in each:
Cryptographic Visibility and Risk Management, focused on building and maintaining a comprehensive cryptographic inventory to guide PQC migration.
Interoperability and Benchmarking, supporting the technology and public-key cryptography providers who embed PQC algorithms into their products and services.
We’ve grouped the most common questions into six key phases of the PQC migration journey, guiding you through the transition needed to protect against the threat of a cryptanalytically relevant quantum computer (CRQC).
Who should use this? Anyone who uses public key cryptography has been asked to take steps to become CRQC-ready by adopting technologies that use PQC algorithms.
This FAQ is not an exhaustive list and will be updated periodically.
Please contribute to the FAQ by using this form to submit additional questions, answers, and suggestions.
If you have anything to further discuss, please contact us at mailto:applied-crypto-pqc@nist.gov.
Last Updated: May 22, 2026
Awareness and Preparation
What is Post-Quantum Cryptography (PQC)?
Post-Quantum Cryptography (PQC) refers to cryptographic methods designed to resist attacks from both classical and quantum computers. As quantum computers advance, they could potentially break current encryption methods like RSA and elliptic curve cryptography (ECC), which rely on mathematical problems that are difficult for classical computers to solve. The aim of PQC is to develop encryption algorithms that remain secure against these emerging threats while still being compatible with existing systems and networks.
The National Institute of Standards and Technology (NIST) is leading global efforts to standardize these quantum-resistant algorithms to ensure the security of digital communications in the quantum era.
Additional Resources: On NIST’s What Is Post-Quantum Cryptography? webpage, you can learn more about the following:
What is quantum computing?
Why are quantum computers being developed if they can potentially cause so much harm?
How does current cryptography work and how would a quantum computer crack it?
Why do we need post-quantum encryption and how will PQC algorithms work?
If cryptographically relevant quantum computers don’t exist yet, why is developing post-quantum encryption algorithms important now?
What is “harvest now, decrypt later”?
How did NIST design and select the algorithms it is standardizing?
Why is NIST leading the effort to develop PQC standards?
What can we be doing now to get ready for cryptanalytically relevant quantum computers?
What are some other terms used to describe post-quantum cryptography?
With the growing attention on quantum computing as an emerging technology, compounding the term “quantum” with “readiness”, “resistant”. “safe”, or “secure” has become another way to convey what is being achieved in this cryptographic migration.
“Quantum-Readiness”
Canadian Forum for Digital Infrastructure Resilience (CFDIR), Canadian National Quantum-Readiness Best Practices and Guidelines
Cloud Security Alliance, Quantum Readiness Importance: A Comprehensive Guide
Deloitte, Quantum Cyber Readiness
U.S. Cybersecurity and Infrastructure Security Agency (CISA), Quantum-Readiness: Migration to Post-Quantum Cryptography
“Quantum-Resistant”
NIST, NIST Announces First Four Quantum-Resistant Cryptographic Algorithms
The National Cryptologic Foundation, Convening to Act: Quantum Resistant Cryptography (QRC) in Software
Microsoft, Microsoft’s quantum-resistant cryptography is here
Technology Review, What are quantum-resistant algorithms—and why do we need them?
SafeLogic, Why Post-Quantum Cryptography (PQC) is Now a Competitive Advantage for Tech Vendors
“Quantum-Safe”
European Telecommunications Standards Institute (ESTI), Quantum-Safe Cryptography (QSC)
Germany’s Federal Office for Information Security (BSI), Quantum Technologies and Quantum-Safe Cryptography
SafeLogic, Comparing PQC and Classical Algorithms
“Quantum Secure”
World Economic Forum, Quantum Readiness Toolkit: Building a Quantum-Secure Economy
When will a cryptanalytically relevant quantum computer exist?
Estimates for the development of a cryptanalytically relevant quantum computer (CRQC) vary widely:
Near-term: Some believe that CRQCs may emerge by 2030, driven by rapid advancements.
Mid-term: Many anticipate they could become feasible within 15 to 20 years, requiring significant progress in scaling and error correction.
Long-term: Others believe it may take 30+ years due to the challenges of achieving fault-tolerant quantum systems.
Despite uncertainty in when a CRQC will come into existence, experts agree on the importance of preparing for quantum threats now to secure cryptographic systems for the future.
Additional Resources: The following resources provide additional assessments of the state of development of current technologies for the realization of a CRQC:
Germany’s Federal Office for Information Security (BSI), The status of quantum computer development
Global Risk Institute, Quantum Threat Timeline Report 2024
EvolutionQ, The Quantum Threat Timeline: Why Organizations Must Act
Cloud Security Alliance, Quantum-safe Security
Where can I learn more about the critical need to counter the threat to public key cryptography from a cryptanalytically relevant quantum computer?
The following industry resources advocate for countering this threat:
U.S. Cybersecurity and Infrastructure Security Agency (CISA), Quantum-Readiness: Migration to Post-Quantum Cryptography
Cloud Security Alliance, Quantum Readiness Importance: A Comprehensive Guide
Deloitte, Cryptographic Resilience: A Cyber Security Framework (CSF) 2.0 Community Profile
Center for European Policy Studies (CEPS), We need to urgently strengthen the EU’s transition to a quantum-safe world
Palo Alto Networks, Quantum Readiness: What It Means and How to Achieve It
SafeLogic, CISA Takes a Major Step Toward Post-Quantum Readiness
What is cryptographic agility?
Migration to PQC brings a new focus on developing capabilities to replace crypto assets without disruption. The following are some crypto agility papers:
DigiCert, What is crypto-agility?
Financial Services Information Sharing and Analysis Center (FS-ISAC), Post Quantum Cryptography (PQC) Building Cryptographic Agility in the Financial Sector
InfoSec Global, Cryptographic Agility in Practice
NIST, NIST Cybersecurity White Paper (CSWP 39), Considerations for Achieving Crypto Agility: Strategies and Practices (Final) discusses approaches to achieve crypto agility while maintaining interoperability.
PostQuantum, Introduction to Crypto-Agility
Alliance for Telecommunications Industry Solutions (ATIS), Strategic Framework for Crypto Agility and Quantum Risk Assessment
What U.S. government policies, memorandums, and standards discuss migration to PQC?
The U.S. government’s approach to migrating to PQC is designed to safeguard national security and critical infrastructure against future quantum threats.
The following bullets offer a timeline that illustrates the directives and resources which were established for use by federal agencies:
January 2022, National Security Memorandum-8 (NSM-8)
NSM-8 provides guidance for National Security System (NSS) and related assets that outlines updating the Commercial National Security Algorithm (CNSA) to include quantum-resistant protocols, additional protections for data, migration efforts, and reporting requirements.
May 2022, National Security Memorandum-10 (NSM-10)
NSM-10 provides guidance for non-NSS and related assets which outlines the creation of cryptographic migration efforts with NIST NCCoE, the Federal Civilian Executive Branch (FCEB) annual cryptographic inventory of High Value Assets and High Impact Systems reported to CISA, migration efforts and reporting away from Cryptanalytically Relevant Quantum Computer (CRQC) vulnerable cryptography.
September 2022, Announcing the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0)
Release of CNSA 2.0 provides guidance for quantum-resistant algorithms (QRAs), timelines, and additional guidance sources for NSS and related assets. FAQ page was updated Dec 2024.
November 2022, Office of Management and Budget M-23-02
M-23-02 provides direction for agencies to comply with NSM-10 and further defines what systems/assets and associated information to include in inventories. NIST will establish a mechanism to enable the exchange of PQC testing information and best practices. That mechanism is the NCCoE Migration to PQC project.
December 2022, Quantum Computing Cybersecurity Preparedness Act 6 U.S.C. § 1526
The Quantum Computer Cybersecurity Preparedness Act reaffirms NSM-10 and M-23-02. It includes requirements for inventory of cryptographic systems, migration to PQC, and reporting in alignment with prior PQC memorandums.
November 2024, Transition to Post-Quantum Cryptography Standards | Draft NIST IR 8547 is Available for Comment
December 2024, Updated The Commercial National Security Algorithm Suite 2.0 and Quantum Computing FAQ
March 2025, NIST Selects HQC as Fifth Algorithm for Post-Quantum Encryption
What are some additional U.S. government resources?
Cybersecurity and Infrastructure Security Agency (CISA), Post-Quantum Cryptography Initiative
Department of Homeland Security (DHS), Post-Quantum Cryptography
Homeland Security Operational Analysis Center (HSOAC), Preparing for Post-Quantum Critical Infrastructure: Assessments of Quantum Computing Vulnerabilities of National Critical Functions
General Services Administration (GSA), Post Quantum Cryptography Buyer’s Guide
What are some international resources, perspectives, and posts regarding PQC?
The following documents represent a timeline view of international perspectives regarding considerations for the transition to PQC.
July 2020, European Telecommunications Standards Institute (ETSI), TR 103 619 - V1.1.1 - CYBER; Migration strategies and recommendations to Quantum Safe schemes
May 2021, European Union Agency for Cybersecurity (ENISA), Post-Quantum Cryptography: Current state and quantum mitigation
April 2021, The International Telecommunication Union (ITU), X.1811: Security guidelines for applying quantum-safe algorithms in IMT-2020 systems
October 2022, ENISA, Post-Quantum Cryptography - Integration study
October 2022, ENISA, Post-Quantum Cryptography: Anticipating Threats and Preparing the Future
February 2023, Global Systems for Mobile communications Association (GSMA), Post Quantum Telco Network Impact Assessment Whitepaper, Version 1.0
March 2023, Financial Services Information Sharing and Analysis Center (FS-ISAC), Preparing for a Post-Quantum World by Managing Cryptographic Risk
March 2023, The Netherland’s General Intelligence and Security Service (AIVD), Centrum Wiskunde & Informatica (CWI), and TNO, an independent not-for-profit research organisation, The PQC Migration Handbook
May 2023, ETSI, TR 103 949 - V1.1.1 - Quantum-Safe Cryptography (QSC) Migration; ITS and C-ITS migration study
August 2023, International Organization for Standardization/International Electrotechnical Commission (ISO/IEC), ISO/IEC 23837-1:2023 - Information security — Security requirements, test and evaluation methods for quantum key distribution — Part 1: Requirements
September 2023, GSMA, Guidelines for Quantum Risk Management for Telco, Version 1.0
March 2024, Internet Engineering Task Force (IETF), Post-Quantum Cryptography Recommendations for TLS-based Applications
August 2024, The United Kingdom’s National Cyber Security Centre (NCSC), Next steps in preparing for post-quantum cryptography
October 2024, Germany’s Federal Office for Information Security (BSI), Securing Tomorrow, Today: Transitioning to Post-Quantum Cryptography
October 2024, ETSI, CYBER; Quantum-Safe Cryptography (QSC); A Repeatable Framework for Quantum-Safe Migrations
March 2025, ETSI, ETSI launches new standard for Quantum-Safe Hybrid Key Exchanges to secure future post-quantum encryption
June 2025, European Union, Network and Information Systems Cooperation Group, A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography - Part 1, Version: 1.1, EU PQC Workstream
June 2025, Canadian Centre for Cyber Security, Roadmap for the migration to post-quantum cryptography for the Govenrment of Canda (ITSM.40.001)
September 2025, Australian Signals Directorate (ASD), Planning for post-quantum cryptography
What are some additional international resources?
GSMA, Post Quantum Government Initiatives by Country and Region provides a summary of the existing government and region PQC guidelines (last updated March 2025).
What are some Sector-Specific PQC Resources?
Financial Services Sector
Financial Services Information Sharing and Analysis Center (FS-ISAC), Post Quantum Cryptography Resources
X9, Effort to Create Post-Quantum Cryptography Assessment Guidelines
Bank for International Settlements (BIS), Quantum-readiness for the financial system: a roadmap
Mastercard, Migration to post-quantum cryptography white paper
Information Technology Sector
Microsoft, Microsoft’s Quantum-resistant cryptography is here
Google, Announcing quantum-safe digital signatures in Cloud KMS
Cloudflare, Cloudflare Advances Industry’s First Cloud-Native Quantum-Safe Zero Trust Solution
Bouncy Castle, A PQC Almanac
IBM and InfoSec Global, IBM Consulting and InfoSec Global collaborate on visibility and control of cryptographic assets
Telecom
Global Systems for Mobile communications Association (GSMA), PQ.03 Post Quantum Cryptography – Guidelines for Telecom Use Cases v2.0
Alliance for Telecommunications Industry Solutions (ATIS), Preparing 5G for the Quantum Era: An Analysis of 3GPP Architecture and the Transition to Quantum-Resistant Cryptography
Communications Sector Coordinating Council (CSCC), Committee Impact Report on Post Quantum Cryptography
What is meant by “Denial of Migration”?
Michael Osborne, CTO of IBM Quantum Safe, suggests that post-quantum cryptography (PQC) migration is being quietly sabotaged by a series of self-inflicted strategic wounds.
See Michael Osborne’s Denial of PQC Migration Attacks article.
What can I read as a technical decision-maker to help me evaluate how and when my organization’s environments need to react to the security threat posed by the development of quantum computers?
See SSH’s What Is Quantum-Safe Cryptography? article.
Is there a free online platform that walks you from understanding the threat to deploying quantum-resistant cryptography step by step?
Yes. See the PQC Today platform.
Is there a document that explains why engineers need to be aware of and understand post-quantum cryptography (PQC), detailing the impact of CRQCs on existing systems and the challenges involved in transitioning to post-quantum algorithms?
Yes. The Internet Engineering Task Force (IETF) has a draft document on this topic.
See the IETF Datatracker’s Post-Quantum Cryptography for Engineers draft.
What is the harvest now, decrypt later cybersecurity threat?
See Palo Alto Networks’ Harvest Now, Decrypt Later (HNDL) article.
Is there any testing that reveals the performance price of migrating to post-quantum cryptography and why measuring it now will save you millions later?
Yes. See VIAVI Solutions’ The Hidden Cost of Quantum-Safe Encryption white paper.
Has anyone defined what a cryptographic inventory is, and outlined a practical customer-led operating model for managing cryptographic posture?
Yes. Microsoft has defined cryptographic inventory concepts and outlined a practical customer-led operating model for managing cryptographic posture.
See Microsoft’s Building Your Cryptographic Inventory: A Customer Strategy for Cryptographic Posture Management blog post.
Are there methodologies to manage the complexity of PQC migration for various use cases?
Yes. Meta has published a framework, lessons, and takeaways for managing the complexity of post-quantum cryptography (PQC) migration across various use cases.
See Meta Engineering’s Post-Quantum Cryptography Migration at Meta: Framework, Lessons, and Takeaways article.
Has anyone framed the multi-year upgrade to post-quantum cryptography in the context of regular cybersecurity operations so that executive leaders can place it within regular reviews and prioritization discussions?
Yes. Deloitte has framed cryptographic resilience, including the multi-year upgrade to post-quantum cryptography, in the context of regular cybersecurity operations, executive reviews, and prioritization discussions. Meta has also published a framework, lessons, and takeaways for managing post-quantum cryptography (PQC) migration across complex organizational use cases.
See Deloitte’s Cryptographic Resilience Community Profile and Meta Engineering’s Post-Quantum Cryptography Migration at Meta: Framework, Lessons, and Takeaways article.
Are there lists of software applications, libraries, and hardware that include support for post-quantum cryptography?
Yes. There are several resources that list or categorize software applications, libraries, hardware, and product areas that include or may include support for post-quantum cryptography (PQC).
The PKI Consortium maintains a Post-Quantum Cryptography Capable Components Matrix.
The enterprise infrastructure stack shown on PQC Today’s Migration Path webpage lists products for each level in the stack.
CISA’s Product Categories and Technologies That Use Post-Quantum Cryptography Standards resource identifies categories where PQC products can be found.
Discovery and Inventory
What are some existing tools that can be used for cryptographic inventorying?
The following tools are not an exhaustive list, but rather ones that are open source or ones that we have in our lab through our collaborators. Please refer to their websites and repositories to learn more about their capabilities.
Open source tools
pqcscan for scanning SSH and TLS servers
sslscan2 to test SSL/TLS enabled services to discover supported cipher suites
crt.sh to find SSL/TLS certificates issued for specific domains or organizations
cyberzero PQC Edge Scanner to scan for PQC transition signals at the public edge of any domain
NCCoE collaborator tools
Cisco Mercury (also open source)
CodeQL (also open source)
Is there a Guide to Cryptography Bill of Materials (CBOM) for Post-Quantum Systems and Applications?
See CycloneDX’s Authoritative Guide to CBOM.
Can I use CodeQL for code scanning?
See GitHub’s Addressing Post-Quantum Cryptography with CodeQL blog post.
Are there any free utilities to scan SSH and TLS servers?
See Anvil Secure’s pqcscan utility.
What can I use for free to test SSL/TLS enabled services to discover supported cipher suites?
See rbsec’s sslscan utility.
What is a cryptographic inventory?
A cryptographic inventory is a descriptive record of the cryptography used across an organization’s systems, applications, services, devices, and data flows. It helps an organization identify where and how cryptography is being used so that cryptographic risks can be managed, policies can be applied consistently, and systems can be prepared for migration to post-quantum cryptography (PQC).
A cryptographic inventory may include information about:
Cryptographic algorithms in use, such as RSA, elliptic curve cryptography (ECC), AES, SHA-2, or post-quantum algorithms
Cryptographic protocols and services, such as TLS, SSH, VPNs, code signing, email encryption, and certificate-based authentication
Cryptographic keys, including key type, owner, associated algorithm, application, expiration date, and lifecycle status, without including the key material itself
Certificates and certificate chains
Systems, applications, or components that depend on cryptography
Data protected by cryptography, especially sensitive or long-lived data that may be vulnerable to “harvest now, decrypt later” threats
Related terms include cryptographic algorithm inventory, which focuses specifically on the algorithms in use, and cryptographic assets, which may include algorithms, keys, certificates, protocols, libraries, hardware security modules (HSMs), and other components that provide or depend on cryptographic protection.
Maintaining a cryptographic inventory is an important step in quantum readiness because organizations cannot effectively prioritize or migrate cryptography that they have not identified.
Are there tools that serve as a starting point for building a centralized inventory to track cryptographic migration efforts at the system or asset level?
Yes. The PQC Coalition provides a PQC Inventory Workbook that can serve as a starting point for building a centralized inventory to track cryptographic migration efforts at the system or asset level.
See the PQC Coalition’s PQC Inventory Workbook.
Risk Assessment and Planning
Where can you start your migration to PQC?
A good place to start your migration to PQC is to perform cryptographic asset discovery and inventory on your systems. Knowing the extent, location, and use of the current cryptography that you have employed will allow you to understand what needs to be migrated.
Additional Resources: Some example publications go into further detail on how to perform migration:
The Netherland’s General Intelligence and Security Service (AIVD), Centrum Wiskunde & Informatica (CWI), and TNO, an independent not-for-profit research organisation, The PQC Migration Handbook: Guidelines for Migrating to Post-Quantum Cryptography, Revised and Extended Second Edition, December 2024
Canadian Forum for Digital Infrastructure Resilience (CFDIR), Chapter Three of Canadian National Quantum-Readiness: Best Practices and Guidelines, version 04, July 2024
European Telecommunications Standards Institute (ETSI), TR 104 016 V1.1.1 – CYBER; Quantum-Safe Cryptography (QSC); A Repeatable Framework for Quantum-Safe Migrations
MITRE’s Post-Quantum Cryptography Coalition (PQCC), Post-Quantum Cryptography (PQC) Migration Roadmap
Public Key Infrastructure Consortium (PKIC), PQC Capabilities Matrix (PQCCM)
What are some timelines for activities which organizations must carry out to migrate to post-quantum cryptography in the coming years?
The following resources give information related to timelines and milestones for migrating to PQC:
NIST, IR 8547 (Initial Public Draft) Transition to Post-Quantum Cryptography Standards
NSA, The Commercial National Security Algorithm Suite 2.0 and Quantum Computing FAQ
The United Kingdom’s National Cyber Security Center, Timelines for migration to post-quantum cryptography
Canadian Centre for Cyber Security, Roadmap for the migration to post-quantum cryptography for the Govenrment of Canda (ITSM.40.001)
Is there a document that provides actionable guidelines to incorporate CRQC-readiness into existing risk management frameworks?
Here are some documents that discuss actionable guidelines:
What are the FAQs on OpenSSH Post-Quantum Cryptography?
See FAQ on OpenSSH’s Post-Quantum Cryptography webpage.
Is there a free public scanner that observes PQC transition signals at the public edge of any domain?
Yes. See CyberZero’s PQC Public Scanner.
Are there any quantum readiness surveys?
Yes. See Citi’s Quantum Readiness Survey.
Note that using this survey provides information to Citi. It is shared here as a model that organizations may wish to adapt for use with their own suppliers.
Who has changed their target for becoming fully post-quantum secure?
Cloudflare and Google have changed their timelines or targets for becoming fully post-quantum secure.
See Cloudflare’s Post-Quantum Roadmap blog post and Google’s Cryptography Migration Timeline blog post.
Migration Execution
What does NIST guidance say about transitioning from quantum-vulnerable cryptographic algorithms to post-quantum digital signature algorithms and key-establishment schemes?
NIST IR 8547 (Initial Public Draft) Transition to Post-Quantum Cryptography Standards identifies existing quantum-vulnerable cryptographic standards and the current quantum-resistant standards that will be used in the migration. This report should inform the efforts and timelines of federal agencies, industry, and standards organizations for migrating information technology products, services, and infrastructure to PQC. Comments received on this draft will be used to revise this transition plan and feed into other algorithm-specific and application-specific guidance for the transition to PQC.
The following questions are addressed in NIST IR 8547:
Where are the quantum-vulnerable algorithms in NIST’s existing cryptographic standards as well as the post-quantum algorithm standards that have been recently published?
See section 2 of NIST IR 8547
What are some migration considerations and use cases?
See section 3 of NIST IR 8547
What is the transition plan for quantum-vulnerable algorithms?
See Section 4.1 of NIST IR 8547
What are the post-quantum security categories?
See Table 1 of NIST IR 8547
What are the quantum-vulnerable digital signature algorithms?
See Table 2 of NIST IR 8547
What are the post-quantum digital signature algorithms?
See Table 3 of NIST IR 8547
What are the quantum-vulnerable key-establishment schemes?
See Table 4 of NIST IR 8547
What are the post-quantum key-establishment schemes?
See Table 5 of NIST IR 8547
What are security strength bit minimums for AES (FIPS 197)?
See Table 6 of NIST IR 8547
What are the collision security strength, collision security categories, preimage security strength, and preimage security categories for hash functions and eXtendable-Output Functions (XOFs)?
See Table 7 of NIST IR 8547
What has the National Cybersecurity Center of Excellence (NCCoE) published to support migration from the current set of public-key cryptographic algorithms to replacement algorithms that are resistant to quantum computer-based attacks?
What has the NCCoE published regarding interoperability and performance testing of Transport Layer Security?
The Transport Layer Security (TLS) protocol is arguably the most deployed online security protocol, so it is critical to make sure it supports post-quantum protection. Moreover, its wide use makes it a prime target for harvest-now-decrypt-later attacks. It is therefore no surprise that TLS has been one of the first protocols on which PQC was prototyped.
See Section 6 “Transport Layer Security” in the Preliminary Draft NIST SPECIAL PUBLICATION 1800-38C Migration to Post-Quantum Cryptography Quantum Readiness: Testing Draft Standards to see interoperability and performance results performed before December 2023 using the draft PQC KEM standards.
What is a Hardware Security Module (HSM)?
A Hardware Security Module (HSM) is a purpose-built physical security device designed to:
Generate cryptographic keys securely
Protect those keys throughout their entire lifecycle
Perform sensitive cryptographic operations inside secure hardware
See Crypto4A’s What Is a Hardware Security Module? article.
Is there a place where one can check to see if one’s browser is offering post-quantum encryption support?
See Cloudflare Radar’s Post-Quantum Encryption webpage.
What is an example of an all-in-one software web server, load balancer, reverse proxy, content cache, and API gateway?
F5 NGINX Plus is an example of an all-in-one software web server, load balancer, reverse proxy, content cache, and API gateway.
See F5’s NGINX Plus R33 Release Now Available article.
Are there examples of CRQC-ready cryptographic libraries?
Yes. See IDEMIA’s Quantum-Ready Cryptographic Libraries webpage.
Where can I find advice on the applicability of various post-quantum cryptographic algorithms for my use case?
See TNO’s PQChoiceAssistant.
How are operating system designers addressing the CRQC threat?
Operating system designers are addressing the cryptanalytically relevant quantum computer (CRQC) threat by implementing post-quantum cryptography (PQC) in operating systems and related security protocols.
See Google’s Security for the Quantum Era: Implementing Post-Quantum Cryptography in Android blog post.
What are some examples of rolling out support for post-quantum cryptography (PQC)?
Examples of organizations rolling out support for post-quantum cryptography (PQC) include:
Akamai rolled out support for PQC in Ghost to Origin (G2O) connections using Transport Layer Security (TLS) version 1.3.
Cloudflare has published updates on its ongoing PQC deployment work.
Google Cloud has described how it is helping customers prepare for a quantum-safe future.
Microsoft has made post-quantum cryptography APIs generally available on Microsoft platforms.
OpenSSL 3.5 includes support relevant to post-quantum cryptography adoption.
See Akamai’s Post-Quantum Cryptography Implementation Considerations for TLS article, Cloudflare’s Post-Quantum 2025 blog post, Google Cloud’s How We’re Helping Customers Prepare for a Quantum-Safe Future blog post, Microsoft’s Post-Quantum Cryptography APIs Now Generally Available on Microsoft Platforms blog post, and OpenSSL’s OpenSSL 3.5 Final Release announcement.
Migration Testing
Is there a workshop on Secure Protocol Implementations in the Quantum Era?
See the Secure Protocol Implementations in the Quantum Era (SPIQE) workshop webpage.
How are browser developers making HTTPS certificates secure against a cryptanalytically relevant quantum computer (CRQC)?
Chrome, in collaboration with other partners, is developing an evolution of HTTPS certificates based on Merkle Tree Certificates (MTCs). This work is currently in development in the PLANTS working group.
See Google’s Cultivating Robust and Efficient Post-Quantum TLS Certificates blog post.
What are some benchmarks that inform migrating the Internet to post-quantum key agreement?
See Cloudflare’s Post-Quantum 2024 blog post.
What is an example of early experimentation with post-quantum cryptography?
Google’s 2016 experiment with post-quantum cryptography is an example of early experimentation with post-quantum cryptography.
See Google’s Experimenting with Post-Quantum Cryptography blog post.
Is there a benchmarking framework designed to assess the computational and networking performance of PQC schemes across various system architectures?
Yes. See the IEEE article A Benchmarking Framework for Post-Quantum Cryptography.
Who in the U.S. Federal Government is driving federal quantum readiness by preparing for the use of post-quantum cryptography (PQC) to protect identities, credentials, and access at enterprise scale?
The Federal Identity, Credential, and Access Management (FICAM) program is helping to lead federal efforts to prepare for post-quantum cryptography (PQC) to protect identities, credentials, and access at enterprise scale.
See FICAM’s Post-Quantum Cryptography (PQC) webpage.
Validation and Monitoring
What are Federal Information Processing Standards (FIPS)?
FIPS are standards for federal computer systems that are developed by (NIST) and approved by the Secretary of Commerce in accordance with the Information Technology Management Reform Act of 1996 and Computer Security Act of 1987. These standards are developed when there are no acceptable industry standards or solutions for a particular government requirement. Although FIPS are developed for use by the Federal Government, many in the private sector voluntarily use these standards.
What are the current FIPS?
The list of current FIPS—those that have been published, plus draft FIPS posted for comment—can be found on NIST’s Computer Security Resource Center (CSRC).
What are the Federal Information Processing Standards (FIPS) for PQC?
There are currently three finalized Federal Information Processing Standards (FIPS) for Post-Quantum Cryptography:
These standards specify key establishment and digital signature schemes that are designed to resist future attacks by quantum computers, which threaten the security of current standards. The three algorithms specified in these standards are each derived from different submissions to the NIST Post-Quantum Cryptography Standardization Project.
Key Encapsulation Mechanism
FIPS 203 specifies a cryptographic scheme called the Module-Lattice-Based Key-Encapsulation Mechanism Standard, which is derived from the CRYSTALS-KYBER submission. A key encapsulation mechanism (KEM) is a particular type of key establishment scheme that can be used to establish a shared secret key between two parties communicating over a public channel.
Current NIST-approved key establishment schemes are specified in NIST Special Publications (SP): SP 800-56A, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm-Based Cryptography, and SP 800-56B, Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization Cryptography.
NIST has also chosen Hamming Quasi-Cyclic (HQC) to be standardized. NIST will develop a standard based on HQC to augment its key-establishment portfolio.
Digital Signatures
FIPS 204 and 205 each specify digital signature schemes, which are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. FIPS 204 specifies the Module-Lattice-Based Digital Signature Standard, which is derived from the CRYSTALS-Dilithium submission. FIPS 205 specifies the Stateless Hash-Based Digital Signature Standard, which is derived from the SPHINCS+ submission.
Current NIST-approved digital signature schemes are specified in FIPS 186-5, Digital Signature Standard, and SP 800-208, Recommendation for Stateful Hash-Based Signature Schemes.
NIST is also developing a FIPS that specifies a digital signature algorithm derived from FALCON as an additional alternative to these standards.
Does NIST have validation testing of approved (i.e., FIPS-approved and NIST-recommended) cryptographic algorithms and their individual components?
NIST’s Cryptographic Algorithm Validation Program (CAVP) offers two Automated Cryptographic Validation Test Systems (ACVTS) for interested users to test cryptographic algorithm implementations. A Demo ACVTS server is available at no cost to interested parties. More information on accessing the ACVTS can be found the CAVP page on Accessing the ACVTS.
The Production ACVTS server is only available to National Voluntary Laboratory Accreditation Program (NVLAP) accredited testing laboratories, and is the only way to create algorithm validation certificates listed on the Algorithm Validation Search Page. The CAVP, through ACVTS, will generate test vectors to match the capabilities of a given implementation under test. The CAVP is not responsible for running those test vectors through the implementation.
Does NIST have a security metric to use in procuring equipment containing validated cryptographic modules?
NIST’s Cryptographic Module Validation Program (CMVP) aims to promote the use of validated cryptographic modules and provide Federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules.
Is there a way to use a suite of automated tools that would permit organizations to perform testing of their cryptographic products according to the requirements of FIPS 140-3, then directly report the results to NIST using appropriate protocols?
NIST’s NCCoE has an Automation of the NIST Cryptographic Module Validation Project.