Frequently Asked Questions about Post-Quantum Cryptography

Note

This page is supplementary material for the NIST Migration to Post-Quantum Cryptography Project

This Frequently Asked Questions (FAQ) resource is designed to offer answers to questions about the need to secure electronic information with post-quantum cryptography. This FAQ is not an exhaustive list and will be updated periodically. Please send new questions for consideration to be added to this resource to mailto:applied-crypto-pqc@nist.gov.

Last Updated: September 3, 2025

What is Post-Quantum Cryptography (PQC)?

Post-Quantum Cryptography (PQC) refers to cryptographic methods designed to resist attacks from both classical and quantum computers. As quantum computers advance, they could potentially break current encryption methods like RSA and elliptic curve cryptography (ECC), which rely on mathematical problems that are difficult for classical computers to solve. The aim of PQC is to develop encryption algorithms that remain secure against these emerging threats while still being compatible with existing systems and networks.

The National Institute of Standards and Technology (NIST) is leading global efforts to standardize these quantum-resistant algorithms to ensure the security of digital communications in the quantum era.

Additional Resources: On NIST’s What Is Post-Quantum Cryptography? webpage, you can learn more about the following:

• What is quantum computing?

• Why are quantum computers being developed if they can potentially cause so much harm?

• How does current cryptography work and how would a quantum computer crack it?

• Why do we need post-quantum encryption and how will PQC algorithms work?

• If cryptographically relevant quantum computers don’t exist yet, why is developing post-quantum encryption algorithms important now?

• What is “harvest now, decrypt later”?

• How did NIST design and select the algorithms it is standardizing?

• Why is NIST leading the effort to develop PQC standards?

• What can we be doing now to get ready for cryptanalytically relevant quantum computers?

What are some other terms used to describe post-quantum cryptography?

With the growing attention on quantum computing as an emerging technology, compounding the term “quantum” with “readiness”, “resistant”. “safe”, or “secure” has become another way to convey what is being achieved in this cryptographic migration.

What are some examples of the use of “quantum-readiness” to describe what is being achieved by migrating to post-quantum cryptography?

• Canadian Forum for Digital Infrastructure Resilience (CFDIR), Canadian National Quantum-Readiness Best Practices and Guidelines

• Cloud Security Alliance, Quantum Readiness Importance: A Comprehensive Guide

• Deloitte, Quantum Cyber Readiness

• U.S. Cybersecurity and Infrastructure Security Agency (CISA), Quantum-Readiness: Migration to Post-Quantum Cryptography

What are some examples of the use of “quantum-resistant” to describe what is being achieved by migrating to post-quantum cryptography?

• NIST, NIST Announces First Four Quantum-Resistant Cryptographic Algorithms

• The National Cryptologic Foundation, Convening to Act: Quantum Resistant Cryptography (QRC) in Software

• Microsoft, Microsoft’s quantum-resistant cryptography is here

• SSH, SSH in the World of Post-Quantum Cryptography (PQC)

• Technology Review, What are quantum-resistant algorithms—and why do we need them?

What are some examples of the use of “quantum-safe” to describe what is being achieved by migrating to post-quantum cryptography?

• IBM, What is quantum-safe cryptography?

• European Telecommunications Standards Institute (ESTI), Quantum-Safe Cryptography (QSC)

• Germany’s Federal Office for Information Security (BSI), Quantum Technologies and Quantum-Safe Cryptography

What is an example of the use of “quantum-secure” to describe what is being achieved by migrating to post-quantum cryptography?

• World Economic Forum, Quantum Readiness Toolkit: Building a Quantum-Secure Economy

When will a cryptanalytically relevant quantum computer exist?

Estimates for the development of a cryptanalytically relevant quantum computer (CRQC) vary widely:

• Near-term: Some believe that CRQCs may emerge by 2030, driven by rapid advancements.

• Mid-term: Many anticipate they could become feasible within 15 to 20 years, requiring significant progress in scaling and error correction.

• Long-term: Others believe it may take 30+ years due to the challenges of achieving fault-tolerant quantum systems.

Despite uncertainty in when a CRQC will come into existence, experts agree on the importance of preparing for quantum threats now to secure cryptographic systems for the future.

Additional Resources: The following resources provide additional assessments of the state of development of current technologies for the realization of a CRQC:

• Germany’s Federal Office for Information Security (BSI), The status of quantum computer development

• Global Risk Institute, Quantum Threat Timeline Report 2024

• EvolutionQ, The Quantum Threat Timeline: Why Organizations Must Act

• Cloud Security Alliance, Quantum-safe Security

What are some timelines for activities which organizations must carry out to migrate to post-quantum cryptography in the coming years?

The following resources give information related to timelines and milestones for migrating to PQC:

• NIST, IR 8547 (Initial Public Draft) Transition to Post-Quantum Cryptography Standards

• NSA, The Commercial National Security Algorithm Suite 2.0 and Quantum Computing FAQ

• The United Kingdom’s National Cyber Security Center, Timelines for migration to post-quantum cryptography

• Canadian Centre for Cyber Security, Roadmap for the migration to post-quantum cryptography for the Govenrment of Canda (ITSM.40.001)

What are some examples of the drivers for acting to migration to PQC?

The following industry resources advocate the critical need to counter the threat to public key cryptography from a cryptanalytically relevant quantum computer:

• U.S. Cybersecurity and Infrastructure Security Agency (CISA), Quantum-Readiness: Migration to Post-Quantum Cryptography

• Cloud Security Alliance, Quantum Readiness Importance: A Comprehensive Guide

• Deloitte, Cryptographic Resilience: A Cyber Security Framework (CSF) 2.0 Community Profile

Where can you start your migration to PQC?

A good place to start your migration to PQC is to perform cryptographic asset discovery and inventory on your systems. Knowing the extent, location, and use of the current cryptography that you have employed will allow you to understand what needs to be migrated.

Additional Resources: Some example publications go into further detail on how to perform migration:

• The Netherland’s General Intelligence and Security Service (AIVD), Centrum Wiskunde & Informatica (CWI), and TNO, an independent not-for-profit research organisation, The PQC Migration Handbook: Guidelines for Migrating to Post-Quantum Cryptography, Revised and Extended Second Edition, December 2024

• Canadian Forum for Digital Infrastructure Resilience (CFDIR), Chapter Three of Canadian National Quantum-Readiness: Best Practices and Guidelines, version 04, July 2024

• European Telecommunications Standards Institute (ETSI), TR 104 016 V1.1.1 – CYBER; Quantum-Safe Cryptography (QSC); A Repeatable Framework for Quantum-Safe Migrations

• MITRE’s Post-Quantum Cryptography Coalition (PQCC), Post-Quantum Cryptography (PQC) Migration Roadmap

  • PQC Inventory Workbook

What is cryptographic agility?

Migration to PQC brings a new focus on developing capabilities to replace crypto assets without disruption. The following are some crypto agility papers:

• DigiCert, What is crypto-agility?

• Financial Services Information Sharing and Analysis Center (FS-ISAC), Post Quantum Cryptography (PQC) Building Cryptographic Agility in the Financial Sector

• IBM, Crypto-agility and quantum-safe readiness

• InfoSec Global, Cryptographic Agility in Practice

• NIST, NIST Cybersecurity White Paper (CSWP 39), Considerations for Achieving Crypto Agility: Strategies and Practices (Initial Public Draft) discusses approaches to achieve crypto agility while maintaining interoperability.

• PostQuantum, Introduction to Crypto-Agility

• Alliance for Telecommunications Industry Solutions (ATIS), `Strategic Framework for Crypto Agility and Quantum Risk Assessment<https://atis.org/resources/strategic-framework-for-crypto-agility-and-quantum-risk-assessment/>`_

What are Federal Information Processing Standards (FIPS)?

FIPS are standards for federal computer systems that are developed by (NIST) and approved by the Secretary of Commerce in accordance with the Information Technology Management Reform Act of 1996 and Computer Security Act of 1987. These standards are developed when there are no acceptable industry standards or solutions for a particular government requirement. Although FIPS are developed for use by the Federal Government, many in the private sector voluntarily use these standards.

What are the current FIPS?

The list of current FIPS—those that have been published, plus draft FIPS posted for comment—can be found on NIST’s Computer Security Resource Center (CSRC).

What are the Federal Information Processing Standards (FIPS) for PQC?

There are currently three finalized Federal Information Processing Standards (FIPS) for Post-Quantum Cryptography:

• FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard

• FIPS 204: Module-Lattice-Based Digital Signature Standard

• FIPS 205: Stateless Hash-Based Digital Signature Standard

These standards specify key establishment and digital signature schemes that are designed to resist future attacks by quantum computers, which threaten the security of current standards. The three algorithms specified in these standards are each derived from different submissions to the NIST Post-Quantum Cryptography Standardization Project.

Key Encapsulation Mechanism

FIPS 203 specifies a cryptographic scheme called the Module-Lattice-Based Key-Encapsulation Mechanism Standard, which is derived from the CRYSTALS-KYBER submission. A key encapsulation mechanism (KEM) is a particular type of key establishment scheme that can be used to establish a shared secret key between two parties communicating over a public channel.

Current NIST-approved key establishment schemes are specified in NIST Special Publications (SP): SP 800-56A, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm-Based Cryptography, and SP 800-56B, Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization Cryptography.

NIST has also chosen Hamming Quasi-Cyclic (HQC) to be standardized. NIST will develop a standard based on HQC to augment its key-establishment portfolio.

Digital Signatures

FIPS 204 and 205 each specify digital signature schemes, which are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. FIPS 204 specifies the Module-Lattice-Based Digital Signature Standard, which is derived from the CRYSTALS-Dilithium submission. FIPS 205 specifies the Stateless Hash-Based Digital Signature Standard, which is derived from the SPHINCS+ submission.

Current NIST-approved digital signature schemes are specified in FIPS 186-5, Digital Signature Standard, and SP 800-208, Recommendation for Stateful Hash-Based Signature Schemes.

NIST is also developing a FIPS that specifies a digital signature algorithm derived from FALCON as an additional alternative to these standards.

Does NIST have validation testing of approved (i.e., FIPS-approved and NIST-recommended) cryptographic algorithms and their individual components?

NIST’s Cryptographic Algorithm Validation Program (CAVP) offers two Automated Cryptographic Validation Test Systems (ACVTS) for interested users to test cryptographic algorithm implementations. A Demo ACVTS server is available at no cost to interested parties. More information on accessing the ACVTS can be found the CAVP page on Accessing the ACVTS.

The Production ACVTS server is only available to National Voluntary Laboratory Accreditation Program (NVLAP) accredited testing laboratories, and is the only way to create algorithm validation certificates listed on the Algorithm Validation Search Page. The CAVP, through ACVTS, will generate test vectors to match the capabilities of a given implementation under test. The CAVP is not responsible for running those test vectors through the implementation.

Example: CAVP List of Validated PQC Algorithms

Does NIST have a security metric to use in procuring equipment containing validated cryptographic modules?

NIST’s Cryptographic Module Validation Program (CMVP) aims to promote the use of validated cryptographic modules and provide Federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules.

Is there a way to use a suite of automated tools that would permit organizations to perform testing of their cryptographic products according to the requirements of FIPS 140-3, then directly report the results to NIST using appropriate protocols?

NIST’s NCCoE has an Automation of the NIST Cryptographic Module Validation Project.

What does NIST guidance say about transitioning from quantum-vulnerable cryptographic algorithms to post-quantum digital signature algorithms and key-establishment schemes?

NIST IR 8547 (Initial Public Draft) Transition to Post-Quantum Cryptography Standards identifies existing quantum-vulnerable cryptographic standards and the current quantum-resistant standards that will be used in the migration. This report should inform the efforts and timelines of federal agencies, industry, and standards organizations for migrating information technology products, services, and infrastructure to PQC. Comments received on this draft will be used to revise this transition plan and feed into other algorithm-specific and application-specific guidance for the transition to PQC.

The following questions are addressed in NIST IR 8547:

• Where are the quantum-vulnerable algorithms in NIST’s existing cryptographic standards as well as the post-quantum algorithm standards that have been recently published?

  • See section 2 of NIST IR 8457

• What are some migration considerations and use cases?

  • See section 3 of NIST IR 8457

• What is the transition plan for quantum-vulnerable algorithms?

  • See Section 4.1 of NIST IR 8457

• What are the post-quantum security categories?

  • See Table 1 of NIST IR 8457

• What are the quantum-vulnerable digital signature algorithms?

  • See Table 2 of NIST IR 8457

• What are the post-quantum digital signature algorithms?

  • See Table 3 of NIST IR 8457

• What are the quantum-vulnerable key-establishment schemes?

  • See Table 4 of NIST IR 8457

• What are the post-quantum key-establishment schemes?

  • See Table 5 of NIST IR 8457

• What are security strength bit minimums for AES (FIPS 197)?

  • See Table 6 of NIST IR 8457

• What are the collision security strength, collision security categories, preimage security strength, and preimage security categories for hash functions and eXtendable-Output Functions (XOFs)?

  • See Table 7 of NIST IR 8457

What U.S. government policies, memorandums, and standards discuss migration to PQC?

The U.S. government’s approach to migrating to PQC is designed to safeguard national security and critical infrastructure against future quantum threats.

The following bullets offer a timeline that illustrates the directives and resources which were established for use by federal agencies:

• January 2022, National Security Memorandum-8 (NSM-8)

  • NSM-8 provides guidance for National Security System (NSS) and related assets that outlines updating the Commercial National Security Algorithm (CNSA) to include quantum-resistant protocols, additional protections for data, migration efforts, and reporting requirements.

• May 2022, National Security Memorandum-10 (NSM-10)

  • NSM-10 provides guidance for non-NSS and related assets which outlines the creation of cryptographic migration efforts with NIST NCCoE, the Federal Civilian Executive Branch (FCEB) annual cryptographic inventory of High Value Assets and High Impact Systems reported to CISA, migration efforts and reporting away from Cryptanalytically Relevant Quantum Computer (CRQC) vulnerable cryptography.

• September 2022, Announcing the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0)

  • Release of CNSA 2.0 provides guidance for quantum-resistant algorithms (QRAs), timelines, and additional guidance sources for NSS and related assets. FAQ page was updated Dec 2024.

• November 2022, Office of Management and Budget M-23-02

  • M-23-02 provides direction for agencies to comply with NSM-10 and further defines what systems/assets and associated information to include in inventories. NIST will establish a mechanism to enable the exchange of PQC testing information and best practices. That mechanism is the NCCoE Migration to PQC project.

• December 2022, Quantum Computing Cybersecurity Preparedness Act 6 U.S.C. § 1526

  • The Quantum Computer Cybersecurity Preparedness Act reaffirms NSM-10 and M-23-02. It includes requirements for inventory of cryptographic systems, migration to PQC, and reporting in alignment with prior PQC memorandums.

• August 2024, The Secretary of Commerce approved three Federal Information Processing Standards (FIPS) for post-quantum cryptography

  • FIPS 203: ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism Standard)

  • FIPS 204: ML-DSA (Module-Lattice-Based Digital Signature Standard)

  • FIPS 205: SLH-DSA (Stateless Hash-Based Digital Signature Standard)

• October 2024, NIST Announces 14 Candidates to Advance to the Second Round of the Additional Digital Signatures for the Post-Quantum Cryptography Standardization Process

• November 2024, Transition to Post-Quantum Cryptography Standards | Draft NIST IR 8547 is Available for Comment

• December 2024, Updated The Commercial National Security Algorithm Suite 2.0 and Quantum Computing FAQ

• March 2025, NIST Selects HQC as Fifth Algorithm for Post-Quantum Encryption

What are some additional U.S. government resources?

• Cybersecurity and Infrastructure Security Agency (CISA), Post-Quantum Cryptography Initiative

• Department of Homeland Security (DHS), Post-Quantum Cryptography

• Homeland Security Operational Analysis Center (HSOAC), Preparing for Post-Quantum Critical Infrastructure: Assessments of Quantum Computing Vulnerabilities of National Critical Functions

• FedRAMP, Policy for Cryptographic Module Selection and Use

• General Services Administration (GSA), Post Quantum Cryptography Buyer’s Guide

What are some international resources, perspectives, and posts regarding PQC?

The following documents represent a timeline view of international perspectives regarding considerations for the transition to PQC.

• July 2020, European Telecommunications Standards Institute (ETSI), TR 103 619 - V1.1.1 - CYBER; Migration strategies and recommendations to Quantum Safe schemes

• May 2021, European Union Agency for Cybersecurity (ENISA), Post-Quantum Cryptography: Current state and quantum mitigation

• April 2021, The International Telecommunication Union (ITU), X.1811: Security guidelines for applying quantum-safe algorithms in IMT-2020 systems

• October 2022, ENISA, Post-Quantum Cryptography - Integration study

• October 2022, ENISA, Post-Quantum Cryptography: Anticipating Threats and Preparing the Future

• February 2023, Global Systems for Mobile communications Association (GSMA), Post Quantum Telco Network Impact Assessment Whitepaper, Version 1.0

• March 2023, Financial Services Information Sharing and Analysis Center (FS-ISAC), Preparing for a Post-Quantum World by Managing Cryptographic Risk

• March 2023, The Netherland’s General Intelligence and Security Service (AIVD), Centrum Wiskunde & Informatica (CWI), and TNO, an independent not-for-profit research organisation, The PQC Migration Handbook

• May 2023, ETSI, TR 103 949 - V1.1.1 - Quantum-Safe Cryptography (QSC) Migration; ITS and C-ITS migration study

• August 2023, International Organization for Standardization/International Electrotechnical Commission (ISO/IEC), ISO/IEC 23837-1:2023 - Information security — Security requirements, test and evaluation methods for quantum key distribution — Part 1: Requirements

• September 2023, GSMA, Guidelines for Quantum Risk Management for Telco, Version 1.0

• March 2024, Internet Engineering Task Force (IETF), Post-Quantum Cryptography Recommendations for TLS-based Applications

• August 2024, The United Kingdom’s National Cyber Security Centre (NCSC), Next steps in preparing for post-quantum cryptography

• October 2024, Germany’s Federal Office for Information Security (BSI), Securing Tomorrow, Today: Transitioning to Post-Quantum Cryptography

• October 2024, ETSI, CYBER; Quantum-Safe Cryptography (QSC); A Repeatable Framework for Quantum-Safe Migrations

• March 2025, ETSI, ETSI launches new standard for Quantum-Safe Hybrid Key Exchanges to secure future post-quantum encryption

• June 2025, European Union, Network and Information Systems Cooperation Group, A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography - Part 1, Version: 1.1, EU PQC Workstream

• June 2025, Canadian Centre for Cyber Security, Roadmap for the migration to post-quantum cryptography for the Govenrment of Canda (ITSM.40.001)

What are some additional international resources?

• GSMA, Post Quantum Government Initiatives by Country and Region provides a summary of the existing government and region PQC guidelines (last updated March 2025).

What are some Sector-Specific PQC Resources?

Financial Services Sector

• Financial Services Information Sharing and Analysis Center (FS-ISAC), Post Quantum Cryptography Resources

• X9, Effort to Create Post-Quantum Cryptography Assessment Guidelines

• Bank for International Settlements (BIS), Quantum-readiness for the financial system: a roadmap

Information Technology Sector

• Microsoft, Microsoft’s Quantum-resistant cryptography is here

  • Post-Quantum Cryptography Comes to Windows Insiders and Linux

• Google, Announcing quantum-safe digital signatures in Cloud KMS

• Cloudflare, Cloudflare Advances Industry’s First Cloud-Native Quantum-Safe Zero Trust Solution

• Bouncy Castle, A PQC Almanac

• IBM and InfoSec Global, IBM Consulting and InfoSec Global collaborate on visibility and control of cryptographic assets

Telecom

• Global Systems for Mobile communications Association (GSMA), PQ.03 Post Quantum Cryptography – Guidelines for Telecom Use Cases v2.0

• Alliance for Telecommunications Industry Solutions (ATIS), Preparing 5G for the Quantum Era: An Analysis of 3GPP Architecture and the Transition to Quantum-Resistant Cryptography

What has the National Cybersecurity Center of Excellence (NCCoE) published to support migration from the current set of public-key cryptographic algorithms to replacement algorithms that are resistant to quantum computer-based attacks?

What has the NCCoE published regarding interoperability and performance testing of Transport Layer Security?

The Transport Layer Security (TLS) protocol is arguably the most deployed online security protocol, so it is critical to make sure it supports post-quantum protection. Moreover, its wide use makes it a prime target for harvest-now-decrypt-later attacks. It is therefore no surprise that TLS has been one of the first protocols on which PQC was prototyped.

See Section 6 “Transport Layer Security” in the Preliminary Draft NIST SPECIAL PUBLICATION 1800-38C Migration to Post-Quantum Cryptography Quantum Readiness: Testing Draft Standards to see interoperability and performance results performed before December 2023 using the draft PQC KEM standards.