Frequently Asked Questions about Post-Quantum Cryptography


Note: This page is supplementary material for the NIST Migration to Post-Quantum Cryptography Project.

This Frequently Asked Questions (FAQ) resource offers answers to questions about the need to secure electronic information with post-quantum cryptography. This FAQ is not an exhaustive list and will be updated periodically. Please send new questions you would like considered for inclusion to applied-crypto-pqc@nist.gov.

Last Updated: September 3, 2025

What is Post-Quantum Cryptography (PQC)?

Post-Quantum Cryptography (PQC) refers to cryptographic methods designed to resist attacks from both classical and quantum computers. As quantum computers advance, they could potentially break current encryption methods like RSA and elliptic curve cryptography (ECC), which rely on mathematical problems that are difficult for classical computers to solve. The aim of PQC is to develop encryption algorithms that remain secure against these emerging threats while still being compatible with existing systems and networks.

The National Institute of Standards and Technology (NIST) is leading global efforts to standardize these quantum-resistant algorithms to ensure the security of digital communications in the quantum era.

Additional Resources: On NIST’s What Is Post-Quantum Cryptography? webpage, you can learn more about the following:

  • What is quantum computing?

  • Why are quantum computers being developed if they can potentially cause so much harm?

  • How does current cryptography work and how would a quantum computer crack it?

  • Why do we need post-quantum encryption and how will PQC algorithms work?

  • If cryptographically relevant quantum computers don’t exist yet, why is developing post-quantum encryption algorithms important now?

  • What is “harvest now, decrypt later”?

  • How did NIST design and select the algorithms it is standardizing?

  • Why is NIST leading the effort to develop PQC standards?

  • What can we be doing now to get ready for cryptanalytically relevant quantum computers?

What are some other terms used to describe post-quantum cryptography?

With the growing attention on quantum computing as an emerging technology, pairing the term “quantum” with “readiness”, “resistant”, “safe”, or “secure” has become another way to convey what is being achieved in this cryptographic migration.

What are some examples of the use of “quantum-readiness” to describe what is being achieved by migrating to post-quantum cryptography?

What are some examples of the use of “quantum-resistant” to describe what is being achieved by migrating to post-quantum cryptography?

What are some examples of the use of “quantum-safe” to describe what is being achieved by migrating to post-quantum cryptography?

What is an example of the use of “quantum-secure” to describe what is being achieved by migrating to post-quantum cryptography?

When will a cryptanalytically relevant quantum computer exist?

Estimates for the development of a cryptanalytically relevant quantum computer (CRQC) vary widely:

  • Near-term: Some believe that CRQCs may emerge by 2030, driven by rapid advancements.

  • Mid-term: Many anticipate they could become feasible within 15 to 20 years, requiring significant progress in scaling and error correction.

  • Long-term: Others believe it may take 30+ years due to the challenges of achieving fault-tolerant quantum systems.

Despite uncertainty about when a CRQC will come into existence, experts agree on the importance of preparing for quantum threats now to secure cryptographic systems for the future.

Additional Resources: The following resources provide additional assessments of the state of development of current technologies for the realization of a CRQC:

What are some timelines for activities which organizations must carry out to migrate to post-quantum cryptography in the coming years?

The following resources give information related to timelines and milestones for migrating to PQC:

What are some examples of the drivers for acting to migrate to PQC?

The following industry resources advocate the critical need to counter the threat to public key cryptography from a cryptanalytically relevant quantum computer:

Where can you start your migration to PQC?

A good place to start your migration to PQC is to perform cryptographic asset discovery and inventory on your systems. Knowing the extent, location, and use of the current cryptography that you have employed will allow you to understand what needs to be migrated.

Additional Resources: Some example publications go into further detail on how to perform migration:

What is cryptographic agility?

Migration to PQC brings a new focus on developing capabilities to replace crypto assets without disruption. The following are some crypto agility papers:

What are Federal Information Processing Standards (FIPS)?

FIPS are standards for federal computer systems that are developed by NIST and approved by the Secretary of Commerce in accordance with the Information Technology Management Reform Act of 1996 and the Computer Security Act of 1987. These standards are developed when there are no acceptable industry standards or solutions for a particular government requirement. Although FIPS are developed for use by the Federal Government, many in the private sector voluntarily use these standards.

What are the current FIPS?

The list of current FIPS—those that have been published, plus draft FIPS posted for comment—can be found on NIST’s Computer Security Resource Center (CSRC).

What are the Federal Information Processing Standards (FIPS) for PQC?

There are currently three finalized Federal Information Processing Standards (FIPS) for Post-Quantum Cryptography:

These standards specify key establishment and digital signature schemes that are designed to resist future attacks by quantum computers, which threaten the security of current standards. The three algorithms specified in these standards are each derived from different submissions to the NIST Post-Quantum Cryptography Standardization Project.

Key Encapsulation Mechanism

FIPS 203 specifies a cryptographic scheme called the Module-Lattice-Based Key-Encapsulation Mechanism Standard, which is derived from the CRYSTALS-KYBER submission. A key encapsulation mechanism (KEM) is a particular type of key establishment scheme that can be used to establish a shared secret key between two parties communicating over a public channel.
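As an added example that is not part of the NIST page, the KEM flow just described run end to end with ML-KEM-768 from Go's standard crypto/mlkem package (Go 1.24 or later assumed; the function names are this example's own). The second function shows a property worth knowing before building on a KEM: FIPS 203 decapsulation does not fail on a well-formed but corrupted ciphertext, it returns an unrelated secret, so key confirmation and peer authentication must come from the surrounding protocol.

```go
package main

import (
	"bytes"
	"crypto/mlkem"
	"fmt"
)

// Exchange runs the FIPS 203 flow with ML-KEM-768 from Go's crypto/mlkem. Only
// the encapsulation key and the ciphertext cross the public channel; it returns
// both sides' 32-byte secrets plus the two on-the-wire sizes.
func Exchange() (receiverSecret, senderSecret []byte, ekSize, ctSize int, err error) {
	dk, err := mlkem.GenerateKey768() // receiver: private decapsulation key
	if err != nil {
		return nil, nil, 0, 0, err
	}
	ekBytes := dk.EncapsulationKey().Bytes() // receiver -> sender, public
	// Sender: parse the received key (this validates its encoding), then
	// encapsulate a fresh shared secret for the receiver.
	ek, err := mlkem.NewEncapsulationKey768(ekBytes)
	if err != nil {
		return nil, nil, 0, 0, err
	}
	senderSecret, ciphertext := ek.Encapsulate() // sender -> receiver

	receiverSecret, err = dk.Decapsulate(ciphertext) // receiver, private key only
	if err != nil {
		return nil, nil, 0, 0, err
	}
	return receiverSecret, senderSecret, len(ekBytes), len(ciphertext), nil
}

// TamperedCiphertextDiverges shows ML-KEM's implicit rejection: a corrupted
// ciphertext of the right length decapsulates without error but to an unrelated
// secret. A KEM authenticates nobody; the protocol above it must confirm the key.
func TamperedCiphertextDiverges() (bool, error) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return false, err
	}
	secret, ct := dk.EncapsulationKey().Encapsulate()
	ct[0] ^= 0x01 // one bit flipped in transit
	got, err := dk.Decapsulate(ct)
	return err == nil && !bytes.Equal(got, secret), err
}

func main() {
	r, s, ekSize, ctSize, err := Exchange()
	fmt.Println("match:", err == nil && bytes.Equal(r, s), "ek bytes:", ekSize, "ct bytes:", ctSize)
}
```

The printed sizes (1184-byte encapsulation key, 1088-byte ciphertext) are what ML-KEM-768 adds to a handshake compared with a classical key exchange.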

Current NIST-approved key establishment schemes are specified in NIST Special Publications (SP): SP 800-56A, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm-Based Cryptography, and SP 800-56B, Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization Cryptography.

NIST has also chosen Hamming Quasi-Cyclic (HQC) to be standardized. NIST will develop a standard based on HQC to augment its key-establishment portfolio.

Digital Signatures

FIPS 204 and 205 each specify digital signature schemes, which are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. FIPS 204 specifies the Module-Lattice-Based Digital Signature Standard, which is derived from the CRYSTALS-Dilithium submission. FIPS 205 specifies the Stateless Hash-Based Digital Signature Standard, which is derived from the SPHINCS+ submission.

Current NIST-approved digital signature schemes are specified in FIPS 186-5, Digital Signature Standard, and SP 800-208, Recommendation for Stateful Hash-Based Signature Schemes.

NIST is also developing a FIPS that specifies a digital signature algorithm derived from FALCON as an additional alternative to these standards.

Does NIST have a security metric to use in procuring equipment containing validated cryptographic modules?

NIST’s Cryptographic Module Validation Program (CMVP) aims to promote the use of validated cryptographic modules and provide Federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules.

Is there a way to use a suite of automated tools that would permit organizations to perform testing of their cryptographic products according to the requirements of FIPS 140-3, then directly report the results to NIST using appropriate protocols?

NIST’s NCCoE has an Automation of the NIST Cryptographic Module Validation Project.

What does NIST guidance say about transitioning from quantum-vulnerable cryptographic algorithms to post-quantum digital signature algorithms and key-establishment schemes?

NIST IR 8547 (Initial Public Draft), Transition to Post-Quantum Cryptography Standards, identifies existing quantum-vulnerable cryptographic standards and the current quantum-resistant standards that will be used in the migration. This report should inform the efforts and timelines of federal agencies, industry, and standards organizations for migrating information technology products, services, and infrastructure to PQC. Comments received on this draft will be used to revise this transition plan and feed into other algorithm-specific and application-specific guidance for the transition to PQC.

The following questions are addressed in NIST IR 8547:

  • Where are the quantum-vulnerable algorithms in NIST’s existing cryptographic standards as well as the post-quantum algorithm standards that have been recently published?

  • What are some migration considerations and use cases?

  • What is the transition plan for quantum-vulnerable algorithms?

  • What are the post-quantum security categories?

  • What are the quantum-vulnerable digital signature algorithms?

  • What are the post-quantum digital signature algorithms?

  • What are the quantum-vulnerable key-establishment schemes?

  • What are the post-quantum key-establishment schemes?

  • What are security strength bit minimums for AES (FIPS 197)?

  • What are the collision security strength, collision security categories, preimage security strength, and preimage security categories for hash functions and eXtendable-Output Functions (XOFs)?

What U.S. government policies, memorandums, and standards discuss migration to PQC?

The U.S. government’s approach to migrating to PQC is designed to safeguard national security and critical infrastructure against future quantum threats.

The following bullets offer a timeline that illustrates the directives and resources which were established for use by federal agencies:

What are some additional U.S. government resources?

What are some international resources, perspectives, and posts regarding PQC?

The following documents represent a timeline view of international perspectives regarding considerations for the transition to PQC.

What are some additional international resources?

What are some Sector-Specific PQC Resources?

Financial Services Sector

Information Technology Sector

Telecom

What has the National Cybersecurity Center of Excellence (NCCoE) published to support migration from the current set of public-key cryptographic algorithms to replacement algorithms that are resistant to quantum computer-based attacks?

What has the NCCoE published regarding interoperability and performance testing of Transport Layer Security?

The Transport Layer Security (TLS) protocol is arguably the most widely deployed online security protocol, so it is critical to make sure it supports post-quantum protection. Moreover, its wide use makes it a prime target for harvest-now-decrypt-later attacks. It is therefore no surprise that TLS has been one of the first protocols on which PQC was prototyped.

See Section 6, “Transport Layer Security”, in the Preliminary Draft of NIST Special Publication 1800-38C, Migration to Post-Quantum Cryptography Quantum Readiness: Testing Draft Standards, for the results of interoperability and performance testing performed before December 2023 using the draft PQC KEM standards.