What is Post-Quantum Cryptography?
Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to resist attacks from both classical and quantum computers. Today's widely deployed public-key algorithms – RSA, ECDSA, and Diffie-Hellman – rely on mathematical problems that a sufficiently large quantum computer could solve efficiently. PQC replaces them with algorithms grounded in problems believed to remain hard even for large-scale quantum machines.
Why Quantum Computers Threaten Current Cryptography
Shor’s Algorithm Breaks Public-Key Cryptography
In 1994, Peter Shor showed that a sufficiently large quantum computer can factor integers and compute discrete logarithms in polynomial time. This directly breaks:
- RSA – relies on the difficulty of factoring large semiprimes
- ECDSA / EdDSA – relies on the elliptic curve discrete logarithm problem
- Diffie-Hellman / ECDH – relies on the discrete logarithm problem
Published resource estimates put RSA-2048 within reach of a few thousand error-corrected logical qubits (each built from many noisy physical qubits) running for hours, and the figures keep shrinking as error-correction and circuit designs improve. No classical algorithm comes anywhere close: factoring a 2048-bit modulus with the number field sieve remains infeasible.
Grover’s Algorithm Weakens Symmetric Cryptography
Grover's algorithm provides a quadratic speedup for searching an unstructured space of candidates. Applied to a k-bit key, it finds the key in about 2^(k/2) evaluations instead of 2^k, which in the idealized model halves the security level of symmetric keys and hash preimages:
| Algorithm | Classical Security | Security vs. Grover (idealized) |
|---|---|---|
| AES-128 | 128 bits | ~64 bits |
| AES-256 | 256 bits | ~128 bits |
| SHA-256 | 256-bit preimage | ~128-bit preimage |
The practical impact is more nuanced than the table suggests. Grover's search is inherently sequential and parallelizes poorly, so the real cost of 2^64 quantum evaluations against AES-128 is far higher than a classical 2^64 attack, and NIST still defines its Level 1 security category as "at least as hard as exhaustive key search on AES-128". AES-256 and SHA-256 remain comfortably safe, and doubling symmetric key sizes where feasible is a cheap, conservative hedge rather than an emergency migration.
Timeline: “Harvest Now, Decrypt Later”
Estimates for when a cryptographically relevant quantum computer (CRQC) will exist vary widely – anywhere from the early 2030s to beyond 2040. However, the “harvest now, decrypt later” threat is real today: adversaries can record encrypted network traffic now and store it until a quantum computer becomes available to decrypt it. Data with long confidentiality requirements (government secrets, medical records, financial data) is already at risk.
NIST PQC Standardization
The U.S. National Institute of Standards and Technology (NIST) began its Post-Quantum Cryptography Standardization process in 2016, with a formal call for proposals that December. After multiple rounds of evaluation, NIST published its first three standards in August 2024, with a fourth still in draft:
FIPS 203: ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism)
- Based on: Module Learning With Errors (Module-LWE) lattice problem
- Purpose: Key encapsulation (replacing ECDH, RSA key exchange)
- Parameter sets: ML-KEM-512 (Level 1), ML-KEM-768 (Level 3), ML-KEM-1024 (Level 5)
- Formerly known as: CRYSTALS-Kyber
FIPS 204: ML-DSA (Module-Lattice-Based Digital Signature Algorithm)
- Based on: Module Learning With Errors / Short Integer Solution (Module-LWE/SIS)
- Purpose: Digital signatures (replacing ECDSA, RSA signatures)
- Parameter sets: ML-DSA-44 (Level 2), ML-DSA-65 (Level 3), ML-DSA-87 (Level 5)
- Formerly known as: CRYSTALS-Dilithium
FIPS 205: SLH-DSA (Stateless Hash-Based Digital Signature Algorithm)
- Based on: Hash function security only – the most conservative assumption
- Purpose: Digital signatures with minimal cryptographic assumptions
- Parameter sets: Multiple variants using SHA-2 or SHAKE, at Levels 1/3/5, in fast (f) or small (s) modes
- Formerly known as: SPHINCS+
Falcon (FN-DSA, Pending FIPS 206)
- Based on: NTRU lattices, with a Gaussian sampler that works in the Fast Fourier Transform (FFT) domain over floating-point reals (compact output, but notoriously hard to implement in constant time)
- Purpose: Digital signatures with compact signature sizes
- Parameter sets: Falcon-512 (Level 1), Falcon-1024 (Level 5)
- Status: Selected by NIST for standardization; standard expected as FIPS 206
Korean PQC (KPQC) Standards
South Korea has conducted a parallel post-quantum standardization effort through the Korean Post-Quantum Cryptography (KPQC) competition, organized by the Korean Cryptographic Research Association. This process evaluated algorithms specifically suitable for Korean government and industry use cases.
Selected algorithms include:
- SMAUG-T – Lattice-based key encapsulation mechanism
- HAETAE – Lattice-based digital signature scheme
- AIMer – Signature scheme based on the MPC-in-the-head paradigm
- NTRU+ – Enhanced NTRU-based key encapsulation
These algorithms serve domestic Korean compliance requirements and add algorithmic diversity beyond the NIST selections.
Mathematical Foundations
Post-quantum algorithms draw security from several families of hard mathematical problems:
Lattice Problems (LWE, SIS)
The Learning With Errors (LWE) problem asks for a secret vector s given noisy linear samples (A, A·s + e); the Short Integer Solution (SIS) problem asks for a short non-zero vector x with A·x = 0 mod q. Both reduce to finding short vectors in high-dimensional lattices. The best known attacks, classical and quantum alike, are lattice-reduction and sieving algorithms whose cost grows exponentially in the lattice dimension; known quantum algorithms only shave a constant factor off the exponent. ML-KEM, ML-DSA, Falcon, and NTRU all rely on this hardness, using structured (ring or module) lattices for efficiency.
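As an added illustration of how an LWE public key, encapsulation and decapsulation fit together, and of the Fujisaki-Okamoto re-encryption check that ML-KEM uses to reach IND-CCA security with implicit rejection, here is a toy KEM on plain (unstructured) LWE. This is example code, not MetaMUI's implementation and not ML-KEM itself: the parameters `Q`, `N`, `L`, the SHAKE-based samplers and the `keygen`/`encaps`/`decaps` names are assumptions for the example, the dimension is far too small to be secure, and ML-KEM additionally works over polynomial rings (Module-LWE) with an NTT, centered-binomial sampling and ciphertext compression, all omitted here.

```python
"""Toy LWE key encapsulation with ML-KEM's Fujisaki-Okamoto wrapper (added example).

Public key  : t_j = A*s_j + e_j              (A public, s_j and e_j small)
Encapsulate : u = A^T r + e1,  v_j = <t_j, r> + e2_j + m_j*round(q/2)
Decapsulate : w_j = v_j - <s_j, u> = <e_j, r> + e2_j - <s_j, e1> + m_j*round(q/2)
              -> m_j = 1 iff w_j is closer to q/2 than to 0 (noise stays below q/4)
Toy-sized parameters, NOT secure. ML-KEM uses Module-LWE over polynomial rings,
an NTT, CBD sampling and ciphertext compression, none of which appear here.
"""
import hashlib
import secrets

Q = 3329  # modulus (the value ML-KEM uses, kept for familiarity)
N = 128   # LWE dimension; an assumption for the toy, far too small for security
L = 32    # message bits per ciphertext (ML-KEM carries 256)


def _small(seed: bytes, count: int) -> list:
    """Small secret/error coefficients in {-1, 0, 1}, derived from SHAKE-256."""
    return [(b % 3) - 1 for b in hashlib.shake_256(seed).digest(count)]


def _uniform(seed: bytes, count: int) -> list:
    """Coefficients mod Q from SHAKE-256 (slightly biased; fine for a toy)."""
    raw = hashlib.shake_256(seed).digest(2 * count)
    return [int.from_bytes(raw[2 * i:2 * i + 2], "little") % Q for i in range(count)]


def _expand_a(rho: bytes) -> list:
    """Public N x N matrix A regenerated from the 32-byte seed rho, as ML-KEM does."""
    return [_uniform(rho + i.to_bytes(2, "little"), N) for i in range(N)]


def _dot(a: list, b: list) -> int:
    return sum(x * y for x, y in zip(a, b)) % Q


def _ser(vals: list) -> bytes:
    return b"".join(x.to_bytes(2, "little") for x in vals)


def _hash_ek(ek) -> bytes:
    rho, T = ek
    return hashlib.sha3_256(rho + b"".join(_ser(t) for t in T)).digest()


def _bits(m: bytes) -> list:
    return [(byte >> i) & 1 for byte in m for i in range(8)]


def _unbits(bits: list) -> bytes:
    return bytes(sum(bits[8 * k + i] << i for i in range(8)) for k in range(len(bits) // 8))


def keygen(seed: bytes):
    """Return (ek, dk): ek = (rho, T) with T[j] = A*s_j + e_j; dk keeps the s_j."""
    rho, sigma, z = (hashlib.sha3_256(tag + seed).digest() for tag in (b"rho", b"sigma", b"z"))
    A = _expand_a(rho)
    S = [_small(sigma + b"s" + bytes([j]), N) for j in range(L)]
    E = [_small(sigma + b"e" + bytes([j]), N) for j in range(L)]
    T = [[(_dot(row, S[j]) + E[j][i]) % Q for i, row in enumerate(A)] for j in range(L)]
    ek = (rho, T)
    return ek, (S, ek, _hash_ek(ek), z)  # z: secret used for implicit rejection


def _encrypt(ek, m_bits: list, coins: bytes):
    """Deterministic LWE encryption of L bits; all randomness is derived from coins."""
    rho, T = ek
    A = _expand_a(rho)
    r, e1, e2 = _small(coins + b"r", N), _small(coins + b"e1", N), _small(coins + b"e2", L)
    u = [(sum(A[k][i] * r[k] for k in range(N)) + e1[i]) % Q for i in range(N)]  # A^T r + e1
    v = [(_dot(T[j], r) + e2[j] + m_bits[j] * (Q // 2)) % Q for j in range(L)]
    return u, v


def _decrypt(S: list, ct) -> list:
    """Recover the bits: |noise| <= 2N + 1 = 257 < Q/4, so decoding never fails here."""
    u, v = ct
    return [1 if Q // 4 < (v[j] - _dot(S[j], u)) % Q <= 3 * Q // 4 else 0 for j in range(L)]


def encaps(ek, m: bytes = None):
    """Return (ciphertext, shared key). m defaults to fresh randomness; fix it only in tests."""
    if m is None:
        m = secrets.token_bytes(L // 8)
    kr = hashlib.sha3_512(m + _hash_ek(ek)).digest()  # (K, coins) = G(m || H(ek))
    K, coins = kr[:32], kr[32:]
    return _encrypt(ek, _bits(m), coins), K


def decaps(dk, ct) -> bytes:
    """Decrypt, re-encrypt, compare; on mismatch return J(z || ct) (implicit rejection)."""
    S, ek, h_ek, z = dk
    m_bits = _decrypt(S, ct)
    kr = hashlib.sha3_512(_unbits(m_bits) + h_ek).digest()
    K, coins = kr[:32], kr[32:]
    K_reject = hashlib.shake_256(z + _ser(ct[0]) + _ser(ct[1])).digest(32)
    # A real implementation selects between K and K_reject in constant time.
    return K if _encrypt(ek, m_bits, coins) == ct else K_reject


if __name__ == "__main__":
    ek, dk = keygen(secrets.token_bytes(32))
    ct, k = encaps(ek)
    print("shared keys match:", decaps(dk, ct) == k)
```

Two details carry over to the real scheme. The decapsulator never raises on a bad ciphertext: it returns a key derived from the secret `z` and the ciphertext, so an attacker cannot use decryption failures as an oracle. And the comparison of the re-encrypted ciphertext, written here as a plain `==`, must be constant time in production code, because its timing otherwise leaks whether the decrypted message was accepted.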
Hash-Based Security
Hash-based signatures (SLH-DSA) rely only on the security of the underlying hash function: preimage resistance, second-preimage resistance, and pseudorandomness of the keyed variants. SLH-DSA is deliberately built so that it does not even need collision resistance, the property that historically fails first (as with MD5 and SHA-1). This is the most conservative approach, making the fewest assumptions, at the cost of large signatures (roughly 8 to 50 KB depending on the parameter set) and slow signing.
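To show why a hash function alone suffices, and what "stateless" buys, here is an added example (not MetaMUI's code and not SLH-DSA itself) of the classic stateful construction: Lamport one-time keys under a Merkle tree. The class and function names, the tree height and the seed-derived key generation are assumptions for the example; SLH-DSA replaces Lamport with WOTS+ and FORS under a hypertree so that leaf indices can be chosen pseudorandomly instead of tracked, which is exactly the state this toy has to keep.

```python
"""Toy stateful hash-based signature: Lamport one-time keys under a Merkle tree (added example).

Security rests only on SHA-256: forging a Lamport signature means finding a
preimage of a public-key hash, and substituting a leaf means finding a second
preimage somewhere in the tree. This toy is stateful: `next_leaf` must never
move backwards, because signing two messages with one Lamport key reveals both
secrets of every bit position where the digests differ.
"""
import hashlib
import secrets


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def _msg_bits(msg: bytes) -> list:
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_keygen(seed: bytes, leaf: int):
    """One-time key: 256 secret pairs derived from (seed, leaf) and their hashes as public key."""
    sk = [[H(seed, leaf.to_bytes(4, "big"), bytes([i, b])) for b in (0, 1)] for i in range(256)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk


def lamport_pk_hash(pk) -> bytes:
    return H(*[x for pair in pk for x in pair])


def lamport_sign(sk, msg: bytes) -> list:
    """Reveal, for each digest bit, the secret matching that bit; the other secret stays hidden."""
    return [sk[i][bit] for i, bit in enumerate(_msg_bits(msg))]


def lamport_verify(pk, msg: bytes, sig: list) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, _msg_bits(msg)))
    )


class MerkleSigner:
    """2**height one-time keys under a single root; next_leaf is the state that must not be reused."""

    def __init__(self, height: int = 3, seed: bytes = None):
        self.seed = seed if seed is not None else secrets.token_bytes(32)
        self.n = 1 << height
        self.levels = [[lamport_pk_hash(lamport_keygen(self.seed, j)[1]) for j in range(self.n)]]
        while len(self.levels[-1]) > 1:
            lvl = self.levels[-1]
            self.levels.append([H(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
        self.root = self.levels[-1][0]
        self.next_leaf = 0

    def sign(self, msg: bytes):
        if self.next_leaf >= self.n:
            raise RuntimeError("all one-time keys consumed; reusing one would leak secrets")
        j, self.next_leaf = self.next_leaf, self.next_leaf + 1
        sk, pk = lamport_keygen(self.seed, j)
        auth, idx = [], j
        for lvl in self.levels[:-1]:  # sibling hash on each level = authentication path
            auth.append(lvl[idx ^ 1])
            idx >>= 1
        return j, lamport_sign(sk, msg), pk, auth


def merkle_verify(root: bytes, msg: bytes, sig) -> bool:
    """Check the one-time signature, then recompute the path from the leaf's key hash to the root."""
    j, ots, pk, auth = sig
    if not lamport_verify(pk, msg, ots):
        return False
    node, idx = lamport_pk_hash(pk), j
    for sib in auth:
        node = H(node, sib) if idx % 2 == 0 else H(sib, node)
        idx >>= 1
    return node == root


def reuse_exposure(msg1: bytes, msg2: bytes) -> int:
    """Number of the 256 secret pairs fully revealed if one Lamport key signs both messages."""
    return sum(a != b for a, b in zip(_msg_bits(msg1), _msg_bits(msg2)))


if __name__ == "__main__":
    signer = MerkleSigner(height=3)
    sig = signer.sign(b"hello")
    print("valid:", merkle_verify(signer.root, b"hello", sig))
```

The verifier needs nothing but SHA-256 and the root, which is why these schemes are the fallback of choice if lattice assumptions ever fail. The cost is visible too: each signature carries 256 secrets plus a full Lamport public key, and the signer must persist `next_leaf` across restarts and backups, the operational burden that the stateless design of SLH-DSA removes.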
Code-Based Cryptography
Schemes like Classic McEliece use error-correcting codes (binary Goppa codes): the public key is a disguised code, a ciphertext is a codeword with deliberately added errors, and only the holder of the code's hidden structure can remove them. Security relies on the difficulty of the syndrome decoding problem. Code-based cryptography has been studied since 1978 (McEliece cryptosystem); the best known attacks are information-set decoding algorithms, which Grover's algorithm speeds up by at most a square root. The main cost is public-key size, from a few hundred kilobytes to over a megabyte.
MPC-in-the-Head
Algorithms like AIMer prove knowledge of a secret key for a one-way function (AIM, built from symmetric primitives) by simulating a multi-party computation (MPC) of that function "in the signer's head", committing to each simulated party's view, and opening all but one view in response to a challenge derived by hashing the commitments together with the message (the Fiat-Shamir transform). The resulting non-interactive zero-knowledge proof is the signature. Security derives only from the symmetric primitives in the one-way function and the hash, with no number-theoretic or lattice assumption.
How MetaMUI Implements PQC
MetaMUI Crypto Primitives provides 48 cryptographic algorithms across 10 platforms (C, Rust, Go, Python, Java, Kotlin, C#, Swift, TypeScript/WASM, Dart), covering both NIST and KPQC standards. Key design principles:
- Pure implementations – no external cryptographic library dependencies
- Hardware acceleration – SIMD (AVX2, AVX-512, NEON), GPU (Apple Metal) where applicable
- Cross-language interoperability – identical wire formats and test vectors across all platforms
- Standards compliance – NIST FIPS 203/204/205, KPQC, and RFC-based encodings
For guidance on which algorithm to use, see the Algorithm Selector. To understand how cross-platform verification works, see Cross-Language Interoperability.