Part 3: Anatomy of Post-Quantum Cryptography (PQC)

  • Writer: Bridge Connect
  • Jul 7

Post-quantum cryptography (PQC) is not science fiction—it is an urgent and emerging field that seeks to secure digital communications against future quantum attacks. As classical encryption standards like RSA and ECC face obsolescence under quantum pressure, a new generation of algorithms is being developed, standardised, and trialled globally. This article introduces the main types of post-quantum cryptographic techniques, highlights their real-world applications, and guides board-level readers on what to monitor, mandate, and fund in the coming years.


1. What Is Post-Quantum Cryptography?

PQC refers to cryptographic algorithms that are designed to run on classical computers but remain secure even if an adversary possesses a powerful quantum computer. These algorithms do not rely on the mathematical problems that quantum algorithms (like Shor's or Grover's) are designed to break.

Importantly, PQC is not about building quantum-resistant networks from scratch. It's about updating existing systems with algorithms that can resist quantum attacks while still functioning efficiently on today’s infrastructure.


2. The Leading Algorithm Families

Most PQC algorithms fall into five broad categories:

  • Lattice-based cryptography: Based on the difficulty of solving shortest vector problems in high-dimensional lattices. Leading candidates include Kyber (encryption) and Dilithium (signatures). Efficient and well-studied.

  • Code-based cryptography: Uses error-correcting codes, with long-standing schemes like Classic McEliece. Known for large public key sizes but excellent security records.

  • Multivariate polynomial cryptography: Based on solving systems of multivariate quadratic equations. Compact and fast, but with mixed security performance.

  • Hash-based signatures: Use Merkle trees to generate digital signatures. Secure and simple, but limited to signing fixed numbers of messages.

  • Isogeny-based cryptography: Relies on the hardness of finding isogenies between elliptic curves. Compact keys but slower and less mature than other families.

Each class offers different trade-offs in speed, key size, and resilience to various attack vectors.


3. The NIST PQC Standardisation Process

The National Institute of Standards and Technology (NIST) in the U.S. is leading the global effort to standardise post-quantum cryptographic algorithms. Their multi-round process has involved international academic scrutiny, red-teaming, and public trials.


  • In August 2024, NIST released the first three FIPS standards: FIPS 203 (ML-KEM/Kyber), FIPS 204 (ML-DSA/Dilithium), and FIPS 205 (SLH-DSA/SPHINCS⁺).

  • On March 11, 2025, NIST selected a fourth candidate for general encryption, Hamming Quasi-Cyclic (HQC), as a backup to Kyber. A draft standard incorporating HQC is expected around 2026, with final approval possibly in 2027.

  • NIST has scheduled the 6th PQC Standardization Conference for September 24–26, 2025, in Gaithersburg, aimed at finalizing additional schemes and discussing implementation challenges.

  • As of early 2025, NIST has completed an eight-year standardization cycle and is moving into implementation, validation, and ecosystem expansion.


4. Implementation Considerations

For decision makers, PQC is not just a technical upgrade—it involves strategic planning across products, platforms, and compliance frameworks.

  • Key and signature sizes: PQC algorithms often have much larger keys or ciphertexts than their classical counterparts. This impacts bandwidth, storage, and performance.

  • Software vs. hardware: Most PQC algorithms can run in software, but some may benefit from hardware acceleration for speed or energy efficiency.

  • Side-channel resistance: As with all crypto, physical and timing attacks remain relevant. PQC must be robust not just in theory but in implementation.

  • Hybrid approaches: Many organisations are adopting hybrid encryption schemes that combine classical and PQC algorithms, ensuring near-term compatibility and long-term resilience.


5. Strategic Implications for Boards

Boards should treat PQC adoption as a strategic priority with phased oversight:

  • Mandate crypto-agility: Ensure systems are designed to support multiple algorithms and upgrades.

  • Track vendor compliance: Audit third-party vendors for their PQC roadmaps and implementation plans.

  • Prioritise data with long confidentiality timelines: Customer records, intellectual property, and health or legal archives are prime candidates for early PQC protection.

  • Engage regulators and auditors: Coordinate with legal teams to align with national or international PQC adoption deadlines.


In short: PQC is the future of encryption. It must be funded, monitored, and integrated at the architectural level, not just as a security bolt-on.

"Post-quantum cryptography is not about future-proofing in theory. It's about protecting the long-lived data and digital trust structures we rely on today."

Next in the Series: Part 4 — NIST, NSA & the Global Race for Quantum-Resilient Standards
