What is post-quantum cryptography?
Post-quantum cryptography (PQC) refers to the full set of cryptographic algorithms designed to resist attacks from quantum computers. This new generation of security solutions addresses an emerging threat: the arrival of quantum machines capable of breaking, in a matter of hours, encryption systems that would take classical computers millennia to crack.
The stakes of post-quantum cryptography go far beyond the technical. What is at stake is the integrity of our entire digital infrastructure: online communications, banking transactions, user authentication, official document signing, and the protection of medical and industrial data. The transition to these new cryptographic standards is one of the defining cybersecurity challenges of the decades ahead.
The challenge posed by the quantum computer
To understand why post-quantum cryptography is necessary, you first need to grasp what quantum computers actually mean for today’s security landscape.
A quantum computer exploits the properties of quantum mechanics to perform certain calculations exponentially faster than a classical computer. This computational power rests on phenomena such as quantum superposition and entanglement, enabling the simultaneous processing of a vast number of possible states.
The core problem lies in Shor’s algorithm, discovered in 1994, which allows a quantum computer to efficiently solve the problem of factoring large integers. Factorization is precisely the mathematical foundation of many widely deployed classical cryptographic systems, RSA foremost among them. Shor’s algorithm can also solve the discrete logarithm problem, threatening other cryptographic solutions commonly used to secure communications over the Internet.
In practice, public-key encryption algorithms like RSA, which currently secure a large share of online communications and protect our networks, would become vulnerable to a sufficiently advanced quantum computer. A message encrypted with RSA-2048, considered practically unbreakable today, could be decrypted in hours by a quantum machine with approximately 20 million qubits.
This prospect makes the transition to new cryptographic standards a matter of urgency, not choice.
Current quantum computers remain limited in qubit count and stability. But technological progress is accelerating. The world’s major economic and military powers are investing heavily in quantum research, making the emergence of a cryptanalytically relevant quantum computer plausible within the next ten to twenty years.
The mathematical foundations of PQC
Post-quantum cryptography is built on mathematical problems that are fundamentally different from those underlying classical algorithms. These problems are considered hard to solve even for quantum computers, because no known quantum algorithm yields an exponential speedup against them.
Several families of cryptographic algorithms emerge from PQC research, each resting on distinct mathematical foundations.
Error-correcting codes, of which the McEliece algorithm is the historical example, rely on the difficulty of decoding certain linear codes. Proposed in 1978, McEliece remains one of the oldest and most studied candidates in post-quantum cryptography. Its primary strength is its track record of resisting both classical and quantum attacks, built over more than forty years of cryptanalysis. However, the large public key sizes of McEliece are a barrier to widespread deployment in constrained environments.
Lattice-based cryptography offers another promising and extensively studied approach. These mathematical structures make it possible to construct encryption and digital signature algorithms resistant to quantum attacks, while maintaining acceptable performance for large-scale deployment. Lattice problems, such as the Shortest Vector Problem (SVP) and the Closest Vector Problem (CVP), form the basis of many post-quantum candidates selected in international standardization processes.
Other families include multivariate polynomial cryptography, which exploits the difficulty of solving systems of polynomial equations in multiple variables; hash-based signatures, which build signature schemes from cryptographic hash functions alone; and isogeny-based cryptography, built on mappings between elliptic curves.
Each family presents its own trade-offs in terms of key size, execution speed, security level, and cryptographic maturity. The right choice depends on the deployment context: the constraints of an embedded system differ from those of a data center server, and signature speed requirements vary across applications.
The standardization process
Faced with the urgency of this cryptographic transition, standards bodies have launched rigorous and transparent evaluation processes.
NIST, the US National Institute of Standards and Technology, has been running an evaluation and selection process for post-quantum algorithms since 2016, in collaboration with the international research community. This open process drew 82 initial submissions, which then went through multiple rounds of public evaluation involving hundreds of researchers worldwide.
In France, ANSSI (Agence nationale de la sécurité des systèmes d’information) is actively supporting this transition. The agency regularly publishes guidance and reference documents to help organizations and public administrations navigate their post-quantum cryptographic migration. ANSSI also works with European and international counterparts to align approaches and ensure interoperability.
The standardization process evaluates each candidate algorithm across multiple dimensions: security against classical and quantum attacks; performance in terms of computation speed and resource consumption; key and signature sizes; ease of integration into existing systems; and robustness against side-channel attacks.
This multidimensional evaluation ensures that selected algorithms strike an optimal balance between security and practicality.
The first post-quantum standards were published in 2024, marking a pivotal milestone in this transition. These standards cover both public-key encryption and digital signature mechanisms, two essential pillars of modern information security. Among the algorithms selected for standardization: CRYSTALS-Kyber for key encapsulation, and CRYSTALS-Dilithium, Falcon, and SPHINCS+ for digital signatures.
Migration and transition: a critical challenge for organizations
Migrating to post-quantum cryptography represents a significant technical and organizational challenge for businesses and institutions alike. This transition cannot happen overnight. It requires long-term strategic planning.
The scale of the task reflects how deeply cryptography is embedded in today’s digital infrastructure. Cryptography is present at multiple layers of every modern system: secure communication protocols (TLS/SSL), user and machine authentication mechanisms, data-at-rest protection in databases and storage systems, code signing and software update verification, digital certificate management for websites, protection of enterprise network communications, and financial transaction security.
Every component must be identified, assessed, and progressively upgraded.
The approach recommended by security experts rests on what is known as crypto-agility: designing systems capable of supporting multiple cryptographic algorithms simultaneously, and of switching from one algorithm to another without requiring a full architectural overhaul. This flexibility enables a gradual migration and significantly reduces the risk of service disruption. It also allows organizations to respond quickly should a vulnerability be discovered in a deployed algorithm.
For organizations, the first step is a comprehensive inventory of cryptographic usage across their infrastructure. This detailed mapping identifies the critical points requiring priority migration, and allows teams to prioritize efforts according to risk level and quantum threat exposure. Data with high strategic value or long confidentiality requirements deserves particular attention.
Symmetric cryptography and post-quantum security
It is worth noting that symmetric cryptography, which uses the same key for both encryption and decryption, is less vulnerable to quantum computers than public-key algorithms.
Grover’s algorithm, the most effective known quantum attack against symmetric encryption, provides only a quadratic speedup, in contrast to the exponential acceleration Shor’s algorithm achieves against asymmetric systems. Grover reduces a brute-force key search from about 2^n operations to about 2^(n/2), so a 256-bit key retains roughly 128 bits of security against a quantum attacker. In practice, this means doubling the symmetric key size is sufficient to maintain an equivalent security level against quantum computers. Moving from 128-bit to 256-bit keys preserves long-term security. This transition is straightforward compared to the full replacement of asymmetric algorithms.
Standard symmetric algorithms such as AES-256 are therefore considered secure in a post-quantum context, provided key sizes are appropriately adjusted.
This important distinction means that the post-quantum migration effort focuses primarily on asymmetric primitives: key exchange, public-key encryption, and digital signatures. Hybrid protocols, combining classical and post-quantum cryptography during the transition period, generally rely on the continued robustness of symmetric encryption to provide a second layer of protection.
Solutions and practical deployment
Several concrete solutions are emerging to facilitate the deployment of post-quantum cryptography in real-world environments.
Open-source cryptographic libraries, such as liboqs from the Open Quantum Safe project, are progressively integrating the newly standardized algorithms, allowing developers to test and implement them in their applications. These libraries offer interfaces compatible with existing cryptographic APIs, easing gradual integration.
Security protocols such as TLS, which secures web communications, are being extended to support post-quantum algorithms. Large-scale experiments are underway at major technology companies and cloud service providers to validate the compatibility and performance of these new solutions under real-world conditions. These tests help identify and resolve practical issues related to message size, connection latency, and compatibility with existing Internet infrastructure.
The protection of sensitive data demands particular attention to the concept of “Harvest Now, Decrypt Later”: malicious actors may currently be intercepting and storing encrypted communications in anticipation of future access to a quantum computer capable of decrypting them. This threat justifies an early migration to PQC for high-value or long-lived data, such as state secrets, medical records, or strategic intellectual property.
Practical solutions also include hybrid approaches combining classical and post-quantum algorithms, providing double protection during the transition period. This strategy allows organizations to benefit simultaneously from the maturity of classical solutions and the quantum resistance of new algorithms.
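The hybrid approach described above, and the crypto-agility it depends on, can be illustrated with a key combiner: the classical and post-quantum shared secrets are concatenated and fed through one HKDF, bound to the handshake transcript and to a suite label. This is an added example written for this page, not code from liboqs or any standard; the two shared secrets and the transcript are constructed stand-ins for real ECDH and KEM outputs, and the suite label is a constructed name.

```python
# Hybrid key derivation: a classical shared secret (e.g. from ECDH) and a
# post-quantum shared secret (e.g. from a lattice KEM) are combined so the
# session key stays secure as long as EITHER component resists attack.
# Added illustration; the KEM outputs below are constructed byte strings.
import hashlib
import hmac

HASH = hashlib.sha256
SECRET_LEN = 32  # both mechanisms are assumed to output 32-byte shared secrets


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_session_key(ss_classical: bytes, ss_pq: bytes, transcript: bytes,
                       suite_label: bytes = b"constructed-hybrid-suite-v1") -> bytes:
    """Concatenation combiner: both secrets feed one HKDF, salted with a hash
    of the handshake transcript and labelled with the negotiated suite.
    Breaking one secret (e.g. ECDH via Shor) leaves the other's entropy intact,
    and a different suite label yields an unrelated key, which lets a system
    switch algorithms without two suites ever sharing key material."""
    if len(ss_classical) != SECRET_LEN or len(ss_pq) != SECRET_LEN:
        raise ValueError("unexpected shared-secret length")
    salt = HASH(transcript).digest()
    prk = hkdf_extract(salt, ss_classical + ss_pq)
    return hkdf_expand(prk, suite_label, SECRET_LEN)


if __name__ == "__main__":
    # Constructed demo values: in a real handshake both peers compute these
    # from their own ECDH and KEM decapsulation results.
    ss_classical = bytes.fromhex("11" * SECRET_LEN)
    ss_pq = bytes.fromhex("22" * SECRET_LEN)
    transcript = b"ClientHello||ServerHello (constructed)"
    key = hybrid_session_key(ss_classical, ss_pq, transcript)
    # Changing only the post-quantum secret changes the whole session key.
    other = hybrid_session_key(ss_classical, bytes(SECRET_LEN), transcript)
    print(key.hex(), key != other)
```

Both peers run the same function on the same inputs, so the check that a peer derived the identical key is just equality of the two outputs.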
Perspectives and future challenges
The transition to post-quantum cryptography is a long-term undertaking that will fundamentally reshape the information security landscape. Experts estimate that the full migration of critical systems could span ten to twenty years, requiring coordinated effort across governments, enterprises, standards bodies, and the international research community.
Standards will continue to evolve as new algorithms are proposed and cryptographic analysis advances. Standardization is an iterative process that adapts to scientific discoveries, deployment feedback, and real-world operational needs. Additional candidates are currently under evaluation to diversify the available algorithm portfolio and address specific use cases.
For organizations, the stakes go beyond technical compliance. Post-quantum cryptography is becoming a competitive differentiator and a signal of trust for clients, partners, and users. Getting ahead of this transition means guaranteeing the long-term security of your information systems and the lasting protection of your strategic data. It also means hedging against regulatory risk: some sectors, including defense and healthcare, are already beginning to impose post-quantum requirements.
Post-quantum cryptography is already shaping security decisions today. It is a present reality that demands action from anyone responsible for digital security. Understanding its principles, tracking the evolution of standards, building team expertise, and actively preparing the migration: these are the foundations of a successful transition to a world where security holds up against the demands of the quantum era.
Organizations that begin now will have the time to migrate carefully. Those that wait will not.