Safeguard
Cryptography

Post-quantum cryptography

Post-quantum cryptography protects data from future quantum attacks. See how NIST-standardized, lattice-based algorithms defend today's software supply chain.

James
Principal Security Architect
8 min read

Post-quantum cryptography (PQC) is the set of cryptographic algorithms designed to remain secure against attacks from both classical and quantum computers. So what is post-quantum cryptography, precisely? It is not "quantum cryptography" (which uses quantum physics to secure communication channels) — it is ordinary math-based cryptography, run on the classical computers we use today, built on hard problems that even a large-scale quantum computer cannot efficiently solve. The urgency is concrete: a sufficiently powerful quantum computer running Shor's algorithm could break RSA, ECDSA, and Diffie-Hellman, the public-key systems that underpin TLS, code signing, and SSH. NIST finalized its first PQC standards in August 2024 — ML-KEM (key encapsulation) and ML-DSA (digital signatures) — giving vendors concrete algorithms to adopt now, years before large-scale quantum computers exist.

What Is Post-Quantum Cryptography and Why Does It Matter Now?

Post-quantum cryptography matters now because of a "harvest now, decrypt later" threat that is already active, not hypothetical. Nation-state actors and well-resourced adversaries are recording encrypted internet traffic, VPN sessions, and archived backups today, betting that a cryptographically relevant quantum computer will arrive within the next decade and let them decrypt everything they stored. Data with a long shelf life — medical records, source code, government communications, intellectual property, and signed software artifacts — is most at risk, because the confidentiality only needs to hold until decryption becomes feasible, not forever. A software vendor shipping a product today with a 15-year support lifecycle is effectively promising confidentiality against an adversary's capabilities in 2040, not 2026. That mismatch between deployment timelines and cryptographic lifespans is why standards bodies pushed to finalize PQC now rather than waiting for quantum computers to materialize.

The timeline pressure compounds because cryptographic migrations are historically slow. The industry-wide move from SHA-1 to SHA-256 took roughly a decade from the first practical attack warnings to near-universal deprecation, and that was a comparatively simple hash-function swap. Replacing RSA and ECC across code-signing infrastructure, hardware security modules, embedded firmware, TLS libraries, and certificate authorities is a substantially larger undertaking, touching systems that were never designed to be cryptographically agile. Estimates of when a cryptographically relevant quantum computer will exist vary widely — some experts say the mid-2030s, others argue it could be sooner or considerably later — but the asymmetry of the bet favors early action: migrating early costs engineering time, while migrating late risks retroactive exposure of everything recorded under the old algorithms.

How Do Quantum Computers Actually Break Current Encryption?

Quantum computers break current encryption by running Shor's algorithm, which factors large integers and computes discrete logarithms exponentially faster than the best known classical algorithms. RSA's security rests on the difficulty of factoring the product of two large primes; ECDSA and Diffie-Hellman rest on the discrete logarithm problem over elliptic curves. Shor's algorithm solves both classes of problems in polynomial time on a large, fault-tolerant quantum computer with enough stable logical qubits — a machine that does not yet exist at the scale required, but that multiple national labs and companies are actively racing to build. Symmetric encryption (AES) and hash functions (SHA-256) are far less exposed: Grover's algorithm only offers a quadratic speedup against them, which is why doubling AES key sizes (AES-128 to AES-256) is considered adequate mitigation, while public-key cryptography needs an entirely new mathematical foundation.

Researchers already demonstrate the mechanics at small scale: teams have used Shor's algorithm on early quantum hardware to factor toy numbers like 15 and 21, and IBM, Google, and others continue to publish incremental progress on qubit count and error correction. The gap between those demonstrations and a machine capable of factoring a 2048-bit RSA key is still enormous — current estimates suggest millions of physical qubits with robust error correction would be required — but the direction of travel, not the exact date, is what drives standards bodies and security teams to act. This is also why cryptographers distinguish between "quantum-safe" and "post-quantum": the former is sometimes used loosely, while the latter specifically refers to algorithms vetted through formal standardization against known quantum attack models.

What Are the NIST PQC Standards, and Which Algorithms Made the Cut?

The NIST PQC standards are a set of finalized algorithms selected after an eight-year, multi-round public competition that started in 2016 with 82 submissions. NIST published FIPS 203 (ML-KEM, derived from CRYSTALS-Kyber) for general encryption and key exchange, and FIPS 204 (ML-DSA, derived from CRYSTALS-Dilithium) for digital signatures, both in August 2024. A third signature scheme, FIPS 205 (SLH-DSA, based on stateless hash-based signatures), was standardized as a conservative backup built on different mathematical assumptions in case weaknesses are later found in lattice-based schemes. A fourth algorithm, HQC, was selected in 2025 as a backup key encapsulation mechanism based on error-correcting codes, diversifying away from lattices entirely. Federal agencies are already required to build migration plans under NSM-10, and CNSA 2.0 sets a 2030-2033 timeline for national security systems to complete the transition.

These standards matter beyond government mandates because they set the reference implementations that commercial vendors build against. Once NIST publishes a FIPS document, cryptographic libraries like OpenSSL, BoringSSL, and Bouncy Castle add conformant implementations, cloud providers expose them through their KMS and TLS-termination products, and auditors start asking vendors why they haven't adopted them. Financial services, healthcare, and critical infrastructure operators — sectors already subject to compliance frameworks like FedRAMP and PCI DSS — are the ones most likely to see PQC adoption requirements show up in vendor security questionnaires and procurement contracts over the next few years, well ahead of any regulatory deadline.

What Is Lattice-Based Cryptography and Why Did NIST Choose It?

Lattice-based cryptography is the mathematical foundation behind most of the new NIST standards, built on the hardness of problems like Learning With Errors (LWE) and Module-LWE — finding the shortest or closest vector in a high-dimensional lattice, a problem believed to resist both classical and quantum solvers. NIST favored lattice-based constructions like ML-KEM and ML-DSA because they offer a strong balance of small key sizes, fast computation, and decades of academic cryptanalysis, unlike some competing approaches (such as early code-based or multivariate schemes) that produced impractically large keys or signatures. For comparison, an ML-KEM-768 public key is roughly 1,184 bytes versus 32 bytes for an X25519 elliptic-curve key — a real, measurable overhead that protocol designers and embedded-systems engineers have to budget for in TLS handshakes, certificate chains, and firmware images with tight size constraints.

That overhead is not free of controversy. In 2022, a submission called SIKE — a promising, compact non-lattice candidate based on supersingular isogenies — was broken by classical cryptanalysis just months after advancing to the final round, using a single laptop core running for about an hour. The break didn't touch lattice-based schemes at all, but it was a pointed reminder that "post-quantum" doesn't mean "battle-tested for decades" the way RSA is, and it reinforced NIST's decision to keep a structurally different backup (hash-based SLH-DSA, code-based HQC) alongside the lattice-based primary standards, so a future weakness in lattice assumptions wouldn't leave the ecosystem with no fallback.

How Are Quantum-Resistant Algorithms Being Rolled Out in Practice?

Quantum-resistant algorithms are being rolled out through hybrid deployments that pair a classical algorithm with a post-quantum one, so a break in either scheme alone does not compromise the connection. Chrome and Cloudflare enabled X25519Kyber768 (later X25519MLKEM768) for a share of TLS 1.3 connections starting in 2023, Apple added PQ3 to iMessage in 2024 using a hybrid Kyber construction, and the IETF has draft standards for hybrid key exchange in TLS and SSH. Signal rolled out its PQXDH protocol combining X25519 with CRYSTALS-Kyber for session establishment. This hybrid pattern reflects a pragmatic reality: PQC algorithms are new enough that nobody wants to bet critical infrastructure on them alone, so the migration path runs through years of parallel operation before classical algorithms are eventually deprecated.

Code signing and software supply chain security face a distinct version of this rollout problem. Signing keys typically protect artifacts for the lifetime of the software they sign, which for firmware, industrial control systems, and long-lived enterprise applications can span a decade or more. NIST's SP 1800-38 guidance and early pilots from certificate authorities are starting to define how ML-DSA-signed certificates and dual-signed (classical plus post-quantum) software packages will work in practice, but tooling maturity lags behind the standards themselves — build systems, package managers, and signing infrastructure all need updates before PQC signatures become a practical default rather than an experimental option.

How Safeguard Helps

Safeguard helps engineering and security teams find out where classical, quantum-vulnerable cryptography is still embedded across their software supply chain — long before a mandate or an incident forces the question. Our platform inventories cryptographic usage across source code, dependencies, container images, and signing infrastructure, flagging RSA, ECDSA, and Diffie-Hellman usage in code-signing keys, TLS configurations, and SBOM components so teams can prioritize what needs migration first. For artifacts with long confidentiality requirements — firmware, archived releases, signed packages — Safeguard highlights exposure to harvest-now-decrypt-later risk and tracks progress as teams adopt NIST PQC standards like ML-KEM and ML-DSA in their build and signing pipelines. Rather than treating post-quantum migration as a one-time audit, Safeguard keeps continuous visibility into cryptographic posture as part of normal software supply chain monitoring, so new dependencies or signing keys that reintroduce quantum-vulnerable algorithms get caught before they ship, not years into a migration that started too late.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.