The problem in one paragraph
Almost every secure connection on the internet starts with public-key cryptography — RSA or elliptic-curve maths — to agree a secret key between your browser and a server. The security of both rests on problems that are hard for ordinary computers: factoring enormous numbers, and computing discrete logarithms. In 1994 Peter Shor showed that a sufficiently large quantum computer solves both efficiently. No such machine exists today, but the cryptography we use has to outlive the data it protects — and encrypted traffic can be recorded now and decrypted the day the machine arrives. That attack is called harvest now, decrypt later.
Post-quantum cryptography (PQC) is the fix: new public-key algorithms built on mathematical problems — mostly structured lattices — that neither classical nor quantum computers are known to solve efficiently. Crucially, PQC runs on ordinary hardware. It is not "quantum cryptography"; no lasers or entangled photons are involved. It is a software upgrade.
What survives and what doesn't
- RSA, Diffie–Hellman, elliptic curves (ECDH, ECDSA, Ed25519): broken by Shor's algorithm on a large quantum computer. These are the key exchange and signatures in virtually all TLS today.
- Symmetric ciphers (AES) and hashes (SHA-2, SHA-3): essentially fine. Grover's algorithm gives quantum computers a square-root speed-up at best, which AES-256 absorbs comfortably.
So the migration is targeted: replace the public-key parts — key exchange first, signatures later — while the symmetric machinery underneath stays put.
The NIST standards
After an eight-year public competition, NIST finalised the first three post-quantum standards in August 2024:
- ML-KEM (FIPS 203, formerly CRYSTALS-Kyber) — a key encapsulation mechanism, the replacement for Diffie–Hellman-style key exchange. This is the one doing real work on the internet today; see ML-KEM explained.
- ML-DSA (FIPS 204, formerly CRYSTALS-Dilithium) — a lattice-based digital signature, the intended successor to RSA and ECDSA signatures in certificates.
- SLH-DSA (FIPS 205, formerly SPHINCS+) — a hash-based signature: slower and bulkier, but built on the most conservative assumptions available, as a hedge in case lattices fall.
What actually changes in TLS
TLS 1.3 negotiates two independent things that PQC touches: the key exchange (how the session key is agreed) and the certificate signatures (how the server proves its identity). They are on completely different timelines:
- Key exchange — happening now. Browsers and servers negotiate hybrid groups such as X25519MLKEM768, which combine classical X25519 with ML-KEM-768 so the connection stays safe even if one of the two is broken. Chrome has offered it by default since April 2024, and OpenSSL 3.5 negotiates it out of the box. This is what protects recorded traffic.
- Certificates — not yet. No publicly trusted CA issues ML-DSA certificates, and no browser requires them. Identity, unlike confidentiality, cannot be harvested retroactively — a forged signature only matters at the moment of connection — so this half can safely trail behind. See post-quantum certificates.
Further reading
- FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM)
- FIPS 204: Module-Lattice-Based Digital Signature Standard (ML-DSA)
- FIPS 205: Stateless Hash-Based Digital Signature Standard (SLH-DSA)
- NIST IR 8547: Transition to Post-Quantum Cryptography Standards
Wondering where your own server stands? The post-quantum TLS test answers it with real handshakes in a couple of seconds.