What is post-quantum cryptography?

Why quantum computers threaten today's encryption, and what the replacement algorithms actually are.

The problem in one paragraph

Almost every secure connection on the internet starts with public-key cryptography — RSA or elliptic-curve maths — to agree a secret key between your browser and a server. The security of both rests on problems that are hard for ordinary computers: factoring enormous numbers, and computing discrete logarithms. In 1994 Peter Shor showed that a sufficiently large quantum computer solves both efficiently. No such machine exists today, but the cryptography we use has to outlive the data it protects — and encrypted traffic can be recorded now and decrypted the day the machine arrives. That attack is called harvest now, decrypt later.

Post-quantum cryptography (PQC) is the fix: new public-key algorithms built on mathematical problems — mostly structured lattices — that neither classical nor quantum computers are known to solve efficiently. Crucially, PQC runs on ordinary hardware. It is not "quantum cryptography"; no lasers or entangled photons are involved. It is a software upgrade.

What survives and what doesn't

So the migration is targeted: replace the public-key parts — key exchange first, signatures later — while the symmetric machinery underneath stays put.

The NIST standards

After an eight-year public competition, NIST finalised the first three post-quantum standards in August 2024:

What actually changes in TLS

TLS 1.3 negotiates two independent things that PQC touches: the key exchange (how the session key is agreed) and the certificate signatures (how the server proves its identity). They are on completely different timelines:

Further reading


Wondering where your own server stands? The post-quantum TLS test answers it with real handshakes in a couple of seconds.

Related guides