THREAT BRIEFING · 10.07.2026 DEENFRES

Security Glossary

What Is Post-Quantum Cryptography? Definition and Standards

By Alec Chizhik · July 10, 2026 · 6 min read

What is Post-Quantum Cryptography? Post-Quantum Cryptography refers to encryption and signature schemes that are designed to withstand attacks by quantum computers. They rely on mathematical problems for which neither classical nor quantum algorithms have known efficient solutions. These schemes run on current hardware and are intended to eventually replace or supplement RSA and elliptic curve cryptography.

Key Takeaways

  • Threat: The Shor algorithm breaks RSA and ECC on a sufficiently large quantum computer. Such a machine does not yet exist, the time horizon is open.
  • Standards: NIST published the first three final standards in August 2024: FIPS 203 (ML-KEM) for key encapsulation, FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) for signatures.
  • Pressure: Due to ‘harvest now, decrypt later’ and long migration times, BSI (Federal Office for Information Security) recommends crypto‑agility, hybrid schemes and a cryptographic inventory as the first step.

Why Quantum Computers Threaten Modern Encryption

Asymmetric cryptography that currently secures Transport Layer Security (TLS) connections, VPNs and digital signatures relies on factoring and discrete logarithms. Shor’s algorithm efficiently solves exactly these problems on a quantum computer. A sufficiently powerful machine would mathematically break RSA, Diffie‑Hellman and ECC, regardless of key length.

A cryptographically relevant quantum computer does not exist today. Scaling, error correction and the number of stable logical qubits remain unresolved challenges. NIST and the Federal Office for Information Security (BSI) both stress that the timing cannot be predicted with any scientific rigor. Symmetric schemes such as AES‑256, by contrast, are considered far more robust and would only require longer keys.

Harvest now, decrypt later

The real risk emerges before the first functional quantum computer. Attackers can intercept, store, and later decrypt encrypted traffic today, once the technology becomes available. NIST explicitly cites this scenario as a reason to begin the transition now.

Data with long confidentiality lifespans are especially vulnerable: health data, engineering documents, trade secrets, and government information. The BSI (Federal Office for Information Security) identifies key negotiation processes as particularly threatened by this scenario. Those who protect such data should weigh the migration period of their own systems against the remaining lifespan of the secrets.

The Standards and the Path Forward

13. Aug. 2024

NIST publishes the first three finalized PQC standards

FIPS (Federal Information Processing Standards) 203 (ML‑KEM (Machine Learning Key Encapsulation Mechanism)), FIPS (Federal Information Processing Standards) 204 (ML‑DSA (Machine Learning Digital Signature Algorithm)), FIPS (Federal Information Processing Standards) 205 (SLH‑DSA (Stateless Hash‑Based Signature Algorithm))

With the finalized FIPS (Federal Information Processing Standards) specifications, the fundamental question is answered. ML‑KEM (Machine Learning Key Encapsulation Mechanism) takes over quantum‑secure key encapsulation, while ML‑DSA (Machine Learning Digital Signature Algorithm) and SLH‑DSA (Stateless Hash‑Based Signature Algorithm) cover digital signatures. According to the current state of knowledge, these procedures are considered secure against known quantum attacks and are already being integrated into protocols, libraries and products.

The BSI (Federal Office for Information Security) recommends hybrid combinations of classical and post‑quantum methods, as well as crypto‑agility, as a design principle for the transition. The technical guideline TR‑02102‑1, in its January 2026 version, incorporates quantum‑secure mechanisms such as ML‑KEM and advises the sole use of classical asymmetric methods only for a transitional period. At the European level, the BSI and partner authorities have likewise highlighted the shift to post‑quantum cryptography in a joint declaration of priority.

What Companies Need to Check Now

The first step requires no new technology: an inventory of the cryptography in use. Without an overview of the methods, protocols and certificates, neither prioritization nor migration is possible. Next, the question is which data must remain confidential for the longest period.

CHECK NOW

  • Create a cryptographic inventory: catalog procedures, protocols, certificates and dependencies
  • Prioritize data by confidentiality duration, longest lifespan first
  • Embed crypto‑agility as a procurement and design criterion
  • Ask vendors and service providers about their PQC roadmaps and ML‑KEM support
  • Evaluate hybrid approaches for transition where full migration is not yet possible

Distinguishing Related Concepts

Post-quantum cryptography (PQC) is often confused with quantum cryptography. Quantum cryptography, such as quantum key distribution, relies on physical quantum effects and requires specialized hardware. In contrast, post-quantum cryptography is based on classical mathematics that runs on existing computers and can be rolled out via software updates.

Equally important is the distinction by method type. Directly affected is asymmetric cryptography, namely key exchange and signatures. Symmetric encryption and hash functions remain secure with appropriate parameters. A PQC migration therefore selectively replaces public‑key components and leaves proven symmetric procedures in use.

Frequently Asked Questions

Every question is locked. A tap unlocks the answer.

When will the quantum computer that breaks RSA come?

No one can claim this seriously. A cryptographically relevant quantum computer does not currently exist, and both NIST and BSI explicitly consider the timeline to be open. Estimates vary widely.

Do I need to take action now?

Yes, at least with inventory and planning. Data intercepted today can be decrypted later, and crypto migrations typically take years, according to experience. Both together create the pressure to act.

What is ML-KEM?

ML-KEM (Machine Learning Key Encapsulation Mechanism) is the mechanism standardized in FIPS 203 for quantum-safe key encapsulation based on lattice problems. It is expected to replace the classical key exchange, for example in TLS.

What does the BSI recommend?

Cryptographic agility in new developments, hybrid combinations of classical and post-quantum methods, as well as the recommendations of TR-02102-1. A cryptographic inventory is regarded as the first practical step.

Does this also apply to digital signatures?

Yes. Signatures are supported by dedicated standards such as ML-DSA and SLH-DSA. It becomes critical especially for long validity periods, such as in document archiving or firmware signatures.

Editor’s Picks

Editor’s PickPost-Quantum becomes mandatory in cloud certificationEditor’s PickPost-Quantum Cryptography: Germany PreparesEditor’s PickPost-Quantum Cryptography: Enterprises Must Shift Encryption Now

More from the MBF Media Network

MyBusinessFuturePost-Quantum Cryptography: Why 2026 Is the Starting GunDigital ChiefsPost-Quantum Cryptography: The Countdown for Corporate IT Is Running

Further reading

A magazine by Evernine Media GmbH