Post-Quantum Cryptography (PQC) is the term used for classical cryptographic schemes that are not vulnerable to attacks by a quantum computer, in contrast to quantum cryptography, which uses quantum-mechanical principles for cryptographic purposes. "Not vulnerable" in this context means that no quantum algorithm that can break the scheme is known (yet?).
PQC schemes include – but are not limited to – code-based, hash-based, lattice-based and multivariate-quadratic-equation schemes as well as secret-key PQC. Thus classical symmetric encryption standards such as AES, which are secret-key based, can technically be considered PQC. More commonly, the term PQC is used when talking about replacing public-key encryption schemes that are vulnerable to quantum algorithms, such as RSA, which is vulnerable because of Shor's algorithm.
The National Institute of Standards and Technology (NIST) initiated a PQC standardisation process in 2016 which yielded post-quantum encryption standards in 2024, each covering a different cryptographic task. These are the Federal Information Processing Standards (FIPS) 203, 204 and 205. [1]
FIPS 203 uses the post-quantum algorithm CRYSTALS-Kyber, a module-lattice-based Key-Encapsulation Mechanism (KEM), and is intended for general encryption.
FIPS 204 uses the post-quantum algorithm CRYSTALS-Dilithium, a module-lattice-based Digital Signature Algorithm (DSA), and is intended for digital signatures.
FIPS 205 uses the post-quantum algorithm SPHINCS+, a stateless hash-based DSA, and is intended as a backup scheme should a vulnerability in CRYSTALS-Dilithium be found. [2]
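As an added illustration of what "hash-based" means in FIPS 205 (this is example code written for this page, not NIST's or the SPHINCS+ team's code), the following Lamport one-time signature scheme shows a signature whose security rests solely on the preimage resistance of a hash function, here SHA-256. A Lamport key pair may sign only a single message; SPHINCS+ builds a stateless many-time scheme from one-time and few-time hash-based signatures of this kind, so the signer never has to track which keys are already spent.

```python
import hashlib
import secrets

N = 32  # bytes per secret and per digest (SHA-256); the digest has 8*N = 256 bits


def H(data: bytes) -> bytes:
    """The only cryptographic assumption: SHA-256 is preimage resistant."""
    return hashlib.sha256(data).digest()


def keygen():
    """One-time key pair: two random secrets per digest bit, public key is their hashes.
    Revealing a secret does not reveal its sibling, so one signature leaks nothing
    beyond the bits of the signed digest."""
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(8 * N)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk


def message_bits(msg: bytes):
    """Hash the message and return its 256 digest bits, most significant bit first."""
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(8 * N)]


def sign(sk, msg: bytes):
    """For each digest bit, reveal the secret matching that bit value.
    After this call the key pair is spent and must never sign again."""
    return [sk[i][b] for i, b in enumerate(message_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Recompute the digest and check that every revealed secret hashes to the
    public-key entry selected by the corresponding digest bit."""
    if len(sig) != 8 * N:
        return False
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, message_bits(msg))))


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed sample message"  # constructed input for the demo
    sig = sign(sk, msg)
    print("valid signature accepted:", verify(pk, msg, sig))
    print("tampered message rejected:", not verify(pk, msg + b"!", sig))
    print("signature size (bytes):", sum(len(s) for s in sig))
```

The printed size (8 KiB for 256-bit security) shows why practical hash-based schemes such as SPHINCS+ use Winternitz-style compression and Merkle trees rather than plain Lamport signatures.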
In comparison to QKD, PQC relies only on the underlying computational problem being hard to solve on both classical and quantum computers – i.e. on computational security – whereas QKD exploits fundamental quantum-physical principles that guarantee information-theoretic security when perfect equipment is used (for the problems with actual implementations and other information on this topic, see the rest of this website). Computational security holds only as long as there is no algorithm – quantum or classical – that can solve the computational problem efficiently, whereas the information-theoretic security of QKD depends only on the laws of quantum mechanics.
[1] https://csrc.nist.gov/projects/post-quantum-cryptography
[2] https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards