PQC – Post-Quantum Cryptography
Post-Quantum Cryptography (PQC) is the field of cryptography concerned with cryptographic primitives and algorithms that cannot be broken by quantum computers.
In the PQC selection process that the U.S. National Institute of Standards and Technology (NIST) initiated in 2016, the first algorithms selected for standardization, from 2022 onward, include ML-KEM, ML-DSA, SLH-DSA, Falcon, and HQC. The first three from this list have already been standardized by NIST. In addition, the hash-based schemes LMS and XMSS were previously standardized by the Internet Engineering Task Force (IETF).
Quantum Computers & Quantum Mechanical Principles
A quantum computer operates based on the quantum mechanical principles of superposition and quantum entanglement. The unit of information in a quantum computer is called a qubit. Unlike classical bits, which can only take the value 0 or 1 and therefore exist in one of two states, a qubit can exist in a superposition of these states. This means it can represent both 0 and 1 at the same time. Quantum entanglement is the second key principle of quantum mechanics that applies to qubits. It allows qubits to interact with and influence each other regardless of the distance or medium between them.
Together with other properties of quantum computers, these principles make it possible to solve certain types of problems much more efficiently than with conventional computers. One major advantage of quantum computers is their ability to simulate the physical microworld much more accurately. Because our world at the atomic level is governed by quantum mechanics, a computer that operates according to the same phenomena can model quantum behavior far better than a classical computer. Research in quantum computing has grown significantly in recent years. Quantum computers enable simulations and certain calculations to be performed much faster, which could help optimize applications and products in pharmaceutical, chemical, and other industries. However, a significant downside of quantum computers is their ability to efficiently solve the mathematical problems on which today’s public-key cryptography is based.
Why Do Companies Need to Address PQC Today?
Experts expect that a Cryptographically Relevant Quantum Computer (CRQC)—a quantum computer capable of breaking currently used public-key algorithms such as RSA or elliptic-curve cryptography (EC)—could become available sometime in the 2030s.
The continuously updated study by the German Federal Office for Information Security (BSI) on the state of quantum computing development names 2040 as a realistic date for this event.
In 2025, the EU’s NIS Cooperation Group published a PQC roadmap titled “A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography.” It identifies 2030 and 2035 as key milestones for completing the migration of high-risk applications first, followed by medium- and low-risk applications, in line with the expected timeline for a CRQC. EU member states are expected to publish national PQC roadmaps by 2026 aligned with the EU roadmap.
A particularly concrete and immediate threat is the “Store Now, Decrypt Later” (SNDL) problem. Data encrypted today with RSA or EC could be recorded now and decrypted in the future using a quantum computer.
Furthermore, the transition of digital signatures and public-key infrastructures (PKIs) cannot be delayed. The reason lies in the long validity periods of root certificates and the long migration timelines for PKIs due to the complexity and diversity of the applications involved.
Similar timelines for PQC adoption are emerging in other parts of the world. In the United States, for example, the Commercial National Security Algorithm Suite 2.0 requires a complete and exclusive transition to PQC by 2033.
Figure: EU Implementation Roadmap for PQC (© MTG AG)
Standardization
Standardization of PQC algorithms is a critical step toward establishing post-quantum cryptography in practice.
In addition to NIST’s standardization of the PQC algorithms mentioned above, the work of the Internet Engineering Task Force (IETF) is particularly important. The IETF specifies X.509 certificate formats, the use of PQC in protocols such as TLS, and many other technical aspects of PQC.
Several IETF PQC standards in the form of RFCs have already been published, but the standardization process in this field is expected to continue for several more years.
Other leading institutions—including the International Organization for Standardization (ISO), the European Telecommunications Standards Institute (ETSI), and the International Telecommunication Union Telecommunication Standardization Sector (ITU-T)—are also actively involved in PQC standardization.
Downloads & Links
Federal Office for Information Security – The status of quantum computer development
A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography
Post-Quantum Cryptography Secures the Future of Security (de)
Post-Quantum Security: Plan for It Today, Benefit Tomorrow (de)
Are We Secure? Crypto-Agile Against Hacking Quantum Computers (de)
More Information on NIST & PQC
More Information on ETSI & PQC
More Information on IETF & PQC