Post-quantum cryptography glossary

A cryptographic attack strategy where adversaries intercept and store encrypted data with the intent to decrypt it in the future using quantum computers capable of breaking current RSA and ECC encryption algorithms. HNDL attacks are currently being conducted by nation-state actors with the infrastructure to archive encrypted traffic at scale.

The projected future threshold at which a cryptographically-relevant quantum computer (CRQC) becomes operational and capable of breaking widely deployed public-key cryptosystems such as RSA-2048 and ECC P-256. The CRQC threshold represents the point at which data encrypted with quantum-vulnerable algorithms becomes accessible to adversaries possessing a CRQC. Qtonic Quantum treats 2029 as a readiness/control date for migration planning, not as a present-day break claim.

A quantum algorithm discovered by Peter Shor in 1994 that can factor large integers and compute discrete logarithms in polynomial time on a quantum computer. Shor's algorithm renders RSA, DSA, ECDSA, ECDH, and all integer-factorization and discrete-log-based cryptosystems insecure once a sufficiently large quantum computer is available. It is the primary theoretical threat driving the global transition to post-quantum cryptography.

A quantum algorithm discovered by Lov Grover in 1996 that provides a quadratic speedup for unstructured search problems. In cryptography, Grover's algorithm effectively halves the security level of symmetric-key algorithms and hash functions. For example, AES-128 provides only 64 bits of security against a quantum adversary using Grover's algorithm, which is why NIST recommends AES-256 for quantum resilience.

A class of attacks that exploit information leaked through the physical implementation of a cryptographic system rather than weaknesses in the algorithm itself. Side-channel attacks measure timing variations, power consumption, electromagnetic emanations, or acoustic signatures to extract secret keys. PQC algorithms such as ML-KEM and ML-DSA require careful implementation to resist side-channel attacks, particularly timing attacks on polynomial operations.

The time period during which data encrypted with quantum-vulnerable algorithms remains sensitive and could be decrypted by a future CRQC. Calculated as the intersection of data retention requirements, time to complete PQC migration, and estimated CRQC arrival date. Organizations with long data retention requirements (healthcare, finance, government) face the widest quantum exposure windows and should prioritize PQC migration.

A risk framework proposed by Michele Mosca that determines when an organization must begin PQC migration. The inequality states: if X (data shelf life) + Y (migration time) > Z (time until CRQC), then migration must begin immediately. For example, if classified data must remain secret for 25 years and migration takes 5 years, the organization is already at risk if a CRQC arrives within 30 years. Mosca's inequality is widely used by CISOs to justify PQC migration timelines.

Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) standardized as NIST FIPS 203 in August 2024. ML-KEM is a post-quantum cryptography (PQC) algorithm designed to replace RSA and ECDH for key establishment. Based on the hardness of solving lattice problems, which remain secure against both classical and quantum attacks. ML-KEM-768 provides security equivalent to AES-192.

Module-Lattice-Based Digital Signature Algorithm (ML-DSA) standardized as NIST FIPS 204 in August 2024. ML-DSA is a post-quantum digital signature scheme designed to replace RSA and ECDSA for authentication and integrity. Based on the hardness of lattice problems. ML-DSA provides three security levels (ML-DSA-44, ML-DSA-65, ML-DSA-87) corresponding to different security strengths.

Stateless Hash-Based Digital Signature Algorithm (SLH-DSA) standardized as NIST FIPS 205 in August 2024. SLH-DSA is a post-quantum digital signature scheme based on hash functions rather than lattices. Provides a mathematically conservative alternative to ML-DSA, with security based on well-understood hash function properties. Larger signature sizes than ML-DSA but requires no structured hardness assumptions.

FFT over NTRU-Lattice-Based Digital Signature Algorithm (FN-DSA), selected by NIST as a draft standard (FIPS 206). FN-DSA is based on the NTRU lattice and uses fast Fourier transforms for compact signature generation. It offers significantly smaller signatures than ML-DSA at comparable security levels, making it attractive for bandwidth-constrained environments such as TLS handshakes and IoT devices. Implementation is more complex than ML-DSA due to floating-point arithmetic requirements.

Hamming Quasi-Cyclic (HQC) is a code-based key encapsulation mechanism selected by NIST as an additional PQC standard candidate. HQC provides mathematical diversity from lattice-based schemes by relying on the hardness of decoding random quasi-cyclic codes. It serves as a backup KEM in case lattice-based assumptions are broken, offering defense-in-depth for the PQC ecosystem. HQC has larger key and ciphertext sizes than ML-KEM but provides conservative security guarantees.

Bit Flipping Key Encapsulation (BIKE) is a code-based KEM that was a NIST PQC Round 4 candidate. BIKE is based on quasi-cyclic moderate-density parity-check (QC-MDPC) codes and uses a bit-flipping decoder for decapsulation. While not selected as a primary NIST standard, BIKE remains an active area of research for its competitive performance characteristics and provides cryptographic diversity as a non-lattice-based construction.

FrodoKEM is a lattice-based key encapsulation mechanism based on the plain Learning With Errors (LWE) problem rather than structured lattices. Unlike ML-KEM which uses module lattices, FrodoKEM avoids algebraic structure that could potentially be exploited. This conservative design comes at the cost of significantly larger key sizes (up to 15KB) and slower performance. FrodoKEM is recommended by some agencies for high-assurance applications where maximum cryptographic conservatism is required.

The eXtended Merkle Signature Scheme (XMSS) is a stateful hash-based digital signature algorithm standardized in RFC 8391 and recommended by NIST SP 800-208. XMSS provides provable security based solely on hash function properties with minimal security assumptions. As a stateful scheme, the signer must maintain state to track which one-time keys have been used. State management failure can lead to catastrophic key reuse. XMSS is suitable for firmware signing and other contexts where state management is feasible.

Leighton-Micali Signature (LMS) is a stateful hash-based digital signature scheme standardized in RFC 8554 and recommended by NIST SP 800-208. LMS uses a hierarchical structure (HSS) for extended signing capacity. Like XMSS, LMS requires careful state management to prevent catastrophic one-time key reuse. LMS is widely adopted for firmware update signing in embedded systems and secure boot processes where the number of signatures is bounded and predictable.

The Rivest-Shamir-Adleman (RSA) algorithm is a widely deployed public-key cryptosystem based on the computational difficulty of factoring large integers. RSA is used for key exchange, digital signatures, and encryption across TLS, SSH, PGP, and most public-key infrastructure. RSA-2048 and RSA-4096 are completely broken by a CRQC running Shor's algorithm. RSA is the primary algorithm being replaced by ML-KEM (for key exchange) and ML-DSA (for signatures) in the PQC transition.

Elliptic Curve Cryptography (ECC) is a family of public-key algorithms based on the algebraic structure of elliptic curves over finite fields. ECC provides equivalent security to RSA with much smaller key sizes (256-bit ECC offers comparable security to 3072-bit RSA). Common ECC algorithms include ECDSA (signatures), ECDH (key exchange), and EdDSA (Ed25519). All ECC algorithms are completely broken by Shor's algorithm on a CRQC, requiring migration to PQC alternatives.

The Advanced Encryption Standard (AES) is a symmetric-key block cipher standardized by NIST as FIPS 197. AES operates on 128-bit blocks with key sizes of 128, 192, or 256 bits. While Grover's algorithm reduces AES security by half (AES-128 becomes 64-bit security against quantum), AES-256 retains 128-bit security against quantum adversaries and is considered quantum-safe. CNSA 2.0 mandates AES-256 for all national security systems.

SHA-3 (Secure Hash Algorithm 3) is a family of cryptographic hash functions standardized by NIST as FIPS 202, based on the Keccak sponge construction. SHA-3 provides an independent alternative to SHA-2 with a fundamentally different internal design. Grover's algorithm reduces SHA-3 collision resistance by a square root factor, but SHA3-256 retains 128-bit quantum security for collision resistance. SHA-3 also defines extendable-output functions (SHAKE128, SHAKE256) used extensively in PQC algorithm internals.

A Hybrid Key Encapsulation Mechanism combines a classical key exchange (such as X25519 or ECDH P-384) with a post-quantum KEM (such as ML-KEM-768) to provide security against both classical and quantum adversaries. The combined shared secret is derived using both component shared secrets, ensuring that the hybrid scheme is at least as secure as the strongest component. Hybrid KEMs are recommended as a transitional approach during PQC migration to protect against PQC algorithm vulnerabilities while maintaining classical security guarantees.

NIST Federal Information Processing Standard 203, published August 13, 2024, specifying the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM). FIPS 203 defines three parameter sets: ML-KEM-512 (NIST Security Level 1), ML-KEM-768 (Level 3), and ML-KEM-1024 (Level 5). This is the primary standard for quantum-safe key establishment, replacing RSA and ECDH key exchange in federal systems. Compliance is mandatory for federal agencies by CNSA 2.0 timelines.

NIST Federal Information Processing Standard 204, published August 13, 2024, specifying the Module-Lattice-Based Digital Signature Algorithm (ML-DSA). FIPS 204 defines three parameter sets: ML-DSA-44 (NIST Security Level 2), ML-DSA-65 (Level 3), and ML-DSA-87 (Level 5). ML-DSA replaces RSA and ECDSA for digital signature operations. FIPS 204 is the primary standard for quantum-safe authentication and integrity verification.

NIST Federal Information Processing Standard 205, published August 13, 2024, specifying the Stateless Hash-Based Digital Signature Algorithm (SLH-DSA). FIPS 205 defines twelve parameter sets across three security levels, offering both fast and small variants. SLH-DSA provides a conservative alternative to ML-DSA based entirely on hash function security. NIST recommends SLH-DSA as a fallback option in case lattice-based assumptions are compromised.

NIST Draft Federal Information Processing Standard 206, specifying the FFT over NTRU-Lattice-Based Digital Signature Algorithm (FN-DSA). As of early 2026, FIPS 206 remains in draft status. FN-DSA offers significantly more compact signatures than ML-DSA, making it attractive for bandwidth-constrained applications. The final standard is expected to complement FIPS 204 by providing an additional lattice-based signature option with different performance trade-offs.

The Commercial National Security Algorithm Suite 2.0, published by the NSA in September 2022, mandates specific quantum-resistant algorithms and timelines for U.S. National Security Systems (NSS). CNSA 2.0 requires: ML-KEM-1024 for key establishment by 2030, ML-DSA-87 or SLH-DSA for software/firmware signing by 2025, AES-256 for symmetric encryption, and SHA-384 or SHA-512 for hashing. CNSA 2.0 is the most aggressive PQC migration mandate globally and directly influences commercial adoption timelines.

National Security Memorandum 10, signed by the President of the United States on May 4, 2022, directing federal agencies to begin migrating to quantum-resistant cryptography. NSM-10 requires agencies to inventory cryptographic systems, identify quantum-vulnerable assets, and develop PQC migration plans. It established the mandate that led to CNSA 2.0 implementation timelines and requires agencies to prioritize migration of the most sensitive systems. NSM-10 is the highest-level U.S. policy directive on PQC migration.

NIST Internal Report 8547, titled 'Transition to Post-Quantum Cryptography Standards,' published in November 2024. This report provides NIST's official guidance on deprecating classical cryptographic algorithms and transitioning to PQC standards. IR 8547 states that RSA, ECDSA, EdDSA, DH, and ECDH should be deprecated by 2030 and disallowed after 2035. It provides the authoritative NIST timeline for PQC migration across all federal and commercial systems.

The Payment Card Industry Data Security Standard version 4.0, effective March 2024, which introduces requirements relevant to PQC readiness. PCI DSS 4.0.1 mandates strong cryptography for cardholder data protection and requires organizations to maintain cryptographic inventories. While PCI DSS 4.0.1 does not yet mandate PQC specifically, its requirements for cryptographic agility and inventory align with PQC migration preparation. Financial institutions subject to PCI DSS should anticipate PQC requirements in future standard revisions.

NIST Special Publication 800-208, 'Recommendation for Stateful Hash-Based Signature Schemes,' provides guidance on implementing LMS and XMSS stateful hash-based signature schemes. Published in October 2020, SP 800-208 was one of the first NIST documents approving quantum-resistant algorithms for immediate use. It specifies parameter choices, state management requirements, and operational guidelines for deploying LMS/HSS and XMSS/XMSS-MT in production environments.

ISO/IEC 18033 is an international standard for encryption algorithms published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standard covers asymmetric ciphers, block ciphers, and stream ciphers. ISO/IEC working groups are actively developing companion standards for PQC algorithms. Organizations with international compliance requirements should monitor ISO/IEC PQC standardization efforts alongside NIST standards.

A quantitative risk metric (0-100) developed by Qtonic Quantum that measures an organization's accumulated exposure from quantum-vulnerable encryption. The Cryptographic Debt Score evaluates: (1) cryptographic asset inventory and quantum-vulnerable algorithm usage, (2) data sensitivity classifications and retention requirements, (3) adversary capability timelines and CRQC probability distributions, (4) PQC migration readiness and timeline feasibility. Scores above 60 indicate high risk requiring immediate PQC migration. Target score is below 30 by 2030.

A Cryptographically-Relevant Quantum Computer (CRQC) is a quantum computer with sufficient qubits and error correction to execute Shor's algorithm and break RSA-2048, ECC P-256, and other classical public-key cryptosystems. Resource estimates continue to evolve as hardware and circuit compilation improve. Logical qubit estimates remain implementation-dependent. Qtonic Quantum treats 2029 as a readiness/control date for migration planning, not as a present-day break claim.

Post-Quantum Cryptography (PQC) refers to cryptographic algorithms designed to be secure against attacks by both classical and quantum computers. PQC algorithms are based on mathematical problems believed to be hard for quantum computers, including lattice-based cryptography (ML-KEM, ML-DSA), hash-based signatures (SLH-DSA), code-based cryptography, and multivariate polynomial cryptography. NIST standardized the first three PQC algorithms in August 2024 as FIPS 203, 204, and 205.

The ability of an information system to rapidly switch between cryptographic algorithms, protocols, and key sizes without significant architectural changes. Crypto agility is essential for PQC migration because it enables organizations to replace quantum-vulnerable algorithms with quantum-safe alternatives incrementally. Systems lacking crypto agility require costly re-architecture. Best practices include abstracting cryptographic operations behind configurable interfaces and maintaining algorithm-independent data formats.

A Cryptographic Bill of Materials (CBOM) is a comprehensive, machine-readable inventory of all cryptographic assets, algorithms, protocols, key lengths, and certificate dependencies within an organization's systems. CBOMs enable organizations to identify quantum-vulnerable cryptography across their entire infrastructure. The CBOM concept extends the Software Bill of Materials (SBOM) framework to cryptographic components. Maintaining an accurate CBOM is a prerequisite for effective PQC migration planning and compliance with NSM-10 requirements.

A family of cryptographic constructions based on the computational hardness of lattice problems, particularly the Learning With Errors (LWE) and Module-LWE problems. Lattice-based cryptography is the mathematical foundation for ML-KEM (FIPS 203) and ML-DSA (FIPS 204), making it the dominant approach in NIST's PQC standardization. Lattice problems are believed to resist both classical and quantum attacks. The efficiency of structured lattice schemes enables practical deployment at scale.

A family of cryptographic constructions based on the hardness of decoding random error-correcting codes, originating from McEliece's 1978 cryptosystem. Code-based schemes provide mathematical diversity from lattice-based approaches and have withstood over 45 years of cryptanalysis. NIST selected HQC as an additional KEM standard based on code-based cryptography. Code-based schemes generally have larger key sizes than lattice-based alternatives but offer strong conservative security guarantees.

A class of digital signature schemes whose security relies solely on the properties of cryptographic hash functions. Hash-based signatures include stateful schemes (LMS, XMSS) and stateless schemes (SLH-DSA/SPHINCS+). Their security proofs rely on minimal assumptions — only that the underlying hash function is secure — making them the most mathematically conservative PQC signature approach. NIST standardized SLH-DSA (FIPS 205) and approved LMS/XMSS in SP 800-208.

A family of cryptographic constructions based on the difficulty of computing isogenies between supersingular elliptic curves. The most notable scheme, SIKE/SIDH, was broken in 2022 by Castryck and Decru's attack, which recovered private keys in minutes on a classical computer. This cryptanalytic break eliminated SIKE from NIST's PQC competition and demonstrated the importance of cryptographic diversity and caution with newer mathematical assumptions. Active research continues on alternative isogeny constructions such as CSIDH and SQIsign.

A family of cryptographic schemes based on the hardness of solving systems of multivariate polynomial equations over finite fields (the MQ problem). Multivariate schemes can produce very short signatures but typically have large public keys. The Rainbow signature scheme, a prominent multivariate candidate in NIST's PQC competition, was broken in 2022. Despite this setback, the multivariate approach remains an active area of PQC research with schemes such as UOV (Unbalanced Oil and Vinegar) under development.

Quantum Key Distribution (QKD) is a method of distributing encryption keys using quantum mechanical properties, specifically the no-cloning theorem and quantum measurement disturbance. QKD enables two parties to detect eavesdropping on key exchange. While theoretically information-theoretically secure, QKD has significant practical limitations: it requires specialized quantum hardware, dedicated fiber optic links, is limited to short distances without quantum repeaters, and does not provide authentication. NIST and NSA have stated that PQC, not QKD, is the recommended path for quantum-safe communications.

A Key Encapsulation Mechanism (KEM) is a cryptographic primitive used to securely establish a shared secret key between two parties using public-key cryptography. Unlike traditional key exchange (e.g., Diffie-Hellman), a KEM generates a random shared secret and encapsulates it using the recipient's public key. The recipient decapsulates using their private key to recover the shared secret. KEMs are the standard construction for PQC key establishment — ML-KEM (FIPS 203) replaced traditional key exchange with a KEM-based approach.

A cryptographic mechanism that provides authentication, integrity, and non-repudiation for digital messages and documents. Digital signatures use asymmetric cryptography where a private key generates the signature and a corresponding public key verifies it. Classical signature algorithms (RSA, ECDSA, EdDSA) are broken by Shor's algorithm. PQC replacements include ML-DSA (FIPS 204), SLH-DSA (FIPS 205), and FN-DSA (draft FIPS 206), each offering different performance and security trade-offs.

A comprehensive catalog of all cryptographic algorithms, protocols, key sizes, certificates, and their deployments across an organization's infrastructure. Building a cryptographic inventory is the essential first step in PQC migration, as a federal-agency planning focus under NSM-10 and related OMB guidance. The inventory identifies where quantum-vulnerable algorithms (RSA, ECC, DH) are used, enabling prioritized migration planning. Automated discovery tools and CBOM generation are recommended for large-scale inventory efforts.

The process of transitioning an organization's cryptographic infrastructure from quantum-vulnerable classical algorithms (RSA, ECC, DH) to quantum-resistant PQC algorithms (ML-KEM, ML-DSA, SLH-DSA). PQC migration involves: cryptographic inventory and discovery, risk assessment and prioritization, algorithm selection and testing, hybrid deployment for backwards compatibility, and full cutover. NIST IR 8547 recommends completing migration by 2035. Enterprise PQC migration typically spans 3-7 years depending on infrastructure complexity.

A composite metric quantifying an organization's risk exposure from quantum computing threats to its cryptographic infrastructure. Quantum Risk Scores incorporate factors including: quantum-vulnerable algorithm prevalence, data sensitivity and retention periods, CRQC timeline probability distributions, migration readiness level, and regulatory compliance gaps. Qtonic Quantum's Cryptographic Debt Score is a specific implementation of quantum risk scoring that weights these factors for actionable prioritization.

A deployment strategy that combines classical and post-quantum cryptographic algorithms in a single protocol exchange to provide security against both classical and quantum adversaries. In a hybrid scheme, the overall security is at least as strong as the strongest individual component. Hybrid approaches are recommended by NIST, NSA, and BSI during the PQC transition period to mitigate the risk of undiscovered vulnerabilities in new PQC algorithms while maintaining proven classical security. Common examples include X25519+ML-KEM-768 for key exchange.

Extensions to TLS 1.3 (RFC 8446) that incorporate post-quantum key encapsulation mechanisms for quantum-safe handshakes. Major implementations include Google Chrome and Cloudflare's deployment of X25519+ML-KEM-768 hybrid key exchange since 2024. Post-quantum TLS increases handshake sizes due to larger PQC public keys and ciphertexts, but real-world performance impact is minimal for most applications. IETF working groups are standardizing PQ TLS extensions including hybrid key exchange and PQC certificate authentication.

The milestone at which a quantum computer performs a specific computational task faster than any classical computer. Google's Sycamore processor claimed quantum supremacy in 2019 by completing a sampling task in 200 seconds that would allegedly take a classical supercomputer 10,000 years. Quantum supremacy is distinct from quantum advantage and does not imply the ability to break cryptography. The sampling tasks used to demonstrate supremacy have no direct cryptographic relevance. A CRQC capable of breaking RSA requires orders of magnitude more qubits than current supremacy demonstrations.

The point at which a quantum computer provides a meaningful practical speedup over classical computers for real-world computational problems. Quantum advantage is a higher bar than quantum supremacy, requiring demonstrated utility rather than artificial benchmarks. As of early 2026, no quantum computer has achieved widely recognized quantum advantage for commercially relevant problems. The timeline from quantum advantage to cryptographically-relevant quantum computing (CRQC) involves substantial additional engineering challenges.

A fault-tolerant quantum bit constructed from many physical qubits using quantum error correction codes. Logical qubits maintain quantum coherence long enough to perform useful computation, unlike noisy physical qubits which rapidly lose information to decoherence. Breaking RSA-2048 with Shor's algorithm is estimated to require approximately 4,000-10,000 logical qubits. Current quantum error correction ratios require roughly 1,000-10,000 physical qubits per logical qubit, placing the hardware threshold for a CRQC at millions of physical qubits.

Techniques for protecting quantum information from errors caused by decoherence and quantum noise, essential for building reliable quantum computers. Quantum error correction encodes a single logical qubit across multiple physical qubits using codes such as the surface code or color code. Without error correction, quantum computations fail after microseconds. Achieving error rates below the fault-tolerance threshold is the primary engineering challenge separating current noisy intermediate-scale quantum (NISQ) devices from cryptographically-relevant quantum computers.

The fundamental unit of quantum information, analogous to a classical bit but capable of existing in a superposition of the 0 and 1 states simultaneously. Qubits can be entangled with other qubits, enabling quantum parallelism. Physical qubit implementations include superconducting circuits (Google, IBM), trapped ions (IonQ, Quantinuum), photonic systems, and neutral atoms. As of early 2026, the largest quantum processors contain approximately 1,000-1,200 physical qubits, far below the millions needed for a CRQC.

A multi-year standardization process initiated by NIST in 2016 to evaluate and standardize post-quantum cryptographic algorithms. The process involved 82 initial submissions, narrowed through four rounds of public evaluation and cryptanalysis. In August 2024, NIST published the first three PQC standards: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). Additional standards are in development, including FIPS 206 (FN-DSA) and an HQC standard. The NIST PQC standardization process is the most significant cryptographic standardization effort since the AES competition.

A designation indicating that a cryptographic algorithm, protocol, or system is believed to be secure against attacks by both classical and quantum computers. An algorithm is considered quantum-safe if no known quantum algorithm provides a significant speedup in breaking it. The NIST PQC standards (ML-KEM, ML-DSA, SLH-DSA) are quantum-safe. Symmetric algorithms like AES-256 and hash functions like SHA-384 are also quantum-safe when used with sufficient key/output lengths. 'Quantum-safe' does not guarantee absolute security — it reflects the current state of cryptanalytic knowledge.

A risk assessment metric that quantifies an organization's specific exposure to Harvest Now, Decrypt Later attacks. The HNDL Score evaluates: volume of quantum-vulnerable encrypted data in transit, data sensitivity classifications, estimated adversary collection capability, data retention and secrecy requirements, and time-to-quantum estimates. A high HNDL Score indicates that data currently being transmitted is likely being collected and will be decryptable when CRQCs become available. Organizations handling classified, financial, or healthcare data typically have elevated HNDL Scores.