Why post-quantum, why now
The threat in one paragraph
A sufficiently large quantum computer running Shor's algorithm breaks every classical public-key scheme in widespread use today: RSA, ECDSA, EdDSA, Diffie-Hellman. Anything authenticated, encrypted, or signed with those primitives — TLS sessions, JWTs, SSH keys, certificate chains, blockchain transactions, code-signing identities — is no longer secure once such a machine exists. Nobody can tell you exactly when that day arrives, but the design and procurement decisions you make now will outlive any honest answer.
The "harvest now, decrypt later" problem
Adversaries can already record ciphertexts, signatures, and public-key handshakes today and break them later. That means high-value, long-lived secrets (state communications, financial records, identity material, on-chain public keys) are effectively at risk now — not when the quantum computer lands. Migration cannot wait for the threat to materialize.
The standards have landed
The "which algorithms?" question is no longer open:
| Standard | Algorithms | Type | Status |
|---|---|---|---|
| FIPS 203 | ML-KEM-512 / 768 / 1024 | Key encapsulation | Final (Aug 2024) |
| FIPS 204 | ML-DSA-44 / 65 / 87 | Digital signatures | Final (Aug 2024) |
| FIPS 205 | SLH-DSA (SHA2 and SHAKE, 128s/128f/192s/192f/256s/256f) | Hash-based signatures | Final (Aug 2024) |
| FIPS 206 | FN-DSA (Falcon) | Lattice signatures | Draft |
NIST finalized ML-KEM, ML-DSA, and SLH-DSA in August 2024 and selected Falcon for a future standard. Implementations are catching up across runtimes and protocols. The systems-engineering work — touching every layer of the stack that consumes signatures or KEMs — starts now.
The PQ scaling cliff
Adopting PQ is not just an algorithm swap. PQ signatures and public keys are much larger than their classical counterparts:
| Scheme | Public key | Signature |
|---|---|---|
| Ed25519 (classical) | 32 B | 64 B |
| ML-DSA-44 | 1,312 B | 2,420 B |
| ML-DSA-65 | 1,952 B | 3,309 B |
| ML-DSA-87 | 2,592 B | 4,627 B |
| SLH-DSA-SHA2-128s | 32 B | 7,856 B |
These sizes cascade into every layer of a real system: bandwidth, storage, mempool propagation, consensus block size, calldata cost on L2s, certificate chain depth, JWT/JWS envelope size, hardware wallet display memory. The PQ scaling cliff is the engineering reality that "just turn on PQ" is not a one-line change in protocols sized around 32–96 byte primitives.
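To make the cliff concrete, the following is an added example (not code from the original page or from any library it describes) that turns the size table above into a budget model. The signature and public-key sizes are the page's; every budget it checks against is a constructed assumption: an 8192-byte per-header limit (typical of default web-server header buffers), a 1,000,000-byte block, a 100-byte transaction body, and the assumption that each transaction carries its own public key and signature with no aggregation. It shows what the table alone does not: the base64url expansion of a JWS signature, which schemes push a bearer token past a header limit, and how many signed transactions still fit in a fixed-size block.

```python
"""Size-budget model for the PQ scaling cliff.

Added example, not from the original page or any library it describes.
Key and signature sizes come from the page's table; every budget below
(header limit, block size, transaction body) is a constructed assumption.
"""
from dataclasses import dataclass

# (public key bytes, signature bytes) as listed on the page.
SCHEMES = {
    "Ed25519": (32, 64),
    "ML-DSA-44": (1312, 2420),
    "ML-DSA-65": (1952, 3309),
    "ML-DSA-87": (2592, 4627),
    "SLH-DSA-SHA2-128s": (32, 7856),
}


def b64url_len(n: int) -> int:
    """Length of n raw bytes after unpadded base64url encoding: ceil(4n/3)."""
    return (4 * n + 2) // 3


def jws_compact_len(scheme: str, header_len: int, payload_len: int) -> int:
    """Bytes on the wire for a compact JWS (header.payload.signature).

    header_len and payload_len are the raw (pre-base64) JSON sizes; only the
    signature segment changes between schemes.
    """
    _, sig_len = SCHEMES[scheme]
    return (b64url_len(header_len) + 1
            + b64url_len(payload_len) + 1
            + b64url_len(sig_len))


def header_fits(scheme: str, header_len: int, payload_len: int,
                limit: int = 8192, prefix: str = "Bearer ") -> bool:
    """Does `Authorization: <prefix><jws>` stay within a per-header byte limit?

    The 8192-byte default is an assumed limit, typical of default
    web-server header buffers; set it to whatever your edge enforces.
    """
    return len(prefix) + jws_compact_len(scheme, header_len, payload_len) <= limit


def tx_len(scheme: str, body_len: int) -> int:
    """Bytes per transaction when each one carries its own public key and
    signature (assumption: no key reuse, no aggregation)."""
    pk_len, sig_len = SCHEMES[scheme]
    return pk_len + sig_len + body_len


def txs_per_block(scheme: str, block_budget: int, body_len: int) -> int:
    """How many such transactions fit in a fixed-size block."""
    return block_budget // tx_len(scheme, body_len)


@dataclass
class Impact:
    scheme: str
    jws_len: int
    fits_header: bool
    tx_len: int
    txs_per_block: int
    tx_blowup: float  # per-transaction bytes relative to Ed25519


def report(header_len: int = 36, payload_len: int = 200,
           block_budget: int = 1_000_000, body_len: int = 100) -> list[Impact]:
    """Run the model for every scheme with the constructed budgets."""
    base = tx_len("Ed25519", body_len)
    out = []
    for scheme in SCHEMES:
        t = tx_len(scheme, body_len)
        out.append(Impact(
            scheme=scheme,
            jws_len=jws_compact_len(scheme, header_len, payload_len),
            fits_header=header_fits(scheme, header_len, payload_len),
            tx_len=t,
            txs_per_block=txs_per_block(scheme, block_budget, body_len),
            tx_blowup=round(t / base, 1),
        ))
    return out


if __name__ == "__main__":
    for r in report():
        flag = "" if r.fits_header else "  <- exceeds assumed 8 KiB header budget"
        print(f"{r.scheme:<18} JWS={r.jws_len:>6} B  tx={r.tx_len:>5} B "
              f"({r.tx_blowup:>5}x)  txs/block={r.txs_per_block:>5}{flag}")
```

Under these assumptions an ML-DSA-87 bearer token still fits a default header buffer while an SLH-DSA-SHA2-128s one does not, and a block that held roughly 5,100 Ed25519-signed transactions holds a few hundred with ML-DSA; swapping the budget constants for your own protocol's limits is the first sizing check to run before deciding a scheme is a drop-in replacement.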
Related
- Supported algorithms — sizes, OIDs, and security levels for all supported schemes
- How the pieces fit — what we built on top of these primitives
- Threat model — what is and is not protected