PQC — Post-Quantum Cryptography
Post-Quantum Cryptography (PQC) refers to cryptographic algorithms designed to remain secure against attacks by both classical and quantum computers. A sufficiently large, fault-tolerant quantum computer running Shor's algorithm solves integer factoring and discrete logarithms in polynomial time, which breaks every public-key algorithm in common use today (RSA, ECC, finite-field DH) regardless of key size. Because those algorithms underpin key exchange, digital signatures and PKI, this threatens every digital system from banking to national defense.
Why Post-Quantum Cryptography Is Urgent
| Current Algorithm | Quantum Threat | Timeline / Mitigation |
|---|---|---|
| RSA-2048 | Broken outright by Shor's algorithm (integer factoring) | Cryptographically relevant quantum computer estimated 2030–2035; migrate to ML-KEM / ML-DSA |
| ECDSA / ECDH (P-256) | Broken outright by Shor's algorithm (elliptic-curve discrete logarithm) | Same as RSA; migrate to ML-KEM / ML-DSA |
| AES-256 | Grover's algorithm halves effective key strength (a 256-bit key gives about 128-bit security); still safe | Manageable: use 256-bit keys and retire AES-128 for long-lived data |
| SHA-256 | Grover's algorithm halves preimage resistance to about 128 bits; still safe | Manageable: use SHA-384 / SHA-512 where 256-bit post-quantum security is required |
“Harvest now, decrypt later”: adversaries are already recording encrypted traffic and stored ciphertext today, intending to decrypt it once a quantum computer is available. Any data whose confidentiality must hold beyond roughly 2030 needs quantum-safe key exchange now. Signatures are not exposed in the same way, since a signature forged in the future does not retroactively compromise data that was authenticated today, so confidentiality (key exchange and KEMs) should be migrated first.
NIST PQC Standards (Finalized 2024)
After an evaluation process that began with the 2016 call for proposals, NIST published three primary PQC standards in August 2024:
Key Encapsulation Mechanism (KEM)
| Standard | Algorithm | Family | Public Key Size | Ciphertext Size | Performance |
|---|---|---|---|---|---|
| FIPS 203 (ML-KEM) | CRYSTALS-Kyber | Lattice-based (Module-LWE) | 800 / 1184 / 1568 bytes (ML-KEM-512 / 768 / 1024) | 768 / 1088 / 1568 bytes | Very fast; the shared secret is always 32 bytes |
Digital Signatures
| Standard | Algorithm | Family | Signature Size | Performance |
|---|---|---|---|---|
| FIPS 204 (ML-DSA) | CRYSTALS-Dilithium | Lattice-based (Module-LWE / Module-SIS) | 2420 / 3309 / 4627 bytes (ML-DSA-44 / 65 / 87) | Fast; signing time varies because of rejection sampling |
| FIPS 205 (SLH-DSA) | SPHINCS+ | Hash-based (stateless) | 7856 bytes (SLH-DSA-128s) to 49856 bytes (SLH-DSA-256f) | Slower, especially signing, but relies only on the security of the hash function |
Comparison with Classical Algorithms
| Metric | RSA-2048 | ECDSA P-256 | ML-DSA-65 (PQC) | SLH-DSA-SHA2-128f (PQC) |
|---|---|---|---|---|
| Public key size | 256 bytes (modulus) | 64 bytes (uncompressed x‖y) | 1952 bytes | 32 bytes |
| Signature size | 256 bytes | 64 bytes | 3309 bytes | 17088 bytes |
| Quantum-safe | ❌ No | ❌ No | ✅ Yes | ✅ Yes |
| Standardized | Yes, but quantum-vulnerable and slated for deprecation | Yes, but quantum-vulnerable and slated for deprecation | Yes (FIPS 204) | Yes (FIPS 205) |
PQC for Embedded Systems & IoT
PQC poses specific challenges for embedded and IoT devices:
Challenges
- Larger key and signature sizes: an ML-DSA-65 signature is 3309 bytes against 64 bytes for ECDSA P-256, roughly 50× larger, which affects bandwidth, flash layout and the size of certificate chains.
- Higher resource cost: ML-KEM and ML-DSA are computationally competitive with ECC, but lattice arithmetic needs far more RAM (ML-DSA signing uses tens of kilobytes of stack) and code space than a compact ECC implementation, which constrains small MCUs.
- OTA update impact: signed firmware images and their certificate chains grow, lengthening update time over constrained networks (LoRaWAN, NB-IoT) and raising the cost of a failed transfer.
- No reuse of existing accelerators: RSA/ECC hardware accelerators do not help with lattice arithmetic (NTT, polynomial multiplication) or with the many hash calls of SLH-DSA, so constrained devices may need dedicated PQC accelerator IP blocks.
Solutions
- Hybrid cryptography: during the transition, combine a classical and a PQC primitive so that an attacker must break both. For key exchange this means X25519 + ML-KEM-768 (deployed in TLS 1.3 as X25519MLKEM768); for signatures, ECDSA + ML-DSA, where the verifier accepts only if both signatures validate (an OR policy would add no security).
- Hardware PQC accelerators — FPGA and ASIC implementations of lattice operations for IoT.
- Secure element updates — Vendors like STMicroelectronics, Infineon, and NXP are adding PQC firmware upgrade paths to existing secure elements.
- FPGA-based PQC — FPGAs enable field-upgradeable cryptographic cores without silicon respins.
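The hybrid key-agreement pattern from the "Hybrid cryptography" bullet above, and the ML-KEM entry in the standards table, as an added Go example (not code from the original page or from any vendor SDK). It uses the standard library's `crypto/ecdh` and `crypto/mlkem` packages, so it assumes Go 1.24 or newer. The share layout (X25519 public key followed by the ML-KEM-768 encapsulation key, X25519 ephemeral key followed by the ML-KEM ciphertext) mirrors the TLS 1.3 X25519MLKEM768 group; the `Responder` / `Initiate` names, the size constants and the HMAC-SHA256 combiner are this example's own choices rather than any standard.

```go
// Hybrid X25519 + ML-KEM-768 key agreement (added example, modelled on TLS 1.3's X25519MLKEM768).
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"slices"
)

const (
	x25519Size    = 32
	HybridPubSize = x25519Size + mlkem.EncapsulationKeySize768 // 32 + 1184 = 1216 bytes
	HybridCtSize  = x25519Size + mlkem.CiphertextSize768       // 32 + 1088 = 1120 bytes
)

type Responder struct {
	ecdhPriv *ecdh.PrivateKey
	kemPriv  *mlkem.DecapsulationKey768
	pub      []byte // X25519 public key || ML-KEM-768 encapsulation key
}

// NewResponder generates both key pairs and returns the share to publish.
func NewResponder() (*Responder, []byte, error) {
	ecdhPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	kemPriv, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, err
	}
	pub := slices.Concat(ecdhPriv.PublicKey().Bytes(), kemPriv.EncapsulationKey().Bytes())
	return &Responder{ecdhPriv, kemPriv, pub}, pub, nil
}

// x25519 parses a 32-byte peer key and returns the shared secret; it fails on low-order points.
func x25519(priv *ecdh.PrivateKey, peer []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer)
	if err != nil {
		return nil, err
	}
	return priv.ECDH(pub)
}

// Initiate encapsulates to a responder share and returns the hybrid ciphertext and session key.
func Initiate(responderPub []byte) (ciphertext, key []byte, err error) {
	if len(responderPub) != HybridPubSize {
		return nil, nil, fmt.Errorf("hybrid: share is %d bytes, want %d", len(responderPub), HybridPubSize)
	}
	peerKem, err := mlkem.NewEncapsulationKey768(responderPub[x25519Size:]) // validates the encoding
	if err != nil {
		return nil, nil, err
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ssEcdh, err := x25519(eph, responderPub[:x25519Size])
	if err != nil {
		return nil, nil, err
	}
	ssKem, ctKem := peerKem.Encapsulate()
	ciphertext = slices.Concat(eph.PublicKey().Bytes(), ctKem)
	return ciphertext, combine(ssEcdh, ssKem, responderPub, ciphertext), nil
}

// Respond decapsulates. A corrupted ML-KEM ciphertext does not error: implicit rejection
// yields a pseudorandom key, so the mismatch surfaces only when the key is first used.
func (r *Responder) Respond(ciphertext []byte) ([]byte, error) {
	if len(ciphertext) != HybridCtSize {
		return nil, fmt.Errorf("hybrid: ciphertext is %d bytes, want %d", len(ciphertext), HybridCtSize)
	}
	ssEcdh, err := x25519(r.ecdhPriv, ciphertext[:x25519Size])
	if err != nil {
		return nil, err
	}
	ssKem, err := r.kemPriv.Decapsulate(ciphertext[x25519Size:])
	if err != nil {
		return nil, err
	}
	return combine(ssEcdh, ssKem, r.pub, ciphertext), nil
}

// combine binds both secrets and the transcript into one 32-byte key (TLS feeds HKDF instead).
func combine(ssEcdh, ssKem, pub, ct []byte) []byte {
	mac := hmac.New(sha256.New, []byte("X25519MLKEM768-example-v1"))
	mac.Write(slices.Concat(ssEcdh, ssKem, pub, ct))
	return mac.Sum(nil)
}

func main() {
	r, pub, _ := NewResponder()
	ct, k1, _ := Initiate(pub)
	k2, _ := r.Respond(ct)
	fmt.Printf("share %d B, ciphertext %d B, keys agree=%v\n", len(pub), len(ct), hmac.Equal(k1, k2))
}
```

Two properties matter in practice. The derived key depends on both shared secrets and on the full transcript, so an attacker who breaks X25519 with Shor's algorithm, or ML-KEM through some future lattice advance, still learns nothing without breaking the other. And ML-KEM's implicit rejection means a tampered ciphertext is not reported as an error by `Decapsulate`; the two sides simply end up with different keys, so a protocol built on it must confirm the key (as TLS does with the Finished message) rather than rely on decapsulation failing.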
PQC and EU Regulations
The EU Cyber Resilience Act (CRA) requires products to use state-of-the-art cryptography. As NIST PQC standards are now final, PQC adoption is becoming a compliance consideration:
- Products with long operational lifetimes (10–15 years for industrial IoT) must protect data that will still be confidential when quantum computers arrive.
- European Cybersecurity Certification Scheme (EUCC) is expected to require PQC readiness for high-assurance certifications.
Migration Timeline
| Phase | Period | Action |
|---|---|---|
| Assessment | 2024–2025 | Inventory all cryptographic dependencies in a Cryptographic Bill of Materials (CBOM): algorithms, key sizes, protocols, libraries, certificates, and the lifetime of the data they protect |
| Hybrid deployment | 2025–2028 | Dual classical + PQC for critical systems |
| PQC-primary | 2028–2030 | PQC as default, classical as fallback |
| PQC-only | 2030+ | Full migration, deprecate RSA/ECC (NIST IR 8547, in draft, proposes deprecating quantum-vulnerable algorithms at 112-bit security after 2030 and disallowing them after 2035) |
Related Terms
- Secure Boot — Firmware verification that must migrate to PQC signatures.
- HSM — Hardware modules that need PQC algorithm support.
- EU Cyber Resilience Act — Regulation requiring state-of-the-art cryptography.