Post-Quantum Cryptography
Post-quantum cryptography (PQC) provides algorithms designed to be secure against attacks by both classical and quantum computers. cryptopp-modern implements the NIST PQC standards ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205), along with the stateful hash-based signature schemes LMS/HSS from NIST SP 800-208.
The Quantum Threat
Quantum computers threaten the cryptographic algorithms that secure most of today’s internet:
| Algorithm | Threat | Impact |
|---|---|---|
| RSA, DSA | Shor’s algorithm | Vulnerable to sufficiently capable quantum computer; long-term confidentiality not assured |
| ECDSA, ECDH, Ed25519, X25519 | Shor’s algorithm | Vulnerable to sufficiently capable quantum computer; long-term confidentiality not assured |
| AES-128 | Grover’s algorithm | Security margin reduced; prefer AES-256 for PQ planning |
| AES-256, SHA-256, SHA-3 | Grover’s algorithm | Security margin reduced, but these remain standard choices |
For compliance-oriented applications, use SHA-256 or SHA-3.
Key point: Public-key cryptography based on factoring or discrete logarithms is vulnerable to quantum attack. Symmetric cryptography remains viable with 256-bit keys.
“Harvest Now, Decrypt Later”
Adversaries may be collecting encrypted traffic today, planning to decrypt it once quantum computers become available. Data with long-term confidentiality requirements should transition to PQC now:
| Data Type | Sensitivity Window | Action |
|---|---|---|
| State secrets, medical records | 25+ years | Migrate now |
| Financial data, legal documents | 10-25 years | Begin migration |
| Session keys, ephemeral data | Hours to days | Classical may be acceptable for now |
Available Algorithms
Key Encapsulation (Key Exchange)
| Algorithm | Standard | Security Basis | Best For |
|---|---|---|---|
| X-Wing | IETF Draft | Hybrid (X25519 + ML-KEM) | Defence in depth (transition strategy) |
| ML-KEM | FIPS 203 | Module lattices | Pure post-quantum |
Digital Signatures
| Algorithm | Standard | Security Basis | Stateful | Best For |
|---|---|---|---|---|
| ML-DSA | FIPS 204 | Module lattices | No | General-purpose signatures |
| SLH-DSA | FIPS 205 | Hash functions only | No | Conservative security |
| LMS/HSS | SP 800-208 | Hash functions only | Yes | Bounded signing (firmware, code, certificates) |
LMS/HSS is not a drop-in replacement for ordinary signature APIs. Signing state must be managed durably. See the LMS/HSS page for details.
Choosing an Algorithm
For Key Exchange
Need defence against both classical AND quantum attacks today?
├── YES → A hybrid approach may be appropriate
│ X-Wing (X25519 + ML-KEM-768) is one such design
│ Aims to remain secure if either component holds
│ Note: X-Wing remains an IETF draft, not a final standard
│
└── NO → Building a pure post-quantum system?
├── YES → Use ML-KEM-768 (FIPS 203)
│ NIST standard, smaller than X-Wing
│
└── NO → Use X25519 (classical)
Smallest keys, well-understood securityFor Digital Signatures
What are your priorities?
├── Conservative security (no lattice assumptions)?
│ ├── Can you manage signer state reliably?
│ │ ├── YES, and signing volume is bounded
│ │ │ └── Consider LMS/HSS (SP 800-208)
│ │ │ Hash-only security, small signatures (~2.6 KB)
│ │ │ BUT: stateful, each signature consumes state
│ │ │
│ │ └── NO, or signing volume is unpredictable
│ │ └── Use SLH-DSA (FIPS 205)
│ │ Stateless, no state management needed
│ │ Larger signatures (~17 KB)
│ │
│ └── Not sure about state management?
│ └── Use SLH-DSA, safer default for most applications
│
├── Balanced performance and size?
│ └── Use ML-DSA-65
│ NIST standard (FIPS 204)
│ ~3.3 KB signatures, fast signing/verification
│
└── Maximum security level needed?
└── Use ML-DSA-87 or SLH-DSA-256 variants
256-bit security, larger keys and signaturesSize and Performance Comparison
Key Encapsulation
| Property | X-Wing | ML-KEM-768 | X25519 (classical) |
|---|---|---|---|
| Public Key | 1216 bytes | 1184 bytes | 32 bytes |
| Ciphertext | 1120 bytes | 1088 bytes | 32 bytes |
| Shared Secret | 32 bytes | 32 bytes | 32 bytes |
| Post-Quantum | Yes | Yes | No |
| Fallback if lattices broken | Yes (X25519) | No | N/A |
Digital Signatures
| Property | ML-DSA-65 | SLH-DSA-SHA2-128f | Ed25519 (classical) |
|---|---|---|---|
| Public Key | 1952 bytes | 32 bytes | 32 bytes |
| Signature | 3309 bytes | 17,088 bytes | 64 bytes |
| Post-Quantum | Yes | Yes | No |
| Security Basis | Lattices | Hash functions | Elliptic curves |
Sizes vary by parameter set. The SLH-DSA row shows the “fast” (f) variant; the “small” (s) variant trades signing speed for roughly half the signature size (~8 KB). SLH-DSA achieves small public keys (32-64 bytes) because hash-based schemes derive verification data from the signature itself.
Migration Strategy
Phase 1: Hybrid Mode (Common transition approach)
Use hybrid algorithms that combine classical and post-quantum cryptography:
- Key Exchange: X-Wing (X25519 + ML-KEM-768)
- Signatures: Consider dual signatures for some critical applications
Benefits:
- Secure against both classical and quantum attacks
- A well-designed hybrid approach can reduce transition risk if one component later proves weaker than expected
- Gradual transition without breaking compatibility
Note that swapping algorithm primitives is only part of the picture. Protocols such as TLS, SSH, and application-level formats each have their own PQC adoption timelines and integration details.
Phase 2: Pure Post-Quantum (Future)
Once PQC algorithms are thoroughly analysed and quantum computers become a near-term threat:
- Key Exchange: ML-KEM-768 or ML-KEM-1024
- Signatures: ML-DSA-65 or SLH-DSA
Security Levels
NIST defines security categories (often compared to AES work factors):
| Level | Compared To | Algorithms |
|---|---|---|
| 1 | AES-128 work factor | ML-KEM-512, SLH-DSA-128* |
| 2 | SHA-256 collision | ML-DSA-44 |
| 3 | AES-192 work factor | ML-KEM-768, ML-DSA-65, SLH-DSA-192* |
| 5 | AES-256 work factor | ML-KEM-1024, ML-DSA-87, SLH-DSA-256* |
For many applications, Level 3 is a practical default, balancing security margin and size.
Quick Examples
For LMS/HSS usage examples, see the LMS/HSS API reference and the Stateful Signing Integration Guide. Stateful signing has different operational requirements from the examples below.
Hybrid Key Exchange with X-Wing
#include <cryptopp/xwing.h>
#include <cryptopp/osrng.h>
#include <cryptopp/secblock.h>
using namespace CryptoPP;
AutoSeededRandomPool rng;
// Recipient generates key pair
XWingDecapsulator recipient(rng);
// Share public key with sender
SecByteBlock publicKey(recipient.GetKey().GetPublicKeySize());
recipient.GetKey().GetPublicKey(publicKey.begin());
// Sender encapsulates
XWingEncapsulator sender(publicKey.begin(), publicKey.size());
SecByteBlock ciphertext(sender.CiphertextLength());
SecByteBlock sharedSecret(sender.SharedSecretLength());
sender.Encapsulate(rng, ciphertext.begin(), sharedSecret.begin());
// Recipient decapsulates
SecByteBlock recipientSecret(recipient.SharedSecretLength());
recipient.Decapsulate(ciphertext.begin(), recipientSecret.begin());
// sharedSecret == recipientSecret
// IMPORTANT: Treat sharedSecret as key material.
// Feed it into a KDF (e.g., HKDF), then use an AEAD
// (AES-GCM or ChaCha20-Poly1305) for data encryption.
Post-Quantum Signatures with ML-DSA
#include <cryptopp/mldsa.h>
#include <cryptopp/osrng.h>
#include <cryptopp/secblock.h>
#include <string>
using namespace CryptoPP;
AutoSeededRandomPool rng;
// Generate key pair
MLDSASigner<MLDSA_65> signer(rng);
MLDSAVerifier<MLDSA_65> verifier(signer);
// Sign a message
std::string message = "Important document";
SecByteBlock signature(signer.SignatureLength());
size_t sigLen = signer.SignMessage(rng,
(const byte*)message.data(), message.size(),
signature.begin());
// Verify the signature
bool valid = verifier.VerifyMessage(
(const byte*)message.data(), message.size(),
signature.begin(), sigLen);
// For protocols: define what you sign (context string,
// transcript hash, domain separation) to avoid cross-protocol attacks.
Common Questions
When will quantum computers break current cryptography?
Unknown. Estimates vary widely, and the real risk is that encrypted data captured today may be decrypted later if quantum capabilities improve.
Should I use PQC now?
For new applications with long-term confidentiality or authenticity requirements, often yes. A hybrid approach combining classical and post-quantum algorithms can be a practical transition strategy.
Are PQC algorithms slower?
Lattice-based algorithms such as ML-KEM and ML-DSA are generally practical on modern systems, with different size and performance trade-offs from RSA and ECC. Hash-based signatures (SLH-DSA, LMS/HSS) are slower but rely only on hash function security.
Why are PQC keys and signatures so large?
The mathematical structures that resist quantum attacks require more data to represent. This is a fundamental tradeoff for quantum resistance.
Standards Compliance
| Algorithm | Standard | Status |
|---|---|---|
| ML-KEM | FIPS 203 | Final (August 2024) |
| ML-DSA | FIPS 204 | Final (August 2024) |
| SLH-DSA | FIPS 205 | Final (August 2024) |
| X-Wing | IETF Draft | Draft |
See Also
- ML-KEM API Reference - Key encapsulation
- ML-DSA API Reference - Digital signatures
- SLH-DSA API Reference - Stateless hash-based signatures
- LMS/HSS API Reference - Stateful hash-based signatures
- Stateful Signing Guide - State contract, backends, common mistakes
- X-Wing API Reference - Hybrid key encapsulation
- Public-Key Cryptography - Classical algorithms