Post-Quantum Cryptography

Introduction: What is Post-Quantum Cryptography?

Current widely used asymmetric cryptography relies on the assumption that one-way functions exist—problems that are easy to compute in one direction but infeasible to reverse. Examples include integer factorization and the discrete logarithm. On classical computers, both problems can only be solved in exponential time, making them practically infeasible for sufficiently large inputs. The fastest known algorithm for factoring large integers is the General Number Field Sieve (GNFS) with runtime $\mathcal{O}\!\left(e^{\log(N)^{\frac{1}{3}}\cdot\log(\log(N))^{\frac{2}{3}}}\right)$ .

In 1997, Peter Shor introduced an algorithm that can solve the factorization problem in polynomial time, provided a sufficiently powerful quantum computer is available. The number of required qubits depends on computation time and error rates. Estimates suggest that breaking RSA-2048 would require around $10^{7}$ qubits in 100 days or $10^{9}$ qubits in one hour. Although IBM has demonstrated a quantum computer with 6100 qubits, current systems are still far from the scale needed to break modern cryptographic schemes.

Quantum computers operate fundamentally differently from classical machines, enabling new types of algorithms. If large-scale quantum computers become practical, they could efficiently solve factorization and discrete logarithms, rendering current asymmetric cryptographic systems insecure.

Another important quantum algorithm, developed by Lov Grover, provides a quadratic speedup for searching unsorted data (O(√N) instead of O(N)). This affects symmetric cryptography by effectively reducing its security strength, meaning that key sizes must be doubled to maintain the same level of security against quantum attacks.

Why Post-Quantum Security Matters — Now

Physicists and quantum computing researchers broadly agree: within the next 10 to 15 years, a quantum computer with enough qubits will exist to break widely deployed schemes such as RSA and ECDSA. That timeline makes the threat concrete and near-term, not theoretical.

This gives rise to the "Harvest now – decrypt later" attack strategy. Adversaries are already capturing encrypted data in transit today, storing it cheaply, and waiting until quantum hardware is powerful enough to decrypt it retrospectively. For financial data—invoices, audit trails, tax records subject to retention periods of 10 years or more—the risk is immediate: data you encrypt today must still be confidential a decade from now.

Quantum Computing

Classical computers store and process information using bits — the fundamental unit of classical information. A bit is always in exactly one of two states: 0 or 1. Every calculation, from adding numbers to rendering graphics, reduces to sequences of such binary operations.

A quantum computer replaces bits with qubits (quantum bits). Unlike a classical bit, a qubit can exist in a superposition of both 0 and 1 simultaneously — not as an unknown value, but as a genuine combination of both at once, characterised by complex-valued amplitudes. Only when a qubit is measured does it collapse to a definite 0 or 1, with probabilities determined by the amplitudes.

This property of superposition — together with entanglement (correlations between qubits that have no classical counterpart) and interference (the ability to amplify correct computation paths and cancel wrong ones) — is what gives quantum computers their potential to solve certain problems exponentially faster than any classical machine.

Computing with Single Qubits

In quantum computing, states are typically written in the form |x⟩, known as Dirac notation or ket notation, named after the British physicist and Nobel laureate Paul Dirac.

Definition — Qubit

A qubit occupies states of the form

\alpha \cdot |{0}\rangle + \beta \cdot |{1}\rangle

where α and β ∈ ℂ are called amplitudes. They satisfy the normalisation condition

|\alpha|^2 + |\beta|^2 = 1

States can equivalently be written as a linear combination of two-dimensional basis vectors:

\begin{pmatrix} \alpha \\ \beta \end{pmatrix} = \alpha \cdot \begin{pmatrix} 1 \\ 0 \end{pmatrix} + \beta \cdot \begin{pmatrix} 0 \\ 1 \end{pmatrix} = \alpha \cdot |{0}\rangle + \beta \cdot |{1}\rangle

Remark: Because of the normalisation rule above, all valid quantum states lie on the boundary of the unit circle.

When the superposition of a qubit is destroyed by measurement, it collapses to either |0⟩ or |1⟩. Which value it takes is governed by the amplitudes: with probability |α|² the qubit adopts state |0⟩, and with probability |β|² it adopts state |1⟩.

Unlike a coin toss—which is theoretically predictable given all parameters—there is no known way to predict the outcome of measuring a qubit. There are, however, deterministic special cases: the state 0⋅|0⟩ + 1⋅|1⟩ behaves like a classical bit set to 1, and 1⋅|0⟩ + 0⋅|1⟩ behaves like a classical bit set to 0.

To exploit superposition for computation, a state vector is transformed by multiplying it with a computation matrix—without performing a measurement, so superposition is preserved.

Definition — 1-Qubit Gate

A single-qubit computational step on a quantum computer is represented by a unitary 2×2 matrix. Given a unitary matrix

A = \begin{pmatrix} a & b \\ c & d \end{pmatrix}

the successor state α'|0⟩ + β'|1⟩ is obtained by:

\begin{pmatrix} \alpha' \\ \beta' \end{pmatrix} = A \cdot \begin{pmatrix} \alpha \\ \beta \end{pmatrix} = \begin{pmatrix} a\alpha + b\beta \\ c\alpha + d\beta \end{pmatrix}

A fundamental example is the Hadamard gate H, named after the French mathematician Jacques Hadamard. It implements a 1-qubit random number generator:

H = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}

Applied to |1⟩:

\begin{pmatrix} \alpha' \\ \beta' \end{pmatrix} = H \cdot \begin{pmatrix} 0 \\ 1 \end{pmatrix} = \begin{pmatrix} \tfrac{1}{\sqrt{2}} \\ -\tfrac{1}{\sqrt{2}} \end{pmatrix}

Applied to |0⟩:

\begin{pmatrix} \alpha' \\ \beta' \end{pmatrix} = H \cdot \begin{pmatrix} 1 \\ 0 \end{pmatrix} = \begin{pmatrix} \tfrac{1}{\sqrt{2}} \\ \tfrac{1}{\sqrt{2}} \end{pmatrix}

In both cases the output probabilities are equal:

|\alpha'|^2 = |\beta'|^2 = \tfrac{1}{2}

After measurement the qubit therefore takes each of |0⟩ and |1⟩ with probability ½.

Quantum Registers

A single qubit provides very limited computational power. Just as classical computers group bits into registers, we can combine multiple qubits into a quantum register.

Definition — Quantum Register (notation)

If a quantum register consists of n qubits |x₀⟩ through |xₙ₋₁⟩, we write |xₙ₋₁ xₙ₋₂ … x₁ x₀⟩.

Definition — Register State

An n-qubit register R can be in a superposition of all 2ⁿ basis states simultaneously:

R = \sum_{i=0}^{2^n - 1} \alpha_i\, |{i}\rangle

A measurement yields state |i⟩ with probability |αᵢ|².

In vector form, the state vector of an n-qubit register has 2ⁿ components, and computational steps are represented by unitary 2ⁿ×2ⁿ matrices. This exponential growth is what gives quantum computers their potential advantage over classical machines for certain problem classes.

Prime Factorisation and RSA

In 1977, Ron Rivest, Adi Shamir, and Len Adleman invented the RSA asymmetric encryption scheme while attempting to disprove a theoretical framework on public-key cryptography proposed by Whitfield Diffie and Martin Hellman. Key generation works as follows:

Choose two random primes p and q and compute $n = p \cdot q \quad \text{and} \quad \phi = (p-1)\cdot(q-1)$
Choose $e \in \mathbb{N} \text{ with } \gcd(e,\phi)=1$
Find $d \in \mathbb{N} \text{ with } e \cdot d \equiv 1 \pmod{\phi}$

The private key is (d, n) and the public key is (e, n). Efficient algorithms exist for every step above. To encrypt a message x, compute

c \equiv x^e \pmod{n}

To decrypt c:

x \equiv c^d \pmod{n}

It is widely believed—though not proven—that recovering the private key (d, n) from the public key (e, n) is exactly as hard as factoring n into p and q on a classical computer (unless d is already known).

x plaintext

→ easy (encrypt with e)

← hard without d

← easy with d

f(x) ciphertext

The Period-Finding Problem

Definition — Period

Let f be a function and p > 0 the smallest number such that for all x:

f(x + p) = f(x)

Then p is called the period of f.

Theorem

Let n be odd and not a prime power. Then for at least half of all a with 0 ≤ a ≤ n−1 and gcd(a, n) = 1:

The period p of $f(x) = a^x \bmod n$ is even.
n ∤ a^p/2 + 1, i.e. a^p/2 ¬≡ −1 (mod n).

This condition on n is always satisfied in RSA.

From this theorem, an algorithm for finding a non-trivial factor of n can be derived:

Choose a uniformly at random from {2, …, n−1}.
Compute z = gcd(a, n). If z > 1, output z and stop.
Find the period p of $f(x) = a^x \bmod n$ .
If p is odd, return to step i).
Compute gcd(a^p/2−1, n) and gcd(a^p/2+1, n). If no proper factor is found, return to step i); otherwise output the factor.

No efficient algorithm exists for step iii) on classical computers—but one does on quantum computers.

Shor's Algorithm: Quantum Period Finding

Shor's algorithm, named after its inventor Peter Shor, is a quantum algorithm that determines the period in polynomial time. It works as follows, where f(x) = a^x mod N and N = 2ⁿ:

Definition — Oracle / Black Box

A function f : {0,1} → {0,1} is constant if f(0) = f(1), and balanced otherwise. An oracle (or black box) always answers queries f(b) truthfully in one step.

Initialise two registers R₁ and R₂: $R = R_1, R_2 \leftarrow |0\cdots 0\rangle\,|0\cdots 0\rangle$
Apply the Hadamard transform to R₁, placing it in superposition over all possible x-values: $R \leftarrow \frac{1}{\sqrt{N}} \sum_{x=0}^{N-1} |x\rangle\,|0\cdots 0\rangle$
Apply the oracle U𝑓 to compute the period function and write the result into R₂: $R \leftarrow \frac{1}{\sqrt{N}} \sum_{x=0}^{N-1} |x\rangle\,|f(x)\rangle$
Measure y = R₂.
Apply the Quantum Fourier Transform QFTₙ to R₁: $R_1 \leftarrow \mathrm{QFT}_N\,|x\rangle$
Measure z = R₁ and output the result.

If p ∣ N, the measured value z is a multiple $z = j \cdot \frac{N}{p}$ . When gcd(j, p) = 1, the period can be recovered:

p = \frac{N}{\gcd(z, N)}

If gcd(j, p) ≠ 1, the measurement yielded a wrong multiple and the circuit must be run again. Since the period can now be computed efficiently, and efficient classical algorithms exist for all other steps, RSA can be broken by a sufficiently powerful quantum computer.

The Solution: Lattice-Based Cryptography

To counter the quantum threat, the industry is transitioning to algorithms built on fundamentally different mathematical foundations. The leading candidate family is Lattice-Based Cryptography, whose hardness assumptions are believed to resist both classical and quantum attacks. The NIST Post-Quantum Cryptography standardisation project selected two lattice-based algorithms as primary standards in 2024: ML-KEM (CRYSTALS-Kyber) for key encapsulation and ML-DSA (CRYSTALS-Dilithium) for digital signatures.

What Is a Lattice?

A lattice ℒ is a regular, discrete grid of points in n-dimensional space, generated by taking all integer linear combinations of a set of basis vectors. Given a basis matrix B = [b₁ | … | bₙ] the lattice is:

\mathcal{L}(B) = \left\{ B\mathbf{x} \;\middle|\; \mathbf{x} \in \mathbb{Z}^n \right\}

Definition — Shortest Vector Problem (SVP)

Given a basis B of a lattice ℒ, find the shortest non-zero vector v ∈ ℒ. Formally, compute the first successive minimum:

\lambda_1(\mathcal{L}) = \min_{\mathbf{v} \in \mathcal{L} \setminus \{\mathbf{0}\}} \|\mathbf{v}\|

SVP is known to be NP-hard in its exact form. Approximating it within polynomial factors is believed to remain hard even for quantum computers — no quantum speedup analogous to Shor's algorithm is known for lattice problems.

The Learning With Errors (LWE) Problem

Most modern lattice schemes are based on the Learning With Errors (LWE) problem, introduced by Oded Regev in 2005. The central idea: given a system of linear equations modulo a prime q, with a small amount of random noise added to each equation, recover the secret vector s.

Formally, an adversary is given many samples (aᵢ, bᵢ) where aᵢ ∈ ℤᵧ is chosen uniformly at random and:

\mathbf{b} = A\mathbf{s} + \mathbf{e} \pmod{q}

Here s ∈ ℤᵧⁿ is the fixed secret, and e is a small noise vector drawn from a narrow Gaussian distribution χ. Without the noise the system would be trivially solvable by Gaussian elimination. With noise, recovering s is as hard as solving worst-case lattice problems (via Regev's reduction).

Why LWE Is Quantum-Resistant

Shor's algorithm exploits the periodic structure of modular exponentiation via the Quantum Fourier Transform. LWE and related problems have no such algebraic structure to exploit: the noise destroys any periodicity. The best known quantum algorithms for LWE (lattice sieving, BKZ reduction) offer only a sub-exponential — not polynomial — speedup over classical solvers, requiring astronomically large resources for typical parameter sizes.

ML-KEM (CRYSTALS-Kyber): Key Encapsulation

ML-KEM is based on the Module-LWE variant, which works over modules of polynomial rings ℤ_q[X]/(Xⁿ+1) for improved efficiency. The scheme has three phases:

Key Generation

Sample a public matrix A uniformly at random. Draw a secret s and a noise vector e from the centred binomial distribution χ_η. Compute the public key:

\mathbf{b} = A\mathbf{s} + \mathbf{e}, \quad A \in \mathbb{Z}_q^{k\times k},\; \mathbf{s},\mathbf{e} \xleftarrow{\$} \chi_\eta^k

Public key: (A, b). Private key: s.

Encapsulation (Encryption)

To encapsulate a shared secret encoded as a bit m ∈ {0,1}, sample random r, e₁, e₂ from χ_η and compute the ciphertext (u, v):

\mathbf{u} = A^\top \mathbf{r} + \mathbf{e}_1, \quad v = \mathbf{b}^\top \mathbf{r} + e_2 + \left\lfloor \tfrac{q}{2} \right\rceil \cdot m

Intuition: u is an LWE encryption of randomness under A^T; v is the message bit lifted to 0 or ⌊q/2⌉ and masked by the LWE sample b^Tr.

Decapsulation (Decryption)

Using the private key s, subtract the inner product from v to cancel the masking term:

\hat{m} = \mathrm{decode}\!\left(v - \mathbf{s}^\top \mathbf{u}\right)

Because v − s^Tu ≈ ⌊q/2⌉ ⋅ m (the noise terms are small), rounding recovers m exactly with overwhelming probability. An attacker without s faces a Module-LWE instance — computationally infeasible.

ML-DSA (CRYSTALS-Dilithium): Digital Signatures

ML-DSA provides digital signatures using a "Fiat-Shamir with aborts" construction over Module-LWE. The key insight is that signing uses rejection sampling to hide the secret, giving signatures that reveal no information about s.

Signing

The signer holds a secret key (s₁, s₂) and public key t = As₁ + s₂. To sign a message μ:

Sample a masking vector y from a uniform distribution over a bounded range.
Compute the commitment w = Ay and extract its high-order bits w₁.
Compute the challenge hash c = H(μ ‖ w₁) — a sparse polynomial with ternary coefficients.
Compute the response: $\mathbf{z} = \mathbf{y} + c\mathbf{s}_1$
Reject and retry if z exceeds a bound (to prevent leaking s₁).

Output signature (σ) = (z, c).

Verification

Given the public key (A, t), message μ, and signature (z, c), a verifier checks:

A\mathbf{z} - c\mathbf{t} \pmod{q} \stackrel{?}{=} \mathbf{w}_1

This works because Az − ct = A(y + cs₁) − c(As₁ + s₂) = Ay − cs₂ ≈ w (since s₂ is small). Security reduces to Module-LWE and Module-SIS hardness.

We implement both ML-KEM-768 (NIST security level 3, ~AES-192 equivalent) and ML-DSA-65 in our encryption pipeline to protect financial document data at rest and in transit against both classical and quantum adversaries.

The Practical Use Case: Protecting Financial Data

Financial records, invoices, and audit trails often have strict retention requirements—sometimes up to 10 or 15 years.

Data encrypted today must withstand the cryptographic attacks of the 2030s and 2040s. By applying post-quantum encryption schemas now, pdftables.io ensures that your sensitive financial data remains mathematically protected against future quantum decryption.

Try It: Post-Quantum Encapsulation / Signature Simulation

This interactive demo uses native WebAssembly (via the @noble/post-quantum library) to simulate Post-Quantum cryptographic operations right in your browser.

String to Process:

Algorithm (NIST Standard):

Output (Hex):