Part IV · 2 — The new families
If Shor breaks factoring and discrete logarithm, the way out is to ground asymmetry in problems that quantum cannot solve. After years of public competition, NIST standardized the winners in 2024 — almost all based on lattices.
2.1 The idea: new hard problems
Post-quantum cryptography (PQC) does not use quantum computers — it runs on ordinary classical hardware. What changes is the hard problem underneath the primitive. The goal is problems that are hard for both classical and quantum machines. Candidate families:
| Family | Hard problem | Maturity |
|---|---|---|
| Lattices | shortest vector / LWE | ✅ the basis of the standards |
| Hash-based | only hash resistance | ✅ signatures, ultraconservative |
| Code-based | decode a random code | ✅ KEM (McEliece) |
| Isogenies | paths between curves | ❌ SIKE broken in 2022 |
| Multivariate | polynomial systems | ⚠️ several broken |
2.2 Lattices, by intuition
A lattice is an infinite grid of points in high-dimensional space. Two problems on it are hard even for quantum:
- SVP — find the nonzero point closest to the origin.
- LWE (Learning With Errors) — solve a linear system to which a small
noise has been added. Without the noise it is trivial algebra; with it, it becomes infeasible in high dimension.
The beauty: the math is fast (small vectors and matrices), which makes lattice schemes competitive in speed — the price is larger keys and signatures than elliptic curves'.
2.3 The NIST standards (2024)
NIST finalized the first standards in August 2024. The names changed (from competition name to FIPS name):
| Standard | Was | Type | Basis | Use |
|---|---|---|---|---|
| ML-KEM (FIPS 203) | Kyber | KEM (key exchange) | lattice | the default for secrecy |
| ML-DSA (FIPS 204) | Dilithium | signature | lattice | the default for signing |
| SLH-DSA (FIPS 205) | SPHINCS+ | signature | hash only | conservative hedge, slow |
| FN-DSA (FALCON) | Falcon | signature | lattice | compact signatures |
- ML-KEM replaces ECDH: it encapsulates a session key. It is the number-one
focus of the migration (because of HNDL).
- ML-DSA replaces Ed25519/RSA for signatures; SLH-DSA exists for those who
want to trust only hash security (without betting on lattices), accepting large, slow signatures.
2.4 The lesson of SIKE: humility
Not every candidate survived. SIKE (isogeny-based) was one of the most elegant promises — tiny keys — and it was broken in 2022 by an ordinary PC, in an afternoon, with classical math. It was already in the final stretch of the NIST process.
The moral reinforces Kerckhoffs's principle: only public, prolonged cryptanalysis earns confidence. That is why the recommended migration is hybrid — combining the new with the classical, so that a future break of either side does not bring everything down (next section).
Dense reference: parameters, sizes, and performance of ML-KEMML-DSA SLH-DSA/FALCON, McEliece, and HQC in
08-post-quantum. Next: The migration — what to do, in what order, and why hybrid mode.