**Post-Quantum Cryptography: Current Landscape and Near-Term Realities**
The digital world’s foundation—public-key cryptography—is under threat. For decades, RSA and Elliptic Curve Cryptography (ECC) have secured our communications and identities. However, these classical algorithms are vulnerable to sufficiently powerful quantum computers. While large-scale, fault-tolerant quantum computers capable of breaking RSA and ECC do not yet exist, experts believe they will arrive sooner than previously anticipated.
The cryptographic community’s answer is **post-quantum cryptography (PQC)**—algorithms designed to withstand both classical and quantum attacks. The U.S. National Institute of Standards and Technology (NIST) has led a multi-year standardization effort, culminating in the selection of **ML-KEM** (formerly CRYSTALS-Kyber) for general encryption and **ML-DSA** (formerly CRYSTALS-Dilithium) as the primary digital signature standard. These standards were finalized in 2024 after an open, global competition.
Cloudflare, a major internet infrastructure provider, reports that the majority of its traffic already uses ML-KEM encryption, effectively mitigating “harvest now, decrypt later” attacks. The company is actively working toward full quantum-safe authentication, targeting a complete rollout by **2029**.
However, ML-DSA, the standardized signature scheme, comes with significant trade-offs. It produces much larger signatures and public keys than RSA or ECC, and many performance optimizations possible with classical algorithms are no longer available. These limitations have spurred continued research into alternative post-quantum signature candidates.
### A Closer Look at the Signature Algorithm Landscape
The table below compares candidate algorithms that advanced to NIST’s third round of evaluation with classical vulnerable algorithms and already-standardized post-quantum options. The data highlights a key challenge: no single post-quantum algorithm matches the all-around performance of Ed25519 (an ECC variant), which remains the fastest and most compact option—ignoring its quantum vulnerability.
| **Family** | **Name (Variant)** | **Public Key** | **Signature** | **Signing** | **Verification** |
| :— | :— | :— | :— | :— | :— |
| **Elliptic curves** | Ed25519 | ❌ (Quantum-vulnerable) | 64 B | 0.15 ms | 1.3 ms |
| **Factoring** | RSA-2048 | ❌ | 272 B | 256 B | 80 B / 0.4 ms |
| **Lattices** | **ML-DSA (44)** ✅ | 1,312 B | 2,420 B | 1× (baseline) | 1× (baseline) |
| **Symmetric/Hash** | SLH-DSA (128s) ✅ | 32 B | 7,856 B | 40× | 14,000× |
| | SLH-DSA (128f) | 32 B | 17,088 B | 720× | 110× |
| | LMS / XMSS | 48 B | 1,112 B | 2.9× | 8.4 B / 0.08s |
| **Isogenies** | SQIsign (I) 🤔 | 65 B | 148 B | 300×⚠️ | 50× |
| **Multivariate** | ML-DSA (44) ✅ | 1,312 B | 2,420 B | 1× | 1× |
| | FN-DSA (512) 📝 | 897 B | 666 B | 3×⚠️ | 0.7 ms |
| | HAWK (512) 🤔 | 1,024 B | 555 B | 0.25× | 1.2 ms |
| | MAYO (one) | 1,600 B | 550 B | 5.5× | ~1 ms |
| | SRH-DSA | 1,016 B | 248 B | 1.2× | 1.7× |
| | UOV (Is-pkc) 🤔 | 66 kB | 96 B | 0.3× | 20× |
| | MQOM (L1-gf16) 🤔 | 60 B | 3,280 B | 8× | 20× |
| | FAEST (EM-128f) 🤔 | 32 B | 5,060 B | 4.2× | 9× |
| **Code-based** | SDitH (SDitH2-L1) 🤔 | 70 B | 4,484 B | 15× | 40× |
*Abbreviations: ✅ = Standardized; 📝 = Draft expected soon; 🤔 = Advanced to Round 3; ❌ = Quantum-vulnerable; ⚠️ = Timing side-channel risks; 🔧 = Stateful.*
**Key Observations from the Table:**
1. **Ed25519 Dominance:** Ed25519 (an ECC algorithm) is the performance champion across most metrics, underscoring the current efficiency gap.
2. **The “Generalist” vs. “Specialist” Divide:** ML-DSA performs adequately across the board but doesn’t excel in any single metric. In contrast, “specialist” algorithms excel in one area (e.g., small signatures for UOV, small public keys for MAYO) at the cost of other drawbacks like slow signing, huge public keys, or complex implementation.
3. **The Stateful Problem:** The most efficient hash-based schemes (SLH-DSA, LMS) are **stateful**, meaning the signer must track a counter for each key. A single mistake can completely break security, making them difficult to deploy at scale.
### Why the Continued Search for Better Signatures?
Given ML-DSA’s standardization, one might ask: why keep searching?
1. **Performance and Size:** For resource-constrained environments (e.g., IoT devices) or protocols where bandwidth is critical (e.g., TLS handshakes), the size of ML-DSA signatures (kilobytes) can be prohibitive.
2. **Implementation Risks:** Algorithms like **FN-DSA** (Falcon) offer competitive performance but are notoriously difficult to implement securely without leaking secrets through timing side-channels.
3. **Diversity and Resilience:** Relying on a single mathematical approach (lattice-based) for all signatures creates a single point of failure. Diverse algorithms based on different hard problems (lattices, hashes, codes, isogenies) ensure that if one class is broken, others remain secure.
4. **Evolving Cryptanalysis:** As the table shows, cryptanalysis is active. An algorithm that looks secure today may be broken tomorrow (e.g., SIKE was broken in 2022). Continued research acts as a safety net.
### The Road Ahead and The Reality of Timelines
The report provides a sobering assessment of the timeline for new algorithms:
* **The Bottleneck is Not Algorithms:** The primary challenge is not finding new schemes, but **standardizing, implementing, and integrating** them into real-world protocols like TLS and PKI.
* **ML-DSA’s Trajectory:** ML-DSA followed a development path from submission (2017) to standardization (2024) to practical integration (2025-2026). This multi-year journey is the norm.
* **New Algorithms Will Be Slower:** Adoption of any new algorithm will lag behind ML-DSA. For instance, **FN-DSA**’s draft standard is recent; wide deployment is not expected before **2033**. **Multivariate** schemes (MAYO, SNOVA) face a similar timeline, complicated by past cryptanalytic breaks.
* **A Warning Against Complacency:** The report explicitly warns against waiting for “perfect” post-quantum signatures. **”You go to war with the algorithms you have, not the ones you wish you had.”**
### Conclusion: A Multi-Pronged Strategy
The path to a quantum-safe future is not a single switch but a layered defense:
1. **Deploy ML-DSA and ML-KEM Now:** This is the foundational, standardized solution.
2. **Prepare for Hybrid Deployments:** For the long transition period, use a combination of classical and post-quantum algorithms to ensure security against both current and future threats.
3. **Invest in Diversity:** Support the development and standardization of alternative algorithms (like proof-of-knowledge schemes from the FAEST/MQOM family) to increase resilience and provide options for niche use cases where size or performance is paramount.
4. **Plan for the Long Haul:** The migration to post-quantum cryptography is a decades-long project. Starting now, with the tools available, is the only rational course of action to protect digital security against the coming quantum tide.



