📄 Academic Foundations
Gidney & Ekerå (2021) — "How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits"
The definitive modern resource estimate for breaking RSA-2048 with Shor's algorithm. Required reading for anyone framing the CRQC timeline. Published in Quantum 5, 433. arXiv:1905.09749.
Bernstein & Lange (2017) — "Post-quantum cryptography" (Nature)
Seminal survey article in Nature introducing the PQC landscape to a broad scientific audience. Covers the four main families and explains why each offers quantum resistance. An excellent starting point for newcomers to the field.
NIST IR 8105 — Report on Post-Quantum Cryptography (2016)
The foundational NIST report that launched the standardization competition. Explains why quantum computing threatens current cryptography and sets the requirements for PQC candidates. Useful historical context.
Castryck & Decru (2022) — "An Efficient Key Recovery Attack on SIDH"
The paper that broke SIKE (Supersingular Isogeny Diffie-Hellman) in classical polynomial time, eliminating a NIST Round 3 finalist overnight. A landmark in cryptanalysis and a reminder that all assumptions must be independently stress-tested.
Open Quantum Safe (OQS) — liboqs + OQS-OpenSSL + OQS-BoringSSL
Open-source project providing prototype implementations of PQC algorithms in C (liboqs), with forks of OpenSSL, BoringSSL, OpenSSH, and WireGuard. The go-to starting point for experimenting with PQC in real protocols. Not production-hardened; use only for testing and research.
Mosca & Piani — Quantum Threat Timeline Report 2022 (Global Risk Institute)
Annual expert survey on the probability and timeline of a CRQC. Explains and applies Mosca's inequality. Estimates a ~1 in 7 chance of a CRQC by 2031 and ~1 in 2 by 2036. Essential for board-level risk communication.
IACR ePrint Archive — PQC papers
The preprint server for cryptography research. Searching "post-quantum" yields the latest cryptanalysis, new algorithm proposals, and efficiency improvements before formal publication. Follow this to stay current on the research frontier.
🏛️ NIST — Standards & Publications
NIST CSRC PQC Project — main portal
The authoritative hub for the NIST PQC standardization. Links to all FIPS documents, round documents, public comment archives, and news. Bookmark this.
FIPS 203 — ML-KEM (August 13, 2024)
The official standard for the Module-Lattice Key Encapsulation Mechanism (formerly CRYSTALS-Kyber). Specifies ML-KEM-512, ML-KEM-768, and ML-KEM-1024. Contains algorithm specification, security analysis, and test vectors.
FIPS 204 — ML-DSA (August 13, 2024)
The official standard for the Module-Lattice Digital Signature Algorithm (formerly CRYSTALS-Dilithium). Specifies ML-DSA-44, -65, and -87. The primary replacement for ECDSA and RSA-PSS.
FIPS 205 — SLH-DSA (August 13, 2024)
The official standard for the Stateless Hash-Based Digital Signature Algorithm (formerly SPHINCS+). 12 parameter sets from SHA2-128s to SHAKE-256s. Security based purely on hash function assumptions.
NIST SP 800-208 — Recommendation for Stateful Hash-Based Signature Schemes (2020)
Standardizes XMSS and LMS/HSS for use today in firmware and code signing. Includes guidance on key state management and HSM requirements. Available for immediate deployment.
NIST IR 8413 — Status Report on the Third Round of the NIST PQC Standardization Process (2022)
Detailed technical analysis of all Round 3 finalists and alternates. Explains why Kyber, Dilithium, Falcon, and SPHINCS+ were selected and the cryptanalytic basis for each decision. Essential background reading.
⚙️ IETF — Protocol Standards
IETF PQUIP WG — Post-Quantum Use in Protocols
Working group coordinating PQC integration across all IETF protocols. Produces guidance documents and tracks all PQC-related drafts across TLS, LAMPS, IPsec, SSH, and other WGs. Follow the mailing list to track active standards work.
draft-ietf-tls-hybrid-design — Hybrid key exchange in TLS 1.3
Defines the framework for combining classical (X25519) and PQC (ML-KEM) key exchange in TLS 1.3. The basis for the X25519MLKEM768 deployment in Chrome and Cloudflare. Tracked in the IETF TLS WG.
IETF LAMPS WG — PQC in X.509, CMS, S/MIME
Long-term Archive and Mail Security WG. Specifies ML-KEM and ML-DSA OIDs in X.509 SubjectPublicKeyInfo, CMS EnvelopedData / SignedData, and composite certificate formats for the TLS Certificate migration. Track drafts on ML-DSA-X509 and composite-sigs.
RFC 9370 — Multiple Key Exchanges in IKEv2
Enables combining ML-KEM with classical ECDH in IKEv2 key exchange, providing post-quantum protection for VPN tunnels. Supported in strongSwan 5.9.12+. The recommended approach for enterprise VPN quantum hardening.
RFC 8391 — XMSS: Extended Hash-Based Signatures
IRTF RFC standardizing XMSS for stateful hash-based signatures. Available for firmware and code signing today. Read alongside NIST SP 800-208 for deployment guidance.
🇩🇪 BSI — German Federal Office for Information Security
BSI TR-02102-1 — Cryptographic Mechanisms: Recommendations and Key Lengths (2024)
BSI's annual cryptographic recommendations for German federal systems. The 2024 edition explicitly approves ML-KEM and ML-DSA for new deployments and provides minimum key lengths, sunset dates for RSA/ECDH, and hash function recommendations. Authoritative German government guidance.
BSI — Quantum Technologies and PQC Hub
BSI's portal for all quantum-related publications, including the detailed migration document for German industry (Migration zu Post-Quanten-Kryptografie, 2024) and sector-specific guidance for finance, healthcare, and critical infrastructure.
🇨🇳 CSTC / OSCCA — Chinese Standards
OSCCA — Office of the State Commercial Cryptography Administration
Issues and maintains the GM/T standards series (SM2, SM3, SM4). SM2 and SM4 are within PQC migration scope. OSCCA publishes notices on pending PQC algorithm trials and national cryptographic policy updates.
Chinese PQC algorithm evaluation — public notice
OSCCA public call for domestic PQC algorithm submissions (2021). Background on China's parallel PQC standardization track. Domestic candidates include lattice-based and code-based schemes evaluated independently of the NIST process.
🏢 Big-Tech Engineering Blogs
Cloudflare Blog — Post-Quantum tag
Cloudflare has produced the most comprehensive public engineering documentation of a real-world PQC deployment. Posts cover their Kyber/ML-KEM TLS deployment, performance benchmarks across global PoPs, client compatibility data, and implementation war stories. Essential reading for practitioners.
Google Security Blog — Post-Quantum label
Google's posts on Chrome's X25519Kyber768 → X25519MLKEM768 rollout, V8 / TLS stack integration, and Android PQC plans. Includes performance data on real user traffic at scale. Also covers Google's Gemini infrastructure quantum-hardening roadmap.
IBM Research — Quantum-Safe Cryptography
IBM contributed to the development of CRYSTALS-Kyber and CRYSTALS-Dilithium (now ML-KEM and ML-DSA). Their blog covers algorithm design rationale, CBOM tooling (IBM Open Cryptography Workbench), and enterprise migration case studies. IBM Quantum Safe Explorer product documentation linked here.
Apple Security Research — iMessage PQ3 (2024)
Detailed technical write-up of Apple's PQ3 protocol for iMessage: ML-KEM-based ratchet providing periodic post-quantum re-keying. Achieves Level 3 security in their model (post-compromise quantum security). Contains protocol diagrams, threat model, and formal verification approach.
Signal — PQXDH: Post-Quantum Extended Diffie-Hellman (2023)
Signal's blog post introducing PQXDH, which adds ML-KEM-1024 to the initial key establishment phase of Signal Protocol. Achieves post-quantum forward secrecy against HNDL for messages sent after PQXDH establishment. Clear explanation of the threat model and design decisions.
AWS — Post-Quantum Cryptography Hub
AWS's PQC documentation hub: ML-KEM in S2N-TLS, AWS KMS PQ preview, CloudFront hybrid TLS, and the open-source S2N-TLS and AWS-LC libraries with PQC support. Includes migration guidance for AWS-hosted workloads.
Microsoft Research — Post-Quantum Cryptography
Microsoft Research's PQC project page: SymCrypt PQC integration, ML-KEM / ML-DSA in Windows, and research on topological qubits (Majorana). Azure Quantum documentation on the timeline. SymCrypt (Windows crypto library) already includes ML-KEM and ML-DSA.
💬 Forums & Communities
PKI Consortium — Post-Quantum Cryptography Working Group
Industry-wide forum for PKI practitioners discussing PQC certificate migration. Publishes the PQC Capabilities Matrix (tracking CA and client support), hosts the PQC Conference series, and produces practical guidance documents for certificate lifecycle management in the PQC era. Active mailing list and regular virtual meetups.
NIST pqc-forum — Official NIST PQC Mailing List
The official mailing list for NIST PQC standardization discussions. Cryptographers, implementers, and standards authors post analysis, concerns, and questions directly. Archives contain the full technical discussion history from 2016 onwards — invaluable for understanding design decisions.
Open Quantum Safe Community (OQS)
Community around the liboqs open-source PQC library. GitHub discussions, Slack channel, and regular contributor calls. Good resource if you are integrating PQC into software stacks using OQS-OpenSSL or OQS-BoringSSL.
PQCrypto Conference Series
Annual academic conference focused on post-quantum cryptography. Proceedings contain peer-reviewed research on new algorithms, attacks, and implementation techniques. Hosted since 2006 — one of the oldest dedicated PQC venues.
📋 Regulatory & Government Guidance
NSA CNSA 2.0 — Commercial National Security Algorithm Suite 2.0
NSA's advisory specifying which PQC algorithms to use for NSS (National Security Systems) and providing migration timelines through 2035. Mandates ML-KEM, ML-DSA, SLH-DSA, and XMSS/LMS. The most authoritative US government mandate on PQC adoption.
CISA — Quantum-Readiness Resources
CISA's quantum readiness hub for critical infrastructure and civilian agencies. Includes the Quantum-Readiness Roadmap, sector-specific factsheets (financial, healthcare, energy, water), and the joint NSA/CISA/NIST guidance document on HNDL risk. Practical and non-technical board-level framing included.
ENISA — Post-Quantum Cryptography: Current State and Quantum Mitigation
ENISA's comprehensive study on PQC integration in EU critical infrastructure. Covers threat landscape, algorithm recommendations, and migration guidance for energy, finance, telecoms, and healthcare sectors. Aligned with NIS2 requirements.
UK NCSC — Post-Quantum Cryptography Collection
UK National Cyber Security Centre guidance on preparing for quantum-safe cryptography. Includes the four-stage migration model, risk assessment guidance, and sector-specific considerations. Regularly updated to track NIST and IETF progress.
Ready to act?
Start with the Migration Playbook for a structured approach, or contact Qifei Li for a tailored cryptographic architecture review and PQC readiness assessment.