
What is Post-Quantum Cryptography (PQC)?

Post-Quantum Cryptography (PQC) is the set of cryptographic algorithms designed to remain secure against attacks from both classical and quantum computers. Classical public-key systems (RSA, Diffie-Hellman, and ECC) rely on mathematical problems that quantum computers can solve efficiently using Shor’s algorithm. PQC algorithms replace those foundations with problems that remain hard for quantum machines: lattice problems, hash functions, and error-correcting codes. NIST finalized the first three PQC standards in August 2024 (FIPS 203, 204, 205), and migration has become a regulatory requirement. For enterprise networks protected by IPsec and SD-WAN tunnels, the transition to quantum-safe cryptography is no longer optional.

Post-Quantum Cryptography definition

Post-Quantum Cryptography (PQC) is a family of cryptographic algorithms designed to resist attacks from quantum computers while running on classical hardware. The term distinguishes these algorithms from quantum cryptography, which requires quantum hardware such as QKD devices; PQC can be deployed on existing network infrastructure without physical modifications.

Modern public-key cryptography rests on the computational hardness of two problems: integer factorization (RSA) and discrete logarithms (Diffie-Hellman, ECC). Both are solved efficiently by Shor’s algorithm on a quantum computer with enough stable qubits. PQC replaces those foundations with problems in different mathematical domains (lattice geometry, hash functions, and linear error-correcting codes) for which no efficient quantum algorithm is known.

NIST launched a formal standardization process in 2016 and published the first finalized standards in August 2024: FIPS 203 (ML-KEM, for key encapsulation), FIPS 204 (ML-DSA, for digital signatures), and FIPS 205 (SLH-DSA, for hash-based signatures). The U.S. government has mandated that federal agencies begin migration, with RSA and ECDSA scheduled for deprecation by 2030 and full disallowance by 2035.

NIST standards: ML-KEM, ML-DSA, SLH-DSA

NIST’s 2024 standards define the first quantum-safe algorithms for production deployment. Each addresses a different cryptographic function, and together they cover the two categories that enterprise networks rely on most: key exchange and digital signatures.

1. ML-KEM (FIPS 203)
Formerly CRYSTALS-Kyber. The primary NIST standard for key encapsulation, designed to replace ECDH in TLS, IKEv2, and IPsec handshakes. Based on the Module Learning With Errors (MLWE) lattice problem. ML-KEM-768 offers a 128-bit security level and is the algorithm integrated into Teldat Quantum SD-WAN for post-quantum key exchange.

2. ML-DSA (FIPS 204)
Formerly CRYSTALS-Dilithium. The NIST standard for general-purpose digital signatures, replacing RSA and ECDSA in certificate signing, code signing, and device authentication. Also based on lattice hardness assumptions. Produces larger signatures than ECDSA but remains practical for network infrastructure use.

3. SLH-DSA (FIPS 205)
Formerly SPHINCS+. A stateless hash-based signature scheme built entirely on hash-function security, the most conservative PQC approach. Suitable for long-lived credentials such as root certificates and firmware signing keys, where algorithm longevity matters more than signature size.

4. FALCON
A lattice-based signature scheme offering compact signatures and fast verification, particularly suited for constrained environments. Under NIST evaluation as a fourth standard. Recommended where bandwidth and processing constraints make ML-DSA signatures too large.

5. Hybrid key exchange
The recommended near-term approach: combining a classical algorithm (ECDH P-256 or X25519) with ML-KEM in the same IKEv2 or TLS handshake. If either component is broken, the other still protects the session. Described in RFC 9370 for IKEv2. Teldat SD-WAN supports hybrid deployment during the migration window.

6. PS-PPK (Pre-Shared Post-Quantum Keys)
A near-term IPsec extension standardized in RFC 8784. Adds a pre-shared symmetric secret to existing IKEv2 exchanges without replacing the underlying key agreement algorithm. Immediately neutralizes harvest-now-decrypt-later attacks on SD-WAN tunnels using hardware already in the field.

PQC vs Classical cryptography

Classical cryptography and post-quantum cryptography are not competing for the same function: PQC replaces the quantum-vulnerable components, while symmetric encryption (AES-256) remains safe with no changes. The table below covers the attributes that matter most for enterprise network migration planning.

| Dimension | Classical cryptography | Post-Quantum Cryptography |
| --- | --- | --- |
| Mathematical basis | Integer factorization (RSA) / discrete logarithm (ECC, DH) | Lattice problems (MLWE), hash functions, linear codes (no known efficient quantum algorithm) |
| Quantum vulnerability | Broken by Shor’s algorithm on a cryptographically relevant quantum computer | Designed to resist both classical and quantum attacks |
| Key / ciphertext size | Compact: 256-bit ECC key, 2048-bit RSA key | Larger: ML-KEM-768 public key ≈ 1.2 KB; ML-DSA signature ≈ 2.4 KB |
| Performance | Highly optimized after decades of deployment | Comparable on modern CPUs; some hardware acceleration recommended at scale |
| Standardization | Mature: PKCS, RFC, decades of production use | NIST FIPS 203/204/205 finalized August 2024; ecosystem maturing |
| Migration effort | No migration needed for symmetric (AES-256 stays safe) | Key exchange and signature algorithms must be replaced or augmented via hybrid |
| TLS / IPsec support | Fully integrated in all current implementations | Hybrid support in OpenSSL 3.x, BoringSSL, wolfSSL; IKEv2 via RFC 9370 |
| Regulatory status | RSA/ECDSA deprecated by U.S. federal mandate from 2030 | ML-KEM, ML-DSA, SLH-DSA: recommended for immediate deployment |

Why the urgency? The harvest-now-decrypt-later threat means the migration clock started before quantum computers exist at scale. Data captured today with a long confidentiality horizon (VPN traffic, healthcare records, financial transactions) can be decrypted later. Organizations that start migration now have time to phase in PQC without disrupting production networks.

The harvest-now-decrypt-later threat

The quantum threat is not purely future: one of its most dangerous dimensions is already active. Understanding the attack landscape helps security teams prioritize which systems to protect first.

1. Harvest now, decrypt later (HNDL)
Adversaries, including nation-state actors, are capturing and storing encrypted network traffic today. When a cryptographically relevant quantum computer (CRQC) becomes available, they will decrypt the stored data. IPsec tunnels, TLS sessions, and VPN traffic carrying sensitive data with long confidentiality requirements are the primary targets. The attack is happening now; the decryption happens later.

2. The Mosca theorem
A formal framework for migration urgency: if the time needed to migrate your systems (X) plus the required confidentiality horizon of your data (Y) exceeds the time until a CRQC exists (Z), migration is already overdue. For many organizations handling multi-year sensitive data over SD-WAN networks, X + Y > Z today.

3. IPsec and SD-WAN tunnel exposure
Enterprise SD-WAN relies on IKEv2/IPsec tunnels with ECDH or RSA key exchange. A CRQC running Shor’s algorithm could recover the session keys from stored handshake traffic, decrypting every packet in the tunnel retrospectively. Every branch office connected via SD-WAN becomes exposed simultaneously if the key exchange is compromised.

4. PKI and certificate lifetimes
Root certificates and intermediate CAs signed with RSA or ECDSA today may remain valid for 10 to 20 years. A CRQC could forge signatures on those certificates before they expire, enabling authentication bypass and man-in-the-middle attacks on the entire PKI chain. PQC signature schemes must be phased into certificate hierarchies now.

5. Timeline acceleration
Expert timelines for CRQCs have shortened significantly. Google’s 2024 research revised down the number of physical qubits needed to break 256-bit elliptic curve cryptography. NIST, NSA (CNSA 2.0), and ENISA all recommend starting migration immediately, not when quantum computers arrive.

6. Symmetric encryption: a different story
AES-256 is not broken by quantum computers. Grover’s algorithm reduces its effective security from 256 bits to 128 bits, which is still considered safe. The primary migration burden falls on public-key algorithms: key exchange (replace with ML-KEM) and digital signatures (replace with ML-DSA or SLH-DSA).

The action threshold: NIST’s NCCoE recommends that organizations begin migration if their data has a confidentiality requirement exceeding five years. For SD-WAN operators, this means deploying PS-PPK now as an immediate HNDL mitigation, followed by ML-KEM integration as part of a structured quantum transition roadmap.

Migration challenges

Transitioning enterprise cryptography to PQC is a multi-year effort. Each challenge below has a defined mitigation; none of them is a reason to delay, but all of them require planning.

1. Crypto-agility
Systems with hardcoded algorithm choices cannot swap to PQC without architectural changes. Building crypto-agility (the ability to replace cryptographic primitives without re-engineering the system) is the prerequisite for any migration. Networks managed through centralized platforms like Teldat CNM have a structural advantage here.

2. Larger key and ciphertext sizes
ML-KEM-768 public keys are roughly 5× larger than a P-256 ECC key. ML-DSA signatures are approximately 10× larger than ECDSA. This affects TLS handshake sizes, certificate stores, and link bandwidth on constrained WAN connections. Hybrid deployments add overhead from both algorithms simultaneously.

3. Interoperability during transition
Not all endpoints will migrate simultaneously. Hybrid key exchange allows quantum-safe and classical algorithms to coexist in the same handshake, maintaining connectivity with non-migrated endpoints while adding quantum resistance for the sessions that matter. This is the IETF-recommended approach via RFC 9370.

4. PKI migration complexity
Root CAs, intermediate CAs, device certificates, and code signing certificates each have different lifetimes and replacement procedures. A phased PKI migration, starting with new long-lived credentials issued with ML-DSA, is more practical than a simultaneous replacement of all existing certificates.

5. Performance on constrained hardware
IoT devices and industrial controllers may lack the compute resources for lattice operations. Firmware updates, hardware co-processors for cryptographic offload, or network-layer protection (via a quantum-safe SD-WAN gateway) are viable approaches for endpoints that cannot be upgraded directly.

6. Regulatory and audit readiness
NIST NCCoE, NSA CNSA 2.0, and the EU NIS2 framework are issuing PQC migration guidance with specific timelines. Organizations subject to these frameworks need documented migration roadmaps, cryptographic inventories, and audit trails for algorithm transitions, not just technical deployments.

Deployment framework

A phased approach allows organizations to address the most urgent risks immediately while building toward full PQC migration over time. The steps below follow current NIST NCCoE and NSA CNSA 2.0 guidance, adapted for enterprise network operators.

1. Cryptographic inventory
Catalog every cryptographic primitive in use: TLS library versions, IKEv2/IPsec configurations, certificate authorities, SSH key types, and application-layer encryption. This inventory drives prioritization. Tools like NIST’s Migration to Post-Quantum Cryptography Project provide inventory frameworks.

2. Risk classification by data sensitivity
Classify data flows by confidentiality horizon. Traffic that must remain secret for more than five years is already at risk from harvest-now-decrypt-later. Prioritize quantum-safe key exchange for those data flows first: VPN tunnels carrying intellectual property, healthcare data, or financial records.

3. Deploy PS-PPK as an immediate mitigation
Pre-Shared Post-Quantum Keys (RFC 8784) add a symmetric secret to existing IKEv2 exchanges without replacing the full cryptographic stack. This neutralizes harvest-now-decrypt-later attacks immediately. Teldat SD-WAN supports PS-PPK deployment today, managed centrally through CNM.

4. Migrate key exchange to ML-KEM
Roll out ML-KEM (FIPS 203) for IKEv2 key exchange across SD-WAN tunnels, starting with the most sensitive links. Use hybrid mode (ML-KEM + ECDH) to maintain interoperability with endpoints that have not yet migrated. Teldat Quantum SD-WAN integrates ML-KEM natively.

5. Update PKI with PQC signatures
Begin issuing new certificates with ML-DSA (FIPS 204) or SLH-DSA (FIPS 205) signatures for long-lived credentials. Use hybrid certificates during the transition to maintain compatibility with classical verifiers. Prioritize root CA renewal, as those certificates have the longest lifetimes.

6. Evaluate QKD for high-assurance links
Quantum Key Distribution generates cryptographic keys using quantum mechanical properties, making interception physically detectable. Evaluate QKD for the highest-sensitivity links as the technology matures. Teldat’s Quantum SD-WAN roadmap includes QKD compatibility through standardized interfaces with QKD provider infrastructure.
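
The following added example (not Teldat code, and not a full IKEv2 implementation) shows the key-schedule arithmetic behind steps 3 and 4 above and the PS-PPK and hybrid key exchange entries in the standards list: how RFC 8784 mixes a PPK into SK_d and how RFC 9370 chains an additional (ML-KEM) key exchange into SKEYSEED, so that an adversary who recorded the handshake and later recovers the ECDH secret still cannot rebuild the tunnel keys. It assumes PRF_HMAC_SHA2_256 and uses constructed nonces, SPIs and shared secrets; the ML-KEM shared secret is a fixed stand-in because the Python standard library has no ML-KEM.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv2 PRF_HMAC_SHA2_256 (RFC 7296)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def classical_sk_d(dh_shared, ni, nr, spi_i, spi_r):
    """IKE_SA_INIT schedule: SKEYSEED = prf(Ni|Nr, g^ir); SK_d is the first 32 bytes of prf+."""
    skeyseed = prf(ni + nr, dh_shared)
    return prf_plus(skeyseed, ni + nr + spi_i + spi_r, 32)


def apply_ppk(sk_d, ppk):
    """RFC 8784 section 5.1: SK_d' = prf(PPK, SK_d). SK_pi and SK_pr are mixed the same way."""
    return prf(ppk, sk_d)


def apply_additional_ke(sk_d_prev, ke_shared, ni, nr, spi_i, spi_r):
    """RFC 9370 section 2.2.2: SKEYSEED(n) = prf(SK_d(n-1), SK(n)|Ni|Nr), then prf+ again,
    where SK(n) is the shared secret of the n-th additional exchange (ML-KEM in a hybrid SA)."""
    skeyseed_n = prf(sk_d_prev, ke_shared + ni + nr)
    return prf_plus(skeyseed_n, ni + nr + spi_i + spi_r, 32)


def scenario():
    """Constructed sample handshake: what the peers derive versus what a recording adversary
    who later recovers the ECDH secret with Shor's algorithm can reproduce."""
    ni, nr = b"\x11" * 32, b"\x22" * 32        # constructed nonces (sent in clear)
    spi_i, spi_r = b"\xa1" * 8, b"\xb2" * 8    # constructed IKE SPIs (sent in clear)
    ecdh_shared = b"\x33" * 32                 # g^ir from ECDH; recoverable by a CRQC
    mlkem_shared = b"\x44" * 32                # ML-KEM shared secret stand-in (constructed)
    ppk = b"\x55" * 32                         # PS-PPK provisioned out of band, never on the wire

    sk_d = classical_sk_d(ecdh_shared, ni, nr, spi_i, spi_r)
    sk_d_ppk = apply_ppk(sk_d, ppk)
    sk_d_hybrid = apply_additional_ke(sk_d, mlkem_shared, ni, nr, spi_i, spi_r)

    # The adversary holds every wire value plus the recovered ECDH secret, so the
    # classical SK_d (and every CHILD_SA key derived from it) is fully reproducible.
    adversary_sk_d = classical_sk_d(ecdh_shared, ni, nr, spi_i, spi_r)
    # Without the PPK or the ML-KEM secret, the two protected SK_d values are not.
    return {
        "classical": sk_d,
        "ppk_protected": sk_d_ppk,
        "hybrid": sk_d_hybrid,
        "adversary_recomputed": adversary_sk_d,
    }
```

A peer provisioned with a different PPK derives a different SK_d' and fails IKE_AUTH, which is why PPK rollout needs the same key on both tunnel ends before it is enforced.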

Teldat Quantum SD-WAN solutions

Teldat has built post-quantum protection directly into its SD-WAN infrastructure, allowing organizations to address quantum threats at the network layer without waiting for a full cryptographic overhaul of every application and endpoint. The Quantum SD-WAN roadmap is built on four technological pillars, each addressing a different phase of the quantum threat timeline:

1. PS-PPK (Pre-Shared Post-Quantum Keys)
The first pillar of Teldat’s Quantum SD-WAN roadmap. PS-PPK introduces an additional cryptographic layer into IPsec tunnel establishment by combining traditional key material with pre-shared post-quantum keys. This protects against harvest-now-decrypt-later attacks immediately, without requiring changes to network architecture. Based on RFC 8784 and recommended by NIST, NSA, and ENISA as an effective near-term safeguard.

2. ML-KEM integration
The second pillar: integrating NIST’s ML-KEM (FIPS 203) into the IKEv2 key exchange process to replace the quantum-vulnerable ECDH key agreement. Teldat integrates ML-KEM into its SD-WAN platform alongside classical algorithms in a hybrid deployment model, following RFC 9370. Managed centrally through Teldat CNM with no manual per-device configuration.

3. QKD compatibility
The third pillar: support for Quantum Key Distribution. QKD uses the physical properties of quantum mechanics to generate cryptographic keys that are provably secure against any computational attack. Teldat SD-WAN devices are designed to consume QKD-generated keys through standardized interfaces, integrating them into IPsec and SD-WAN overlay engines for quantum-safe key generation.

4. CNM centralized management
All Quantum SD-WAN capabilities are managed through Teldat Cloud Net Manager (CNM), providing centralized configuration, key rotation policy management, and monitoring of post-quantum cryptographic status across the entire SD-WAN fabric. CNM enables organizations to manage the quantum transition from PS-PPK to ML-KEM to QKD from a single management console.

5. be.Safe Pro SSE
Teldat’s cloud-delivered security service extends quantum-safe protection beyond the WAN edge, combining Secure Web Gateway, CASB, and ZTNA with post-quantum-ready transport security. As TLS libraries adopt PQC standards, be.Safe Pro SSE will incorporate quantum-safe encryption for all cloud-delivered security services, closing the gap between WAN and cloud security posture.

6. Embedded NGFW
Teldat edge routers include embedded Next Generation Firewall capabilities that complement the quantum-safe SD-WAN overlay. NGFW provides intrusion prevention, application control, and threat intelligence at each network node, adding defense in depth that remains effective regardless of the underlying cryptographic transition phase.

The Teldat quantum advantage: As a network hardware manufacturer and cybersecurity provider, Teldat delivers quantum-safe SD-WAN capabilities from a unified ecosystem. PS-PPK for immediate protection, ML-KEM for standards-based quantum resistance, QKD for future-proof key generation, embedded NGFW for defense in depth, and CNM for centralized management are all integrated into a single platform. Organizations can begin their quantum transition today without replacing their network infrastructure or managing multiple vendor solutions.

Frequently asked questions about Post-Quantum Cryptography (FAQ)

❯ What is Post-Quantum Cryptography in simple terms?

Post-Quantum Cryptography (PQC) is a set of cryptographic algorithms designed to be secure against attacks from both classical and quantum computers. Unlike current public-key systems, which rely on factoring large numbers or discrete logarithm problems (both solvable by a quantum computer using Shor’s algorithm), PQC algorithms are based on mathematical problems for which no efficient quantum algorithm is known, such as finding short vectors in high-dimensional lattices.

❯ Why is current encryption vulnerable to quantum computers?

Classical public-key cryptography (RSA, Diffie-Hellman, and ECC) relies on the computational hardness of integer factorization and discrete logarithm problems. Shor’s algorithm, running on a sufficiently powerful quantum computer, solves both problems in polynomial time, effectively breaking the key exchange and signature mechanisms that protect virtually all encrypted communications today. Symmetric ciphers like AES-256 are much less affected and remain safe with no algorithm change.

❯ What is ML-KEM and why does it matter?

ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism), standardized as NIST FIPS 203, is the primary post-quantum algorithm for key exchange. It replaces ECDH in TLS and IKEv2/IPsec handshakes, providing a quantum-resistant key agreement based on the hardness of the Module Learning With Errors (MLWE) lattice problem. It is the algorithm at the core of Teldat Quantum SD-WAN post-quantum key exchange.

❯ What is the harvest-now-decrypt-later threat?

Harvest-now-decrypt-later (HNDL) is an active attack strategy where adversaries capture and store encrypted network traffic today, then decrypt it once a quantum computer powerful enough to break the key exchange becomes available. It is particularly dangerous for data with long confidentiality requirements (SD-WAN tunnel traffic, classified communications, healthcare records, financial contracts). The attack is occurring now; the decryption happens in the future.

❯ How does Teldat protect against quantum threats?

Teldat Quantum SD-WAN provides a layered quantum transition roadmap: PS-PPK (Pre-Shared Post-Quantum Keys, RFC 8784) for immediate harvest-now-decrypt-later mitigation on existing tunnels; ML-KEM (FIPS 203) integration for NIST-standardized post-quantum key exchange in IKEv2/IPsec; and QKD compatibility for future quantum-safe key generation. All capabilities are managed centrally through Teldat CNM, with be.Safe Pro SSE extending protection to cloud-delivered security services.

❯ When should organizations start migrating to PQC?

Now. NIST, NSA (CNSA 2.0), and ENISA all recommend beginning migration immediately, given the active harvest-now-decrypt-later threat and the long timelines involved in enterprise cryptographic migration. The recommended first step is a cryptographic inventory to identify quantum-vulnerable algorithms in use, followed by PS-PPK deployment as an immediate near-term mitigation, and then phased integration of ML-KEM for key exchange and ML-DSA for digital signatures.

Prepare your network for the Quantum Era with Teldat

From PS-PPK for immediate harvest-now-decrypt-later protection to ML-KEM for NIST-standardized post-quantum key exchange, Teldat Quantum SD-WAN delivers quantum-safe network security from a single integrated platform.