QNu Labs

Guide: Post-Quantum Cryptography (PQC) and How it Works

The guide details the concept of PQC, its methodology, and industry applications.

The Context

Technology based on quantum computers has the potential to revolutionise a wide range of fields of IT and industry—in the positive and negative sense. A significant increase in computing power delivers more capacity for analysing and processing large data quantities, opening up new findings, application areas, and business models.

Introducing Post-Quantum Cryptography (PQC)

Data sent over public communication channels are secured using cryptography. It protects all kinds of electronic communications as well as passwords, digital signatures, and health records.

As the foundation of identification, authentication, confidentiality, digital signatures, and verification, cryptography is a critical enabler of enterprise security.


There are two main types of encryption. Symmetric encryption requires a sender and a receiver to have identical digital keys to encrypt and decrypt data; asymmetric, or public-key, encryption uses a publicly available key to let people encrypt messages for a recipient who is the sole holder of the private key needed to unscramble them. Sometimes these two approaches are used together. For instance, web browsers use public-key cryptography to check websites’ validity and then establish a symmetric key to encrypt communications.

Quantum computers use the principles of quantum physics, such as superposition, to compute data much faster than conventional computers. Without ‘quantum-safe’ cryptography defences in place, applications ranging from autonomous vehicles to military hardware, online financial transactions, and communications could be targeted by hackers with access to quantum computers.

Any business or government planning to store data for decades needs to evaluate the risks of this technology because the encryption could be compromised later. Putting robust defences around historical data takes many years, so it is better to start applying them now. A big push to develop post-quantum cryptography is warranted.

PQC methods are encryption systems (cryptosystems) that can be used on conventional computers, such as PCs and mobile devices, and can withstand attacks by quantum computers.

Even though quantum systems are not expected to be available to everyone for 10 to 15 years, IT managers and managing directors have to put the issue of “post-quantum cryptography” on their agenda now. One reason is that it takes time to put existing encryption methods on a new foundation.

A further point is that data encrypted with older methods is prone to quantum attacks. As a result, attackers can gain access to such data. Therefore, companies and public institutions must ensure that all confidential data at risk is protected against such attacks by PQC methods. That involves a lot of time and effort—from capturing and categorising such information resources to encrypting them again using PQC solutions. A cryptography solution has to be adaptable to new requirements, such as post-quantum encryption solutions. That’s only possible at acceptable cost and effort if a cryptography environment is agile, i.e., it supports crypto agility.


Crypto Agility Explained

Crypto agility means that applications, end-user devices, and Hardware Security Modules use flexible, “agile” encryption protocols and update methods that enable a switchover to, for example, post-quantum cryptographic primitives. The switchover has to be quick and easy to reduce the attack surface and limit the time and effort involved for users.

Crypto agility offers another advantage: it bridges the gap between encryption techniques that are not yet “quantum-safe” and those that already meet the new requirements. That goes for chips, secrets, and software code. Initial hybrid approaches that combine PQC with the cryptography methods in common use to date are being developed. Google has chosen this approach for its PQC algorithm New Hope.
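The hybrid idea described above can be sketched as a key combiner. This is an added example, not code from QNu, Google or NIST. It assumes two shared secrets already exist (constructed stand-ins here for the outputs of a classical key exchange and a PQC key encapsulation) and derives one session key from both with HKDF (RFC 5869); the algorithm labels and the `combine_hybrid` name are illustrative assumptions.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): condense input keying material into a PRK."""
    return hmac.new(salt or b"\x00" * HASH().digest_size, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): stretch the PRK into `length` output bytes."""
    if length > 255 * HASH().digest_size:
        raise ValueError("requested output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

def _lp(field: bytes) -> bytes:
    """Length-prefix a field so concatenated fields cannot be re-split."""
    return struct.pack(">I", len(field)) + field

def combine_hybrid(classical_ss: bytes, pqc_ss: bytes, classical_alg: str,
                   pqc_alg: str, transcript: bytes = b"", length: int = 32) -> bytes:
    """Derive one session key that depends on BOTH shared secrets.

    The algorithm names are bound into the derivation, so swapping a
    primitive (crypto agility) always yields an unrelated key.
    """
    if not classical_ss or not pqc_ss:
        raise ValueError("both shared secrets are required")
    ikm = _lp(classical_ss) + _lp(pqc_ss)
    info = (_lp(b"hybrid-kex-example-v1") + _lp(classical_alg.encode())
            + _lp(pqc_alg.encode()) + _lp(transcript))
    return hkdf_expand(hkdf_extract(b"", ikm), info, length)

# Constructed sample secrets; real ones come from the two key exchanges.
CLASSICAL_SS = bytes(range(32))
PQC_SS = bytes(range(32, 64))

def demo() -> bytes:
    return combine_hybrid(CLASSICAL_SS, PQC_SS, "X25519", "CRYSTALS-Kyber",
                          b"client-hello|server-hello")

if __name__ == "__main__":
    print(demo().hex())
```

Because the key is derived from both inputs, recovering only the classical secret or only the PQC secret is not enough to compute it.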

Expectations from PQC

The new cryptography method has to integrate with existing protocols. A new cryptosystem must weigh:

The proposed cryptosystems also require careful cryptanalysis to determine the weaknesses that an adversary could exploit.

The National Institute of Standards and Technology (NIST), an American agency, prepared a cybersecurity framework laying out the ground rules for PQC.

The algorithms are designed for two main tasks for which encryption is typically used: general encryption, used to protect information exchanged across a public network; and digital signatures, used for identity authentication.

For general encryption, used to access secure websites, NIST selected the CRYSTALS-Kyber algorithm. Its advantages are comparatively small encryption keys that two parties can exchange easily, as well as its speed of operation.

For digital signatures, often used to verify identities during a digital transaction or to sign a document remotely, NIST selected three algorithms.

Three of the selected algorithms are based on a family of maths problems called structured lattices, and one uses a hash function.


QNu’s HODOS-PQC is quantum-resilient software based on public-key cryptography whose underlying problems are hard for large-scale quantum computers to solve.

HODOS is developed with NIST PQC studies as a reference. It is the next generation of protocols that will help replace today’s RSA-based systems with an improved quantum-resistant transport layer.

It is based on NIST-selected mathematical functions, which are far harder to reverse than the prime factorization and elliptic curve functions on which the current PKI is based.

Upon measurement, it collapses to one of these states, which is intrinsically random and there is no way to predict which state the photon will collapse to. This gives the inherent randomness from the photons, which any external parameters cannot influence.


Tropos (QRNG) addresses this issue without changing how tokens are currently used.

The Time is Now

Data is the most valuable asset for any organisation. Sensitive data has a shelf life exceeding 10 years, while critical data can be stored for over 25 years.

This shows that today’s encryption still poses a risk in the coming years. Moving to HODOS-PQC will help secure your data and reduce the risk of data theft for today and tomorrow.