Post-quantum cryptography

Quantum computing


Here's the one-minute introduction: "Imagine that it's fifteen years from now. Somebody announces that he's built a large quantum computer. RSA is dead. DSA is dead. Elliptic curves, hyperelliptic curves, class groups, whatever, dead, dead, dead. So users are going to run around screaming and say 'Oh my God, what do we do?' Well, we still have secret-key cryptography, and we still have some public-key systems. There's hash trees. There's NTRU. There's McEliece. There's multivariate-quadratic systems. But we need more experience with these. We need algorithms. We need paddings, like OAEP. We need protocols. We need software, working software for these systems. We need speedups. We need to know what kind of key sizes to use. So come to PQCrypto and figure these things out before somebody builds a quantum computer."

For a twenty-minute introduction, read the following paper: Daniel J. Bernstein. "Introduction to post-quantum cryptography." [PDF mirror] This paper is the introductory chapter of the following book: Daniel J. Bernstein, Johannes Buchmann, Erik Dahmen (editors). Post-quantum cryptography. Springer, Berlin, 2009. ISBN 978-3-540-88701-0.

For much more information, read the rest of the book! There are five detailed chapters surveying the state of the art in quantum computing, hash-based cryptography, code-based cryptography, lattice-based cryptography, and multivariate-quadratic-equations cryptography. The book has a 2009 publication date but was already available in November 2008 from booksellers such as Amazon.

For earlier analyses of the impact of quantum computers on cryptography, see the following papers:

See also this site's separate lists of papers on hash-based cryptography, code-based cryptography, lattice-based cryptography, and multivariate-quadratic-equations cryptography.

Conferences and workshops

PQCrypto is the main conference series devoted to post-quantum cryptography:

  • PQCrypto 2006. Katholieke Universiteit Leuven, Belgium, May 23--26, 2006. Almost all of the accepted papers are available on the conference site.
  • PQCrypto 2008. University of Cincinnati, USA, October 17--19, 2008. All of the accepted papers are available in the proceedings: Johannes Buchmann, Jintai Ding (editors). Post-quantum cryptography, second international workshop, PQCrypto 2008, Cincinnati, OH, USA, October 17--19, 2008, proceedings. Lecture Notes in Computer Science 5299, Springer, 2008. ISBN 978-3-540-88402-6.
  • PQCrypto 2010. Darmstadt (close to Frankfurt), Germany, May 25--28, 2010.
  • PQCrypto 2011. Taipei, Taiwan, November 29--December 2, 2011.
  • PQCrypto 2013. Limoges, France, June 4--7, 2013.
  • PQCrypto 2014. Institute for Quantum Computing, University of Waterloo, Canada, October 1--3, 2014.
  • PQCrypto 2016. Fukuoka, Japan, February 2016.
  • PQCrypto 2017. Netherlands, 26--28 June 2017, preceded by summer school 19--23 June 2017.
  • PQCrypto 2018. Pier Sixty-Six, Fort Lauderdale, Florida, 9--11 April 2018, tentatively followed by NIST workshop 12--13 April 2018.
  • Proposals for subsequent PQCrypto events: Please contact steeringcommittee at

Several workshops have emphasized security analysis of post-quantum cryptography:

Post-quantum cryptography is also appearing more and more frequently at general cryptographic conferences.

Survey talks

The following presentations are available online:
  • PQCrypto 2008: Daniel J. Bernstein's invited talk "A brief survey of post-quantum cryptography" (PDF slides).
  • INDOCRYPT 2008: Tanja Lange's invited talk "Post-quantum cryptography" (PDF slides).

Challenges for cryptanalysts

About this site

This site was founded by Daniel J. Bernstein and Tanja Lange. Bernstein added the bibliography. Pierre-Louis Cayrel and Christiane Peters contributed many references and URLs.


This is version 2017.01.22 of the index.html web page.