The history of post‑quantum cryptography (PQC) is a race between the development of quantum computers and the creation of algorithms that can resist them. The starting point was December 20, 2016, when NIST launched a public competition for post‑quantum algorithms. Eight years later, in August 2024, the first final standards (FIPS 203, 204, 205) were published. During this time, cryptographers built algorithms based on lattices (CRYSTALS‑Kyber, CRYSTALS‑Dilithium, Falcon), hash functions (SPHINCS+), and error‑correcting codes (HQC). In parallel, the blockchain industry began migrating: Cellframe has been built on NIST algorithms since 2017, QRL has run on XMSS hash‑based signatures since 2018, and Algorand executed the first live PQC transaction on mainnet in 2025.
From Threat to Action: How It All Began
Post‑quantum cryptography was born not from curiosity but from fear. In 1994, Peter Shor showed that a quantum computer could break RSA and ECDSA in minutes. But at that time, quantum computers were science fiction. By the 2010s, they were no longer fiction.
Major blockchains (Bitcoin, Ethereum) are built on ECDSA – an algorithm vulnerable to Shor’s algorithm. By 2015, NIST realised that within 10–15 years the threat could become real. The solution: find algorithms resistant to quantum attacks and standardise them.
Key dates before the competition
| Year | Event |
|---|---|
| 1994 | Peter Shor discovers an algorithm that can break RSA and ECDSA |
| 2000s | Quantum computers remain a lab curiosity |
| 2015 | NIST realises the threat could become real within 10–15 years |
| 2016 | NIST launches a competition for post‑quantum algorithms |
2016–2022: The NIST Competition and Algorithm Selection
On December 20, 2016, NIST officially announced a competition for post‑quantum cryptographic algorithms. Over eight years, 82 candidates were narrowed down to 4 winners – and this changed global cryptography.
Major milestones of the competition
| Phase | Year | What happened |
|---|---|---|
| Competition launch | Dec 20, 2016 | NIST opens the call for PQC algorithms, inviting researchers worldwide |
| First submissions | 2017 | 82 candidates (23 signature schemes, 59 encryption/KEM) |
| First round | 2019 | 26 finalists selected after initial analysis |
| Third round | 2020 | 15 finalists and alternate candidates |
| Winners announced | 2022 | NIST selects 4 algorithms for standardisation: CRYSTALS‑Kyber, CRYSTALS‑Dilithium, Falcon, SPHINCS+ |
| Fourth round | 2022–2025 | Analysis of KEM algorithms: BIKE, Classic McEliece, HQC, SIKE |
| HQC selected | March 2025 | HQC chosen as second KEM standard (backup for ML‑KEM) |
In 2025, NIST published its fourth‑round report, selecting HQC as a backup KEM. As NIST explained, diversity of mathematical foundations is critical: if one type of attack (e.g., against lattices) becomes viable, backup algorithms will continue to protect data.
2024: A Historic Day – The First Standards
On August 13, 2024, NIST officially published FIPS 203 (ML‑KEM), FIPS 204 (ML‑DSA), and FIPS 205 (SLH‑DSA). The world received its first post‑quantum cryptographic standards.
Final NIST standards (2024)
| Standard | Algorithm (old name) | New name | Mathematical basis | Type |
|---|---|---|---|---|
| FIPS 203 | CRYSTALS‑Kyber | ML‑KEM | Lattices (Module‑LWE) | KEM (key exchange) |
| FIPS 204 | CRYSTALS‑Dilithium | ML‑DSA | Lattices (Module‑LWE) | Digital signature |
| FIPS 205 | SPHINCS+ | SLH‑DSA | Hash functions | Digital signature (backup) |
CRYSTALS‑Kyber and CRYSTALS‑Dilithium are based on lattice problems (Module‑LWE) that even a quantum computer cannot solve efficiently. SPHINCS+ uses hash functions – an even more conservative approach.
This day became historic: from August 13, 2024, the world moved from “someday” to “now”. Governments began drafting migration roadmaps, and software vendors started implementing the standards.
2025–2026: Additions and Roadmaps
In March 2025, NIST added a fifth algorithm – HQC, based on error‑correcting codes. And in March 2026, Google Quantum AI shocked the industry by cutting its estimate of required qubits by 20× and moving its own migration deadline to 2029.
Additional standards
| Standard | Algorithm | Mathematical basis | Status |
|---|---|---|---|
| FIPS 206 (expected) | Falcon (FN‑DSA) | Lattices (NTRU) | Expected publication |
| FIPS 207 (draft) | HQC | Error‑correcting codes | Fourth round, selected |
Migration roadmaps
- USA (NIST/OMB): Federal systems migration to PQC has begun (Presidential directive NSM‑10)
- Australia (ISM): Standards updated with a clear 2030 deadline
- United Kingdom (NCSC): Published concrete recommendations
- EU: Issued recommendations for member states
Key Algorithms: What They Do and Where They Are Used
Four algorithms have become the foundation of post‑quantum cryptography: two for signatures (Dilithium, Falcon), one for key exchange (Kyber), and one backup (SPHINCS+). Each solves a different problem.
CRYSTALS‑Kyber (ML‑KEM)
Purpose: Key exchange (encrypting communication channels).
Used in: TLS (hybrid implementations), secure channels, Cellframe.
Feature: Fast, compact, lattice‑based.
CRYSTALS‑Dilithium (ML‑DSA)
Purpose: Digital signatures (primary standard).
Used in: Cellframe (block signing), system software, documents.
Feature: Fast verification, signature ~2‑3 KB.
Falcon (FN‑DSA)
Purpose: Digital signatures for constrained environments.
Used in: Cellframe (transactions), Algorand (State Proofs), smart contracts.
Feature: Compact signature (~1.2 KB), complex implementation.
SPHINCS+ (SLH‑DSA)
Purpose: Backup signatures (hash‑based).
Used in: Cellframe SDK, systems with extreme security requirements.
Feature: Very conservative, but large signature (~8‑40 KB).
Blockchain Adoption: Who Is Ready and Who Is Still Planning
In 2026, the blockchain industry has split into three camps. Leaders (Cellframe, QRL) built PQC from the ground up. Chasers (Algorand) are integrating PQC on top of vulnerable consensus. Laggards (Bitcoin, Ethereum) are still discussing plans.
Cellframe: PQC from Day One (since 2017)
Cellframe is the only platform that has been built on NIST‑approved post‑quantum algorithms since 2017. Founder Dmitry Gerasimov is a nuclear physicist. Cellframe’s primary algorithms are CRYSTALS‑Dilithium for blocks, Falcon for transactions, SPHINCS+ in the SDK, and Kyber 512 for channels. In August 2025, an external audit by Qverify confirmed full compliance with NIST standards.
Cellframe’s key innovation is upgradable cryptography via algorithm identifiers: when NIST approves new algorithm versions, the network simply adds new IDs – no hard forks required.
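An added example (not Cellframe's code or wire format) of upgrading by algorithm identifier: each signature travels in an envelope tagged with an algorithm ID, and a new ID is registered without invalidating signatures made under older ones. Lamport one-time hash-based signatures stand in for the NIST schemes, which are not in the Python standard library; the IDs, envelope layout and function names are assumptions.

```python
import hashlib
import os
import struct

# Constructed registry: algorithm ID -> hash used by the stand-in Lamport scheme.
# The IDs are hypothetical and are not Cellframe's identifiers.
REGISTRY = {1: hashlib.sha256}
RETIRED = set()  # IDs that still parse but are no longer accepted

def register(alg_id, hash_fn):
    """Add a new algorithm ID without touching existing ones."""
    if alg_id in REGISTRY:
        raise ValueError("algorithm ID already assigned")
    REGISTRY[alg_id] = hash_fn

def _bits(hash_fn, msg):
    digest = hash_fn(msg).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen(alg_id):
    """One-time key pair; the public key carries its algorithm ID."""
    h = REGISTRY[alg_id]
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(h(a).digest(), h(b).digest()) for a, b in sk]
    return sk, (alg_id, pk)

def sign(alg_id, sk, payload):
    """Return envelope = 2-byte algorithm ID || signature (use each key once)."""
    tag = struct.pack(">H", alg_id)
    bits = _bits(REGISTRY[alg_id], tag + payload)  # ID is part of the signed message
    return tag + b"".join(sk[i][b] for i, b in enumerate(bits))

def verify(pub, payload, envelope):
    key_alg, pk = pub
    if len(envelope) != 2 + 256 * 32:
        return False
    (alg_id,) = struct.unpack(">H", envelope[:2])
    h = REGISTRY.get(alg_id)
    # Reject unknown, retired, or re-labelled algorithm IDs before any crypto runs.
    if h is None or alg_id in RETIRED or alg_id != key_alg:
        return False
    sig = envelope[2:]
    bits = _bits(h, envelope[:2] + payload)
    return all(h(sig[i * 32:(i + 1) * 32]).digest() == pk[i][b]
               for i, b in enumerate(bits))
```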
QRL: Hash‑Based Signatures Since 2018
Quantum Resistant Ledger (QRL) uses XMSS – a hash‑based scheme resistant even to quantum computer attacks. The main advantage is “minimum trust”: the mathematics of hash functions has been studied for decades.
Algorand: First Step (PQC Transaction in 2025)
Algorand became the first major blockchain network to execute a PQC transaction on mainnet (November 2025). The platform integrated Falcon for smart transactions and State Proofs. However, Algorand’s consensus still uses vulnerable Ed25519. This is partial protection, not full migration.
Bitcoin and Ethereum: Plans and Disputes
| Project | Status (2026) | Problem |
|---|---|---|
| Bitcoin | BIP‑360 under discussion | Migration will take years, does not protect against mempool attacks |
| Ethereum | EIP‑8141, roadmap to 2029 | PQ signatures are 65× more expensive in gas |
2026: Google Accelerates the Transition
On March 31, 2026, Google Quantum AI published a white paper cutting its estimate of required qubits by 20× and moving its own migration deadline to 2029. The market reacted immediately: PQC project tokens rose 40‑50%.
This event became a turning point for the entire industry. Google moved its internal migration horizon from 2035 to 2029 – six years earlier. The report also emphasised that PQC is a “well‑understood path to post‑quantum blockchain security.”
Glossary
| Term | Definition |
|---|---|
| Post‑quantum cryptography (PQC) | Algorithms resistant to attacks from quantum computers. Do not require quantum hardware. |
| NIST (National Institute of Standards and Technology) | US federal agency that develops cryptographic standards. The leading authority in PQC. |
| NIST competition (2016–2025) | An 8‑year process to select post‑quantum algorithms, resulting in standardisation of ML‑KEM, ML‑DSA, SLH‑DSA, FN‑DSA, and HQC. |
| ML‑KEM (CRYSTALS‑Kyber) | NIST’s primary standard for post‑quantum key exchange (FIPS 203). Lattice‑based. |
| ML‑DSA (CRYSTALS‑Dilithium) | NIST’s primary standard for post‑quantum digital signatures (FIPS 204). Lattice‑based. |
| SLH‑DSA (SPHINCS+) | NIST’s backup standard for hash‑based signatures (FIPS 205). |
| FN‑DSA (Falcon) | Expected NIST standard for compact lattice‑based signatures (FIPS 206). |
| HQC | NIST’s backup KEM standard based on error‑correcting codes (FIPS 207, draft). |
| Shor’s algorithm | Quantum algorithm capable of breaking RSA and ECDSA. The main reason for PQC. |
| Q‑day | The hypothetical day when a quantum computer can break modern cryptography (RSA, ECDSA). Estimates: 2029–2032. |
| Hash‑based cryptography | Cryptography based on hash functions. Considered maximally conservative and secure. |
| Lattice‑based cryptography | Cryptography based on lattice problems (LWE, NTRU). The foundation of the main PQC standards. |
| XMSS | Stateful hash‑based signature scheme. Used by QRL, standardised by IETF (RFC 8391). |
Summary
The history of post‑quantum cryptography is a race in which the industry has moved from “someday” to “now”. In eight years, NIST selected and standardised the algorithms that will protect data for decades to come.
Among blockchains, Cellframe (built on NIST algorithms since 2017, audited by Qverify in 2025), QRL (hash‑based XMSS signatures since 2018), and Algorand (first major PQC transaction in 2025) stand out. Bitcoin and Ethereum are still in the discussion phase, and their migration will take years.
The bottom line: PQC is not the future – it is the present. NIST standards are finalised, platforms are deploying them in production, and Google has set a 2029 deadline. Those who do not migrate in time may not survive Q‑day. Cellframe is already ready.