Post-quantum cryptography (PQC) is the field of cryptography that protects sensitive data, stored or in transit, against decryption methods enabled by quantum computers. Unlike classical computers, which work with binary 0s and 1s, these machines compute with qubits. Qubits allow quantum computers to run special algorithms (such as Shor’s algorithm, which finds the prime factors of an integer) that can crack encryption algorithms security experts have long believed to be secure.
Quantum computers pose a massive threat because they solve certain mathematical problems up to 100 million times faster than classical computers. They even outpace our fastest supercomputers by 13,000 times, highlighting the need for quantum-resistant security solutions.
How does post-quantum cryptography (PQC) work?
Let’s first consider the hardware element of quantum computing. The quantum computers that we know of do not currently have enough qubits to break current encryption algorithms. While Google and NASA have claimed to have built a 56-qubit quantum computer, it would take thousands of qubits to factor the numbers involved in current encryption algorithms. Governments have been spending large sums of money on quantum research, and it isn’t certain whether an intelligence agency has achieved (or soon will achieve) more.
Due to their unique (and very particular) operational needs, including massive space requirements and extreme cooling, these quantum machines are only accessible to massive government agencies or organizations with immense funding. However, this might not always be the case. As technological advancements and mandates make quantum computing more accessible, all industries could see a wider emergence of sophisticated threats.
PQC algorithms therefore rely on mathematical problems that aren’t believed to be any easier for a quantum computer to solve than for a classical one. Researchers consider the newer hash-based, lattice-based, code-based, isogeny-based, and multivariate PQC algorithms to be reasonably safe. Instead of facing data decryption in mere hours, organizations that use PQC have a fighting chance against attackers who are better equipped than ever, and they don’t need quantum hardware of their own to protect themselves.
Consequently, new post-quantum algorithms exist to combat two probable scenarios:
Harvest now, decrypt later (HNDL): Attackers or governments can obtain data that was encrypted with algorithms vulnerable to quantum computing, which they can’t decrypt today, with the intention of unraveling its secrets in the future. In these situations, bad actors can sit on harvested data until quantum decryption is advanced and accessible enough to break it. This type of cyber attack is a ticking time bomb that’s hard to anticipate. However, the financial benefits of grabbing, selling, and exploiting sensitive data make the wait worthwhile. PQC recognizes this risk and is developed for a future in which quantum decryption becomes viable.
Legacy vulnerabilities: Once quantum decryption becomes a real threat, older SSL/TLS encryption algorithms safeguarding 99% of the web will suddenly become obsolete. Organizations must strategically replace old encryption methods, digital certificates, and other measures. This process is complex and expensive, but may be critical for long-term security.
How does post-quantum cryptography work at the technical level?
Organizations worldwide currently use many popular data encryption algorithms, which are considered either symmetric or asymmetric depending on whether they use one key or a public/private key pair:
Asymmetric
RSA (Rivest, Shamir, and Adleman)
ECDSA (Elliptic Curve Digital Signature Algorithm)
Symmetric
AES (Advanced Encryption Standard)
ChaCha20
Blowfish
Current quantum computing algorithms are able to attack the mathematical problems that asymmetric cryptography is based on, but aren’t thought to assist against symmetric algorithms.
Implementing new post-quantum cryptographic methods
PQC makes encryption much more mathematically sophisticated. These methods are designed to defend against Shor’s algorithm and Grover’s algorithm, quantum methods that attack problems such as finding the prime factors of an integer in polynomial time. Polynomial time basically means that the problem is solvable within a practically relevant period of time, not 10,000 years from now.
Post-quantum algorithms eliminate the shortcuts that quantum computers can use to easily crack existing algorithms. They defend against traditional (or classical) decryption methods and newer quantum methods, alike.
PQC uses one or more of the following mathematical problems:
Lattice-based cryptography: Lattices combine sets of existing vectors to form new vectors in a multi-dimensional space. Lattice-based ciphertext encodes connections between points in that space, and it is hard to break because recovering the relationship between those vectors is a hard problem. For example, quantum computers aren’t great at finding the shortest vector in a lattice, or the lattice vector closest to a given point. Those relationships are exactly the hints an attacker would need to recover the encrypted data.
Hash-based signatures: Hash functions are resistant to quantum attacks as long as each key pair is only used to sign a single message. These can be combined into trees to allow the signing of more than one message.
Code-based cryptography: Error correcting codes can be used to build encryption algorithms which aren’t thought to be vulnerable to quantum computers.
Multivariate cryptography: An attacker, quantum or classical, must solve systems of challenging, non-linear polynomial equations over finite fields. This is effective but can produce longer keys, which could be problematic at scale.
As these methods have evolved over time, security experts have standardized new-and-improved algorithms to beat quantum decryption before it becomes mainstream:
ML-KEM (formerly Kyber): Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) enables two parties to securely establish a shared secret key over a public channel using a set of algorithms. Entities can use this key with symmetric-key algorithms for encryption and authentication. It’s available as the ML-KEM-512, ML-KEM-768, and ML-KEM-1024 parameter sets.
ML-DSA (formerly Dilithium): Module-Lattice-Based Digital Signature Algorithm (ML-DSA) uses a set of lattice algorithms to create and verify digital signatures. It also enables document signing.
SLH-DSA (formerly SPHINCS+): Stateless Hash-Based Digital Signature Algorithm (SLH-DSA) relies on hashing and serves as a backup to ML-DSA for cases where ML-DSA is preferred but unavailable.
These algorithms will continue to evolve as time passes. They’re also no longer brand new, having been standardized in 2024. Each is defined under its own FIPS standard and has been documented extensively. Aside from these recent algorithms, there’s also evidence suggesting that AES-256 can adequately protect against quantum computers. In a pinch, some of our current methods can offer some security for an uncertain length of time.
What are the benefits of post-quantum cryptography (PQC)?
PQC will become an essential tool in each security administrator’s toolbox, and offers the following advantages:
It gives infrastructure teams and organizations a lasting way to ensure their systems and data are protected.
It introduces updated, more stringent cryptographical standards without rendering existing standards immediately useless.
It helps organizations protect against breaches, man-in-the-middle (MITM) attacks, and other violations of data privacy.
It gives teams a repeatable, standards-based method for implementing encryption wherever it’s needed, especially in sensitive industries or sectors.
Adoption will drive future regulatory compliance as security experts view such algorithms as indispensable.
Does HAProxy support post-quantum cryptography?
Yes! HAProxy supports the TLS 1.3 X25519MLKEM768 hybrid key exchange, which combines an elliptic curve algorithm (currently widely used and trusted, though vulnerable to quantum attack) with ML-KEM (newer and thus less battle-tested, but believed secure against quantum computers). Running HAProxy with a supporting cryptographic library (AWS-LC or OpenSSL 3.5+) allows it to negotiate quantum-resistant encryption keys with most modern clients.
To make your HAProxy instance quantum safe, add the following line to the global section of the configuration:
ssl-default-bind-curves X25519MLKEM768:X25519:P-256
This prioritizes the hybrid key exchange algorithm, or falls back to the elliptic curve exchanges if the client doesn’t support it. You could also remove the other two algorithms so that your HAProxy instance won’t speak to clients in a way that isn’t quantum safe.
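The following configuration, added here as an example and not taken from the HAProxy documentation, shows the directive above in a complete global section, the stricter hybrid-only alternative as a commented line, and a way to log which key-exchange group each client actually negotiated so you can measure how many connections still fall back to classical curves. The ssl_fc_curve sample fetch, the exact group name the TLS library reports, and the certificate path are assumptions; check them against your HAProxy and library versions.

```haproxy
global
    log stdout format raw local0
    # Prefer the hybrid post-quantum group, fall back to classical curves
    # for clients that don't support it yet.
    ssl-default-bind-curves X25519MLKEM768:X25519:P-256
    # Strict alternative (assumption: drops clients without hybrid support):
    # ssl-default-bind-curves X25519MLKEM768
    # The hybrid group is only negotiated under TLS 1.3.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_https
    # Placeholder certificate path; replace with your own.
    bind :443 ssl crt /etc/haproxy/certs/site.pem
    # Capture the negotiated key-exchange group once per transaction.
    # Assumption: ssl_fc_curve returns the library's name for the group,
    # e.g. "X25519MLKEM768" for the hybrid exchange.
    http-request set-var(txn.kex) ssl_fc_curve
    # Log the group next to the request so classical-only clients can be counted.
    log-format "%ci:%cp [%tr] %ft kex=%[var(txn.kex)] %ST %r"
    # Expose the result to the application for monitoring dashboards.
    acl pq_kex var(txn.kex) -m str X25519MLKEM768
    http-response set-header X-Key-Exchange %[var(txn.kex)]
    http-response set-header X-Quantum-Safe yes if pq_kex
    http-response set-header X-Quantum-Safe no if !pq_kex
    default_backend be_app

backend be_app
    # Backend stays plain HTTP; TLS is terminated at the proxy.
    server app1 127.0.0.1:8080
```

Once the share of kex=X25519MLKEM768 entries in the logs approaches 100%, switching to the hybrid-only curve list becomes a low-risk change.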
HAProxy terminates the TLS handshake at the proxy layer, so you can adopt quantum-safe key exchange without touching your backend servers.
FAQs
Quantum computers powerful enough to break today’s encryption do not exist yet, but the threat is already here through “harvest now, decrypt later” attacks. Attackers can collect encrypted data today and store it until quantum decryption becomes viable. Post-quantum cryptography protects that data now so it stays secure when that day arrives.