Encryption > Glossary > Post-quantum cryptography
What is post-quantum cryptography?
Quantum computers don’t yet exist at the scale needed to break today’s encryption, but adversaries are already collecting your encrypted data now to decrypt it later.
Post-quantum cryptography is how we close that window before it can put you at risk.
The ‘harvest now, decrypt later’ threat
Although quantum computers capable of breaking public-key encryption like RSA and elliptic-curve cryptography aren’t here yet, they could still have a real impact on current security problems when they catch up. Today’s most sophisticated attackers are running a strategy called “harvest now, decrypt later,” where they intercept and archive your encrypted communications now, then wait for quantum computers powerful enough to crack them.
Anything sensitive you send today, such as medical records, legal communications, or private correspondence, could be at risk later. This is why the transition to quantum-resistant algorithms needs to happen long before the threat materializes, because swapping out encryption across the entire internet takes years.
How quantum computers work
Here’s the difference between traditional and quantum computers:
A traditional computer works with bits
Each bit is either 0 or 1, and a traditional computer must try encryption keys one by one. It’s sequential, like trying every key on a ring.
A quantum computer works with qubits
A qubit (quantum bit) can be both 0 and 1 simultaneously (superposition), letting quantum algorithms explore many possibilities at once. It’s like trying all keys on the ring at the same time.
Most public-key cryptography today relies on mathematical problems that are easy in one direction and hard in reverse, like multiplying two large prime numbers together (easy) versus factoring the result back into primes (hard).
Shor’s algorithm(neues Fenster), designed for quantum computers, attacks exactly that hardness. It would undermine RSA and elliptic-curve cryptography (including Curve25519), which are the backbone of encrypted email, TLS, and VPNs(neues Fenster) today.
The state of quantum computing
The good news: No quantum computer today comes close to threatening real-world encryption. The gap between current machines and what would be needed is enormous.
4,099
Logical (ideal) qubits estimated to break RSA-2048
1,500 – 2,000
Logical (ideal) qubits estimated to break elliptic‑curve cryptography
50M+
Physical qubits needed with realistic error correction to do the same
None
Machines today capable of breaking real-world encryption
Scaling to the millions of physical qubits needed is an enormous engineering challenge that no institution has solved. However, most experts believe a cryptographically relevant quantum computer is a matter of when, not if. Timeline estimates range from a decade to several decades. The uncertainty is precisely why the transition to post-quantum cryptography needs to start now.
What is post-quantum cryptography?
Post-quantum cryptography (PQC) is a new generation of encryption algorithms designed to be secure against both classical and quantum computers. Unlike quantum key distribution (which requires special hardware), PQC algorithms run on ordinary computers and can be deployed as software updates — meaning they can replace today’s vulnerable algorithms without new infrastructure.
In 2024, the US National Institute of Standards and Technology (NIST) finalized its first PQC standards. The leading candidate algorithms are based on lattice problems — a different class of mathematics that Shor’s algorithm cannot speed up. Unlike factoring large integers, the hardness of lattice problems is not known to collapse under quantum attack.
Why not just replace classical algorithms?
Standardized, widely deployed post-quantum cryptography is still new and hasn’t had the decades of public scrutiny that RSA and elliptic-curve cryptography have. The safest approach is hybrid cryptography: Layer a post-quantum algorithm on top of a classical one. Your data is protected unless an attacker simultaneously breaks both, which requires both a quantum breakthrough and a classical one.
How Proton has already acted
Post-quantum protection launched in Proton Mail in May 2026, available on all plans. Once enabled, Proton Mail generates post-quantum-ready keys for new encrypted emails, protecting your messages against both today’s threats and tomorrow’s quantum computers.
Leading PQC standardization
Working alongside cryptographers from the German Federal Office of Information Security (BSI), Proton co-authored the first post-quantum extension for OpenPGP(neues Fenster) — the open standard used for encrypted email worldwide. This ensures post-quantum protection works between Proton and other providers, not just within Proton’s own ecosystem.
Best-in-class algorithms
Using a combination of classical and post-quantum algorithms (hybrid cryptography), this new standard offers the highest security. Your data will be safe unless the attacker breaks both classical and quantum cryptography. The post-quantum component uses lattice-based algorithms, as they offer good security and performance.
- CRYSTALS-Kyber + X25519 for encryption
- CRYSTALS-Dilithium + Ed25519 for digital signatures
Persistent symmetric keys
We’re also working on a new standard(neues Fenster) to re-encrypt emails with safer keys and retire old ones without losing access. This ensures emails received in the past are safe from quantum computers.
Alice re-encrypts the messages she received in the past to ensure they are safe from quantum computers.
Take charge of your data
Proton was built to protect your data from the start — and from what’s coming next. With end-to-end encryption, post-quantum protection, open-source apps, and independent audits, your information stays yours.
