Post-quantum cryptography (PQC) is moving from evaluation to deployment as NIST finalizes standards for ML-KEM, ML-DSA, and SLH-DSA. This survey maps the space from foundations to practice. We first develop a taxonomy across lattice-, code-, hash-, multivariate-, isogeny-, and MPC-in-the-Head families, summarizing security assumptions, cryptanalysis, and standardization status. We then compare performance and communication costs using representative, implementation-grounded measurements, and review hardware acceleration (AVX2, FPGA/ASIC) and implementation security with a focus on side-channel resistance. Building upward, we examine protocol integration (TLS, DNSSEC), PKI and certificate hygiene, and deployment in constrained and high-assurance environments (IoT, cloud, finance, blockchain). We also discuss complementarity with quantum technologies (QKD, QRNGs) and the limits of near-term quantum computing. Throughout, we emphasize crypto-agility, hybrid migration, and evidence-based guidance for operators. We conclude with open problems spanning parameter agility, leakage-resilient implementations, and domain-specific rollout playbooks. This survey aims to be a practical reference for researchers and practitioners planning quantum-safe systems, bridging standards, engineering, and operations.
Public-key infrastructure today rests largely on problems that large-scale quantum computers could undermine (for example, integer factorization and discrete logarithms). Post-quantum cryptography (PQC) replaces those assumptions with alternatives believed to resist both classical and known quantum attacks. As NIST advances ML-KEM (key encapsulation), ML-DSA (module-lattice signatures, formerly Dilithium), and SLH-DSA (stateless hash-based signatures), organizations must move from “watching the standards” to concrete migration plans—without breaking interoperability, performance, or assurance.
This survey is written for researchers and operators who need a single thread from mathematical families through implementations, protocols, and rollout.

Figure 1: Canonical digital signature flow—hash the message, sign with a private key (and fresh randomness), transmit the message and signature, verify with the public key. ML-DSA instantiates the sign/verify primitives using module-lattice structures designed for quantum-safe security.
The paper organizes candidate constructions by underlying hardness assumption: lattice-, code-, hash-, multivariate-, isogeny-, and MPC-in-the-Head families.
For each family, the survey ties assumptions, attacks, and standardization status together so readers can compare options on security grounds, not marketing claims.
Benchmarks in the literature vary widely; this work emphasizes implementation-grounded comparisons of compute cost and bandwidth, then surveys acceleration (e.g. SIMD, dedicated hardware) and side-channel resistance—because a standard on paper is only as trustworthy as the constant-time, leakage-aware code that ships.
Building upward, the survey covers TLS, DNSSEC, certificate chains, and hygiene in PKI; constrained devices and IoT; cloud and financial stacks; and blockchain settings where long-lived keys and forks complicate upgrades. Themes include hybrid classical+PQC handshakes during transition, crypto-agility for future algorithm swaps, and evidence-based guidance rather than one-size-fits-all checklists.
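The hybrid handshake idea above, as an added illustration that is not part of the survey or any project it cites: a key combiner that feeds a classical and a post-quantum shared secret, plus the handshake transcript, through HKDF so the session key stays secret unless an attacker breaks both components. The shared secrets and transcript are constructed byte strings (the standard library has neither X25519 nor ML-KEM), and the label and function names are this example's own.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output length


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with HMAC-SHA-256 (empty salt -> HashLen zero bytes)."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA-256."""
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def hybrid_session_key(classical_ss: bytes, pq_ss: bytes, transcript: bytes) -> bytes:
    """Derive one session key from a classical and a PQ shared secret.

    The two secrets are concatenated as HKDF input keying material (the
    concatenation approach used by TLS hybrid key-exchange drafts, simplified
    here), and a hash of the handshake transcript (public keys, ciphertexts)
    is bound in through the info string. Recovering the key therefore requires
    recovering BOTH shared secrets: breaking only ECDH or only the PQ KEM is
    not enough, which is the point of running them side by side during migration.
    """
    if len(classical_ss) != 32 or len(pq_ss) != 32:
        raise ValueError("expected 32-byte shared secrets")
    prk = hkdf_extract(b"", classical_ss + pq_ss)
    info = b"hybrid-kem-demo" + hashlib.sha256(transcript).digest()
    return hkdf_expand(prk, info, 32)


# Constructed stand-ins for what X25519 and ML-KEM would output in a real handshake.
CLASSICAL_SS = bytes(range(32))
PQ_SS = bytes(range(32, 64))
TRANSCRIPT = b"client_hello|x25519_pub|mlkem_pub|server_hello|mlkem_ct"


def demo() -> dict:
    """Show that changing either secret or the transcript changes the key."""
    key = hybrid_session_key(CLASSICAL_SS, PQ_SS, TRANSCRIPT)
    return {
        "key": key,
        "pq_broken": hybrid_session_key(CLASSICAL_SS, b"\x00" * 32, TRANSCRIPT) != key,
        "classical_broken": hybrid_session_key(b"\x00" * 32, PQ_SS, TRANSCRIPT) != key,
        "transcript_tampered": hybrid_session_key(CLASSICAL_SS, PQ_SS, TRANSCRIPT + b"x") != key,
    }
```

Swapping the PQ component later (crypto-agility) only changes which KEM produces `pq_ss`; the combiner and the key schedule downstream stay the same.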
QKD and QRNGs appear in operational discussions; the survey clarifies how they complement PQC (and where they do not replace sound key agreement or authentication). It also situates expectations relative to near-term quantum computing capabilities versus the threat models that motivate migration today.
Closing sections highlight parameter agility, leakage-resilient implementations, and domain-specific playbooks for migration. The preprint is under active peer review for ACM Computing Surveys; see arXiv:2510.10436 for the latest version.
We also maintain awesome-pqc—a curated list of PQC papers, tools, implementations, and tutorials aligned with the survey’s themes (NIST standards, implementation security, hybrid migration, and deployment).