name of the term: Post-Quantum Cryptography
descriptions of the term:

Definition

Definition. Cryptographic algorithms designed to remain secure against attacks by a sufficiently powerful quantum computer. The relevant NIST standards (FIPS 203 ML-KEM, FIPS 204 ML-DSA) are based on mathematical problems from lattice cryptography (Module Learning With Errors), considered computationally hard even for quantum computers.

Why relevant. Classical asymmetric algorithms (RSA, ECDSA, ECDH) are vulnerable to Shor's algorithm on a large-scale quantum computer. While such machines don't exist today, the "harvest now, decrypt later" attack is already active: adversaries collect encrypted traffic today to decrypt it once a quantum computer becomes available. Operators handling data with long confidentiality requirements need to start migrating now.

Related. ML-DSA, ML-KEM, Crypto Agility, Lattice-based cryptography, Harvest-now-decrypt-later

Type of term: definition
Language of the term (2 char ISO code): en