A curated list of resources about post-quantum cryptography.
To contribute, please file a PR. Please list items alphabetically.
If you notice errors or obsolete content, please file PR or an Issue.
Standardization projects:
- NIST Post-Quantum Cryptography
- PQC Digital Signature Schemes (in progress)
KEMs (encryption, key agreement):
- HQC - Selected in 2025, code-based
- ML-KEM (Kyber) - Selected in 2022, lattice-based
Signature schemes:
- FN-DSA (Falcon) - Selected in 2022, lattice-based
- Presentation FIPS 2026 Status Update
- Presentation Falcon, Towards FN-DSA
- Falcon official software
- ML-DSA (Dilithium) - Selected in 2022, lattice-based
- SLH-DSA (SPHINCS+) - Selected in 2022, hash-based
- CISA Quantum-Readiness: Migration to Post-Quantum Cryptography
- CISA Strategy for Migrating to Automated Post-Quantum Cryptography Discovery and Inventory Tools
- DHS PQC approach and roadmap
- NIST and NCCoE's Migration to PQC
- NIST Migration to Post-Quantum Cryptography
- NSA PQC FAQ
- GSMA: Post Quantum Government Initiatives by Country and Region
- ISO/IEC JTC 1/SC 27 Working Group on PQC Standardization
- Quantum Computing Cybersecurity Preparedness Act
Australia:
Canada:
China:
Czech Republic:
EU:
France:
Germany:
- BSI Cryptographic Mechanisms Recommendations (TR-02102-1)
- BSI Post-Quantum Cryptography Recommendations
India:
Israel:
Japan:
- Guidelines (including PQC) by CRYPTREC
Malaysia:
Netherlands:
Singapore:
South Korea:
- KpqC Competitions and Algorithms
- Standardized algorithms:
United Kingdom:
RFCs:
- RFC 8391: XMSS: eXtended Merkle Signature Scheme
- RFC 8554: Leighton-Micali Hash-Based Signatures
- RFC 8784: Mixing Preshared Keys in the Internet Key Exchange Protocol Version 2 (IKEv2) for Post-quantum Security
- RFC 9370 Multiple Key Exchanges in the Internet Key Exchange Protocol Version 2 (IKEv2)
- RFC 9881: Internet X.509 Public Key Infrastructure -- Algorithm Identifiers for the Module-Lattice-Based Digital Signature Algorithm (ML-DSA)
- RFC 9935: Internet X.509 Public Key Infrastructure - Algorithm Identifiers for the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM)
- RFC 9794: Terminology for Post-Quantum Traditional Hybrid Schemes
Internet-Drafts:
- I-D Composite ML-DSA for use in X.509 Public Key Infrastructure
- I-D Downgrade Prevention for the Internet Key Exchange Protocol Version 2 (IKEv2)
- I-D Framework to Integrate Post-quantum Key Exchanges into Internet Key Exchange Protocol Version 2 (IKEv2)
- I-D Hybrid key exchange in TLS 1.3
- I-D Hybrid Post-Quantum Key Encapsulation Methods (PQ KEM) for Transport Layer Security 1.2 (TLS)
- I-D Merkle Tree Certificates
- I-D ML-KEM Post-Quantum Key Agreement for TLS 1.3
- I-D Post-Quantum and Post-Quantum/Traditional Hybrid Algorithms for HPKE
- I-D Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
- I-D Post-quantum Key Exchange with ML-KEM in the Internet Key Exchange Protocol Version 2 (IKEv2)
- I-D Use of Composite ML-DSA in TLS 1.3
- I-D Use of ML-DSA in TLS 1.3
- I-D Use of the FN-DSA Signature Algorithm in the Cryptographic Message Syntax (CMS)
Apple:
AWS:
- AWS KMS post-quantum TLS
- AWS PQC Initiative
- AWS post-quantum cryptography migration plan
- s2n-tls PQC implementation
- Verifying and optimizing post-quantum cryptography at Amazon
Cloudflare:
- A look at the latest post-quantum signature standardization candidates
- Cloudflare targets 2029 for full post-quantum security
- Keeping the Internet fast and secure: introducing Merkle Tree Certificates
- PQC solutions overview
- State of the post-quantum Internet in 2025
- You don’t need quantum hardware for post-quantum security
Google:
- Announcing quantum-safe digital signatures in Cloud KMS - Implementation details for ML-DSA and SLH-DSA in cloud environments.
- Building superconducting and neutral atom quantum computers
- FIDO2/WebAuthn post-quantum security keys
- Google Cloud Post-Quantum Cryptography (PQC) - Organizational PQC strategy, architecture, and hybrid cryptographic deployments.
- Post-quantum cryptography in Chrome
- Quantum frontiers may be closer than they appear
Hashicorp:
IBM:
Kubernetes:
Meta:
- Post-Quantum Cryptography Migration at Meta: Framework, Lessons, and Takeaways
- Post-quantum readiness for TLS at Meta
Microsoft:
Palo Alto Networks:
Red Hat:
- Post-quantum cryptography in Red Hat Enterprise Linux 10
- What’s new in post-quantum cryptography in RHEL 10.1
Signal:
Tencent:
Does not include TLS implementations listed later:
- AWS-LC - Rust bindings in aws-lc-rs
- Botan - C++
- Bouncy Castle - Java/C#
- CIRCL (Cloudflare Interoperable, Reusable Cryptographic Library) - Go
- Google Tink - Multi-language (C++, Go, Java, Obj-C, Python)
C:
- algorand/falcon - Deterministic FALCON implementation
- liboqs - From Open Quantum Safe
- mupq/pqm4 - PQC library for the ARM Cortex-M4
- PQ Code Package - A Linux Foundation PQCA project building high-assurance implementations of standards-track algorithms
Go:
- Go crypto/mlkem - Official Go implementation of Kyber/ML-KEM
JavaScript:
- paulmillr/noble-post-quantum - ML-KEM, ML-DSA, SLH-DSA, Falcon, and hybrids
.NET:
Rust:
- libcrux - Formally verified code
- RustCrypto/KEMs - ML-KEM, FrodoKem
- RustCrypto/signatures - ML-DSA, SLH-DSA, LMS
Zig:
- std.crypto - ML-DSA and ML-KEM in the standard library
- A Decade of Lattice-Based Cryptography by Chris Peikert
- A Survey on Code-Based Cryptography by Violetta Weger, Niklas Gassner and Joachim Rosenthal
- Mathematics of Isogeny-Based Cryptography by Luca de Feo
- Post-Quantum Cryptography by Daniel J. Bernstein, Johannes Buchmann and Erik Dahmen
- Post-quantum cryptography—dealing with the fallout of physics success by Daniel J. Bernstein and Tanja Lange
- Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations by Google Quantum AI
- The Learning with Errors Problem by Oded Regev
- awesome-quantum-software
- PQC Crypto Registry - By Project Eleven
- PQCrypto Usage & Deployment
- PQC Forum - NIST's discussion list
- Quantum Algorithm Zoo