Post-quantum cryptography guide

Plain-language explanations of post-quantum cryptography (PQC), security notes, and privacy promises.

Educational demo - don't copy/paste into production

All cryptography runs locally in your browser. Keys and plaintext never leave your device, but this is still a simplified demo.

What this is

Plain-language notes that explain post-quantum cryptography (PQC) terms, sizes, and tradeoffs without the academic jargon. Use it to interpret the demo results and make migration decisions.

Who it's for

  • Leaders building PQC migration plans.
  • Engineers who need context for the demos.
  • Security teams writing stakeholder briefings.

Why we are migrating at all

RSA's security rests on integer factorization: the public modulus N = p×q is easy to publish but believed hard to split back into its primes. Elliptic-curve schemes (ECDH, ECDSA, Ed25519) rest on the related discrete-logarithm problem. A large enough quantum computer running Shor's algorithm turns both into a period-finding problem it solves in polynomial time, so it breaks them completely rather than merely weakening them. That is the entire reason for the migration. Because recorded traffic can be decrypted once such a machine exists, key exchange is the first thing to migrate; signatures only need to be replaced before the machine arrives.

Grover's algorithm is a separate and much smaller threat. It speeds up brute-force search only quadratically, which in the idealized model halves the bit security of symmetric key search and hash preimage resistance (AES-128 to roughly 64 bits), and in practice costs far more because the search does not parallelize well. The fix there is simply larger parameters (AES-256, SHA-384), not a new algorithm. See the Shor vs Grover lab for an interactive view of both.

The one-way function changed

Post-quantum cryptography swaps the trapdoor. Instead of "easy to multiply primes, hard to factor," lattice schemes use "easy to add a small error, hard to remove it." Recovering the secret amounts to solving approximate versions of the Shortest or Closest Vector Problem in a high-dimensional lattice, which has no periodic structure for Shor to exploit. The best known quantum attacks on these problems offer only modest, Grover-grade speedups over classical lattice sieving, so lattices are believed quantum-resistant and now anchor the NIST standards.

  • Build the geometric intuition in the Lattices lab (SVP, CVP, and the GGH trapdoor).
  • See the noisy-equation assumption behind ML-KEM, and one side of the ML-DSA security story, in the LWE lab.

What NIST standardized

NIST finalized the first post-quantum standards as FIPS 203, 204, and 205 (published August 2024):

  • ML-KEM (FIPS 203), derived from CRYSTALS-Kyber.
  • ML-DSA (FIPS 204), derived from CRYSTALS-Dilithium.
  • SLH-DSA (FIPS 205), derived from SPHINCS+.

ML-KEM is a KEM

ML-KEM encapsulates a shared secret. The sender's encapsulation produces a KEM ciphertext plus a 32-byte secret; the recipient's decapsulation recovers the same 32 bytes from the ciphertext and their private key. It does not encrypt messages by itself: the KEM ciphertext carries no plaintext. In the demo, the shared secret is turned into a symmetric AES-256 key with HKDF-SHA-256, and then AES-GCM encrypts the message. A tampered KEM ciphertext is not rejected by ML-KEM itself (it decapsulates to an unrelated pseudorandom secret by design); the AES-GCM tag check is what catches it.

Sizes and performance

  • ML-KEM keys and ciphertexts are larger than classical RSA or ECDH: ML-KEM-768 uses a 1,184-byte public key and a 1,088-byte ciphertext, versus 32 bytes each way for X25519 or a 256-byte RSA-2048 modulus.
  • ML-DSA signatures are a few kilobytes (3,309 bytes for ML-DSA-65, against 64 bytes for Ed25519), but keygen, signing, and verification are all fast.
  • SLH-DSA signatures are very large (about 7.9 KB for SHA2-128s up to about 49.9 KB for SHA2-256f) and signing is slower by design; the "s" parameter sets trade speed for smaller signatures, the "f" sets the reverse. In exchange its security rests only on the underlying hash function.

Each demo shows actual sizes from the selected parameter set.

Security notes

  • This is an educational demo, not production-ready crypto.
  • Use domain separation and authenticated encryption for real systems: bind the derived key to its context (a protocol label, the KEM ciphertext, and the recipient public key) through the KDF's info input, and never use a raw shared secret as a message key or pair a KEM with unauthenticated encryption.
  • Parameter sets trade speed, size, and security level: ML-KEM-512/768/1024 target NIST security categories 1, 3, and 5; ML-DSA-44/65/87 target categories 2, 3, and 5. ML-KEM-768 and ML-DSA-65 are the usual defaults.

Privacy promise

  • Keys and plaintext stay in your browser.
  • No secrets are sent to the server.
  • No keys or messages are stored in URL fragments.
  • Closing the tab forgets in-memory keys.

Implementation

This demo uses the open source @noble/post-quantum library (version 0.5.4) for ML-KEM, ML-DSA, and SLH-DSA operations.