Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Taking Measure

Just a Standard Blog

The Future Is Now: Spreading the Word About Post-Quantum Cryptography

artist's concept of the inside of a quantum computer. A grid of blue computer chips with beams of light moving between them.
Credit: Yurchanka Siarhei/

I consider myself a quiet guy — on a Friday night you can usually find me at home doing crossword puzzles. Public speaking doesn’t come naturally to me, and I’ve never really liked it. Like many people, I get really nervous. So, how did I find myself standing at a podium in front of hundreds of people in Fukuoka, Japan?

I had never traveled that far away from home before. I was also pretty jet-lagged, as I had flown to Fukuoka the day prior. But there I was, giving the opening talk at PQCrypto 2016, the latest in a series of conferences in post-quantum cryptography (PQC). To add to my anxiety, I thought most of the audience knew more about PQC than I did.

Despite these circumstances, I managed to do what I was there to do: announce that the National Institute of Standards and Technology (NIST) was kicking off an international competition to find new quantum-resistant cryptographic systems. The attendees reacted very favorably, knowing this would boost their research in the coming years. As it did, and the NIST PQC competition grew, it took me along for the ride.

Let me back up and explain a little bit.

I came to NIST in 2010 as a postdoc with a one-year-old Ph.D. in mathematics. My dissertation involved something called elliptic curves, which turn out to have some very useful applications in the cryptosystems we use to secure our communications on the internet and elsewhere. In particular, elliptic curve cryptosystems have very short keys and signatures, which take up less memory in comparison to other cryptosystems. It was fascinating to me that such a purely mathematical concept had such an important application in the real world.

NIST publishes cryptography standards so that government agencies know how to safely use crypto. These standards are documents that specify exactly how to implement various cryptographic algorithms in a standard way, so that a user’s computer will be able to securely communicate with the intended recipient’s computer. NIST’s crypto standards are well regarded and are used by most public and private organizations around the world.

It was these kinds of applications that led me to NIST. I spent my first few years here continuing my mathematical research and working on a few projects related to crypto standards. In 2012, my manager Lily Chen asked me to become involved with a new project dealing with post-quantum cryptography. One of the project leaders was moving, and I was asked to take his place. I accepted, even though I knew almost nothing about what PQC was.

a grid of various elliptic curves
A catalog of elliptic curves.
Credit: Tos, Public domain, via Wikimedia Commons

The goal of the project was to find cryptosystems which would be safe to use, even in the advent of quantum computers. What’s a quantum computer? Good question. A really detailed answer wouldn’t fit in this blog post. Informally, quantum computers are machines that would harness the properties of quantum physics to solve certain real-world problems that are beyond the power of our present machines. A lot of very intelligent people have been working on building one, with companies like Google, IBM, Intel, Honeywell and Microsoft all racing to be the first to actually construct a quantum computer large enough to tackle some of these problems. While a quantum computer would lead to some amazing scientific breakthroughs, there would also be a pretty catastrophic impact on some of the cryptosystems we rely on today. In particular, quantum computers would break a few of NIST’s standardized crypto algorithms, potentially exposing the sensitive information of anybody using those algorithms. Thus, we were tasked to find new ones to replace them.

As a young professional, I didn’t have a lot of experience in managing anything. I was lucky that we had a great team of researchers assembled, all of whom were much smarter than I was. Initially, we mostly read the latest papers in the field, talked to experts and started to do some of our own research. In 2015, we organized a workshop and shortly thereafter published a short report (NISTIR 8105) outlining NIST’s view of PQC. All this built momentum, and it was at this point we decided to start taking more concrete action toward standardization.

We decided that we would do a PQC competition like what NIST has done in the past for two of our crypto standards (AES and SHA-3). These competitions are major undertakings and have been quite successful at galvanizing the crypto community to focus evaluation and analysis on selected algorithms. The perfect way to announce this was the upcoming PQCrypto workshop in Japan, where the majority of the researchers in the field would be attending. That’s how I ended up there.

We are now several years into the competition and hope to select the new quantum-safe algorithms that NIST will standardize in another year or two. I’ve learned a lot in this time. I’ve learned the technical details and the science that underlies PQC, of course. But, I’ve also grown a great deal professionally. I’ve organized conferences, managed a diverse team of dedicated experts, written many papers and reports, and interacted with the public as we have steered through the PQC standardization process. There have been many challenges, but so far we feel we have been largely successful at coordinating our efforts with the crypto community, standards organizations and even other nations.

As awareness of the threat that quantum computers pose to cryptography has grown, NIST has been invited to share what it is doing at many venues and with numerous organizations. It’s been a unique opportunity to travel to many different countries and speak to a variety of people who want to know how “quantum” will impact them. One of my favorite experiences was speaking to representatives of the auto industry. They are concerned about the impact to security since the crypto that is programmed into cars has to have a long lifespan. I hadn’t really known much about the security challenges for cars before.

At some point, I know that the project will slow down, and post-quantum cryptography won’t be as high priority as it is right now. Part of me would be just fine with that, so I can go back to a quieter workflow. Yet, I must admit I have enjoyed having some time in the spotlight and the opportunity to develop some new skills and meet new people. I’m grateful that NIST is a place where such exciting (often unexpected) experiences await.

About the author

Dustin Moody

Dustin Moody is a mathematician in the NIST Computer Security Division. Dustin leads the post-quantum cryptography project at NIST. He received his Ph.D. from the University of Washington in 2009. His area of research deals with elliptic curves and their applications in cryptography.

Related posts


Although my computer skills are very poor, I understand the importance of these Quantum computers. Those are the mother machine centralized key places.
My question now is if I can purchase my own personal quantum computer.

Some quantum technologies are available, but they are not at a state that will be too useful to the average consumer. When they are more mature, they will likely be extremely expensive and use special hardware. They are still being developed, and it will take several more years.

Similar to when an encryption standard is deprecated and IT security departments have to reissue their security certificates created with the new encryptions standards/algorithms, I am hoping that before this genie is released from it's bottle, the world is warned and given twelve months to update to your new encryption standard. That, will be a massive undertaking and time will be needed to prepare our systems and software. I realize that the company that creates this new QC system will be giddy to announce and leverage, but if that design information is leaked or stolen all sorts of black ops decryption can occur. Oi vey..

We are working hard to ensure that everybody will be aware of this transition. As you noted, changing cryptographic algorithms is a challenge, and we expect that to be the case for the change to quantum-resistant algorithms. NIST announced our Post-Quantum Cryptography Standardization competition-like process in 2016, and we have been providing regular updates as to the progress. The cryptosystems under evaluation were all submitted freely and openly by submitters from around the world. The complete algorithm specifications (including the implementation code) can be found at our project website:

Very interesting article Dustin. It's mind bogging to think what computers have already done to our world, much less what the future holds. Scary IMO. I earned a BS in Computer Science at the University of MD 1976. They had an excellent program. Then a MS in Computer Science while serving in the Air Force in Florida 7 years later. The two things I like to say is nothing is private now days and complex software is never perfect. I wish you good luck with tour task.

Thank you for sharing and securing the future of computers. Mathematics, indeed the queen and servant of sciences, including computer science. Keep up the good work and please share more.

What is the significance of the elliptic curves in your blog?

Can you help a chemist understand how quantum computing would work?


When introducing myself, I mentioned that my area of research deals with elliptic curves. They are such a beautiful mathematical structure! It's interesting to me that they have been used to create cryptosystems. NIST has standardized some elliptic curve cryptosystems, see FIPS 186-4 and SP 800-56B. It turns out these particular cryptosystems would be broken by a quantum computer, hence need to be replaced. That is the point of our post-quantum crypto project.

It would be difficult to explain how a quantum computer works, solely in the comments. I'm also not the best person to explain it, as I'm a mathematician by training, and not a physicist. A quick google search will get you to some articles that would do a good job explaining it.

Thanks for the article - how soon do you think we may have a post quantum standard and do you think it will be something mortals can understand. Thanks

We expect that we will announce the algorithms to be standardized sometime around the end of this year, or the beginning of next year. It'll take a some time to then write the draft standard, submit it for public comments, resolve the comments, and get it approved for publication. I would estimate that it'll be about 2024 before the standard is finalized.

I do think mortals will be able to understand most of it! We try to write them that way! There will be the technical specifications of how to implement the algorithms, which may involve some higher level mathematics, but I think mortals who study the details will hopefully be able to get it.

Add new comment

Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.