Post-Quantum Cryptography MCQ 60 Tests With Answers (2026)

Post-Quantum Cryptography MCQ practice questions are essential for preparing for competitive exams, certifications (CISSP, CSSLP), and technical interviews. This comprehensive MCQ platform provides 60 carefully curated practice questions covering quantum computing threats, Shor's and Grover's algorithms, NIST standardization outcomes, and advanced post-quantum migration strategies.
These questions are organized into three progressive difficulty levels of 20 questions each: Basics (covering quantum computing threats, qubits, Shor's and Grover's algorithms, and PQC fundamentals), Concepts (covering NIST PQC standards, Module-LWE, CRYSTALS-Kyber, CRYSTALS-Dilithium, stateful vs. stateless signatures, and McEliece), and Advanced (covering scenario-based key encapsulation mechanisms, side-channel concerns, crypto-agility, and hybrid classical-quantum deployments). Each question includes a verified, in-depth explanation to reinforce learning.
Practice in Study Mode to reveal answers and detailed explanations instantly, or use Exam Mode for timed testing and real-time scoring to simulate CISSP or specialized cryptography exam conditions. The interactive engine tracks your progress and identifies knowledge gaps across lattice math, hash-based signatures, and enterprise migration frameworks.
Contents
- 1. Basics (20 Questions): Shor's & Grover's Algorithms · Qubits & Superposition · Hybrid Deployments
- 2. Concepts (20 Questions): Lattice-Based Math · Learning with Errors (LWE) · Stateful Signatures
- 3. Advanced (20 Questions): Scenario-based · complex mechanics
- 4. Conclusion: summary · next steps · study tips
- 5. Key Takeaways: quick-fire bullet recap of essential facts
- 6. Quick Review Summary: concept · definition · key fact table
- 7. FAQ: common questions answered
Post-Quantum Cryptography — Basics
1. What is the fundamental definition of Post-Quantum Cryptography (PQC)?
Correct answer: C. Classical cryptographic algorithms designed to be secure against attacks from both classical and quantum computers
PQC algorithms run on traditional classical computers (laptops, servers, IoT) but are built on mathematical problems believed to be hard for both classical and quantum computers. Unlike QKD, PQC requires no quantum hardware.
2. Which specific mathematical problems does Shor's Algorithm primarily defeat?
Correct answer: A. Integer factorization and discrete logarithms
Shor's Algorithm solves integer factorization and discrete logarithms in polynomial time, completely undermining RSA, Diffie-Hellman, DSA, and ECC—all of which rely on these two problems.
3. How does Grover's Algorithm practically impact current cryptographic frameworks?
Correct answer: D. It quadratically speeds up unstructured search, effectively halving the security strength of symmetric keys and hash functions.
Grover's Algorithm provides a quadratic speedup for unstructured database search. It halves the effective bit-security of symmetric algorithms and hashes (e.g., AES-256 retains ~128-bit security), but it does not break them outright.
4. What is the fundamental difference between a classical Bit and a Qubit?
Correct answer: B. A qubit can exist in a superposition of states, representing 0, 1, or any quantum proportion of both simultaneously.
A classical bit is strictly 0 or 1, while a qubit leverages quantum superposition to exist in a coherent combination of both states until measured. This enables quantum algorithms to process exponentially many states in parallel.
5. What is the primary objective of the NIST Post-Quantum Cryptography Standardization Process?
Correct answer: C. To solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms
Launched in 2016, the NIST PQC process collected submissions from global cryptographers, subjected them to years of public cryptanalysis, and ultimately published FIPS 203, 204, and 205 in 2024 as finalized quantum-resistant standards.
6. What does "Q-Day" (or Y2Q) refer to in the cybersecurity industry?
Correct answer: B. The hypothetical future date when a Cryptographically Relevant Quantum Computer (CRQC) successfully breaks current public-key cryptography
Q-Day is the hypothetical date when a CRQC with enough stable qubits becomes operational, enabling it to break RSA-2048 or ECC-256 and invalidating vast quantities of currently encrypted data.
7. How are symmetric encryption algorithms like AES-256 expected to fare in a post-quantum environment?
Correct answer: A. They are generally considered quantum-safe, as Grover's algorithm only reduces their effective security bit-strength, not their underlying mathematics.
Grover's Algorithm halves the effective key length of symmetric ciphers. AES-256 drops to ~128-bit effective security—still considered safe. No known quantum algorithm breaks the AES structure itself, so AES-256 is a recommended quantum-safe cipher.
8. What is the immediate threat modeled by the "Store Now, Decrypt Later" (SNDL) strategy?
Correct answer: D. Adversaries intercepting and archiving encrypted traffic today with the intent to decrypt it once a CRQC is available in the future
SNDL (Harvest Now, Decrypt Later) is an urgent threat: nation-states and well-resourced adversaries collect TLS and VPN traffic today knowing that once a CRQC exists—potentially in years—they can retroactively decrypt it all.
9. What mathematical reliance makes RSA completely vulnerable to a sufficiently large quantum computer?
Correct answer: B. The difficulty of factoring extremely large composite prime numbers
RSA's security is entirely based on the hardness of factoring n=p×q. Shor's Algorithm solves this in polynomial time O((log n)³) on a quantum computer, completely destroying RSA regardless of key size.
10. What mathematical reliance makes Elliptic Curve Cryptography (ECC) vulnerable to quantum attacks?
Correct answer: D. The Elliptic Curve Discrete Logarithm Problem (ECDLP)
ECC's security rests on the ECDLP: given Q=kP on an elliptic curve, finding k is classically intractable. Shor's Algorithm solves the discrete logarithm problem in polynomial time, breaking ECDLP and all ECC-based schemes.
11. What does the term "Quantum Supremacy" or "Quantum Advantage" indicate?
Correct answer: A. The milestone where a quantum computer performs a specific calculation that is practically impossible for any classical computer to execute in a reasonable timeframe
Quantum supremacy marks the point where a quantum device solves a specific task faster than any feasible classical computer. Google's 2019 Sycamore experiment was a landmark claim, though the tasks used were not cryptographically relevant.
12. In the context of PQC, what does KEM stand for?
Correct answer: C. Key Encapsulation Mechanism
KEM stands for Key Encapsulation Mechanism—a cryptographic primitive that uses asymmetric cryptography to securely encapsulate (wrap) a random symmetric key so only the intended recipient can recover it.
13. What is the primary role of a Key Encapsulation Mechanism (KEM)?
Correct answer: D. A cryptographic mechanism used to securely establish a shared symmetric key between two parties over an insecure channel
A KEM allows a sender to encapsulate a random shared secret under the recipient's public key; only the recipient can decapsulate it using their private key. The resulting shared secret then seeds a symmetric cipher for bulk encryption.
14. What is the explicit goal of implementing Post-Quantum Digital Signatures?
Correct answer: A. To provide quantum-resistant authentication, non-repudiation, and data integrity verification
PQ digital signatures (e.g., ML-DSA, SLH-DSA) ensure that code signing, certificate issuance, TLS mutual authentication, and document integrity remain trustworthy even after a CRQC can forge classical ECDSA or RSA signatures.
15. What defines "Hybrid Cryptography" in the current migration landscape?
Correct answer: B. Combining a traditional classical algorithm (like ECC) with a post-quantum algorithm (like ML-KEM) to provide defense-in-depth against both current and future threats
Hybrid cryptography runs both a classical (e.g., ECDH) and a post-quantum (e.g., ML-KEM) algorithm simultaneously, combining their outputs. The session is secure if at least one algorithm is unbroken—protecting against both classical and quantum adversaries today.
16. Why can the quantum threat not be mitigated simply by drastically increasing the key sizes of RSA or ECC?
Correct answer: C. Because Shor's algorithm scales polynomially; key sizes would need to be impractically massive to remain secure, entirely crippling system performance
Shor's Algorithm has polynomial complexity O((log n)³). To achieve 128-bit security against it, RSA would need keys of roughly 2^128 bits—astronomically large and completely non-functional. The algorithm's scaling makes size increases futile.
17. What does "Quantum Entanglement" refer to in quantum mechanics?
Correct answer: B. A phenomenon where quantum particles become inextricably linked, such that the state of one instantaneously determines the state of the other, regardless of distance
Quantum entanglement links two particles so measuring one instantly collapses the other into a correlated state, even across vast distances. QKD systems exploit this property to detect eavesdropping, but PQC itself is classical math, not quantum physics.
18. What does "Quantum Superposition" mean?
Correct answer: C. The principle that allows a quantum system to exist in multiple states simultaneously until it is formally measured or observed
Superposition allows a qubit to be a quantum combination of |0⟩ and |1⟩ simultaneously. When measured, the superposition collapses to one definite state. Algorithms like Shor's exploit this to evaluate many inputs at once.
19. What is "Forward Secrecy" when evaluating a PQC Key Exchange?
Correct answer: D. The property that ensures the compromise of a long-term private key does not compromise past session keys established using that private key
Forward secrecy (PFS) ensures each session uses a fresh ephemeral key. Even if a long-term private key is later stolen by an adversary possessing a CRQC, past recorded sessions remain undecryptable—directly countering the SNDL threat.
20. Which of the following statements is true regarding Post-Quantum Cryptography?
Correct answer: A. It runs on traditional, classical computers (laptops, servers, IoT devices) while relying on math that resists attacks launched from quantum computers.
PQC is classical software. Algorithms like ML-KEM and ML-DSA run on any CPU and require no quantum hardware. Only the underlying mathematical problems are chosen to be hard for quantum computers to solve.
Post-Quantum Cryptography — Concepts
1. What is the fundamental "hard problem" that secures Lattice-based cryptography?
Correct answer: D. The Shortest Vector Problem (SVP) and Closest Vector Problem (CVP) in high-dimensional spaces
Lattice cryptography's security reduces to SVP (finding the shortest non-zero lattice vector) and CVP (finding the lattice vector closest to a target). Both are believed to resist polynomial-time quantum algorithms, even Shor's.
2. What is the primary, proven use case for Hash-based cryptography in the post-quantum era?
Correct answer: C. Digital signatures, providing high security reliant solely on the collision resistance of the underlying hash function
Hash-based signatures (LMS, XMSS, SPHINCS+) rely exclusively on the collision and preimage resistance of hash functions. Their security assumption is the most minimal and well-established of all PQC families, making them extremely conservative choices.
3. What mathematical problem forms the basis of Multivariate cryptography?
Correct answer: B. Solving systems of non-linear polynomial equations with multiple variables over a finite field
Multivariate cryptography is based on the Multivariate Quadratic (MQ) problem—solving degree-2 polynomial equations over a finite field GF(q) in n variables. This is NP-hard in general, supporting schemes like Rainbow and UOV.
4. Which historical 1978 cryptosystem forms the foundation for modern Code-based post-quantum cryptography?
Correct answer: A. The McEliece cryptosystem, relying on the hardness of decoding general linear codes
McEliece (1978) encodes plaintext as a codeword from a secret Goppa code, adds deliberate errors, and publishes a scrambled version as the public key. Security relies on the hardness of decoding general linear codes without the trapdoor.
5. What is the primary function of the NIST-standardized algorithm ML-KEM (formerly Kyber)?
Correct answer: C. It is a Module-LWE-based Key Encapsulation Mechanism chosen by NIST for general encryption and key establishment
ML-KEM (FIPS 203) is based on the Module Learning With Errors (MLWE) problem. It is NIST's primary standard for key encapsulation and public-key encryption, replacing RSA and ECDH in protocols like TLS 1.3.
6. What is the primary function of the NIST-standardized algorithm ML-DSA (formerly Dilithium)?
Correct answer: D. A Module-LWE-based digital signature algorithm selected by NIST as a primary standard for secure authentication
ML-DSA (FIPS 204) is based on Module-LWE and the Module Short Integer Solution (MSIS) problem. It is NIST's primary quantum-resistant digital signature standard, replacing ECDSA and RSA signatures.
7. What is the defining characteristic of SLH-DSA (formerly SPHINCS+)?
Correct answer: A. It is a stateless hash-based digital signature scheme, meaning it does not require the signer to carefully track previously used keys
SLH-DSA (FIPS 205) is a stateless hash-based signature scheme. Unlike LMS/XMSS, it uses a hypertree with FORS few-time signatures to eliminate state tracking entirely, at the cost of larger signatures (~8–50 KB depending on parameters).
8. Which underlying mathematical structure powers FN-DSA (formerly Falcon)?
Correct answer: B. NTRU lattices combined with Fast Fourier Sampling over structured lattices
FN-DSA (Falcon) is built on NTRU lattices and uses the GPV (Gentry-Peikert-Vaikuntanathan) framework with Fast Fourier Sampling for Gaussian sampling, producing compact ~666-byte (Falcon-512) and ~1280-byte (Falcon-1024) signatures.
9. Why was the promising Isogeny-based scheme SIKE abruptly removed from the NIST PQC standardization process?
Correct answer: A. It was thoroughly broken by a classical mathematical attack utilizing the Kani theorem before the standardization process concluded
In 2022, Castryck and Decru published a devastating classical attack using the 'glue-and-split' theorem (Kani's theorem) on abelian surfaces. It broke SIKE's parameters in under an hour on a laptop, eliminating it from NIST consideration.
10. In lattice cryptography, what does the Shortest Vector Problem (SVP) ask an attacker to do?
Correct answer: C. Given a basis of a vector space (lattice), find the non-zero vector in that lattice with the smallest Euclidean length
SVP asks: given a lattice basis B, find the shortest non-zero vector v in the lattice. Even in ~1024-dimensional spaces, no known classical or quantum algorithm solves this efficiently—the security foundation of ML-KEM, ML-DSA, and Falcon.
11. What is the core concept of Learning With Errors (LWE)?
Correct answer: D. A foundational mathematical problem where one attempts to solve a system of linear equations that have had small, random "noise" or errors introduced
LWE: given a matrix A and vector b = As + e (where s is the secret and e is small random noise), recovering s is computationally infeasible. The noise destroys the linear structure needed to solve the system, making it hard even for quantum computers.
12. What is the critical operational limitation of Stateful Hash-based Signatures (like LMS/XMSS)?
Correct answer: B. They fail completely if a private key is accidentally used more than once to sign different messages, requiring strict operational state management
Stateful HBS use one-time signature keys (WOTS+ leaves) in a Merkle tree. Reusing a leaf index for two different messages gives an attacker enough information to forge arbitrary signatures. Strict, synchronized state tracking across all HSMs is mandatory.
13. How does SPHINCS+ (SLH-DSA) functionally differ from XMSS?
Correct answer: B. XMSS requires strict state management to prevent key reuse, whereas SPHINCS+ is stateless and eliminates this operational risk at the cost of larger signatures
XMSS maintains a state counter to track used leaf indices; accidental reuse of a leaf is catastrophic. SPHINCS+ (SLH-DSA) uses a randomized, hypertree + FORS design to sign statelessly, avoiding the operational risk entirely—though at the cost of much larger signatures.
14. In August 2024, NIST reached a major milestone regarding PQC. What was it?
Correct answer: A. They formally published FIPS 203, FIPS 204, and FIPS 205 as finalized, official Federal Information Processing Standards
In August 2024, NIST published three finalized PQC standards: FIPS 203 (ML-KEM/Kyber), FIPS 204 (ML-DSA/Dilithium), and FIPS 205 (SLH-DSA/SPHINCS+). This concluded the 8-year standardization process and provides the cryptographic community with deployable quantum-resistant standards.
15. How do the public keys of Lattice-based encryption schemes generally compare to classical RSA public keys?
Correct answer: C. Lattice schemes generally have substantially larger public keys than RSA and ECC, but boast highly efficient, fast computation speeds
ML-KEM-768 has a ~1184-byte public key vs RSA-2048's 256-byte public key—significantly larger. However, lattice operations (NTT-based polynomial multiplication) are far faster than RSA modular exponentiation, making lattice schemes efficient in practice.
16. How do the ciphertext payload sizes of PQC KEMs compare to classical Elliptic Curve Cryptography (ECC)?
Correct answer: D. PQC ciphertexts (like those in ML-KEM) are considerably larger than ECC payloads, potentially causing network fragmentation in protocols like TLS
ML-KEM-768 produces 1088-byte ciphertexts vs ECDH's ~32–65 byte shared points. This expansion significantly impacts TLS record sizes, UDP datagram fragmentation, and DNSSEC record limits—engineering challenges for PQC migration.
17. What is the primary difference between standard LWE and Module-LWE (used in Kyber/Dilithium)?
Correct answer: D. Module-LWE strikes a balance between the high efficiency of Ring-LWE and the conservative security assumptions of standard LWE by operating over vectors of polynomials
Standard LWE uses large random matrices (O(n²) key sizes). Ring-LWE uses a single polynomial ring (compact but relies on ideal lattice assumptions). Module-LWE uses small matrices of polynomials over a ring, balancing Ring-LWE's efficiency with LWE's more conservative security assumptions.
18. How does Post-Quantum Cryptography (PQC) differ from Quantum Key Distribution (QKD)?
Correct answer: B. QKD utilizes quantum physics (entanglement/photons) for secure key transmission, whereas PQC relies on classical mathematical algorithms resistant to quantum computing
QKD (e.g., BB84) transmits quantum states (photons) through optical fiber; eavesdropping disturbs the quantum states and is detectable. PQC runs entirely on classical hardware using hard math. QKD requires specialized hardware; PQC is a software solution.
19. What does the term "Cryptographic Agility" mean for an organization preparing for PQC?
Correct answer: A. The architectural ability of a system to quickly and seamlessly swap out cryptographic primitives or algorithms without requiring extensive, breaking infrastructure overhauls
Cryptographic agility means designing systems with interchangeable algorithm slots. If a PQC algorithm is broken after deployment (as SIKE was), organizations should be able to swap it for another without a full infrastructure rebuild, which is critical given rapidly evolving post-quantum research.
20. What is the primary advantage of Ring-LWE (RLWE) over standard LWE?
Correct answer: C. It uses algebraic rings (polynomials) to dramatically reduce key sizes and increase computational efficiency compared to standard LWE matrices
Standard LWE matrices are O(n²) in size. Ring-LWE represents keys as polynomials in Z_q[x]/(x^n+1), reducing key sizes to O(n) while achieving comparable security, which enables the compact keys in schemes like ML-KEM and ML-DSA.
Post-Quantum Cryptography — Advanced
1. Why are Side-Channel Attacks a massive area of ongoing concern for newly deployed PQC algorithms?
Correct answer: B. Because PQC algorithms use complex polynomial math and rejection sampling, they often present larger attack surfaces for power analysis and timing attacks, requiring highly optimized constant-time implementations
PQC operations like Gaussian sampling, NTT butterfly operations, and rejection sampling involve data-dependent branches and memory accesses. Without careful constant-time implementation, power analysis, cache-timing, and electromagnetic side-channels can leak the secret key.
2. When comparing the two NIST-selected lattice signature schemes, what is a primary trade-off between Falcon and Dilithium?
Correct answer: A. Falcon generally produces smaller signature sizes and faster verification than Dilithium, but features a highly complex, floating-point-heavy key generation and signing process that is harder to implement securely
Falcon-512 (~666 bytes) produces far smaller signatures than ML-DSA Level 2 (~2420 bytes). However, Falcon's signing requires Gaussian sampling over NTRU lattices using floating-point arithmetic, making constant-time implementation extremely complex and a significant implementation-security concern.
3. What is a core structural difference between NTRU-based schemes and standard LWE-based schemes?
Correct answer: D. NTRU relies on finding short vectors in a specific class of polynomial rings (ideal lattices) without injecting explicit "error" terms, whereas LWE relies on solving linear equations with added Gaussian noise
NTRU keys are short polynomials f and g; the public key is h = g·f⁻¹ mod q in a polynomial ring. Security rests on finding short polynomials in NTRU lattices, with no noise term needed. LWE adds an explicit Gaussian error e to b = As + e to make the system hard to invert.
4. In the Winternitz One-Time Signature (WOTS) scheme, what is the role of the Winternitz parameter 'w'?
Correct answer: C. It dictates the time/memory trade-off; a larger 'w' dramatically shrinks the signature size but exponentially increases the computational time required to generate it
In WOTS, each message chunk (a base-w digit of the digest) is signed with one hash chain of length w. A larger w means fewer chains (fewer signature elements, so smaller signatures), but each chain is longer (more hash computations per signing). Common values are w=4 or w=16.
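To make the w trade-off concrete, here is a toy WOTS in Python. It is an added example, not code from the quiz or from any standard: it omits the bitmasks and address tweaks of the WOTS+ variant used in XMSS and SPHINCS+, and the element size N (32 bytes, SHA-256) is an assumption. It lets you compute, for any power-of-two w, how many chain elements the signature has and how many hash steps signing costs in the worst case, and it shows why the checksum digits are needed.

```python
import hashlib
import os

# Added toy Winternitz one-time signature (WOTS), constructed for illustration.
# Not the WOTS+ of XMSS/SPHINCS+ (no bitmasks, no address tweaks).
# N (bytes per chain element) and the message length are assumptions.

N = 32  # bytes per secret element (SHA-256 output size)


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def chain(x: bytes, steps: int) -> bytes:
    """Walk a hash chain: apply H `steps` times."""
    for _ in range(steps):
        x = H(x)
    return x


def wots_params(w: int, msg_len: int = N):
    """Return (log2 w, l1, l2): digit counts for the message and for the checksum."""
    if w < 2 or w & (w - 1):
        raise ValueError("w must be a power of two >= 2")
    log_w = w.bit_length() - 1
    l1 = -(-8 * msg_len // log_w)            # ceil(8 * msg_len / log2 w)
    max_checksum = l1 * (w - 1)
    l2 = -(-max_checksum.bit_length() // log_w)  # digits needed for the checksum
    return log_w, l1, l2


def to_base_w(value: int, w: int, digits: int):
    """Most-significant-digit-first base-w representation of an integer."""
    out = []
    for _ in range(digits):
        out.append(value % w)
        value //= w
    return out[::-1]


def digits_of(msg: bytes, w: int):
    """Message digits followed by checksum digits. The checksum is what stops a
    forger from advancing revealed chains to 'sign' a message with larger digits:
    raising any message digit lowers the checksum, which would need an earlier
    (unrevealed) chain value."""
    _, l1, l2 = wots_params(w, len(msg))
    m = to_base_w(int.from_bytes(msg, "big"), w, l1)
    checksum = sum(w - 1 - d for d in m)
    return m + to_base_w(checksum, w, l2)


def keygen(w: int, msg_len: int = N, seed: bytes = None):
    """Secret key: one random element per chain; public key: each chain's end point."""
    _, l1, l2 = wots_params(w, msg_len)
    if seed is None:
        sk = [os.urandom(N) for _ in range(l1 + l2)]
    else:  # deterministic derivation so tests are repeatable
        sk = [H(seed + i.to_bytes(2, "big")) for i in range(l1 + l2)]
    pk = [chain(s, w - 1) for s in sk]
    return sk, pk


def sign(sk, msg: bytes, w: int):
    """Reveal each chain advanced by its digit. A key pair must sign only once."""
    return [chain(s, d) for s, d in zip(sk, digits_of(msg, w))]


def verify(pk, msg: bytes, sig, w: int) -> bool:
    """Finish every chain from the signature element and compare with the public key."""
    d = digits_of(msg, w)
    if len(sig) != len(pk) or len(pk) != len(d):
        return False
    return all(chain(s, w - 1 - di) == p for s, di, p in zip(sig, d, pk))


def signature_bytes(w: int, msg_len: int = N) -> int:
    """Signature size: one N-byte element per chain."""
    _, l1, l2 = wots_params(w, msg_len)
    return (l1 + l2) * N


def worst_case_hashes_per_signing(w: int, msg_len: int = N) -> int:
    """Upper bound on hash evaluations while signing (every digit equal to w-1)."""
    _, l1, l2 = wots_params(w, msg_len)
    return (l1 + l2) * (w - 1)
```

With a 32-byte digest, w=4 gives 133 chain elements (a 4256-byte signature) and w=16 gives 67 elements (2144 bytes), the same counts XMSS uses; w=256 cuts this to 34 elements but multiplies the per-chain hash work by 17.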
5. What does IND-CCA2 security ensure in the context of Post-Quantum Key Encapsulation Mechanisms?
Correct answer: B. Indistinguishability under adaptive Chosen Ciphertext Attack; ensuring that an attacker who can dynamically request decryptions of chosen ciphertexts still cannot learn anything about the encapsulated key
IND-CCA2 is the gold standard for KEM security. The adversary is given a decryption oracle for any ciphertext except the challenge. If it still cannot distinguish the real key from a random one, the scheme is IND-CCA2 secure, the standard required by NIST FIPS 203.
6. What is the fundamental purpose of applying the Fujisaki-Okamoto (FO) transform to a PQC algorithm?
Correct answer: D. To generically upgrade a weakly secure public-key encryption scheme (IND-CPA) into a highly secure Key Encapsulation Mechanism (IND-CCA) by re-encrypting the payload during decapsulation to verify integrity
The FO transform adds a hash-based integrity check during decapsulation: the decrypted plaintext is re-encrypted and compared to the received ciphertext. On any mismatch, decapsulation outputs a pseudorandom key instead of an error, denying the attacker a usable failure oracle for CCA-style queries. This lifts IND-CPA to IND-CCA2 in the random oracle model.
7. What role does "Rejection Sampling" play in Lattice-based signature schemes like Dilithium?
Correct answer: C. A technique used during the signing process to ensure the output signature is statistically independent of the secret key, rejecting and regenerating the signature if it risks leaking partial secret information
Dilithium's signing algorithm generates a random nonce y and computes a candidate signature z = y + cs (where c is the challenge and s is the secret). If z's distribution would reveal information about s, the signature is rejected and signing restarts, which ensures the output distribution is independent of s.
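The independence claim can be checked exhaustively in one dimension. The following Python is an added illustration, not Dilithium's signing algorithm (which works on vectors of polynomials and also checks the low-order bits of the commitment); the tiny parameters GAMMA1 and BETA are constructed. It enumerates every nonce y for a given secret-dependent term c·s and counts which z values survive the bound check: the resulting histogram is flat and identical for every c·s, whereas without rejection the window of observed z values is shifted by exactly c·s.

```python
import random
from collections import Counter

# Added one-dimensional model of Dilithium-style rejection sampling.
# Constructed illustration with tiny parameters; not Dilithium itself.
# y is uniform in [-GAMMA1, GAMMA1]; |c*s| is assumed bounded by BETA.

GAMMA1 = 8
BETA = 3


def accepted_distribution(cs: int, gamma1: int = GAMMA1, beta: int = BETA) -> Counter:
    """Enumerate every nonce y and count the z = y + cs values that survive the
    rejection test |z| <= gamma1 - beta. The result does not depend on cs:
    every z inside the accepted window is reached by exactly one y."""
    if abs(cs) > beta:
        raise ValueError("|c*s| must be bounded by beta")
    counts = Counter()
    for y in range(-gamma1, gamma1 + 1):
        z = y + cs
        if abs(z) <= gamma1 - beta:
            counts[z] += 1
    return counts


def unrejected_range(cs: int, gamma1: int = GAMMA1):
    """Without rejection, z = y + cs is uniform on a window shifted by cs,
    so the edges of the observed z values leak cs to anyone collecting signatures."""
    return (-gamma1 + cs, gamma1 + cs)


def acceptance_probability(gamma1: int = GAMMA1, beta: int = BETA) -> float:
    """Fraction of nonces that pass the test: the reason signing may need restarts."""
    return (2 * (gamma1 - beta) + 1) / (2 * gamma1 + 1)


def sign_coefficient(cs: int, seed: int, gamma1: int = GAMMA1, beta: int = BETA):
    """Rejection-sample one coefficient z; return (z, number of attempts)."""
    rng = random.Random(seed)  # seeded only so the demonstration is repeatable
    attempts = 0
    while True:
        attempts += 1
        y = rng.randint(-gamma1, gamma1)
        z = y + cs
        if abs(z) <= gamma1 - beta:
            return z, attempts
```

In a real scheme the same argument is applied coefficient-wise to a vector z, and the acceptance probability is the product over all coefficients, which is why Dilithium's parameters are tuned so that signing needs only a few restarts on average.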
8. How does the McEliece cryptosystem utilize binary Goppa codes?
Correct answer: A. They serve as the hidden algebraic structure (the secret key) that allows the recipient to efficiently decode the intentionally added errors in the ciphertext
McEliece's private key is a binary Goppa code capable of correcting t errors. The public key is a scrambled generator matrix hiding this structure. Encryption adds exactly t errors; the recipient uses the efficient Goppa decoder (Patterson's algorithm) to correct them and recover the plaintext.
9. In the context of quantum cryptanalysis, what is "Quantum Resource Estimation"?
Correct answer: C. Determining the precise number of logical quantum gates (e.g., Toffoli gates) and quantum memory required for an algorithm to successfully break a specific cryptographic parameter set
Quantum resource estimation is critical for setting security levels. NIST's security levels (I–V) are defined by the quantum circuit complexity needed to break them. For example, Level 1 requires quantum resources exceeding those of an AES-128 exhaustive search, roughly 2^143 quantum operations including quantum memory overhead.
10. Within the SPHINCS+ algorithm, what is the role of the FORS (Forest of Random Subsets) structure?
Correct answer: D. A few-time signature scheme used as the innermost layer of the SPHINCS+ hypertree to sign the actual message digest, heavily relying on the collision resistance of the underlying hash
FORS is SPHINCS+'s few-time signature component. It signs the message's compressed index by revealing k secret values chosen from k binary trees of height a. FORS security relies on hash preimage resistance and is the performance-critical inner layer beneath the hypertree structure.
11. Which mathematical breakthrough allowed researchers to completely break the Supersingular Isogeny Diffie-Hellman (SIDH) protocol in 2022?
Correct answer: A. It utilized the "glue and split" theorem from abelian surfaces to map the SIDH isogeny graph into a solvable classical problem, breaking the scheme completely in polynomial time
Castryck and Decru's 2022 attack used the "glue-and-split" theorem (Kani's theorem) on products of elliptic curves (abelian surfaces). SIDH's fatal flaw was publishing auxiliary torsion point information, which enabled a classical polynomial-time recovery of the secret isogeny.
12. What is a "Lattice Trapdoor"?
Correct answer: B. A piece of secret structural information (the private key) that allows its holder to efficiently solve a complex lattice problem (like CVP) that appears practically unsolvable to anyone else
A lattice trapdoor is a short, well-structured basis (the private key) hidden behind a "bad" basis (the public key). The trapdoor holder can efficiently solve CVP (find the nearest lattice point); anyone else faces only hard problems. Used in Falcon (GPV framework) and Regev encryption.
13. When designing a Hybrid KEM, why is a Key Derivation Function (KDF) combiner considered vastly superior to simple concatenation?
Correct answer: B. A robust combiner passes both the classical and post-quantum shared secrets through a KDF to ensure the final derived key remains secure even if one of the underlying algorithms is catastrophically broken
Simple concatenation does not ensure security if one component is broken: an attacker who learns one component can isolate it and work on deriving the combined key. A KDF combiner (e.g., HKDF over both secrets) cryptographically mixes them, so the output remains pseudorandom even if one input is known to the adversary.
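The combiner described above, written out in Python as an added example (not code from the quiz, from any standard, or from any library): HKDF (RFC 5869) over HMAC-SHA256 is used as the KDF, both shared secrets are fed in as keying material, and both ciphertexts are bound into the info string so the derived key is tied to this particular exchange. The shared secrets and ciphertexts are constructed placeholder bytes; in a deployment they would come from an ECDH and an ML-KEM implementation. The label and info layout are assumptions made for the demonstration.

```python
import hashlib
import hmac

# Added example of a KDF combiner for a hybrid KEM. Constructed for
# illustration; not code from any standard or library. HKDF per RFC 5869.


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: OKM = T(1) || T(2) || ..., with T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def combine_secrets(ss_classical: bytes, ss_pq: bytes,
                    ct_classical: bytes, ct_pq: bytes,
                    label: bytes = b"hybrid-kem-demo", length: int = 32) -> bytes:
    """KDF combiner: both shared secrets enter HKDF-Extract as keying material,
    and both ciphertexts enter the info string so the key is bound to this
    exchange. As long as either secret is unknown to the adversary, the
    output is pseudorandom to them."""
    prk = hkdf_extract(salt=label, ikm=ss_classical + ss_pq)
    return hkdf_expand(prk, b"hybrid" + ct_classical + ct_pq, length)


def naive_concat_key(ss_classical: bytes, ss_pq: bytes) -> bytes:
    """The weak alternative the question warns about: raw concatenation used
    directly as the session key."""
    return ss_classical + ss_pq


def bytes_readable_with_one_secret(key: bytes, known_secret: bytes) -> int:
    """How many leading key bytes an adversary who knows one input secret can
    read off the key directly (non-zero only for the naive construction)."""
    return len(known_secret) if key.startswith(known_secret) else 0
```

The test below checks the HKDF primitives against RFC 5869 test case 1 and then contrasts the two constructions on constructed inputs: with raw concatenation, knowing the classical secret reveals the first 32 bytes of the key outright; with the combiner, nothing in the key is recognizable, and changing either secret or either ciphertext changes the whole output.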
14. In Stateful Hash-based Signatures (LMS/XMSS), what is the primary architectural purpose of a multi-tree (hypertree) structure?
Correct answer: B. To exponentially increase the total number of messages that can be signed with a single root public key by stacking multiple Merkle trees, overcoming the strict single-use limitation of the underlying WOTS+ leaves
A single Merkle tree of height h supports 2^h signatures. A hypertree stacks d layers, each of height h/d, where each layer's WOTS+ leaves authenticate the root of the next layer down; this supports 2^h total signatures without generating a massive single-layer tree up front.
15. What is a known Chosen Ciphertext Attack (CCA) anomaly specific to deterministic lattice-based algorithms?
Correct answer: C. If a decryption failure occurs in a poorly implemented lattice KEM, an attacker can intentionally craft invalid ciphertexts and analyze the failure responses to iteratively deduce the secret key
This is the "reaction attack" or "failure oracle attack". Without the FO transform's random output on failure, a deterministic lattice KEM leaks a binary signal (fail/succeed) per decapsulation query. An attacker crafts near-boundary ciphertexts to extract secret key bits one by one. The FO transform in FIPS 203 prevents this.
16. In Module-LWE schemes like ML-KEM, what is the critical function of the Number Theoretic Transform (NTT)?
Correct answer: D. It is an optimized, discrete version of the Fast Fourier Transform used to drastically accelerate the multiplication of large polynomials, which is the core performance bottleneck in lattice-based cryptography
Polynomial multiplication in Z_q[x]/(x^256+1) costs O(n²) naively. The NTT converts polynomials to the frequency domain, like the FFT, reducing multiplication to O(n log n) with pointwise products. This is why ML-KEM is fast despite large parameters: NTT operations dominate, at roughly 80% of the runtime.
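The mechanism in one runnable piece: a negacyclic NTT-based multiplication in Z_q[x]/(x^n+1), added here as an example and not taken from the quiz or from the ML-KEM specification. It uses the textbook parameters q = 7681, n = 256, chosen because q−1 is divisible by 2n so a primitive 2n-th root of unity ψ exists; ML-KEM's own NTT uses q = 3329 with a different (incomplete) layout. The trick shown is the "twist": multiplying coefficient i by ψ^i turns the negacyclic (mod x^n+1) product into an ordinary cyclic convolution that a standard radix-2 NTT with ω = ψ² can compute, and the schoolbook multiplication is kept alongside as the reference.

```python
import random

# Added example: negacyclic NTT multiplication in Z_q[x]/(x^n + 1).
# Constructed parameters q = 7681, n = 256 (q - 1 = 2^9 * 15, so 2n | q - 1).
# Not ML-KEM's NTT (q = 3329, incomplete layout); same idea, simpler form.

Q = 7681
N = 256


def find_psi(q: int, n: int) -> int:
    """Find a primitive 2n-th root of unity psi mod q, i.e. psi^n == -1 mod q."""
    for g in range(2, q):
        psi = pow(g, (q - 1) // (2 * n), q)
        if pow(psi, n, q) == q - 1:
            return psi
    raise ValueError("no primitive 2n-th root of unity for these parameters")


def ntt_cyclic(a, w, q):
    """Recursive radix-2 Cooley-Tukey NTT; w is a primitive len(a)-th root of unity.
    Each butterfly computes (even + w^k * odd, even - w^k * odd) mod q."""
    n = len(a)
    if n == 1:
        return list(a)
    even = ntt_cyclic(a[0::2], w * w % q, q)
    odd = ntt_cyclic(a[1::2], w * w % q, q)
    out = [0] * n
    wk = 1
    for k in range(n // 2):
        t = wk * odd[k] % q
        out[k] = (even[k] + t) % q
        out[k + n // 2] = (even[k] - t) % q
        wk = wk * w % q
    return out


def poly_mul_ntt(a, b, q=Q, n=N):
    """a * b mod (x^n + 1, q) via twist -> cyclic NTT -> pointwise -> inverse -> untwist."""
    psi = find_psi(q, n)
    w = psi * psi % q                      # primitive n-th root for the cyclic NTT
    ta = [a[i] * pow(psi, i, q) % q for i in range(n)]
    tb = [b[i] * pow(psi, i, q) % q for i in range(n)]
    fa, fb = ntt_cyclic(ta, w, q), ntt_cyclic(tb, w, q)
    fc = [x * y % q for x, y in zip(fa, fb)]   # O(n) pointwise products
    tc = ntt_cyclic(fc, pow(w, -1, q), q)      # inverse NTT (scale by 1/n below)
    n_inv = pow(n, -1, q)
    psi_inv = pow(psi, -1, q)
    return [tc[i] * n_inv * pow(psi_inv, i, q) % q for i in range(n)]


def poly_mul_schoolbook(a, b, q=Q, n=N):
    """Reference O(n^2) product with the x^n = -1 wrap-around."""
    out = [0] * n
    for i in range(n):
        for j in range(n):
            k = i + j
            if k < n:
                out[k] = (out[k] + a[i] * b[j]) % q
            else:
                out[k - n] = (out[k - n] - a[i] * b[j]) % q
    return out


def random_poly(seed: int, q=Q, n=N):
    """Constructed test input: a pseudorandom polynomial with coefficients in Z_q."""
    rng = random.Random(seed)
    return [rng.randrange(q) for _ in range(n)]
```

The constant-time concern from question 1 of this section is visible here too: a production NTT is written as a fixed sequence of butterflies with no data-dependent branches or table lookups indexed by secret coefficients, whereas this illustrative version prioritises readability.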
17. What does the Syndrome Decoding Problem ask an attacker to solve in Code-based cryptography?
Correct answer: A. Given a parity-check matrix and a syndrome, finding the minimum-weight error vector that corresponds to that syndrome, a proven NP-hard problem
The Syndrome Decoding Problem: given a parity-check matrix H and a syndrome s = He^T, find the minimum Hamming weight vector e. For random H, this is NP-hard. McEliece's trapdoor is the hidden Goppa structure that makes decoding feasible only for the key holder.
18. What is the Unbalanced Oil and Vinegar (UOV) scheme?
Correct answer: C. A prominent multivariate digital signature scheme where the variables are partitioned into "Oil" and "Vinegar" sets to ensure the central map can be easily inverted by the legitimate key holder
UOV partitions variables into "Oil" (o variables) and "Vinegar" (v variables, v > o). The signer assigns random values to the vinegar variables, making the remaining oil subsystem linear and easily invertible. The public key is an obfuscated composition hiding this oil-vinegar structure. UOV underlies MAYO and HuFu.
19. What is the Decapsulation Failure Rate (DFR) in Lattice KEMs?
Correct answer: B. A highly marginal, non-zero probability inherent to certain lattice algorithms where a legitimately encapsulated key cannot be successfully decapsulated by the correct private key due to overlapping noise distributions
In LWE-based KEMs, encapsulation adds noise; decapsulation removes it by rounding. Occasionally the accumulated noise exceeds the rounding boundary, causing the decapsulated key to differ from the encapsulated one. ML-KEM's DFR is below 2^-139, negligible in practice but non-zero by design.
20. In advanced cryptographic proofs, what is the Bounded Quantum Storage Model (BQSM)?
Correct answer: D. Theoretical assumptions in security proofs that an adversary has limited physical quantum memory (QRAM) available, heavily influencing the practical security estimates of schemes against future quantum attacks
The BQSM assumes adversaries have a bounded amount of quantum random-access memory (QRAM). Under this model, some classical protocols can be proven secure even against computationally unbounded quantum adversaries. It critically influences security parameter selection by bounding the quantum resources available to an attacker.
Key Takeaways — Post-Quantum Cryptography
- Quantum Threat is Real: Shor's algorithm breaks RSA/ECC in polynomial time on large quantum computers (10-30 years away).
- Harvest Now, Decrypt Later: Attackers record encrypted data today; decrypt retroactively when quantum computers exist. For 20+ year sensitive data, migrate now.
- NIST Standardization 2022: Kyber (encryption), Dilithium (signatures), SPHINCS+ (hash-based), SLH-DSA selected. Adoption ongoing; full standardization still in progress.
- Lattice-Based Algorithms Best: Kyber/Dilithium offer good performance, reasonable key sizes, security confidence. Hash-based algorithms (SPHINCS) stateless but large signatures.
- Hybrid Approach During Transition: Use classical (RSA/ECC) + PQC simultaneously. Provides defense-in-depth; allows gradual migration; reduces risk of new PQC weaknesses.
- Crypto-Agility Essential: Organizations must design systems to switch algorithms quickly without massive re-engineering. NIST and industry pushing crypto-agility standards.
- Migration is Complex: Requires updating TLS stacks, hardware, testing, vendor coordination. Start planning now; 5-10 year transition timeline likely.
Quick Review & Summary
Use this summary table to consolidate key concepts before or after attempting the questions above.
| PQC Category | Example Algorithm | Advantages / Disadvantages |
|---|---|---|
| Lattice-Based | Kyber (enc), Dilithium (sig) | Fast, reasonable keys, NIST selected, limited deployment yet |
| Hash-Based | SPHINCS+, SLH-DSA | Proven secure, stateless, large signatures (10-40KB) |
| Code-Based | Classic McEliece | Proven secure since 1978, very large keys (1MB+) |
| Multivariate | Rainbow | Compact signatures, vulnerability to algebraic attacks found |
| Isogeny-Based | CSIDH, SIKE | Compact, theoretical interest, slow, not NIST selected |
Frequently Asked Questions
Q. Why does quantum computing threaten current encryption?
Q. What is Post-Quantum Cryptography (PQC)?
Q. Which algorithms did NIST standardize for post-quantum cryptography?
Q. What is the Harvest Now, Decrypt Later (HNDL) threat?
Q. What is crypto agility and why is it important for PQC?
Q. How does lattice-based cryptography provide quantum resistance?
Q. When should organizations begin their post-quantum migration?
Conclusion: Quantum-Ready Cryptography Today
Post-quantum cryptography addresses the existential threat quantum computers pose to RSA and ECC. These 60 MCQs span quantum computing fundamentals, PQC algorithm categories (lattice, hash, code-based), NIST standardization progress, and migration strategies.
The best way to ensure retention is combining MCQ practice + theory review + interview preparation. Use these questions in Study Mode to learn concepts immediately, then test yourself in Exam Mode for certification and interview readiness.
After completing this MCQ set, explore our post-quantum cryptography interview questions for deeper technical discussions, and review the full theory notes for detailed explanations of each concept covered here.