
The Post-Quantum Cryptography Cheat Sheet Every Security Pro Needs Before 2027

A practical post-quantum cryptography cheat sheet for security pros. Covers NIST FIPS 203/204/205, CNSA 2.0 deadlines, and the exam topics you must know before 2027.

CertCrush Team

18 May 2026

Why Every Security Pro Needs This Cheat Sheet

Post-quantum cryptography is no longer a future problem. It is a 2026 compliance reality. The NSA's Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) requires all new National Security System acquisitions to be quantum-resistant from 1 January 2027. NIST has already finalised the first three post-quantum cryptography standards. Cloudflare and Google have rolled hybrid PQC into production traffic, and certification bodies have added post-quantum cryptography questions to the CISSP 2026 exam outline.

If you are studying for CISSP, Security+, CySA+, or any cybersecurity certification, you need to know this material cold. This post-quantum cryptography cheat sheet covers the algorithms, the deadlines, the threat model, the deployment patterns, and the exam-relevant facts every security professional needs before 2027. Read it once, bookmark it, and use it as a quick reference.

The Quantum Threat in 60 Seconds

A cryptographically relevant quantum computer (CRQC) will be able to break RSA, ECC, and Diffie-Hellman key exchange using Shor's algorithm. Symmetric encryption like AES-256 and hash functions like SHA-384 remain largely secure, because Grover's algorithm only halves their effective strength in bits.

Exam Tip: Shor's algorithm breaks asymmetric algorithms (RSA, ECC, DH). Grover's algorithm halves the effective bit strength of symmetric algorithms: AES-128 effectively becomes 64-bit strength, and AES-256 effectively becomes 128-bit strength. This is why CNSA 2.0 mandates AES-256, not AES-128.

Q-Day Estimates

Q-Day is the day a CRQC exists. Estimates have moved closer in 2026:

  • Google's view: as early as 2030
  • General industry consensus: 2030 to 2035
  • NSM-10 deadline: full quantum resistance across National Security Systems by 2035

Recent research between May 2025 and March 2026 reduced the estimated qubit count needed to break RSA-2048 from 20 million qubits to potentially as low as 100,000 qubits using newer architectures. The timeline is compressing.

Why You Cannot Wait

The "harvest now, decrypt later" (HNDL) attack model means adversaries are already collecting encrypted traffic in 2026 to decrypt once Q-Day arrives. Any data with a confidentiality lifetime longer than 5 to 10 years is already at risk. Cryptographic migrations historically take 10 to 20 years. The maths is not on your side.

The Three NIST Post-Quantum Cryptography Standards

On 13 August 2024, NIST published the first three finalised post-quantum cryptography standards as Federal Information Processing Standards (FIPS). Every security professional must know these by name, by purpose, and by their pre-standardisation aliases.

| Standard | Algorithm Name | Former Name | Purpose | Mathematical Basis |
|---|---|---|---|---|
| FIPS 203 | ML-KEM | CRYSTALS-Kyber | Key encapsulation | Module-Lattice (MLWE) |
| FIPS 204 | ML-DSA | CRYSTALS-Dilithium | Digital signatures | Module-Lattice (MLWE) |
| FIPS 205 | SLH-DSA | SPHINCS+ | Digital signatures (backup) | Stateless hash-based |

FIPS 203: ML-KEM

ML-KEM stands for Module-Lattice-Based Key-Encapsulation Mechanism. It replaces RSA and ECDH for key establishment. ML-KEM comes in three parameter sets: ML-KEM-512, ML-KEM-768, and ML-KEM-1024, in increasing order of security and decreasing performance.

FIPS 204: ML-DSA

ML-DSA stands for Module-Lattice-Based Digital Signature Algorithm. It is NIST's primary digital signature recommendation, replacing RSA signatures and ECDSA. Parameter sets include ML-DSA-44, ML-DSA-65, and ML-DSA-87.

FIPS 205: SLH-DSA

SLH-DSA stands for Stateless Hash-Based Digital Signature Algorithm. It is the conservative backup signature scheme based purely on hash functions, with no known structural vulnerabilities. Performance is significantly slower than ML-DSA, but it is the recommended choice when long-term cryptographic conservatism matters more than speed.

Exam Tip: Remember the alias mapping. CISSP and Security+ may use either the old names (Kyber, Dilithium, SPHINCS+) or the new FIPS names (ML-KEM, ML-DSA, SLH-DSA). Know both.

CNSA 2.0 Approved Algorithms and Deadlines

The NSA's CNSA 2.0 suite specifies the exact algorithms and parameter sets required for US National Security Systems. These are the strictest mandated post-quantum cryptography requirements in the world, and they drive defence contractor compliance.

| Function | Approved Algorithm | Notes |
|---|---|---|
| Key establishment | ML-KEM-1024 | FIPS 203 |
| Digital signatures | ML-DSA-87 | FIPS 204 |
| Symmetric encryption | AES-256 | Quantum-resistant at 128-bit effective strength |
| Hashing | SHA-384 or SHA-512 | Resistant to Grover's algorithm |

The CNSA 2.0 Migration Timeline

| Year | Requirement |
|---|---|
| 1 January 2027 | All new NSS acquisitions must be CNSA 2.0 compliant |
| 2030 | Legacy networking equipment must complete transition to CNSA 2.0 |
| 2031 | CNSA 2.0 becomes mandatory across covered categories |
| 2033 | Operating systems, custom applications, and cloud services must reach exclusive CNSA 2.0 use |
| 2035 | Full quantum resistance required across all National Security Systems (NSM-10) |

Exam Tip: The 1 January 2027 deadline is the most likely exam fact. CISSP and CySA+ questions favour specific dates and the algorithms each deadline applies to. Memorise the year-to-requirement mapping.

Quantum-Vulnerable Algorithms You Must Retire

Use this list to identify what needs to be replaced. If your environment uses any of these for long-lived data or new deployments after 2026, you have a migration project.

Asymmetric Algorithms (Broken by Shor's Algorithm)

  • RSA (all key sizes, including RSA-2048 and RSA-4096)
  • ECC / ECDSA (all curves, including P-256, P-384, and P-521)
  • ECDH (elliptic curve Diffie-Hellman)
  • DH (classical Diffie-Hellman)
  • DSA (Digital Signature Algorithm)
  • ElGamal

Symmetric Algorithms Weakened by Grover's Algorithm

  • AES-128 (effective strength reduced to 64 bits, no longer adequate)
  • 3DES (already deprecated for other reasons)
  • SHA-256 (effective collision resistance reduced; use SHA-384 or higher for new systems)

Algorithms That Remain Safe

  • AES-256 (effective strength remains 128 bits, considered quantum-safe)
  • SHA-384 and SHA-512 (collision resistance remains adequate)
  • HMAC with SHA-384 or SHA-512
  • All three NIST PQC standards: ML-KEM, ML-DSA, SLH-DSA

Hybrid PQC: How Production Deployment Actually Works

Few organisations are migrating to pure post-quantum algorithms today. The dominant pattern is hybrid cryptography, where a classical algorithm (typically X25519 ECDH) and a post-quantum algorithm (ML-KEM-768) are combined in a single key exchange. As long as either algorithm holds, the connection is secure.

Hybrid TLS in the Wild

  • Cloudflare: Hybrid X25519+ML-KEM768 is enabled by default on TLS 1.3 connections to Cloudflare. Over one-third of human-generated traffic to Cloudflare now uses hybrid PQC.
  • Google Chrome: Hybrid ML-KEM enabled by default since late 2024. Edge and Firefox followed.
  • OpenSSL 3.4+: Native integration of ML-KEM and ML-DSA.
  • As of April 2026: an estimated 5-10% of all TLS connections globally use hybrid PQC.

Why Hybrid Matters for Exams

CISSP and CySA+ questions on PQC frequently test the rationale for hybrid deployment. The two reasons are:

  1. Defence in depth: if a flaw is found in the new post-quantum algorithm, the classical algorithm still protects the session
  2. Compatibility: hybrid allows gradual rollout without breaking older clients

Exam Tip: The exam-relevant TLS cipher name to remember is X25519MLKEM768 (sometimes written X25519+ML-KEM-768). This is the dominant hybrid PQC cipher in 2026 production traffic.

The PQC Migration Plan: 7 Steps

Whether you are working on a real migration or answering scenario-based exam questions, the steps are the same.

1. Cryptographic Inventory

Identify every place your organisation uses asymmetric cryptography: TLS endpoints, VPNs, code signing, document signing, PKI, SSH, S/MIME, IPsec, and embedded systems. You cannot migrate what you have not catalogued.

2. Risk Prioritisation

Classify each cryptographic use by data confidentiality lifetime. Data that must remain confidential beyond 2030 (medical records, classified information, intellectual property, long-term financial records) is the highest priority for HNDL protection.

3. Algorithm Selection

Choose target algorithms based on use case:

  • Key establishment: ML-KEM-768 (commercial) or ML-KEM-1024 (CNSA 2.0)
  • Signatures: ML-DSA-65 (commercial) or ML-DSA-87 (CNSA 2.0)
  • Conservative signatures (firmware, root CAs): SLH-DSA

4. Vendor Engagement

Most cryptography is consumed via vendors: TLS libraries, HSMs, PKI software, browsers, and operating systems. Request PQC roadmaps from every vendor. If a vendor cannot commit to PQC support by 2027-2028, identify alternatives.

5. Hybrid Deployment First

Roll out hybrid PQC (classical + post-quantum) before going PQC-only. This is what Cloudflare, Google, and major OS vendors are doing. Hybrid mode buys you defence in depth while the new algorithms mature.

6. Crypto Agility

Build systems that can swap algorithms without major refactoring. ML-KEM today may not be the final answer in 2030. Crypto agility is a stated CNSA 2.0 design principle.

7. Test, Monitor, and Decommission

Test every PQC implementation against interop suites. Monitor for downgrade attacks. Decommission classical-only endpoints once hybrid is proven stable in production.
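
Steps 1 and 7 both depend on seeing which key exchange groups clients actually offer. The following Python example is added here and is not code from the original post: it parses the supported_groups extension of one complete, unfragmented TLS ClientHello record and flags whether a hybrid group such as X25519MLKEM768 is offered or the hello is classical-only. The codepoints come from the IANA TLS Supported Groups registry (they are not given on the page), and the function names and sample hello are constructed for illustration.

```python
# Codepoints from the IANA TLS Supported Groups registry (not listed on the page).
HYBRID_PQC = {0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
              0x11ED: "SecP384r1MLKEM1024"}
CLASSICAL = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519"}  # subset

def read_vec(buf, off, len_bytes):
    """Read a length-prefixed vector at off; return (body, next_offset)."""
    n = int.from_bytes(buf[off:off + len_bytes], "big")
    end = off + len_bytes + n
    if end > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[off + len_bytes:end], end

def offered_groups(record):
    """Return the supported_groups codepoints from one raw ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body, _ = read_vec(record, 6, 3)        # handshake body after the type byte
    off = 2 + 32                            # skip legacy_version and random
    for len_bytes in (1, 2, 1):             # session_id, cipher_suites, compression
        _, off = read_vec(body, off, len_bytes)
    exts = read_vec(body, off, 2)[0] if off < len(body) else b""  # may be absent
    off = 0
    while off + 4 <= len(exts):
        ext_type = int.from_bytes(exts[off:off + 2], "big")
        data, off = read_vec(exts, off + 2, 2)
        if ext_type == 10:                  # supported_groups
            groups, _ = read_vec(data, 0, 2)
            return [int.from_bytes(groups[i:i + 2], "big")
                    for i in range(0, len(groups) - 1, 2)]
    return []

def classify(record):
    """Flag hellos that offer a hybrid group and those that are classical-only."""
    groups = offered_groups(record)
    hybrid = [HYBRID_PQC[g] for g in groups if g in HYBRID_PQC]
    classical = [CLASSICAL[g] for g in groups if g in CLASSICAL]
    return {"hybrid": hybrid, "classical_only": bool(classical) and not hybrid}

def build_sample_hello(groups):
    """Constructed minimal ClientHello record for the demo, not captured traffic."""
    glist = b"".join(g.to_bytes(2, "big") for g in groups)
    exts = bytes.fromhex("002b0003020304")  # supported_versions: TLS 1.3
    exts += b"\x00\x0a" + (len(glist) + 2).to_bytes(2, "big")
    exts += len(glist).to_bytes(2, "big") + glist
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + len(exts).to_bytes(2, "big") + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs
```

A real hybrid ClientHello carries an ML-KEM-768 key share of more than 1 KB and often spans several TCP segments, so reassemble the full record before passing it to `classify`.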

Quick Reference: PQC for Each Major Certification

| Certification | PQC Domain Coverage | Likely Question Types |
|---|---|---|
| CISSP | Security Architecture and Engineering (Domain 3) | Algorithm purpose, FIPS standards, migration strategy |
| CompTIA Security+ SY0-701 | General Security Concepts, Security Architecture | Quantum threat basics, algorithm names |
| CompTIA CySA+ CS0-003 | Security Operations | Cryptographic vulnerability identification |
| CompTIA SecAI+ CY0-001 | Securing AI Systems | Cryptographic controls for AI data |
| ITIL 5 Foundation | Limited, contextual | Service management implications of cryptographic change |

For deeper exam-specific prep, see our guides on how to pass CompTIA Security+ on your first attempt and the best IT certifications for 2026.

The 10 Facts You Must Memorise for Exam Day

If you only remember ten things from this post-quantum cryptography cheat sheet, make it these:

  1. FIPS 203 = ML-KEM (key encapsulation, formerly Kyber)
  2. FIPS 204 = ML-DSA (signatures, formerly Dilithium)
  3. FIPS 205 = SLH-DSA (hash-based signatures, formerly SPHINCS+)
  4. Shor's algorithm breaks RSA, ECC, and DH
  5. Grover's algorithm halves symmetric strength (AES-128 becomes 64-bit effective)
  6. CNSA 2.0 deadline: 1 January 2027 for new NSS acquisitions
  7. NSM-10 deadline: full quantum resistance by 2035
  8. CNSA 2.0 key establishment: ML-KEM-1024
  9. CNSA 2.0 signatures: ML-DSA-87
  10. Dominant production hybrid cipher: X25519+ML-KEM-768

Exam Tip: When in doubt on a PQC exam question, the answer that mentions "hybrid" or "crypto agility" is usually correct. Both reflect current industry best practice and are favoured by exam writers.

Common Misconceptions to Avoid

These trip up candidates and real-world practitioners alike:

  • "AES is broken by quantum computers." False. AES is weakened but not broken. AES-256 remains quantum-safe.
  • "PQC is a future problem." False. CNSA 2.0 requires compliance from 1 January 2027. HNDL means today's encrypted data is already at risk.
  • "Quantum Key Distribution (QKD) is the same as PQC." False. QKD uses quantum physics for key exchange and requires special hardware. PQC uses classical algorithms designed to resist quantum attack, runs on existing hardware, and is the NIST and NSA recommended path.
  • "We will know when Q-Day arrives." False. Nation-state adversaries may achieve a CRQC quietly and use it for years before public disclosure.
  • "Hybrid PQC is a workaround." False. Hybrid is the recommended deployment pattern from Cloudflare, Google, and the IETF for the 2025-2030 transition window.

Ready to Start Practising?

Post-quantum cryptography is the fastest-moving topic on the 2026 certification exam landscape. CISSP added it to the 2026 outline. Security+ touches on it within Security Architecture. CySA+ tests cryptographic vulnerability identification. CNSA 2.0 makes it a compliance requirement from 1 January 2027.

The candidates who pass these exams are the ones who practise with realistic, scenario-based questions that mirror how PQC will actually be tested. Knowing the algorithms is necessary but not sufficient. You need to apply them to migration scenarios, vendor risk decisions, and architecture trade-offs.

CertCrush offers practice exams for CISSP, Security+, CySA+, SecAI+, and more, with PQC scenarios built into the current exam objectives. Every question includes a detailed explanation covering the reasoning, the algorithm choice, and the migration implications.

Create your free account and start mastering post-quantum cryptography before the 2027 deadline arrives.
