RFC 9958 - Post-Quantum Cryptography for Engineers
Stream: Internet Engineering Task Force (IETF)
RFC: 9958
Category: Informational
Published: June 2026
ISSN: 2070-1721
Authors:
A. Banerjee (Nokia)
T. Reddy.K (Nokia)
D. Schoinianakis (Nokia)
T. Hollebeek (DigiCert)
M. Ounsworth (Entrust)
Abstract
The advent of a cryptographically relevant quantum computer (CRQC) would render state-of-the-art, traditional public key algorithms deployed today obsolete, as the mathematical assumptions underpinning their security would no longer hold. To address this, protocols and infrastructure must transition to post-quantum algorithms, which are designed to resist both traditional and quantum attacks. This document explains why engineers need to be aware of and understand post-quantum cryptography (PQC), and it details the impact of CRQCs on existing systems and the challenges involved in transitioning to post-quantum algorithms. Unlike previous cryptographic updates, this shift may require significant protocol redesign due to the unique properties of post-quantum algorithms.
Status of This Memo
This document is not an Internet Standards Track specification; it is published for informational purposes.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are candidates for any level of Internet Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9958.
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
1. Introduction
Quantum computing is no longer just a theoretical concept in computational science and physics; it is now an active area of research with practical implications. Considerable research efforts and enormous corporate and government funding for the development of practical quantum computing systems are currently being invested. At the time this document is published, cryptographically relevant quantum computers (CRQCs) that can break widely used asymmetric algorithms (also known as public key algorithms) are not yet available. However, there is ongoing research and development in the field of quantum computing, with the goal of building more powerful and scalable quantum computers.
One common myth is that quantum computers are faster than conventional CPUs and GPUs in all areas. This is not the case; much as GPUs outperform general-purpose CPUs only on specific types of problems, quantum computers also have a niche set of problems on which they excel. Unfortunately for cryptographers, integer factorization and discrete logarithms, the mathematical problems underpinning much of classical public key cryptography, happen to fall within the niche in which quantum computers are expected to excel. As quantum technology advances, there is the potential for future quantum computers to have a significant impact on current cryptographic systems. Predicting the date of emergence of a CRQC is a challenging task, and there is ongoing uncertainty regarding when they will become practically feasible [CRQCThreat].
Extensive research has produced several post-quantum cryptographic algorithms that offer the potential to ensure cryptography's survival in the quantum computing era. However, transitioning to a post-quantum infrastructure is not a straightforward task, and there are numerous challenges to overcome. It requires a combination of engineering efforts, proactive assessment and evaluation of available technologies, and a careful approach to product development and deployment.
PQC is sometimes referred to as "quantum-proof", "quantum-safe", or "quantum-resistant". It is the development of cryptographic algorithms designed to secure communication and data in a world where quantum computers are powerful enough to break traditional cryptographic systems, such as RSA (Rivest-Shamir-Adleman) and ECC (Elliptic Curve Cryptography). PQC algorithms are intended to be resistant to attacks by...