⚛ Research Frontier

Post-Quantum Payment Channel Networks

What quantum computers break, why it matters for Lightning Network, and how PCN can be made quantum-resistant.

~10–20yr
CRQC estimate
4,000×
Size cost (signatures)
4 NIST
PQ standards (2024)
Harvest Now
Immediate threat
Classical bit
0
Deterministic
0 or 1
Qubit
q
α|0⟩ + β|1⟩
Superposition until
measured
N qubits = 2N states
50 qubits = 250 ≈ 1015 states simultaneously
Quantum algorithms exploit this
for massive parallelism
1
The Quantum Threat — What's at Risk?
Shor's Algorithm (1994)

Problem: Given N = p×q, find the prime factors p and q.

Speedup achieved:

Classical
Exponential
Quantum
O((log N)³)

This is an exponential speedup — Shor's turns hard problems into easy ones.

Why it matters: Elliptic curve discrete log (ECDLP) is also polynomial-time on a quantum computer.

❌ RSA ❌ ECDSA ❌ Schnorr ❌ ECDH ❌ DH
Grover's Algorithm (1996)

Problem: Find x such that f(x) = target in an unstructured search space of size N.

Speedup achieved:

Classical
O(N)
Quantum
O(√N)

Only a quadratic speedup — not exponential. Halves security level in bits.

Fix: Double the hash output size. SHA-256 → 256-bit output still gives 128-bit quantum security.

🔶 SHA-256 weakened 🔶 SHA-3 weakened ✅ Symmetric keys OK

Lightning Network Cryptography — Quantum Impact

Click any row for a detailed explanation of what breaks and why.

Component Cryptography Shor's Threat Grover's Threat Action
Node identity keys secp256k1 ECDSA ❌ BROKEN ✅ N/A Replace key scheme
ECDSA on secp256k1: Node keys sign channel announcements and gossip messages. Shor's algorithm can compute the private key from the public key in polynomial time. An adversary with a CRQC could impersonate any LN node, forge routing messages, and drain channels. This is the most fundamental break — the entire identity layer collapses.
Schnorr signatures secp256k1 Schnorr ❌ BROKEN ✅ N/A Replace with PQ sig
Taproot / MuSig2: Schnorr signatures (BIP-340) are used in Taproot channels. They rely on the same ECDLP hardness as ECDSA. Shor's algorithm directly extracts the private key. Schnorr also underlies MuSig2 (used in 2-of-2 channel funding) and adaptor signatures for PTLCs — the entire Taproot channel model breaks.
HTLC hash lock SHA-256 ✅ Safe 🔶 Weakened Monitor / upgrade
SHA-256 in HTLCs: The hash lock H(r) only needs preimage resistance. Grover's algorithm reduces SHA-256's effective security from 256-bit to 128-bit. For practical payment security, 128-bit is still far beyond brute force. However, if SHA-256 were replaced with a 128-bit output hash (bad practice), it would drop to 64-bit quantum security — definitely insecure. Current 256-bit output is adequate.
HTLC preimage SHA-256 ✅ Safe 🔶 Weakened 128-bit quantum security
Payment preimage r: Random 256-bit preimage r satisfying SHA-256(r) = H. Finding r by brute force classically requires 2^256 operations. Grover's reduces this to 2^128 quantum operations — still computationally infeasible. The 32-byte preimage space is large enough. No immediate action required, but long-term if SHA-256 is deprecated, HTLCs must be renegotiated.
Adaptor signatures / PTLCs Schnorr (secp256k1) ❌ BROKEN ✅ N/A PQ adaptor sigs needed
Adaptor signatures for PTLCs: An adaptor signature σ̃ on a statement T allows completing it to a valid signature σ only by learning the discrete log t of T. This linear structure (σ = σ̃ + t) is unique to Schnorr over elliptic curves. If Shor's breaks ECDLP, an adversary can compute t from T directly, instantly redeeming all PTLC-locked funds without cooperation. The Erwig et al. (FC 2021) construction aims to fix this — see Section 4.
Onion routing (Sphinx) ECDH + ChaCha20 ❌ BROKEN (ECDH) ✅ ChaCha20 OK Replace ECDH layer
Sphinx packet construction: Each hop derives a shared secret via ECDH(node_pubkey, ephemeral_privkey). Shor's algorithm can recover the ephemeral private key from the ephemeral public key (recorded in the onion packet), allowing decryption of all hops in the packet. Once the private key is known, all layered encryption collapses. ChaCha20 (symmetric cipher) and HMAC-SHA256 remain safe — only the ECDH key agreement needs replacement, e.g., with ML-KEM (Kyber).
Channel funding (2-of-2) P2WSH multisig → Taproot ❌ BROKEN ✅ N/A Requires L1 PQ fork
Channel funding transaction: A 2-of-2 multisig output (either P2WSH or Taproot) uses ECDSA/Schnorr keys. A quantum adversary can compute either party's private key, construct a valid unilateral close transaction, and steal all channel funds. This is an on-chain problem: fixing it requires Bitcoin consensus changes to support post-quantum public key formats (larger keys, larger signatures, higher fees).
Peer encryption (BOLT #8 Noise) ECDH + ChaCha20-Poly1305 ❌ BROKEN (ECDH) ✅ ChaCha20 OK PQ Noise hybrid needed
BOLT #8 Noise_XK handshake: The Lightning peer transport layer uses a Noise protocol framework variant with ECDH for key agreement and ChaCha20-Poly1305 for authenticated encryption. The ECDH step is vulnerable to Shor's. A recorded handshake can be decrypted retrospectively when a CRQC becomes available — the "harvest now, decrypt later" attack. The symmetric encryption layer (ChaCha20-Poly1305) is quantum-safe. Solution: hybrid Noise_XK with ML-KEM alongside classical ECDH.
2
Timeline — When Is the Threat Real?
Threat level
Negligible
2019 Google Sycamore — quantum supremacy for a specific task 53 qubits
2021 IBM Eagle — largest superconducting processor 127 qubits
2022 IBM Osprey — pushing noise boundaries 433 qubits
2023 IBM Condor — first 1,000+ qubit processor 1,121 qubits
2024 IBM Flamingo — modular scaling ~1,400 qubits
2025 NIST PQ standards finalized — industry migration begins ~2,000 noisy
2027 IBM targets 100,000 logical qubits from error correction ~10k phys.
2030 Estimated inflection: error-corrected logical qubits viable ~100k phys.
2034 Possible CRQC range begins — 4,000 logical qubits for 256-bit ECC ~20M phys.*
2040 Pessimistic CRQC deadline — all classical asymmetric crypto at risk ?? qubits

*Breaking 256-bit ECC requires ~4,000 error-corrected logical qubits. With current error rates (~1%), each logical qubit needs ~1,000–5,000 physical qubits → ~20 million physical qubits total. Current best: ~1,400 noisy physical qubits. Gap is ~4 orders of magnitude in quality. Estimates vary widely — 10–20 years is the expert consensus range.

☠ "Harvest Now, Decrypt Later" — The Immediate Threat

Even today, a well-resourced adversary can record all encrypted Lightning Network traffic — peer handshakes, onion packets, channel announcements. When a cryptographically relevant quantum computer (CRQC) eventually exists, they decrypt everything retroactively. Historical payment flows, channel partner identities, and routing patterns are exposed. This threat applies to today's LN traffic, not just future traffic. Cryptographic agility (ability to upgrade protocols) matters now, not after CRQCs exist.

3
NIST Post-Quantum Standards (Finalized 2024)
ML-KEM
Module-Lattice Key Encapsulation (Kyber)
Type: Lattice-based (Module-LWE problem)
Use:Key exchange (replaces ECDH)
Pub key:~800 bytes (vs 32 ECDH)
Ciphertext:~768 bytes
Security:Learning With Errors (LWE)
LN use:Replace ECDH in Sphinx + BOLT #8
ML-DSA
Module-Lattice Digital Signature (Dilithium)
Type: Lattice-based (Module-LWE/SIS)
Use:Signatures (replaces ECDSA/Schnorr)
Pub key:1,312 bytes (vs 33 ECDSA)
Sig size:2,420 bytes (vs 64 Schnorr)
Speed:Fast sign + verify
LN use:Node keys, channel sigs, gossip
SLH-DSA
Stateless Hash-Based Signature (SPHINCS+)
Type: Hash-based (Merkle trees)
Use:Signatures (very conservative)
Pub key:64 bytes (tiny!)
Sig size:~8,080 bytes (large)
Security:Only hash function security
LN use:Fallback / conservative choice
FN-DSA
Falcon (NTRU Lattice Signature)
Type: Lattice (NTRU problem)
Use:Compact signatures
Pub key:897 bytes
Sig size:666 bytes (best ratio)
Complexity:Hard to implement safely
LN use:Candidate for compact sigs
Public Key Size Comparison (bytes, log-scaled visualization)
ECDSA (secp256k1)
33
33 B
ML-KEM (Kyber-768)
800
800 B
ML-DSA (Dilithium3)
1312
1,312 B
FN-DSA (Falcon-512)
897
897 B
SLH-DSA (SPHINCS+)
64
64 B
Signature Size Comparison (bytes)
Schnorr (BIP-340)
64
64 B
FN-DSA (Falcon-512)
666
666 B
ML-DSA (Dilithium3)
2420
2,420 B
SLH-DSA (SPHINCS+-SHA256-256)
8080
8,080 B

Why size matters for Lightning

Bitcoin transactions have weight limits. Larger PQ keys and signatures directly increase transaction fees for channel open/close operations. A Dilithium signature (2,420 bytes) is 37× larger than Schnorr (64 bytes). With current Bitcoin fee markets, this could make channel operations significantly more expensive. Falcon-512 (666 bytes) is the most practical candidate — still 10× Schnorr, but much better than Dilithium.

4
Paper Deep Dive — Post-Quantum Adaptor Signatures (Erwig et al., FC 2021)
FC 2021
"Two-Party Adaptor Signatures From Identification Schemes"
Andreas Erwig, Sebastian Faust, Kristina Hostáková, Monosij Maitra, Siavash Riahi
Financial Cryptography and Data Security 2021

Core contribution: A generic construction of post-quantum adaptor signatures from any identification scheme (Sigma protocol), instantiated with lattice-based schemes to yield quantum-resistant adaptor signatures — the key primitive for PTLC-based PCN.

Why Adaptor Signatures Are Critical for PCN

PTLCs (Point Time-Lock Contracts) replace HTLCs in modern Lightning Network design. They rely on adaptor signatures to atomically link payment across hops. If Schnorr signatures are broken by quantum computers, the entire PTLC mechanism fails — routing payments become insecure.

Adaptor Signature Recall

A pre-signature σ̃ on statement T is "complete-able" to a full signature σ only by knowing the witness w (the discrete log of T). Learning σ from σ̃ reveals w; having w lets you compute σ from σ̃. This bidirectional "bind" enables atomic cross-hop payment correlation without a trusted third party.

The Challenge: Why PQ Adaptor Sigs Are Hard

Schnorr's linear structure makes adaptor signatures natural:

σ = σ̃ + t (where T = g^t, the statement)

Lattice-based signatures (Dilithium) and hash-based signatures (SPHINCS+) have no such linear relation. The adaptor cannot simply be "completed" by adding a secret — entirely different algebraic structure is needed.

❌ Schnorr Adaptor (Quantum-Broken)
1
Compute pre-signature: σ̃ = (R + T, s̃) where s̃ = k + ex (no t yet)
2
Verify pre-signature against T — check algebraic relation holds
3
Complete: σ = (R + T, s̃ + t). Extracting t from σ and σ̃ is trivial.
σ = σ̃ + t

Shor's computes t from T = g^t directly. Structure collapses.

✅ PQ Adaptor (Lattice-Based)
1
Start with a secure Σ-protocol (ID scheme) for a lattice problem.
2
Pre-signature commits to the witness w via a homomorphic binding: σ̃ includes commitment to w without revealing it.
3
Completion: provide w explicitly. Verification checks both signature validity and witness extraction.
σ = Complete(σ̃, w) — non-linear, w extracted from σ

Security reduces to Module-LWE hardness. Quantum-resistant.

Erwig et al. Construction Summary

Framework: Given any Σ-protocol (commit-challenge-respond) for a hard problem:

  1. Pre-sign by running the protocol up to the response phase with a "masked" response
  2. The mask is the witness w — verifier can check the structure without seeing w
  3. Completion reveals w, allowing the masked response to be unmasked into a full response
  4. Extractor: given full response and pre-response, recovers w

Instantiation: Using a Dilithium-like identification scheme over Module lattices. Security proof reduces to Module-LWE and Module-SIS hardness assumptions.

Property Schnorr adaptor Dilithium adaptor (Erwig et al.)
Pre-signature size64 bytes~2,400 bytes
Verification timeVery fastModerate
Witness extractionTrivial subtractionRequires dedicated algorithm
Security assumptionECDLP (broken by Shor's)Module-LWE (quantum-hard)
Bitcoin-compatible✅ Yes❌ Requires protocol redesign
PTLC-compatible✅ Works today (Schnorr path)🔶 Research stage, not deployed
Quantum-safe❌ No✅ Yes
Two-party construction✅ Natural✅ Yes (shown in paper)

Open Challenge: Efficiency Gap

The Erwig et al. construction proves feasibility, but a 2,400-byte pre-signature for each hop in a PTLC route is impractical. A 10-hop route requires 24,000 bytes of adaptor signature material. Research focus: reducing pre-signature size (Falcon-style lattice sigs offer ~666 bytes per sig) and designing more efficient PQ witness commitment schemes.

5
What Needs to Change in Lightning Network

Click each layer to expand the migration checklist and dependency details.

Layer 1 Bitcoin Protocol (On-chain) VERY HIGH COMPLEXITY
  • Bitcoin soft fork to support PQ signature algorithms (new witness version)
  • New address format encoding PQ public keys (256×+ byte keys vs 33-byte secp256k1)
  • Script extensions for PQ multisig (2-of-2 for channel funding)
  • Transaction weight reconsideration (PQ sigs are 40× larger → fee model revision)
  • Consensus on which PQ algorithm(s) Bitcoin supports (Dilithium? Falcon? Hash-based?)
  • Hybrid PQ+classical multisig for transition period security
⚠ All Lightning changes depend on this. Bitcoin consensus is extremely slow — this is the critical path bottleneck. Real-world timeline: 5–15 years after decision to act.
Layer 2 Lightning Channel State Machine HIGH COMPLEXITY
  • Channel funding: migrate to PQ 2-of-2 multisig once L1 supports it
  • Commitment transactions: PQ signatures for each channel state update
  • Revocation keys: revocation scheme requires PQ key derivation
  • HTLC output scripts: update preimage/hash scripts if needed
  • Penalty transactions: PQ-sign pre-signed breach remediation txs
  • Splicing: PQ-native splice-in/splice-out protocol
Directly follows from L1 PQ support. BOLT #2 (channel establishment), #3 (transaction formats), and #5 (on-chain transactions) all need revision.
Routing Routing, Onion, and Peer Transport MEDIUM COMPLEXITY
  • Sphinx onion: replace ECDH with ML-KEM key encapsulation (BOLT #4)
  • Node identity authentication: replace secp256k1 Schnorr with PQ signature (gossip layer)
  • BOLT #8 peer transport: replace Noise_XK ECDH with hybrid PQ Noise variant
  • Route blinding: ensure blinded path descriptors use PQ keys
  • BOLT #12 offers: PQ signatures for invoice authentication
  • Trampoline routing: PQ-sign trampoline payment packets
Can proceed partially independently of L1. ML-KEM adoption in Sphinx is a software-only change requiring BOLT #4 update. Immediate priority for "harvest now, decrypt later" mitigation.
PTLC Adaptor Signatures and PTLCs MEDIUM-HIGH COMPLEXITY
  • Deploy PQ adaptor signatures (Erwig et al. or successor with better efficiency)
  • PQ PTLC construction: witness-binding without ECDLP structure
  • PQ atomic swaps: cross-chain atomicity without discrete log relation
  • PQ DLCs: discreet log contracts on PQ basis
  • Efficiency improvements: reduce adaptor sig size to <500B per hop
Research is at an early stage. The Erwig et al. (FC 2021) construction is a proof of concept — sizes are impractical (~2.4KB per hop). New algebraic techniques (e.g., lattice-based commitments, ring signatures) may improve efficiency.
6
Hybrid Approach — Classical + PQ

The pragmatic near-term strategy: combine classical and post-quantum cryptography so security holds if either remains unbroken. This protects against harvest-now-decrypt-later while also hedging against undiscovered flaws in new PQ schemes.

Classical Path
ECDH(Alice_secp256k1, Bob_secp256k1)
Broken by Shor's (future)
produces shared secret K₁ (32 bytes)
XOR combine
PQ Path
ML-KEM(Bob_Kyber_pk) → (ciphertext, K₂)
Quantum-resistant (Module-LWE)
produces shared secret K₂ (~32 bytes)
session_key = K₁ ⊕ K₂ (or HKDF(K₁ ∥ K₂))
Security holds if EITHER ECDH or ML-KEM is secure. An adversary must break BOTH to decrypt.
Security guarantee

If Kyber is broken but ECDH is safe: session key still secure.
If ECDH broken by Shor's but Kyber safe: session key still secure.
Both must be simultaneously broken.

TLS 1.3 Analogy

This mirrors TLS 1.3 hybrid PQ experiments (X25519 + Kyber768). BOLT #8 Noise_XK upgrade would follow the same pattern: run both handshakes, derive combined key via HKDF.

Draft: PQ Noise_XK_Hybrid for BOLT #8

A proposed BOLT #8 replacement performs both a classical Noise_XK handshake (ECDH with secp256k1 or X25519) and a parallel ML-KEM encapsulation. The final session key is derived via HKDF from the concatenation of both shared secrets. This is a software-only change to the LN peer transport — no Bitcoin consensus required. Prototype implementations exist (e.g., in academic proof-of-concept LN implementations), but no BOLT PR has been formally submitted.

7
Quantum-Resistant Routing (PQ Sphinx)
Current Sphinx (BOLT #4)
Shared secret derivation ❌ ECDH → broken
Stream cipher ✅ ChaCha20
MAC layer ✅ HMAC-SHA256
Hash-based padding ✅ SHA-256
Packet size (1 hop) 1,366 bytes
PQ Sphinx (Proposed)
Shared secret derivation 🔶 ML-KEM (Kyber)
Stream cipher ✅ ChaCha20 (keep)
MAC layer ✅ HMAC-SHA256 (keep)
Hash-based padding ✅ SHA-256 (keep)
Packet size (1 hop) ~2,200+ bytes

In Sphinx, each routing hop performs an ECDH key exchange using an ephemeral key embedded in the packet header. Replacing ECDH with ML-KEM changes the structure because KEM (Key Encapsulation Mechanism) is not a Diffie-Hellman protocol — it uses a different API: Encapsulate(pk) → (ciphertext, shared_key) instead of ECDH(my_sk, their_pk) → shared_key.

Onion Packet Size Comparison (per-hop key material)
Current ECDH ephemeral key
33
33 bytes
ML-KEM ciphertext
~1,088 bytes
~1,088 B
Full Sphinx packet (current, 20 hops)
1,366
1,366 bytes
Est. PQ Sphinx (20 hops)
~22,000+ bytes
>22,000 B

Trade-off: Packet Overhead vs Security

The current Sphinx packet (1,366 bytes) is carefully sized. Adding ML-KEM per-hop ciphertexts (~1,088 bytes each) would balloon a 20-hop packet to >22KB — a 16× increase. This may require reducing maximum hop count, increasing the minimum channel balance for routing, or redesigning the onion packet format (BOLT #4 revision). One approach: "compressed" KEM where intermediate nodes share a common encapsulation; another: reduce to 10 hops maximum in PQ mode.

8
Research Frontiers & Open Problems
✅ Solved
Generic PQ Adaptor Signature Construction
A generic framework from identification schemes, proven secure under Module-LWE.
Erwig et al. FC 2021 Lattice Sigma protocols
What:Generic construction of PQ two-party adaptor signatures from any Σ-protocol ID scheme.
Approach:Module-LWE based identification scheme → adaptor via masked response technique.
Remaining:Signature sizes (~2.4KB) are too large for practical PCN use. Efficiency work needed.
Venue:Financial Cryptography (FC)
✅ Solved
ML-KEM Standardized for Key Exchange
NIST FIPS 203 (2024) finalizes Kyber as ML-KEM — a drop-in ECDH replacement for non-interactive KEM.
NIST FIPS 203 Kyber Module-LWE
What:KEM standard for key agreement in protocols (TLS, Noise, Sphinx).
LN impact:Direct replacement for ECDH in BOLT #8 handshake and Sphinx header construction.
Challenge:KEM API differs from DH — protocols must be redesigned, not just key-swapped.
🔶 In Progress
Hybrid Lightning Handshake Protocol
Combining classical ECDH + ML-KEM in BOLT #8 Noise_XK for immediate harvest-now-decrypt-later mitigation.
BOLT #8 Noise protocol Hybrid KEM
What:Hybrid Noise_XK: run ECDH and ML-KEM in parallel, derive session key via HKDF from both.
Approach:session_key = HKDF(ECDH_output ∥ KEM_output). Software-only, no L1 change.
Status:Academic PoC exists; no formal BOLT PR. TLS 1.3 already does this (RFC 9420).
Venue:Lightning developer mailing list, FC, IEEE S&P
❌ Open Problem
Efficient PQ PTLC Construction
Current PQ adaptor sigs are 37× too large for practical per-hop PTLC use. Need sub-200-byte pre-signatures.
PTLC Lattice compact sigs Routing
What needed:PQ adaptor signatures small enough for 20-hop routes (<200B per pre-sig).
Approaches:Falcon-based adaptor sigs (666B full sig → smaller pre-sig?), lattice commitment schemes, Fiat-Shamir lattice variants.
Timeline:5–10 years. Requires new algebraic insight into lattice signature structure.
Venue:CRYPTO, EUROCRYPT, FC
❌ Open Problem
PQ Channel Factories
Multi-party channel factories (Burchert et al.) require threshold signatures. PQ threshold signatures are an open problem.
Channel factories Threshold crypto Multi-party
What needed:Efficient t-of-n PQ threshold signatures for factory funding outputs.
Approaches:Lattice threshold signatures exist but are large; FROST-style PQ constructions are nascent.
Difficulty:Lattice threshold schemes require distributed key generation — much more complex than Schnorr-based FROST.
Venue:CCS, CRYPTO, FC
❌ Open Problem
Privacy-Preserving PQ Routing
ML-KEM replaces ECDH in Sphinx, but anonymity properties (unlinkability, correlation resistance) must be re-proved in the PQ model.
Sphinx Anonymity UC security
What needed:Formal security proof that PQ Sphinx achieves anonymity in the quantum random oracle model (QROM).
Approaches:Extend Danezis-Goldberg Sphinx security analysis to QROM. KEM-based Sphinx formalization.
Challenge:QROM proofs are technically harder than standard ROM proofs. New proof techniques needed.
Venue:CCS, USENIX Security, PoPETs, FC
❌ Open Problem
Migration Path for Existing Channels
How to upgrade existing secp256k1 LN channels to PQ cryptography without closing and reopening (expensive on-chain).
Protocol upgrade Splicing Backwards compat
What needed:Mechanism to "rebind" existing channel output to PQ keys without channel close.
Approaches:Extended splicing protocol, cooperative channel upgrade transaction, PQ key overlay.
Challenge:Channel close requires on-chain transaction (fees + timelock). ~800K channels × $5–50 fee = $4M–$40M migration cost.
Venue:Lightning-dev mailing list, BOLT specification
❌ Open Problem
PQ Watchtower Protocols
Watchtowers hold encrypted revocation data. With PQ, blob sizes grow enormously (Dilithium sigs 37× larger), threatening storage economics.
Watchtowers Storage Encrypted blobs
What needed:Efficient PQ blob encryption + compact revocation tokens that don't explode storage.
Approaches:Symmetric-only revocation proofs, hash-based revocation, compact PQ commitments.
Timeline:Follows from PQ channel state machine design. ~3–7 years.
Venue:FC, IEEE S&P, CCS
Research Priority Matrix
Do Now (No L1 change needed)
  • • Hybrid BOLT #8 (ECDH + ML-KEM)
  • • PQ Sphinx packet format
  • • QROM anonymity proofs
Medium Term (After L1 PQ fork)
  • • PQ channel funding scripts
  • • PQ commitment transactions
  • • Watchtower protocol update
Research Needed First
  • • Compact PQ adaptor sigs
  • • PQ threshold / multisig
  • • Efficient PQ PTLCs
Long-term / Speculative
  • • PQ channel factories
  • • Seamless channel migration
  • • Full PQ LN re-specification
Key References
[Erwig+ FC 2021] — "Two-Party Adaptor Signatures From Identification Schemes." Erwig, Faust, Hostáková, Maitra, Riahi. Financial Cryptography 2021. PQ adaptor signature framework.
[NIST FIPS 203 2024] — "ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism Standard)." NIST, August 2024. Standardizes Kyber.
[NIST FIPS 204 2024] — "ML-DSA (Module-Lattice-Based Digital Signature Standard)." NIST, August 2024. Standardizes Dilithium.
[Shor 1994] — "Algorithms for Quantum Computation: Discrete Logarithms and Factoring." FOCS 1994. The foundational algorithm threatening RSA and ECC.
[Grover 1996] — "A Fast Quantum Mechanical Algorithm for Database Search." STOC 1996. Quadratic speedup for unstructured search.
[Danezis+ 2009] — "Sphinx: A Compact and Provably Secure Mix Format." Danezis, Goldberg. IEEE S&P 2009. Onion routing used in Lightning Network.
[Gidney & Ekerå 2021] — "How to factor 2048-bit RSA integers in 8 hours using 20 million noisy qubits." Quantum 5, 433. Best estimate for CRQC requirements.