Why RSA breaks
RSA security rests on the difficulty of factoring large semiprimes. Shor's algorithm factors them in polynomial time on a sufficiently large fault-tolerant quantum computer. The same period-finding routine solves discrete logarithms, so it breaks finite-field Diffie-Hellman and elliptic-curve cryptography as well. The whole deployed asymmetric-cryptography stack, from Diffie-Hellman (1976) and RSA (1977) onward, rests on problems that reduce to that one quantum subroutine.
The eventual quantum attack is not the only concern. Harvest-now-decrypt-later says: even if a cryptographically relevant quantum computer (CRQC) arrives in 2035 instead of 2030, every byte of RSA- or ECDH-protected traffic that adversaries are recording today becomes recoverable that day, because it is the recorded key exchange that gets broken, not the symmetric cipher. For data with a 10-year confidentiality requirement, the deadline has already passed.
Why lattice math survives
Lattice problems (Learning With Errors, Module-LWE, NTRU) have no known polynomial-time quantum algorithm. The best known quantum speedups against them are modest: Grover-style square-root gains on the search components and small improvements to the exponent of lattice sieving, both absorbed by choosing larger parameters. The math is also old enough (Ajtai 1996, NTRU 1998, Regev 2005) that a large cryptanalytic community has spent two decades looking for shortcuts without finding a structural one.
That is not a proof of security. It is the standard cryptographic confidence interval: if decades of attempted cryptanalysis have not broken it, you ship it. RSA was in the same epistemic position, with the caveat that we now know a quantum algorithm that breaks it; we simply cannot run it yet.
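To make the hard problem concrete, here is a toy Regev-style LWE bit encryption in Go, added here as an illustration; it is not code from the original page or from any real library. The parameters (q = 3329, n = 16, m = 32, errors drawn from {-1, 0, 1}) are my choices for readability, not security, and ML-KEM itself works over polynomial rings (Module-LWE) at far larger dimension.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// Toy Regev-style LWE encryption of single bits. Illustrative only:
// the parameters are small enough to follow by hand, not secure.
// ML-KEM builds on the same idea over polynomial rings (Module-LWE).
const (
	q = 3329 // modulus; borrowed from ML-KEM only for familiarity
	n = 16   // dimension of the secret s
	m = 32   // number of LWE samples published in the public key
)

// publicKey is m samples (a_i, b_i) with b_i = <a_i, s> + e_i mod q.
type publicKey struct {
	A [m][n]int
	b [m]int
}

func randMod(bound int) int {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(bound)))
	if err != nil {
		panic(err)
	}
	return int(v.Int64())
}

// smallError draws e from {-1, 0, 1}. Without e, b = A*s is a linear
// system solved by Gaussian elimination; with it, recovering s is LWE.
func smallError() int { return randMod(3) - 1 }

func mod(x int) int { return ((x % q) + q) % q }

func keyGen() (publicKey, [n]int) {
	var s [n]int
	for i := range s {
		s[i] = randMod(q)
	}
	var pk publicKey
	for i := 0; i < m; i++ {
		acc := 0
		for j := 0; j < n; j++ {
			pk.A[i][j] = randMod(q)
			acc += pk.A[i][j] * s[j]
		}
		pk.b[i] = mod(acc + smallError())
	}
	return pk, s
}

// encrypt sums a random subset of the samples (u = sum a_i, v = sum b_i)
// and adds bit*round(q/2) to v, so the bit sits far from the noise.
func encrypt(pk publicKey, bit int) ([n]int, int) {
	var u [n]int
	v := 0
	for i := 0; i < m; i++ {
		if randMod(2) == 1 {
			for j := 0; j < n; j++ {
				u[j] = mod(u[j] + pk.A[i][j])
			}
			v = mod(v + pk.b[i])
		}
	}
	return u, mod(v + bit*(q/2))
}

// decrypt computes v - <u, s> = sum(e_i over the subset) + bit*q/2.
// The noise has magnitude at most m (< q/4), so rounding recovers bit.
func decrypt(s, u [n]int, v int) int {
	acc := v
	for j := 0; j < n; j++ {
		acc -= u[j] * s[j]
	}
	d := mod(acc)
	if d > q/4 && d < 3*q/4 {
		return 1
	}
	return 0
}

// roundTrip encrypts one bit under a fresh key and checks decryption.
func roundTrip(bit int) bool {
	pk, s := keyGen()
	u, v := encrypt(pk, bit)
	return decrypt(s, u, v) == bit
}

func main() {
	for _, bit := range []int{0, 1} {
		fmt.Printf("bit %d round-trips: %v\n", bit, roundTrip(bit))
	}
}
```

The only thing separating the public key from a trivially solvable linear system is the error vector. Strip the errors and `s` falls to Gaussian elimination; keep them and the best known attacks, classical or quantum, are lattice-reduction algorithms whose cost grows exponentially in the dimension.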
The NIST winners
Three primary standards, all FIPS-finalised in 2024:
- FIPS 203, ML-KEM (formerly CRYSTALS-Kyber). Module-lattice key encapsulation. Replaces RSA-OAEP key transport and ECDH key agreement, though as a KEM rather than an interactive exchange, so protocols adopt it rather than swap it in one-for-one. Compact encapsulation keys (800, 1184 or 1568 bytes for ML-KEM-512/768/1024) and ciphertexts (768, 1088 or 1568 bytes), fast operations.
- FIPS 204, ML-DSA (formerly CRYSTALS-Dilithium). Module-lattice digital signatures. Replaces RSA-PSS and ECDSA. Signatures are 2420 bytes for ML-DSA-44 (the old Dilithium2), 3309 for ML-DSA-65 and 4627 for ML-DSA-87; public keys are 1312, 1952 and 2592 bytes.
- FIPS 205, SLH-DSA (formerly SPHINCS+). Stateless hash-based digital signatures. Slower and larger than ML-DSA (7856 bytes for the smallest 128-bit "s" parameter set, 17088 for the fast "f" variant), but security relies only on hash-function properties, the most conservative assumption available.
Two of the three are lattice-based, one is hash-based. SLH-DSA exists for cases where you want to bet only on hash security and can accept larger, slower signatures. A fourth, FN-DSA (Falcon, also lattice-based), is slated for FIPS 206.
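What the sizes above look like in practice, using Go's standard-library ML-KEM (crypto/mlkem, Go 1.24 and later). This is an added example, not code from the page, and it also shows the one behaviour that trips people moving from ECDH: a corrupted ciphertext does not produce an error but an unrelated key (implicit rejection), so protocols must confirm the key rather than rely on decapsulation failing.

```go
package main

import (
	"bytes"
	"crypto/mlkem"
	"fmt"
)

// kemResult records one ML-KEM-768 exchange: wire sizes, whether both sides
// agreed, and how a tampered ciphertext behaved.
type kemResult struct {
	EKLen, CTLen, SSLen int
	Agreed              bool // receiver's secret equals sender's secret
	TamperedErr         bool // did a bit-flipped ciphertext return an error?
	TamperedSame        bool // did it yield the sender's secret anyway?
}

// runMLKEM768 does a full encapsulate/decapsulate round and then flips one
// bit of the ciphertext to show implicit rejection. Requires Go 1.24+, which
// ships ML-KEM (FIPS 203) in the standard library as crypto/mlkem.
func runMLKEM768() (kemResult, error) {
	var r kemResult

	// Receiver: generate a key pair, keep dk, publish ek as bytes.
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return r, err
	}
	ekBytes := dk.EncapsulationKey().Bytes()

	// Sender: parse the published key and encapsulate. Unlike ECDH, the
	// sender contributes no public key of its own; it only sends ct.
	ek, err := mlkem.NewEncapsulationKey768(ekBytes)
	if err != nil {
		return r, err
	}
	ssSender, ct := ek.Encapsulate()

	// Receiver: recover the same 32-byte secret from ct.
	ssReceiver, err := dk.Decapsulate(ct)
	if err != nil {
		return r, err
	}
	r.EKLen, r.CTLen, r.SSLen = len(ekBytes), len(ct), len(ssSender)
	r.Agreed = bytes.Equal(ssSender, ssReceiver)

	// Implicit rejection: a corrupted but correctly sized ciphertext does not
	// fail; it decapsulates to an unrelated key. Protocols must therefore
	// confirm the key (AEAD tag, MAC, Finished message), not expect an error.
	bad := append([]byte(nil), ct...)
	bad[0] ^= 0x01
	ssBad, err := dk.Decapsulate(bad)
	r.TamperedErr = err != nil
	r.TamperedSame = err == nil && bytes.Equal(ssBad, ssSender)
	return r, nil
}

func main() {
	r, err := runMLKEM768()
	if err != nil {
		panic(err)
	}
	fmt.Printf("ML-KEM-768: ek=%d B, ct=%d B, ss=%d B, agreed=%v\n", r.EKLen, r.CTLen, r.SSLen, r.Agreed)
	fmt.Printf("tampered ct: error=%v, same secret=%v (implicit rejection)\n", r.TamperedErr, r.TamperedSame)
	fmt.Printf("ML-KEM-1024: ek=%d B, ct=%d B\n", mlkem.EncapsulationKeySize1024, mlkem.CiphertextSize1024)
}
```

The 64-byte value returned by `dk.Bytes()` is the seed form of the decapsulation key; that, not an expanded key, is what to store in an HSM or secure element.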
How fast does this have to ship
NSA CNSA 2.0 timeline: quantum-resistant algorithms preferred now and used exclusively in National Security Systems by 2030 to 2033, depending on the product class. NIST migration guidance (draft IR 8547): quantum-vulnerable public-key algorithms deprecated after 2030 and disallowed after 2035. Reality on the ground:
- Industrial control systems run on hardware with 15 to 25-year lifecycles.
- Hardware security modules sized for RSA keys and buffers often cannot hold ML-DSA-44 (Dilithium2) signing state in working memory. Replacement, not upgrade.
- Embedded vendor firmware update cycles measured in years.
- Smart-meter fleets in the millions per utility, with field-replacement programmes that take a decade.
Add it up: the industrial-side migration takes 10 to 20 years from start. Starting in 2026 lands the finish line in 2036 to 2046. Starting in 2030 lands it in 2040 to 2050, well past the CRQC arrival window most planners assume. The honest budgeting question is what to deploy in 2026 that survives 2035, not whether the 2030 milestone can be hit.
What constrained-device migration actually looks like
For Arduino-class IoT (ATmega328P with 2 KB SRAM), the conventional wisdom said PQC was infeasible until tighter implementations arrived. That turned out to be wrong. The peer-reviewed FIPS 203/204 implementation I shipped runs ML-KEM key encapsulation and ML-DSA signing on this exact target with 136 ms signing latency and 1850 TPS gateway throughput, end-to-end <300 ms sense-to-ledger latency including the PQC handshake, on hardware that costs under fifty dollars per node.
That demolishes the "we cannot afford PQC on constrained devices" excuse. The constraint is procurement and standards, not silicon.
Where the standards layer comes in
The cryptography is the easy part once NIST publishes the standard. The protocol layer is harder. TLS 1.3 already has hybrid PQC key exchange: the X25519MLKEM768 group is deployed in mainstream browsers, CDNs and server stacks, pairing an X25519 share with an ML-KEM-768 share so the session stays confidential unless both break. EDHOC (RFC 9528), the IoT-grade authenticated key exchange, is being given post-quantum variants in the IETF LAKE Working Group as PQ-EDHOC. ISA/IEC 62443 is being updated to acknowledge PQC requirements for industrial automation. Each of these is a multi-year working-group effort, and most are not finished.
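What "hybrid PQC in TLS 1.3" means on the wire, as an added Go example that is neither the page's code nor a TLS implementation. It follows the X25519MLKEM768 key-share layout of the IETF TLS draft as I read it (ML-KEM-768 share first, X25519 share second, shared secrets concatenated in the same order) and uses Go 1.24's crypto/mlkem together with crypto/ecdh; the function names are mine. The 64-byte result is what the TLS key schedule would hand to HKDF, which this example stops short of.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"fmt"
)

// X25519MLKEM768 wire layout (TLS 1.3 hybrid group, draft-ietf-tls-ecdhe-mlkem):
//   client share  = ML-KEM-768 encapsulation key || X25519 public key
//   server share  = ML-KEM-768 ciphertext        || X25519 public key
//   shared secret = ML-KEM secret (32 B)         || X25519 secret (32 B)
// Requires Go 1.24+ for crypto/mlkem.
const (
	x25519Len      = 32
	clientShareLen = mlkem.EncapsulationKeySize768 + x25519Len // 1216
	serverShareLen = mlkem.CiphertextSize768 + x25519Len       // 1120
)

// serverRespond consumes the ClientHello key share and returns the
// ServerHello key share plus the server's view of the hybrid secret.
func serverRespond(clientShare []byte) ([]byte, []byte, error) {
	if len(clientShare) != clientShareLen {
		return nil, nil, fmt.Errorf("client share: got %d bytes, want %d", len(clientShare), clientShareLen)
	}
	ek, err := mlkem.NewEncapsulationKey768(clientShare[:mlkem.EncapsulationKeySize768])
	if err != nil {
		return nil, nil, err
	}
	cPub, err := ecdh.X25519().NewPublicKey(clientShare[mlkem.EncapsulationKeySize768:])
	if err != nil {
		return nil, nil, err
	}
	kemSS, ct := ek.Encapsulate()
	xPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	xSS, err := xPriv.ECDH(cPub)
	if err != nil {
		return nil, nil, err
	}
	return append(ct, xPriv.PublicKey().Bytes()...), append(kemSS, xSS...), nil
}

// clientFinish is the client's side: decapsulate, run X25519, concatenate.
func clientFinish(dk *mlkem.DecapsulationKey768, xPriv *ecdh.PrivateKey, serverShare []byte) ([]byte, error) {
	if len(serverShare) != serverShareLen {
		return nil, fmt.Errorf("server share: got %d bytes, want %d", len(serverShare), serverShareLen)
	}
	kemSS, err := dk.Decapsulate(serverShare[:mlkem.CiphertextSize768])
	if err != nil {
		return nil, err
	}
	sPub, err := ecdh.X25519().NewPublicKey(serverShare[mlkem.CiphertextSize768:])
	if err != nil {
		return nil, err
	}
	xSS, err := xPriv.ECDH(sPub)
	if err != nil {
		return nil, err
	}
	return append(kemSS, xSS...), nil
}

// hybridHandshake runs both sides and reports whether the 64-byte secrets
// agree. Either half alone being broken leaves the other intact inside it.
func hybridHandshake() (agree bool, ssLen int, err error) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return false, 0, err
	}
	xPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return false, 0, err
	}
	cShare := append(dk.EncapsulationKey().Bytes(), xPriv.PublicKey().Bytes()...)
	sShare, serverSS, err := serverRespond(cShare)
	if err != nil {
		return false, 0, err
	}
	clientSS, err := clientFinish(dk, xPriv, sShare)
	if err != nil {
		return false, 0, err
	}
	return bytes.Equal(clientSS, serverSS), len(clientSS), nil
}

func main() {
	agree, n, err := hybridHandshake()
	fmt.Printf("X25519MLKEM768: shares %d/%d bytes, secret %d bytes, agree=%v, err=%v\n",
		clientShareLen, serverShareLen, n, agree, err)
}
```

The cost of the hybrid over plain X25519 is visible in the constants: the ClientHello grows by about 1.2 KB and the ServerHello by about 1.1 KB, which is the size pressure that pushes the constrained-device and middlebox issues discussed elsewhere on this page.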
For deeper context see my standing perspective on post-quantum cryptography and the IoT PQ-EDHOC topic page. The five pre-cleared press paragraphs at /press/ include the harvest-now-decrypt-later quote and the 2030-as-goal-not-forecast quote.
The asymmetric-crypto refresh, in one paragraph
RSA is going to be replaced. ML-KEM does the key exchange. ML-DSA does the signatures. SLH-DSA is the conservative backup. Lattice math survives Shor. The migration is bounded by procurement and standards, not by mathematics. The clock started in 2024 when NIST shipped the standards. The honest finish line is 2035 to 2045, depending on the sector. Plan accordingly.