Post-Quantum Cryptography · Field Guide

The Post-Quantum Cryptography Field Guide

A Practitioner's Handbook

A concise, opinionated handbook for security architects, engineers, and leaders preparing real systems for the quantum era — grounded in NIST standards, federal mandates, and field-tested migration practice.

  • 9 chapters
  • ~210 min read
  • 8 reference appendices

Start here

How to read this guide

It's a 9-chapter guide (~210 min) with reusable reference appendices — but you don't need to read it cover to cover. Here's how it's laid out, and where to focus based on your role.

01

Front matter (3)

Orientation — why it matters, how to read it, who wrote it.

02

Chapters 1–9 (9)

The core: threat → algorithms → mandates → discovery → migration → operations.

03

Reference (8)

Reusable tools — scoring, maturity model, checklists, templates, glossary.

Find your path

CISO / Security Leader

Brief the board, justify budget, understand compliance exposure.

  1. Chapter 1: The Quantum Threat
  2. Chapter 2: What's Vulnerable
  3. Chapter 4: Regulatory Landscape
  4. Chapter 6: Migration Roadmap

Security Architect

Design a crypto-agile architecture and plan the migration phases.

  1. Chapter 3: The New Algorithms
  2. Chapter 5: Crypto Discovery
  3. Chapter 6: Migration Roadmap
  4. Chapter 7: Hybrid Mode
  5. Chapter 8: Protocol Deep Dives

Network / Security Engineer

Know what changes in TLS, IPsec, SSH and PKI — and what breaks.

  1. Chapter 3: The New Algorithms
  2. Chapter 7: Hybrid Mode
  3. Chapter 8: Protocol Deep Dives
  4. Chapter 9: Day-2 Operations

Federal / DoD Program Manager

Compliance timelines, procurement language, and ATO impact.

  1. Chapter 4: Regulatory Landscape
  2. Chapter 5: Crypto Discovery
  3. Chapter 6: Migration Roadmap
  4. Compliance Checklist

Watch for these in the text

  • ⚠ Mandate Alert — A specific compliance requirement with dates and sources.
  • Plain-Language Sidebar — The “brief the general” version of a complex concept.
  • F5 Perspective — Optional vendor mapping — skip it without missing core content.

FIPS 203 / 204 / 205

The new ML-KEM, ML-DSA, and SLH-DSA standards in plain language.

Harvest Now, Decrypt Later

Why the quantum threat is a present-tense risk, not a future one.

CNSA 2.0 & NIST timelines

What's mandated, for whom, and by when — U.S. and international.

Discovery → Migration → Day-2

A phased, crypto-agile roadmap from inventory to long-term assurance.

Chapters

From the quantum threat to day-2 operations — read cover to cover or jump to what you need.

01 The Quantum Threat: Why This Matters Now (32 min read)

Before we can understand why post-quantum cryptography matters, we need to understand the strange and beautiful science that makes it necessary. This chapter is a guided tour—from the birth of quantum mechanics over a ce

02 What’s Vulnerable and What’s Not (12 min read)

Chapter 1 explained why quantum computing threatens our cryptographic infrastructure. This chapter answers the next logical question: what, specifically, is at risk?

03 The New Algorithms: A Practitioner’s Guide (13 min read)

In Chapter 1, we learned that quantum computing breaks the math behind today’s encryption—not the concept of encryption itself. In Chapter 2, we mapped exactly which algorithms and protocols are vulnerable. Now we answer

04 The Regulatory Landscape (18 min read)

If the first three chapters answered “why should we care?” and “what’s at risk?”, this chapter answers the question that gets CISOs and program managers out of their chairs: “Who says we have to do this, and by when?”

05 Know What You Have: Cryptographic Discovery (13 min read)

Every PQC migration plan begins with the same question: “Where is cryptography in my environment?” The answer, invariably, is “more places than you think.”

06 Building Your Migration Roadmap (20 min read)

You’ve catalogued the threat (Chapters 1–2), learned the replacements (Chapter 3), mapped the mandates (Chapter 4), and inventoried your exposure (Chapter 5). Now comes the question that separates planning from action: “

07 Hybrid Mode: Bridging Classical and Quantum-Safe (14 min read)

In an ideal world, you’d flip a switch and every system in your environment would instantly use post-quantum algorithms. In the real world, migration happens gradually—and during that transition, classical and post-quant

08 Protocol Deep Dives: TLS, IPsec, SSH, and PKI (29 min read)

This is the engineering chapter. The previous seven chapters built the case for why migration matters, what algorithms replace the vulnerable ones, and how to plan the program. This chapter goes inside the protocols them

09 Day-2 Operations: Monitoring, Rotation, and Long-Term Assurance (14 min read)

Deploying post-quantum cryptography is a milestone, not a finish line. Once PQC is live in your environment—hybrid TLS on the edge, updated SSH key exchanges, new certificate chains in the pipeline—a new set of operation

Reference & Appendices

Practical, reusable tools: scoring methodology, maturity model, checklists, templates, glossary, and full bibliography.

About the author

Arnulfo “Noof” Hernandez

Written from the field — working with public-sector and enterprise customers on real post-quantum migrations. Everything here is grounded in primary sources: NIST standards, NSA guidance, and IETF drafts.


Ready to dig in?

Begin with the quantum threat and why it matters now.
