Arena Pro
Hands on a computer keyboard, with security icons such as a key, a lock and a shield floating above the machine.

Image: iStock

A review on post-quantum cryptography and related cyber threats for critical infrastructures

Technology and Industry

This article discusses the role of quantum computing in cyber threats for critical infrastructures, with a focus on operational technology. Various threats are discussed, highlighting the importance of research in this field of application.

Post-quantum cryptography (PQC) is widely discussed for different applications and environments due to the rapid research and development it is currently undergoing. Shor's algorithm (Bernstein & Lange, 2017), a famous quantum algorithm, is expected to break widely used public-key cryptographic schemes such as elliptic-curve cryptography, Diffie-Hellman key exchange and the RSA (Rivest-Shamir-Adleman) algorithm once quantum computers have advanced enough (Bene & Kiss, 2023). To ensure the world has functional public-key solutions, the field of cryptography requires new developments before quantum computers become sufficiently advanced.

Important information technology (IT) networks and operational technology (OT) environments support and establish critical infrastructures, providing a functioning society and economy. These environments, particularly OT environments, are vulnerable to cyber-attacks because they typically contain computationally weak legacy components. Additionally, further development in quantum computing (QC) presents an even greater risk for those environments, making suitable cryptosystems necessary.

Since Shor’s algorithm can solve large prime number factoring and discrete-logarithm problems in polynomial time, the new PQC algorithms are based on different hard problems (Mailloux et al., 2016). The cryptographic schemes created for PQC include hash-based, lattice-based, isogeny-based, code-based, multivariate and graph-based schemes (Bene & Kiss, 2023; del Moral et al., 2024).

Global actors have started to prepare for the threat of currently used public-key cryptography schemes being broken. Several countries such as China, Germany and South Korea are now developing their own PQC algorithms to replace the classical ones. The PQC standardization process of NIST (National Institute of Standards and Technology) is one of the currently active PQC standardization processes. (del Moral et al., 2024.)

NIST's standardization process started in 2017 (NIST Staff, 2024). After the third round, NIST selected the key encapsulation mechanism CRYSTALS-Kyber and the digital signature algorithms CRYSTALS-Dilithium, Falcon and SPHINCS+ for standardization, of which NIST recommends CRYSTALS-Kyber and CRYSTALS-Dilithium for most use cases (Alagic et al., 2022). The status report published on March 11, 2025, states that HQC (Hamming Quasi-Cyclic) was selected for standardization (NIST IR 8545, 2025). As the process is still ongoing, more algorithms may still be standardized in the future.

This article discusses the status of QC in cybersecurity, focuses on applications in critical infrastructures, and presents the cyber threats arising there.

Post-quantum cryptography algorithms

PQC algorithm families addressing different security areas include hash-based, lattice-based, isogeny-based, code-based, multivariate, multiparty computation and graph-based approaches (del Moral et al., 2024). For instance, hash-based algorithms rely on mathematical functions, called hash functions, that map an input of arbitrary length to an output of fixed length; this value provides authenticity and integrity in communication. In the following, we present concrete algorithm examples for each type; the table below summarizes them.

Algorithm approach   Examples
hash-based           SPHINCS+
lattice-based        CRYSTALS-Kyber, CRYSTALS-Dilithium, Falcon
isogeny-based        SIDH
code-based           McEliece, BIKE, HQC
multivariate         Rainbow, LUOV, GeMMS, MQDSS
graph-based          PCC

Table 1: List of PQC algorithms that are currently being researched, and the algorithm approach they are based on.

Hash-based: SPHINCS+

Hash functions are used in digital signatures. The basic idea of SPHINCS+ is to authenticate a huge number of few-time signature key pairs using a so-called hypertree (Aumasson et al., 2022). SPHINCS+ is similar to SPHINCS, a high-security post-quantum stateless hash-based signature scheme. The signature scheme is stateless, which means that it can serve as a drop-in replacement for current signature schemes (Bernstein et al., 2015).
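As an added illustration (not code from the article or from the SPHINCS+ authors), the following toy Python sketch shows the basic hash-based idea: Lamport one-time key pairs whose public keys are authenticated by a small Merkle tree, so one root verifies several signatures. All names and parameters are ours, and unlike SPHINCS+ the toy is stateful: the signer must track which leaf it has used.

```python
import hashlib, secrets
# Toy Lamport one-time signature (OTS) plus a Merkle tree that authenticates several
# OTS public keys under one root; SPHINCS+ scales this idea up with a hypertree.
H = lambda *parts: hashlib.sha256(b"".join(parts)).digest()

def ots_keygen():                                 # one secret pair per digest bit
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]       # public key = hashes of the secrets
def ots_sign(sk, msg):                            # reveal one secret per digest bit
    d = int.from_bytes(H(msg), "big")
    return [sk[i][(d >> i) & 1] for i in range(256)]
def ots_verify(pk, msg, sig):
    d = int.from_bytes(H(msg), "big")
    return all(H(sig[i]) == pk[i][(d >> i) & 1] for i in range(256))

def pk_leaf(pk):                                  # compress an OTS public key to a leaf
    return H(*[a + b for a, b in pk])

def merkle_levels(leaves):                        # levels[0] = leaves, levels[-1] = [root]
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([H(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels

def merkle_verify(root, leaf, idx, path):         # path = sibling hashes, leaf to root
    for sib in path:
        leaf, idx = (H(leaf, sib) if idx % 2 == 0 else H(sib, leaf)), idx // 2
    return leaf == root

def keygen(n_leaves=4):                           # n_leaves must be a power of two
    keys = [ots_keygen() for _ in range(n_leaves)]
    levels = merkle_levels(pk_leaf(pk) for _, pk in keys)
    return {"keys": keys, "levels": levels, "used": set()}, levels[-1][0]

def sign(state, idx, msg):                        # refuses to reuse a one-time key
    if idx in state["used"]:
        raise ValueError("one-time key %d already used" % idx)
    state["used"].add(idx)
    sk, pk = state["keys"][idx]
    path, i = [], idx
    for lvl in state["levels"][:-1]:
        path.append(lvl[i ^ 1]); i //= 2
    return idx, pk, ots_sign(sk, msg), path

def verify(root, msg, signature):                 # the only thing a verifier stores is root
    idx, pk, sig, path = signature
    return merkle_verify(root, pk_leaf(pk), idx, path) and ots_verify(pk, msg, sig)
```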

Lattice-based: CRYSTALS-Kyber, CRYSTALS-Dilithium, Falcon

Kyber is a lattice-based key encapsulation mechanism, which means that its security rests on hard problems involving lattices, including the learning-with-errors problem (Bos et al., 2017). Dilithium is a digital signature scheme whose security rests on the same principle as Kyber (Ducas et al., 2017). Falcon is also a digital signature scheme, which uses fast Fourier sampling in addition to lattices (Fouque et al., 2020).
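To make the learning-with-errors (LWE) idea concrete, here is an added toy Regev-style public-key encryption of a single bit in plain Python; it is our own illustration, not Kyber (which works over polynomial rings with much larger parameters) and not code from the article. The parameter names Q, N, M and ERR are ours and are chosen so that the accumulated error can never flip the bit.

```python
import random

# Toy LWE encryption of one bit. The public key is (A, b = A*s + e mod Q): without the
# small error e this would be ordinary linear algebra and s would be trivially solvable.
Q, N, M, ERR = 257, 8, 16, 2   # modulus, secret length, number of samples, error bound
assert M * ERR < Q // 4         # guarantees correct decryption (see decrypt)

def keygen(rng):
    s = [rng.randrange(Q) for _ in range(N)]                      # secret vector
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]  # public matrix
    e = [rng.randint(-ERR, ERR) for _ in range(M)]                # small errors
    b = [(sum(a * x for a, x in zip(row, s)) + ei) % Q for row, ei in zip(A, e)]
    return (A, b), s

def encrypt(pk, bit, rng):
    A, b = pk
    r = [rng.randrange(2) for _ in range(M)]  # random 0/1 subset of the samples
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    v = (sum(r[i] * b[i] for i in range(M)) + bit * (Q // 2)) % Q
    return u, v

def decrypt(sk, ct):
    u, v = ct
    d = (v - sum(x * y for x, y in zip(u, sk))) % Q
    # d = r.e + bit*Q/2 mod Q and |r.e| <= M*ERR < Q/4, so d lands near 0 for bit 0
    # and near Q/2 for bit 1; rounding to the nearer of the two recovers the bit.
    return 1 if Q // 4 < d < 3 * Q // 4 else 0

def roundtrip_ok(seed=1, trials=200):
    """Encrypt and decrypt random bits under one key pair; True if all survive."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    bits = [rng.randrange(2) for _ in range(trials)]
    return all(decrypt(sk, encrypt(pk, bit, rng)) == bit for bit in bits)

if __name__ == "__main__":
    print("all trials decrypted correctly:", roundtrip_ok())
```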

Isogeny-based: SIDH

SIDH (Supersingular Isogeny Diffie-Hellman protocol) is a key exchange algorithm whose vulnerability has already been demonstrated. Castryck et al. (2022) presented a key recovery attack on SIDH using Kani's "reducibility criterion" for isogenies, which can be implemented easily and runs fast.

Code-based: McEliece, BIKE, HQC

The Classic McEliece algorithm has large key sizes, which require more resources for key generation, but small ciphertext sizes. BIKE (Bit Flipping Key Encapsulation) and HQC (Hamming Quasi-Cyclic) both have smaller key and ciphertext sizes (Kuznetsov et al., 2023). BIKE is based on QC-MDPC (Quasi-Cyclic Moderate Density Parity-Check) codes and was submitted to the NIST PQC Standardization Process (Aragon et al., 2022). HQC is a code-based public-key encryption scheme designed to provide security against attacks by both classical and quantum computers (Aguilar-Melchor et al., 2024).

Multivariate: Rainbow, LUOV, GeMMS, MQDSS

Another category is multivariate signature schemes, which include Rainbow and LUOV (Lifted Unbalanced Oil and Vinegar), both based on the Oil and Vinegar signature scheme; Rainbow was found to be vulnerable and was therefore dropped from the NIST competition (Beullens, 2022). Other multivariate signatures are GeMMS (Great Multivariate Short Signature) (Tao et al., 2020), which was dropped from the NIST competition after the third round, and MQDSS (Multivariate Quadratic Digital Signature Scheme), which was dropped after the second round.

Graph-based: PCC

PCC (Perfect Code Cryptosystem) is based on combinatorics, relying on the difficulty of determining perfect dominating sets in given graphs (Ryu et al., 2024). However, this approach is still inefficient in terms of memory and speed, and hence it has received little research attention so far.

Quantum computing cyber threats for critical infrastructures

Critical infrastructure refers to the essential infrastructure that provides states with their vital needs. Sectors like health, energy, finance, transportation and telecommunications are all part of critical infrastructure, as these sectors are necessary components of a modern functioning society (Viganó et al., 2020). Critical infrastructures are essential to a functioning economy, as they provide key social and economic resources (del Moral et al., 2024). In particular, combinations of AI and QC pose cyber threats to critical infrastructures, raising ethical questions in national security (Viganó et al., 2020).

Operational technology refers to hardware and software used to monitor and control physical assets in an industrial network environment (Knapp, 2024). The lifetime of OT devices is usually much longer than the lifetime of IT devices. OT devices can be used even for decades before being replaced by new units. Every critical infrastructure includes OT devices. Critical infrastructures are dependent on each other, so malfunctioning in one sector may lead to issues in other sectors. For instance, interruptions in the energy sector could lead to power outages in other critical sectors (Stouffer et al., 2023).

OT device communication environments often include legacy components that are computationally slow (del Moral et al., 2024). Therefore, implementing cryptosystems is challenging, even more so with the rise of quantum computers. Implementing new PQC algorithms in OT systems is difficult because older hardware may not be able to support the algorithms under the strict availability requirements. The new PQC algorithms require more computing power than the currently widely used public-key cryptography that is vulnerable to quantum computing. Too much latency in some operations of OT systems may cause failures, so it is vital that the hardware is computationally capable of processing the relevant PQC algorithms within a given time limit (del Moral et al., 2024).

Critical infrastructures are progressively more connected to the internet. Many programmable logic controllers (PLCs) can be accessed directly from the internet, increasing the risk of unauthorized access to the PLCs (Rashid et al., 2019). Code signing is used by publishers, for example, to sign their applications and firmware so that end users can be confident that the code is of authentic origin. If threat actors can forge valid digital signatures, they can assume the publisher's role and distribute the publisher's software infected with malicious code (Tan et al., 2022).

In embedded systems, secure boot validates the certificates of images, such as the boot loader, that are run during the boot process, before the code in the images is executed (Marzougui & Krämer, 2019). If the digital signature scheme is compromised, a third party with access to an advanced quantum computer can create authentic certificates for any image, and those images will pass secure boot certificate validation.

The upcoming standardized PQC algorithms are designed from an information technology perspective, so the adaptability and availability requirements of OT have received less attention in the algorithm design processes. Lattice-based PQC algorithms may be the best choice for OT devices in the critical infrastructure sector because of their low computational costs and small key sizes compared to PQC algorithms based on other hard problems. Future OT hardware chips can be designed to implement certain PQC algorithms for optimized efficiency, but if any of the implemented algorithms are later found to be vulnerable, all the chips must be replaced, which will result in high financial costs. (del Moral et al., 2024.)

OT systems are becoming more like IT systems as capabilities and technology from IT are being applied to OT systems. Because of this, OT environments are starting to become more connected to external environments, which increases the amount of security risks (Stouffer et al., 2023).

Possible OT incidents include blocking the information flow between systems and modifying that flow. OT environments increasingly use wireless connections to transfer information, so physical access to the environment is not required to interfere with the flow of information, because wireless traffic can be captured and tampered with from a distance (Stouffer et al., 2023). However, much general OT traffic and wireless traffic may be beyond the reach of quantum computers, since those systems most likely do not use the vulnerable public-key algorithms.

Some end devices in IoT (internet of things) environments may have limited computational power, meaning the devices might not be able to encrypt the data they forward to the cloud. Resource-efficient edge nodes can encrypt the data before it is sent to the cloud over the internet. Less resource-intensive but secure implementations of PQC algorithms are being developed for IoT to make data transmission quantum resistant (Karakaya & Ulu, 2024). In this context, lattice-based approaches have been highlighted, and Mani et al. (2024) note that important areas for improving security are supply chains, protected patch management, cyberattacks, authentication and validation processes, and secure transactions. Critical infrastructures that show vulnerabilities and security risks include Supervisory Control and Data Acquisition (SCADA) systems in Industrial Control Systems (Alqudhaibi et al., 2023). One promising approach for critical infrastructures is hardware-enforced cyber security (Szymanski, 2024).

Conclusions

In this article, we discussed recent PQC algorithms, their relevance to critical infrastructures, and the NIST standardization process in PQC. Countermeasures against cyber threats in critical infrastructures are crucial because of the importance of these infrastructures for societal and economic stability. Weak legacy components still pose a great risk of successful cyber attacks and need to be considered when improving environments like OT systems. PQC algorithms are still under investigation and the NIST standardization process is ongoing. Currently, new algorithms are being submitted and tested; some have been proven vulnerable, like SIDH, and some have been selected for standardization, like CRYSTALS-Kyber, CRYSTALS-Dilithium, Falcon and SPHINCS+. Research in this field is essential because of the urgency created by the potential construction of large-scale quantum computers, which will break current public-key cryptosystems. NIST is preparing for that era to come.

Finnish Future Farm

Finnish Future Farm brings together smart farming technologies, national and international networks, funding, and solutions in Saarijärvi, Central Finland. One of the project’s key goals is to develop the Bioeconomy Campus into a centre of excellence and meeting place for smart agriculture, promoting the adoption of new precision farming technologies and methods.

The project also supports international collaboration and innovation through a startup community and accelerator ecosystem focused on smart agriculture.

The project runs from 1 September 2023 to 30 June 2026, and is primarily funded by the Just Transition Fund (JTF) granted by the Regional Council of Central Finland.
