Post-Quantum Cryptography: Essential Research Papers Index

Expert technical analysis on quantum computing, post-quantum cryptography, and quantum-safe infrastructure for Ireland and the EU.

By Michael English, Co-Founder & CTO, IMPT.io  ·  Clonmel, Co. Tipperary, Ireland

Reading list for Irish and EU technology professionals navigating the post-quantum transition




Introduction

Post-quantum cryptography has a rich academic literature spanning 30 years, from Peter Shor's foundational quantum algorithms to the NIST standardisation documents published in August 2024. This index organises the key papers by category, with summaries and relevance notes for practitioners.

I maintain this list as part of my ongoing work on quantum-safe infrastructure at IMPT.io. If you're building quantum-safe systems or advising organisations on PQC migration, these papers form the intellectual foundation you need.


Category 1: Foundational Quantum Algorithms

1.1 Shor's Algorithm

Shor, P.W. (1994). "Algorithms for quantum computation: discrete logarithms and factoring."

Proceedings 35th Annual Symposium on Foundations of Computer Science, IEEE. pp. 124–134.

DOI: 10.1109/SFCS.1994.365700

Summary: The paper that started everything. Shor presents polynomial-time quantum algorithms for integer factorisation and discrete logarithm computation, breaking the security foundations of RSA and ECC. The algorithm uses the quantum Fourier transform to find the period of a specific modular function, from which a factor (or the discrete logarithm) is recovered classically.

Why it matters: Every post-quantum cryptography development traces back to this paper. Understanding Shor's algorithm at a high level is essential for explaining the quantum threat to non-technical stakeholders.


1.2 Grover's Algorithm

Grover, L.K. (1996). "A fast quantum mechanical algorithm for database search."

Proceedings of the 28th Annual ACM Symposium on Theory of Computing (STOC), pp. 212–219.

DOI: 10.1145/237814.237866

Summary: Grover's unstructured search algorithm provides quadratic speedup, reducing brute-force search from O(N) to O(√N). Applied to symmetric key search, this halves effective key length (AES-128 → 64-bit quantum security). The symmetric cryptography mitigation is straightforward: use AES-256, SHA-3, and BLAKE3.

Why it matters: Explains why symmetric cryptography is not completely quantum-broken — only weakened, and fixable by doubling key sizes.


1.3 Quantum Error Correction

Calderbank, A.R. & Shor, P.W. (1996). "Good quantum error-correcting codes exist."

Physical Review A, 54(2), 1098–1105.

DOI: 10.1103/PhysRevA.54.1098

Summary: Demonstrates that quantum information can be protected from decoherence and gate errors using classical error-correcting code techniques adapted to quantum systems. Established the theoretical foundation for fault-tolerant quantum computing.

Why it matters: Without quantum error correction, large-scale quantum computers cannot run Shor's algorithm reliably. This paper proves it's theoretically possible.


Category 2: Lattice Hardness Foundations

2.1 Worst-Case to Average-Case Lattice Reduction

Ajtai, M. (1996). "Generating hard instances of lattice problems."

Proceedings of the 28th Annual ACM Symposium on Theory of Computing (STOC), pp. 99–108.

DOI: 10.1145/237814.237838

Summary: Proves that solving random instances of the Short Integer Solution (SIS) problem is as hard as solving the Shortest Vector Problem (SVP) in the worst case. This worst-case to average-case reduction is what makes lattice-based cryptography unusual: the average-case instances a scheme actually uses are provably no easier than the hardest instances of the underlying lattice problem.

Why it matters: The security guarantee underlying ML-KEM and ML-DSA is stronger in kind than RSA's — RSA's security rests on average-case factoring hardness, while lattice schemes inherit worst-case hardness. Ajtai's reduction is why we can trust lattice cryptography. Note that the reduction is asymptotic; the concrete parameter sets are still sized against the best known lattice-reduction attacks (see 4.3 on BKZ).


2.2 Learning With Errors

Regev, O. (2005). "On lattices, learning with errors, random linear codes, and cryptography."

Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC), pp. 84–93.

DOI: 10.1145/1060590.1060603

Also published in Journal of the ACM, 56(6), 2009.

Summary: Introduces the Learning With Errors (LWE) problem and proves, via a quantum reduction, that solving it on average is as hard as solving worst-case lattice problems (SVP variants). Presents a public-key encryption scheme based on LWE. Won the 2018 Gödel Prize. Arguably the most important paper in modern cryptography.

Why it matters: LWE is the mathematical foundation of ML-KEM (FIPS 203) and ML-DSA (FIPS 204). Regev's reduction to worst-case quantum-hard lattice problems is the bedrock security guarantee.


2.3 Ring-LWE

Lyubashevsky, V., Peikert, C., & Regev, O. (2013). "On ideal lattices and learning with errors over rings."

Journal of the ACM, 60(6), Article 43.

DOI: 10.1145/2535925

Summary: Extends LWE to polynomial rings, enabling Number Theoretic Transform (NTT) acceleration of cryptographic operations. Provides a quantum worst-case hardness reduction for Ring-LWE from problems over ideal lattices. Foundational for all ring/module lattice cryptography.

Why it matters: Module-LWE (used in ML-KEM and ML-DSA) is a direct extension of Ring-LWE. This paper explains why the NTT optimisations are possible and why they don't weaken security.


Category 3: NIST Standardised Algorithms

3.1 CRYSTALS-Kyber (ML-KEM)

Bos, J., Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schanck, J.M., Schwabe, P., Seiler, G., & Stehlé, D. (2018). "CRYSTALS – Kyber: A CCA-Secure Module-Lattice-Based KEM."

2018 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 353–367.

DOI: 10.1109/EuroSP.2018.00032

Summary: The original CRYSTALS-Kyber paper presenting the algorithm now standardised as ML-KEM in FIPS 203. Describes the module lattice structure, the Fujisaki-Okamoto transformation achieving IND-CCA2 security, and performance benchmarks.

Why it matters: The primary reference for understanding ML-KEM's construction, security proofs, and design decisions. Essential reading for implementers.


3.2 CRYSTALS-Dilithium (ML-DSA)

Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schwabe, P., Seiler, G., & Stehlé, D. (2018). "Crystals-Dilithium: A Lattice-Based Digital Signature Scheme."

IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES), 2018(1), pp. 238–268.

DOI: 10.13154/tches.v2018.i1.238-268

Summary: Presents CRYSTALS-Dilithium, now standardised as ML-DSA (FIPS 204). Based on the Fiat-Shamir with Aborts paradigm, using Module-LWE and Module-SIS for security. Details parameter selection for three security levels and performance analysis.

Why it matters: The specification reference for ML-DSA implementations. Contains the security proofs and implementation guidance for the signature scheme replacing ECDSA.


3.3 SPHINCS+ (SLH-DSA)

Bernstein, D.J., Hülsing, A., Kölbl, S., Niederhagen, R., Rijneveld, J., & Schwabe, P. (2019). "The SPHINCS+ Signature Framework."

Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS).

DOI: 10.1145/3319535.3363229

Summary: Presents SPHINCS+, now standardised as SLH-DSA (FIPS 205). A stateless hash-based signature scheme combining W-OTS+ one-time signatures with a hypertree structure. Security reduces only to hash function properties, providing algorithm-diversity value.

Why it matters: The specification for SLH-DSA, whose security depends entirely on hash function hardness — no lattice assumptions. Valuable as a diversity option alongside ML-DSA.


Category 4: Attacks and Security Analysis

4.1 RSA Quantum Factoring Resource Estimates

Gidney, C. & Ekerå, M. (2021). "How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits."

Quantum, 5, 433.

DOI: 10.22331/q-2021-04-15-433

Summary: The most important recent paper for understanding the requirements of a cryptographically relevant quantum computer (CRQC). Provides concrete, refined estimates of the quantum resources needed to break RSA-2048: approximately 20 million physical qubits (at realistic noise levels) running for 8 hours. Significantly lowers earlier estimates, which were based on less optimised circuits and error-correction overheads.

Why it matters: Gives practitioners a concrete target against which to assess current quantum hardware progress. The 20 million qubit threshold is the benchmark for all CRQC timeline discussions.


4.2 Quantum Attacks on Elliptic Curves

Roetteler, M., Naehrig, M., Svore, K.M., & Lauter, K. (2017). "Quantum Resource Estimates for Computing Elliptic Curve Discrete Logarithms."

ASIACRYPT 2017, Lecture Notes in Computer Science, vol. 10625.

DOI: 10.1007/978-3-319-70697-9_6

Summary: Provides resource estimates for quantum computers attacking ECDLP for various standard curves. For P-256 (secp256r1) and secp256k1 (Bitcoin/Ethereum): approximately 2,330 logical qubits needed. Confirms all standard elliptic curves are eventually quantum-vulnerable.

Why it matters: Quantifies the quantum threat to blockchain and TLS authentication infrastructure specifically, enabling risk prioritisation.


4.3 BKZ Algorithm Analysis

Chen, Y. & Nguyen, P.Q. (2011). "BKZ 2.0: Better Lattice Security Estimates."

ASIACRYPT 2011, Lecture Notes in Computer Science, vol. 7073.

DOI: 10.1007/978-3-642-25385-0_1

Summary: Updated analysis of the BKZ algorithm for lattice basis reduction, providing better security estimates for lattice-based cryptography. BKZ 2.0 analysis informs ML-KEM and ML-DSA parameter selection to ensure adequate security margins.

Why it matters: Understanding BKZ complexity estimates is essential for evaluating lattice cryptography security levels and choosing appropriate parameter sets.


Category 5: Protocol Integration

5.1 Hybrid Key Exchange in TLS 1.3

Stebila, D., Fluhrer, S., & Gueron, S. (2023). "Hybrid key exchange in TLS 1.3."

Internet Engineering Task Force (IETF) Draft: draft-ietf-tls-hybrid-design-10

Available at: https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/

Summary: Specifies how to combine classical ECDH with a post-quantum KEM in a single TLS 1.3 key exchange, concatenating both shared secrets so the session remains secure if either component holds. Provides the framework behind the X25519MLKEM768 hybrid key-exchange group now deployed by Google Chrome and Cloudflare. Includes security analysis of the hybrid construction.

Why it matters: The practical deployment specification for adding post-quantum protection to HTTPS. Following this standard ensures interoperability with Chrome, Firefox, and edge networks.


5.2 Post-Quantum X.509 Certificates

Ounsworth, M., et al. (2024). "Internet X.509 Public Key Infrastructure: Algorithm Identifiers for ML-DSA."

IETF Draft: draft-ietf-lamps-dilithium-certificates

Available at: https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/

Summary: Defines Object Identifiers (OIDs) and encoding formats for ML-DSA keys and signatures in X.509 certificates. Essential for deploying PQC in PKI infrastructure.

Why it matters: Without standardised OIDs for ML-DSA, certificate authorities cannot issue PQC certificates and TLS stacks cannot parse them. This draft defines the glue between FIPS 204 and real-world PKI.


Category 6: EU and Irish Policy Documents

6.1 ENISA PQC Integration Study

European Union Agency for Cybersecurity (ENISA). (2021). "Post-Quantum Cryptography: Current State and Quantum Mitigation."

Available at: https://www.enisa.europa.eu/publications/post-quantum-cryptography-integration-study

Summary: Comprehensive EU assessment of the PQC landscape, migration challenges, and recommendations for EU organisations. Covers cryptographic inventory methodology, algorithm selection guidance, and sector-specific migration priorities.

Why it matters: The primary EU regulatory guidance document for PQC migration. Directly relevant to NIS2 and DORA compliance in Ireland.


6.2 NCSC Ireland Quantum Advisory

National Cyber Security Centre Ireland. (2023). "Post-Quantum Cryptography: Threat Advisory Notice."

Available at: https://www.ncsc.gov.ie/

Summary: Ireland-specific guidance on quantum threats and mitigation, aligned with ENISA and UK NCSC recommendations. Recommends cryptographic inventories for public sector bodies and adoption of NIST finalised algorithms.

Why it matters: The Irish government's official position on quantum risk. Essential for any Irish organisation documenting its regulatory compliance posture.


6.3 NSA CNSA Suite 2.0

National Security Agency. (2022). "Commercial National Security Algorithm Suite 2.0 (CNSA 2.0)."

NSA Cybersecurity Advisory CSA-NSA-22-091

Available at: https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSACNSA2.0ALGORITHMS.PDF

Summary: NSA's mandatory cryptographic requirements for US National Security Systems, mandating PQC adoption by 2025–2033 across different system types. The most aggressive and binding government PQC mandate published.

Why it matters: Sets the global benchmark for migration timelines. Irish government and defence-adjacent organisations should treat CNSA 2.0 timelines as upper bounds.


Category 7: Quantum Hardware Progress

7.1 Google Quantum Supremacy

Arute, F., et al. (Google AI Quantum). (2019). "Quantum supremacy using a programmable superconducting processor."

Nature, 574, 505–510.

DOI: 10.1038/s41586-019-1666-5

Summary: Google's demonstration of quantum advantage on a 53-qubit Sycamore processor: a specific random circuit sampling task completed in 200 seconds vs. ~10,000 years for classical supercomputers. Scientifically contested by IBM but broadly accepted as a genuine milestone.

Why it matters: The first credible claim of quantum advantage over classical computers. Not a cryptographic threat, but signals genuine quantum hardware progress.


7.2 Google Willow — Quantum Error Correction Breakthrough

Acharya, R., et al. (Google Quantum AI). (2024). "Quantum error correction below the surface code threshold."

Nature (published online December 2024).

Summary: Google's 105-qubit Willow processor achieves below-threshold quantum error correction: logical error rates decrease as code distance increases, for the first time in superconducting systems. A critical prerequisite for fault-tolerant quantum computing.

Why it matters: Below-threshold QEC removes a fundamental barrier to building a CRQC. While 20 million physical qubits remain far beyond current hardware, Willow's demonstration that QEC works in practice moves the CRQC from a theoretical question to an engineering challenge.


How to Use This Reading List

For executives and board members: Read sections 1.1 (Shor), 6.1 (ENISA), and 6.2 (NCSC Ireland). These three documents establish the threat, the EU regulatory expectation, and Ireland's specific guidance.

For CISOs and security architects: Add 2.2 (LWE by Regev), 4.1 (Gidney & Ekerå on CRQC requirements), and 5.1 (Hybrid TLS). These give you the technical depth to make algorithm selection and migration architecture decisions.

For developers and engineers: Focus on sections 3.1–3.3 (the algorithm papers) and 5.1–5.2 (protocol integration). These contain the implementation details.

For policy and compliance: Sections 6.1–6.3 are your primary references for regulatory alignment.


Michael English maintains this research index as part of IMPT.io's quantum security programme. Papers are selected for practical relevance to Irish and EU enterprise security practitioners.

impt.io | Based in Clonmel, Co. Tipperary, Ireland


Michael English — Co-Founder & CTO, IMPT.io

Michael English is Co-Founder & CTO of IMPT.io, a blockchain-based carbon credit platform operating across the EU. He writes on quantum computing, carbon markets, AI, and sustainable technology infrastructure. Based in Clonmel, Co. Tipperary, Ireland.

impt.io  ·  mike-english.com