Beijing wants its own quantum-resistant encryption standards rather than adopt NIST’s

China is reportedly planning to develop its own national post-quantum cryptography standards within the next three years, even as most of the world has already begun migrating to those finalized by the US in 2024.

Post-quantum cryptography deals with algorithms that can protect data from the threat posed by future quantum computers, which are expected to be able to decrypt data encrypted with legacy algorithms far faster than conventional computers. Governments are pushing for their widespread adoption today to reduce the scope for so-called “harvest now, decrypt later” attacks.

Chinese post-quantum cryptography experts have focused on a different type of algorithm to those favored elsewhere, said Wang Xiaoyun, a professor at Tsinghua University’s Institute for Advanced Study, on the sidelines of the National People’s Congress in Beijing last week, Reuters reported.

The algorithms could be ready within three years, and finance and energy would be priority sectors for migration, given the sensitivity of their data.

China is not simply adopting what the rest of the world is implementing, Wang said, because its researchers have focused on structureless lattice algorithms, which they think are stronger than the algebraic lattice designs used elsewhere. The latter “have some degree of security degradation” while structureless lattice algorithms “basically do not have this problem,” she said, according to the Reuters report.

The US, UK, EU, and Australia have all aligned on three standards published by the US National Institute of Standards and Technology (NIST), namely ML-KEM, ML-DSA, and SLH-DSA, and have set migration deadlines between 2030 and 2035. The UK’s National Cyber Security Centre has advised organizations to identify vulnerable systems by 2028 and complete full transition by 2035.

Meanwhile, China’s Institute of Commercial Cryptography Standards launched a global call for post-quantum algorithm proposals in February 2025. No algorithm selections have been announced. If Wang’s three-year estimate holds, China’s standards would arrive roughly five years after NIST’s.

Serious concern

Wang is not an outsider raising a fringe concern. She is the cryptographer who demonstrated collision attacks against MD5 and SHA-1 in 2004 and 2005, two hash functions the broader community had considered secure. Her work triggered their phase-out from most major software systems. Her track record matters here.

“When she raises questions about algebraic lattices, it is not some nationalist talking point or fringe theory,” said Dr. Arindam Sarkar, head of computer science and electronics at Ramakrishna Mission Vidyamandira, India. “It comes from someone who has a track record of finding weaknesses that everyone else missed.”

Sarkar explained the underlying concern. “Structured lattices have patterns that could potentially be exploited in the future,” he said. “It is like having a lock that follows a predictable pattern versus one that is deliberately irregular. The patterned lock might be perfectly secure today, but if someone figures out the underlying pattern twenty years from now, trouble follows.”

NIST itself hedged against the possibility of lattice weaknesses: In March 2025, it selected HQC, a code-based algorithm built on different mathematics, as a backup fourth standard. Dustin Moody, a mathematician who heads NIST’s Post-Quantum Cryptography project, said at the time: “We want to have a backup standard that is based on a different math approach than ML-KEM. As we advance our understanding of future quantum computers and adapt to emerging cryptanalysis techniques, it’s essential to have a fallback in case ML-KEM proves to be vulnerable.”

Security, sovereignty, or both

China’s preference for domestic cryptographic standards is not new. It has previously developed its own classical encryption algorithms and mandated their use domestically, requiring foreign technology companies operating in China to support them alongside international standards, according to an analysis published by the Post-Quantum Cryptography Coalition.

Sarkar said the motivations behind China’s structureless lattice push are not purely technical. “Every major technological power wants some degree of cryptographic independence,” he said. “The security arguments are genuine, but so is the desire to control your own destiny. That does not make the Chinese approach invalid. It makes them a normal player in a world where cryptography is increasingly strategic.”

The harvest window problem

Security agencies and financial regulators assess that nation-state actors are already intercepting and storing encrypted data today, intending to decrypt it once capable quantum computers arrive. The Federal Reserve has assessed this “Harvest Now, Decrypt Later” threat as a live data-privacy risk. The National Endowment for Democracy has specifically identified China as conducting such operations. NIST has warned that sensitive data “retains its value for many years,” making early migration critical.

“The five-year gap creates a genuinely difficult position for anyone operating in China,” Sarkar said. “Do you deploy NIST algorithms now to protect against immediate harvest threats, knowing they might not satisfy future Chinese compliance requirements? Or do you wait for Chinese standards and leave that harvest window wide open?”

Don’t wait

Sarah Almond, director analyst at Gartner, said the compliance challenge extends beyond China. “Many regions globally are adopting NIST PQC standards,” she said. “China is one region, among others, which are launching its own PQC standardization initiatives. But it is not new for certain regions to adopt their own cryptographic standards.” Enterprises assessing vendor quantum readiness, Almond said, should ask whether support for regional standards will be provided in base products, as a paid feature, or not at all.

Sarkar advised against waiting. “Start hybrid deployments immediately,” he said. “Layer NIST-approved post-quantum algorithms alongside your existing classical cryptography. Build systems that can swap out algorithms as requirements become clearer. The worst possible position is to be frozen, doing nothing, while that harvest clock keeps ticking.”
