up:: 00 Field Guide Map

Foundations

Foundations is the groundwork the rest of the Field Guide stands on: what security actually means, and how the cryptography that protects the modern world really works. Security comes down to three promises about a piece of information, that only the right people can read it (confidentiality), that nobody altered it without you knowing (integrity), and that it genuinely came from who it claims to (authentication). Cryptography is the math that keeps those promises.

It divides into two big families, symmetric cryptography built on a single shared secret and public-key cryptography built on a matched public/private pair, stitched together by hash functions, digital signatures, key-encapsulation, and the certificate system called PKI. Almost the entire quantum transition is a story about replacing one of those two families, the public-key half, while the symmetric half carries forward with minor adjustments. If cryptography has always felt like a black box, this is the section that opens it.

Map of content

A short overview of the cryptographic groundwork, and the index that routes you to every note in this section. Skim it to get oriented, then follow the links to go deep.

The short version:

  • Security is three promises about information: confidentiality (only the right people read it), integrity (nobody altered it undetected), and authentication (it came from who it claims). Cryptography is how those promises get kept.
  • Cryptography has two families. Symmetric uses one shared secret and is fast, so AES-256 does the bulk encrypting; public-key uses a matched public/private pair, so RSA and ECDH let strangers agree on secrets and prove identity.
  • The building blocks are encryption (secrecy), hashing (tamper-evident fingerprints), signatures (proof of origin), key exchange and KEMs (agreeing a secret over an open line), and KDFs (turning a raw secret into usable keys).
  • PKI is the trust layer: signed certificates that bind a public key to an identity, chained up to a handful of roots your device already trusts. Every HTTPS padlock rests on it.
  • The quantum threat is lopsided. Shor’s algorithm breaks the public-key family outright, and Grover’s algorithm only dents the symmetric family, so the whole transition is a public-key replacement job, best done with crypto-agility so the next change is easy too.

What lives here, and how the pieces fit together

Two hubs sit under this one, and you read them in order:

  1. Security Basics answers the plainest question underneath everything else: what are we protecting, and what does “secure” even mean? This is where confidentiality, integrity, availability, and authentication get defined, the goals that every lock in the Guide exists to serve.
  2. Classical Cryptography is the locks themselves: symmetric ciphers, public-key cryptography, hashing, signatures, and the certificate system behind the padlock icon, in plain terms, with a note on which ones the quantum threat comes for.

You need Security Basics to understand why the quantum threat matters, and Classical Cryptography to understand what it breaks. Everything in The Threat is aimed squarely at the locks you meet here. The rest of this page is the guided tour that ties the two together, from the goals down to the mechanisms and back up to what quantum actually touches.

What does “security” actually mean?

Security is the practice of keeping information confidential, unaltered, and provably from its claimed source, and it is usually framed as three goals that every control serves one of. NIST categorizes information systems against exactly these three properties, which is why they are the vocabulary the whole field speaks:

  1. Confidentiality means only authorized people can read the data. Encryption is the main tool here. This is the promise a stolen laptop or an intercepted message breaks.
  2. Integrity means the data has not been altered, and any change is detectable. Hashes and signatures do this work. This is the promise a tampered software update or a forged record breaks.
  3. Availability means the data and the system are there when you need them. Backups, redundancy, and resilience serve it. A ransomware lockout or a denial-of-service flood breaks this one.

Sitting on top of the three is authentication, the question of whether a person, a message, or a server really is who or what it claims to be. Authentication is the thread that lets confidentiality and integrity mean anything in practice, because encrypting a message to the wrong party, or trusting a signature from an impostor, defeats the point. Together these ideas are known as the CIA triad plus authentication, and they are the lens the rest of the Guide looks through.

Here is why this framing matters before a single algorithm appears. A quantum computer is frightening precisely because it quietly dissolves two of these promises at once. It attacks confidentiality, by making today’s recorded traffic decryptable in the future, and it attacks authentication and integrity, by letting an attacker forge the signatures that prove identity. The math is almost beside the point. The reason to care is that the two things security exists to protect, secrecy and trust, are the two things quantum comes for.

Source: NIST, “Standards for Security Categorization of Federal Information and Information Systems,” FIPS 199, February 2004, csrc.nist.gov/pubs/fips/199/final.

What is cryptography, and what does it protect?

Cryptography is the use of hard mathematical problems to enforce the security goals above, turning “only the right people can read this” and “prove this came from you” from wishes into guarantees backed by math. A cryptographic algorithm is a recipe that is easy to run in the intended direction and infeasible to reverse without the right secret, and that one-way gap is where all the protection lives. Encryption enforces confidentiality, hashes and signatures enforce integrity and authentication, and key exchange sets up the secrets the rest of it needs.

The word “infeasible” is doing real work in that definition. Cryptography almost never proves that breaking a scheme is impossible; it rests on problems believed to be so expensive to solve that no attacker can afford it within the lifetime of the data. Factoring a 2048-bit RSA number would take a classical computer longer than the age of the universe, so RSA is safe against classical attack, though not proven unbreakable. That distinction between “believed hard” and “proven impossible” is the seam the quantum threat pries open: a quantum computer makes some of those believed-hard problems suddenly cheap, which is a change in the assumption rather than a bug in the code.

Everything from here down is the machinery cryptography uses to keep the three promises, starting with the single most useful distinction in the field.

What’s the difference between symmetric and public-key cryptography?

Symmetric cryptography uses one shared secret key that both sides hold, and public-key cryptography uses a matched pair where a public key is shared openly and a private key is kept secret. Hold that one split and the whole field organizes itself, because the two families do different jobs, rest on different math, and meet very different fates under a quantum computer.

Symmetric cryptography is fast and does the heavy lifting of actually encrypting data, but it has one classic problem: two strangers who have never met cannot use it until they somehow agree on that shared secret, and sending the secret over an open line just hands it to any eavesdropper watching. Public-key cryptography exists to solve exactly that problem. With a public/private key pair, two strangers can agree on a secret across a channel anyone can watch, and the same math also lets one party prove its identity with a signature that anyone can check. The tradeoff is speed: public-key operations are far slower, so real systems use public-key cryptography only to bootstrap trust and a shared key, then hand the bulk work to fast symmetric encryption.

Symmetric cryptographyPublic-key (asymmetric) cryptography
KeysOne shared secret, held by both sidesA matched pair, public key shared, private key secret
SpeedFast, built for bulk dataSlow, used sparingly to set up trust and keys
Core jobEncrypting the actual data (confidentiality)Agreeing a shared key and proving identity (authentication)
ExamplesAES-256, SHA-256-based constructionsRSA, ECDH, DH, ECC
Rests onA key too large to search by brute forceA number-theory problem: factoring or the discrete log
Quantum attackGrover’s algorithm (square-root speedup)Shor’s algorithm (breaks it outright)
Quantum fixUse a bigger key (AES-256), and you are doneReplace the algorithm entirely with a post-quantum standard

Sources: NIST, “Advanced Encryption Standard (AES),” FIPS 197, updated May 2023, csrc.nist.gov/pubs/fips/197/final.

R. Rivest, A. Shamir, and L. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” Communications of the ACM, 1978, ACM.

What are the building blocks of modern cryptography?

Modern security is assembled from a small set of primitives, each doing one narrow job, and understanding what each one is for is most of the battle. There are only about seven you meet everywhere, and they compose like parts of a machine:

  1. Encryption scrambles data so only a key holder can read it, serving confidentiality. Symmetric encryption (AES-256) does the bulk of it; public-key encryption exists mainly to move keys around.
  2. Hash functions turn any input into a fixed-size fingerprint (a digest) that is fast to compute forward and infeasible to reverse. SHA-256 is the everyday default. Hashing proves data is intact, and it is keyless, so it hides nothing on its own.
  3. Message authentication codes (MACs) wrap a hash with a shared secret so two parties can confirm a message is both intact and from someone holding the key. HMAC is the standard construction.
  4. Digital signatures are the public-key version of a MAC. Signing with a private key and verifying with the public key proves authenticity, integrity, and non-repudiation, so any stranger can check the proof without sharing a secret. RSA and ECDSA sign the certificates behind every padlock.
  5. Key exchange and KEMs let two parties agree on a shared secret over an open channel. ECDH is the classical workhorse, and a KEM is the cleaner interface the post-quantum standard ML-KEM is built on.
  6. Key derivation functions take that raw shared secret and cast it into one or more clean, correctly-sized keys the cipher can actually use. HKDF is the common one, and it is the exact spot where hybrid post-quantum handshakes fuse a classical and a post-quantum secret.
  7. PKI and certificates are the trust layer that binds a public key to a real identity with a signed X.509 certificate, so your browser knows the key it just received really belongs to your bank.
Building blockThe job it doesEveryday exampleQuantum status
Encryption (symmetric)Keep data secretAES-256 on a hard drive or a sessionSurvives, Grover only halves the margin
Hash functionFingerprint data to prove it is intactSHA-256 on a downloaded fileSurvives, no Shor-style break exists
MACProve a message is intact and from a key holderHMAC on an API requestSurvives, hash-based
Digital signatureProve who produced somethingRSA / ECDSA on a certificateBroken, Shor recovers the private key
Key exchange / KEMAgree a shared secret over an open lineECDH in a TLS handshakeBroken, Shor recovers the secret
Key derivation (KDF)Turn a raw secret into usable keysHKDF inside TLS 1.3Survives, hash-based
PKI / certificatesBind a public key to an identityX.509 behind the HTTPS padlockBroken, it runs on signatures

Sources: NIST, “Secure Hash Standard (SHS),” FIPS 180-4, August 2015, csrc.nist.gov/pubs/fips/180-4/final.

NIST, “Recommendations for Key-Encapsulation Mechanisms,” SP 800-227, September 2025, csrc.nist.gov.

IETF, “Internet X.509 Public Key Infrastructure Certificate and CRL Profile,” RFC 5280, May 2008, RFC 5280.

How do these pieces combine to secure a real connection?

The pieces almost never work alone. A single ordinary event, loading an HTTPS page, uses nearly all of them together, and watching one TLS handshake is the fastest way to see how the machine fits. When your browser connects to your bank:

  1. PKI proves identity. The server sends its X.509 certificate, and your browser checks the chain of signatures up to a root certificate authority it already trusts, confirming this really is your bank and not an impostor.
  2. A signature authenticates the handshake. The server signs the handshake with the private key its certificate vouches for, which stops an attacker in the middle from impersonating it.
  3. Key exchange agrees a secret. Both sides run an ephemeral ECDH exchange (or a KEM in the post-quantum version) to derive a shared secret over the open connection, without ever sending that secret across it.
  4. A KDF turns the secret into keys. The raw shared secret is fed through a key derivation function, the HKDF-based TLS 1.3 key schedule, which casts it into the actual symmetric keys the session will use.
  5. Symmetric encryption does the work. Every request and response after that is encrypted with fast AES-256 under those derived keys, with a MAC-like check proving each record is intact.
  6. Forward secrecy limits the damage. Because the key exchange in step 3 is ephemeral and thrown away when the session ends, stealing the server’s long-term key next year unlocks none of this year’s recorded traffic.

That single handshake shows the division of labor cleanly: public-key cryptography and PKI establish trust and a shared key, then hand off to symmetric cryptography for the bulk work. It also previews the quantum problem exactly, because steps 1 through 3 all rest on the public-key math Shor’s algorithm breaks, while step 5 rests on the symmetric math that survives.

Source: E. Rescorla, “The Transport Layer Security (TLS) Protocol Version 1.3,” RFC 8446, August 2018, datatracker.ietf.org.

What is PKI, and why does trust need its own infrastructure?

Public Key Infrastructure is the trust system that lets a computer believe a public key genuinely belongs to a claimed identity, by wrapping that key in a certificate a trusted authority has signed and chaining certificates up to a small set of roots the verifier already trusts. Public-key cryptography lets anyone encrypt to your public key or verify your signatures, but only if they have the correct key, and PKI is the system that delivers the correct one and proves it.

The mechanics are a chain of signatures. A root CA is trusted directly, its key baked into your operating system and browser. The root signs intermediate CAs, which sign end-entity certificates for specific sites and devices. Your browser believes a website because it can trace each signature in that chain back to a root in its trust store. Break any signature in the chain and everything below it becomes forgeable, which is why the keys at the top of the chain are the ones that matter most.

PKI earns its own hub because it is the highest-stakes surface in the whole transition. A single CA signing key vouches for a huge population of certificates, and its matching public key is already published in trust stores and handshakes by design. A quantum computer running Shor’s algorithm recovers the private key from that published public key, which lets an attacker forge certificates for any name at all, the failure known as PKI collapse. The deep mechanics live in the PKI note; the point for Foundations is that trust does not happen by accident, it runs on an infrastructure of signatures, and that infrastructure is what the quantum threat aims at.

Source: IETF, “Internet X.509 Public Key Infrastructure Certificate and CRL Profile,” RFC 5280, May 2008, RFC 5280.

Which of these does the quantum threat actually break?

The quantum threat is lopsided, and this is the single most important thing to carry out of Foundations: a quantum computer breaks the public-key family outright and only dents the symmetric family, so “quantum breaks all encryption” aims the alarm at the wrong layer. Two different quantum algorithms explain the split:

  1. Shor’s algorithm gives an exponential speedup against the specific number-theory problems public-key cryptography rests on, factoring and the discrete logarithm. It dissolves those problems entirely, so RSA, ECDH, DH, and ECDSA stop working at every key size. Bigger keys do not help, because Shor’s cost grows only slowly with key length.
  2. Grover’s algorithm gives only a square-root speedup against blind brute-force search, which halves the effective strength of a symmetric key or a hash. That takes AES-256 from 256-bit down to about 128-bit security, which stays far out of reach, and it is answered by using a bigger key rather than a new algorithm.
LayerExampleQuantum attackResultThe fix
Public-key encryption / key exchangeRSA, ECDHShorBroken outrightReplace with ML-KEM
Digital signaturesRSA, ECDSAShorBroken outrightReplace with ML-DSA / SLH-DSA
Symmetric encryptionAES-256GroverHalved margin, still safeUse a 256-bit key
Hash functionsSHA-256GroverHalved margin, still safeUse a wide digest (SHA-2 / SHA-3)

So the accurate headline is narrow: quantum computers shatter the public-key half of cryptography and merely dent the symmetric half. That is why the entire transition is a public-key replacement job, and why the confidentiality half is urgent right now even though the machine is years out. Traffic protected by a classical key exchange today can be recorded and decrypted later, the harvest-now-decrypt-later problem, so the clock is already running. The signature half is a real-time forgery risk once the machine exists, and the reason to move early is that rebuilding PKI takes years, per Mosca’s theorem. Where this all leads next is The Threat, and what replaces the broken half is the new standards.

Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final.

Common misconceptions

  1. “Quantum breaks all encryption.” It breaks the public-key half. Symmetric encryption (AES-256) and hashing (SHA-256) survive with larger sizes, so the migration belongs on the public-key layer, not on your disk encryption.
  2. “A digital signature encrypts the message.” A signature proves who produced something and that it is unaltered while leaving the content fully readable. Secrecy is a separate job that encryption handles, so a broken signature is a forgery risk, not a data leak.
  3. “Hashing and encryption are the same thing.” Encryption is reversible with a key; a hash is one-way and keyless, so a digest can never be turned back into the input. One protects secrecy, the other proves integrity.
  4. “Symmetric crypto is the weak, old kind and public-key is the strong, modern kind.” They do different jobs. Symmetric encryption is faster and stronger against quantum, and public-key cryptography solves the problem symmetric cannot, agreeing a secret between strangers. Real systems need both.
  5. “If my traffic uses forward secrecy, it is quantum-safe.” Forward secrecy stops a stolen long-term key from unlocking past sessions, and it is delivered by ephemeral ECDH, which Shor’s algorithm still breaks. Restoring safety against a quantum adversary takes hybrid post-quantum key exchange.
  6. “PKI is just an algorithm I can swap out.” PKI is an infrastructure of authorities, certificates, and trust stores, with algorithms living inside it. Getting a new root trusted across every device is what makes the migration take years.

Questions people ask

What is the difference between cryptography and encryption? Encryption is one job inside cryptography, scrambling data for confidentiality. Cryptography is the whole toolkit, which also includes hashing for integrity, signatures for authentication, and key exchange for agreeing secrets. Encryption keeps data secret; the rest of cryptography proves things about it.

Do I need to understand all of this to start a post-quantum migration? You need the one split: which cryptography a quantum computer breaks and which it does not. Public-key algorithms (RSA, ECDH, ECDSA) have to move; symmetric algorithms (AES-256, SHA-256) carry forward. Knowing that keeps a team from burning effort replacing the parts that do not need replacing.

What is the CIA triad? It is the three classic security goals: confidentiality (only the right people read it), integrity (nobody altered it undetected), and availability (it is there when you need it). Cryptography is the main tool for the first two, and authentication rides on top as the check that a party is genuinely who it claims.

Why do systems use both symmetric and public-key cryptography? Because each covers the other’s weakness. Public-key cryptography lets two strangers agree on a key over an open line, which symmetric cannot, but it is slow, so once the shared key exists the system switches to fast symmetric encryption for the bulk data. A TLS session does exactly this on every connection.

Is AES-256 going to be broken by a quantum computer? No. The best quantum attack, Grover’s algorithm, only halves its brute-force margin, leaving AES-256 with about 128 bits of effective security, which is far out of reach. The quantum exposure in a system using AES sits in the RSA or ECDH key exchange that delivers the AES key, not in AES.

What does a hash function actually do? A hash function turns any input into a fixed-size fingerprint that changes completely if one bit of the input changes, and that you cannot reverse. It is how a system proves a file, a certificate, or a message has not been tampered with, and it is the piece signatures are computed over.

Where do I go after Foundations? The Threat explains how quantum computing breaks the public-key foundations you just met, and The New Standards covers what NIST published to replace them. If you already know your AES from your RSA, you can skip straight ahead.

Go deeper

Start here, the two on-ramps: Security Basics MOC (what security means: Confidentiality, Integrity, Availability, Authentication) · Classical Cryptography MOC (the locks themselves: symmetric, public-key, hashing, signatures, PKI)

The building blocks (the primitives this hub anchors): Digital Signature · Cryptographic Hash Function · Message Authentication Code (MAC) · HMAC · FIPS 198-1 · KEM (Key Encapsulation Mechanism) · Key Derivation Function (KDF) · CSPRNG and DRBG · Forward Secrecy

The classical algorithms these are made of: RSA · Elliptic-Curve Diffie-Hellman (ECDH) · Diffie-Hellman (DH) · Elliptic-Curve Cryptography (ECC) · Pairing-Based Cryptography · AES-256 · SHA-256 · XOR · Public Key Infrastructure (PKI) · Certificate Authority

The advanced constructions built on top (“is my X quantum-safe?“): Zero-Knowledge Proofs (hash-based STARKs survive, pairing-based SNARKs break) · Fully Homomorphic Encryption (FHE) (lattice-based, already post-quantum) · Secure Multi-Party Computation and Threshold Cryptography (information-theoretic secret sharing safe, discrete-log threshold signatures broken)

The body behind the standards: NIST (the U.S. agency that sets the cryptographic standards and ran the post-quantum competition)

Field notes: What Came Before Digital Trust (the physical ancestors of every digital-trust primitive here, the wax seal, signet ring, cipher disk, and sealed courier, and why quantum is a threat to trust itself)

The Failures That Weren’t Broken Math (the biggest cryptographic failures in history broke at the human seams, trust, governance, and implementation, more than the math)

Where this leads next: The Threat is how a quantum computer breaks the public-key half of everything above, and The New Standards is what replaces it.


Everything here is the map, given freely. When your team needs its own cryptography sorted into what survives the quantum transition and what has to move, sized and sequenced against your own systems, that’s the work I do, and there’s an alignment briefing for it.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.