Did you catch the math?

A CRQC arrives and recovers the session keys from every handshake whose key exchange relies solely on classical math. Which of these TLS 1.3 configurations is still safe?

• RSA key transport
  Classic RSA-only key exchange.
• X25519 (pure classical ECDH)
  Modern default in TLS 1.3 — pre-PQC.
• X25519 + ML-KEM-768 (hybrid)
  The IANA X-Wing group, code point 0x11EC.
• ECDSA-only signed cert + ECDHE
  Modern but entirely elliptic-curve.

You inspect four certificates' signature algorithm OIDs. Which one is post-quantum?

• rsassaPss (RSA-PSS, 2048-bit)
  OID 1.2.840.113549.1.1.10
• ecdsa-with-SHA384 (P-384)
  OID 1.2.840.10045.4.3.3
• Ed25519
  OID 1.3.101.112
• ML-DSA-65
  NIST FIPS 204 signature algorithm

Which FIPS standard publishes SLH-DSA (SPHINCS+)?

• FIPS 203
  ML-KEM
• FIPS 204
  ML-DSA
• FIPS 205
  SLH-DSA
• FIPS 206 (draft)
  FN-DSA / FALCON

NIST diversified across five mathematical families. One of them was broken on a desktop in roughly an hour back in 2022. Which?

• Lattice
  Foundation of ML-KEM, ML-DSA, FN-DSA.
• Hash
  Foundation of SLH-DSA, LMS, XMSS.
• Code
  HQC, Classic McEliece.
• Isogeny
  SIKE — Supersingular Isogeny KEM.

A medical record must stay confidential for X = 30 years. Your hospital's migration plan needs Y = 5 years. Best CRQC estimate is Z = 15 years. Verdict?

• Safe — plenty of headroom
  X + Y comfortably below Z.
• Tight — start migrating soon
  X + Y close to Z.
• Already failed for this data class
  X + Y > Z.
• Unknowable until Q-Day
  Mosca's offers no verdict.

If a future cryptanalytic result breaks the lattice family entirely, which standardized signature scheme keeps working — built only from hash primitives?

• ML-DSA
  Lattice-based (MLWE).
• FN-DSA
  NTRU lattices + FFT sampling.
• SLH-DSA
  Stateless hash-based (FIPS 205).
• ECDSA
  Elliptic curves.

The IANA-registered X-Wing hybrid (group 0x11EC) used by Chrome and Cloudflare combines X25519 with which ML-KEM variant?

• ML-KEM-512
  2×2 module grid · AES-128 equivalent.
• ML-KEM-768
  3×3 module grid · AES-192 equivalent.
• ML-KEM-1024
  4×4 module grid · AES-256 equivalent.
• ML-DSA-65
  That's a signature scheme, not a KEM.

For U.S. national-security systems under CNSA 2.0, which signature algorithm and tier is mandated?

• ECDSA P-384
  Classical — falls to Shor's.
• ML-DSA-44
  Entry-level PQC tier.
• ML-DSA-65
  Middle tier.
• ML-DSA-87
  Highest tier.

In May 2025 Craig Gidney published a result that dramatically reduced the resource estimate for breaking RSA-2048. To roughly what number of noisy qubits?

• 20 million
  The previous best estimate (2019).
• Under 1 million
  Gidney 2025 — a 20× reduction in six years.
• Under 100,000
  Iceberg Quantum LDPC result (Feb 2026).
• Around 10,000
  Neutral-atom estimate (Mar 2026).

Multiple regulators converge on 2030. For U.S. federal systems under NSM-10 and EO 14144, what specifically must be done by January 2030?

• Federal TLS 1.3 with PQC-capable suites
  EO 14144 baseline.
• Full migration of all systems
  That's 2035, not 2030.
• Crypto inventory only
  Earlier requirement.
• No mandate — research only
  Not the case.