There is a particular kind of research paper that appears quietly, sits in a specialized journal, is read by a few hundred people worldwide, and then, years later, turns out to have been subtly correct about everything. One such paper was published in the Journal of Cryptology in 2015 under the title “Advancing the theoretical foundations of ring learning with errors, or ring-LWE.” There were no headlines about it. It was not intended for a broad readership. Yet in 2026 its fingerprints can be found on almost every serious design document circulating in the field, as security engineers at large institutions rush to replace the encryption that powers the internet.
To understand why that matters, it helps to know what the cryptographic community is genuinely afraid of. Shor’s algorithm, a quantum procedure that factors large integers and solves discrete logarithm problems with astounding efficiency, can be run on a quantum computer once one is built large enough. The hardness assumptions that make RSA, Diffie-Hellman, and elliptic-curve cryptography secure collapse against such a machine. This is no longer a theoretical concern; it is now an institutional one. After running a formal competition for years to find quantum-resistant algorithms, NIST released its first post-quantum standards in August 2024. Those standards did not appear out of thin air. They represent a decade of theoretical work, and the 2015 paper sits near its origin.
Fundamentally, the ring-LWE framework offered a security proof that the cryptographic community sorely needed: not merely an algorithm that appeared hard to break, but a mathematical argument that breaking it would require solving problems known to be extremely hard even for quantum machines. Formally, breaking the scheme reduces to solving worst-case instances of lattice problems. That is a different kind of assurance from “nobody has broken this yet,” which is essentially what older schemes like RSA had offered. The distinction may seem academic, but engineers building protocols that must last twenty or thirty years, protecting government communications, financial infrastructure, or medical records, cannot afford to rely on the “nobody’s tried hard enough” standard. They require proof.
The two lattice-based algorithms that NIST eventually standardized, ML-KEM (also known as Kyber) and ML-DSA (also known as Dilithium), are clearly shaped by that theoretical work. Both descend from the ring-LWE line. Both are now being tested and incorporated into cellular networking standards, TLS protocol stacks, and the security layers of systems that most people use without realizing it. Researchers reviewing PQC deployment across internet, web, and cellular networks have identified the large parameter sizes common to these algorithms as a real challenge, and that observation can be traced in part to the mathematical structure the 2015 work helped formalize.
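As an added illustration (not code from the paper, from ML-KEM, or from any standard), here is a toy ring-LWE encryption scheme in Python that shows the structure referred to above: a public key is one sample (a, a·s + e) in the ring Z_q[x]/(x^N + 1), and the transmitted key size follows directly from N and q. N = 16 is a constructed toy value chosen so the code is readable; the poly_bytes helper reproduces ML-KEM-768’s 1184-byte encapsulation key from its real parameters (k = 3 polynomials of degree 256 with q = 3329, plus a 32-byte seed from which a is expanded).

```python
import random

N = 16          # degree of the ring Z_q[x]/(x^N + 1); a toy size, far too small to be secure
Q = 3329        # modulus (ML-KEM's q, but N here is tiny)

def poly_mul(a, b):
    """Multiply in Z_q[x]/(x^N + 1): a term x^(N+k) becomes -x^k."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            sign = 1 if i + j < N else -1
            res[(i + j) % N] = (res[(i + j) % N] + sign * ai * bj) % Q
    return res

def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def poly_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]

def small_poly(rng):
    return [rng.randint(-2, 2) % Q for _ in range(N)]   # "small" error/secret coefficients

def keygen(rng):
    """Public key is one ring-LWE sample (a, b = a*s + e); the secret is s."""
    a = [rng.randrange(Q) for _ in range(N)]
    s, e = small_poly(rng), small_poly(rng)
    return (a, poly_add(poly_mul(a, s), e)), s

def encrypt(pk, bits, rng):
    """Encode each bit as 0 or q/2, then mask it with a fresh ring-LWE sample under pk."""
    a, b = pk
    r, e1, e2 = small_poly(rng), small_poly(rng), small_poly(rng)
    m = [bit * (Q // 2) for bit in bits]
    return poly_add(poly_mul(a, r), e1), poly_add(poly_add(poly_mul(b, r), e2), m)

def decrypt(s, u, v):
    """v - u*s = m + (e*r + e2 - e1*s); the noise stays far below q/4, so round."""
    w = poly_sub(v, poly_mul(u, s))
    return [1 if Q // 4 <= c < 3 * Q // 4 else 0 for c in w]

def poly_bytes(n, q):
    """Bytes needed to transmit one polynomial: n coefficients of q.bit_length() bits each."""
    return (n * q.bit_length() + 7) // 8

def roundtrip(seed):
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    bits = [rng.randrange(2) for _ in range(N)]
    return decrypt(sk, *encrypt(pk, bits, rng)) == bits
```

With these toy parameters the accumulated noise is bounded by 130, well under q/4 = 832, so every bit decrypts correctly; real parameter choices are what make the public key a kilobyte and more.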
Another driver is what security experts now call “harvest now, decrypt later.” Adversaries can intercept and store encrypted communications today, then wait for quantum capability to arrive and decrypt them retroactively. It’s no secret that state-level actors have been doing this. Data that is sensitive today may remain sensitive for decades. That threat model has forced organizations to migrate much earlier than anyone had anticipated in, say, 2010. It also places great weight on the theoretical soundness of whatever replacement algorithms are chosen. When the stakes involve records that will still exist in 2045, a scheme that appears secure but lacks a rigorous reduction proof is not enough.

In light of this history, it’s remarkable how long it took the industry as a whole to take notice of the paper after it was published. Even though the PQCrypto conference series had existed since 2006 and European telecommunications standards bodies were holding workshops on quantum safety, most network engineers outside specialized academic circles continued to treat quantum risk as an abstraction. The harvest-now-decrypt-later threat model began to appear in corporate risk assessments alongside more familiar categories like ransomware around 2022, when NIST announced its first selected algorithms.
How quickly the full migration will proceed is still unknown. Building systems that can swap cryptographic primitives without architectural changes is known as “crypto-agility,” but it is hard to apply across legacy infrastructure. The 2015 paper will not resolve that. It did, however, provide a mathematical foundation strong enough for everything that followed to build on. A separate, and perhaps more pressing, question is whether the industry is moving quickly enough.