Curriculum
Five progressive tiers from quantum threat fundamentals to enterprise PQC migration execution.
1
Foundations — Why Classical Cryptography Breaks
Build the mathematical intuition to understand the quantum threat at a technical level. This tier moves beyond surface-level awareness to give practitioners the depth needed for real implementation decisions.
Challenge Topics:
- Shor’s algorithm and its impact on RSA, DH, and ECC key security
- Grover’s algorithm and the effect on symmetric key length requirements
- Introduction to lattice problems: Learning With Errors (LWE) and Ring-LWE
- Hash-based signature fundamentals (Merkle trees, XMSS structure)
- Why increasing RSA key size does not solve the quantum problem
2
Threat Recognition — Find Quantum-Vulnerable Cryptography
Develop the skills to identify quantum-vulnerable cryptographic deployments in real-world environments. This tier trains the crypto inventory and assessment capabilities that every organization needs as a starting point for migration.
Challenge Topics:
- Identifying RSA and ECC usage in TLS certificate chains and configurations
- Auditing SSH server and client key types across infrastructure
- Reading cryptographic algorithm identifiers in X.509 certificates and ASN.1
- Finding vulnerable crypto in application source code (Python, Java, Go, C/C++)
- Analyzing JWT and JOSE configurations for quantum-vulnerable algorithm use
- Building a Cryptographic Bill of Materials (CBOM) from live system analysis
3
PQC Algorithms — Hands-On with NIST Standards
Work directly with the three finalized NIST PQC standards. Build operational fluency with ML-KEM, ML-DSA, and SPHINCS+ through challenges that require correct algorithm use, parameter selection, and output validation.
Challenge Topics:
- ML-KEM (FIPS 203 / CRYSTALS-Kyber): key generation, encapsulation, decapsulation
- ML-DSA (FIPS 204 / CRYSTALS-Dilithium): signing, verification, parameter sets (2/3/5)
- SPHINCS+ / SLH-DSA (FIPS 205): stateless hash-based signature operations
- FALCON (FN-DSA): compact lattice signatures for bandwidth-constrained environments
- Parameter set selection: balancing security level vs. key/signature size tradeoffs
- Identifying incorrect algorithm usage and parameter mismatches
4
Secure Implementation — Validate and Harden PQC Code
PQC algorithms are new and implementation errors are common. This tier develops the skills to audit PQC implementations for correctness, identify subtle vulnerabilities, and harden deployed systems against implementation attacks.
Challenge Topics:
- Identifying weak random number generation in PQC key generation routines
- Side-channel vulnerability patterns in lattice-based implementations
- Nonce reuse and state management vulnerabilities in stateful signature schemes
- Library integration errors: misuse of liboqs, pqclean, and BouncyCastle PQC APIs
- Validating TLS 1.3 hybrid key exchange configurations (X25519Kyber768)
- Hardening PQC configurations against downgrade attacks
5
Migration — Hybrid Schemes, CBOM, and Enterprise Transition
The final tier addresses the full migration challenge: designing hybrid cryptographic systems that maintain backward compatibility while deploying PQC protection, managing the transition at enterprise scale, and meeting regulatory requirements.
Challenge Topics:
- Designing hybrid key exchange schemes (classical + PQC combined)
- Hybrid signature patterns for gradual migration without breaking existing verifiers
- Cryptographic Bill of Materials (CBOM): generation, formats (CycloneDX), and tooling
- Building a migration roadmap from crypto inventory to compliant deployment
- CNSA 2.0 compliance mapping: which systems require migration by which date
- Certificate lifecycle management during PQC transition (dual-algorithm certificates)
Ready to Start?
Access all five tiers with an individual subscription or bring your team through a structured cohort. Both options are available at play.quantumctf.com.