Can lattice-based cryptography survive a quantum adversary?

Most public-key cryptography in use today (RSA, ECC) will be broken by a sufficiently large quantum computer via Shor's algorithm. Lattice problems such as Learning With Errors are the leading post-quantum candidates.

Whether worst-case lattice problems really are quantum-hard, and whether new attacks on practical LWE parameters might emerge, are active research questions. NIST has begun standardising lattice-based schemes, increasing the stakes.