History
The NIST PQC Standardization Competition
NIST opened a global, public process in 2016 to select quantum-resistant cryptographic algorithms. By 2024 it had produced three final standards (FIPS 203, 204, 205) with a fourth (FIPS 206) pending, and evaluation of additional KEMs and signatures continues.
| Year | Event |
|---|---|
| Dec 2016 | NIST publishes the call for proposals; by the Nov 2017 deadline, 69 complete submissions are accepted into Round 1 |
| Jan 2019 | Round 2: 26 candidates advance; public cryptanalysis begins in earnest |
| Jul 2020 | Round 3: 7 finalists (KEMs: Kyber, NTRU, SABER, Classic McEliece; signatures: Dilithium, Falcon, Rainbow) + 8 alternates (including SPHINCS+, SIKE, BIKE, HQC, FrodoKEM) |
| Feb 2022 | Rainbow (multivariate signature finalist) broken by Beullens with a classical attack running in a weekend on a laptop |
| Jul 2022 | NIST selects Kyber (KEM) and Dilithium, Falcon, SPHINCS+ (signatures) for standardization; BIKE, HQC, Classic McEliece and SIKE continue into Round 4 |
| Jul 2022 | SIKE (isogeny-based) broken by Castryck–Decru using only classical computation, in about an hour on a single laptop core for the Level 1 parameters; together with Rainbow, a reminder that public cryptanalysis is the point of the process |
| Aug 2024 | FIPS 203, 204, 205 published: ML-KEM, ML-DSA, SLH-DSA standardized |
| Oct 2024 | Round 2 of the additional-signature "on-ramp" begins with 14 candidates |
| Mar 2025 | NIST selects HQC from Round 4 as a second, code-based KEM (draft standard to follow); BIKE and Classic McEliece are not selected. FN-DSA (Falcon) still awaits its FIPS 206 draft |
NIST FIPS — finalized 2024
The Three (Plus One) NIST PQC Standards
FIPS 203 ML-KEM — Module Lattice Key Encapsulation Mechanism
Based on the CRYSTALS-Kyber submission. ML-KEM is a Key Encapsulation Mechanism (KEM): it establishes a shared secret between two parties. It is the primary replacement for ECDH and RSA key transport in protocols like TLS.
Mathematical basis: Module-LWE
Security relies on the hardness of the Module Learning With Errors (Module-LWE) problem: given a uniformly random matrix A and a vector b = As + e, where s is a secret vector with small entries and e is a small error vector, recover s (or even just distinguish (A, b) from uniform). Without e this is plain linear algebra; the small noise is what makes it hard, and it is believed hard for both classical and quantum computers. In ML-KEM the entries of A, s and e are polynomials in Z_q[X]/(X^256 + 1) with q = 3329, and the "module" rank k ∈ {2, 3, 4} is what gives the three parameter sets.
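A toy LWE encryption scheme showing the b = As + e structure above and the noise budget that makes decryption correct. This is an added example, not code from FIPS 203 or any library: the dimension is tiny and the sampler is a plain centered binomial, so it illustrates the arithmetic, not a secure scheme. ML-KEM replaces the integer vectors here with vectors of polynomials (the module), encrypts a random 32-byte value rather than one bit at a time, and derives the shared secret by hashing it (the Fujisaki–Okamoto transform), but the correctness argument is the same one `noise_bound()` checks.

```python
"""Toy (insecure) LWE encryption: public key (A, b = A*s + e), secret s.

Added example, not FIPS 203 code. Parameters are deliberately tiny (N = 8) and
q = 3329 is reused from ML-KEM only for familiarity."""
import secrets

N, M, Q, ETA = 8, 16, 3329, 2
# N: secret length, M: number of LWE samples (rows of A), Q: modulus,
# ETA: every secret/error coefficient lies in [-ETA, ETA]


def small() -> int:
    """Centered binomial sample in [-ETA, ETA] (ML-KEM uses ETA = 2 or 3)."""
    return sum(secrets.randbelow(2) for _ in range(ETA)) - sum(secrets.randbelow(2) for _ in range(ETA))


def dot(a, b) -> int:
    return sum(x * y for x, y in zip(a, b)) % Q


def keygen():
    A = [[secrets.randbelow(Q) for _ in range(N)] for _ in range(M)]
    s = [small() for _ in range(N)]            # secret: small vector
    e = [small() for _ in range(M)]            # error: small vector
    b = [(dot(row, s) + ei) % Q for row, ei in zip(A, e)]
    return (A, b), s                            # (A, b) is public; recovering s from it is search-LWE


def encrypt_bit(pk, bit: int):
    A, b = pk
    r = [small() for _ in range(M)]            # fresh randomness per encryption
    e1 = [small() for _ in range(N)]
    e2 = small()
    u = [(sum(r[i] * A[i][j] for i in range(M)) + e1[j]) % Q for j in range(N)]  # u = r^T A + e1
    v = (dot(r, b) + e2 + bit * (Q // 2)) % Q                                     # v = r^T b + e2 + bit*q/2
    return u, v


def decrypt_bit(sk, ct) -> int:
    u, v = ct
    # v - <u, s> = r^T e + e2 - <e1, s> + bit*q/2: a small noise term around 0 or q/2
    w = (v - dot(u, sk)) % Q
    return 1 if Q // 4 < w < 3 * Q // 4 else 0


def noise_bound() -> int:
    """Worst-case |r^T e + e2 - <e1, s>|; decryption is always correct when this is < q/4."""
    return M * ETA * ETA + ETA + N * ETA * ETA


def encrypt_bytes(pk, data: bytes):
    return [encrypt_bit(pk, (byte >> k) & 1) for byte in data for k in range(8)]


def decrypt_bytes(sk, cts) -> bytes:
    bits = [decrypt_bit(sk, ct) for ct in cts]
    return bytes(sum(bits[8 * i + k] << k for k in range(8)) for i in range(len(bits) // 8))
```

With these parameters the worst-case noise is 98, well under q/4 = 832, so there are no decryption failures; ML-KEM chooses its parameters so that the failure probability is below 2^-138 or so, because a decryption failure observed by an attacker leaks information about the secret.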
Parameter sets
| Level | Security | Public key | Ciphertext | Shared secret |
|---|---|---|---|---|
| ML-KEM-512 | NIST Level 1 (~AES-128) | 800 B | 768 B | 32 B |
| ML-KEM-768 | NIST Level 3 (~AES-192) ✦ recommended | 1184 B | 1088 B | 32 B |
| ML-KEM-1024 | NIST Level 5 (~AES-256) | 1568 B | 1568 B | 32 B |
Compare: an X25519 public key is 32 bytes; an ML-KEM-768 encapsulation key is 1184 bytes, so an X25519MLKEM768 client key share is 1216 bytes and the server's reply is 1120 bytes (1088-byte ciphertext plus a 32-byte X25519 share). The size increase is significant but manageable in TLS 1.3 handshakes. Chrome and Cloudflare deploy X25519MLKEM768, a hybrid in which the session keys depend on both the ML-KEM and the X25519 shared secret, so the connection stays secure as long as either one holds.
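The following is an added example (not Chrome, Cloudflare or any TLS library's code) that parses and validates an X25519MLKEM768 key share. The layout follows draft-ietf-tls-ecdhe-mlkem: the client share is the ML-KEM-768 encapsulation key followed by the X25519 public key, the server share is the ML-KEM ciphertext followed by the server's X25519 key, and the hybrid shared secret is the ML-KEM secret followed by the X25519 secret. It also implements the encapsulation-key check that FIPS 203 requires before encapsulating (every packed 12-bit coefficient must be below q). The sample bytes are constructed, zero-filled keys; no ML-KEM or X25519 arithmetic is performed.

```python
"""Parse and sanity-check a TLS 1.3 X25519MLKEM768 KeyShareEntry.

Added example, not from any TLS implementation. Sample inputs are constructed."""
import struct

X25519MLKEM768 = 0x11EC                       # IANA NamedGroup code point
MLKEM768_EK, MLKEM768_CT, X25519_PK, Q = 1184, 1088, 32, 3329


def build_key_share_entry(group: int, key_exchange: bytes) -> bytes:
    """KeyShareEntry { NamedGroup group; opaque key_exchange<1..2^16-1>; }"""
    return struct.pack("!HH", group, len(key_exchange)) + key_exchange


def parse_key_share_entry(data: bytes):
    """Return (group, key_exchange, remaining_bytes); reject truncated entries."""
    if len(data) < 4:
        raise ValueError("truncated KeyShareEntry")
    group, length = struct.unpack("!HH", data[:4])
    body = data[4:4 + length]
    if len(body) != length:
        raise ValueError("key_exchange length exceeds available data")
    return group, body, data[4 + length:]


def split_client_share(kx: bytes):
    """Client key_exchange = ML-KEM-768 encapsulation key || X25519 public key."""
    if len(kx) != MLKEM768_EK + X25519_PK:
        raise ValueError(f"client share must be {MLKEM768_EK + X25519_PK} bytes, got {len(kx)}")
    return kx[:MLKEM768_EK], kx[MLKEM768_EK:]


def split_server_share(kx: bytes):
    """Server key_exchange = ML-KEM-768 ciphertext || X25519 public key."""
    if len(kx) != MLKEM768_CT + X25519_PK:
        raise ValueError(f"server share must be {MLKEM768_CT + X25519_PK} bytes, got {len(kx)}")
    return kx[:MLKEM768_CT], kx[MLKEM768_CT:]


def mlkem768_ek_is_valid(ek: bytes) -> bool:
    """FIPS 203 encapsulation-key check: the 768 packed 12-bit coefficients
    (first 1152 bytes) must all be < q, i.e. decode-then-encode reproduces the
    input. The trailing 32 bytes are the public seed rho and are unconstrained.
    Coefficient pairs are packed little-endian into 3 bytes (ByteEncode12)."""
    if len(ek) != MLKEM768_EK:
        return False
    t = ek[:MLKEM768_EK - 32]
    for i in range(0, len(t), 3):
        b0, b1, b2 = t[i], t[i + 1], t[i + 2]
        c0 = b0 | ((b1 & 0x0F) << 8)
        c1 = (b1 >> 4) | (b2 << 4)
        if c0 >= Q or c1 >= Q:
            return False
    return True


def combine_shared_secrets(ss_mlkem: bytes, ss_x25519: bytes) -> bytes:
    """Hybrid secret fed to the TLS key schedule in place of the (EC)DHE secret.
    Order matters (ML-KEM first) and both halves are mandatory; the X25519 output
    must additionally be rejected if it is all zeros (low-order peer point)."""
    if len(ss_mlkem) != 32 or len(ss_x25519) != 32:
        raise ValueError("unexpected shared-secret length")
    return ss_mlkem + ss_x25519
```

A server that skips the encapsulation-key check and feeds an out-of-range key into the NTT arithmetic will produce a ciphertext whose shared secret depends on implementation-specific reduction behaviour, which is why FIPS 203 makes the check mandatory rather than optional.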
FIPS 204 ML-DSA — Module Lattice Digital Signature Algorithm
Based on CRYSTALS-Dilithium. ML-DSA is the primary general-purpose digital signature replacement for RSA-PSS and ECDSA.
Mathematical basis: Module-LWE + Module-SIS
Uses the Fiat-Shamir with Aborts paradigm over module lattices. Security relies on both the Module-LWE and Module-SIS (Short Integer Solution) problems. The signature is a short vector that convinces a verifier of knowledge of the signing key.
| Level | Security | Public key | Signature size |
|---|---|---|---|
| ML-DSA-44 | NIST Level 2 | 1312 B | 2420 B |
| ML-DSA-65 | NIST Level 3 ✦ recommended | 1952 B | 3309 B |
| ML-DSA-87 | NIST Level 5 | 2592 B | 4627 B |
Compare: ECDSA P-256 signature = 64 bytes. ML-DSA signatures are 40–70× larger. This affects certificate chain sizes (X.509 with ML-DSA), code-signing performance, and TLS Certificate messages. Hybrid certificates (ECDSA + ML-DSA composite) are an active IETF work item to ease transition.
FIPS 205 SLH-DSA — Stateless Hash-Based Digital Signature Algorithm
Based on SPHINCS+. SLH-DSA offers a security assumption that relies only on the security of the hash function — it has minimal structural assumptions, making it highly conservative.
Mathematical basis: hash-based Merkle forests
SLH-DSA signs a message digest with a FORS few-time signature whose public key is authenticated by a hypertree: layers of Merkle trees whose leaves are WOTS+ (Winternitz one-time signature) public keys, each tree signing the root of the tree below it. The stateless property means there is no leaf index to track (unlike XMSS/LMS): the FORS instance is chosen pseudorandomly from the message and the tree is made large enough that accidental reuse is negligible, which is why signatures are large. Security reduces to preimage, second-preimage and PRF-type properties of SHA-2 or SHAKE; collision resistance is not required.
| Variant | Hash | Security | Public key | Signature | Sign time |
|---|---|---|---|---|---|
| SLH-DSA-SHA2-128s | SHA-256 | Level 1, small | 32 B | 7856 B | slow |
| SLH-DSA-SHA2-128f | SHA-256 | Level 1, fast | 32 B | 17088 B | fast |
| SLH-DSA-SHA2-256s | SHA-256 + SHA-512 | Level 5, small | 64 B | 29792 B | slow |
SLH-DSA is preferred when you want minimal trust assumptions (hash-only security). The f (fast) parameter sets sign faster but produce larger signatures and verify more slowly than the s (small) sets. Either way it is slower and produces larger signatures than ML-DSA, making it less suited to high-throughput signing but a good fit for root CA certificates, firmware signing, and other cases where signing is infrequent and a signature of several kilobytes is acceptable.
FIPS 206 (draft) FN-DSA — Falcon (NTRU Lattice Signatures)
Based on the Falcon submission. Falcon uses NTRU lattices and a hash-and-sign paradigm with discrete Gaussian sampling over the lattice. It offers significantly smaller signatures than ML-DSA (Falcon-512: 666-byte signatures with an 897-byte public key) and fast verification, but signing requires a constant-time Gaussian sampler and floating-point FFT arithmetic, which are complex to implement correctly and securely, especially on constrained or side-channel-exposed devices. As of late 2024 the FIPS 206 draft was still awaiting publication.
Mathematical families
Post-Quantum Hard Problems
PQC algorithms are built on mathematical problems that are believed hard for both classical and quantum computers. The diversity of families provides hedge against future cryptanalysis.
Lattice-Based ML-KEM ML-DSA FN-DSA
Hard problems: Learning With Errors (LWE), Ring-LWE, Module-LWE, Short Integer Solution (SIS), NTRU. A lattice is the set of integer combinations of a basis in high-dimensional space; finding a shortest or a nearby lattice vector (SVP/CVP) is believed to take time exponential in the dimension. The best known attacks combine lattice reduction (BKZ) with sieving, costing roughly 2^(0.292n) classically for an n-dimensional sieve, and known quantum sieving only lowers the exponent to about 0.26n, so quantum computers give no dramatic speedup for well-parameterized instances. Dominant family in NIST standardization.
Hash-Based SLH-DSA XMSS / LMS
Security reduces to the collision resistance and one-wayness of the underlying hash function (SHA-256, SHAKE-256). Zero structural algebraic assumptions. Highly conservative and well-understood. Limitations: stateless schemes (SLH-DSA) have large signatures; stateful schemes (XMSS, LMS) are fast with small signatures but require careful key-state management. XMSS (RFC 8391) and LMS (RFC 8554) are standardized for firmware and code signing today.
Code-Based BIKE HQC
Security is based on decoding a random linear code, the Syndrome Decoding Problem, shown NP-hard in 1978. Classic McEliece (building on McEliece's 1978 scheme with binary Goppa codes) has withstood more than 45 years of cryptanalysis and has very small ciphertexts (96 bytes at Level 1) but enormous public keys (about 261 KB at Level 1). BIKE and HQC use quasi-cyclic codes to bring keys down to a few kilobytes. All three were Round 4 candidates; in March 2025 NIST selected HQC as a second, code-based KEM standard, with a draft FIPS to follow, and did not select BIKE or Classic McEliece.
Isogeny-Based SIKE — Broken
Supersingular isogeny problems looked promising (tiny key sizes). SIKE was a Round 3 alternate and a Round 4 candidate. In July 2022, Castryck and Decru broke SIKE using only classical computation, in about an hour on a single laptop core for the Level 1 parameters: the SIDH protocol publishes images of auxiliary torsion points, and that extra information turned out to be enough to recover the secret isogeny. A cautionary example of why cryptanalytic diversity and patience matter.
Global standards landscape
Beyond NIST: IETF, BSI, CSTC, and ETSI
IETF — Protocol standardization
The IETF's role is to standardize PQC in concrete protocols. Several working groups are active:
- PQUIP WG — Post-Quantum Use in Protocols. Coordinates cross-WG work and produces guidance on integrating PQC algorithms into IETF protocols.
- TLS WG — `draft-ietf-tls-hybrid-design` defines the generic hybrid key-exchange construction for TLS 1.3, and `draft-ietf-tls-ecdhe-mlkem` registers the concrete groups. ML-KEM is already deployed by Chrome and Cloudflare as `X25519MLKEM768` (IANA code point 0x11EC).
- LAMPS WG — Limited Additional Mechanisms for PKIX and SMIME. Specifies ML-KEM, ML-DSA and SLH-DSA in X.509 certificates (SubjectPublicKeyInfo algorithm OIDs), CMS (RFC 5652) and S/MIME, as well as composite signatures that pair a classical and a PQ algorithm.
- IPsec / IKEv2 — `RFC 8784` (mixing post-quantum pre-shared keys into IKEv2) and `RFC 9370` (Multiple Key Exchanges in IKEv2, which lets a PQ KEM run alongside classical (EC)DH) provide a path to PQC in VPNs.
- SSH — OpenSSH 9.x implements the `mlkem768x25519-sha256` hybrid KEX (IETF draft). It is enabled by default since OpenSSH 9.9 (2024) and became the preferred default in OpenSSH 10.0 (2025).
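The LAMPS work above means a certificate inventory can tell PQ from quantum-vulnerable keys purely from the algorithm OID in the SubjectPublicKeyInfo. The following added example (not IETF, LAMPS or any library code) decodes that field with a minimal DER reader and checks that the key length matches the named parameter set. The OID values are the NIST CSOR arcs registered for FIPS 203/204/205 plus a few common classical ones; `build_spki` only exists to construct sample inputs, with zero-filled keys, so the example runs offline.

```python
"""Identify the algorithm in a DER SubjectPublicKeyInfo and flag quantum-vulnerable keys.

Added example; the DER reader handles only what an SPKI needs (no indefinite lengths)."""

# dotted OID -> (name, expected raw public-key length or None, migration status)
OIDS = {
    "1.2.840.113549.1.1.1":    ("rsaEncryption", None, "vulnerable"),
    "1.2.840.10045.2.1":       ("id-ecPublicKey", None, "vulnerable"),
    "1.3.101.110":             ("X25519", 32, "vulnerable"),
    "1.3.101.112":             ("Ed25519", 32, "vulnerable"),
    "2.16.840.1.101.3.4.4.1":  ("ML-KEM-512", 800, "pq"),
    "2.16.840.1.101.3.4.4.2":  ("ML-KEM-768", 1184, "pq"),
    "2.16.840.1.101.3.4.4.3":  ("ML-KEM-1024", 1568, "pq"),
    "2.16.840.1.101.3.4.3.17": ("ML-DSA-44", 1312, "pq"),
    "2.16.840.1.101.3.4.3.18": ("ML-DSA-65", 1952, "pq"),
    "2.16.840.1.101.3.4.3.19": ("ML-DSA-87", 2592, "pq"),
    "2.16.840.1.101.3.4.3.20": ("SLH-DSA-SHA2-128s", 32, "pq"),
}
SEQUENCE, OID, BIT_STRING = 0x30, 0x06, 0x03


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element); supports long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:                       # base-128, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_spki(oid: str, key: bytes, params: bytes = b"") -> bytes:
    """Constructed test input: SEQ { SEQ { OID [, params] }, BIT STRING(0x00 || key) }."""
    alg = tlv(SEQUENCE, tlv(OID, encode_oid(oid)) + params)
    return tlv(SEQUENCE, alg + tlv(BIT_STRING, b"\x00" + key))


def identify_spki(der: bytes) -> dict:
    tag, spki, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("SPKI must be a SEQUENCE")
    tag, alg, pos = read_tlv(spki, 0)
    if tag != SEQUENCE:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid_body, _ = read_tlv(alg, 0)
    if tag != OID:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    tag, bitstr, _ = read_tlv(spki, pos)
    if tag != BIT_STRING or bitstr[0] != 0:
        raise ValueError("subjectPublicKey must be a byte-aligned BIT STRING")
    key = bitstr[1:]
    oid = decode_oid(oid_body)
    name, expected, status = OIDS.get(oid, ("unknown OID " + oid, None, "unknown"))
    if expected is not None and len(key) != expected:
        status = "malformed"                 # right OID, wrong key size: reject, do not guess
    return {"algorithm": name, "key_bytes": len(key), "status": status}
```

A key whose length does not match its OID's parameter set is reported as malformed rather than guessed at, since a decoder that silently accepts a 1951-byte ML-DSA-65 key is the kind of leniency that later turns into a parsing bug.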
BSI (Germany) — Recommendations
The Bundesamt für Sicherheit in der Informationstechnik updates TR-02102-1 annually. The 2024 edition lists ML-KEM (Kyber) and ML-DSA (Dilithium) for use in new systems, recommends AES-256 and SHA-384 or longer, advises deploying PQC in hybrid combination with a classical scheme during the transition, and calls for migration planning to begin now. The separate document "Kryptographisch relevanter Quantencomputer" (2024) provides German government planning horizons and sector-specific guidance.
China CSTC / OSCCA — National standards
China's Cryptography Standardization Technical Committee (CSTC) and the Office of the State Commercial Cryptography Administration (OSCCA) maintain the SM-series standards:
- SM2 — Elliptic-curve public-key cryptography (256-bit, GF(p)). Used in Chinese TLS, code signing, and PKI. Like ECDSA/ECDH, vulnerable to Shor's algorithm.
- SM3 — 256-bit hash function. Quantum-safe with sufficient output size (equivalent to SHA-256 in Grover analysis).
- SM4 — 128-bit block cipher with a 128-bit key. Grover's algorithm affects it the same way as AES-128, and unlike AES there is no 256-bit-key variant, so where the risk model calls for 256-bit keys a different cipher must be planned for.
CSTC has published trial PQC algorithm standards (GB/T drafts) and is evaluating domestic candidates; specific public FIPS-equivalent Chinese PQC standards are expected to follow NIST's finalization. Organizations deploying SM2 should include it in PQC migration scope.
ETSI — Quantum-Safe Cryptography ISG
ETSI's Quantum-Safe Cryptography Industry Specification Group (ISG QSC) produces technical reports and specifications for telecommunications, including quantum key distribution (QKD) integration, migration guidance for telecoms operators, and harmonization with NIST/IETF work. Key publications: TS 103 744 (quantum-safe hybrid key exchanges) and TR 103 619 (migration strategies and recommendations to quantum-safe schemes).
Stateful hash-based signatures for today
Two algorithms are standardized for immediate use in narrow applications (code signing, firmware, secure boot):
- XMSS (`RFC 8391`, NIST SP 800-208) — eXtended Merkle Signature Scheme. Quantum-safe today. Requires key-state management: each one-time leaf key may be used at most once, and signing two different messages from the same leaf leaks enough chain values to forge. Suitable for HSMs that durably record the next leaf index before releasing a signature.
- LMS / HSS (`RFC 8554`, NIST SP 800-208) — Leighton-Micali Signature, with HSS as its hierarchical (multi-tree) variant. Used by AWS, Cisco, and others for firmware signing.
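The following added example shows the construction both the SLH-DSA description above and these stateful schemes share: Winternitz one-time signatures at the leaves of a Merkle tree, here with a signer that advances its leaf index before releasing a signature and refuses to continue once the tree is exhausted. It is not the XMSS/LMS reference code from RFC 8391/8554 and not SLH-DSA: it keeps the hash-chain, checksum and authentication-path logic but drops WOTS+'s per-step masks and address scheme, uses a tiny 8-leaf tree, and holds state in memory rather than in an HSM, so it is for reading, not deployment.

```python
"""Stateful hash-based signatures: Winternitz OTS leaves under a Merkle tree.

Added example, not RFC 8391/8554 code; the hash chains are domain-separated by
(leaf, chain, step) but lack the bitmask/address machinery of real WOTS+."""
import hashlib
import os

N = 32            # hash output bytes (SHA-256)
W = 16            # Winternitz parameter: each chain has W-1 hash steps
L1, L2 = 64, 3    # 256-bit digest -> 64 hex digits, plus 3 checksum digits
L = L1 + L2
H = 3             # tree height: 2**H = 8 one-time keys per tree


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def base_w(digest: bytes) -> list:
    """Base-16 digits of the digest plus a Winternitz checksum. Raising any
    message digit lowers the checksum, so a forger would have to step a
    checksum chain backwards, i.e. invert the hash."""
    digits = [d for b in digest for d in (b >> 4, b & 0xF)]
    csum = sum(W - 1 - d for d in digits)          # at most 64*15 = 960 < 16**3
    return digits + [(csum >> 8) & 0xF, (csum >> 4) & 0xF, csum & 0xF]


def chain(x: bytes, start: int, steps: int, pub_seed: bytes, leaf: int, i: int) -> bytes:
    for j in range(start, start + steps):          # domain-separate every (leaf, chain, step)
        x = h(pub_seed, bytes([leaf, i, j]), x)
    return x


def wots_keys(sk_seed: bytes, pub_seed: bytes, leaf: int):
    sk = [h(sk_seed, b"wots", bytes([leaf, i])) for i in range(L)]
    pk = [chain(sk[i], 0, W - 1, pub_seed, leaf, i) for i in range(L)]
    return sk, h(*pk)                               # leaf value = hash of all chain ends


def wots_sign(sk, msg: bytes, pub_seed: bytes, leaf: int):
    return [chain(sk[i], 0, d, pub_seed, leaf, i) for i, d in enumerate(base_w(h(msg)))]


def wots_leaf_from_sig(sig, msg: bytes, pub_seed: bytes, leaf: int) -> bytes:
    digits = base_w(h(msg))                         # finish each chain from the signed position
    return h(*[chain(sig[i], d, W - 1 - d, pub_seed, leaf, i) for i, d in enumerate(digits)])


class StatefulSigner:
    def __init__(self):
        self.sk_seed, self.pub_seed = os.urandom(N), os.urandom(N)
        self.next_leaf = 0                          # THE state: must be persisted durably
        leaves = [wots_keys(self.sk_seed, self.pub_seed, q)[1] for q in range(2 ** H)]
        self.levels = [leaves]
        while len(self.levels[-1]) > 1:
            prev = self.levels[-1]
            self.levels.append([h(prev[k], prev[k + 1]) for k in range(0, len(prev), 2)])
        self.public_key = (self.levels[-1][0], self.pub_seed)   # (Merkle root, public seed)

    def sign(self, msg: bytes):
        if self.next_leaf >= 2 ** H:
            raise RuntimeError("key exhausted: every one-time leaf has been used")
        leaf = self.next_leaf
        self.next_leaf += 1     # advance (in an HSM: write to non-volatile storage) BEFORE releasing the signature
        sk, _ = wots_keys(self.sk_seed, self.pub_seed, leaf)
        auth = [self.levels[lvl][(leaf >> lvl) ^ 1] for lvl in range(H)]   # sibling at each level
        return leaf, wots_sign(sk, msg, self.pub_seed, leaf), auth


def remaining_signatures(signer: StatefulSigner) -> int:
    return 2 ** H - signer.next_leaf


def verify(public_key, msg: bytes, signature) -> bool:
    root, pub_seed = public_key
    leaf, wsig, auth = signature
    if not 0 <= leaf < 2 ** H or len(wsig) != L or len(auth) != H:
        return False
    node = wots_leaf_from_sig(wsig, msg, pub_seed, leaf)
    for lvl, sibling in enumerate(auth):            # climb to the root using the auth path
        node = h(sibling, node) if (leaf >> lvl) & 1 else h(node, sibling)
    return node == root
```

The ordering inside `sign` is the whole point of state management: if the signature were released first and the process crashed before the index was stored, a restart would sign again from the same leaf, and an observer holding both signatures could splice their chain values into a forgery for any message whose digits are all at least as large as the smaller of the two signed digits.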
Algorithm comparison
At a Glance: Key and Signature Sizes
Sizes below are for the parameter set named in each row. The PQ rows use NIST Level 3 (comparable to AES-192) where such a set is listed; Falcon-512 and SLH-DSA-128s are Level 1 sets. The classical rows use the parameters in common use today.
| Algorithm | Type | Public key | Secret key | CT / Sig | PQ standard |
|---|---|---|---|---|---|
| X25519 | Classical ECDH | 32 B | 32 B | 32 B | No (broken by Shor's) |
| RSA-3072 | Classical KEM/Sig | 384 B | ~1.7 KB | 384 B / 384 B | No (broken by Shor's) |
| ML-KEM-768 | PQC KEM | 1184 B | 2400 B | 1088 B | FIPS 203 |
| ML-KEM-1024 | PQC KEM | 1568 B | 3168 B | 1568 B | FIPS 203 |
| Ed25519 (EdDSA) | Classical Sig | 32 B | 64 B | 64 B | No (broken by Shor's) |
| ML-DSA-65 | PQC Sig | 1952 B | 4032 B | 3309 B | FIPS 204 |
| FN-DSA (Falcon-512) | PQC Sig | 897 B | 1281 B | 666 B | FIPS 206 (draft pending) |
| SLH-DSA-128s | PQC Sig (hash) | 32 B | 64 B | 7856 B | FIPS 205 |
| LMS / XMSS (height 10, SHA-256) | PQC Sig (stateful) | ~60 B | ~100 B | ~2.5 KB | RFC 8391 / 8554, SP 800-208 |
Next: Migration Playbook
Now that you understand what the standards are, learn how to deploy them — a five-phase migration framework with protocol-level guidance for TLS, SSH, VPN, and code signing.