NIST Post-Quantum Cryptography Standards
A technical overview of NIST's three finalized PQC standards — ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205) — covering key sizes, performance, and migration implications.
Key Takeaways
- ML-KEM (FIPS 203) replaces RSA key transport and ECDH key agreement for key encapsulation
- ML-DSA (FIPS 204) replaces RSA and ECDSA for digital signatures using lattice-based cryptography
- SLH-DSA (FIPS 205) provides a hash-based signature alternative that avoids lattice assumptions entirely
- Post-quantum key sizes and signatures are significantly larger than classical equivalents
- NIST's standardization process ran from 2016 to 2024 with 69 initial submissions narrowed to three final standards
- Organizations should begin testing PQC algorithms against their TLS and certificate infrastructure now
The Road to Post-Quantum Standards
NIST launched its post-quantum cryptography standardization process in 2016. The goal was clear: identify and standardize algorithms that resist attacks from both classical and quantum computers.
The process received 69 submissions from research teams worldwide. Over three evaluation rounds spanning eight years, NIST assessed each candidate for security, performance, and implementation characteristics. Cryptographers published thousands of papers analyzing the submissions.
In August 2024, NIST published three final standards:
- ML-KEM — FIPS 203 — Key encapsulation mechanism
- ML-DSA — FIPS 204 — Digital signature algorithm
- SLH-DSA — FIPS 205 — Stateless hash-based digital signature algorithm
Each standard addresses a specific cryptographic function that quantum computers threaten.
ML-KEM: FIPS 203
ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) replaces RSA key transport and ECDH key agreement. When two parties establish an encrypted session — a TLS handshake, a VPN tunnel, an encrypted email exchange — ML-KEM securely generates and transmits the shared symmetric key.
How ML-KEM Works
ML-KEM builds on the Module Learning With Errors (MLWE) problem. The sender encapsulates a random secret using the recipient’s public key. The recipient decapsulates it with their private key. An eavesdropper cannot recover the secret without solving the underlying lattice problem.
The algorithm operates in three steps:
- Key generation produces a public key and private key pair.
- Encapsulation takes the public key and produces a ciphertext and shared secret.
- Decapsulation takes the private key and ciphertext to recover the shared secret.
Security Levels and Key Sizes
ML-KEM defines three parameter sets mapped to NIST security levels:
| Parameter Set | Security Level | Public Key | Ciphertext | Shared Secret |
|---|---|---|---|---|
| ML-KEM-512 | 1 (AES-128 equivalent) | 800 bytes | 768 bytes | 32 bytes |
| ML-KEM-768 | 3 (AES-192 equivalent) | 1,184 bytes | 1,088 bytes | 32 bytes |
| ML-KEM-1024 | 5 (AES-256 equivalent) | 1,568 bytes | 1,568 bytes | 32 bytes |
ML-KEM-768 is the recommended default for most applications. It balances security margin with performance overhead.
Performance Characteristics
ML-KEM operations are fast. Key generation, encapsulation, and decapsulation each complete in microseconds on modern hardware. In many benchmarks, ML-KEM-768 outperforms ECDH P-256 in raw computation speed.
The trade-off is bandwidth. ML-KEM-768 adds roughly 2 KB to a TLS handshake compared to ECDH. For most web applications, this overhead is negligible. For constrained IoT devices or high-frequency trading systems, it requires evaluation.
ML-DSA: FIPS 204
ML-DSA (Module-Lattice-Based Digital Signature Algorithm) replaces RSA and ECDSA for digital signatures. Certificates, code signing, document authentication, and any system that verifies identity or data integrity through signatures will transition to ML-DSA.
How ML-DSA Works
ML-DSA also builds on the MLWE problem, but applies it to signature generation and verification. The signer uses their private key to produce a signature over a message. Any party with the corresponding public key can verify the signature’s authenticity.
The algorithm uses a “Fiat-Shamir with Aborts” technique. The signer generates candidate signatures and rejects those that would leak information about the private key. This rejection sampling ensures security but means signing time varies slightly between operations.
Security Levels and Sizes
| Parameter Set | Security Level | Public Key | Signature | Private Key |
|---|---|---|---|---|
| ML-DSA-44 | 2 (SHA-256 collision equivalent) | 1,312 bytes | 2,420 bytes | 2,560 bytes |
| ML-DSA-65 | 3 (AES-192 equivalent) | 1,952 bytes | 3,309 bytes | 4,032 bytes |
| ML-DSA-87 | 5 (AES-256 equivalent) | 2,592 bytes | 4,627 bytes | 4,896 bytes |
ML-DSA-65 is the recommended default. It provides strong security with manageable signature sizes.
Impact on Certificate Infrastructure
ML-DSA signatures are 50x larger than ECDSA P-256 signatures. A certificate chain with three ML-DSA-65 certificates adds roughly 10 KB compared to under 1 KB for an equivalent ECDSA chain.
This size increase affects TLS handshake latency, especially on mobile networks. Certificate transparency logs grow faster. Hardware security modules (HSMs) need firmware updates to support the new algorithm.
QCecuring’s CLM platform tracks every certificate in your infrastructure. When you begin reissuing certificates with ML-DSA signatures, CLM automates the renewal process and validates that new certificates deploy correctly across all endpoints.
SLH-DSA: FIPS 205
SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) provides a digital signature scheme built entirely on hash functions. It does not use lattice mathematics.
Why Hash-Based Signatures Matter
ML-KEM and ML-DSA both depend on the hardness of lattice problems. If future research discovers an efficient algorithm for solving MLWE — classical or quantum — both standards would be compromised simultaneously.
SLH-DSA eliminates this single-point-of-failure risk. Its security depends only on the properties of the underlying hash function (SHA-256 or SHAKE-256). Hash functions have decades of cryptanalysis behind them and resist quantum attacks with only a quadratic speedup from Grover’s algorithm.
NIST recommends SLH-DSA as a conservative alternative for high-assurance applications where algorithm diversity is a priority.
Security Levels and Sizes
SLH-DSA offers multiple parameter sets optimized for either small signatures or fast operations:
| Parameter Set | Security Level | Public Key | Signature |
|---|---|---|---|
| SLH-DSA-128s | 1 | 32 bytes | 7,856 bytes |
| SLH-DSA-128f | 1 | 32 bytes | 17,088 bytes |
| SLH-DSA-192s | 3 | 48 bytes | 16,224 bytes |
| SLH-DSA-256s | 5 | 64 bytes | 29,792 bytes |
The “s” variants minimize signature size. The “f” variants optimize for signing speed. Public keys are compact, but signatures are large — significantly larger than ML-DSA.
Performance Trade-offs
SLH-DSA signing is slower than ML-DSA. The “s” variants can take tens of milliseconds per signature. Verification is faster but still slower than ML-DSA verification.
These characteristics make SLH-DSA best suited for applications where signatures are generated infrequently but verified often — root CA certificates, firmware signing, and long-lived document signatures. For high-throughput TLS certificate signing, ML-DSA is the better choice.
Choosing the Right Standard
The three standards serve complementary roles:
| Use Case | Recommended Standard | Rationale |
|---|---|---|
| TLS key exchange | ML-KEM (FIPS 203) | Fast encapsulation, reasonable ciphertext size |
| TLS certificates | ML-DSA (FIPS 204) | Balanced signature size and verification speed |
| Code signing | ML-DSA (FIPS 204) | Signatures verified many times after one signing |
| Root CA certificates | SLH-DSA (FIPS 205) | Maximum algorithm diversity for long-lived trust anchors |
| Firmware signing | SLH-DSA (FIPS 205) | Conservative security for rarely updated artifacts |
Most organizations will deploy ML-KEM and ML-DSA as their primary PQC algorithms. SLH-DSA serves as a backup for critical trust anchors.
Preparing Your Infrastructure
Adopting NIST PQC standards requires changes across your certificate and key management infrastructure.
Audit your certificate inventory. Identify every certificate, its algorithm, its expiration date, and the systems that depend on it. QCecuring’s CLM platform automates this discovery across cloud, on-premises, and hybrid environments.
Test PQC algorithms in staging environments. Deploy ML-KEM and ML-DSA in non-production TLS configurations. Measure handshake latency, certificate chain sizes, and client compatibility.
Update HSMs and crypto libraries. Verify that your hardware security modules and software libraries support FIPS 203, 204, and 205. Major vendors began shipping PQC-capable firmware in 2024.
Plan hybrid deployments. During the transition period, many organizations will run hybrid configurations — combining a classical algorithm (ECDSA) with a post-quantum algorithm (ML-DSA) in the same certificate. This ensures backward compatibility while adding quantum resistance.
Secure your software supply chain. Code signing with post-quantum algorithms protects software integrity against future quantum attacks. Transition signing keys to ML-DSA or SLH-DSA as your signing infrastructure supports them.
The transition to PQC standards is a multi-year effort. Starting with a complete cryptographic inventory gives you the visibility to plan, prioritize, and execute the migration systematically.
Related Solutions for: NIST Post-Quantum Cryptography Standards
Product Link
Certificate Lifecycle ManagementProduct Link
Code SigningRelated Topics
Frequently Asked Questions
Common questions about nist post-quantum cryptography standards
What are the three NIST PQC standards? +
NIST finalized ML-KEM (FIPS 203) for key encapsulation, ML-DSA (FIPS 204) for digital signatures, and SLH-DSA (FIPS 205) as a hash-based digital signature scheme. ML-KEM and ML-DSA are lattice-based. SLH-DSA relies on hash functions.
What is the difference between ML-KEM and ML-DSA? +
ML-KEM handles key encapsulation — securely exchanging symmetric keys between parties during a TLS handshake or encrypted session. ML-DSA handles digital signatures — authenticating identities and verifying data integrity in certificates, code signing, and document signing.
Why did NIST create SLH-DSA if ML-DSA already exists? +
SLH-DSA provides algorithm diversity. ML-DSA and ML-KEM both rely on lattice-based assumptions. If a breakthrough weakens lattice problems, SLH-DSA remains secure because it depends only on hash function security. NIST recommends SLH-DSA as a conservative backup.
How do PQC key sizes compare to RSA and ECC? +
PQC keys and signatures are larger. ML-KEM-768 public keys are 1,184 bytes versus 294 bytes for ECDH P-256. ML-DSA-65 signatures are 3,309 bytes versus 64 bytes for ECDSA P-256. These increases affect TLS handshake sizes and certificate chain bandwidth.
When should organizations adopt NIST PQC standards? +
Organizations should begin testing now. NIST recommends transitioning to PQC algorithms before cryptographically relevant quantum computers arrive. Systems protecting data with long secrecy lifetimes — financial records, health data, government secrets — should prioritize early adoption.
Ready to Secure Your Enterprise?
Experience how our cryptographic solutions simplify, centralize, and automate identity management for your entire organization.