NIST Post-Quantum Cryptography Standards

NIST standardized four post-quantum cryptographic algorithms in 2024 (ML-KEM, ML-DSA, SLH-DSA, FN-DSA) as replacements for RSA and ECC that remain secure against quantum computers running Shor's algorithm.

The National Institute of Standards and Technology launched its post-quantum cryptography standardization process in 2016 in response to the recognition that Shor’s algorithm, running on a sufficiently large fault-tolerant quantum computer, would break RSA and elliptic-curve cryptography (ECC) by solving integer factoring and discrete logarithm problems in polynomial time. NIST solicited candidate algorithms from the global cryptographic community, receiving 69 initial submissions. The process ran through multiple evaluation rounds, combining security analysis, performance benchmarking, and public scrutiny over eight years. By 2022 four finalists were selected for standardization, and in August 2024 NIST published the final Federal Information Processing Standards (FIPS) documents.

The four standards each rest on a different mathematical hardness assumption. ML-KEM (FIPS 203, formerly CRYSTALS-Kyber) is a key encapsulation mechanism based on the hardness of the Module Learning With Errors (MLWE) problem and is used to establish shared symmetric keys. ML-DSA (FIPS 204, formerly CRYSTALS-Dilithium) is a digital signature scheme also based on module lattice problems. SLH-DSA (FIPS 205, formerly SPHINCS+) is a hash-based signature scheme whose security relies solely on the collision resistance of a hash function, which makes it the conservative choice against mathematical breakthroughs. FN-DSA (FIPS 206, formerly FALCON) is a signature scheme based on NTRU lattices; it offers smaller signatures at the cost of an implementation that is harder to make constant-time. The lattice-based schemes are generally faster but depend on the hardness of lattice problems, while hash-based SLH-DSA accepts larger signatures in exchange for minimal mathematical assumptions.
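As an added illustration, not code from the page or from NIST's specifications, of the hash-based and stateful design behind SLH-DSA and LMS: a toy Lamport one-time-signature scheme placed under a four-leaf Merkle tree, where the signer must track which one-time key has been spent. All names are my own, the scheme is far smaller than SLH-DSA or LMS, and its only cryptographic assumption is the hash function (SHA-256 here).

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def msg_bits(msg: bytes) -> list:
    d = H(msg)  # one secret value is revealed per bit of the message digest
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]

def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]  # secret pairs, hashed public pairs

def lamport_sign(sk, msg: bytes) -> list:
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]

def pk_leaf(pk) -> bytes:
    return H(b"".join(a + b for a, b in pk))

def auth_path(leaves: list, idx: int):
    path, level = [], list(leaves)
    while len(level) > 1:  # sibling hash at each level, bottom up
        path.append(level[idx ^ 1])
        idx, level = idx // 2, [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return path, level[0]  # (authentication path, Merkle root)

class StatefulSigner:
    def __init__(self, leaves: int = 4):
        self.keys = [lamport_keygen() for _ in range(leaves)]
        self.leaves = [pk_leaf(pk) for _, pk in self.keys]
        self.root = auth_path(self.leaves, 0)[1]
        self.next_index = 0  # must be persisted; a rollback reuses a key and leaks it

    def sign(self, msg: bytes):
        if self.next_index >= len(self.keys):
            raise RuntimeError("all one-time keys spent; generate a new tree")
        idx, self.next_index = self.next_index, self.next_index + 1
        sk, pk = self.keys[idx]
        return idx, lamport_sign(sk, msg), pk, auth_path(self.leaves, idx)[0]

def verify(root: bytes, msg: bytes, signature) -> bool:
    idx, ots_sig, pk, path = signature
    if not all(H(s) == pk[i][b] for (i, b), s in zip(enumerate(msg_bits(msg)), ots_sig)):
        return False
    node = pk_leaf(pk)
    for sibling in path:  # recompute the root from the leaf up
        node = H(node + sibling) if idx % 2 == 0 else H(sibling + node)
        idx //= 2
    return node == root
```

The public key is the single 32-byte root; the signer's only long-lived secret state besides the keys is `next_index`, which is exactly the value that must never be restored from an old backup in a real LMS deployment.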

Migration to post-quantum standards presents significant engineering challenges. Cryptographic algorithms are embedded deep in protocols such as TLS, SSH, and IPsec and in code-signing infrastructure, and replacing them requires coordinated updates across hardware, firmware, operating systems, and applications. The recommended transition strategy is hybrid mode: running a classical algorithm (RSA or ECDH) alongside a post-quantum algorithm, so that security holds as long as at least one of the two remains unbroken. This hybrid approach increases bandwidth and compute overhead but provides a safety margin during the transition period, while confidence in the new algorithms is still accumulating. The US National Security Agency’s CNSA 2.0 suite (2022) specifies which algorithms government and defense contractors must use, mandating ML-KEM for key establishment and ML-DSA or LMS (a stateful hash-based scheme) for signatures, with transition timelines extending to 2035.

The urgency of migration is driven by the harvest-now-decrypt-later threat: adversaries can record encrypted internet traffic today and store it for decryption once a cryptographically relevant quantum computer becomes available. Data with long-term sensitivity (state secrets, medical records, financial contracts) is therefore already at risk even though the quantum computer does not yet exist. Estimates of when a cryptographically relevant machine will exist range from 10 to 30 years depending on assumptions about hardware progress, but the long lead times for large-scale cryptographic migrations mean organizations with sensitive data must begin transitioning now. Inventory of cryptographic assets, prioritization of high-sensitivity systems, and pilot deployments of ML-KEM in TLS are the recommended first steps for most enterprises.