Topic hub

NIST PQC Standards

The finalised NIST post-quantum standards, their parameter sets, and what NIST is still working on. Written for engineers picking algorithms this quarter, not next decade.

Standardisation timeline

  • 2016 — NIST opens the PQC standardisation project.
  • 2022 — First four algorithms selected: Kyber, Dilithium, Falcon, SPHINCS+.
  • Aug 2024 — FIPS 203, 204 and 205 finalised.
  • Ongoing — Round-4 KEM selection and signature on-ramp.

Primary sources on the Sources page.

FIPS 203 · ML-KEM (Kyber)

Lattice-based key encapsulation. Three parameter sets:

  • ML-KEM-512 — NIST security level 1.
  • ML-KEM-768 — level 3, the recommended default for most deployments.
  • ML-KEM-1024 — level 5, for long-life secrets and high-assurance workloads.

Public keys are on the order of 800–1500 bytes; ciphertexts similar. Fast on commodity CPUs.

FIPS 204 · ML-DSA (Dilithium)

Lattice-based signatures. Parameter sets ML-DSA-44, -65 and -87 targeting NIST levels 2, 3 and 5. Suitable as a general-purpose replacement for ECDSA and RSA-PSS in most application-layer signing.

FIPS 205 · SLH-DSA (SPHINCS+)

Stateless hash-based signatures. Larger signatures (10s of KB depending on parameter set) but security rests only on hash-function assumptions — the most conservative option in the standardised set. Common uses: firmware and code-signing roots, long-lived certificates, air-gapped signing.

FN-DSA (Falcon)

Compact lattice-based signatures with the smallest signature sizes among the standardised set, but with implementation complexity around floating-point sampling. Expected to be standardised as FIPS 206.

Round-4 and on-ramp

NIST is evaluating additional key-encapsulation candidates (Classic McEliece, BIKE, HQC) to diversify the algorithmic base beyond lattices, and has opened an on-ramp for additional signature schemes.

Picking a set

  • Default general-purpose stack: ML-KEM-768 + ML-DSA-65.
  • Long-life roots of trust or firmware: SLH-DSA at your target NIST level.
  • Size-constrained signatures (embedded, blockchain L1s): consider FN-DSA once standardised.
  • All new protocols should be crypto-agile — expect to switch parameter sets, not just algorithms.

Frequently asked questions

What are the NIST post-quantum standards?

As of August 2024, NIST has finalised three post-quantum standards: FIPS 203 (ML-KEM, based on Kyber) for key encapsulation, FIPS 204 (ML-DSA, based on Dilithium) for general-purpose digital signatures, and FIPS 205 (SLH-DSA, based on SPHINCS+) for hash-based signatures. A fourth signature scheme, FN-DSA (Falcon), is expected as FIPS 206.

What is ML-KEM?

ML-KEM is a lattice-based key encapsulation mechanism used to establish shared keys — the post-quantum replacement for RSA-KEM and elliptic-curve Diffie-Hellman in protocols like TLS and IPsec. Three parameter sets are standardised: ML-KEM-512, ML-KEM-768 (the default target for most deployments), and ML-KEM-1024.

What is ML-DSA?

ML-DSA is a lattice-based digital signature scheme intended as the default general-purpose post-quantum signature. It has moderate signature and key sizes and is a suitable drop-in for many uses of RSA-PSS or ECDSA. Parameter sets are ML-DSA-44, ML-DSA-65 and ML-DSA-87.

What is SLH-DSA?

SLH-DSA is a stateless hash-based signature scheme whose security relies only on the properties of an underlying hash function. Signatures are large (several kilobytes) but the security assumptions are unusually conservative, which makes SLH-DSA attractive for firmware, code-signing and other long-life roots of trust.

Are these standards final?

The three FIPS documents (203, 204, 205) are final. NIST continues a fourth round to select an additional KEM (round-4 candidates include Classic McEliece, BIKE and HQC) and has an ongoing on-ramp for additional signature schemes to broaden the algorithmic base.