NIST PQC standards establish ML-KEM and ML-DSA as quantum-resistant replacements for RSA and ECC, providing concrete migration targets for organizations preparing for the quantum era.
# Post-Quantum Cryptography Standards
Post-quantum cryptography (PQC) standards define public-key algorithms designed to resist attacks from both classical and quantum computers. They exist because the public-key systems that currently protect internet traffic, financial transactions, and classified communications (RSA, elliptic-curve cryptography, and finite-field Diffie-Hellman) all rest on integer factorization or discrete logarithms, and Shor's algorithm solves both problems, including elliptic-curve discrete logarithms, in polynomial time on a sufficiently large, fault-tolerant quantum computer. Symmetric ciphers and hash functions are far less affected: Grover's algorithm yields at most a quadratic speedup, which AES-256 and SHA-384 absorb with their existing margins, so the migration problem is specifically a public-key problem.
Following a multi-year evaluation process that began in 2016, NIST published the first PQC standards in August 2024 as FIPS 203, FIPS 204, and FIPS 205. They specify ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism, derived from CRYSTALS-Kyber) for key establishment, ML-DSA (Module-Lattice-Based Digital Signature Algorithm, derived from CRYSTALS-Dilithium) as the primary signature scheme, and SLH-DSA (Stateless Hash-Based Digital Signature Algorithm, derived from SPHINCS+) as a signature scheme resting on different assumptions. A fourth algorithm, FN-DSA (FFT over NTRU-Lattice-Based Digital Signature Algorithm, derived from FALCON), was selected in 2022 for scenarios that need compact signatures and is being specified separately as FIPS 206; it was not among the standards finalized in August 2024.
These are the first general-purpose public-key algorithms approved for federal use that are explicitly designed to withstand quantum attack. (The stateful hash-based signatures LMS and XMSS, approved earlier in SP 800-208, are restricted to uses such as firmware signing because the signer must reliably track which one-time keys it has already consumed.) They form the foundation for migrating the public-key infrastructure of governments and enterprises before a cryptographically relevant quantum computer exists, an event that many government and academic estimates place within the next one to two decades, with wide uncertainty in either direction.
PQC algorithms derive their security from mathematical problems believed to remain hard even for quantum computers. Unlike current public-key systems, which rely on number-theoretic problems quantum computers solve efficiently, PQC systems use problems from lattice theory, hash function properties, and other domains for which no efficient quantum algorithm is known. That hardness is a conjecture supported by decades of cryptanalysis rather than a proof, which is why NIST standardized schemes on more than one assumption.
ML-KEM, the standardized key encapsulation mechanism, is built on the Module Learning With Errors (MLWE) problem over the polynomial ring R_q = Z_q[x]/(x^256 + 1) with q = 3329. The public key consists of a seed that expands to a k×k matrix A of ring elements together with a vector t = As + e, where s (the secret key) and e (the error) are vectors of polynomials with small coefficients; k is 2, 3, or 4 for ML-KEM-512, -768, and -1024. The hardness assumption is that (A, As + e) is computationally indistinguishable from (A, random), even to a quantum adversary. To encapsulate, the sender picks a random 32-byte message m, derives fresh small vectors r and e1 and a small polynomial e2 from it, and sends u = A^T r + e1 together with v = t·r + e2 + encode(m), where encode maps each bit of m to the coefficient 0 or q/2. The recipient computes v − s·u = encode(m) + (e·r + e2 − s·e1); the bracketed error term is far smaller than q/4, so rounding each coefficient recovers m, while anyone without s faces an MLWE instance. Because this encryption on its own is only secure against passive attackers, ML-KEM wraps it in a Fujisaki-Okamoto transform: both the shared key and the encryption randomness are derived from m, and decapsulation re-encrypts the recovered m and checks that the result matches the received ciphertext, returning a pseudorandom key (implicit rejection) rather than an error when it does not.
ML-DSA builds digital signatures on the MLWE and Module Short Integer Solution (MSIS) problems using the Fiat-Shamir with aborts paradigm. The key pair is t = As1 + s2 with small secret vectors s1 and s2. To sign, the signer samples a masking vector y, computes w = Ay, derives a challenge c by hashing the message together with the high-order bits of w, and outputs z = y + c·s1. Verification recomputes the high-order bits of Az − c·t and checks that hashing them with the message reproduces c. Because z depends on s1, the signer applies rejection sampling: if any coefficient of z, or of the related low-order term, falls outside a fixed bound, the attempt is discarded and a fresh y is drawn, so the distribution of published signatures is statistically independent of the secret key. This rejection step prevents the signatures themselves from leaking the key; it is not a side-channel countermeasure, and implementations still need constant-time arithmetic and sampling to resist timing and power analysis.
SLH-DSA takes a fundamentally different approach, basing its security entirely on the properties of a hash function rather than on number-theoretic or lattice assumptions. Each message is signed with a few-time signature (FORS) whose public key is in turn certified by a hypertree of Merkle trees built over Winternitz one-time signatures; the leaf used for a given message is chosen pseudorandomly, which is what makes the scheme stateless. A signature reveals the one-time signatures along that path together with the authentication nodes needed to recompute the root public key. Security reduces to preimage and second-preimage resistance of the hash function (the design deliberately avoids depending on collision resistance), so SLH-DSA serves as a conservative fallback if structured-lattice assumptions prove weaker than expected. The cost is size and speed: signatures range from 7,856 bytes (SLH-DSA-SHA2-128s) to 49,856 bytes (SLH-DSA-SHA2-256f), several times to more than ten times the size of an ML-DSA signature at a comparable security level, and signing is slow.
FN-DSA optimizes for compact signatures and public keys in bandwidth-constrained environments. Built on NTRU lattices, it uses fast Fourier sampling (the "FFT" in its name) to produce short lattice vectors: FALCON-512 signatures are about 666 bytes with 897-byte public keys, roughly a quarter of the size of ML-DSA-44's 2,420-byte signatures at a similar security level. The trade-off is implementation difficulty. Signing requires floating-point Gaussian sampling that is hard to make constant-time and hard to verify across platforms, and key generation and signing are slower than in ML-DSA, although verification is fast.
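To make the hash-based construction concrete, the following Python is an added example (not SPHINCS+ or SLH-DSA reference code) of the building block SLH-DSA is made of: Winternitz one-time signatures whose public leaves are aggregated in a Merkle tree, with the authentication path carried in the signature. It is the stateful XMSS-style form, so it also shows the state that SLH-DSA's pseudorandom leaf selection exists to eliminate: the signer must never reuse a leaf, and runs out of leaves when the tree is exhausted. The domain labels, the 16-ary chains, the tree height of 3, and the address encoding are this example's own assumptions; the hypertree, FORS layer and full address scheme of SLH-DSA are omitted.

```python
import hashlib

N_BYTES = 32             # SHA-256 output; every chain element and tree node is this size
W = 16                   # Winternitz parameter: each chain encodes one base-16 digit
L1 = 2 * N_BYTES         # 64 digits cover a 256-bit message digest
L2 = 3                   # checksum digits: the checksum is at most 64*15 = 960 < 16^3
L = L1 + L2              # chains per one-time key
HEIGHT = 3               # Merkle tree height: 2^HEIGHT one-time keys per public key

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def chain(x, start, steps, addr):
    """Hash `steps` times along chain `addr` starting at position `start`.
    Chain index and position are mixed into each step, as SLH-DSA does with its address scheme."""
    for pos in range(start, start + steps):
        x = h(b"chain", addr.to_bytes(2, "big"), pos.to_bytes(1, "big"), x)
    return x

def base_w(digest):
    """Base-16 digits of the digest plus a checksum, so raising one digit would lower the checksum."""
    digits = [d for byte in digest for d in (byte >> 4, byte & 15)]
    csum = sum(W - 1 - d for d in digits)
    return digits + [(csum >> (4 * i)) & 15 for i in reversed(range(L2))]

def wots_keygen(seed, leaf):
    """One-time key pair: L secret chain starts; the public leaf is the hash of all chain ends."""
    sk = [h(b"wots-sk", seed, leaf.to_bytes(2, "big"), i.to_bytes(1, "big")) for i in range(L)]
    return sk, h(b"wots-pk", *[chain(sk[i], 0, W - 1, i) for i in range(L)])

def wots_sign(sk, digest):
    return [chain(sk[i], 0, d, i) for i, d in enumerate(base_w(digest))]

def wots_pk_from_sig(sig, digest):
    """Finish every chain from the revealed position; equals the leaf iff the signature is valid."""
    return h(b"wots-pk", *[chain(sig[i], d, W - 1 - d, i) for i, d in enumerate(base_w(digest))])

class MerkleSigner:
    def __init__(self, seed):
        self.seed = seed
        layer = [wots_keygen(seed, i)[1] for i in range(2 ** HEIGHT)]
        self.layers = [layer]
        while len(layer) > 1:
            layer = [h(b"node", layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
            self.layers.append(layer)
        self.root = layer[0]         # the public key
        self.next_leaf = 0           # STATE: signing twice with one leaf enables forgery

    def sign(self, msg):
        if self.next_leaf >= 2 ** HEIGHT:
            raise RuntimeError("all one-time keys consumed; generate a new tree")
        leaf = self.next_leaf
        self.next_leaf += 1          # persist the new state before the signature leaves the signer
        sk, _ = wots_keygen(self.seed, leaf)
        auth, node = [], leaf
        for layer in self.layers[:-1]:
            auth.append(layer[node ^ 1])   # sibling needed to climb one level
            node //= 2
        return leaf, wots_sign(sk, h(b"msg", msg)), auth

def verify(root, msg, signature):
    leaf, wsig, auth = signature
    node = wots_pk_from_sig(wsig, h(b"msg", msg))
    for sibling in auth:             # climb: left or right child depending on the index bit
        node = h(b"node", sibling, node) if leaf & 1 else h(b"node", node, sibling)
        leaf >>= 1
    return node == root

def signature_size(signature):
    """Bytes on the wire: 4-byte leaf index, L chain values, HEIGHT authentication nodes."""
    _, wsig, auth = signature
    return 4 + (len(wsig) + len(auth)) * N_BYTES
```

Even this minimal tree produces 2,244-byte signatures (67 chain values plus 3 authentication nodes at 32 bytes each), against 64 bytes for Ed25519 or ECDSA P-256; SLH-DSA's hypertree and FORS layers multiply that by the number of tree layers, which is where its 7.8 KB to 49.9 KB signatures come from. The `next_leaf` counter is the part that must survive crashes, backups and replicas in a stateful deployment, and the reason SLH-DSA pays extra size to avoid it.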
All PQC algorithms trade off security, performance, and data size. ML-KEM public keys are 800, 1,184, and 1,568 bytes for ML-KEM-512, -768, and -1024, with ciphertexts of 768, 1,088, and 1,568 bytes, compared with 32 bytes for an X25519 public key or 65 bytes for an uncompressed P-256 point. ML-DSA signatures are 2,420, 3,309, and 4,627 bytes with public keys of 1,312, 1,952, and 2,592 bytes, while an ECDSA P-256 signature is 64 bytes. These increases cascade through infrastructure: TLS handshakes consume more bandwidth, certificate chains carrying several PQC signatures and keys can exceed the initial TCP congestion window or QUIC's amplification limit and cost extra round trips, and embedded devices need additional memory and storage.
Performance characteristics vary significantly across algorithms and use cases. Lattice-based algorithms generally perform well on modern processors with vector instruction sets but may struggle on constrained devices. Hash-based signatures like SLH-DSA have predictable performance based on the underlying hash function but require significantly more computational work for signature generation. Implementation optimizations, including hardware acceleration and algorithm-specific processor instructions, continue to improve performance across all standardized algorithms.
The quantum threat represents the largest cryptographic transition in internet history. Every system using public-key cryptography must migrate to quantum-resistant algorithms before quantum computers achieve sufficient scale to break current systems. Unlike previous cryptographic transitions, which organizations could delay or phase in at leisure, the quantum transition is both mandatory and time-bounded. Once a cryptographically relevant quantum computer exists, any key exchange or signature that depends on RSA, ECC, or finite-field Diffie-Hellman offers no protection, however long the keys.
The business impact extends far beyond IT departments. Adversaries who record encrypted traffic today can decrypt it retroactively once quantum computers become available. Financial records, trade secrets, personal health information, and classified government communications collected now will remain sensitive for decades. This "harvest now, decrypt later" attack model means organizations cannot wait until quantum computers exist to begin migration. The threat is asymmetric between primitives: key exchange must move first, because ciphertext captured today is exposed later, whereas a signature on a short-lived session only matters once the quantum computer exists. Long-lived signed artifacts such as firmware images, code-signing certificates, and archived documents are the exception and also need early attention.
Regulatory frameworks increasingly mandate quantum readiness. National Security Memorandum 10 (NSM-10, May 2022), Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems, directs federal agencies to inventory their cryptographic systems and begin the transition on set timelines, with OMB memorandum M-23-02 specifying the annual inventory reporting. The Cybersecurity and Infrastructure Security Agency (CISA) includes quantum readiness in its critical infrastructure security guidance, and financial regulators are incorporating quantum risk into cybersecurity examination procedures. Organizations that delay migration may face regulatory findings, insurance coverage limitations, and breaches of customer contracts that specify cryptographic standards.
Migration complexity multiplies with delay. Early adopters can plan systematic transitions, test algorithm performance, and address interoperability issues during normal technology refresh cycles. Organizations that wait face compressed timelines, emergency procurement processes, and integration challenges that increase costs and introduce security risks. The standardization of specific algorithms provides procurement certainty and vendor ecosystem development that reduces future migration costs.
Common misconceptions underestimate both timeline urgency and scope requirements. Some organizations assume quantum computers remain purely theoretical or decades away, despite significant government and private investment in quantum research. Others believe migration only affects systems storing highly sensitive data, not recognizing that PKI systems, software updates, and routine communications all depend on public-key cryptography. Technical teams sometimes focus exclusively on algorithm replacement without addressing the broader infrastructure changes required to support larger key and signature sizes.
CDA's Data Protection and Sovereignty domain treats PQC migration as a foundational requirement for maintaining long-term data control. The Sovereign Data Protocol demands that organizations maintain exclusive access to their data across its entire lifecycle, including protection against future quantum decryption capabilities. This perspective drives a more aggressive migration timeline than typical compliance-driven approaches and emphasizes cryptographic agility as a permanent organizational capability rather than a one-time project.
The CDA methodology begins with comprehensive cryptographic dependency mapping that extends beyond obvious PKI systems to include embedded cryptography in industrial controls, legacy application integrations, and vendor-managed services. Many organizations discover cryptographic dependencies in unexpected locations: manufacturing equipment, building automation systems, and third-party APIs that may not support PQC migration on acceptable timelines. This mapping phase often reveals that organizations have less direct control over their cryptographic posture than assumed.
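Dependency mapping only scales if there is a tool that can say, for every key or certificate it encounters, which algorithm it uses. The following Python is an added example of that building block, written for this article rather than taken from any CDA or vendor tooling: a standard-library DER walker that extracts the algorithm identifier from a SubjectPublicKeyInfo (the structure found in "BEGIN PUBLIC KEY" files and inside every X.509 certificate) and classifies it as quantum-vulnerable or quantum-resistant. The RSA, EC, X25519 and Ed25519 OIDs are the standard ones; the ML-KEM and ML-DSA OIDs are the NIST CSOR arcs used by the draft X.509 profiles, and their inclusion in the table is an assumption of this example. The sample keys are constructed placeholders with dummy key bytes, labelled as such in the code.

```python
import base64
import re

# Public-key algorithm OIDs. PQC entries are the NIST CSOR arcs used by the draft
# X.509 profiles: 2.16.840.1.101.3.4.3.x = signature algorithms, ...3.4.4.x = KEMs.
RSA_OID, EC_OID = "1.2.840.113549.1.1.1", "1.2.840.10045.2.1"
ALGORITHMS = {
    RSA_OID: ("RSA", "quantum-vulnerable"), EC_OID: ("EC", "quantum-vulnerable"),
    "1.3.101.110": ("X25519", "quantum-vulnerable"), "1.3.101.112": ("Ed25519", "quantum-vulnerable"),
    "2.16.840.1.101.3.4.4.1": ("ML-KEM-512", "quantum-resistant"),
    "2.16.840.1.101.3.4.4.2": ("ML-KEM-768", "quantum-resistant"),
    "2.16.840.1.101.3.4.4.3": ("ML-KEM-1024", "quantum-resistant"),
    "2.16.840.1.101.3.4.3.17": ("ML-DSA-44", "quantum-resistant"),
    "2.16.840.1.101.3.4.3.18": ("ML-DSA-65", "quantum-resistant"),
    "2.16.840.1.101.3.4.3.19": ("ML-DSA-87", "quantum-resistant"),
}
CURVES = {"1.2.840.10045.3.1.7": "P-256", "1.3.132.0.34": "P-384", "1.3.132.0.35": "P-521"}

def der_read(buf, pos=0):
    """Read one DER TLV at `pos`; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def der(tag, body):
    """Minimal DER encoder, used here to build the constructed sample keys."""
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def decode_oid(val):
    first = val[0]
    arcs, cur = ([2, first - 80] if first >= 80 else [first // 40, first % 40]), 0
    for b in val[1:]:                            # base-128 arcs, high bit = continuation
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        enc, a = [a & 0x7F], a >> 7
        while a:
            enc, a = enc + [0x80 | (a & 0x7F)], a >> 7
        out += bytes(reversed(enc))
    return out

def inspect_spki(spki):
    """Classify a SubjectPublicKeyInfo: algorithm OID, PQC status, and key size or curve."""
    alg_id, (_, bitstring) = der_children(der_read(spki)[1])[:2]
    params = der_children(alg_id[1])
    oid = decode_oid(params[0][1])
    name, status = ALGORITHMS.get(oid, ("unknown " + oid, "review manually"))
    detail = ""
    if oid == RSA_OID:                           # BIT STRING wraps RSAPublicKey { n, e }
        modulus = der_children(der_read(bitstring[1:])[1])[0][1]
        detail = f"{int.from_bytes(modulus, 'big').bit_length()}-bit modulus"
    elif oid == EC_OID and len(params) > 1 and params[1][0] == 0x06:
        curve_oid = decode_oid(params[1][1])
        detail = "curve " + CURVES.get(curve_oid, curve_oid)
    return {"oid": oid, "algorithm": name, "status": status, "detail": detail}

def inspect_pem(pem):
    """Accept 'BEGIN PUBLIC KEY' (raw SPKI) or 'BEGIN CERTIFICATE' (SPKI inside TBSCertificate)."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END", pem, re.S)
    blob = base64.b64decode("".join(m.group(2).split()))
    if m.group(1) == "CERTIFICATE":
        fields = der_children(der_children(der_read(blob)[1])[0][1])   # TBSCertificate fields
        spki = fields[6 if fields[0][0] == 0xA0 else 5]                 # skip [0] version if present
        blob = der(0x30, spki[1])
    return inspect_spki(blob)

def to_pem(label, blob):
    return f"-----BEGIN {label}-----\n{base64.b64encode(blob).decode()}\n-----END {label}-----\n"

def sample_spki(oid, params=b"", key=bytes(32)):
    """Constructed placeholder SPKI with dummy key bytes; not a real key."""
    return der(0x30, der(0x30, der(0x06, encode_oid(oid)) + params) + der(0x03, b"\x00" + key))

def sample_rsa_spki(bits=2048):
    """Constructed placeholder with a modulus of the requested size; not a real RSA key."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa_pub = der(0x30, der(0x02, b"\x00" + n) + der(0x02, b"\x01\x00\x01"))
    return sample_spki(RSA_OID, der(0x05, b""), rsa_pub)
```

`inspect_pem` is the piece to point at a directory of certificates, SSH host keys converted to PEM, or the leaf certificates pulled from TLS endpoints; anything that comes back as "review manually" is an OID the table does not know and is exactly the kind of dependency the mapping phase is meant to surface. A production inventory also needs to see keys that never leave an HSM or a vendor's service, which no file scanner will find and which is why the methodology insists on questioning vendors directly.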
CDA prioritizes systems protecting long-lived secrets and high-value data for early migration, but our approach differs from conventional risk-based prioritization. Rather than focusing exclusively on current threat levels, we emphasize future data sovereignty. Systems that appear low-risk today may process data that remains sensitive for decades. Healthcare research data, financial records, and engineering designs require protection timelines that extend well beyond typical IT planning horizons.
Implementation strategy emphasizes crypto agility as a permanent capability. The PQC transition will not be the last major cryptographic migration organizations face. Quantum computing may reveal weaknesses in current PQC algorithms, new attack techniques may emerge, or performance improvements may favor different algorithmic approaches. Organizations that build migration capabilities rather than simply implementing new algorithms maintain data sovereignty across future cryptographic changes.
CDA's approach to vendor management during PQC transition focuses on maintaining data control. We require vendors to provide specific migration timelines, to support hybrid classical/quantum-resistant configurations during transition periods (for example, a TLS key exchange that combines X25519 with ML-KEM-768, so that a break of either component alone does not expose the session), and to demonstrate cryptographic agility in their product roadmaps. Vendor lock-in during cryptographic transitions creates data sovereignty risks that may not manifest until organizations need to change algorithms quickly in response to new threats.
Testing and validation methodology addresses both security and sovereignty concerns. Beyond verifying that PQC implementations function correctly, we test organizational capabilities to change algorithms independently, verify that data remains accessible across cryptographic transitions, and ensure that security monitoring can detect algorithm-specific attacks. These tests often reveal dependencies on vendor-controlled cryptographic infrastructure that compromise long-term data sovereignty.
• NIST's August 2024 PQC standards (ML-KEM, ML-DSA, SLH-DSA, with FN-DSA to follow as FIPS 206) are the first general-purpose public-key algorithms approved for federal use that resist both classical and quantum attacks, establishing concrete migration targets for organizations.
• PQC algorithms require significantly larger key and signature sizes than current systems, creating infrastructure impacts that extend beyond simple algorithm replacement to network capacity, storage requirements, and device capabilities.
• The "harvest now, decrypt later" threat model means organizations must begin migration immediately to protect data that remains sensitive for decades, rather than waiting until quantum computers become available.
• Successful PQC migration requires comprehensive cryptographic dependency mapping that includes embedded systems, legacy applications, and vendor-managed services often overlooked in traditional security assessments.
• Crypto agility represents a permanent organizational capability rather than a one-time project, as future cryptographic transitions will be necessary as quantum computing and attack techniques continue evolving.
Related topics:
• Cryptographic Inventory and Assessment
• Federal Cryptography Compliance Requirements
• Quantum-Safe PKI Implementation
• Legacy System Cryptographic Modernization
• Third-Party Risk Management for Cryptographic Services
• NIST. "Post-Quantum Cryptography: FIPS 203, 204, and 205." Federal Information Processing Standards, August 2024.
• National Security Agency. "Quantum-Readiness: Migration to Post-Quantum Cryptography." Cybersecurity Information Sheet, September 2024.
• Cybersecurity and Infrastructure Security Agency. "Post-Quantum Cryptography Initiative." CISA Insights, 2024.
• Mosca, Michele. "Cybersecurity in an Era with Quantum Computers: Will We Be Ready?" IEEE Security & Privacy, vol. 16, no. 5, 2018.
Written by CDA Editorial