This week marks a significant milestone in the field of cybersecurity.
NIST (National Institute of Standards and Technology) has officially released the first three final standards for Post-Quantum Cryptography (PQC) algorithms. After years of rigorous evaluation and public feedback, these standards are now ready for use, signaling a new era in cryptography designed to withstand the potential threats posed by quantum computing.
Since 2016, NIST has been at the forefront of standardizing cryptography that can resist attacks from quantum computers. In 2022, they announced the leading candidates that would be finalized:
- CRYSTALS-Kyber
- CRYSTALS-Dilithium
- SPHINCS+
- FALCON
Earlier this year, NIST already published draft standards for the first three of these algorithms, inviting feedback from the global cryptographic community. Now, after incorporating valuable input and making necessary refinements, NIST has released the final standards.
In this blog post, we’ll provide a concise overview of these standards and guide you to more detailed resources on each algorithm.
NIST’s final Post-Quantum Cryptography Standards Released
ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism)
Use Case: Key Encapsulation
Based on: CRYSTALS-Kyber
Type: Lattice-based cryptography
Standard: FIPS-203
A Key-Encapsulation Mechanism (KEM) is a set of algorithms that enables two parties to establish a shared secret key over a public channel. This key can be used for secure communication tasks like encryption and authentication. ML-KEM, which relies on the Module Learning with Errors problem for its security, is believed to be secure even against quantum computers.
In the newly published standard, there are three ML-KEM parameter sets—ML-KEM-512, ML-KEM-768, and ML-KEM-1024—increasing in security but decreasing in performance. These have the following key and ciphertext sizes (in bytes):
| Parameter | Encapsulation Key Size | Decapsulation Key Size | Ciphertext Size | Shared Key Size |
|---|---|---|---|---|
| ML-KEM-512 | 800 | 1,632 | 768 | 32 |
| ML-KEM-768 | 1,184 | 2,400 | 1,088 | 32 |
| ML-KEM-1024 | 1,568 | 3,168 | 1,568 | 32 |
ML-DSA (Module-Lattice-Based Digital Signature Standard)
Use Case: Digital Signatures
Based on: CRYSTALS-Dilithium
Type: Lattice-based cryptography
Standard: FIPS-204
Digital signatures make it possible to verify data integrity and authenticate the signer's identity. They also provide non-repudiation: the signer cannot later deny having signed, and any tampering with the signed document is detectable. ML-DSA is a set of algorithms for generating and verifying digital signatures that is believed to be secure even against quantum computer threats.
The newly published standard FIPS-204 includes parameter sets for ML-DSA-44, ML-DSA-65 and ML-DSA-87 with the following key sizes (in bytes):
| Parameter | Private Key Size | Public Key Size | Signature Size |
|---|---|---|---|
| ML-DSA-44 | 2,560 | 1,312 | 2,420 |
| ML-DSA-65 | 4,032 | 1,952 | 3,309 |
| ML-DSA-87 | 4,896 | 2,592 | 4,627 |
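The ML-KEM and ML-DSA size tables above follow directly from the parameter sets in FIPS 203 and FIPS 204. The following added example (not code from the original post or from Utimaco) derives the sizes from those parameters and then uses them as the length checks that FIPS 203 requires on encapsulation keys and ciphertexts before they are processed; the parameter values and formulas are taken from the two standards, the function names are assumptions of this example.

```python
# Added example: reproduce the FIPS 203 / FIPS 204 size tables from the
# parameter sets, then use them as length checks on objects received over the wire.

# FIPS 203 parameter sets as (k, d_u, d_v); all share n = 256 and q = 3329.
ML_KEM_PARAMS = {
    "ML-KEM-512": (2, 10, 4),
    "ML-KEM-768": (3, 10, 4),
    "ML-KEM-1024": (4, 11, 5),
}

# FIPS 204 parameter sets as (k, l, eta, log2(gamma1), omega, lambda);
# all share d = 13 dropped bits and q = 8380417, so bitlen(q-1) - d = 10.
ML_DSA_PARAMS = {
    "ML-DSA-44": (4, 4, 2, 17, 80, 128),
    "ML-DSA-65": (6, 5, 4, 19, 55, 192),
    "ML-DSA-87": (8, 7, 2, 19, 75, 256),
}

def ml_kem_sizes(name):
    """FIPS 203 byte lengths: ek = 384k + 32, dk = 768k + 96, ct = 32(d_u*k + d_v)."""
    k, du, dv = ML_KEM_PARAMS[name]
    return {
        "encapsulation_key": 384 * k + 32,
        "decapsulation_key": 768 * k + 96,
        "ciphertext": 32 * (du * k + dv),
        "shared_key": 32,  # the shared secret K is always 32 bytes
    }

def ml_dsa_sizes(name):
    """FIPS 204 byte lengths of the public key, private key and signature."""
    k, l, eta, gamma1_bits, omega, lam = ML_DSA_PARAMS[name]
    return {
        # pk = rho (32) + t1 packed at 10 bits per coefficient, k polynomials
        "public_key": 32 + 32 * k * 10,
        # sk = rho, K, tr (128) + s1, s2 at bitlen(2*eta) bits + t0 at 13 bits
        "private_key": 128 + 32 * ((l + k) * (2 * eta).bit_length() + 13 * k),
        # sig = c_tilde (lambda/4) + z at 1+log2(gamma1) bits + hint (omega + k)
        "signature": lam // 4 + l * 32 * (1 + gamma1_bits) + omega + k,
    }

def check_length(name, kind, blob):
    """Reject an object whose length does not match its parameter set.
    FIPS 203 mandates this check on encapsulation keys and ciphertexts before
    they reach the lattice arithmetic; do it at the boundary, not deeper in."""
    sizes = ml_kem_sizes(name) if name in ML_KEM_PARAMS else ml_dsa_sizes(name)
    if len(blob) != sizes[kind]:
        raise ValueError(f"{name} {kind}: expected {sizes[kind]} bytes, got {len(blob)}")
    return True
```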
SLH-DSA (Stateless hash-based signature standard)
Use Case: Digital Signatures
Based on: SPHINCS+
Type: Hash-based cryptography
Standard: FIPS-205
SLH-DSA is a hash-based digital signature algorithm that is believed to be secure against quantum computing attacks. The newly published standard FIPS-205 approves 12 parameter sets for use with SLH-DSA:
Six parameter sets using SHA2:
SLH-DSA-SHA2-128s, SLH-DSA-SHA2-128f, SLH-DSA-SHA2-192s, SLH-DSA-SHA2-192f, SLH-DSA-SHA2-256s, SLH-DSA-SHA2-256f
Six parameter sets using SHAKE:
SLH-DSA-SHAKE-128s, SLH-DSA-SHAKE-128f, SLH-DSA-SHAKE-192s, SLH-DSA-SHAKE-192f, SLH-DSA-SHAKE-256s, and SLH-DSA-SHAKE-256f
FIPS-205 lists the following key and signature sizes for the SHA2 parameter sets of SLH-DSA (in bytes):
| Parameter | Security Category | Public Key Size | Signature Size |
|---|---|---|---|
| SLH-DSA-SHA2-128s | 1 | 32 | 7,856 |
| SLH-DSA-SHA2-128f | 1 | 32 | 17,088 |
| SLH-DSA-SHA2-192s | 3 | 48 | 16,224 |
| SLH-DSA-SHA2-192f | 3 | 48 | 35,664 |
| SLH-DSA-SHA2-256s | 5 | 64 | 29,792 |
| SLH-DSA-SHA2-256f | 5 | 64 | 49,856 |
Test and validate the new Post Quantum Cryptography standards
To make the transition to the new standards and Post Quantum Cryptography even more achievable for organizations, NIST will develop a validation program to test implementations of the new Post Quantum Cryptography standards.
What’s Next: The Time to Implement Post Quantum Cryptography is Now
Now is the perfect moment to integrate Post Quantum Cryptography (PQC) into your environment. With the standards now published, you have a strong case for implementation. Review these standards and identify where they can be applied, especially if you've already started with hybrid approaches using preliminary versions of these algorithms.
Also, keep an eye out for the upcoming draft standard for FALCON, a lattice-based digital signature scheme selected in 2022.
To diversify beyond lattice-based algorithms, NIST is continuing the selection process with additional rounds. In April 2024, during the 5th NIST PQC Standardization conference, updates were provided on algorithms like BIKE, Classic McEliece, Falcon, and HQC. Experts offered feedback, which will shape the ongoing standardization process.
Moreover, a separate round is underway to standardize more digital signature schemes, with 40 submissions currently in the first evaluation phase. This comprehensive process is expected to take several years, ensuring robust and secure standards for the future.
Ready for the Quantum Age with crypto-agile Hardware Security Modules
As you can see, there is a lot going on in the field of PQC and more standards will follow in the future. This makes it even more important to be crypto agile – that is, to adapt flexibly to changes in the cryptographic landscape.
Utimaco offers crypto-agile, PQC-ready Hardware Security Modules that prepare you for the quantum age. We have already supported the pre-standard versions of ML-DSA (CRYSTALS-Dilithium) and ML-KEM (CRYSTALS-Kyber) – so switching to the new standards will be seamless with Utimaco by your side!
Lena Backes is an IT Marketing expert with more than 10 years of experience working in the B2B sector. In her professional career, she has gained extensive knowledge in various areas, including cybersecurity, network management, enterprise streaming, and software asset management. In her current role she is responsible for product positioning of Utimaco’s cybersecurity products and solutions, with a particular focus on data protection, blockchain technology, and post quantum cryptography.