digital mark

NIST’s final PQC standards are here – What you need to know

This week marks a significant milestone in the field of cybersecurity. 

NIST (National Institute of Standards and Technology) has officially released the first three final standards for Post-Quantum Cryptography (PQC) algorithms. After years of rigorous evaluation and public feedback, these standards are now ready for use, signaling a new era in cryptography designed to withstand the potential threats posed by quantum computing.

Since 2016, NIST has been at the forefront of standardizing cryptography that can resist attacks from quantum computers. In 2022, they announced the leading candidates that would be finalized:

  • CRYSTALS-Kyber
  • CRYSTALS-Dilithium
  • SPHINCS+
  • FALCON

Earlier this year, NIST already published draft standards for the first three of these algorithms, inviting feedback from the global cryptographic community. Now, after incorporating valuable input and making necessary refinements, NIST has released the final standards.  

In this blog post, we’ll provide a concise overview of these standards and guide you to more detailed resources on each algorithm.

NIST’s final Post-Quantum Cryptography Standards Released

ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism)

Use Case: Key Encapsulation
Based on: CRYSTALS-Kyber
Type: Lattice-based cryptography
Standard: FIPS-203  

A Key-Encapsulation Mechanism (KEM) is a set of algorithms that enables two parties to establish a shared secret key over a public channel. This key can be used for secure communication tasks like encryption and authentication. ML-KEM, which relies on the Module Learning with Errors problem for its security, is believed to be secure even against quantum computers.  

In the newly published standard, there are three ML-KEM parameter sets—ML-KEM-512, ML-KEM-768, and ML-KEM-1024—increasing in security but decreasing in performance. These have the following key and ciphertext sizes (in bytes):

Parameter Encapsulation Key Size Decapsulation Key Size Ciphertext Size Shared Key Size 
ML-KEM-512 800 1,632 768 32 
ML-KEM-768 1,184 2,400 1,088 32 
ML-KEM-1024 1,568 3,168 1,568 32 

Learn more about ML-KEM.
 

ML-DSA (Module-Lattice-Based Digital Signature Standard)

Use Case: Digital Signatures
Based on: CRYSTALS-Dilithium
Type: Lattice-based cryptography
Standard: FIPS-204

Digital signatures allow to verify data integrity and authenticate the signer's identity. They also provide non-repudiation, meaning the signer cannot later deny the signature and the document cannot be tampered with. ML-DSA is a set of algorithms for generating and verifying digital signatures, which is believed to be secure even against quantum computer threats.

The newly published standard FIPS-204 includes parameter sets for ML-DSA-44, ML-DSA-65 and ML-DSA-87 with the following key sizes (in bytes):

Parameter Private Key Size Public Key Size Signature Size 
ML-DSA-44 2,560 1,312 2,420 
ML-DSA-65 4,032 1,952 3,309 
ML-DSA-87 4,896 2,592 4,627 

Learn more about ML-DSA.

SLH-DSA (Stateless hash-based signature standard)

Use Case: Digital Signatures
Based on: SPHINCS+  
Type: Hash-based cryptography
Standard: FIPS-205

SLH-DSA is a hash-based digital signature algorithms which is believed to be secure against quantum computing attacks. The newly published standard FIPS-205 approves 12 parameter sets for use with SLH-DSA;  

  • Six parameters using SHA2:

SLH-DSA-SHA2-128s, SLH-DSA-SHA2-128f, SLH-DSA-SHA2-192s, SLH-DSA-SHA2-192f, SLH-DSA-SHA2-256s, SLH-DSA-SHA2-256f

  • Six parameters using SHAKE:

SLH-DSA-SHAKE128s, SLH-DSA-SHAKE-128f, SLH-DSA-SHAKE-192s, SLH-DSA-SHAKE-192f, SLH-DSA-SHAKE-256s, and SLH-DSA-SHAKE-256f

FIPS-205 lists the following key and signature sizes for SLH-DSA (in bytes):

Parameter 

Security Category 

Public Key size 

Signature Size 

SLH-DSA-SHA2-128s 
SLH-DSA-SHAKE-128s 

1 

32 

7,856 

SLH-DSA-SHA2-128f 
SLH-DSA-SHAKE-128f 

1 

32 

17,088 

SLH-DSA-SHA2-192s 
SLH-DSA-SHAKE-192s 

3 

48 

16,224 

SLH-DSA-SHA2-192f 
SLH-DSA-SHAKE-192f 

3 

48 

35,664 

SLH-DSA-SHA2-256s 
SLH-DSA-SHAKE-256s 

5 

64 

29,792 

SLH-DSA-SHA2-256f 
SLH-DSA-SHAKE-256f 

5 

64 

49,856 

Learn more about SLH-DSA. 

Test and validate the new Post Quantum Cryptography standards

To make transition to the new standards and Post Quantum Cryptography even more achievable for organizations, NIST will develop a validation program to test implementations of the new Post Quantum Cryptography standards.  

Click here for more information on the validation program.

Example values will be published here.

What’s Next: The Time to Implement Post Quantum Cryptography is Now

Now is the perfect moment to integrate Post Quantum Cryptography (PQC) into your environment. Equipped with the new standards published, you have a strong case for implementation. Review these standards and identify where they can be applied, especially if you've already started with hybrid approaches using preliminary versions of these algorithms.

Also, keep an eye out for the upcoming draft standard for FALCON, a lattice-based digital signature scheme selected in 2022.

To diversify beyond lattice-based algorithms, NIST is continuing the selection process with additional rounds. In April 2024, during the 5th NIST PQC Standardization conference, updates were provided on algorithms like BIKE, Classic McEliece, Falcon, and HQC. Experts offered feedback, which will shape the ongoing standardization process.

Moreover, a separate round is underway to standardize more digital signature schemes, with 40 submissions currently in the first evaluation phase. This comprehensive process is expected to take several years, ensuring robust and secure standards for the future.

Ready for the Quantum Age with crypto-agile Hardware Security Modules

As you can see, there is a lot going on in the field of PQC and more standards will follow in the future. This makes it even more important to be crypto agile – that is, to adapt flexibly to changes in the cryptographic landscape.

Utimaco offers crypto-agile, PQC-ready Hardware Security Modules that prepare you for the quantum age. We have already supported the pre-standard versions of ML-DSA (CRYSTALS-Dilithium) and ML-KEM (CRYSTALS-Kyber) – so switching to the new standards will be seamless with Utimaco by your side!

Contact our PQC experts for more information.

Lena Backes is an IT Marketing expert with more than 10 years of experience working in the B2B sector. In her professional career, she has gained extensive knowledge in various areas, including cybersecurity, network management, enterprise streaming, and software asset management. In her current role she is responsible for product positioning of Utimaco’s cybersecurity products and solutions, with a particular focus on data protection, blockchain technology, and post quantum cryptography.

Downloads

Downloads

To find more blog posts related with below topics, click on one of the keywords:
PQC

How can we help you?

Talk to one of our specialists and find out how Utimaco can support you today.
You have selected two different types of downloads, so you need to submit different forms which you can select via the two tabs.

Your download request(s):

    By submitting below form you will receive links for your selected downloads.

    Your download request(s):

      For this type of documents, your e-mail address needs to be verified. You will receive the links for your selected downloads via e-mail after submitting below form.

      About Utimaco's Downloads

      Visit our Downloads section and select from resources such as brochures, data sheets, white papers and much more. You can view and save almost all of them directly (by clicking the download button).

      For some documents, your e-mail address needs to be verified. The button contains an e-mail icon.

      Download via e-mail

       

      A click on such a button opens an online form which we kindly ask you to fill and submit. You can collect several downloads of this type and receive the links via e-mail by simply submitting one form for all of them. Your current collection is empty.