NIST SP 800-56 Series (Key Establishment)
The NIST SP 800-56 series is the set of NIST Special Publications that standardize classical key establishment, the schemes that let two parties agree on a shared secret, and it is precisely the family of algorithms post-quantum cryptography is replacing. It has three parts: SP 800-56A covers key establishment based on discrete-logarithm cryptography, which is Diffie-Hellman and ECDH; SP 800-56B covers key establishment based on integer-factorization cryptography, which is RSA; and SP 800-56C covers the key-derivation step that turns the raw shared secret into usable keying material.
The first two specify exactly the quantum-vulnerable key exchange that Shor’s algorithm breaks, and the third is the piece that survives and gets reused, because the combiner in a hybrid X25519 plus ML-KEM handshake is a key-derivation construction of exactly the kind 800-56C governs.
The short version:
- It’s NIST’s classical key-establishment standard, in three parts, and it’s the family ML-KEM replaces for the key-exchange job.
- SP 800-56A Rev. 3 (April 2018) covers discrete-logarithm key establishment, meaning Diffie-Hellman and ECDH, and it’s the harvestable scheme in most TLS handshakes.
- SP 800-56B Rev. 2 (March 2019) covers integer-factorization key establishment, meaning RSA key agreement and key transport.
- SP 800-56C Rev. 2 (August 2020) covers key derivation, extracting and expanding usable keys from the shared secret, and this is the piece a hybrid combiner builds on.
- The 56A and 56B schemes are quantum-vulnerable and on the deprecation clock; the 56C key-derivation machinery carries forward into the post-quantum world, which is why the series matters for the transition rather than only for history.
Think of key establishment like two people needing to agree on a secret passphrase while a crowd listens. SP 800-56A and 56B are two different tricks for doing that in the open, one built on a math puzzle about discrete logarithms and one on a puzzle about factoring huge numbers, and a quantum computer solves both puzzles, so both tricks fail. SP 800-56C is the separate, humble step of taking whatever secret the two ended up sharing and running it through a blender to produce clean, correctly-sized keys for the actual conversation. The blender still works no matter which trick produced the secret, which is exactly why the post-quantum handshake keeps using it while throwing out the two broken tricks.
What is the SP 800-56 series?
The SP 800-56 series is NIST’s authoritative specification for classical pair-wise key establishment, split into three companion documents by the math the scheme rests on and by the job it does. Each has its own identity, and stating them precisely matters because these are the exact standards a deprecation deadline points at:
| Document | Title | Current revision and date | What it specifies |
|---|---|---|---|
| SP 800-56A | Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography | Rev. 3, April 2018 | Diffie-Hellman and MQV over finite fields and elliptic curves (ECDH) |
| SP 800-56B | Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography | Rev. 2, March 2019 | RSA-based key agreement and key transport |
| SP 800-56C | Recommendation for Key-Derivation Methods in Key-Establishment Schemes | Rev. 2, August 2020 | Deriving keying material from the shared secret 56A or 56B produced |
Source: NIST SP 800-56A Rev. 3, April 2018, SP 800-56A; NIST SP 800-56B Rev. 2, March 2019, SP 800-56B; NIST SP 800-56C Rev. 2, August 2020, SP 800-56C.
The reason to treat the three as one family is that a real key-establishment deployment uses two of them together: a scheme from 56A or 56B agrees on a raw shared secret, and then 56C derives the actual session keys from it. The first two are the quantum-vulnerable part, and the third is the durable part, which is the split that makes the series so relevant to the migration.
What do SP 800-56A and 56B specify, and why are they quantum-vulnerable?
SP 800-56A and 56B specify the two classical ways two parties establish a shared secret over a public channel, and both are broken by a quantum computer because both rest on a math problem Shor’s algorithm solves efficiently. They divide by the hard problem underneath:
- SP 800-56A, discrete-logarithm cryptography. It standardizes Diffie-Hellman and the MQV variants, over both finite fields and elliptic curves, so it’s the standard behind ECDH key exchange. Its security rests on the discrete-logarithm problem, and Shor’s algorithm solves that problem, so a capable quantum computer recovers the shared secret. This is the scheme in the ECDHE handshake that carries most TLS traffic, which is why it’s the harvestable surface migrating first.
- SP 800-56B, integer-factorization cryptography. It standardizes RSA-based key agreement and key transport, where security rests on the difficulty of factoring a large modulus. Shor’s algorithm factors that modulus, so RSA key establishment is broken by the same quantum capability.
Both are on the deprecation schedule the mandates set, with NIST guidance moving to disallow classical public-key key establishment as the transition proceeds. The important nuance is that these standards aren’t wrong or newly weak; they’re mathematically sound against classical attackers and remain in force today. The quantum computer changes the threat model, which is why the replacement is a scheduled migration to ML-KEM rather than an emergency, and why the 56A and 56B schemes run in a hybrid alongside the post-quantum KEM during the overlap.
What does SP 800-56C specify, and why does it survive the transition?
SP 800-56C specifies how to derive usable keying material from the raw shared secret a key-establishment scheme produces, through extraction and expansion using approved hash functions and message authentication codes, and it survives the transition because that key-derivation step is algorithm-agnostic. The shared secret from a Diffie-Hellman exchange, an RSA exchange, or a post-quantum KEM is a block of bytes with useful entropy but the wrong shape for direct use, and 56C is the standard for turning it into correctly-sized, independent session keys.
The construction it defines is a two-step key-derivation pattern, extraction then expansion, and that pattern is exactly what a hybrid handshake needs:
- Extraction condenses the raw shared secret into a uniform pseudorandom key.
- Expansion stretches that key into as much keying material as the protocol needs.
The load-bearing connection to the migration is the combiner. When a hybrid handshake runs classical X25519 and ML-KEM together, it has two shared secrets and needs to mix them into one session key so the result is safe if either half survives, and that mixing is a key-derivation construction of exactly the kind SP 800-56C governs. NIST’s guidance on multi-algorithm KEMs and approved key combiners in SP 800-227 builds on this key-derivation foundation, so 56C is where the durable half of classical key establishment meets the post-quantum world.
Source: NIST SP 800-56C Rev. 2, “Recommendation for Key-Derivation Methods in Key-Establishment Schemes,” August 2020, SP 800-56C; the approved-key-combiner framing is in NIST SP 800-227, SP 800-227.
How does the SP 800-56 series relate to the post-quantum standards?
The series is the classical incumbent that the post-quantum standards replace for key establishment, and mapping the two side by side shows exactly what changes and what carries over. FIPS 203 standardizes the post-quantum KEM that supersedes the 56A and 56B schemes, SP 800-227 is the general KEM guidance that plays the role 56A/56B played for the classical schemes, and SP 800-56C’s key-derivation machinery is reused inside the hybrid.
| Job | Classical standard | Post-quantum successor |
|---|---|---|
| Discrete-log key exchange (DH, ECDH) | SP 800-56A Rev. 3 | ML-KEM (FIPS 203) |
| Integer-factorization key exchange (RSA) | SP 800-56B Rev. 2 | ML-KEM (FIPS 203) |
| General framework for the scheme | SP 800-56A / 56B themselves | SP 800-227 |
| Key derivation from the shared secret | SP 800-56C Rev. 2 | SP 800-56C Rev. 2 (reused in the combiner) |
The pattern to hold onto is that the transition replaces the way the shared secret is agreed, not the way it’s turned into keys. The 56A and 56B agreement schemes give way to a KEM, while the 56C derivation step carries forward and does new work joining a classical and a post-quantum secret in a hybrid. That’s why understanding the 56 series is understanding both what’s being retired and what’s being kept.
Common misconceptions
- “SP 800-56 is one document.” It’s three companion Special Publications: 56A for discrete-log (DH/ECDH), 56B for integer-factorization (RSA), and 56C for key derivation. They cover different math and different jobs.
- “These standards are obsolete now that ML-KEM exists.” They’re current and in force, and mathematically sound against classical attackers. A quantum computer changes the threat model, which is why 56A and 56B are on a scheduled deprecation path rather than being wrong today.
- “The whole series gets replaced by FIPS 203.” The key-agreement parts (56A, 56B) do. The key-derivation part (56C) carries forward and is reused inside the hybrid combiner, so part of the series survives the transition.
- “SP 800-56C is just a footnote.” It’s the durable half. The hybrid handshake that mixes a classical and a post-quantum shared secret into one session key is a key-derivation construction of exactly the kind 56C governs, so it’s load-bearing for the migration.
- “ECDH isn’t covered here because it’s elliptic-curve.” SP 800-56A explicitly covers discrete-logarithm cryptography over both finite fields and elliptic curves, so ECDH is a 56A scheme.
Questions people ask
What is the NIST SP 800-56 series? It’s NIST’s standard for classical key establishment, in three parts: SP 800-56A for Diffie-Hellman and ECDH, SP 800-56B for RSA-based key establishment, and SP 800-56C for deriving keys from the shared secret. It’s the family post-quantum cryptography replaces for the key-exchange job.
Which part covers ECDH? SP 800-56A Rev. 3 (April 2018), which covers discrete-logarithm key establishment over both finite fields and elliptic curves, so both classic Diffie-Hellman and ECDH are 56A schemes.
Which part covers RSA key establishment? SP 800-56B Rev. 2 (March 2019), which covers key establishment based on integer-factorization cryptography, meaning RSA key agreement and key transport.
Are these standards being deprecated? The key-agreement schemes in 56A and 56B are, because they’re broken by Shor’s algorithm and sit on the classical-deprecation schedule the mandates set. They remain current and secure against classical attackers today, so the move is a planned migration to ML-KEM, not an emergency.
What does SP 800-56C have to do with hybrid post-quantum handshakes? Everything, because a hybrid handshake produces two shared secrets, a classical one and a post-quantum one, and mixing them into a single session key is a key-derivation construction of exactly the kind 56C governs. The combiner a hybrid uses builds on this key-derivation foundation.
Does the whole series get thrown out for post-quantum? No. The key-agreement parts (56A, 56B) are replaced by ML-KEM and SP 800-227, but the key-derivation part (56C) carries forward and does new work inside the hybrid combiner, so the series is partly retired and partly reused.
Is Diffie-Hellman itself broken today? Not by a classical computer. The Diffie-Hellman and ECDH schemes in SP 800-56A are secure against the machines that exist now. The concern is a future quantum computer running Shor’s algorithm, combined with harvest-now-decrypt-later, which is why key exchange migrates first.
Everything here is the map, given freely. When your team needs its classical key-establishment surfaces found across the estate, its harvestable Diffie-Hellman and RSA exchanges prioritized, and its hybrids built on approved key-derivation combiners, that’s the work I do, and there’s an alignment briefing for it.
Last verified 2026-07-14 · Maintained by Addie LaMarr, LaMarr Labs.