up:: The New Standards MOC

The NIST PQC Competition

The NIST PQC competition is the open, multi-round standardization process that NIST ran to choose the post-quantum algorithms the world would migrate to, starting with a public call in 2016 and winnowing 69 first-round candidates down to the finalized standards through four rounds of public cryptanalysis. It is the reason the new standards carry the confidence they do: every winner survived years of the global research community trying to break it in the open, and several promising candidates fell along the way, which is exactly the point. The primary key-establishment standard is ML-KEM (from CRYSTALS-Kyber), the signature standards are ML-DSA, SLH-DSA, and FN-DSA, and a code-based backup KEM, HQC, was added afterward.

Source: NIST, “Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process,” NIST IR 8413, July 2022, csrc.nist.gov/pubs/ir/8413/upd1/final.

The short version:

  • NIST issued the call for proposals on December 20, 2016, seeking public-key algorithms that could resist a quantum computer, for both key establishment and digital signatures.
  • 82 submissions arrived by the November 2017 deadline, and 69 met the acceptance criteria and entered Round 1 in December 2017.
  • The process ran as public elimination: 26 candidates advanced to Round 2 in January 2019, 15 to Round 3 in July 2020 (7 finalists plus 8 alternates), and NIST announced its first selections on July 5, 2022.
  • The selected algorithms became ML-KEM, ML-DSA, SLH-DSA, and FN-DSA, with the first three finalized on August 13, 2024 as FIPS 203, 204, and 205.
  • A fourth round for key establishment produced one more selection, the code-based HQC, on March 11, 2025, and a separate signature “on-ramp” is still running to add non-lattice signatures.
  • The whole design decides trust by open attack rather than by fiat, so a break found during the process is the process working, not a failure of it.

Why did NIST run a competition instead of just picking algorithms?

NIST ran an open competition because a cryptographic standard earns trust the same way the algorithms it replaced did: by surviving years of the entire research community trying to break it in public. The two workhorses of classical public-key cryptography, RSA and elliptic-curve cryptography, held for decades precisely because tens of thousands of researchers attacked them and failed, and a post-quantum replacement needs that same accumulated scrutiny before anyone bets the internet on it. A closed, committee-chosen algorithm carries no such record.

The model was proven. NIST had already used an open competition to select the AES block cipher in 2001 and the SHA-3 hash function in 2012, and both are trusted today because the public process was rigorous and transparent. Applying the same approach to post-quantum cryptography meant the winners would arrive with a documented history of public cryptanalysis, and the losers would fail loudly and early, where the failure is cheap. That transparency is why a security team can point a regulator at these standards with a straight face.

Source: NIST, “Post-Quantum Cryptography Standardization,” project page, csrc.nist.gov.

How did the call for proposals start, and what was NIST asking for?

NIST published its formal Call for Proposals on December 20, 2016, opening a standardization process for public-key cryptographic algorithms believed to be secure against both classical and quantum computers. The call asked for submissions in two categories, because public-key cryptography does two separable jobs and each needed a quantum-safe replacement:

  1. Key establishment, the job of agreeing on a shared secret over an open channel, done today by RSA key transport, Diffie-Hellman, and ECDH.
  2. Digital signatures, the job of proving identity and integrity, done today by RSA signatures and ECDSA.

Each submission had to specify one or more parameter sets, provide a reference implementation, document its security analysis, and target NIST’s security-strength categories (levels 1 through 5, benchmarked against the difficulty of attacking AES and SHA). The submission deadline was November 30, 2017.

Source: NIST, “Submission Requirements and Evaluation Criteria for the Post-Quantum Cryptography Standardization Process,” December 2016, csrc.nist.gov.

How many algorithms entered the competition?

82 complete submissions arrived by the November 2017 deadline, and after checking each against the submission requirements and minimum acceptability criteria, NIST accepted 69 as First-Round Candidates on December 20, 2017. That set of 69 is the true starting field, and it was deliberately broad, spanning every major post-quantum math family so that the eventual winners would not all rest on the same assumption.

The 69 candidates covered the whole landscape of proposed approaches:

FamilyWhat it rests onRepresentative first-round candidates
LatticeHard problems in high-dimensional latticesCRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, NTRU, FrodoKEM, SABER
Code-basedDecoding a random-looking error-correcting codeClassic McEliece, BIKE, HQC
Hash-basedThe strength of a hash function aloneSPHINCS+
MultivariateSolving systems of quadratic equationsRainbow, GeMSS
Isogeny-basedWalks between elliptic curvesSIKE

That breadth is the deliberate hedge. NIST wanted more than one kind of hard math on the shelf, because a break in any single family should never take the whole transition down with it, and the history of the competition is largely the story of that insurance paying off.

Source: NIST, “Status Report on the First Round of the NIST Post-Quantum Cryptography Standardization Process,” NIST IR 8240, January 2019, csrc.nist.gov/pubs/ir/8240/final.

What happened in each round?

The competition ran as a public elimination bracket, and each round narrowed the field as the global cryptography community published attacks and NIST weighed security, performance, and implementation maturity. The full arc:

RoundStartedFieldWhat advanced
CallDecember 20, 201682 submissions received69 accepted for Round 1
Round 1December 201769 candidates26 advanced (17 KEM/encryption, 9 signature)
Round 2January 30, 201926 candidates15 advanced (7 finalists, 8 alternates)
Round 3July 22, 202015 candidates4 selected for standardization
Round 4July 20224 KEM alternatesHQC selected March 11, 2025

The narrowing was ruthless by design. Round 2 cut the field by roughly 60% down to 26, then Round 3 split its 15 candidates into a first tier of 7 finalists considered ready for near-term standardization and a second tier of 8 alternates kept for a possible later round. That finalist-versus-alternate split is why the process didn’t simply end in 2022, because the alternates on the encryption side flowed into a fourth round.

Sources: NIST, “Status Report on the Second Round,” NIST IR 8309, July 2020, csrc.nist.gov/pubs/ir/8309/final; NIST, “PQC Standardization Process: Third Round Candidate Announcement,” July 22, 2020, nist.gov.

Which algorithms did NIST select in 2022?

On July 5, 2022, at the end of Round 3, NIST announced the first four algorithms it would standardize, one for key establishment and three for signatures. The selection, documented in NIST IR 8413:

Selected algorithmJobBecameFamily
CRYSTALS-KyberKey establishmentML-KEMLattice
CRYSTALS-DilithiumSignatures (primary)ML-DSALattice
FALCONSignatures (compact)FN-DSALattice
SPHINCS+Signatures (conservative)SLH-DSAHash-based

Three of the four rest on lattice math, which is efficient and well-studied but concentrates the standardized world on one assumption. SPHINCS+ was the deliberate exception, a hash-based scheme whose security rests only on the strength of a hash function, kept in the lineup as the conservative hedge for long-lived signing keys even though its signatures are large. That concentration on lattices is precisely what later drove NIST to add a code-based backup KEM and to open a separate signature on-ramp for non-lattice designs.

Source: NIST IR 8413, July 2022, csrc.nist.gov/pubs/ir/8413/upd1/final.

When were the standards finalized?

The selected algorithms had to be turned into published Federal Information Processing Standards before anyone could formally deploy them for compliance, and that drafting-and-comment step took two more years. NIST finalized the first three on August 13, 2024:

StandardAlgorithmFinalized
FIPS 203ML-KEM (was CRYSTALS-Kyber)August 13, 2024
FIPS 204ML-DSA (was CRYSTALS-Dilithium)August 13, 2024
FIPS 205SLH-DSA (was SPHINCS+)August 13, 2024
FIPS 206FN-DSA (from FALCON)Draft, not yet final

FN-DSA, the FALCON-derived compact signature, took longer because it needs floating-point arithmetic and careful sampling that are difficult to implement safely, so its standard is still in draft. The three finalized standards are the ones a program deploys today, and FN-DSA is the one to track rather than build on.

Source: NIST, “NIST Releases First 3 Finalized Post-Quantum Encryption Standards,” August 13, 2024, nist.gov.

What was Round 4 and the HQC selection?

Round 4 was a separate, extended round for key establishment only, run to answer a question the 2022 selections left open: if every standardized KEM rests on lattices, what happens if lattice math is ever weakened? NIST advanced four alternate KEM candidates on different foundations into this round, BIKE, Classic McEliece, HQC, and SIKE, specifically to find a backup on non-lattice math.

The round delivered the competition’s most memorable object lesson before it delivered its winner. In 2022, SIKE, the isogeny-based candidate, was broken outright by an ordinary classical computer in about an hour, ending a family that had looked healthy for roughly a decade. That collapse is the sharpest argument in the field for hedging across math families, and it is treated in full in The SIKE Break. Of the survivors, NIST selected HQC on March 11, 2025 as the fifth post-quantum algorithm and the code-based backup to ML-KEM, with a draft standard expected around 2026 and a final around 2027.

Source: NIST, “NIST Selects HQC as Fifth Algorithm for Post-Quantum Encryption,” March 11, 2025, nist.gov.

What is the additional-signatures on-ramp?

The on-ramp is a second, later signature competition NIST opened in September 2022, after the main process had already chosen its winners, to widen the signature shelf beyond the lattice-heavy set it produced. NIST asked specifically for general-purpose signatures built on math other than structured lattices, plus schemes with short signatures and fast verification, so that a future break in lattice cryptography would not leave the signing world without alternatives.

That call drew 40 submissions into a Round 1 in 2023, narrowed to 14 in Round 2 in October 2024 and 9 in Round 3 in May 2026, spanning isogeny, symmetric, multivariate, and MPC-in-the-head designs. None of the on-ramp candidates is a finished standard, so they are research candidates to track rather than algorithms to deploy, and the full treatment lives in NIST Additional Digital Signature Schemes. The through-line with Round 4 is identical: both exist to buy mathematical diversity so the transition never rests on a single hard problem.

Source: NIST, “Request for Additional PQC Digital Signature Schemes,” September 6, 2022, csrc.nist.gov.

Common misconceptions

  • “NIST invented the post-quantum algorithms.” It didn’t. Research teams around the world submitted them, and NIST ran the evaluation and standardization. CRYSTALS-Kyber and CRYSTALS-Dilithium came from an international academic-industry collaboration, and NIST’s role was to run the open contest and publish the standards.
  • “The competition ended in 2022 when the winners were picked.” The 2022 announcement was the Round 3 selection, and the process kept running: FN-DSA is still in draft, Round 4 produced HQC in 2025, and the signature on-ramp is in its third round in 2026.
  • “A broken candidate means the process failed.” The opposite. SIKE and Rainbow breaking during the competition is the public-cryptanalysis model working as designed, finding the weakness before standardization rather than after, when it would be catastrophic.
  • “All the standards are lattice-based, so it’s all one bet.” Three of the four 2022 selections are lattice, but SLH-DSA is hash-based, HQC is code-based, and the on-ramp is hunting for more non-lattice signatures. The diversity is deliberate.
  • “These algorithms are proven unbreakable now that they’re standards.” Standardization means “survived intense public scrutiny and is the best available,” not “mathematically proven safe forever.” That gap is exactly why crypto-agility is the architectural companion to the standards.

Questions people ask

How long did the NIST PQC competition take? From the December 2016 call to the first finalized standards in August 2024 is nearly eight years, and the process is still going, with HQC selected in 2025 and the signature on-ramp running into 2026 and beyond. Cryptographic standardization is deliberately slow because trust accumulates only through sustained public attack.

Which algorithms won? For key establishment, CRYSTALS-Kyber (now ML-KEM), with HQC added later as a backup. For signatures, CRYSTALS-Dilithium (now ML-DSA), SPHINCS+ (now SLH-DSA), and FALCON (now FN-DSA, still in draft).

How many algorithms started the competition? 82 were submitted by the November 2017 deadline, and 69 were accepted into Round 1 in December 2017. The field narrowed to 26 in Round 2, then 15 in Round 3, then 4 selected in 2022.

Why was there a fourth round? To find a key-establishment backup on math other than lattices, since all the 2022 KEM and most signature selections were lattice-based. Round 4 evaluated four alternate KEMs and selected the code-based HQC in March 2025.

Is the competition the same thing as the standards? They are two steps. The competition selects the algorithms through public cryptanalysis; the standards (FIPS 203, 204, 205, and forthcoming ones) are the published documents that turn a winning algorithm into something you can deploy and audit against.

Did any famous candidate get broken? Yes. Rainbow, a multivariate signature finalist, was broken during Round 3, and SIKE, an isogeny KEM in Round 4, was broken by a classical computer in 2022. Both breaks are the reason NIST hedges across multiple math families, and The SIKE Break covers the isogeny collapse in depth.

Go deeper

The output of the competition: the new standards indexes every finalized and selected algorithm, and PQC at a Glance puts them side by side with sizes.

The standards themselves: FIPS 203 (ML-KEM) · FIPS 204 (ML-DSA) · FIPS 205 (SLH-DSA) · FIPS 206 (FN-DSA) · HQC (Hamming Quasi-Cyclic)

The cautionary tale and the ongoing tracks: The SIKE Break · NIST Additional Digital Signature Schemes · Cryptographic Monoculture

The math families that competed: Lattice-Based Cryptography · Code-Based Cryptography · Hash-Based Cryptography · Multivariate Cryptography · Isogeny-Based Cryptography


Everything here is the map, given freely. When your team needs the standards this competition produced sequenced into a migration for your own systems, that’s what an alignment briefing is for.

Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.