up:: The Transition MOC

The New Standards

The new standards are the quantum-safe algorithms NIST has published to replace the public-key cryptography a quantum computer breaks, and they split into exactly two jobs: key establishment, now ML-KEM, and digital signatures, now ML-DSA with SLH-DSA and FN-DSA alongside it. NIST finalized the first three in August 2024 and added a code-based backup, HQC, in 2025.

Map of content

A short overview of the new post-quantum standards, and the index that routes you to every note in this section. Skim it to get oriented, then follow the links to go deep.

The short version:

  • Public-key cryptography did two jobs, and each has a replacement: key establishment moves to ML-KEM, and signatures move to ML-DSA (the default), with SLH-DSA (conservative) and FN-DSA (compact) as the alternatives.
  • NIST finalized ML-KEM, ML-DSA, and SLH-DSA on August 13, 2024, the first three post-quantum standards.
  • The main line is lattice-based. NIST added a code-based KEM, HQC, as a backup on different math, because betting everything on one assumption is the real risk.
  • The symmetric world barely changes: AES-256 and the SHA-2 and SHA-3 hashes stay, so the whole transition is about replacing public-key.
  • “Post-quantum” is not “proven safe forever,” so you build to swap again (crypto-agility).

What are the post-quantum cryptography standards?

They are a small, deliberately chosen set. NIST ran a multi-year open competition and standardized the winners as Federal Information Processing Standards, with a code-based backup selected afterward:

StandardAlgorithmJobStatus
FIPS 203ML-KEM (was CRYSTALS-Kyber)Key establishmentFinal, Aug 13 2024
FIPS 204ML-DSA (was CRYSTALS-Dilithium)Signatures (default)Final, Aug 13 2024
FIPS 205SLH-DSA (was SPHINCS+)Signatures (conservative)Final, Aug 13 2024
FIPS 206FN-DSA (from FALCON)Signatures (compact)Draft, not yet final
HQCHQCKey establishment (backup)Selected Mar 11 2025, standard expected ~2027

Source: NIST, “NIST Releases First 3 Finalized Post-Quantum Encryption Standards,” August 13, 2024, nist.gov; “NIST Selects HQC as Fifth Algorithm for Post-Quantum Encryption,” March 11, 2025, nist.gov.

What does each standard replace?

Public-key cryptography did two separable jobs, and the transition tackles them separately, which is the single most useful thing to understand about the new standards:

The old jobThe classical algorithmsThe replacement
Key establishment (agree a shared secret)RSA key transport, DH, ECDHML-KEM (a KEM), with HQC as backup
Digital signatures (prove identity and integrity)RSA signatures, ECDSA, Ed25519ML-DSA, SLH-DSA, FN-DSA

Key establishment is the urgent half, because it is the part exposed to Harvest Now, Decrypt Later: traffic recorded today can be decrypted once a machine exists. Signatures only fail once a quantum computer is real, so signing and PKI migrate on a slower, deliberate track.

How do I choose between ML-DSA, SLH-DSA, and FN-DSA?

Three signature standards exist because they trade off differently, and the choice is almost always about size and how much conservatism you want, not about speed:

If you need…UseWhy
A general-purpose signatureML-DSAThe default. Lattice-based, well-balanced, what NIST recommends for most uses
Maximum conservatism, long-lived keysSLH-DSARests only on hash-function strength (no lattice assumption), so it is the hedge for roots of trust and firmware. The cost is large signatures
The smallest signaturesFN-DSAFALCON-derived, compact, good where bandwidth is tight, but it is still a draft and has a tricky (floating-point) implementation

The practical rule most programs land on: ML-DSA everywhere by default, SLH-DSA for the small set of long-lived, high-assurance signing keys, and FN-DSA held for later where size genuinely constrains.

What are the algorithm families, and why does NIST want more than one?

Every post-quantum algorithm rests on a hard math problem, and NIST deliberately standardized across more than one family so that a break in one does not take down the whole transition:

FamilyStandards on itThe bet
LatticeML-KEM, ML-DSA, FN-DSAThe main line: efficient, well-studied, based on Module-LWE and NTRU lattices
Code-basedHQC, Classic McElieceA different, decades-old assumption (decoding random codes); the backup so a lattice break isn’t fatal
Hash-basedSLH-DSA, XMSSThe most conservative: security rests only on hash functions
Isogeny-based(none standardized)Promising until its flagship broke, see below

The reason for the spread is the sharpest lesson in the field. Isogeny-based cryptography was a promising, compact family until its leading scheme, SIDH/SIKE, was broken by an ordinary classical computer in 2022 and withdrawn from the competition. A family can look solid for years and then fall, which is exactly why the standards hedge across different math, and why crypto-agility is the architectural companion to any of these choices.

When were they finalized, and what is still coming?

  • August 13, 2024: NIST finalized FIPS 203, FIPS 204, and FIPS 205, the first three post-quantum standards.
  • March 11, 2025: NIST selected HQC as a code-based backup KEM on different math from ML-KEM, with a draft standard expected around 2026 and a final around 2027.
  • In progress: FN-DSA, the FALCON-derived compact signature, is still a draft. Track it; don’t build on it yet.

Are these proven safe forever?

No, and any vendor who implies otherwise is overselling. “Post-quantum” means “believed secure against the quantum attacks we know,” not “mathematically proven unbreakable.” These assumptions are younger than RSA’s, the isogeny break shows a family can fall, and future cryptanalysis, classical or quantum, could force another change. The correct response isn’t to wait for certainty that will never come; it’s to migrate to the standards now and build so the next algorithm change is a configuration update, which is the whole point of crypto-agility.

Common misconceptions

  • “Quantum breaks all encryption, so we need to replace everything.” It breaks public-key. Symmetric encryption (AES-256) and hashes (SHA-2, SHA-3) survive with minor adjustments. The new standards only replace the public-key layer.
  • “There’s one post-quantum algorithm.” There are several, on purpose: one KEM plus a backup, and three signatures, across multiple math families.
  • “Pick the most conservative one to be safe.” SLH-DSA is the conservative signature, but its large signatures make it the wrong default for high-volume use. ML-DSA is the general-purpose choice; conservatism is reserved for where it’s worth the cost.
  • “These are proven unbreakable.” They’re believed secure rather than mathematically proven, which is exactly why crypto-agility matters.

Questions people ask

Which one do I actually deploy first? ML-KEM for key exchange (usually as a hybrid with a classical algorithm), because that closes the harvesting exposure. Signatures follow on a slower track.

Is HQC a replacement for ML-KEM? No, a backup. ML-KEM is the primary KEM; HQC exists so that a break in the lattice math doesn’t leave you with no key-establishment option.

Why isn’t FALCON/FN-DSA final yet? It’s harder to implement safely (it needs floating-point arithmetic and careful sampling), so its standard is still in progress. ML-DSA and SLH-DSA were finalized first.

Do these change my symmetric crypto? Barely. Keep AES-256 and SHA-256/384/512. The transition is a public-key story.

Are these NSA-approved for national-security systems? The relevant selections and parameter levels are set by CNSA 2.0 (which requires the strongest parameter sets), separate from the general NIST standards.

Go deeper

The standards: FIPS 203 (ML-KEM) · FIPS 204 (ML-DSA) · FIPS 205 (SLH-DSA) · FIPS 206 (FN-DSA) · HQC (Hamming Quasi-Cyclic)

The one-screen comparison: PQC at a Glance puts every finalized and selected standard side by side, with key, ciphertext, and signature sizes and a choose-among-them guide.

The parameter sets: ML-KEM-512 · ML-KEM-768 · ML-KEM-1024 · ML-DSA-44 · ML-DSA-65 · ML-DSA-87 · SLH-DSA parameter sets · FN-DSA-512 · FN-DSA-1024 · HQC-128 · HQC-192 · HQC-256

The families: Lattice-Based Cryptography · Code-Based Cryptography · Hash-Based Cryptography · Isogeny-Based Cryptography · Multivariate Cryptography

How the standards were chosen: The NIST PQC Competition tells the full standardization history, the 2016 call, the four rounds of public cryptanalysis that took 69 candidates down to the winners, the July 2022 selections, the August 2024 finalization, HQC in 2025, and the signature on-ramp.

The cautionary tale: The SIKE Break shows how a decade-old NIST isogeny candidate fell to a classical computer in 2022, and why the standards hedge across math families. Isogeny Cryptography After SIKE covers what survived that 2022 break and where the isogeny family stands now.

The building blocks: KEM (Key Encapsulation Mechanism) · NIST SP 800-227 (KEM Guidance) (NIST’s general KEM guidance, the September 2025 companion to FIPS 203, defining the three-algorithm KEM interface, the IND-CCA2 target, the ECDH-KEM construction, and the approved key combiners behind hybrids) · NIST SP 800-56 Series (Key Establishment) (the classical key-establishment standards ML-KEM replaces, 800-56A for Diffie-Hellman and ECDH, 800-56B for RSA, and 800-56C for the key-derivation step a hybrid combiner reuses) · Fujisaki-Okamoto (FO) Transform · Module Learning With Errors (Module-LWE) · NTRU · NTRU Prime (sntrup761) · FrodoKEM · Classic McEliece · Stateful Hash-Based Signatures (XMSS - LMS) · NIST SP 800-208 · SABER and the Round-3 Finalists (the KEMs NIST did not select)

The lattice and signature math substrate: Learning With Errors (LWE) · Learning With Rounding (LWR) (the deterministic lattice assumption behind SABER) · Ring-LWE · Module Learning With Errors (Module-LWE) · Number-Theoretic Transform (NTT) · Short Integer Solution (SIS) · Lattice Trapdoors and Hash-and-Sign (the GPV paradigm behind Falcon/FN-DSA) · Fiat-Shamir Transform · Rejection Sampling · IND-CCA2 and IND-CPA

How the lattice standards are attacked and estimated: Lattice Reduction (LLL and BKZ) · Core-SVP and Lattice Security Estimation · Decryption Failures in Lattice KEMs · Side-Channel and Fault Attacks on PQC

Choosing, diversifying, and what is next: Post-Quantum Cryptography (PQC) · Security Level (NIST) · Cryptographic Monoculture · NIST Additional Digital Signature Schemes · BIKE · Post-Quantum Blockchains (quantum-resistant ledgers and on-chain signature migration)

The signature on-ramp candidates (Round 3, not yet standardized): SQIsign · UOV and MAYO · HAWK and FAEST

The deadlines that make these mandatory are in the mandates; how to actually roll them out is in migration architecture.


Everything here is the map, given freely. When your team needs the standards turned into a migration sequenced against your own systems, that’s the work I do, and there’s an alignment briefing for it.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.