Key insight

After an eight-year open, public competition, NIST published three finished post-quantum standards in August 2024: FIPS 203 (ML-KEM) for key exchange, FIPS 204 (ML-DSA) for signatures, and FIPS 205 (SLH-DSA) as a hash-based signature backup on different mathematics. NIST IR 8547 sets the migration clock: deprecate the old algorithms around 2030, disallow after 2035.

In one sentence

The replacements aren’t a vendor’s product — they’re publicly vetted standards, and there are three of them: one for key exchange, two for signatures (one of which is a deliberately different-maths backup).

Why a competition, not a product

You can’t just invent new cryptography and trust it. The only way to gain confidence is to publish it and invite the whole world to try to break it for years. That’s exactly what NIST did: in 2016 it opened a public call for post-quantum algorithms. Dozens were submitted; cryptographers everywhere attacked them in the open. Some prominent candidates fell spectacularly — which is the point. Better they fail in a competition than in production. The survivors earned trust the only way cryptography can: by surviving sustained, public attack.

Myth: “A quantum-safe algorithm is a product I buy.” These are open, royalty-free standards anyone can implement. Vendors ship implementations of them, but the algorithms themselves are public specifications — like AES.

The three standards

| Standard | Algorithm | Job | Replaces | Built on |
| --- | --- | --- | --- | --- |
| FIPS 203 | ML-KEM | Key exchange (agree a shared secret) | Diffie–Hellman, ECDH, RSA key transport | Structured lattices |
| FIPS 204 | ML-DSA | Digital signatures (prove who signed) | RSA, ECDSA signatures | Structured lattices |
| FIPS 205 | SLH-DSA | Digital signatures (backup) | — (conservative alternative) | Hash functions |

Mapping back to the two damages: ML-KEM fixes confidentiality (it’s what harvest-now attacks target, so it’s the most urgent), and ML-DSA / SLH-DSA fix authenticity (certificates, code signing, identity).

[Figure: Three standards, two jobs. Confidentiality: ML-KEM (FIPS 203, key exchange), most urgent because of harvest-now. Authenticity: ML-DSA (FIPS 204, lattice) and SLH-DSA (FIPS 205, hash).]
One standard for confidentiality, two for authenticity — the second signature scheme deliberately uses different mathematics.

Why two signature standards?

ML-DSA (lattice-based) is fast with compact signatures — the everyday workhorse. But lattice cryptography is relatively new. SLH-DSA is hash-based: slower, with much larger signatures, but built on hash functions we’ve trusted and studied for decades. It exists as an insurance policy — if a surprise weakness were ever found in lattices, SLH-DSA would still stand because it shares no mathematical foundation with ML-DSA. This is cryptographic diversity: don’t put all trust in one hard problem.

The migration timeline (IR 8547)

Alongside the standards, NIST published draft Internal Report 8547, a transition plan. The headline dates for the old public-key algorithms (RSA, ECDSA, ECDH, DH):

| Around 2030 | After 2035 |
| --- | --- |
| Deprecated — discouraged; use only with justification. | Disallowed — forbidden for US federal systems. |

Don’t read 2035 as “the deadline.” Recall Mosca’s inequality: if your data must stay secret for 10 years and migration takes several more, your real deadline is now, not 2035. The NIST dates are the latest acceptable, not a target to aim at.
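A triage sketch that applies the dates and Mosca's inequality above to a crypto inventory, as an added example that is not part of the original page. The inventory rows, field layout and function names are constructed, and `assumed_quantum_year` is a planning assumption supplied by the caller, not a NIST date or prediction.

```python
import csv
import io

VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH"}  # the page's list of retiring algorithms
REPLACEMENT = {  # from the page's table of standards, keyed by job
    "kex": "ML-KEM (FIPS 203)",
    "sig": "ML-DSA (FIPS 204) or SLH-DSA (FIPS 205)",
}
DEPRECATE_YEAR, DISALLOW_AFTER = 2030, 2035  # headline dates as given on the page

# Constructed sample: system, algorithm, use, years data must stay secret, years to migrate
INVENTORY = """\
vpn-gateway,ECDH,kex,10,3
patient-archive,RSA,kex,25,4
code-signing,ECDSA,sig,0,2
backup-vault,AES-256,sym,15,0
"""


def ir8547_status(year: int) -> str:
    """Status of the old public-key algorithms in a given year."""
    if year > DISALLOW_AFTER:
        return "disallowed"
    return "deprecated" if year >= DEPRECATE_YEAR else "allowed"


def triage(inventory: str, today: int, assumed_quantum_year: int):
    findings = []
    for system, alg, use, secrecy, migrate in csv.reader(io.StringIO(inventory)):
        if alg.split("-")[0] not in VULNERABLE:
            continue  # symmetric or already post-quantum: not in scope here
        # Mosca: secrecy lifetime + migration time must fit before the quantum year,
        # so migration has to START by this year at the latest.
        latest_start = assumed_quantum_year - int(secrecy) - int(migrate)
        findings.append({
            "system": system,
            "replace_with": REPLACEMENT[use],
            "old_alg_status": ir8547_status(today),
            "latest_start": latest_start,
            "overdue": latest_start <= today,
        })
    # Overdue systems first, then by earliest required start year.
    return sorted(findings, key=lambda f: (not f["overdue"], f["latest_start"]))


if __name__ == "__main__":
    for f in triage(INVENTORY, today=2025, assumed_quantum_year=2035):
        print(f)
```

With these sample rows, both key-exchange systems are already overdue while their algorithms are still formally allowed, which is the gap between the NIST dates and the real deadline.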

Other bodies echo this. The NSA’s CNSA 2.0 suite selects the strongest parameter sets (AES-256, SHA-384, ML-KEM-1024, ML-DSA-87) and sets aggressive adoption dates for national-security systems.

A note on the confusing names

You’ll see two names for each algorithm — the competition name and the final standard name:

| Competition name | Final standard name |
| --- | --- |
| CRYSTALS-Kyber | ML-KEM (FIPS 203) |
| CRYSTALS-Dilithium | ML-DSA (FIPS 204) |
| SPHINCS+ | SLH-DSA (FIPS 205) |

Same algorithms, renamed on standardisation. If you see “Kyber” in older docs, it means ML-KEM.

NIST (National Institute of Standards and Technology)
The US standards body that ran the competition and published the PQC standards.
FIPS (Federal Information Processing Standard)
A formal US government cryptographic standard (e.g. FIPS 203/204/205).
ML-KEM
Module-Lattice Key-Encapsulation Mechanism (FIPS 203) — post-quantum key exchange.
ML-DSA
Module-Lattice Digital Signature Algorithm (FIPS 204) — lattice-based signatures.
SLH-DSA
Stateless Hash-based Digital Signature Algorithm (FIPS 205) — the hash-based backup.
RSA / ECDSA / ECDH / DH
The old public-key algorithms being retired: RSA (Rivest–Shamir–Adleman), ECDSA (Elliptic-Curve Digital Signature Algorithm), ECDH (Elliptic-Curve Diffie–Hellman) and DH (Diffie–Hellman).
AES (Advanced Encryption Standard) / SHA (Secure Hash Algorithm)
The symmetric cipher and hash family that survive quantum — CNSA 2.0 just uses larger sizes (AES-256, SHA-384).
IR (Internal Report)
A NIST report series; IR 8547 is the post-quantum transition timeline.
CNSA 2.0
The NSA’s Commercial National Security Algorithm suite selecting the strongest PQC parameters.
NSA (National Security Agency)
The US agency that sets algorithm requirements for national-security systems.

What to carry forward


Understand it in your own words

Paste into any AI assistant to check yourself:

I'm learning the NIST post-quantum standards. Quiz me one question at a
time, correcting me gently:

1. Why did NIST run an 8-year open competition instead of just picking an
   algorithm? Why is it a good sign that some candidates were broken?
2. Name the three standards (FIPS 203/204/205), their algorithm names, and
   the job each does.
3. Why are there TWO signature standards? What does SLH-DSA protect against
   that ML-DSA can't?
4. What do "deprecate ~2030" and "disallow after 2035" mean, and why is
   2035 NOT my real deadline?
5. What are the old competition names for ML-KEM, ML-DSA, and SLH-DSA?

References & further reading

  1. NIST, FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard (Aug 2024). csrc.nist.gov/pubs/fips/203
  2. NIST, FIPS 204: Module-Lattice-Based Digital Signature Standard (Aug 2024). csrc.nist.gov/pubs/fips/204
  3. NIST, FIPS 205: Stateless Hash-Based Digital Signature Standard (Aug 2024). csrc.nist.gov/pubs/fips/205
  4. NIST, IR 8547: Transition to Post-Quantum Cryptography Standards (draft). csrc.nist.gov/pubs/ir/8547
  5. NSA, CNSA 2.0 algorithm suite and timeline. nsa.gov/cybersecurity