Key insight
After an eight-year open, public competition, NIST published three finished post-quantum standards in August 2024: FIPS 203 (ML-KEM) for key exchange, FIPS 204 (ML-DSA) for signatures, and FIPS 205 (SLH-DSA) as a hash-based signature backup on different mathematics. NIST IR 8547 sets the migration clock: deprecate the old algorithms around 2030, disallow after 2035.
The replacements aren’t a vendor’s product — they’re publicly vetted standards, and there are three of them: one for key exchange, two for signatures (one of which is a deliberately different-maths backup).
Why a competition, not a product
You can’t just invent new cryptography and trust it. The only way to gain confidence is to publish it and invite the whole world to try to break it for years. That’s exactly what NIST did: in 2016 it opened a public call for post-quantum algorithms. Dozens were submitted; cryptographers everywhere attacked them in the open. Some prominent candidates fell spectacularly — which is the point. Better they fail in a competition than in production. The survivors earned trust the only way cryptography can: by surviving sustained, public attack.
The three standards
| Standard | Algorithm | Job | Replaces | Built on |
|---|---|---|---|---|
| FIPS 203 | ML-KEM | Key exchange (agree a shared secret) | Diffie–Hellman, ECDH, RSA key transport | Structured lattices |
| FIPS 204 | ML-DSA | Digital signatures (prove who signed) | RSA, ECDSA signatures | Structured lattices |
| FIPS 205 | SLH-DSA | Digital signatures (backup) | — (conservative alternative) | Hash functions |
Mapping back to the two damages: ML-KEM fixes confidentiality (it’s what harvest-now attacks target, so it’s the most urgent), and ML-DSA / SLH-DSA fix authenticity (certificates, code signing, identity).
Why two signature standards?
ML-DSA (lattice-based) is fast with compact signatures — the everyday workhorse. But lattice cryptography is relatively new. SLH-DSA is hash-based: slower, with much larger signatures, but built on hash functions we’ve trusted and studied for decades. It exists as an insurance policy — if a surprise weakness were ever found in lattices, SLH-DSA would still stand because it shares no mathematical foundation with ML-DSA. This is cryptographic diversity: don’t put all trust in one hard problem.
The migration timeline (IR 8547)
Alongside the standards, NIST published draft Internal Report 8547, a transition plan. The headline dates for the old public-key algorithms (RSA, ECDSA, ECDH, DH):
| Around 2030 | After 2035 |
|---|---|
| Deprecated — discouraged; use only with justification. | Disallowed — forbidden for US federal systems. |
Other bodies echo this. The NSA’s CNSA 2.0 suite selects the strongest parameter sets (AES-256, SHA-384, ML-KEM-1024, ML-DSA-87) and sets aggressive adoption dates for national-security systems.
A note on the confusing names
You’ll see two names for each algorithm — the competition name and the final standard name:
| Competition name | Final standard name |
|---|---|
| CRYSTALS-Kyber | ML-KEM (FIPS 203) |
| CRYSTALS-Dilithium | ML-DSA (FIPS 204) |
| SPHINCS+ | SLH-DSA (FIPS 205) |
Same algorithms, renamed on standardisation. If you see “Kyber” in older docs, it means ML-KEM.
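The three tables above (replacement by job, IR 8547 dates, competition names) combine into a simple triage pass over a crypto inventory. This is an added example, not code from NIST or from this page; the inventory entries, the `use` field and the treatment of "around 2030" as the year 2030 are assumptions made for illustration.

```python
import re

# Competition names -> final standard names (the naming table above).
ALIASES = {"kyber": "ML-KEM", "dilithium": "ML-DSA", "sphincs": "SLH-DSA"}
PQC = ("ML-KEM", "ML-DSA", "SLH-DSA")
# Old public-key families; a bare DH label must start with "dh" to avoid false hits.
LEGACY_RE = re.compile(r"ecdsa|ecdh|rsa|^dh")
# Replacement by job (the standards table above).
REPLACEMENT = {"key-exchange": "ML-KEM", "signature": "ML-DSA (SLH-DSA as backup)"}

# Constructed sample inventory; asset names and labels are illustrative.
INVENTORY = [
    {"asset": "vpn-gateway", "algorithm": "ECDHE P-256", "use": "key-exchange"},
    {"asset": "web-cert", "algorithm": "sha256WithRSAEncryption", "use": "signature"},
    {"asset": "old-design-doc", "algorithm": "CRYSTALS-Kyber 768", "use": "key-exchange"},
    {"asset": "firmware-signer", "algorithm": "SPHINCS+", "use": "signature"},
    {"asset": "disk-encryption", "algorithm": "AES-256", "use": "bulk"},
]

def normalize(label):
    """Map a free-form algorithm label to a family named on this page, or None."""
    flat = re.sub(r"[^a-z0-9]", "", label.lower())
    for alias, standard in ALIASES.items():
        if alias in flat:
            return standard
    for standard in PQC:
        if flat.startswith(standard.replace("-", "").lower()):
            return standard
    match = LEGACY_RE.search(flat)
    return match.group(0).upper() if match else None

def triage(entry, year):
    """Return (family, status, action) for one inventory entry in a given year."""
    family = normalize(entry["algorithm"])
    if family is None:
        return (None, "out-of-scope", "not a public-key family named here; review manually")
    if family in PQC:
        return (family, "post-quantum", "none")
    # Assumption: "around 2030" is modelled as the calendar year 2030.
    status = "disallowed" if year > 2035 else "deprecated" if year >= 2030 else "legacy"
    action = "migrate to " + REPLACEMENT.get(entry["use"], "ML-KEM or ML-DSA, depending on use")
    if entry["use"] == "key-exchange":
        action += " first (harvest-now exposure)"
    return (family, status, action)

if __name__ == "__main__":
    for item in INVENTORY:
        print(item["asset"], triage(item, 2031))
```
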
- NIST (National Institute of Standards and Technology): The US standards body that ran the competition and published the PQC standards.
- FIPS (Federal Information Processing Standard): A formal US government cryptographic standard (e.g. FIPS 203/204/205).
- ML-KEM: Module-Lattice Key-Encapsulation Mechanism (FIPS 203) — post-quantum key exchange.
- ML-DSA: Module-Lattice Digital Signature Algorithm (FIPS 204) — lattice-based signatures.
- SLH-DSA: Stateless Hash-based Digital Signature Algorithm (FIPS 205) — the hash-based backup.
- RSA / ECDSA / ECDH / DH: The old public-key algorithms being retired: RSA (Rivest–Shamir–Adleman), ECDSA (Elliptic-Curve Digital Signature Algorithm), ECDH (Elliptic-Curve Diffie–Hellman) and DH (Diffie–Hellman).
- AES (Advanced Encryption Standard) / SHA (Secure Hash Algorithm): The symmetric cipher and hash family that survive quantum — CNSA 2.0 just uses larger sizes (AES-256, SHA-384).
- IR (Internal Report): A NIST report series; IR 8547 is the post-quantum transition timeline.
- CNSA 2.0: The NSA’s Commercial National Security Algorithm suite selecting the strongest PQC parameters.
- NSA (National Security Agency): The US agency that sets algorithm requirements for national-security systems.
What to carry forward
- The replacements are open, publicly vetted standards from an 8-year competition — not a vendor product.
- Three finished standards (Aug 2024): FIPS 203 ML-KEM (key exchange), 204 ML-DSA (signatures), 205 SLH-DSA (backup signatures).
- Two signature standards on purpose: lattice workhorse + hash-based insurance = cryptographic diversity.
- IR 8547 timeline: deprecate old ~2030, disallow after 2035 — but Mosca says start now.
Next: ML-KEM Explained, which covers how key encapsulation actually works and what ML-KEM-512/768/1024 mean.
Understand it in your own words
Paste into any AI assistant to check yourself:
I'm learning the NIST post-quantum standards. Quiz me one question at a
time, correcting me gently:
1. Why did NIST run an 8-year open competition instead of just picking an
algorithm? Why is it a good sign that some candidates were broken?
2. Name the three standards (FIPS 203/204/205), their algorithm names, and
the job each does.
3. Why are there TWO signature standards? What does SLH-DSA protect against
that ML-DSA can't?
4. What do "deprecate ~2030" and "disallow after 2035" mean, and why is
2035 NOT my real deadline?
5. What are the old competition names for ML-KEM, ML-DSA, and SLH-DSA?
References & further reading
- NIST, FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard (Aug 2024). csrc.nist.gov/pubs/fips/203
- NIST, FIPS 204: Module-Lattice-Based Digital Signature Standard (Aug 2024). csrc.nist.gov/pubs/fips/204
- NIST, FIPS 205: Stateless Hash-Based Digital Signature Standard (Aug 2024). csrc.nist.gov/pubs/fips/205
- NIST, IR 8547: Transition to Post-Quantum Cryptography Standards (draft). csrc.nist.gov/pubs/ir/8547
- NSA, CNSA 2.0 algorithm suite and timeline. nsa.gov/cybersecurity