NIST Post-Quantum Cryptography Standards: Complete Timeline and Guide
NIST spent eight years evaluating post-quantum cryptography candidates — the longest cryptographic standardization process in its history. In August 2024, the results became final: three new federal standards that will replace RSA, ECDSA, and ECDH across every industry that depends on public-key cryptography.
This article covers what was standardized, why it matters, and what the compliance timeline looks like for your organization.
The Standardization Process
In 2016, NIST issued a public call for post-quantum cryptographic algorithms. The response was enormous: 82 submissions from 25 countries, representing the global cryptographic research community. Over the next eight years, NIST conducted the most rigorous public evaluation of cryptographic algorithms ever attempted.
NIST Post-Quantum Cryptography Standardization timeline:
- NIST issues a public call for post-quantum cryptographic algorithms. 82 submissions received from 25 countries.
- 69 candidates accepted for evaluation after initial screening. Public review and cryptanalysis begins.
- 26 candidates advance. Community cryptanalysis eliminates algorithms with discovered weaknesses.
- 15 finalists and alternates announced. Kyber, Dilithium, and SPHINCS+ emerge as frontrunners.
- NIST selects Kyber (KEM), Dilithium (signatures), and SPHINCS+ (backup signatures) for standardization.
- FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) published as official federal standards.
- Migration begins across government, finance, healthcare, and technology sectors. CNSA 2.0 mandates take effect.
Why does NIST's decision matter globally? Because NIST standards become the foundation for interoperability. When your bank, your cloud provider, your TLS library, and your hardware security module all need to agree on which algorithms to support, they follow NIST. The European Union (ETSI), Japan (CRYPTREC), and other national standards bodies have aligned their recommendations with NIST's selections.
The process was deliberately public and adversarial. Every candidate was published openly. Researchers worldwide attempted to break each algorithm. Candidates that fell to cryptanalysis were eliminated. The survivors endured eight years of the world's best cryptographic minds trying to find weaknesses.
The Three Standards
FIPS 203: ML-KEM (Based on Kyber)
What it does: Key Encapsulation Mechanism (KEM) — securely establishes a shared secret between two parties.
Use case: Replaces RSA and ECDH for key exchange. When two systems need to agree on a symmetric encryption key, ML-KEM provides a quantum-safe way to do it.
Parameter sets:
- ML-KEM-512 — NIST Level 1 (roughly AES-128 equivalent). Smallest keys, fastest performance.
- ML-KEM-768 — NIST Level 3 (roughly AES-192 equivalent). The most widely recommended parameter set, balancing security and performance.
- ML-KEM-1024 — NIST Level 5 (roughly AES-256 equivalent). Maximum security, larger keys.
The underlying mathematics is the Module-LWE (Module Learning With Errors) problem — a lattice-based hard problem that no known quantum algorithm can efficiently solve. The Kyber (ML-KEM) deep dive covers the intuition behind lattice cryptography.
FIPS 204: ML-DSA (Based on Dilithium)
What it does: Digital signatures — proves that a message was signed by a specific key holder and has not been tampered with.
Use case: Replaces RSA and ECDSA signatures for code signing, document signing, TLS certificate verification, and API response integrity.
Parameter sets:
- ML-DSA-44 — NIST Level 2. Smallest signatures.
- ML-DSA-65 — NIST Level 3. The most widely recommended parameter set.
- ML-DSA-87 — NIST Level 5. Maximum security.
ML-DSA is also based on the Module-LWE problem family, sharing its mathematical foundation with ML-KEM. The Dilithium (ML-DSA) deep dive explains how lattice-based signatures work.
FIPS 205: SLH-DSA (Based on SPHINCS+)
What it does: Stateless hash-based digital signatures — an alternative signature scheme based on different mathematical foundations.
Use case: Conservative backup option for signatures. If a future breakthrough weakens lattice-based cryptography, SLH-DSA provides an independent fallback based solely on hash functions.
Key tradeoff: SLH-DSA signatures are significantly larger and slower than ML-DSA. It is intended as insurance, not as a primary replacement for ECDSA. Most organizations will use ML-DSA for day-to-day operations and may keep SLH-DSA available as a contingency.
| Property | Kyber768 | Dilithium3 |
|---|---|---|
| NIST Name | ML-KEM-768 | ML-DSA-65 |
| NIST Standard | FIPS 203 | FIPS 204 |
| Operation | Key Encapsulation (Encrypt/Decrypt) | Digital Signatures (Sign/Verify) |
| Security Level | NIST Level 3 (~AES-192) | NIST Level 3 (~AES-192) |
| Public Key Size | 1,184 bytes | 1,952 bytes |
| Private Key Size | 2,400 bytes | 4,000 bytes |
| Ciphertext / Signature Size | 1,088 bytes | 3,293 bytes |
| Shared Secret Size | 32 bytes | N/A |
| Latency Target | < 15ms (p95) | < 30ms (p95) |
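The Kyber768 sizes in the table above follow from the FIPS 203 parameters, and the same arithmetic gives the sizes for ML-KEM-512 and ML-KEM-1024, which goes beyond the single parameter set shown. The Python below is an added example, not Qpher's or NIST's code; it also applies the encapsulation-key input check from FIPS 203 (length first, then every 12-bit coefficient below q = 3329) that a service should run on a received public key before encapsulating to it. The function names and both sample keys are constructed for illustration.

```python
# Added example (not Qpher code). k, du, dv and q are the FIPS 203 parameters.
Q = 3329  # ML-KEM modulus
PARAMS = {  # parameter set: (k, du, dv)
    "ML-KEM-512": (2, 10, 4),
    "ML-KEM-768": (3, 10, 4),
    "ML-KEM-1024": (4, 11, 5),
}

def sizes(name):
    """Byte lengths of the public key, private key and ciphertext."""
    k, du, dv = PARAMS[name]
    return {
        "public_key": 384 * k + 32,   # k polynomials at 12 bits/coefficient + 32-byte seed
        "private_key": 768 * k + 96,  # secret vector, public key, H(public key), z
        "ciphertext": 32 * (du * k + dv),
    }

def check_public_key(ek: bytes) -> str:
    """FIPS 203 encapsulation-key input check; returns the matching parameter set."""
    by_len = {sizes(n)["public_key"]: n for n in PARAMS}
    name = by_len.get(len(ek))
    if name is None:
        raise ValueError(f"length {len(ek)} matches no ML-KEM parameter set")
    body = ek[:-32]  # packed coefficients; the last 32 bytes are the seed
    for i in range(0, len(body), 3):  # 3 bytes carry two 12-bit coefficients
        b0, b1, b2 = body[i:i + 3]
        lo = b0 | ((b1 & 0x0F) << 8)
        hi = (b1 >> 4) | (b2 << 4)
        if lo >= Q or hi >= Q:
            raise ValueError(f"coefficient out of range at byte {i}")
    return name

def pack12(coeffs):
    """Pack an even-length list of 12-bit integers, little-endian, as ML-KEM does."""
    out = bytearray()
    for a, b in zip(coeffs[0::2], coeffs[1::2]):
        out += bytes([a & 0xFF, (a >> 8) | ((b & 0x0F) << 4), b >> 4])
    return bytes(out)

# Constructed samples (not real keys): 3 * 256 coefficients plus a 32-byte seed.
GOOD_KEY = pack12([1234] * 768) + bytes(32)
BAD_KEY = pack12([1234] * 766 + [3329, 0]) + bytes(32)  # one coefficient equals q

if __name__ == "__main__":
    for name in PARAMS:
        print(name, sizes(name))
    print(check_public_key(GOOD_KEY))
```

A key that fails either check is rejected before any cryptographic operation runs.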
What Qpher Implements
Qpher implements the Level 3 parameter sets of both primary standards:
- Kyber768 (ML-KEM-768) for key encapsulation — quantum-safe encryption
- Dilithium3 (ML-DSA-65) for digital signatures — quantum-safe integrity
Why Level 3? It represents the sweet spot between security and API performance. Level 3 provides security roughly equivalent to AES-192 against both classical and quantum attacks. This exceeds the security requirements of all but the most sensitive government applications, while maintaining the low latency that API consumers expect: KEM operations under 15ms (p95) and signature operations under 30ms (p95).
For a detailed look at how Qpher implements these standards, see the Core Concepts page.
Compliance Timeline
The publication of FIPS 203, 204, and 205 starts a compliance clock. Government mandates drive the initial wave, but private-sector requirements follow closely behind.
| Year | Milestone |
|---|---|
| Aug 2024 | NIST publishes FIPS 203, 204, 205 — standards are final |
| 2025 | NSA CNSA 2.0 requires PQC for all new national security systems |
| 2026 | Federal agencies begin active migration of existing systems |
| 2030 | CNSA 2.0 target: PQC-only for software and firmware signing |
| 2033 | CNSA 2.0 target: PQC-only for web browsers, cloud services, and networking |
| 2035 | Full PQC migration expected across regulated industries |
You do not have to be a government contractor to be affected. When banks, healthcare systems, and cloud providers adopt PQC mandates, they require it from their vendors and partners. If your software handles sensitive data for any regulated customer, PQC compliance will eventually flow down to you through contractual requirements.
The compliance timeline is not a suggestion. Organizations subject to CNSA 2.0 (U.S. national security systems) face hard deadlines. Federal civilian agencies follow OMB mandates with their own timelines. Private-sector industries — finance (PCI DSS), healthcare (HIPAA), and others — will issue their own PQC requirements as standards mature.
The organizations that begin migration planning now will have a smooth, multi-year transition. Those that wait until mandates take effect will face rushed, expensive, and error-prone migrations under regulatory pressure.
Next Steps
The beginner learning path is complete. You now understand:
- How quantum computers threaten encryption
- Why the threat is urgent today (harvest now, decrypt later, or HNDL)
- What NIST standardized and when you need to comply (this article)
Ready to understand how the algorithms work under the hood? The intermediate path starts with a developer-friendly deep dive into Kyber768 — how lattice cryptography makes quantum-safe encryption possible.
For a hands-on introduction to Qpher's PQC API, see the Core Concepts overview.