NIST PQC STANDARDS · FIPS 203–206 · 2024

Post-Quantum
Cryptography
Explained

NIST's approved quantum-resistant algorithms — one by one. Interactive infographics for India's quantum-ready future.

5 PQC Algorithms
2030 Q-Day Estimate
FIPS 203 · 204 · 205
8yr NIST Process
SCROLL TO EXPLORE

// WHY IT MATTERS

The Quantum Threat Timeline

Current RSA & ECC encryption will be broken once cryptographically relevant quantum computers exist. The race is on.

2016 — NIST Call 2022 — Selection 2024 — FIPS Published ~2030 — Q-Day Risk
2016 — NIST global call for PQC algorithms
2022 — 4 algorithms selected from 69 submissions
2024 — FIPS 203, 204, 205 officially published
~2030 — Experts estimate quantum computer capable of breaking RSA
Shor's Algorithm

Peter Shor's 1994 quantum algorithm can factor large integers exponentially faster than any classical method — rendering RSA and ECC completely insecure once quantum hardware matures.

🕵️
Harvest Now, Decrypt Later

Nation-state actors are already harvesting today's encrypted data to decrypt it after quantum computers arrive. Your data transmitted in 2024 could be read by 2030.

🏥
Critical Infrastructure at Risk

Healthcare IoMT devices, financial systems, defense communications, and power grids all rely on RSA/ECC. A quantum breach means catastrophic simultaneous failure across sectors.

🔒
Grover's Algorithm

Grover's algorithm provides a quadratic speedup for symmetric key search, effectively halving security levels. AES-128 becomes ~AES-64 against a quantum computer — still breakable.

// NIST FIPS STANDARDS

PQC Algorithms — One by One

Tap each algorithm to explore its mathematics, use cases, key sizes, and performance characteristics.

🔑
ML-KEM
formerly CRYSTALS-Kyber
FIPS 203 · LIVE

Module-Lattice-Based Key Encapsulation Mechanism. The primary standard for general encryption — replacing RSA and Diffie-Hellman for secure key exchange. Used in TLS handshakes, VPNs, and secure messaging. Google, Apple, and Cloudflare have already begun deployment.

TLS / HTTPS VPN Key Exchange Secure Email Cloud Storage Signal Protocol
Hard Problem Basis
Module-LWE: solve As + e ≡ b (mod q)
Learning With Errors over module lattices — believed quantum-resistant
Category
Key Encapsulation
Math Basis
Lattice / LWE
Public Key
800–1568 bytes
Security Level
AES-128 to AES-256
Parameter Sets
ML-KEM-512/768/1024
Status
✓ Finalized
ALICE Public Key Pk → Bob BOB Encapsulate ct → Alice 🔑 ML-KEM Shared Secret K KeyGen() Encaps(pk) Decaps(sk) QUANTUM RESISTANT ✓
✍️
ML-DSA
formerly CRYSTALS-Dilithium
FIPS 204 · LIVE

Module-Lattice-Based Digital Signature Algorithm. The primary standard for digital signatures — protecting code signing, document signing, certificate authorities, and identity authentication against quantum forgery attacks.

Code Signing PKI / X.509 Document Auth SSH/TLS Certs Blockchain
Hard Problem Basis
Module-SIS: find short s, e: As = t (mod q)
Short Integer Solution over module lattices — sign without revealing secret key
Category
Digital Signature
Math Basis
Lattice / SIS
Signature Size
2420–4627 bytes
Public Key
1312–2592 bytes
Parameter Sets
ML-DSA-44/65/87
Status
✓ Finalized
SIGNER sk (secret) msg + sig VERIFIER pk (public) verify(sig) msg ∥ σ ✍️ ML-DSA Hash(msg) Sign with Lattice sk σ valid ✓ ML-DSA-44 128-bit sec ML-DSA-65 192-bit sec ★ ML-DSA-87 256-bit sec UNFORGEABLE ✓
🌲
SLH-DSA
formerly SPHINCS+
FIPS 205 · LIVE

Stateless Hash-Based Digital Signature Algorithm. The backup signature standard — based entirely on hash functions, not lattices. Provides critical diversity: if lattice-based schemes are ever broken, SLH-DSA remains unaffected, making it the long-term insurance policy.

Long-term Archives Root CA Signing Government Records Legal Documents Backup Auth
Hard Problem Basis
One-Way Hash: H(x) → y, infeasible to find x
Security based purely on hash functions (SHA-256 / SHAKE-256) — not on mathematical structure
Category
Digital Signature
Math Basis
Hash Functions
Signature Size
8 KB – 50 KB
Public Key
32–64 bytes
Parameter Sets
12 sets (s/f variants)
Status
✓ Finalized
ROOT NODE LAYER 1-L LAYER 1-R L2-LL L2-LR L2-RL L2-RR WOTS+ One-Time Signatures (Leaves) SIGN ← OTS SLH-DSA Hash-based only No lattice dependency Ultra-conservative ✓ HASH-PROOF SECURE ✓
🦅
FN-DSA
formerly FALCON
FIPS 206 · DRAFT

FFT-over-NTRU-Lattice-Based Digital Signature Algorithm. The compact alternative signature — provides the smallest signature sizes among all selected algorithms. Ideal for bandwidth-constrained environments like DNSSEC, IoT devices, and embedded hardware.

DNSSEC IoT Devices Embedded Systems Mobile Auth Low-Bandwidth
Hard Problem Basis
NTRU: fh = g (mod q) in cyclotomic ring
NTRU lattice structure + Fast Fourier Transform for efficient Gaussian sampling
Category
Digital Signature
Math Basis
NTRU Lattice
Signature Size
~666 – 1280 bytes
Public Key
897 – 1793 bytes
Parameter Sets
Falcon-512, Falcon-1024
Status
◑ Draft FIPS 206
FFT Sampling Signature Size Comparison RSA-2048 256B ML-DSA-65 3293B FN-DSA-512 666B ★ SLH-DSA-s 8KB+ 🦅 FN-DSA Smallest Signatures COMPACT NTRU SECURE ✓
📡
HQC
Hamming Quasi-Cyclic
ROUND 4 · SELECTED

Hamming Quasi-Cyclic — a code-based key encapsulation mechanism selected in March 2025 as a backup KEM to ML-KEM. Provides algorithmic diversity through error-correcting code theory rather than lattice math — critical if lattice-based schemes face unexpected weaknesses.

Backup KEM Crypto Diversity Lattice Hedge Future TLS Defense Apps
Hard Problem Basis
QC-SD: Syndrome Decoding in quasi-cyclic codes
Security based on hardness of decoding random quasi-cyclic codes — classical CS problem since 1978
Category
Key Encapsulation
Math Basis
Error-Correcting Codes
Public Key
~2–7 KB
Ciphertext
~4–14 KB
Selected
March 11, 2025
Status
⧖ Standardizing
Quasi-Cyclic Code Structure 1 0 1 1 0 1 0 0 1 1 0 1 0 1 1 0 0 1 1 0 1 0 0 1 1 0 1 0 1 1 0 1 1 1 0 1 0 0 1 1 0 1 0 1 1 0 1 0 0 0 1 0 0 1 1 0 1 0 1 1 0 1 0 0 ← cyclic + Error: e = 0 0 0 1 0 0 0 0 1 0 0 0 0 0 0 0 Decode: Recover original codeword via BCH SHARED SECRET K Code-based KEM ≠ Lattice math WHY HQC MATTERS If lattices fall, code-based cryptography survives NEW · MAR 2025 ✓

// SIDE BY SIDE

Algorithm Comparison

Performance, key sizes, and trade-offs across all NIST-approved PQC standards at a glance.

Algorithm FIPS Type Math Basis Key / Sig Size Speed Status
🔑 ML-KEM 203 Key Encap. Module-LWE Lattice
800–1568B pk
Very Fast
Finalized
✍️ ML-DSA 204 Signature Module-SIS Lattice
2420–4627B sig
Fast
Finalized
🌲 SLH-DSA 205 Signature Hash Functions
8KB–50KB sig
Slower
Finalized
🦅 FN-DSA 206 Signature NTRU Lattice
666–1280B sig ★
Fast
Draft
📡 HQC TBD Key Encap. Error-Correcting Codes
2–14KB
Medium
Standardizing

// INDIAN QUANTUM RESEARCH ORGANISATION

India's Quantum-Ready Future
Starts Here

Translating NIST standards into teachable modules. Protecting India's digital infrastructure — from healthcare IoMT to defense communications.

⚛ Visit IQRO → Join the Mission
यं विद्यां स विद्यां विन्दते अपराम् · IQRO © 2026 · BRAHMCS