The NIST post-quantum cryptography standards, explained
Three finalized standards (FIPS 203/204/205), one forthcoming (Falcon/FIPS 206), and why the transition is a multi-year job.
Why post-quantum at all
The public-key cryptography that secures most of the internet — RSA and elliptic-curve — relies on math problems a large enough quantum computer could solve efficiently (via Shor’s algorithm). No such machine exists today, and timelines are genuinely uncertain, so this is a planning problem, not an emergency.
What makes it pressing is “harvest now, decrypt later”: an adversary can record encrypted data today and decrypt it once a capable quantum computer arrives. Anything that must stay confidential — or verifiable — for years should move to quantum-resistant algorithms well before then.
The three finalized standards (2024)
FIPS 203 — ML-KEM (from CRYSTALS-Kyber): a key-encapsulation mechanism for establishing shared secrets, i.e. the key exchange that sets up an encrypted channel.
FIPS 204 — ML-DSA (from CRYSTALS-Dilithium): a lattice-based digital signature scheme, the workhorse for signing. THRONDAR signs every answer with ML-DSA-87, its highest-strength (NIST security category 5) parameter set.
FIPS 205 — SLH-DSA (from SPHINCS+): a hash-based signature scheme. It’s larger and slower, but rests on a completely different (and very conservative) security assumption than the lattice schemes — useful as a diversity option.
The forthcoming one: Falcon / FIPS 206
NIST also selected Falcon, to be standardized as FN-DSA under FIPS 206. As of mid-2026 that standard is still in preparation — selected but not yet published. That’s an important honesty point: it’s correct to call Falcon “forthcoming,” and incorrect to call it a finalized NIST standard.
Falcon produces compact signatures, which is why some systems use it as a second, independent signature alongside ML-DSA — but any product should describe it as draft/forthcoming, not certified.
How migration actually works
Two practical patterns dominate. Hybrid: pair a classical algorithm (like X25519) with a post-quantum one (like ML-KEM-1024) during the transition, so you’re no worse off than today even if one is later weakened. Diversity: use more than one signature family (a lattice scheme plus a hash-based one) so a break in one doesn’t take down your whole provenance.
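The hybrid pattern in practice comes down to how the two shared secrets are combined. The following is an added illustration, not code from the article or from THRONDAR: a combiner that concatenates a classical shared secret and a post-quantum one, binds them to the handshake transcript, and runs them through HKDF (RFC 5869, implemented here with the standard library), so the output key can only be derived by someone who knows both inputs. X25519 and ML-KEM are not in the Python standard library, so the two shared secrets and the transcript are constructed stand-ins; the label string and the concatenation-then-HKDF layout are assumptions chosen to illustrate the pattern, not any specific protocol's exact combiner.

```python
import hashlib
import hmac

SECRET_LEN = 32  # X25519 and ML-KEM both yield 32-byte shared secrets


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_shared_secrets(ss_classical: bytes, ss_pq: bytes, transcript: bytes,
                           label: bytes = b"hybrid X25519+ML-KEM-1024") -> bytes:
    """Derive one session key from both shared secrets.

    Fixed-length inputs keep the concatenation unambiguous; hashing the
    transcript into the salt binds the key to the public values actually
    exchanged, so a secret from one handshake cannot be replayed into another.
    """
    if len(ss_classical) != SECRET_LEN or len(ss_pq) != SECRET_LEN:
        raise ValueError("hybrid combiner expects fixed-length shared secrets")
    ikm = ss_classical + ss_pq
    salt = hashlib.sha256(transcript).digest()
    prk = hkdf_extract(salt, ikm)
    return hkdf_expand(prk, label, SECRET_LEN)


def demo() -> dict:
    # Constructed stand-ins: in a real handshake these come from X25519 and
    # ML-KEM-1024 decapsulation, and the transcript from the exchanged messages.
    ss_classical = hashlib.sha256(b"constructed X25519 shared secret").digest()
    ss_pq = hashlib.sha256(b"constructed ML-KEM-1024 shared secret").digest()
    transcript = (b"constructed: client_x25519_pk || client_mlkem_pk || "
                  b"server_x25519_pk || mlkem_ciphertext")
    key = combine_shared_secrets(ss_classical, ss_pq, transcript)
    # Model one component being broken: an attacker who recovers one shared
    # secret but guesses the other wrong still derives a different key.
    wrong_classical = combine_shared_secrets(bytes(SECRET_LEN), ss_pq, transcript)
    wrong_pq = combine_shared_secrets(ss_classical, bytes(SECRET_LEN), transcript)
    return {"key": key, "wrong_classical": wrong_classical, "wrong_pq": wrong_pq}


if __name__ == "__main__":
    out = demo()
    print("session key:", out["key"].hex())
    print("both components needed:",
          out["key"] != out["wrong_classical"] and out["key"] != out["wrong_pq"])
```

The point of the design is the "no worse off" property from the text: if ML-KEM were later weakened, the key still depends on the X25519 secret, and vice versa. Real deployments should follow the combiner specified by the protocol they implement rather than this sketch.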
The first concrete step for most organizations isn’t swapping algorithms — it’s inventory. You can’t migrate what you can’t see, so you build a Cryptographic Bill of Materials (CBOM): a machine-readable list of every primitive you use, mapped to its standard and role.
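What an inventory buys you is the ability to triage. As an added example (not the article's or any product's tooling), the script below reads a small constructed CBOM, maps each primitive to its standard, and classifies every asset as quantum-vulnerable, hybrid, PQ-only or unknown, ranking the vulnerable ones by how long their data must stay confidential or verifiable, which is the harvest-now-decrypt-later criterion from the text. The JSON shape (assets, role, algorithms, lifetime_years) is a simplified illustration rather than the CycloneDX CBOM schema, and the sample assets and algorithm catalog are constructed for the example.

```python
import json

# Constructed sample inventory; the field layout is illustrative, not CycloneDX.
SAMPLE_CBOM = json.dumps({
    "assets": [
        {"name": "edge-tls", "role": "key-exchange",
         "algorithms": ["X25519"], "lifetime_years": 10},
        {"name": "internal-api", "role": "key-exchange",
         "algorithms": ["X25519", "ML-KEM-1024"], "lifetime_years": 1},
        {"name": "answer-signing", "role": "signature",
         "algorithms": ["ML-DSA-87", "FN-DSA-512"], "lifetime_years": 5},
        {"name": "firmware-signing", "role": "signature",
         "algorithms": ["ECDSA-P256"], "lifetime_years": 15},
        {"name": "legacy-vpn", "role": "key-exchange",
         "algorithms": ["FOO-KEX"], "lifetime_years": 3},
    ]
})

# Algorithm name -> (standard it is defined in, quantum-resistant?).
# Classical entries are the ones Shor's algorithm breaks; PQ entries map to the
# NIST FIPS documents discussed in the article.
CATALOG = {
    "RSA-2048": ("PKCS #1 / FIPS 186", False),
    "ECDSA-P256": ("FIPS 186", False),
    "X25519": ("RFC 7748", False),
    "ML-KEM-768": ("FIPS 203", True),
    "ML-KEM-1024": ("FIPS 203", True),
    "ML-DSA-65": ("FIPS 204", True),
    "ML-DSA-87": ("FIPS 204", True),
    "SLH-DSA-SHA2-128s": ("FIPS 205", True),
    "FN-DSA-512": ("FIPS 206 (forthcoming, not yet published)", True),
}

LONG_LIVED_YEARS = 5  # assumption: beyond this, HNDL exposure is treated as urgent


def family(alg: str) -> str:
    """'ML-DSA-87' -> 'ML-DSA', 'SLH-DSA-SHA2-128s' -> 'SLH-DSA'."""
    return "-".join(alg.split("-")[:2])


def classify(asset: dict) -> dict:
    standards, notes = [], []
    pq_families, classical, unknown = set(), 0, 0
    for alg in asset["algorithms"]:
        entry = CATALOG.get(alg)
        if entry is None:
            unknown += 1
            standards.append(f"{alg}: UNKNOWN")
            continue
        std, resistant = entry
        standards.append(f"{alg}: {std}")
        if resistant:
            pq_families.add(family(alg))
        else:
            classical += 1
    if unknown:
        status = "unknown"
    elif pq_families and classical:
        status = "hybrid"
    elif pq_families:
        status = "pq-only"
    else:
        status = "quantum-vulnerable"
    # Long-lived confidentiality or verifiability is what makes HNDL bite.
    if status in ("quantum-vulnerable", "unknown"):
        priority = "high" if asset["lifetime_years"] >= LONG_LIVED_YEARS else "medium"
    else:
        priority = "low"
    if any("forthcoming" in s for s in standards):
        notes.append("depends on a standard that is not yet finalized")
    if asset["role"] == "signature" and status == "pq-only" and len(pq_families) < 2:
        notes.append("single signature family; no diversity fallback")
    return {"name": asset["name"], "role": asset["role"], "status": status,
            "priority": priority, "standards": standards, "notes": notes}


def triage(cbom_json: str) -> list:
    cbom = json.loads(cbom_json)
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((classify(a) for a in cbom["assets"]), key=lambda f: order[f["priority"]])


if __name__ == "__main__":
    for f in triage(SAMPLE_CBOM):
        print(f"{f['priority']:6} {f['status']:19} {f['name']:16} {'; '.join(f['notes'])}")
```

The output is a worklist rather than a migration: the long-lived classical assets come first, hybrid deployments are already covered, and anything that cannot be matched to a standard is flagged for investigation before it can be assessed at all.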
Verification attests an answer’s origin and integrity, not its factual accuracy. Algorithm names denote the public standards the primitives are based on (ML-DSA-87 / FIPS 204, ML-KEM-1024 / FIPS 203; Falcon / FN-DSA, FIPS 206 forthcoming), not a FIPS-140 / CMVP validation.