Post Quantum Cryptography

NIST PQC Standards: ML-KEM, ML-DSA, SLH-DSA 2026

Executive summary — In August 2024, NIST finalised the first three post-quantum standards, turning years of analysis into concrete algorithms enterprises can deploy. Understanding NIST PQC standards means understanding what each one is for and what it costs in bytes and performance. This article compares FIPS 203, 204, and 205 with real figures.

The migration to post-quantum cryptography stopped being theoretical when NIST published its first finalised standards. Three documents now anchor the transition: FIPS 203 for key establishment, FIPS 204 for the primary digital signature, and FIPS 205 for a hash-based signature that hedges against future mathematical surprises. Each standardises an algorithm that survived years of public cryptanalysis, and together they cover the two operations that classical RSA and elliptic-curve cryptography provide today.

FIPS 203: ML-KEM for Key Establishment

FIPS 203 standardises ML-KEM, a module-lattice key-encapsulation mechanism derived from the algorithm formerly known as CRYSTALS-Kyber. Its job is to let two parties agree on a shared secret over an untrusted channel, the role RSA key transport and elliptic-curve Diffie-Hellman play now. ML-KEM is efficient: public keys range from roughly 800 to about 1,568 bytes depending on the security level, ciphertexts fall in a similar range, and every variant produces a 32-byte shared secret. Those sizes are larger than elliptic-curve equivalents but small enough for routine use in TLS and VPNs, which is why key establishment is the first place most enterprises will deploy PQC.

FIPS 204: ML-DSA for General Signing

FIPS 204 standardises ML-DSA, a lattice-based signature scheme derived from CRYSTALS-Dilithium, and it is the default choice for most signing. Its sizes are the practical headline. At NIST Level 2, ML-DSA-44 produces a 2,420-byte signature with a 1,312-byte public key; at Level 3, ML-DSA-65 yields a 3,309-byte signature and a 1,952-byte public key; at Level 5, ML-DSA-87 reaches a 4,627-byte signature with a 2,592-byte public key. These are an order of magnitude larger than the 64-byte signatures of elliptic-curve schemes, which has real consequences for certificates, protocol handshakes, and anything that stores signatures at volume.

Planning a quantum-safe cryptographic transition? eMudhra post-quantum cryptography helps enterprises adopt the NIST standards across their PKI, certificates, and signing infrastructure with crypto-agility built in.

FIPS 205: SLH-DSA as the Conservative Hedge

FIPS 205 standardises SLH-DSA, a stateless hash-based signature scheme derived from SPHINCS+. Its security rests only on the strength of hash functions, not on lattice problems, which makes it the conservative fallback: if a future breakthrough ever weakened lattice assumptions, both ML-KEM and ML-DSA could be affected while SLH-DSA would remain untouched. The trade-off is size. SLH-DSA public keys are tiny, just 32 to 64 bytes, but its signatures are very large, from around 17,088 bytes at the 128-bit fast variant up to roughly 49,856 bytes at the 256-bit fast variant. Those figures make SLH-DSA impractical for high-volume signing but valuable for long-lived, low-frequency roots of trust such as firmware and code-signing anchors.

Choosing Between Them

The three standards are complementary, not competing. Most systems will use ML-KEM for key establishment and ML-DSA for signatures, reserving SLH-DSA for the small number of extremely long-lived keys where algorithm diversity justifies the size cost. The engineering challenge is rarely the mathematics; it is that the larger keys and signatures ripple through certificate sizes, handshake budgets, storage, and hardware limits. This is why understanding post-quantum cryptography at a conceptual level should precede any deployment decision.

From Standards to Migration

Standardised algorithms are necessary but not sufficient. An enterprise cannot migrate what it cannot see, so the first practical step is discovery: an inventory of where cryptography is used across applications, certificates, and protocols. That inventory becomes a crypto bill of materials, which then drives a prioritised replacement plan. Crypto-agility, the ability to swap algorithms without re-architecting systems, is the property that turns a one-time migration into a repeatable capability, because these standards will themselves be revised over time.

Because certificate authorities sit at the centre of this transition, the readiness of the CA platform matters as much as the algorithms. Organisations should assess their providers against a quantum-ready CA comparison and ensure their certificate lifecycle tooling can issue, track, and rotate PQC certificates through certificate lifecycle management before the volume of quantum-safe certificates grows.

BUILD A QUANTUM-SAFE FOUNDATION
eMudhra helps enterprises adopt the NIST PQC standards across PKI and signing with crypto-agility built in. Explore eMudhra post-quantum cryptography or talk to the eMudhra team.

eMudhra Limited
About the Author

eMudhra Limited

eMudhra Editorial represents the collective voice of eMudhra, providing expert insights on the latest trends in digital security, cryptographic identities, and digital transformation. Our team of industry specialists curates and delivers thought-provoking content aimed at helping businesses navigate the evolving landscape of cybersecurity and trust services with confidence.

Ready to Try?

Talk to our team about how eMudhra can help secure your digital workflows with PKI, eSignatures and identity solutions.

Connect with sales