NIST Post-Quantum Cryptography Standards Guide

A comprehensive overview of the National Institute of Standards and Technology (NIST) post-quantum cryptography standardization process and recommendations.

Note: This guide summarizes official NIST documentation and provides practical implementation guidance based on current standards.

NIST PQC Standardization Process

In 2016, NIST initiated a process to solicit, evaluate, and standardize quantum-resistant cryptographic algorithms. This multi-year, multi-round process involved the global cryptographic community in developing secure alternatives to current public-key cryptographic standards that are vulnerable to quantum attacks.

  • 2016-2017, Call for Proposals: NIST solicited proposals for quantum-resistant public-key cryptographic algorithms. Result: 69 eligible submissions received.
  • 2017-2019, Round 1: Initial evaluation of submissions for security, performance, and implementation characteristics. Result: 26 algorithms advanced to Round 2.
  • 2019-2020, Round 2: More detailed analysis and performance benchmarking across various platforms. Result: 7 finalists and 8 alternates selected.
  • 2020-2022, Round 3: Final evaluation focusing on security analysis, implementation optimization, and side-channel resistance. Result: First standards selected in 2022.

Current Status: In July 2022, NIST announced the first set of quantum-resistant algorithms selected for standardization, with additional selections made in 2023.

Selected PQC Algorithms

NIST has selected the following algorithms for standardization, categorized by their cryptographic function:

Public-Key Encryption and Key-Establishment Algorithms

| Algorithm | Type | Security Basis | Key Features | Status |
|---|---|---|---|---|
| CRYSTALS-Kyber | Lattice-based KEM | Module Learning With Errors (MLWE) | Excellent performance; reasonable key and ciphertext sizes; conservative security parameters | Selected for standardization |

Digital Signature Algorithms

| Algorithm | Type | Security Basis | Key Features | Status |
|---|---|---|---|---|
| CRYSTALS-Dilithium | Lattice-based signature | Module Learning With Errors (MLWE) | Good overall performance; balanced signature and key sizes; similar security basis as Kyber | Selected for standardization |
| FALCON | Lattice-based signature | NTRU lattices | Smaller signatures than Dilithium; more complex implementation; different security basis than Dilithium | Selected for standardization |
| SPHINCS+ | Hash-based signature | Hash function security | Conservative security assumptions; larger signatures; slower than lattice-based options | Selected for standardization |

Additional Algorithms Under Consideration

| Algorithm | Type | Security Basis | Status |
|---|---|---|---|
| BIKE | Code-based KEM | Quasi-Cyclic Moderate Density Parity-Check Codes | Under consideration |
| Classic McEliece | Code-based KEM | Goppa codes | Under consideration |
| HQC | Code-based KEM | Quasi-Cyclic codes | Under consideration |
| SIKE | Isogeny-based KEM | Supersingular isogeny graphs | Broken in 2022 |

NIST Security Levels

NIST defines five security levels for post-quantum algorithms, based on the computational resources required to break them relative to breaking AES and SHA:

| Security Level | Description | Classical Equivalent | Quantum Resistance |
|---|---|---|---|
| Level 1 | At least as hard to break as AES-128 | 128-bit security | Resistant to quantum attacks requiring similar resources to breaking AES-128 with Grover's algorithm |
| Level 2 | At least as hard to break as SHA-256 | 128-bit security | Resistant to quantum attacks requiring similar resources to collision finding in SHA-256 |
| Level 3 | At least as hard to break as AES-192 | 192-bit security | Resistant to quantum attacks requiring similar resources to breaking AES-192 with Grover's algorithm |
| Level 4 | At least as hard to break as SHA-384 | 192-bit security | Resistant to quantum attacks requiring similar resources to collision finding in SHA-384 |
| Level 5 | At least as hard to break as AES-256 | 256-bit security | Resistant to quantum attacks requiring similar resources to breaking AES-256 with Grover's algorithm |

Note: Most organizations should target at least NIST Level 1 for general applications and Level 3 or higher for highly sensitive data with long-term security requirements.

Implementation Guidance

Algorithm Selection Recommendations

Based on NIST's selections and current security understanding, we recommend the following approaches:

Key Establishment

Primary Recommendation: CRYSTALS-Kyber

  • Use Kyber-768 (NIST Level 3) for most applications
  • Use Kyber-1024 (NIST Level 5) for highly sensitive data
  • Consider hybrid approaches combining Kyber with traditional ECDH during transition

Ensure implementations are from trusted libraries with side-channel protections.

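One way to realise the hybrid approach recommended above, as an added example that is not taken from NIST or from any library: both shared secrets go through HKDF-SHA-256 together with the public values, so the session key stays secret as long as either exchange holds. The concatenate-then-KDF construction, the 32-byte secret lengths, the function names and the sample byte strings are assumptions; in practice the secrets come from a vetted ECDH and Kyber-768 implementation.

```python
import hashlib
import hmac

KYBER768_CT_LEN = 1088  # Kyber-768 ciphertext size, from the table on this page
SS_LEN = 32             # assumption: ECDH and Kyber each yield a 32-byte secret

# Constructed sample values standing in for real library output.
SAMPLE_ECDH_SS = hashlib.sha256(b"constructed ECDH shared secret").digest()
SAMPLE_KYBER_SS = hashlib.sha256(b"constructed Kyber shared secret").digest()
SAMPLE_ECDH_PUBS = (b"\x02" * 32, b"\x03" * 32)
SAMPLE_KYBER_CT = b"\x04" * KYBER768_CT_LEN


def hkdf_sha256(ikm, salt, info, length):
    """HKDF (RFC 5869): extract with HMAC-SHA-256, then expand to `length` bytes."""
    if not 0 < length <= 255 * 32:
        raise ValueError("invalid output length")
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def lp(field):
    """Length-prefix a field so adjacent fields cannot be re-split ambiguously."""
    return len(field).to_bytes(4, "big") + field


def hybrid_session_key(ecdh_ss, kyber_ss, ecdh_pubs, kyber_ct, label=b"hybrid-example-v1"):
    """Derive one 32-byte key that depends on BOTH shared secrets."""
    if len(ecdh_ss) != SS_LEN or len(kyber_ss) != SS_LEN:
        raise ValueError("unexpected shared-secret length")
    if len(kyber_ct) != KYBER768_CT_LEN:
        raise ValueError("ciphertext is not Kyber-768 sized")
    if ecdh_ss == bytes(SS_LEN):
        raise ValueError("all-zero ECDH secret (degenerate peer key)")
    # Bind the public transcript so a swapped key share or ciphertext
    # yields a different key on the two sides.
    transcript = hashlib.sha256(b"".join(lp(p) for p in (*ecdh_pubs, kyber_ct))).digest()
    return hkdf_sha256(ecdh_ss + kyber_ss, b"", lp(label) + transcript, 32)


if __name__ == "__main__":
    key = hybrid_session_key(SAMPLE_ECDH_SS, SAMPLE_KYBER_SS, SAMPLE_ECDH_PUBS, SAMPLE_KYBER_CT)
    print(key.hex())
```

Both peers must feed the public values in the same order, otherwise the derived keys differ.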
Digital Signatures

Primary Recommendation: CRYSTALS-Dilithium

  • Use Dilithium3 (NIST Level 3) for most applications
  • Use Dilithium5 (NIST Level 5) for highly sensitive data
  • Consider FALCON for applications where signature size is critical
  • Consider SPHINCS+ where conservative security assumptions are required

For critical infrastructure, consider dual signatures with different algorithm families.

Performance Considerations

| Algorithm | Public Key Size | Private Key Size | Signature/Ciphertext Size | Performance Notes |
|---|---|---|---|---|
| Kyber-768 | 1,184 bytes | 2,400 bytes | 1,088 bytes (ciphertext) | Fast key generation and encapsulation/decapsulation |
| Dilithium3 | 1,952 bytes | 4,000 bytes | 3,293 bytes (signature) | Good overall performance, larger signatures than ECDSA |
| FALCON-512 | 897 bytes | 1,281 bytes | 666 bytes (signature) | Smaller signatures, more complex implementation |
| SPHINCS+-128s | 32 bytes | 64 bytes | 7,856 bytes (signature) | Very large signatures, slower signing/verification |

Standardization Timeline and Resources

Current Status and Timeline

  • July 2022: NIST announced first selections (CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, SPHINCS+). Status: Completed
  • 2023: Draft standards for selected algorithms published for public comment. Status: Completed
  • 2023-2024: Additional KEM selections from Round 4. Status: In progress
  • 2024: Final standards published for first selected algorithms. Status: Upcoming
  • 2025-2026: FIPS certification for compliant implementations. Status: Planned
