Explainer · 7 min read

The NIST PQC standards: what each one does and why it matters

NIST has standardised five post-quantum algorithms across two categories. Here's what each one does, when to use it, and what the full suite means for your migration.

Context

Why NIST — and why these algorithms

In 2016, NIST opened a global competition to find public-key algorithms that a quantum computer couldn't break. Eighty-two submissions came in from cryptographers worldwide. Over eight years of analysis, public scrutiny, and attack attempts — including one algorithm being broken entirely in a weekend — the field was narrowed to five finalists.

FIPS 203, 204, and 205 were published in August 2024. FIPS 206 followed. HQC was selected as a fifth algorithm in March 2025. These are now finalised standards — not draft proposals, not emerging technology. The question for UK financial institutions isn't whether to adopt them. It's in what order.

“This is not emerging technology. NIST has already decided. The question is whether your estate is aligned — and when the regulators start asking.”

The framework

Two categories. Two separate problems.

The five standards split cleanly into two categories — and they solve different problems with different urgency profiles. Understanding the split is the foundation of any migration plan.

KEMs

Key Encapsulation Mechanisms

Replace RSA and ECDH for encrypting data in transit. The lockbox. This is where HNDL exposure lives — the most urgent migration priority for most organisations.

Signatures

Digital Signature Algorithms

Replace RSA and ECDSA for proving authenticity and integrity. The wax seal. Broken signatures mean forged certificates, malicious updates, and compromised trust chains.

These are structurally separate migration workstreams with different timelines, different system owners, and different risk profiles.

The standards

The five algorithms

FIPS 203

ML-KEM

Module-Lattice-Based Key Encapsulation Mechanism · formerly CRYSTALS-Kyber

KEM

The primary replacement for RSA and ECDH in key exchange. ML-KEM protects data confidentiality in transit — HTTPS, TLS, VPNs, encrypted APIs. It's fast, well-studied, and has broad tooling support across major libraries and cloud providers. This is the algorithm most organisations will deploy first.

Use when

Migrating any system that exchanges keys over a public network. Internet-facing infrastructure, API gateways, VPN endpoints — ML-KEM is the default choice.
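As an added example, not code from this page or from any vendor it mentions, the exchange that ML-KEM performs where ECDH used to sit, using Go's standard-library crypto/mlkem package (Go 1.24 or later). The KemExchange type and its methods are illustrative names chosen here; the byte sizes in the comments are those of ML-KEM-768 as defined in FIPS 203.

```go
package main

import (
	"bytes"
	"crypto/mlkem"
	"fmt"
)

// KemExchange records one ML-KEM-768 key exchange. Only EncapsulationKey and Ciphertext
// cross the wire, so a passive recorder (the HNDL threat) captures exactly those two.
type KemExchange struct {
	dk               *mlkem.DecapsulationKey768 // receiver's private key, never sent
	EncapsulationKey []byte                     // receiver -> sender, 1184 bytes
	Ciphertext       []byte                     // sender -> receiver, 1088 bytes
	SenderKey        []byte                     // 32-byte secret derived by the sender
	ReceiverKey      []byte                     // 32-byte secret recovered by the receiver
}

// RunExchange plays both parties in one process (in TLS they sit on different hosts,
// and the sender would parse the received bytes with mlkem.NewEncapsulationKey768).
func RunExchange() (*KemExchange, error) {
	dk, err := mlkem.GenerateKey768() // receiver: generate the key pair
	if err != nil {
		return nil, err
	}
	ek := dk.EncapsulationKey()            // receiver: publish this part
	senderKey, ct := ek.Encapsulate()      // sender: fresh secret + ciphertext conveying it
	receiverKey, err := dk.Decapsulate(ct) // receiver: recover the same secret
	if err != nil {
		return nil, err
	}
	return &KemExchange{dk, ek.Bytes(), ct, senderKey, receiverKey}, nil
}

func (x *KemExchange) Agreed() bool { return bytes.Equal(x.SenderKey, x.ReceiverKey) }

// TamperedStillMatches flips one ciphertext bit and decapsulates again. ML-KEM uses
// implicit rejection: the call succeeds but yields an unrelated key, so corruption
// surfaces only when the key is used (an AEAD tag fails to verify), not here.
func (x *KemExchange) TamperedStillMatches() bool {
	bad := append([]byte(nil), x.Ciphertext...)
	bad[0] ^= 0x01
	k, err := x.dk.Decapsulate(bad)
	return err == nil && bytes.Equal(k, x.SenderKey)
}

func main() {
	x, err := RunExchange()
	if err != nil { panic(err) }
	fmt.Printf("agreed=%v tampered-matches=%v\n", x.Agreed(), x.TamperedStillMatches())
}
```

The tamper check is the caveat worth remembering when you swap ECDH for a KEM: decapsulation never "fails" on a corrupted ciphertext, so the protocol above it must authenticate the traffic it protects.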

FIPS 204

ML-DSA

Module-Lattice-Based Digital Signature Algorithm · formerly CRYSTALS-Dilithium

Signature

The primary replacement for RSA and ECDSA signatures. ML-DSA protects authenticity and integrity — code signing, certificate chains, document signatures, authentication tokens. Like ML-KEM, it's lattice-based and offers a strong balance of security, speed, and signature size.

Use when

The default signature algorithm for most use cases. Certificate authorities, code signing pipelines, authentication systems, and any infrastructure that issues or verifies signatures.

FIPS 205

SLH-DSA

Stateless Hash-Based Digital Signature Algorithm · formerly SPHINCS+

Signature

A conservative fallback signature algorithm built on hash functions rather than lattice mathematics. It is slower and produces larger signatures than ML-DSA, but its security rests on a fundamentally different mathematical basis. If lattice cryptography is ever broken, SLH-DSA remains sound.

Use when

High-value, long-lived signatures where you need mathematical diversity — root certificate authorities, regulatory filings, legal documents. Not a daily-use algorithm, but an important hedge.

FIPS 206

FN-DSA

Fast Fourier Lattice-Based Compact Signatures over NTRU · formerly Falcon

Signature

A compact signature algorithm producing significantly smaller signatures than ML-DSA. Technically demanding to implement correctly — timing side-channel vulnerabilities require careful engineering. Designed for environments where signature size is a hard constraint.

Use when

Constrained environments with strict bandwidth or storage limits. IoT devices, embedded systems, smart cards. For most financial-services applications, ML-DSA is the safer default.

Selected Mar 2025

HQC

Hamming Quasi-Cyclic · Code-Based KEM

KEM

A backup KEM built on error-correcting code mathematics — a completely different mathematical family from ML-KEM. Selected precisely because its security assumptions don't overlap. If a breakthrough attack ever threatens lattice-based cryptography, HQC provides a fallback that remains secure.

Use when

Not a primary deployment target — HQC is a strategic hedge. Its value is diversity: it ensures that a single mathematical breakthrough can't compromise the entire PQC migration.

Quick reference

Side by side

Algorithm   Type        Basis           Priority
ML-KEM      KEM         Lattice         Deploy first
ML-DSA      Signature   Lattice         Deploy first
SLH-DSA     Signature   Hash            High-value signatures
FN-DSA      Signature   NTRU lattice    Constrained environments
HQC         KEM         Code            Strategic fallback

For your migration

What the full suite means in practice

For most UK financial institutions, the migration priority is straightforward: ML-KEM for key exchange, ML-DSA for signatures. These two algorithms cover the vast majority of your cryptographic estate and have the broadest tooling support.

SLH-DSA belongs in your root certificate authority and any long-lived regulatory signatures — deployed alongside ML-DSA for mathematical diversity, not instead of it. FN-DSA is relevant only if you operate constrained devices with hard size limits. HQC is a strategic consideration for your architecture team, not an immediate deployment target.

The NCSC's 2028 milestone requires you to have a migration plan that maps your cryptographic estate to the appropriate algorithm for each system. That mapping starts with discovery — knowing what you currently have before deciding what to replace it with.

Next step

Want to map these standards to your estate?

Book a free 30-minute call. We'll identify which NIST algorithms apply to which systems in your environment and tell you exactly what a formal Quantum Readiness Assessment would cover.