NIST Post-Quantum Cryptographic Standards: Technical Reference

FIPS 203 (ML-KEM) · FIPS 204 (ML-DSA) · FIPS 205 (SLH-DSA) · Finalized August 2024

Module Learning With Errors (MLWE)

Ring: R_q = Z_q[X]/(X^n + 1) where n=256, q=3329

KeyGen():
    ρ, σ ← {0,1}^256
    A ← Sam(ρ) ∈ R_q^(k×k)
    s, e ← β_η(σ) ∈ R_q^k
    t := As + e
    return (pk = (t, ρ), sk = s)

Security reduces to worst-case lattice problems via Regev's reduction (STOC 2005). The quantum speedup for SVP remains marginal: the best known attack costs 2^(0.265n) quantumly vs. 2^(0.292n) classically.

ML-KEM Parameter Sets (FIPS 203)

Param            512       768       1024
k (rank)         2         3         4
η₁, η₂           3, 2      2, 2      2, 2
(d_u, d_v)       10, 4     10, 4     11, 5
|pk| bytes       800       1,184     1,568
|ct| bytes       768       1,088     1,568
δ (failure)      2^-139    2^-164    2^-174
Security level   I         III       V

NTT-based multiplication: O(n log n). Decapsulation includes FO re-encryption for IND-CCA2.
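As an added illustration of the KeyGen sketch and the parameter table above (this is example code written for this page, not FIPS 203 or any library's implementation), the block below builds a minimal Module-LWE public-key encryption scheme over R_q = Z_q[X]/(X^256 + 1) with q = 3329, using k = 2 and η = 3 from the ML-KEM-512 column. It deliberately leaves out the NTT, ciphertext compression (d_u, d_v), the FO transform and FIPS 203's exact byte encodings, so its decryption failure rate is not the table's δ; the SHAKE-based sampling of A and the centered binomial sampler are simplified stand-ins for Sam(ρ) and β_η(σ), and all seeds are constructed constants.

```python
# Added example (not FIPS 203 code): a minimal Module-LWE public-key encryption
# scheme over R_q = Z_q[X]/(X^256 + 1), q = 3329, with k = 2 and eta = 3 taken
# from the ML-KEM-512 column of the table above. Omitted on purpose: the NTT,
# ciphertext compression (d_u, d_v), the FO transform and FIPS 203's exact byte
# encodings, so the decryption failure rate here is not the table's delta.
import hashlib

N, Q, K, ETA = 256, 3329, 2, 3

def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def poly_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]

def poly_mul(a, b):
    """Schoolbook product in Z_q[X]/(X^N + 1): X^(i+j) with i+j >= N wraps to -X^(i+j-N)."""
    acc = [0] * (2 * N)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            acc[i + j] += ai * bj
    return [(acc[i] - acc[i + N]) % Q for i in range(N)]

def sum_polys(polys):
    acc = [0] * N
    for p in polys:
        acc = poly_add(acc, p)
    return acc

def mat_vec(A, v):
    """A.v for A in R_q^(k x k) and v in R_q^k."""
    return [sum_polys(poly_mul(A[i][j], v[j]) for j in range(K)) for i in range(K)]

def inner(u, v):
    """Inner product <u, v> of two vectors in R_q^k."""
    return sum_polys(poly_mul(u[j], v[j]) for j in range(K))

def sample_uniform(rho, i, j):
    """Stand-in for Sam(rho): uniform coefficients in [0, q) by rejecting 12-bit
    values >= q drawn from SHAKE-128(rho || i || j)."""
    xof = hashlib.shake_128(rho + bytes([i, j]))
    length = 3 * N
    while True:
        buf = xof.digest(length)
        coeffs = []
        for t in range(0, len(buf) - 2, 3):
            d1 = buf[t] | ((buf[t + 1] & 0x0F) << 8)
            d2 = (buf[t + 1] >> 4) | (buf[t + 2] << 4)
            coeffs += [d for d in (d1, d2) if d < Q]
        if len(coeffs) >= N:
            return coeffs[:N]
        length *= 2  # astronomically rare: too many rejections, squeeze more output

def sample_cbd(seed, nonce):
    """beta_eta: each coefficient is (sum of eta bits) - (sum of eta other bits),
    the bits coming from SHAKE-256(seed || nonce)."""
    buf = hashlib.shake_256(seed + bytes([nonce])).digest(ETA * N // 4)
    bits = [(byte >> b) & 1 for byte in buf for b in range(8)]
    return [(sum(bits[2 * ETA * t: 2 * ETA * t + ETA])
             - sum(bits[2 * ETA * t + ETA: 2 * ETA * (t + 1)])) % Q for t in range(N)]

def keygen(d):
    """KeyGen as sketched above: (rho, sigma) from d, A <- Sam(rho), s, e <- beta_eta(sigma), t = As + e."""
    h = hashlib.sha3_512(d).digest()
    rho, sigma = h[:32], h[32:]
    A = [[sample_uniform(rho, i, j) for j in range(K)] for i in range(K)]
    s = [sample_cbd(sigma, n) for n in range(K)]
    e = [sample_cbd(sigma, K + n) for n in range(K)]
    t = [poly_add(x, y) for x, y in zip(mat_vec(A, s), e)]
    return (t, rho), s

def encrypt(pk, msg_bits, coins):
    """u = A^T r + e1, v = <t, r> + e2 + round(q/2)*m for 256 message bits."""
    t, rho = pk
    A = [[sample_uniform(rho, i, j) for j in range(K)] for i in range(K)]
    A_t = [[A[j][i] for j in range(K)] for i in range(K)]
    r = [sample_cbd(coins, n) for n in range(K)]
    e1 = [sample_cbd(coins, K + n) for n in range(K)]
    e2 = sample_cbd(coins, 2 * K)
    u = [poly_add(x, y) for x, y in zip(mat_vec(A_t, r), e1)]
    v = poly_add(poly_add(inner(t, r), e2), [(Q + 1) // 2 * b for b in msg_bits])
    return u, v

def decrypt(sk, ct):
    """v - <s, u> = round(q/2)*m + small noise; coefficients nearer q/2 than 0 decode to 1."""
    u, v = ct
    return [1 if Q // 4 < c < 3 * Q // 4 else 0 for c in poly_sub(v, inner(sk, u))]

def bytes_to_bits(data):
    return [(byte >> b) & 1 for byte in data for b in range(8)]

if __name__ == "__main__":
    # Constructed fixed seeds for a reproducible run; real code draws them from os.urandom.
    pk, sk = keygen(b"\x01" * 32)
    msg = bytes_to_bits(b"constructed 32-byte plaintext!!!")
    print("round trip OK" if decrypt(sk, encrypt(pk, msg, b"\x02" * 32)) == msg else "FAILED")
```

The decryption noise e^T r + e₂ − s^T e₁ has a standard deviation of a few dozen against a decoding margin of q/4 ≈ 832, which is why the uncompressed toy essentially never fails; the table's δ values are what remains once d_u and d_v compression adds rounding error on top. The schoolbook multiplication is O(n²) per product, which is the cost the NTT removes.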

ML-DSA Parameter Sets (FIPS 204)

Param            44          65          87
(k, l)           4, 4        6, 5        8, 7
q                8,380,417   8,380,417   8,380,417
γ₁               2^17        2^19        2^19
γ₂               (q-1)/88    (q-1)/32    (q-1)/32
|pk| bytes       1,312       1,952       2,592
|sig| bytes      2,420       3,293       4,595
Security level   II          III         V

Fiat-Shamir with aborts. Expected signing iterations: ~4.25 (ML-DSA-65). Rejection sampling leaks timing; a constant-time implementation is required.

SLH-DSA Signature Sizes (FIPS 205)

Variant        |pk| bytes   |sig| bytes   Sign ops/s
128s (SHA2)    32           7,856         ~7
128f (SHA2)    32           17,088        ~75
192s (SHA2)    48           16,224        ~3
256s (SHA2)    64           29,792        ~1
256f (SHA2)    64           49,856        ~10

WOTS+ one-time signatures (OTS) arranged in a hypertree. Security assumption: collision/preimage resistance of the hash function only. SHAKE256 variants are also specified.
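To make the "hash function only" assumption concrete, here is an added WOTS+ one-time signature written for this page (it is not FIPS 205 code). It keeps the structure of the real scheme, chains of hash applications whose lengths encode the message digits plus a checksum, but simplifies everything around it: the message is hashed with plain SHA-256 instead of the randomized digest and FORS stage, the chaining function keys SHAKE-256 with (seed, chain index, step) rather than FIPS 205's ADRS-based tweakable hash, and no hypertree is built on top. Seeds are constructed constants.

```python
# Added example (not FIPS 205 code): WOTS+ with w = 16 and n = 32 bytes.
import hashlib

N_BYTES = 32            # hash output length n
W = 16                  # Winternitz parameter: each chain step consumes 4 bits
LEN1 = 2 * N_BYTES      # 64 message digits in base w
LEN2 = 3                # checksum digits: max checksum 64 * 15 = 960 < 16^3
LEN = LEN1 + LEN2       # 67 chains in total

def F(pub_seed, chain, step, x):
    """Chaining function: one hash step, domain-separated by chain and step index
    (a simplification of FIPS 205's ADRS-keyed tweakable hash)."""
    data = pub_seed + chain.to_bytes(4, "big") + step.to_bytes(4, "big") + x
    return hashlib.shake_256(data).digest(N_BYTES)

def chain_fn(x, start, steps, pub_seed, chain):
    """Apply F 'steps' times, beginning at position 'start' in the chain."""
    for step in range(start, start + steps):
        x = F(pub_seed, chain, step, x)
    return x

def base_w(digest):
    """Split the 32-byte digest into 64 nibbles and append a 3-digit checksum.
    The checksum is what makes a signature usable for exactly one message:
    any change that lowers some message digit raises the checksum digits."""
    digits = [d for byte in digest for d in (byte >> 4, byte & 0x0F)]
    csum = sum(W - 1 - d for d in digits)
    digits += [(csum >> (4 * i)) & 0x0F for i in range(LEN2 - 1, -1, -1)]
    return digits

def keygen(sk_seed, pub_seed):
    """Secret key: LEN pseudorandom chain starts. Public key: every chain run to its end."""
    sk = [hashlib.shake_256(sk_seed + i.to_bytes(4, "big")).digest(N_BYTES) for i in range(LEN)]
    pk = [chain_fn(sk[i], 0, W - 1, pub_seed, i) for i in range(LEN)]
    return sk, pk

def sign(msg, sk, pub_seed):
    """Signature element i is chain i advanced by the i-th digit of the encoded digest."""
    digits = base_w(hashlib.sha256(msg).digest())
    return [chain_fn(sk[i], 0, d, pub_seed, i) for i, d in enumerate(digits)]

def verify(msg, sig, pk, pub_seed):
    """Finish each chain from the signature element and compare with the public key."""
    if len(sig) != LEN:
        return False
    digits = base_w(hashlib.sha256(msg).digest())
    return all(chain_fn(sig[i], d, W - 1 - d, pub_seed, i) == pk[i]
               for i, d in enumerate(digits))

if __name__ == "__main__":
    # Constructed seeds; a real signer derives them from a CSPRNG and never reuses the key.
    sk_seed, pub_seed = b"\x11" * 32, b"\x22" * 32
    sk, pk = keygen(sk_seed, pub_seed)
    sig = sign(b"constructed message", sk, pub_seed)
    print(verify(b"constructed message", sig, pk, pub_seed),
          verify(b"constructed message.", sig, pk, pub_seed))
```

Every operation above is a hash evaluation, which is the whole point: no number-theoretic or lattice assumption enters. The price is visible in the table: 67 chains of 32 bytes give a 2,144-byte one-time signature before any hypertree or FORS layers, and the key must never sign a second message, which is why SLH-DSA organizes many such keys in a hypertree.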

Performance: Cycles on Haswell (AVX2)

Operation         ML-KEM-768   ML-DSA-65
KeyGen            ~29,000      ~98,000
Encaps / Sign     ~37,000      ~260,000*
Decaps / Verify   ~45,000      ~105,000

*Signing variance due to rejection. Compare: X25519 ~60k, Ed25519 sign ~80k, verify ~200k cycles.

TLS 1.3 Handshake Overhead (Cloudflare prod data)

X25519+ML-KEM-768 hybrid: +1,608 bytes ClientHello

Cold connection latency: +15.5ms (amortized)

Resumed sessions: negligible impact

Quantum Computing Trajectory

Threshold for RSA-2048:   ~4,099 logical qubits
Threshold for ECC P-256:  ~2,330 logical qubits

Vendor roadmaps:
    2025: IBM Kookaburra, 1,386 physical qubits
    2028: IonQ, 1,600 error-corrected logical qubits
    2029: IBM, 200 logical qubits (fault-tolerant)
    2033: IBM, 100,000 physical qubits target

Physical-to-logical ratio depends on the error-correction code. Current estimates: 1,000-10,000 physical qubits per logical qubit for cryptographic workloads.

Implementation Attack Surface

Timing Side-Channels

Sources: NTT butterfly operations, coefficient reduction, rejection-sampling loops. Barrett reduction is preferred over Montgomery for constant-time code.

Power Analysis

Polynomial multiplication leaks Hamming weight. Masking countermeasures add 2-5x overhead.

Fault Injection

Skipping the rejection-sampling check → signature forgery. Countermeasures: randomize iteration counts, verify signatures before output.

Constant-time conditional subtraction (32-bit signed a, arithmetic right shift):

    mask = (a - q) >> 31;                 /* all ones if a < q, zero if a >= q */
    a = (a & mask) | ((a - q) & ~mask);   /* yields a or a - q with no branch */
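The snippet above is the kind of expression that is easy to get subtly wrong, so the added example below (written for this page, not taken from any library) pairs it with a textbook Barrett reduction for q = 3329 and checks both exhaustively against the obvious branching form. Python is used only to verify the arithmetic; it gives no timing guarantee itself. The Barrett constant is floor(2^26 / q) = 20158, the textbook choice; the ML-KEM reference code uses a rounded constant and signed inputs, which this example does not reproduce.

```python
# Added example (not from the page or any library): the branch-free conditional
# subtraction above plus a textbook Barrett reduction for q = 3329, checked
# exhaustively. Python itself is not constant time; the property verified here
# is that the mask logic is correct for every input, which should be settled
# before porting the expressions to C, where they run without a branch given an
# arithmetic right shift on a signed 32-bit int.
Q = 3329
BARRETT_K = 26
BARRETT_M = (1 << BARRETT_K) // Q   # floor(2^26 / q) = 20158

def csubq(a):
    """Return a - q if a >= q, else a, with no data-dependent branch.
    Python's >> on a negative int is arithmetic, as on a C int32, so mask is
    -1 (all ones) exactly when a - q is negative."""
    mask = (a - Q) >> 31
    return (a & mask) | ((a - Q) & ~mask)

def csubq_branching(a):
    """The obvious version, used only as the oracle for the check below."""
    return a - Q if a >= Q else a

def barrett_reduce(a):
    """Reduce 0 <= a < 2^16 into [0, q) with a multiply and a shift instead of a
    division. With m = floor(2^k / q) and a < 2^k, the estimate t is floor(a/q)
    or floor(a/q) - 1, so a - t*q lies in [0, 2q) and one csubq finishes it."""
    t = (a * BARRETT_M) >> BARRETT_K
    return csubq(a - t * Q)

def check_exhaustively():
    """True iff both routines agree with the branching reference on every input in range."""
    for a in range(0, 2 * Q):
        if csubq(a) != csubq_branching(a):
            return False
    for a in range(0, 1 << 16):
        if barrett_reduce(a) != a % Q:
            return False
    return True

if __name__ == "__main__":
    print("exhaustive check:", "ok" if check_exhaustively() else "MISMATCH")
```

An exhaustive check like this settles the algebra (all 2q inputs for the subtraction, all 2^16 for the reduction), but it says nothing about the compiled code: the generated assembly still has to be inspected for branches and the timing confirmed on the target, for example with a statistical tool such as dudect.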

Library Implementation Status

Library            KEM   DSA   Notes
OpenSSL 3.5+                   ML-KEM native
BoringSSL                      Chrome production
LibOQS 0.10+                   Reference + optimized
AWS-LC                         FIPS validated (pending)
pqcrypto (Rust)                liboqs bindings

● Production-ready ○ Experimental/planned

Hybrid Key Exchange (TLS 1.3)

struct HybridKeyShare {
    opaque x25519_share[32];
    opaque mlkem768_ct[1088];
}

shared_secret = HKDF(
    x25519_ss || mlkem_ss,
    salt = "hybrid-kex",
    info = "tls13"
)

Concatenate-then-KDF: the derived secret stays secure as long as either primitive holds. Chrome negotiates this group as x25519_mlkem768 (0x11EC).
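The following added example (written for this page; it is not Chrome's, BoringSSL's or any library's code) carries out the concatenate-then-KDF step above with HKDF-SHA256 per RFC 5869 written out, so the extract/expand structure and the role of the two inputs are visible. The salt and info strings are the illustrative ones from the sketch, and the two 32-byte secrets are constructed placeholders. Note that the IETF draft Chrome actually implements (draft-ietf-tls-ecdhe-mlkem) orders the ML-KEM share before the X25519 share and feeds the concatenated secret into the normal TLS 1.3 key schedule rather than a separate HKDF call; the sketch above is a simplified model of that.

```python
# Added example (not from the page or any library): concatenate-then-KDF with
# HKDF-SHA256 (RFC 5869) written out. Salt/info labels are the page's
# illustrative ones, not those of a real protocol.
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output length

def hkdf_extract(salt, ikm):
    """PRK = HMAC(salt, IKM); an empty salt becomes HASH_LEN zero bytes as the RFC requires."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()

def hkdf_expand(prk, info, length):
    """OKM = T(1) || T(2) || ..., with T(i) = HMAC(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand output length too large")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def hybrid_shared_secret(x25519_ss, mlkem_ss, salt=b"hybrid-kex", info=b"tls13", length=32):
    """Derive one key from both shared secrets. Both inputs have a fixed length
    (32 bytes each), so plain concatenation is unambiguous; variable-length
    inputs would need length prefixes before being concatenated."""
    if len(x25519_ss) != 32 or len(mlkem_ss) != 32:
        raise ValueError("X25519 and ML-KEM-768 shared secrets are each 32 bytes")
    return hkdf_expand(hkdf_extract(salt, x25519_ss + mlkem_ss), info, length)

if __name__ == "__main__":
    # Constructed placeholder secrets; in a handshake they come from the X25519 DH
    # computation and the ML-KEM decapsulation respectively.
    x_ss, m_ss = b"\xaa" * 32, b"\xbb" * 32
    k = hybrid_shared_secret(x_ss, m_ss)
    print(k.hex())
    # The derived key depends on both inputs: altering either one changes it.
    print(hybrid_shared_secret(x_ss, b"\xcc" * 32) != k)
```

The length check is the practitioner's detail worth keeping: the "secure if either primitive holds" argument assumes the combiner binds both secrets unambiguously, and plain concatenation does that only because X25519 and ML-KEM-768 both produce exactly 32 bytes.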

Sources: NIST FIPS 203/204/205, CRYSTALS specifications, Cloudflare engineering blog, IBM/IonQ roadmaps Dec 2024 | Lime Security