NIST Standards Finalized August 2024

Post-Quantum Cryptography Migration

The advent of cryptographically relevant quantum computers (CRQCs) renders the mathematical assumptions underlying RSA, ECDSA, and ECDH computationally tractable. Shor's algorithm factors integers and computes discrete logarithms in polynomial time; Grover's algorithm halves the effective bit-security of symmetric keys. The transition to lattice-based and hash-based cryptography is not speculative—it is underway.

Topics: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA), NSA CNSA 2.0, Hybrid TLS, Cryptographic Agility
Harvest Now, Decrypt Later: The Threat is Present

Nation-state adversaries are harvesting encrypted traffic today for future decryption once quantum capabilities mature. Data with long-term confidentiality requirements—state secrets, medical records, financial transactions, intellectual property—faces retrospective compromise.

Mosca's theorem quantifies the urgency: if x = time data must remain confidential, y = time to deploy PQC, and z = time until CRQC exists, then migration must begin when x + y > z. For most organizations, this inequality is already satisfied.

The Lattice Assumption: Mathematical Foundations

NIST's post-quantum standards derive security from the hardness of lattice problems—specifically, the Module Learning With Errors (M-LWE) problem for ML-KEM and ML-DSA. Unlike RSA's reliance on integer factorization or ECDSA's dependence on the discrete logarithm problem, lattice problems are not known to admit efficient quantum algorithms.

The M-LWE problem can be stated informally: given a matrix A with entries sampled uniformly at random and a vector b = As + e, where s is a secret vector and e is a "small" error vector, distinguish the pair (A, b) from a uniformly random pair. The "module" variant takes the entries of A, s and e from the polynomial ring R_q = Z_q[X]/(X^n + 1), enabling more compact representations than plain LWE.
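The following is an added toy implementation of that definition, written for this page and not taken from NIST or any library: key generation publishes an M-LWE sample t = As + e, encryption produces two fresh samples, and decryption works because the accumulated error stays far below q/4, so each message bit survives rounding. n = 256, q = 3329 and eta = 2 follow ML-KEM-768; k = 2, the schoolbook multiplication, the absence of compression and of the Fujisaki-Okamoto transform, and the hash-of-message KEM wrapper are all simplifying assumptions, so this is a teaching model of the assumption, not ML-KEM.

```python
import hashlib
import secrets
from functools import reduce

# Toy Module-LWE encryption and KEM (added example; not NIST's or any library's
# code). n, q and the noise parameter eta = 2 follow ML-KEM-768; k = 2 is an
# assumption that keeps the schoolbook arithmetic fast (ML-KEM-768 uses k = 3).
# The NTT, ciphertext compression and the Fujisaki-Okamoto transform that make
# ML-KEM compact and CCA-secure are deliberately left out.
N, Q, K, ETA = 256, 3329, 2, 2
HALF_Q = (Q + 1) // 2          # round(q/2), the encoding of a 1 bit


def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def poly_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]


def poly_mul(a, b):
    """Schoolbook product in R_q = Z_q[X]/(X^n + 1); put the sparser poly first."""
    acc = [0] * (2 * N)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                acc[i + j] += ai * bj
    # X^n = -1 in R_q, so the upper half folds back with a sign flip
    return [(acc[i] - acc[i + N]) % Q for i in range(N)]


def uniform_poly():
    return [secrets.randbelow(Q) for _ in range(N)]


def small_poly():
    """Centered binomial noise: each coefficient lies in [-ETA, ETA] (mod q)."""
    def ones():
        return bin(secrets.randbits(ETA)).count("1")
    return [(ones() - ones()) % Q for _ in range(N)]


def inner(small_vec, vec):
    """Dot product of two length-K vectors of polynomials (small vector first)."""
    return reduce(poly_add, (poly_mul(a, b) for a, b in zip(small_vec, vec)))


def keygen():
    """Public key (A, t = As + e); under M-LWE, t is indistinguishable from uniform."""
    A = [[uniform_poly() for _ in range(K)] for _ in range(K)]
    s = [small_poly() for _ in range(K)]
    e = [small_poly() for _ in range(K)]
    t = [poly_add(inner(s, A[i]), e[i]) for i in range(K)]
    return (A, t), s


def encode(m):
    """32-byte message -> polynomial with coefficient round(q/2) wherever the bit is 1."""
    return [HALF_Q * ((m[i >> 3] >> (i & 7)) & 1) for i in range(N)]


def decode(w):
    """A coefficient closer to q/2 than to 0 (mod q) decodes as a 1 bit."""
    out = bytearray(32)
    for i, c in enumerate(w):
        if Q // 4 < c <= 3 * Q // 4:
            out[i >> 3] |= 1 << (i & 7)
    return bytes(out)


def encrypt(pk, m):
    A, t = pk
    r = [small_poly() for _ in range(K)]
    e1 = [small_poly() for _ in range(K)]
    e2 = small_poly()
    # u = A^T r + e1 and v = t.r + e2 + encode(m): two fresh M-LWE samples
    u = [poly_add(inner(r, [A[j][i] for j in range(K)]), e1[i]) for i in range(K)]
    v = poly_add(poly_add(inner(r, t), e2), encode(m))
    return u, v


def decrypt(sk, ct):
    u, v = ct
    # v - s.u = e.r + e2 - s.e1 + encode(m); the leftover noise stays far below q/4
    return decode(poly_sub(v, inner(sk, u)))


def encaps(pk):
    """CPA-style KEM: the shared secret is a hash of a random 32-byte message."""
    m = secrets.token_bytes(32)
    return encrypt(pk, m), hashlib.sha3_256(m).digest()


def decaps(sk, ct):
    return hashlib.sha3_256(decrypt(sk, ct)).digest()


def demo():
    """Full key exchange; returns True when both sides derive the same secret."""
    pk, sk = keygen()
    ct, ss_sender = encaps(pk)
    return ss_sender == decaps(sk, ct)


if __name__ == "__main__":
    print("shared secrets match:", demo())
```

The decryption comment is the whole point of the "small error" requirement: every term left after subtracting s.u is a sum of products of eta-bounded coefficients, so its magnitude is a few dozen out of q = 3329, while the message sits at round(q/2). Grow the noise or shrink q and decode() starts flipping bits; that trade-off between security (more noise) and correctness (less noise) is exactly what the ML-KEM parameter sets fix.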

NIST PQC Standards: Algorithm Comparison
Standard | Algorithm | Basis | Public key | Ciphertext / signature | Use case
FIPS 203 (Aug 2024) | ML-KEM (CRYSTALS-Kyber) | Module-LWE | 800 B (ML-KEM-512), 1,184 B (ML-KEM-768), 1,568 B (ML-KEM-1024) | 768–1,568 B | Key exchange: TLS, SSH, VPN
FIPS 204 (Aug 2024) | ML-DSA (CRYSTALS-Dilithium) | Module-LWE | 1,312 B (ML-DSA-44), 1,952 B (ML-DSA-65), 2,592 B (ML-DSA-87) | 2,420–4,595 B | Digital signatures: certificates, code signing
FIPS 205 (Aug 2024) | SLH-DSA (SPHINCS+) | Hash-based | 32–64 B | 7,856–49,856 B (large signatures) | Firmware signing, root certificates
FIPS TBD (selected Mar 2025) | HQC | Code-based | ~2,249 B | ~4,481 B | Backup KEM

NSA CNSA 2.0: The Federal Mandate

The NSA's Commercial National Security Algorithm Suite 2.0 (updated May 2024) establishes mandatory timelines for post-quantum migration across National Security Systems. Unlike advisory guidance, CNSA 2.0 represents binding requirements for defense contractors and federal agencies handling classified information.

CNSA 2.0 Migration Timeline

  • 2025: Software & firmware signing. Begin preferring CNSA 2.0 algorithms (ML-DSA-87 or SLH-DSA) for software and firmware signing. Dual-signing with legacy algorithms permitted.
  • 2025–2027: Web browsers & cloud services. Hybrid key exchange (X25519 + ML-KEM-768) deployment. Chrome, Firefox, Edge already shipping hybrid TLS.
  • 2030: Exclusive CNSA 2.0 for signing. Software, firmware, and code signing must use only CNSA 2.0 algorithms. RSA and ECDSA deprecated for new signatures.
  • 2033: Exclusive CNSA 2.0 for browsers/cloud. Web services and cloud platforms must support only post-quantum key exchange. Legacy TLS cipher suites prohibited.
  • 2035: Complete NSS migration. All National Security Systems must operate exclusively with CNSA 2.0 algorithms. Classical asymmetric cryptography fully deprecated.

Foundational Research

  • Peter Shor, "Algorithms for Quantum Computation: Discrete Logarithms and Factoring", STOC 1994, Bell Labs. DOI: 10.1109/SFCS.1994.365700
  • Bos, Ducas, Kiltz, et al., "CRYSTALS-Kyber: A CCA-Secure Module-Lattice-Based KEM", EUROCRYPT 2016. NIST PQC Round 3 winner.
  • Ducas, Kiltz, Lepoint, et al., "CRYSTALS-Dilithium: Digital Signatures from Module Lattices", CCS 2018. NIST PQC Round 3 winner.
  • Stebila, Fluhrer, Gueron, "Hybrid Key Exchange in TLS 1.3", IETF draft draft-ietf-tls-hybrid-design-16.

Hybrid Cryptography: Defense in Depth

Hybrid schemes combine classical and post-quantum algorithms such that the resulting construction is secure if either component remains unbroken. This provides insurance against both quantum attacks (breaking classical) and potential cryptanalytic advances against lattice assumptions (breaking PQC).

The IETF draft draft-ietf-tls-hybrid-design defines hybrid key exchange for TLS 1.3, where the final shared secret derives from concatenation: SS = KDF(SS_classical || SS_pqc). Chrome ships X25519Kyber768Draft00 enabled by default; Firefox supports mlkem768x25519 with manual enablement.
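The added example below, written for this page rather than taken from the IETF draft or any TLS stack, shows the two mechanical pieces of that construction: a key_share payload is the fixed-length concatenation of the classical and post-quantum shares (so a peer's share of the wrong length is rejected before any arithmetic), and the final secret is one KDF call over SS_classical || SS_pqc, so an attacker holding only one half lacks the KDF input. Assumptions: HKDF-SHA256 with a fixed label stands in for the TLS 1.3 key schedule, the 32-byte X25519 share and 1,088-byte ML-KEM-768 ciphertext sizes are supplied here (the 1,184-byte encapsulation key is from the table above), and the group names are illustrative labels.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class HybridGroup:
    """Wire layout of one hybrid TLS 1.3 group: fixed-length shares, classical part first."""
    name: str
    classical_share_len: int   # bytes of the classical share on the wire
    pqc_share_len: int         # bytes of the PQ share (public key or ciphertext)
    classical_ss_len: int = 32
    pqc_ss_len: int = 32


# X25519 public key: 32 B. ML-KEM-768 encapsulation key: 1,184 B (page table);
# ML-KEM-768 ciphertext: 1,088 B. The client sends the encapsulation key and the
# server answers with the ciphertext, so the two directions differ in size.
# Group names are illustrative labels (assumption), not registered codepoints.
X25519_MLKEM768_CLIENT = HybridGroup("x25519_mlkem768/client", 32, 1184)
X25519_MLKEM768_SERVER = HybridGroup("x25519_mlkem768/server", 32, 1088)


def encode_key_share(group, classical_share, pqc_share):
    """Build the key_share payload as the plain concatenation of both shares."""
    if len(classical_share) != group.classical_share_len:
        raise ValueError(f"{group.name}: bad classical share length {len(classical_share)}")
    if len(pqc_share) != group.pqc_share_len:
        raise ValueError(f"{group.name}: bad PQ share length {len(pqc_share)}")
    return classical_share + pqc_share


def split_key_share(group, payload):
    """Reverse of encode_key_share; a share of the wrong total length is rejected outright."""
    expected = group.classical_share_len + group.pqc_share_len
    if len(payload) != expected:
        raise ValueError(f"{group.name}: expected {expected} bytes, got {len(payload)}")
    return payload[:group.classical_share_len], payload[group.classical_share_len:]


def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_shared_secret(group, ss_classical, ss_pqc, length=32):
    """SS = KDF(SS_classical || SS_pqc), the combiner described by the hybrid-design draft.

    Both secrets enter a single KDF call, so recovering only one of them (a CRQC
    against X25519, or a lattice break of ML-KEM) leaves the other half unknown.
    """
    if len(ss_classical) != group.classical_ss_len or len(ss_pqc) != group.pqc_ss_len:
        raise ValueError(f"{group.name}: shared-secret length mismatch")
    # Assumption: HKDF-SHA256 with a fixed label stands in for the TLS 1.3 key
    # schedule, which takes the concatenation as its (EC)DHE input.
    prk = hkdf_extract(b"\x00" * 32, ss_classical + ss_pqc)
    return hkdf_expand(prk, b"hybrid-tls-demo", length)


if __name__ == "__main__":
    # Constructed placeholder shares and secrets; a real handshake gets them from X25519 and ML-KEM.
    share = encode_key_share(X25519_MLKEM768_CLIENT, b"\x01" * 32, b"\x02" * 1184)
    print("client key_share bytes:", len(share))
    print("SS:", hybrid_shared_secret(X25519_MLKEM768_CLIENT, b"\x11" * 32, b"\x22" * 32).hex())
```

One caveat when wiring this to a real stack: the concatenation order is fixed by each group's definition, not by a universal rule. The draft00 Kyber group above places the X25519 part first, whereas the later X25519MLKEM768 codepoint places the ML-KEM part first in both the key share and the shared secret, so a combiner must read the order from the negotiated group rather than assume classical-first.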

OpenSSL 3.x with OQS Provider — Hybrid TLS Configuration
# Enable hybrid key exchange with ML-KEM + X25519
openssl s_server \
    -cert server.crt \
    -key server.key \
    -groups x25519_mlkem768:x25519:secp384r1 \
    -provider oqsprovider \
    -provider default \
    -accept 4433

# Verify hybrid negotiation
openssl s_client \
    -connect localhost:4433 \
    -groups x25519_mlkem768 \
    -provider oqsprovider \
    -provider default

Migration Complexity: The Hidden Iceberg

Enterprise PQC migration extends far beyond algorithm substitution. NIST IR 8547 (November 2024) projects the US federal government migration cost at $7.1 billion. Key challenges include:

  • Protocol dependencies: DNSSEC migration lags, creating bottlenecks for signed infrastructure
  • IoT constraints: Devices with 10-20 year lifecycles and limited memory (ML-KEM-768 requires ~15KB working memory)
  • HSM upgrades: Many deployed HSMs lack PQC algorithm support; hardware refresh required
  • Certificate chain expansion: ML-DSA signatures are 10-15x larger than ECDSA, impacting TLS handshake size
  • Testing infrastructure: Formal verification tools require extension for lattice-based primitives
  • $7.1B: estimated federal migration cost
  • 12–15 years: migration time for a large enterprise
  • 15KB: ML-KEM-768 working-memory requirement
  • 2028–33: estimated CRQC timeline

Post-Quantum Migration Services

Cryptographic Inventory
Discovery of cryptographic assets: certificates, keys, algorithms, protocols. Identification of quantum-vulnerable components and data classification by sensitivity.
Agility Framework Design
Architecture patterns enabling algorithm substitution without application changes. Abstraction layers, configuration-driven crypto, and runtime algorithm negotiation.
Hybrid Deployment
TLS 1.3 hybrid key exchange (X25519 + ML-KEM). Dual-signature certificate chains. Backward-compatible migration preserving interoperability with legacy systems.
CNSA 2.0 Compliance
Gap analysis against NSA CNSA 2.0 requirements. Migration roadmap aligned with 2025/2030/2033/2035 milestones. Documentation for DFARS/CMMC compliance.
Library Integration
Open Quantum Safe (liboqs) integration with OpenSSL 3.x. BoringSSL and NSS configuration. Language bindings for Java, Python, Go, Rust applications.
Performance Testing
Latency impact assessment for PQC algorithms. TLS handshake benchmarking. Memory and CPU profiling for constrained environments.

Begin Post-Quantum Assessment

Our cryptographic engineers conduct inventory analysis, identify quantum-vulnerable assets, and design migration roadmaps aligned with NIST and CNSA 2.0 timelines.

Start a Conversation

Tell us about your security requirements. We respond within 24 hours.
