The NIST post-quantum standards, explained for engineering teams

3 min read · Post-quantum
TL;DR

NIST has finalized its first post-quantum standards: ML-KEM for key encapsulation, ML-DSA for digital signatures, and SLH-DSA as a conservative hash-based signature alternative. Key exchange should move first, hybrid modes are the sensible default, and the practical blocker for most teams is knowing where their current cryptography actually is.

NIST has published its first finalized post-quantum cryptography standards, ending a selection process that ran for nearly a decade. If your team has been waiting for the standards to settle before acting, this is the milestone you were waiting for. Here is what actually shipped, without the number theory.

The three standards

ML-KEM (FIPS 203) is a key encapsulation mechanism: the replacement for the RSA and elliptic-curve key exchange that protects data in transit. Based on structured lattices, it is fast, its keys and ciphertexts are larger than elliptic-curve equivalents but entirely practical, and it is the workhorse of the transition. When people say “post-quantum TLS,” they mostly mean ML-KEM in the handshake.

ML-DSA (FIPS 204) is a digital signature scheme, also lattice-based: the general-purpose replacement for RSA and ECDSA signatures in certificates, tokens, and software signing. Signatures are larger than what you are used to, which matters for constrained protocols but is manageable in most application contexts.

SLH-DSA (FIPS 205) is a stateless hash-based signature scheme. It is slower and produces large signatures, but its security rests only on hash functions, the most conservative assumption available. It is the choice for cases where long-term confidence outweighs performance, such as firmware signing roots.

What is not threatened

Keep perspective: symmetric cryptography largely survives the quantum transition. AES-256 remains secure, as do modern hash functions. The break lands specifically on today’s public-key algorithms: RSA, elliptic-curve schemes, and finite-field Diffie-Hellman. That scoping is good news, because it bounds the migration to key establishment, signatures, and the certificate estate.

Hybrid is the sensible default

For key exchange, the emerging practice is hybrid: combine a classical scheme and ML-KEM so that breaking the session requires breaking both. This hedges in two directions at once: against the future quantum computer, and against the smaller-but-real possibility of a weakness being found in the young lattice schemes. Mainstream TLS libraries and browsers already support hybrid key exchange, which means for internet-facing traffic, adoption is increasingly a configuration decision rather than a development project.

What engineering teams should actually do

  1. Upgrade the easy layer. Where you terminate TLS with modern libraries, enabling hybrid post-quantum key exchange may already be available. Take it.
  2. Find the hard layer. The real work hides in application-level cryptography: hard-coded RSA in services, elliptic-curve signing in tokens, crypto choices inside vendor binaries. This requires a real cryptographic inventory, not a code search.
  3. Sequence by exposure. Key exchange protecting long-lived data first, signatures second, trust roots early because rotation is slow.
  4. Buy crypto-agility with every change. Replace hard-coded algorithm choices with configuration as you touch each system. The teams that did this after the last deprecation cycle are having a much easier decade.
  5. Track a number. Percentage of cryptographic assets that are quantum-safe, per service, per quarter. Programs that report a number keep moving; programs that report intentions do not.

The compliance undertow

Even if the threat timeline leaves you unmoved, the compliance one should not: government timelines like CNSA 2.0 phase in quantum-resistant requirements on a published multi-year schedule, and regulated sectors historically inherit such requirements within a few years. When the question arrives from a regulator or an enterprise customer, “what fraction of your cryptography is quantum-safe” will need a number for an answer.

BOMNexa computes that number from your actual artifacts: every algorithm found, classified against these standards, with a migration report naming what to change and where. It runs entirely offline, and the readiness walkthrough shows the method end to end.

See this working in your own network
A 30-minute live session, no slides, your questions.
Request a demo