Deploy Bravely — Secure your AI transformation with Prisma AIRS
Table of contents

A Complete Guide to Post-Quantum Cryptography Standards

5 min. read
Table of contents

PQC standards are formal documents that specify which post‑quantum algorithms are approved, how they must be implemented, and what requirements guide their use in real systems.

They include algorithm definitions, deployment instructions, validation criteria, and migration guidance. PQC standards also ensure organizations adopt quantum‑resistant cryptography in a consistent, compliant way.

 

What qualifies as a PQC standard?

Bold black text at the top reads 'What a PQC standard actually means' followed by a smaller subtitle in parentheses reading 'and what it's often confused with.' The layout is split into a wide left panel and a narrower right panel. The left panel has a rounded rectangle containing a large icon of a document and the heading 'The official meaning:' in bold. Text below explains that a PQC standard is a formal document issued by a government or international body to guide post-quantum cryptography adoption. Three small gray boxes underneath display icons and short labels: 'Establish approved algorithms,' 'Define deployment methods,' and 'Provide testing or compliance rules.' At the bottom left, three pill-shaped labels list examples: 'FIPS 203 (ML-KEM),' 'SP 800-208 (LMS/XMSS),' and 'RFC 9794 (hybrid KEM terminology).' On the right side, an orange sidebar titled 'Common misuses & conflations' contains two boxed sections. The first box, labeled 'Misuse #1,' is titled 'Confusing algorithm specs with implementation standards' with text noting that ML-KEM is an algorithm and FIPS 203 is the standard. The second box, labeled 'Misuse #2,' is titled 'Treating informal guidance as finalized mandates' with text explaining that drafts like SP 800-227 or ETSI specs may guide adoption but are not enforceable.

Not all post-quantum cryptography (PQC) guidance is created equal.

Some documents define algorithms. Others explain how to use them. Others still provide migration timelines or validation requirements.

So when we talk about standards, what are we really referring to?

In post-quantum cryptography, standards are formal documents issued by government or international bodies.

They serve one or more purposes:

  • Establish approved algorithms
  • Define how to deploy those algorithms in real systems
  • Provide testing rules, compliance frameworks, or policy mandates for national security systems

They all count as standards because they formally shape how organizations adopt and implement PQC.

 

What is post-quantum cryptography (PQC)?

Post-quantum cryptography is about preparing for what happens when quantum computers can break today's encryption. Not just in theory—but in practice.

PQC refers to cryptographic systems that are designed to resist attacks from cryptographically relevant quantum computers. In other words, systems that can't be broken by algorithms like Shor's once quantum hardware scales.

Infographic titled 'Post-quantum cryptography explained'. The diagram is divided into five horizontal sections labeled Part 1 through Part 4, with a concluding takeaway bar. Part 1, labeled 'The problem', contains two red boxes: one labeled 'RSA & ECC today' with text 'Secure against classical computers by using factoring and discrete logarithms', and the other labeled 'Quantum threat' with text 'Shor's algorithm on a quantum computer could break RSA and ECC'. Part 2, labeled 'The solution', shows a blue box reading 'Post-quantum cryptography (PQC)' with text 'New encryption methods based on math problems that remain hard for both classical and quantum computers'. Part 3, labeled 'Algorithm families', presents three purple boxes. The first, 'Lattice-based', reads 'Foundation of ML-KEM & ML-DSA; uses high-dimensional algebraic structures'. The second, 'Hash-based', reads 'Relies on secure one-way hash functions; basis of SPHINCS+'. The third, 'Multivariate', reads 'Uses polynomial equations; still in research stages'. Part 4, labeled 'NIST standards', includes three gray circular icons with accompanying text: 'ML-KEM (FIPS 203) Standard for key establishment', 'ML-DSA (FIPS 204) Standard for digital signatures', and 'SLH-DSA (FIPS 205) Stateless hash-based digital signature scheme'. A dark gray bar at the bottom labeled 'Takeaway' contains the statement 'PQC is the standards-led path forward — practical and deployable today'.

That definition spans three layers:

  1. Algorithms
  2. Standards that formally approve them
  3. Frameworks that guide implementation and compliance

The goal of PQC is simple. Replace vulnerable algorithms before attackers can decrypt what's encrypted today. That's why migration has already started.

Note:
PQC is not the same as quantum key distribution (QKD). QKD uses physics to detect eavesdroppers in key exchange. PQC does not. It relies entirely on mathematically hard problems that remain difficult even for quantum systems.
| Further reading:

 

What PQC standards exist today?

Post-quantum cryptography doesn't rely on just one standard. It's a full ecosystem.

Again, different documents serve different roles. Some define algorithms, others enable migration, and others shape protocol integration or validation pathways.

Knowing what exists, and what stage each standard is in, helps determine readiness and plan compliant adoption.

Here's how today's key PQC standards break down:

Post-quantum cryptography (PQC) standards at a glance
Standard name Governing body Focus Status Use case focus
FIPS 203 NIST Key encapsulation (ML-KEM) Final General-purpose key exchange
FIPS 204 NIST Digital signatures (ML-DSA) Final General-purpose authentication
FIPS 205 NIST Stateless hash-based signatures (SLH-DSA) Final Fallback digital signature use
FIPS 206 NIST FN-DSA (Falcon) Initial public draft in development Compact lattice-based signatures (good for constrained environments)
SP 800-208 NIST Stateful hash-based signatures (LMS, XMSS) Final Firmware and software signing
SP 1800-38 NIST (NCCoE) Migration to PQC Preliminary draft / ongoing NCCoE project Practical migration guidelines
SP 800-56C Rev. 2 NIST Key derivation for key-establishment schemes (can combine multiple shared secrets) Final General key derivation for classical and hybrid key exchange
SP 800-227 NIST Recommendations for key-encapsulation mechanisms (including ML-KEM and future KEMs) Final KEM selection, parameter sets, and transition considerations
ISO/IEC 23837-1:2023 ISO/IEC Security requirements and evaluation methods for QKD modules Final Assurance for QKD deployments within a broader quantum-safe architecture
ETSI TS 103 744 ETSI Hybrid key exchange constructions Final European guidance on migration strategies
RFC 9794 IETF Terminology for post-quantum/traditional schemes Informational (final) Shared language for hybrid schemes
Note:
Even if a standard is marked “final,” real-world implementation often depends on supporting guidance or protocol updates. That's why understanding the entire standardization landscape—not just the algorithms—is essential.

 

How do global standards and policies differ on PQC?

Not every country is adopting the same PQC roadmap.

Some focus on speed. Others prioritize flexibility, resilience, or local cryptographic independence.

That's why alignment is limited. And implementation looks different depending on where you operate.

Understanding those differences matters. Especially for organizations operating across regions or trying to deploy standards-compliant cryptography at scale.

Here's how the major standards bodies currently approach PQC:

Global summary of PQC algorithms and policy guidance
Country/Agency Recommended/Accepted KEMs Recommended/Accepted signatures Hybrid policy Special notes
U.S. (NIST, CNSA 2.0) ML-KEM-1024 ML-DSA-87, LMS/XMSS Hybrid key establishment allowed during transition; long-term goal is pure CNSA 2.0 PQC for NSS. Pure PQC required by 2035 for NSS.
UK (NCSC) ML-KEM-768 ML-DSA-65, SLH-DSA, LMS/XMSS Allowed as interim only. Prefers pure PQC where feasible.
Germany (BSI) ML-KEM-768/1024, FrodoKEM, McEliece ML-DSA (3 & 5), SLH-DSA, LMS/XMSS Recommended (except HBS). Endorses multi-tree variants for long-term signatures.
France (ANSSI) ML-KEM-768/1024, FrodoKEM ML-DSA, SLH-DSA, FN-DSA, LMS/XMSS Recommended. Supports stateful and stateless hash-based signatures.
Netherlands (NLNCSA) ML-KEM-1024, FrodoKEM, McEliece ML-DSA, SLH-DSA, LMS/XMSS, HSS Recommended. Accepts wide range of hash-based and structured schemes.
Canada (CCCS) ML-KEM ML-DSA, SLH-DSA, LMS/HSS Neutral. No strong position on hybrid use.
Australia (ASD) ML-KEM-768 (until 2029), ML-KEM-1024 ML-DSA-65 (until 2029), ML-DSA-87 Not recommended. Favors pure PQC by 2030.
Korea NTRU-HRSS, SMAUGT HAETAE, AlMar Not published. National algorithm suite differs from NIST.
China National PQC candidates under development National PQC signature schemes under evaluation Not publicly specified. Continues domestic ECC (e.g., SM2) for classical crypto while developing separate PQC standards.
EU Commission ML-KEM and others based on ETSI guidance ML-DSA, SLH-DSA, LMS/XMSS Recommended. Encourages member states to adopt by 2030.

Most countries now accept ML-KEM in some form, creating a de facto baseline for interoperability.

Signature algorithm preferences differ more widely. While some authorities endorse stateless schemes like SLH‑DSA, others mandate stateful options such as LMS or XMSS, which require strict state management to avoid key reuse.

Hybrid cryptography policies also differ. Some governments allow or recommend it as a temporary bridge. Others, like the U.S., discourage it in favor of fully post-quantum systems.

Note:
Misaligned standards increase the complexity of PQC adoption. Organizations may need to support multiple algorithms, manage regional compliance differences, and tailor deployments based on where and how cryptography is used.

 

What are the standard algorithms for PQC?

Standards aren't just about guidance. They also name the specific cryptographic algorithms that meet post-quantum security requirements.

These are the building blocks. And each one is designed to resist attacks from cryptographically relevant quantum computers.

There are two core categories: key establishment and digital signatures.

Some algorithms are already standardized. Others are still in review or regionally accepted. And parameter sets matter because different use cases may call for different security levels.

Let's break them down.

| Further reading: Brief: Cryptographically Relevant Quantum Computers (CRQC)
Standardized and proposed PQC algorithms by type and use
Algorithm Type Standard Recommended use
ML-KEM Key encapsulation FIPS 203 General-purpose key exchange
FrodoKEM Key encapsulation Not standardized by NIST Regional use in EU; conservative fallback
Classic McEliece Key encapsulation Not standardized by NIST Code-based alternative with large keys
HQC (planned) Key encapsulation NIST backup KEM (standard in development) Future fallback option
ML-DSA Signature FIPS 204 General-purpose digital signatures
SLH-DSA Signature FIPS 205 Stateless fallback signature scheme
LMS/XMSS Signature SP 800-208 Firmware signing; long-lived trust anchors
FN-DSA Signature Under evaluation Potential future addition

 

What is the role of hybrid cryptography in current standards?

Most organizations won't flip a switch and go fully post-quantum overnight.

That's where hybrid cryptography comes in.

Hybrid cryptography combines classical and post-quantum algorithms.

The goal is resilience: even if one algorithm is later broken, the other still provides security. That makes hybrids a useful transitional tool during migration.

Chart titled 'Why organizations are turning to hybrid cryptography' divided into four colored quadrants surrounding a central circular icon with an abstract network symbol. The top left orange box is labeled 'Redundancy & resilience' with the text 'Remains secure if one algorithm fails or is broken.' The top right blue box reads 'Migration readiness' with the text 'Enables a gradual shift toward post-quantum cryptography.' The bottom left light blue box is labeled 'Interoperability' with the text 'Bridges classical and post-quantum systems without disruption.' The bottom right teal box reads 'Protection from harvest now, decrypt later' with the text 'Keeps sensitive data secure against future quantum decryption.'

But regional policies vary:

  • NIST permits hybrid key exchange using schemes like ML-KEM + X25519, but it doesn't yet support hybrid signatures.
  • Meanwhile, other authorities—especially in Europe—recommend hybrid adoption as a practical interim step. Some even encourage hybrid TLS deployments now.

Here's how different regions approach hybrid cryptography:

Regional positions on hybrid cryptography
Region Policy stance
U.S. (CNSA 2.0) Allowed for key exchange only; discouraged for signatures
UK (NCSC) Permitted as interim for both KEM and signatures
EU (ETSI, EU Commission) Recommended during migration
Germany (BSI) Endorsed with caution
France (ANSSI) Supports both hybrid KEM and signatures
Canada (CCCS) Neutral stance
Australia (ASD) Discourages hybrid long-term use

Hybrid crypto is a bridge. Not a destination. The goal remains full PQC adoption. But in the meantime, it helps reduce risk, preserve interoperability, and give implementers time to transition.

| Further reading: What Is Hybrid Cryptography? | The Bridge to Post-Quantum Security

 

What is the timeline for PQC adoption?

Chart titled 'Global quantum readiness timelines'. A horizontal infographic compares post-quantum cryptography migration milestones for the USA, UK, and EU, each shown with a colored country silhouette and vertical timeline. Under a bold heading, text reads 'Governments worldwide are converging on quantum migration milestones targeting full PQC implementation by the mid-2030s' with a subheading explaining that timelines differ in pace but are coordinated through aligned standards and mandates. On the left, a dark-blue map of the United States labeled 'USA (NSM-10 / NIST / CISA)' lists milestones: 2024, NIST finalizes FIPS 203 (ML-KEM), 204 (ML-DSA), and 205 (SLH-DSA); 2025–2027, agencies inventory cryptographic systems and submit migration roadmaps; 2030, early PQC deployment in federal systems; and 2035, full migration across federal infrastructure. Centered, a light-blue outline of the United Kingdom labeled 'UK (UK NCSC)' shows milestones: 2028, complete cryptographic discovery and migration planning; 2031, begin early migrations across government and key sectors; and 2035, full transition across systems and supply chains. On the right, a navy-blue map of Europe labeled 'EU (ENISA / ETSI)' lists milestones: 2025–2027, Member States adopt NIST-aligned algorithms; 2030, harmonization of standards across critical sectors; and 2035, EU-wide interoperability of quantum-safe encryption. Notes appear beneath each column indicating NSM-10 establishes phased U.S. milestones, the UK is aligned with U.S. targets, and ENISA emphasizes cross-border consistency and shared infrastructure security.

PQC adoption isn't theoretical anymore. It's underway.

Standards are only part of the equation. Timelines drive urgency. And while some deadlines are fixed, others are only guidelines.

Understanding who's mandating what, and when, is key to staying ahead of compliance risk.

PQC standardization and migration timeline
Milestone Year Who
First PQC algorithms selected for standardization 2022 NIST
First FIPS finalized (203–205) 2024 NIST
CNSA 2.0 migration begins 2025 NSA
Final NIST KEM recommendations (SP 800-227) 2025–2026 NIST
Hybrid TLS deployment expands 2025+ Global (IETF, vendors)
Recommended deprecation of classical PKC 2030 NIST, ASD
Classical algorithms disallowed in NSS 2035 CNSA 2.0

The U.S. has the clearest deadlines.

CNSA 2.0 sets a hard requirement: pure post-quantum algorithms must be in place by 2035 for national security systems. The initial migration is already underway for key exchange and firmware signing.

Australia follows a similar path. ASD recommends eliminating classical public-key crypto by 2030.

Europe is moving, but less rigidly. ETSI encourages hybrid adoption and full PQC integration by 2035, but doesn't enforce exact cutoff dates

Note:
Even when timelines are labeled as recommendations, major vendors—including cloud providers, security platforms, and software and hardware companies that implement cryptography—often treat them as deadlines. Which means most organizations will feel the pressure well before enforcement begins.
| Further reading: What Is Q-Day, and How Far Away Is It—Really?

 

What should organizations do now to stay compliant?

Bold black text at the top reads 'PQC readiness checklist: 5 steps to stay compliant.' A vertical line runs down the center with five green check-mark circles placed along it, each corresponding to paired text blocks on the left and right. On the right side, the top item is titled 'Inventory cryptographic assets' in dark green, with smaller text describing mapping all crypto in use across systems and devices, followed by a gray pill-shaped label reading 'Refer to: NIST SP 800-175B.' The second right-side item is titled 'Enable crypto-agility' with text advising avoidance of hardcoded algorithms and building flexibility to swap crypto components, accompanied by a gray label reading 'Refer to: SP 800-131A Rev. 3 (draft).' The third right-side item reads 'Check regional guidance' with details about varying regulations across international bodies and a gray label reading 'Refer to: Regional guidance.' On the left side, the top item is titled 'Map assets to affected protocols' with text identifying where public-key crypto is used and a gray label reading 'Refer to: SP 800-175B, SP 800-131A Rev. 2.' The middle-left item is titled 'Test hybrid deployments' with text suggesting trial use of ML-KEM or ML-DSA combinations and a gray label reading 'Refer to: SP 800-56C Rev. 2, RFC 9794.' All text is arranged in alternating left-right alignment along the central column of check-mark icons.

Standards are finalized. Timelines are published.

Which means: the pressure is on. Organizations need to act before migration bottlenecks, audit gaps, or vendor lag create risk exposure.

Here's what to prioritize now:

  1. Inventory your cryptographic assets

    You can't replace what you haven't mapped. Start by identifying all systems, protocols, and libraries that use cryptography. Especially in TLS endpoints, VPNs, email systems, and embedded firmware.

    Refer to: NIST SP 800-175B

  2. Map assets to affected protocols

    Focus on the protocols most at risk: TLS, IKE, S/MIME, and code signing. These depend on public-key cryptography, which quantum computers will break first.

    Refer to: NIST SP 800-175B, SP 800-131A Rev. 2

  3. Enable crypto-agility wherever possible

    Hardcoded algorithms will slow your migration. Design systems to support swapping cryptographic components without rewriting application logic.

    Refer to: NIST SP 800-131A Rev. 3 (draft)

  4. Start testing ML-KEM and ML-DSA in hybrid deployments

    Don't wait for production deadlines. Hybrid combinations like ML-KEM + X25519 or ML-DSA with fallback can help validate early compatibility.

    Refer to: SP 800-56C Rev. 2, RFC 9794

  5. Monitor your local authority's guidance

    Each country's path looks different. Check BSI, ANSSI, CCCS, ASD, and others for region-specific requirements that may go beyond NIST.

    Refer to: Regional guidance (BSI, ANSSI, ASD, CCCS, etc.)

Staying compliant with PQC standards isn't just about paperwork. It's about building resilience before timelines harden and options disappear.

| Further reading:

Get your quantum readiness assessment
The assessment includes:
  • Overview of your cryptographic landscape
  • Quantum-safe deployment recommendations
  • Guidance for securing legacy apps & infrastructure

Get my assessment

 

PQC standards FAQs

Post-quantum cryptography standards define approved algorithms, deployment methods, validation processes, and compliance requirements. Key standards include FIPS 203–205, SP 800‑208, SP 800‑227, ISO/IEC 23837-1, ETSI TS 103 744, and RFC 9794.
PQC readiness refers to an organization’s preparedness to adopt post-quantum cryptography. It includes asset discovery, protocol mapping, crypto-agility, hybrid testing, and alignment with applicable standards and timelines.
Official PQC standards include FIPS 203 (ML‑KEM), FIPS 204 (ML‑DSA), FIPS 205 (SLH‑DSA), and SP 800‑208 (LMS/XMSS), plus guidance like SP 800‑227 and hybrid-focused documents such as RFC 9794 and ETSI TS 103 744.
CNSA 2.0 requires pure post-quantum algorithms by 2035 for U.S. national security systems. Australia targets 2030. Other regions recommend hybrid use or offer voluntary guidance, but major vendors are moving sooner.
Standardized algorithms include ML‑KEM (FIPS 203), ML‑DSA (FIPS 204), SLH‑DSA (FIPS 205), and LMS/XMSS (SP 800‑208). FN‑DSA and HQC are under development. FrodoKEM and Classic McEliece are regionally accepted in some countries.
Yes. Hybrid standards like SP 800‑56C Rev. 2 and RFC 9794 define how to combine classical and post-quantum algorithms. Adoption varies globally, with some regions encouraging hybrids and others discouraging them.
Yes. NIST, BSI, ANSSI, ASD, and other agencies differ on algorithms, parameter sets, and hybrid use. ML‑KEM is broadly accepted, but signature and policy preferences vary, requiring region-specific compliance.
Related content
YouTube playlist: A CISO's Guide to Quantum Security
Binge a 6-video series breaking down why quantum computing is closer than you think but not as difficult.
Podcast: Threat Vector | Is the Quantum Threat Closer Than You Think?
Hear how to start your transition to quantum-resistant cryptography now.
Podcast: Packet Pushers | The Why and How of Making Your Infrastructure Quantum-Safe
Get the facts on making your organization post-quantum safe.
Interactive experience: Is Your Organization Ready for a Quantum-Safe Future?
Dive into an immersive overview on quantum threats, PQC, and NIST’s new standards.

Get the latest news, invites to events, and threat alerts