# One Event, Three Assumptions, Five Answers: A Field Guide to the Post-Quantum Toolkit

> A field guide to the five NIST post-quantum primitives -- ML-KEM, ML-DSA, SLH-DSA, FN-DSA, HQC: math intuition, exact sizes, failures, and decision rules.

*Published: 2026-07-14*
*Canonical: https://paragmali.com/blog/one-event-three-assumptions-five-answers-a-field-guide-to-th*
*© Parag Mali. All rights reserved.*

---
<TLDR>
Shor's 1994 algorithm condemned RSA, Diffie-Hellman, and elliptic curves [@shor-1994], and "harvest now, decrypt later" means the clock is already running on today's traffic. NIST's answer is not one replacement but a **toolkit**: three finalized standards -- ML-KEM for key exchange, ML-DSA and SLH-DSA for signatures, all published on 2024-08-13 [@fips-203] [@fips-204] [@fips-205] -- and two more still on the way, FN-DSA (Falcon) and HQC, both pre-final [@fips-206-perlner-2025] [@nist-ir-8545]. The five are spread deliberately across lattices, hash functions, and codes so that no single mathematical break takes everything down. There is no free lunch: every choice trades size against speed against how conservative the assumption is. And, tellingly, **nothing in the toolkit has been mathematically broken.** Every real-world failure so far has been an implementation leak -- KyberSlash's secret-dependent division [@kyberslash-site], Falcon's floating-point hazard [@fouque-gsnorm-2019] -- while the era's two famous cryptanalytic breaks, SIKE and Rainbow, hit schemes that never made the cut [@castryck-decru-sidh-2022] [@beullens-rainbow-2022].
</TLDR>

## 1. Somebody Is Already Saving Your Handshake

Right now, somewhere, a machine may be recording this very TLS session -- not to read today, but to decrypt on the afternoon a large quantum computer finally boots. That is not a thriller premise. It is the stated design assumption behind a change that is already shipping in production TLS software, where the default key exchange offered is no longer plain X25519 but a hybrid whose second half is called ML-KEM [@openssl-35-notes]. The strange part is not that the field replaced the math. It is that replacing it took **five** different algorithms, resting on **three** unrelated hard problems, to answer a **single** result published in 1994 -- and that, so far, not one of the five has actually been broken.

The single result is Shor's algorithm. In 1994 Peter Shor showed that a large, fault-tolerant quantum computer could factor integers and compute discrete logarithms in polynomial time [@shor-1994]. That one capability condemns essentially every public-key system deployed on the internet: RSA rests on factoring, Diffie-Hellman and elliptic-curve cryptography rest on discrete logarithms. (This series covered those primitives directly in [Part 14 on RSA](/blog/rsa-is-a-trapdoor-not-a-cryptosystem-oaep-pss-and-the-25-yea/), [Part 15 on elliptic curves](/blog/the-curve-was-hard-the-gap-was-soft-a-field-guide-to-using-e/), and [Part 18 on Diffie-Hellman](/blog/nobody-broke-the-discrete-log-a-field-guide-to-diffie-hellma/).) The moment a cryptographically relevant quantum computer exists, all three fall together.

<Definition term="Harvest now, decrypt later (HNDL)">
An attack strategy in which an adversary records encrypted traffic today, stores it, and decrypts it years later once a quantum computer becomes available. It means the quantum threat is not purely in the future: any secret that must stay confidential past the arrival of quantum computing is already exposed the moment it crosses the wire.
</Definition>

Harvest now, decrypt later is why this is urgent before any quantum computer exists. If your threat model includes an adversary who can afford disk space and patience, then a session key protecting a 20-year secret is already at risk today [@nist-pqc-project]. That is the reasoning behind migrating key establishment first, and it is why the hybrid X25519MLKEM768 key share now ships as a default key share in OpenSSL 3.5, and was enabled by default in OpenSSH 9.9 before becoming the default key exchange in OpenSSH 10.0 [@openssl-35-notes] [@openssh-99-notes] [@openssh-pq].

So the threat is one thing, sharp and singular. Why is the answer five things? NIST did not standardize one post-quantum cipher; it assembled a **toolkit** -- three finalized standards and two more in progress -- and spread it across three unrelated families of hard problem: structured lattices, hash functions, and error-correcting codes. The bet is that a mathematical breakthrough against one family is unlikely to touch the others. To see why the answer is a toolkit, not a single cipher: its parts are older than the threat they answer.

## 2. The Threat, and the Three Old Ideas That Outlived It

Here is the twist that makes the whole story make sense: the replacements predate the threat. The oldest members of the toolkit were invented for reasons that had nothing to do with quantum computers, and they turned out to be quantum-safe by accident.

Robert McEliece published a code-based public-key cryptosystem in 1978, hiding a secret, efficiently decodable error-correcting code (a binary Goppa code) behind a scrambled generator matrix so that an attacker faces the task of decoding a random-looking linear code [@mceliece-1978]. One year later, Ralph Merkle showed how to build digital signatures out of nothing but a hash function, chaining one-time keys under a binary hash tree whose root is the public key [@merkle-thesis-1979]; he polished the construction a decade later as "A Certified Digital Signature" [@merkle-cds-1989]. Both predate Shor by fifteen-plus years. Both are still standing.

Then, in 1994, the threat arrived. Shor's quantum algorithm solves factoring and discrete logarithm in polynomial time, condemning RSA, Diffie-Hellman, and elliptic curves the moment a large quantum computer runs it [@shor-1994]. Two years later Lov Grover found a quantum search algorithm with a quadratic speedup [@grover-1996]. Grover is the good news that bounds the damage: a mere square-root speedup means doubling a symmetric key or hash-output length restores the security margin, which is exactly why hash-based signatures are considered the most conservative branch of the toolkit.<Sidenote>Shor is catastrophic (exponential to polynomial); Grover is survivable (a square-root factor). The asymmetry is the reason symmetric ciphers and hash functions merely need bigger parameters, while public-key cryptography needed entirely new hard problems.</Sidenote>

Lattices arrived on a separate track, and again for their own reasons. In 1996 Miklos Ajtai proved a startling worst-case-to-average-case reduction: breaking a *random* instance of a certain lattice problem is as hard as breaking the *worst* case [@ajtai-1996]. That single result promoted lattices from a curiosity to a rigorous foundation. In 1998 Hoffstein, Pipher, and Silverman published NTRU, the first lattice scheme compact and fast enough to consider deploying, working over a small polynomial ring with tiny coefficients [@ntru-1998].<Sidenote>NTRU was first announced at the CRYPTO 1996 rump session but formally published at ANTS-III in 1998, so you will see both dates in the literature. Merkle's hash-tree work has the same two-date character: the 1979 thesis, then the 1989 CRYPTO paper.</Sidenote>

Oded Regev tied the knot in 2005 with Learning With Errors (LWE), a versatile assumption whose hardness reduces (quantumly) to worst-case lattice problems and whose one-sentence intuition -- add noise to linear algebra -- runs through every lattice member of the toolkit [@regev-lwe-2005].

The last pieces are the mechanisms that make these foundations into safe schemes. The Fujisaki-Okamoto transform (1999) upgrades a weak encryption scheme into a strong one by re-encrypting on decryption and checking consistency [@fo-1999]. The GPV framework (2008) showed how to build lattice hash-and-sign signatures using a trapdoor and discrete-Gaussian sampling [@gpv-2007]. Lyubashevsky's "Fiat-Shamir with aborts" (2009) offered a rival way to sign, rejecting and restarting whenever a candidate would leak the key [@lyubashevsky-fswa-2009]. Ring-LWE (2010) moved LWE into polynomial rings for compact keys and fast arithmetic [@lpr-ringlwe-2010]. And in 2015, SPHINCS made hash-based signatures *stateless*, removing the operational footgun that had kept Merkle's idea out of ordinary hands [@sphincs-2015].

<Mermaid caption="The building blocks of the post-quantum toolkit were invented across four decades, most of them before Shor's 1994 algorithm made them urgent.">
timeline
    title Post-quantum foundations predate the 1994 threat
    1978 : McEliece code-based encryption
    1979 : Merkle hash-based signatures
    1994 : Shor algorithm breaks RSA and ECC
    1996 : Grover search : Ajtai hard lattices
    1998 : NTRU ring lattices
    2005 : Regev Learning With Errors
    2008 : GPV lattice hash-and-sign
    2009 : Fiat-Shamir with aborts
    2010 : Ring-LWE efficiency
    2015 : SPHINCS stateless hashing
</Mermaid>

Read the timeline as three columns hiding in one line. Codes and hashes (1978, 1979) are the ancient, conservative branches. Lattices (1996 to 2010) are the young, efficient branch that took the most theoretical work to make safe. The mechanisms (FO, GPV, Fiat-Shamir-with-aborts) are the connective tissue that turns a hard problem into a usable cipher.

| Year | Who | Idea | Why it mattered |
|------|-----|------|-----------------|
| 1978 | McEliece | Code-based encryption | Oldest surviving PQC family; ancestor of HQC [@mceliece-1978] |
| 1979 | Merkle | Hash-based signatures | Weakest possible assumption; ancestor of SLH-DSA [@merkle-thesis-1979] |
| 1994 | Shor | Quantum factoring and discrete log | The single threat the toolkit answers [@shor-1994] |
| 1996 | Ajtai | Worst-case lattice hardness | Made lattices a rigorous foundation [@ajtai-1996] |
| 2005 | Regev | Learning With Errors | The assumption under ML-KEM and ML-DSA [@regev-lwe-2005] |
| 2015 | Bernstein et al. | Stateless hash signatures | Made hash signatures deployable [@sphincs-2015] |

Each of these old ideas was quantum-safe. And none was deployable as written. To see why, watch each one walk straight into a different wall.

## 3. Three Walls: Why the Old Ideas Could Not Ship

A cipher can be perfectly correct -- decrypting every honest message, verifying every honest signature -- and still be unusable, or worse, still hand over its secret key. The first generation of post-quantum schemes taught that lesson three times, each on a different axis.

**The first wall is size.** McEliece's cryptosystem has resisted cryptanalysis for more than forty-five years, which is a stronger track record than RSA has. But its public key is an entire generator matrix. In the modern Classic McEliece parameter sets, that means a public key from roughly 261 KB (for the `mceliece348864` set) up to about 1.36 MB (for `mceliece8192128`) [@classic-mceliece]. A megabyte of key material per connection is a non-starter for a TLS handshake that budgets a few kilobytes. McEliece is not broken; it is simply too big to carry. Its security was never the problem. Its shape was.

**The second wall is state.** Merkle's hash-tree signatures, engineered into the modern XMSS and LMS schemes and standardized by NIST in SP 800-208, are compact and rest on the most conservative assumption in cryptography [@nist-sp-800-208]. But they are *stateful*: the signer must advance a one-time-key index after every signature and must never, ever reuse one.

> **Note:** NIST SP 800-208 warns that if an attacker obtains two signatures made with the same one-time key, "it would become computationally feasible for that attacker to forge signatures on arbitrary messages" [@nist-sp-800-208]. Restore a virtual machine from a snapshot, clone a key into a backup, or run two signer replicas, and you can silently reuse an index. The math is impeccable; the operational requirement -- perfect, rollback-proof, monotonic state, forever -- is what ordinary systems cannot guarantee.

**The third wall is the subtle one, and it reframes the whole problem: leakage.** The natural way to sign with a lattice is hash-and-sign in the style of GGH and its NTRU instantiation, NTRUSign: hash the message to a target point, then use your secret "good" basis to round to a nearby lattice point. A verifier checks the point is on the lattice and close to the target. It verifies perfectly. It is also fatally broken.

In 2006, Phong Nguyen and Oded Regev showed why in a paper with a wonderful title: "Learning a Parallelepiped" [@nguyen-regev-2006]. Every signature is the difference between the hashed target and a lattice point, and those differences are distributed over the *fundamental parallelepiped* of the secret basis. Collect a few hundred signatures, and you can reconstruct the shape of that parallelepiped -- which is to say, you can recover the secret key. The signer was leaking the key a little at a time, in the statistical shape of its own outputs, while every individual signature passed verification.

<Definition term="Transcript leakage">
When the distribution of a scheme's public outputs (its signatures or its decryption behavior) depends on the secret key, an attacker who collects enough outputs can infer the key -- even though each individual output is valid. The break is statistical, not logical: nothing is forged, yet the key is recovered from the shape of honest data.
</Definition>

Put the three walls side by side and a pattern appears. McEliece fails on size, stateful hashes fail on operational state, and NTRUSign fails on leakage -- three completely different axes. The naive strategy of "pick the oldest unbroken idea and ship it" runs aground because being unbroken is not the same as being safe to deploy. The NTRUSign failure is the sharpest version of the lesson, because it severs two ideas most people treat as one.

> **Key idea:** Correctness is not security. A scheme can verify every honest signature and still surrender its secret key through the statistical shape of a few hundred outputs. The real design goal is not "find math no one has broken." It is "make the outputs reveal nothing about the secret."

That reframing is the hinge of the entire toolkit. Once you decide the enemy is any correlation between your public outputs and your private key, the design problem becomes concrete: engineer the transcript, the ciphertext, and the failure behavior so they are provably independent of the secret. That single idea, applied four different ways, is the modern toolkit.

## 4. The Competition: One Fix, Four Times

The forcing function was not a single genius. It was an open, adversarial competition. NIST issued its public Call for Proposals in December 2016 and spent the next years pruning dozens of submissions across multiple rounds, documenting the reasoning in status reports as it went [@nistir-8413]. What emerged was not one lineage but four convergent tracks, running inside three unrelated hardness assumptions, each track advancing by fixing the specific flaw that sank its predecessor.

<Mermaid caption="Four convergent tracks and the specific limitation each generation fixed, converging on the five toolkit primitives, with two whole families pruned in public.">
flowchart LR
    subgraph TA["Track A -- codes"]
      A1[McEliece 1978] --> A2[Niederreiter] --> A3[QC-MDPC BIKE] --> A4[HQC]
    end
    subgraph TB["Track B -- hashes"]
      B1[Lamport OTS] --> B2[Merkle WOTS] --> B3[XMSS LMS] --> B4[SPHINCS+]
    end
    subgraph TC["Track C -- lattice KEM"]
      C1[NTRU] --> C2[LWE] --> C3[Ring-LWE] --> C4[Module-LWE]
    end
    subgraph TD["Track D -- lattice signatures"]
      D1[GGH NTRUSign] --> D2[GPV Falcon]
      D1 --> D3[Fiat-Shamir Dilithium]
    end
    A4 --> TK[Five toolkit tips]
    B4 --> TK
    C4 --> TK
    D2 --> TK
    D3 --> TK
    P1[SIKE isogeny] -.broke 2022.-> XX[Pruned families]
    P2[Rainbow multivariate] -.broke 2022.-> XX
</Mermaid>

**Track A, codes, is a war on key size.** McEliece's matrix is enormous, so Niederreiter published the "dual" version that sends a compact syndrome instead of a full codeword -- smaller ciphertext, but the public key is still a matrix. Quasi-cyclic MDPC codes then collapsed that key to a few kilobytes by making the matrix reconstructable from a single row, an idea realized in the BIKE scheme [@mdpc-mceliece-2013].

<Definition term="Syndrome decoding">
The hard problem under every code-based scheme: given a random-looking parity-check matrix and a syndrome (the matrix applied to an unknown low-weight error), recover the error. Decoding a general random linear code is NP-hard; a code-based cryptosystem hides a secret, efficiently decodable code so that only the key holder can decode, while an attacker faces the random-code version.
</Definition>

But BIKE walked into a wall of its own. Its iterative bit-flipping decoder occasionally fails, and -- this is the trap -- *those failures depend on the secret key*. In 2016 Guo, Johansson, and Stankovski turned that into a full reaction attack: feed the decoder crafted ciphertexts, watch which ones fail, and recover the private key from the pattern of failures [@gjs-mdpc-2016]. The very feature that shrank the key opened a side channel.

<Definition term="Decryption Failure Rate (DFR)">
The probability that correct decapsulation fails on an honest ciphertext. For post-quantum KEMs this is not merely a correctness nuisance: if the failure rate is non-negligible and correlated with the secret, each failure leaks information, and enough failures recover the key. DFR is therefore a security parameter, and a good scheme drives it to a cryptographically negligible level with a bound that does not depend on the secret.
</Definition>

HQC is the fix: keep the quasi-cyclic key size, but decode with a *public*, fixed code whose failure rate can be bounded analytically and does not depend on the secret. That is precisely why NIST chose HQC over BIKE -- its DFR analysis was judged more mature [@nist-ir-8545].

**Track B, hashes, is a war on state**, and the whole story is the fight against one number: the leaf index. Lamport's one-time signature signs once per key; Merkle put many one-time keys under a tree so one root signs many messages; XMSS and LMS engineered that into standardized, stateful schemes [@nist-sp-800-208]; and SPHINCS removed the state entirely by choosing a random leaf from a space so vast that collisions are negligible, backed by a few-time signature to absorb the rare clash [@sphincs-2015]. SPHINCS+ then hardened it with tweakable hashes and a tighter few-time scheme called FORS [@sphincs-plus-framework-2019].

**Track C, lattice KEMs, is a war over structure.** NTRU was fast but rested on a heuristic assumption; LWE bought a worst-case hardness reduction but needed a full random matrix as its key; Ring-LWE compressed that matrix to a single polynomial with fast NTT arithmetic [@lpr-ringlwe-2010]; and Module-LWE dialed the ring structure partway back down, trading a sliver of efficiency for a hedge against the possibility that too much algebraic structure helps the attacker [@crystals-kyber].

**Track D, lattice signatures, is where the tree forks and both branches survive.** The GGH/NTRUSign transcript leak forced a choice, and the field kept two answers: GPV hash-and-sign, which samples from a discrete Gaussian whose shape is provably independent of the secret basis (this becomes Falcon), and Fiat-Shamir with aborts, which rejects and restarts until the transcript is key-independent (this becomes Dilithium) [@gpv-2007] [@lyubashevsky-fswa-2009].

Stare at those four tracks and the same move appears in every one.

> **Key idea:** Every surviving generation makes the transcript or the failure channel provably independent of the secret. Gaussian sampling and rejection sampling remove the signature-transcript leak; the Fujisaki-Okamoto transform removes the decryption-failure oracle; statelessness removes the operational-state leak; HQC's public decoder removes BIKE's secret-dependent failures. The toolkit is not five unrelated tricks. It is one principle instantiated five ways.

The competition also pruned in public, and the prunings are the best argument for the whole strategy.

<Aside label="SIKE and Rainbow: the breaks that prove the portfolio">
Two schemes that had survived years of scrutiny fell in 2022, within months of each other. Ward Beullens broke Rainbow, a multivariate signature finalist, in what his paper title advertised as a weekend on a laptop [@beullens-rainbow-2022]. Then Wouter Castryck and Thomas Decru broke SIKE, an isogeny-based KEM, with a key-recovery attack that runs in about ten minutes on a single core [@castryck-decru-sidh-2022]. Both schemes had strong theory and years of failed attacks behind them. Both were destroyed by a single new idea. And both were *outside* the final toolkit -- Rainbow was not selected, and SIKE advanced to NIST's fourth round only to be broken before it could be selected. That is the empirical case for diversity in one sentence: no amount of survived cryptanalysis is a proof, so you hedge across unrelated assumptions rather than bet everything on one.
</Aside>

This is the moment to state the honest ending up front -- the argument the rest of the article defends.

<PullQuote>
Nothing in the toolkit has been mathematically broken. Every real-world failure so far has been an implementation leak -- and the two famous algorithmic breaks of the era hit schemes that never made the cut.
</PullQuote>

It helps to see every notable failure of the era in one place, sorted by what actually went wrong. Two of these are implementation leaks in surviving schemes (the math is intact); two are historical breaks of superseded designs; and two are the non-toolkit cryptanalytic breaks that justify the hedge.

| Failure | Scheme | Root cause | Lesson | In the toolkit? |
|---------|--------|-----------|--------|-----------------|
| Parallelepiped leak | GGH / NTRUSign | Signature distribution depends on the secret basis [@nguyen-regev-2006] | Make the transcript key-independent | No -- superseded ancestor |
| Reaction attack | QC-MDPC / BIKE | Secret-dependent decoding failures form an oracle [@gjs-mdpc-2016] | Bound the DFR with a public decoder | No -- not selected |
| SIKE key recovery | SIDH isogenies | Torsion-point structure enables recovery [@castryck-decru-sidh-2022] | A decade unbroken is not a proof | No -- non-toolkit |
| Rainbow weekend break | Multivariate | Structural attack on the oil-and-vinegar map [@beullens-rainbow-2022] | Diversify assumptions | No -- non-toolkit |
| KyberSlash | ML-KEM (Kyber) | Secret-dependent division timing [@kyberslash-site] | Constant-time reduction; math untouched | Yes -- implementation leak |
| Gram-Schmidt leak | FN-DSA (Falcon) | Floating-point sampler leaks basis norms [@fouque-gsnorm-2019] | Use a vetted constant-time sampler | Yes -- implementation hazard |

Notice that the bottom two rows -- the only failures inside the toolkit -- are both in the "implementation" column, never the "math" column. That distinction is the spine of everything that follows. By 2024 the pruned tree had five surviving tips. Three of them became law on a single day.

## 5. Three Standards in One Day

On 2024-08-13, NIST published three Federal Information Processing Standards at once: FIPS 203 (ML-KEM) for key encapsulation, FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) for signatures [@fips-203] [@fips-204] [@fips-205]. That single date is when post-quantum cryptography crossed from an open competition into the law of the land, the thing an auditor can require and a protocol can mandate.

Each standard is the hardened descendant of a competition submission, and each carries one defining idea forward.

<Definition term="Key-Encapsulation Mechanism (KEM)">
A KEM is a three-function object -- key generation, encapsulate, decapsulate -- that lets two parties agree on a random shared secret. Encapsulate takes a public key and returns a ciphertext plus a shared secret; decapsulate takes the ciphertext and the private key and returns the same shared secret. It is the post-quantum replacement for the key-exchange half of Diffie-Hellman, and it composes with a symmetric cipher through the KEM-DEM pattern this series covered in [Part 19 on HPKE](/blog/the-standard-was-boring-that-was-the-point-a-field-guide-to-/). Crucially, a KEM is not a drop-in for a static-static Diffie-Hellman handshake -- a distinction we return to in the limits.
</Definition>

**ML-KEM** is Module-LWE encryption wrapped in a Fujisaki-Okamoto transform with *implicit rejection*, so that an invalid ciphertext yields a pseudo-random shared secret rather than an error -- there is no decapsulation-failure oracle to probe [@fips-203]. **ML-DSA** is a Fiat-Shamir-with-aborts signature built entirely from uniform integers, chosen deliberately so the implementation needs no floating point and is easy to make constant-time [@fips-204]. **SLH-DSA** is a stateless hash-based signature whose security rests on nothing but its hash function -- the conservative backstop [@fips-205].

<Sidenote>ML-KEM is the standardized CRYSTALS-Kyber; ML-DSA is Dilithium; SLH-DSA is SPHINCS+. These are the same schemes under new NIST names, with standardization edits (tweaked hashing, encodings, and parameter cleanups), not fresh designs. If you have working knowledge of Kyber, you already understand ML-KEM.</Sidenote>

Two things follow that people routinely get wrong. First, the renaming is not a redesign: "Kyber" and "ML-KEM" are essentially the same scheme [@crystals-kyber]. Second, the toolkit is not finished -- only three of the five are standardized, and the fourth and fifth are genuinely pre-final.

> **Note:** FN-DSA (Falcon), destined for FIPS 206, was still in development as of this writing, with a final expected around late 2026 or 2027 [@fips-206-perlner-2025]. HQC was only *selected* for standardization on 2025-03-11, with a draft FIPS still pending [@nist-ir-8545]. Do not deploy either in production yet. Every FN-DSA and HQC size in this article is pre-final and may change.

The migration is already underway on the finalized three. But a standard is a promise about an interface, not a proof of security. To defend a design in a review, you need what is under each name: the math, the exact sizes, and the specific way each one can still fail.

## 6. The Five Primitives in Depth

One workhorse, one default, one backstop, one compact hopeful, one insurance policy. That is the toolkit in five phrases: ML-KEM is the workhorse KEM, ML-DSA the default signature, SLH-DSA the conservative backstop, FN-DSA the compact hopeful, and HQC the non-lattice insurance policy. Three of the five are lattice schemes, so learn the lattice intuition once and reuse it three times.

<Definition term="Learning With Errors (LWE) and Module-LWE">
LWE is "add noise to linear algebra." Given a random matrix $A$ and the product $b = A\mathbf{s} + \mathbf{e}$ where $\mathbf{e}$ is small random noise, recovering the secret $\mathbf{s}$ is believed hard, classically and quantumly. Module-LWE is the same idea over a small polynomial ring, arranged as a rank-$k$ module so the security level is set by $k$ rather than by resizing everything. Raising $k$ adds structure-diluting hedge; lowering it saves bytes. ML-KEM and ML-DSA both live here; only the rank and the noise change.
</Definition>

All byte sizes below are exact for the finalized three and explicitly pre-final for FN-DSA and HQC. Cycle counts come from the pqm4 Cortex-M4 benchmark harness unless labeled otherwise [@pqm4-benchmarks].<Sidenote>Never compare a Cortex-M4 cycle count against an AVX2 desktop number directly -- they are different machines. HQC's own figures are measured on an Intel i7-11850H and Falcon's on an Intel i5-8259U, so those live on a different scale than the M4 numbers used for cross-scheme comparison.</Sidenote>

### 6.1 ML-KEM (FIPS 203): the workhorse

ML-KEM is the standardization of CRYSTALS-Kyber, finalized as FIPS 203, and it is the only post-quantum primitive deployed at scale today [@fips-203] [@crystals-kyber]. Its security rests on Module-LWE over the ring $R_q = \mathbb{Z}_q[X]/(X^{256}+1)$ with modulus $q = 3329$; the module rank $k \in \{2,3,4\}$ selects ML-KEM-512, ML-KEM-768, and ML-KEM-1024.

The scheme has two layers. The inner layer is an IND-CPA encryption scheme over the ring. The outer layer upgrades it to a CCA-secure KEM using the Fujisaki-Okamoto transform.

<Definition term="Fujisaki-Okamoto transform with implicit rejection">
The FO transform turns a weak (chosen-plaintext-secure) encryption scheme into a strong (chosen-ciphertext-secure) KEM by re-encrypting on decapsulation and checking the result. The modern twist -- *implicit rejection* -- is that a failed check returns a deterministic pseudo-random shared secret derived from a secret seed $z$, never an error. Because every ciphertext yields a well-formed key, an attacker who submits tampered ciphertexts learns nothing from the response, closing the decapsulation-failure oracle that broke earlier schemes [@fo-1999] [@hhk-fo-2017].
</Definition>

<Mermaid caption="ML-KEM decapsulation always returns a key: a valid ciphertext yields the true shared secret, a tampered one yields a pseudo-random reject key, so there is no failure oracle to probe.">
sequenceDiagram
    participant S as Sender
    participant R as Receiver
    R->>S: public encapsulation key ek
    Note over S: pick random m, derive shared key K and coins r
    S->>R: ciphertext c that encapsulates m
    Note over R: decrypt c to m-prime, re-derive K-prime and r-prime
    Note over R: re-encrypt m-prime to c-prime and compare
    alt c-prime equals c
        Note over R: return true shared secret K-prime
    else mismatch
        Note over R: return pseudo-random key from secret z, no error
    end
</Mermaid>

That implicit-rejection branch is the load-bearing idea. It is worth seeing in code just how little a tampered ciphertext reveals.

<RunnableCode lang="js" title="Why an invalid ML-KEM ciphertext yields no oracle">{`
// Illustrative only -- NOT production crypto.
// ML-KEM decapsulation never reports "invalid". On a re-encryption mismatch it
// returns a pseudo-random key derived from a per-key secret z, so a tampered
// ciphertext produces a well-formed but useless key -- no distinguishable signal.

function toyHash(s) {
  let h = 2166136261 >>> 0;
  for (const c of String(s)) h = Math.imul(h ^ c.charCodeAt(0), 16777619) >>> 0;
  return (h >>> 0).toString(16).padStart(8, '0');
}

const z = 'per-key-secret-z'; // implicit-rejection secret, never leaves the device

// Receiver decrypts c to m', re-encrypts m', and compares the result to c.
function decapsulate(c, mDecrypted, cReencrypted) {
  if (cReencrypted === c) {
    return toyHash('real-shared-secret:' + mDecrypted); // the genuine key
  }
  return toyHash(z + ':' + c);                           // pseudo-random reject key
}

// Honest ciphertext: re-encryption matches, real key returned.
console.log('honest   :', decapsulate('c123', 'm', 'c123'));
// Tampered ciphertext: mismatch -> still a key, still no error.
console.log('tampered :', decapsulate('c999', 'm-garbled', 'c123'));
// The reject key is deterministic per (z, c) and looks like any other key,
// so the attacker cannot tell rejection from success. The oracle is closed.
`}</RunnableCode>

The exact bytes are what a protocol actually carries. For ML-KEM the encapsulation key / decapsulation key / ciphertext / shared secret sizes are 800 / 1632 / 768 / 32 for ML-KEM-512, 1184 / 2400 / 1088 / 32 for ML-KEM-768, and 1568 / 3168 / 1568 / 32 for ML-KEM-1024 [@fips-203]. The decryption-failure rates are $2^{-138.8}$, $2^{-164.8}$, and $2^{-174.8}$ respectively -- negligible by design, which as we saw is a security requirement, not a mere nicety [@fips-203]. On Cortex-M4, ML-KEM-768 costs roughly 642k / 659k / 708k cycles for keygen / encapsulate / decapsulate [@pqm4-benchmarks].

> **Note:** Several Kyber implementations divided a *secret* numerator by the public modulus $q = 3329$ inside compression, and on many CPUs division time depends on the inputs -- so the timing leaked secret data. That is KyberSlash [@kyberslash-site] [@kyberslash-eprint-2024]. The FIPS 203 mathematics was never in question; the fix is constant-time (Barrett-style) reduction. It is the toolkit's headline real-world failure, and it is an implementation bug, exactly as the thesis predicts.

<MarginNote>The three small prime moduli to remember: $q = 3329$ for ML-KEM, $q = 8380417$ for ML-DSA, and $q = 12289$ for Falcon. KyberSlash lived in the division by 3329.</MarginNote>

ML-KEM excels because it is small, fast, and easy to implement over small integers mod a fixed prime. It is the default post-quantum KEM in shipping software: the X25519MLKEM768 hybrid is a default key share in OpenSSL 3.5, and it was enabled by default in OpenSSH 9.9 before becoming the default key exchange in OpenSSH 10.0 [@openssl-35-notes] [@openssh-99-notes] [@openssh-pq]. Where it is least comfortable is its assumption: Module-LWE is younger and more structured than code- or hash-based hardness, which is the entire reason the field wants a non-lattice KEM in reserve.

### 6.2 ML-DSA (FIPS 204): the default signature

ML-DSA is the standardized CRYSTALS-Dilithium, and it is the signature you should reach for by default [@fips-204] [@crystals-dilithium]. It builds on the same Module-LWE ring world as ML-KEM (here with $q = 8380417$), but it signs by a completely different route than the hash-and-sign that leaked in NTRUSign.

<Definition term="Fiat-Shamir with aborts">
Turn an interactive identification protocol into a signature by replacing the verifier's challenge with a hash (Fiat-Shamir), then add a rejection step: whenever the candidate signature would correlate with the secret, discard it and restart with fresh randomness. The signatures that survive are, by construction, distributed independently of the secret key. The cost is that signing runs a variable number of attempts [@lyubashevsky-fswa-2009].
</Definition>

The signer commits to a masking vector $\mathbf{y}$, derives a sparse challenge $c$ by hashing the commitment together with the message, and forms $\mathbf{z} = \mathbf{y} + c\mathbf{s}_1$. If $\mathbf{z}$ strays outside a safe range, releasing it would leak the secret, so the signer aborts and tries again.

<Mermaid caption="ML-DSA signing is a reject-and-restart loop: only masking choices that keep the signature inside a safe, key-independent range are released.">
flowchart TD
    A[Sample fresh masking vector y] --> B[Derive sparse challenge c by hashing commitment and message]
    B --> C[Form candidate z as y plus c times secret s1]
    C --> D&#123;"Is z inside the safe range?"&#125;
    D -- No, would leak the secret --> A
    D -- Yes --> E[Publish signature challenge, z, hint]
</Mermaid>

You can watch the loop behave. The number of attempts varies from signature to signature, and every released value stays inside the safe bound -- the mechanism that makes the transcript reveal nothing about the key.

<RunnableCode lang="js" title="Fiat-Shamir with aborts: count the restarts, bound the output">{`
// Illustrative only -- NOT production crypto.
// Keep sampling a masking value y until z = y + c*s1 lands in a safe range.
// Candidates that would correlate z with the secret are rejected; only
// key-independent z escape. Signing time therefore varies run to run.

const GAMMA1 = 100;   // masking range
const BETA   = 20;    // how far c*s1 can push z
const secret = 37;    // s1, unknown to the verifier
const c = 1;          // toy sparse challenge
const rand = (n) => Math.floor(Math.random() * n);

function signOnce() {
  let attempts = 0;
  while (true) {
    attempts++;
    const y = rand(2 * GAMMA1) - GAMMA1;       // uniform masking
    const z = y + c * secret;
    if (Math.abs(z) < GAMMA1 - BETA) return { z, attempts }; // safe -> release
    // otherwise abort and retry with fresh y
  }
}

let total = 0, n = 20000, maxAbsZ = 0;
for (let i = 0; i < n; i++) {
  const r = signOnce();
  total += r.attempts;
  maxAbsZ = Math.max(maxAbsZ, Math.abs(r.z));
}
console.log('avg attempts / signature:', (total / n).toFixed(2));
console.log('max |z| ever released   :', maxAbsZ, 'bound is', GAMMA1 - BETA);
console.log('variable attempt count is why ML-DSA signing time is not constant');
`}</RunnableCode>

The Dilithium team chose this uniform-integer, rejection-based route deliberately, rather than Falcon's Gaussian sampler, and they were blunt about why.

<PullQuote>
"Gaussian sampling is hard to implement securely and efficiently." -- the CRYSTALS-Dilithium team, on why ML-DSA uses uniform integers and no floating point [@crystals-dilithium].
</PullQuote>

The private key / public key / signature sizes are 2560 / 1312 / 2420 for ML-DSA-44, 4032 / 1952 / 3309 for ML-DSA-65, and 4896 / 2592 / 4627 for ML-DSA-87, targeting NIST categories 2, 3, and 5 [@fips-204]. Verification is fast and constant-time; signing is fast but variable-time because of the abort loop, which is the single most important operational fact about the scheme. On Cortex-M4, ML-DSA-65 signing averages near 6.19M cycles but ranges from about 2.92M to 26.0M across a thousand runs [@pqm4-benchmarks].

<Sidenote>FIPS 204 supports both hedged (randomized) and deterministic signing; the hedged mode is the default and is more resilient to fault and bad-randomness mishaps. It also adds a context string of up to 255 bytes so applications can domain-separate their signatures and prevent cross-protocol reuse.</Sidenote>

ML-DSA excels as the general-purpose default: no floating point, easy constant-time code, moderate sizes, fast verification. Its weak spot is the signature-size wall this series flagged for interfaces in [Part 17 on digital signatures](/blog/the-math-held-the-interface-leaked-a-field-guide-to-digital-/) -- a 3309-byte signature is roughly fifty times an Ed25519 signature, and that multiplies through certificate chains.

### 6.3 SLH-DSA (FIPS 205): the conservative backstop

SLH-DSA is the standardized SPHINCS+, and it makes the most conservative bet in the toolkit: its security rests on nothing but the properties of its hash function, the same primitives this series covered in [Part 10 on cryptographic hashes](/blog/the-fingerprint-two-files-shared-a-field-guide-to-cryptograp/) [@fips-205] [@sphincs-plus-spec]. If every lattice and code assumption fell tomorrow, a signature that depends only on a hash would still stand.

<Definition term="Merkle hypertree (WOTS+ and FORS)">
SLH-DSA composes three hash-based gadgets. WOTS+ is a one-time signature that signs by revealing points along hash chains. FORS ("Forest Of Random Subsets") is a *few-time* signature that signs the message digest and tolerates rare index collisions. A hypertree stacks many layers of Merkle trees, each layer's WOTS+ keys authenticating the roots below, up to one public root. Picking the FORS instance pseudo-randomly from the message removes the state that made XMSS dangerous [@sphincs-plus-framework-2019].
</Definition>

<Mermaid caption="SLH-DSA composes a few-time FORS signature, a one-time WOTS+ authenticator, and a hypertree of Merkle layers up to a single public root -- all from hashing, with no state.">
flowchart TD
    M[Message digest] --> R[Randomizer picks a FORS instance pseudo-randomly]
    R --> F[FORS few-time signature over the digest]
    F --> W[WOTS+ one-time key authenticates the FORS root]
    W --> H[Hypertree of Merkle layers, each signs the layer below]
    H --> PK[Single long-lived public root]
</Mermaid>

The trade is stark. Public keys are tiny (32 to 64 bytes), but signatures are enormous and signing is slow. FIPS 205 defines twelve parameter sets -- three security levels, each with a "small" (`s`) and "fast" (`f`) variant, over SHA-2 and SHAKE. The public key / signature sizes run 32 / 7856 for 128s, 32 / 17088 for 128f, 48 / 16224 for 192s, 48 / 35664 for 192f, 64 / 29792 for 256s, and 64 / 49856 for 256f [@fips-205]. Signing hashes whole subtrees and costs hundreds of millions to billions of Cortex-M4 cycles, orders of magnitude slower than lattice signing [@pqm4-benchmarks]. The `s`/`f` knob only trades one pain for the other: smaller signatures mean slower signing.

That profile makes SLH-DSA the right tool for low-volume, high-assurance signing -- firmware, boot chains, and software-update roots -- where you sign rarely, verify occasionally, and value a rock-bottom assumption over compactness.

<Aside label="The stateful cousins: XMSS and LMS">
If you can guarantee perfect state, the stateful hash signatures XMSS and LMS (NIST SP 800-208) are markedly smaller than SLH-DSA [@nist-sp-800-208]. The catch is the catch from Section 3: reuse a one-time leaf index and you enable forgery. They are the right call only in a tightly controlled setting -- a hardware security module or a firmware signer that can enforce monotonic, rollback-proof state. For everyone else, SLH-DSA trades bytes for the removal of that footgun, which is usually the better deal.
</Aside>

### 6.4 FN-DSA / Falcon: the compact hopeful (pre-final)

> **Note:** Falcon is destined to become FIPS 206, but that document was still in development as of this writing, with a final expected around late 2026 or 2027 [@fips-206-perlner-2025] [@digicert-fndsa]. Every name and size below is pre-final and comes from the Falcon specification, not from a FIPS [@falcon-spec]. Do not ship FN-DSA in production yet.

Falcon instantiates the GPV hash-and-sign framework over NTRU lattices ($q = 12289$, dimension $n = 512$ or $1024$), and it produces the smallest signatures and keys of any standardized-track scheme [@falcon-spec] [@gpv-2007].

<Definition term="GPV hash-and-sign">
The safe way to do lattice hash-and-sign. A secret trapdoor lets the signer sample a short lattice vector near a hashed target from a discrete Gaussian whose distribution is provably independent of the secret basis. That independence is exactly what NTRUSign lacked -- it closes the parallelepiped leak by construction, rather than hoping the outputs happen not to correlate with the key.
</Definition>

<Mermaid caption="Falcon signs by hashing to a ring point and sampling a short vector near the lattice, and the fast-Fourier Gaussian sampling step is where the floating-point hazard lives.">
flowchart LR
    M[Message] --> HP[Hash message to a point c in the ring]
    HP --> TS[Use NTRU trapdoor basis to target c]
    TS --> GS[Fast-Fourier Gaussian sampling, the delicate floating-point step]
    GS --> SV[Short vector s1, s2 near the lattice]
    SV --> SIG[Signature is a salt plus compressed s2]
</Mermaid>

The payoff is compactness. Falcon-512 has an 897-byte public key and a 666-byte signature (roughly RSA-2048's classical security level, as this series discussed in Part 14, at a fraction of the byte size); Falcon-1024 is 1793 / 1280 [@falcon-spec]. On a desktop i5-8259U the reference code signs about 5948 times per second and verifies about 27933 times per second for Falcon-512 [@falcon-spec]. A Falcon-512 signature is under a third the size of ML-DSA-44's.

So why is it the last of the five to standardize? Because the Gaussian sampler runs on floating-point arithmetic, and making floating point constant-time across compilers and CPUs is genuinely hard. Timing or precision leakage of the sampler's Gram-Schmidt norms can recover the secret key [@fouque-gsnorm-2019]. Mitigations exist -- Pornin's constant-time integer implementation and isochronous Gaussian sampling among them -- but they are intricate and platform-sensitive [@pornin-ctfalcon-2019] [@howe-isochronous-2019].

<Sidenote>Want concrete evidence that FN-DSA is pre-final? When researchers fetched the expected FIPS 206 Initial Public Draft URL during the source verification for this article, it returned HTTP 404 -- the draft was not yet published. The compact math is done; the standardization and safe-implementation work is not.</Sidenote>

Falcon is the right tool when signature and key bandwidth is the binding constraint *and* you can guarantee a vetted constant-time implementation -- and even then, not before FIPS 206 lands. Until it does, prefer ML-DSA.

### 6.5 HQC: the non-lattice insurance policy (pre-final)

> **Note:** NIST selected HQC on 2025-03-11 as a code-based KEM to stand alongside ML-KEM, with a draft FIPS expected in 2026 and a final around 2027 [@nist-ir-8545]. The parameters below come from the HQC specification and are pre-final [@hqc-spec]. Do not deploy it in production yet.

HQC ("Hamming Quasi-Cyclic") is the toolkit's deliberate non-lattice hedge. Its security rests on the hardness of decoding random quasi-cyclic codes -- syndrome decoding, unrelated to lattices -- so a future lattice break would leave it untouched [@hqc-spec]. It solves the problem that sank BIKE by separating the secret from the decoder: HQC encrypts by adding a low-weight error and decodes with a *public*, fixed code (a concatenation of Reed-Muller and Reed-Solomon codes) whose decoding-failure rate can be bounded analytically and does not depend on the secret. That bounded, secret-independent DFR is exactly why NIST preferred it over BIKE [@nist-ir-8545] [@gjs-mdpc-2016].

The cost is bandwidth. The encapsulation key / decapsulation key / ciphertext / shared secret sizes are 2241 / 2321 / 4433 / 32 for HQC-1, 4514 / 4602 / 8978 / 32 for HQC-3, and 7237 / 7333 / 14421 / 32 for HQC-5 [@hqc-spec]. The ciphertext is roughly four to nine times ML-KEM's. HQC is the reserve KEM, not the first choice: you carry the extra kilobytes precisely because its assumption is unrelated to everything else in the box.

### 6.6 Tier C: the signposts

Four more schemes sit just outside the toolkit and are worth knowing by name.

**Classic McEliece** is the most conservative code-based KEM, unbroken since 1978, but with public keys from roughly 261 KB to over a megabyte [@classic-mceliece]. It was not selected for the FIPS set and is advancing on an ISO track; choose it only where a huge, static, long-lived key is acceptable and maximal conservatism is the goal.

**BIKE** is the quasi-cyclic KEM that HQC beat out; its secret-dependent decoding-failure rate was judged less mature than HQC's bounded public decoder, so NIST did not select it [@bike-suite] [@nist-ir-8545].

**XMSS and LMS** are the standardized stateful hash signatures -- compact, conservative, and safe only where perfect state is guaranteed [@nist-sp-800-208].

**CSIDH** is the one post-quantum candidate for a non-interactive Diffie-Hellman-style shared key, but its quantum security is contested -- subexponential quantum attacks push it toward much larger parameters [@peikert-csieves-2019] -- and its isogeny cousin SIKE was broken in 2022 [@castryck-decru-sidh-2022]. Treat it as research, not deployment.

Now the exact bytes, all in one place. The table below is the empirical anchor for every trade discussed next -- the literal number of bytes a protocol must carry for each choice.

| Primitive | Param set | Family | Public/enc key (B) | Ciphertext or signature (B) | NIST cat | Status |
|-----------|-----------|--------|--------------------|------------------------------|----------|--------|
| ML-KEM | 512 | lattice KEM | 800 | 768 | 1 | Final [@fips-203] |
| ML-KEM | 768 | lattice KEM | 1184 | 1088 | 3 | Final [@fips-203] |
| ML-KEM | 1024 | lattice KEM | 1568 | 1568 | 5 | Final [@fips-203] |
| HQC | 1 | code KEM | 2241 | 4433 | 1 | Pre-final [@hqc-spec] |
| HQC | 3 | code KEM | 4514 | 8978 | 3 | Pre-final [@hqc-spec] |
| HQC | 5 | code KEM | 7237 | 14421 | 5 | Pre-final [@hqc-spec] |
| ML-DSA | 44 | lattice sig | 1312 | 2420 | 2 | Final [@fips-204] |
| ML-DSA | 65 | lattice sig | 1952 | 3309 | 3 | Final [@fips-204] |
| ML-DSA | 87 | lattice sig | 2592 | 4627 | 5 | Final [@fips-204] |
| FN-DSA/Falcon | 512 | lattice sig | 897 | 666 | 1 | Pre-final [@falcon-spec] |
| FN-DSA/Falcon | 1024 | lattice sig | 1793 | 1280 | 5 | Pre-final [@falcon-spec] |
| SLH-DSA | 128s | hash sig | 32 | 7856 | 1 | Final [@fips-205] |
| SLH-DSA | 128f | hash sig | 32 | 17088 | 1 | Final [@fips-205] |
| SLH-DSA | 192s | hash sig | 48 | 16224 | 3 | Final [@fips-205] |
| SLH-DSA | 192f | hash sig | 48 | 35664 | 3 | Final [@fips-205] |
| SLH-DSA | 256s | hash sig | 64 | 29792 | 5 | Final [@fips-205] |
| SLH-DSA | 256f | hash sig | 64 | 49856 | 5 | Final [@fips-205] |

Two footnotes complete the picture. For the KEMs, the decapsulation (secret) keys are larger than the encapsulation keys -- 1632 / 2400 / 3168 bytes for ML-KEM and 2321 / 4602 / 7333 bytes for HQC -- and both produce a 32-byte shared secret [@fips-203] [@hqc-spec]. For ML-DSA, the private keys are 2560 / 4032 / 4896 bytes [@fips-204]. Now the uncomfortable question: given all five, which do you actually deploy, and what do you give up to get it?

## 7. Choosing Inside the Toolkit

There is no universal winner, and looking for one is the wrong frame. In practice you make two decisions -- which KEM, and which signature -- plus one deployment choice about hybrids. Everything else follows from the bytes in the master table and the assumption you are willing to trust.

The KEM decision is really ML-KEM versus HQC, because the other code-based options are signposts rather than shipping choices.

| Dimension | ML-KEM-768 (final) | HQC-3 (pre-final) | Classic McEliece (signpost) | BIKE (signpost) |
|-----------|--------------------|--------------------|------------------------------|------------------|
| Assumption | Module-LWE (lattice) | quasi-cyclic syndrome decoding (code) | Goppa-code decoding | QC-MDPC decoding |
| Enc. key | 1184 B | 4514 B | 261 KB to ~1.36 MB | few KB |
| Ciphertext | 1088 B | 8978 B | ~100 to 200 B | few KB |
| Best-known attack | lattice sieving $\approx 2^{0.292\beta}$ | information-set decoding (exp.) | information-set decoding (exp.) | ISD, plus a reaction attack given a failure oracle |
| DFR | $2^{-164.8}$ | bounded, secret-independent | negligible | secret-dependent (the problem) |
| Maturity | final and deployed | selected 2025, pre-final | ISO track, not in FIPS | not selected |
| Best suited for | default KEM everywhere | non-lattice diversity backup | huge static keys, max conservatism | superseded by HQC |

ML-KEM wins on size and ubiquity. HQC's entire reason to exist is that its assumption is unrelated to ML-KEM's, so a lattice break would not take both down -- and you pay roughly eight times the ciphertext for that insurance [@fips-203] [@hqc-spec] [@nist-ir-8545].

The signature decision spans three finalists on very different paradigms.

| Dimension | ML-DSA-65 (final) | FN-DSA / Falcon-512 (pre-final) | SLH-DSA-128s (final) |
|-----------|-------------------|----------------------------------|-----------------------|
| Construction | Fiat-Shamir with aborts | GPV hash-and-sign over NTRU | stateless hash-based |
| Assumption | Module-LWE and Module-SIS | NTRU and SIS (lattice) | hash function only |
| Public key | 1952 B | 897 B | 32 B |
| Signature | 3309 B | 666 B | 7856 B |
| Signing | fast, variable-time | fast, floating-point sampler | very slow |
| Implementation risk | low (no floating point) | high (constant-time floating point is hard) | low (hashing only) |
| Maturity | final, the default | FIPS 206 in development | final |
| Best suited for | general-purpose default | size-critical, constant-time guaranteed | firmware and roots, low volume |

There is no free lunch in that table [@fips-204] [@falcon-spec] [@fips-205]. Falcon is smallest but hardest to implement safely and not yet final; SLH-DSA is the safest to trust but by far the largest and slowest; ML-DSA is the sensible middle and the recommended default.

To feel the gap, anchor on the classical world this series has used throughout. An Ed25519 signature is 64 bytes; an X25519 public key is 32. Nothing in the post-quantum toolkit comes close, as Part 15 on elliptic curves makes vivid.

The smallest post-quantum signature, Falcon-512 at 666 bytes, is about ten times larger and carries a floating-point hazard; the most conservative, SLH-DSA-128s at 7856 bytes, is about one hundred and twenty times larger; and the default KEM ciphertext, ML-KEM-768 at 1088 bytes, is about thirty-four times an X25519 share [@falcon-spec] [@fips-205] [@fips-203]. Every column of these tables buys one property -- small size, easy constant-time code, a conservative assumption, or non-lattice diversity -- by giving up another.

> **Key idea:** No post-quantum primitive wins on every axis. The five are not a menu awaiting a single winner; they are deliberate coverage of a trade surface, chosen so that whatever your binding constraint -- bytes, speed, assumption conservatism, or implementation safety -- one of them is the defensible answer.

<PullQuote>
The toolkit is five points on a trade surface, not an arbitrary menu.
</PullQuote>

One more choice cuts across both decisions: hybrid versus pure. The shipping default, X25519MLKEM768, runs a classical X25519 exchange and a post-quantum ML-KEM-768 encapsulation together and combines both shared secrets, so the session stays secure as long as *either* half holds [@openssl-35-notes]. During a migration that is the conservative posture: it defends against a future quantum computer and against an implementation bug in the young post-quantum half at once -- a belt-and-suspenders design, the security-definition thinking of Part 1 made concrete. These trades feel like engineering. Underneath them sits something humbler: we cannot prove any of it is hard.

## 8. What We Cannot Prove

Here is the headline most readers do not expect: none of the five rests on an unconditional hardness proof. "Standardized by NIST" does not mean "proven secure." It means "no efficient attack is known, backed by decades of failed attempts and, for lattices, an unusually strong reduction." That is a different and more honest claim.

The lattice story is the one people most often overstate. Ajtai and then Regev proved worst-case-to-average-case reductions: breaking random instances is as hard as breaking the worst case [@ajtai-1996] [@regev-lwe-2005]. That is remarkable, and it is genuinely reassuring.

But three caveats matter. First, those reductions are cleanest for *plain* LWE, while the standards use *structured* Module-LWE and NTRU, whose reductions are weaker or looser. Second, the actual parameters are not chosen from the reduction at all; they are sized against the best-known attack, lattice sieving, whose cost is heuristically $\approx 2^{0.292\beta}$ classically and roughly $2^{0.265\beta}$ quantumly under debated memory assumptions [@bdgl-sieving-2015]. Third, at the approximation factors these schemes use, the underlying lattice problems sit in $\mathsf{NP} \cap \mathsf{coNP}$, so they are not NP-hard under standard assumptions [@aharonov-regev-2005]. A genuine super-polynomial lower bound for any of them would prove $\mathsf{P} \neq \mathsf{NP}$ -- which no one can currently do.

Codes and hashes are no different in kind. General syndrome decoding is NP-hard, but HQC's security depends on the *average-case* hardness of decoding random quasi-cyclic codes, which is an assumption, not a theorem [@hqc-spec]. SLH-DSA reduces tightly to standard properties of its hash function, with no algebraic structure to exploit -- the most conservative bet in the box, but still a bet [@fips-205].

> **Note:** Realize what this means taken together: the security of the entire toolkit is a *monitored cryptanalytic bet*, not a proof. The strong lattice reductions do not cover the structured schemes actually deployed; the parameters are justified empirically; and a real hardness proof for any of them would settle the biggest open question in computer science. This is precisely why the field standardized a diversified portfolio and keeps a non-lattice spare. The humility is not a weakness in the design -- it *is* the design.

Two results in this area are not assumptions but hard walls, and they pull in opposite directions. The first is Shor's algorithm itself: no choice of RSA, Diffie-Hellman, or elliptic-curve parameters can ever be post-quantum, because the attack is a capability of the adversary, not a bound you can tune [@shor-1994]. The second constrains the replacements.

<Definition term="NIKE (non-interactive key exchange)">
A NIKE lets two parties who know only each other's long-term public keys compute a shared secret with no interaction -- the static-static magic of Diffie-Hellman, where two published keys silently agree. A KEM does not provide this: encapsulation produces a fresh ciphertext that must be sent, so at least one message is required. There is no efficient, well-trusted post-quantum NIKE (the only candidate, CSIDH, has contested quantum security under subexponential quantum attack [@peikert-csieves-2019]).
</Definition>

That second wall -- KEM is not NIKE -- is why post-quantum migration is not a mechanical find-and-replace. Any protocol that relied on Diffie-Hellman's non-interactive static-static agreement has to be redesigned around an interactive KEM handshake, as Part 18 on Diffie-Hellman foreshadowed. It is a design-level impossibility, not a tuning problem.

One more subtlety links two sections: for the FO-transformed KEMs, the decryption-failure rate is a *security* bound, not merely a correctness figure. A noticeable, secret-correlated failure rate is an oracle -- the exact mechanism behind the BIKE reaction attack -- which is why ML-KEM specifies rates like $2^{-164.8}$ and HQC insists on an analytically bounded one [@gjs-mdpc-2016].

Put it all together and the shape of the toolkit becomes inevitable. The theoretically perfect primitive would have elliptic-curve-sized keys and signatures, fast constant-time software with no floating point, a conservative and well-understood assumption, and strong chosen-ciphertext or unforgeability guarantees. No known construction reaches all four corners at once: lattices are small and fast on a young, structured assumption; hashes are conservative but huge; codes offer diversity but cost kilobytes. The five primitives are the field's best simultaneous coverage of that surface. If we cannot prove hardness, the honest posture is to keep asking what we still cannot do -- and to keep a spare.

## 9. The Frontier the Toolkit Does Not Close

A field guide should be honest about what remains open. Seven problems sit on the near horizon, and together they explain why the toolkit is best understood as a monitored bet with an insurance policy attached.

**The signature-size wall.** No post-quantum signature reaches the 64-byte classical world while keeping a conservative assumption *and* an easy constant-time implementation. Falcon-512 is 666 bytes but floating-point; ML-DSA-44 is 2420 bytes; SLH-DSA-128s is 7856 bytes and up. Certificate chains, TLS handshakes, DNSSEC responses, and firmware manifests all multiply signature size by depth, so a few-kilobyte signature reshapes protocols. NIST's ongoing "Additional Digital Signature Schemes" on-ramp is the active response, hunting for small-signature options on different assumptions [@nist-pqc-project].<Sidenote>This on-ramp is deliberately looking beyond lattices -- for schemes whose assumptions differ from ML-DSA and Falcon -- so that a future small-signature standard also widens the toolkit's assumption diversity rather than deepening its lattice exposure.</Sidenote>

**Constant-time Falcon without floating point.** Falcon's fast-Fourier Gaussian sampler is defined over floating-point arithmetic, and a portable, high-precision, provably constant-time sampler is hard to guarantee across compilers and CPUs. This is the chief obstacle to shipping FN-DSA safely and the reason it standardizes last [@pornin-ctfalcon-2019] [@howe-isochronous-2019]. The motivating attack -- key recovery from Gram-Schmidt norm leakage -- is concrete, not hypothetical [@fouque-gsnorm-2019].

**Shrinking code-based ciphertexts.** HQC buys assumption diversity at 4.4 to 14.4 KB ciphertexts, and the smaller-key alternative (BIKE) was set aside precisely because its secret-dependent failure rate is a reaction-attack surface. An open goal is a code-based KEM with McEliece-like conservatism, ML-KEM-like size, and a provable secret-independent DFR [@nist-ir-8545].

**Formally verified, side-channel-hardened implementations of all five.** KyberSlash showed that even widely used reference code can leak through timing [@kyberslash-site]. Machine-checked constant-time implementations of ML-KEM exist, but ML-DSA's variable-time abort loop and FN-DSA's floating point are materially harder to verify end to end. The standards are only as safe as the code that runs them.

**Is the algebraic structure free?** Ring-LWE, Module-LWE, and NTRU all add ring structure for compact keys and fast transforms. No attack exploits that structure at the standardized parameters, but there is no proof it is as hard as unstructured LWE -- and all three lattice primitives share the exposure, so a structural breakthrough could touch most of the toolkit at once. The Module-LWE design dilutes structure as a hedge, but the conjecture that it is essentially as hard as plain LWE remains believed and unproven.

**Migrating static-static protocols.** Because a KEM is not a NIKE, any protocol that assumed non-interactive Diffie-Hellman agreement must be redesigned, not reconfigured. Interactive hybrid handshakes cover key establishment well; a practical, trusted post-quantum NIKE does not exist.

**The real quantum cost of sieving.** The quantum sieving exponent near $2^{0.265\beta}$ depends on memory and qRAM models whose real-world cost is uncertain, and NIST's security categories inherit that uncertainty [@bdgl-sieving-2015]. Conservative defaults -- recommending Category-3 ML-KEM-768 rather than the smaller set -- absorb the doubt, but a settled cost model would tighten every lattice parameter.

None of that blocks you from shipping the right thing today. Here is exactly what to ship.

## 10. Exact Decision Rules

Enough theory. Here are defensible defaults you can carry into a design review, phrased as "use X with these parameters in case Y."

<Mermaid caption="A decision tree for picking a primitive and parameter set: start from what you are doing, then let your binding constraint pick the leaf.">
flowchart TD
    Q1&#123;"Signing or key exchange?"&#125;
    Q1 -- Key exchange --> K1&#123;"Bandwidth very tight and Category 1 acceptable?"&#125;
    K1 -- Yes --> KEM512[ML-KEM-512 in a hybrid]
    K1 -- No --> K2&#123;"Long-term or Category 5 secret?"&#125;
    K2 -- Yes --> KEM1024[ML-KEM-1024 in a hybrid]
    K2 -- No --> KEM768[ML-KEM-768 hybrid, the default]
    Q1 -- Signing --> S1&#123;"Low-volume firmware or root of trust?"&#125;
    S1 -- Yes --> SLH[SLH-DSA-128s or 128f]
    S1 -- No --> S2&#123;"Is signature size the hard limit?"&#125;
    S2 -- No --> MLDSA[ML-DSA-65, the default]
    S2 -- Yes --> FN[Consider FN-DSA, vetted constant-time only, after FIPS 206]
</Mermaid>

- **Key establishment (TLS, SSH, VPN):** use **ML-KEM-768 in a hybrid** (X25519MLKEM768). It is the shipping default and the conservative middle category [@openssl-35-notes] [@openssh-99-notes]. Drop to ML-KEM-512 only under tight bandwidth with Category-1 acceptance; step up to ML-KEM-1024 for Category-5 or long-lived secrets.
- **General-purpose signatures:** use **ML-DSA-65** (Category 3). No floating point, easy constant-time, moderate sizes [@fips-204].
- **Firmware, boot, root-of-trust (low volume, maximum conservatism):** use **SLH-DSA-128s** for smaller signatures or **128f** for faster signing. You sign rarely, so absorb the large signature in exchange for a hash-only assumption [@fips-205].
- **When signature size is the binding constraint:** consider **FN-DSA / Falcon** -- but only with a vetted constant-time implementation, and **not in production until FIPS 206 is final** [@fips-206-perlner-2025]. Until then, prefer ML-DSA.
- **For KEM assumption diversity:** plan for **HQC** as a standardized non-lattice backup **once its FIPS lands**, not today [@nist-ir-8545]. If you need maximal conservatism now and can absorb a huge static key, Classic McEliece is the code-based option outside the FIPS set [@classic-mceliece].

The single most useful thing you can build is an intuition for how many bytes each choice adds. Run the numbers.

<RunnableCode lang="js" title="How many bytes does post-quantum add to a handshake and a cert chain?">{`
// Illustrative only. Estimate the extra bytes post-quantum adds versus classical
// X25519 / Ed25519, for a KEM share and for a 3-certificate chain.

const sizes = {
  'Ed25519':      { sig: 64,   pk: 32 },
  'ML-DSA-65':    { sig: 3309, pk: 1952 },
  'Falcon-512':   { sig: 666,  pk: 897 },
  'SLH-DSA-128s': { sig: 7856, pk: 32 },
};

// A chain of 3 certificates, each carrying one signature + one public key.
function chainBytes(name) {
  const s = sizes[name];
  return (s.sig + s.pk) * 3;
}

for (const n of ['Ed25519','ML-DSA-65','Falcon-512','SLH-DSA-128s']) {
  console.log(n.padEnd(14), String(chainBytes(n)).padStart(6), 'bytes over a 3-cert chain');
}

console.log('---');
const x25519Share = 32 + 32;            // classical key share, round trip
const mlkemAdds   = 1184 + 1088;        // ML-KEM-768 key + ciphertext
console.log('KEM share, classical X25519 :', x25519Share, 'bytes');
console.log('KEM share, ML-KEM-768 hybrid:', x25519Share + mlkemAdds, 'bytes');
`}</RunnableCode>

Rules pick the primitive; discipline keeps it safe. A short pitfall list, drawn straight from the failure catalog:

- **Do not divide a secret by the modulus in variable time.** That was KyberSlash; use constant-time (Barrett) reduction and a library whose constant-time behavior has been tested [@kyberslash-site].
- **Prefer hedged (randomized) signing for ML-DSA, and feed it a good RNG.** The randomized mode is the default and is more resilient to fault and nonce mishaps [@fips-204].
- **Use context strings** to domain-separate signatures across applications and prevent cross-protocol reuse [@fips-204].
- **Keep implicit rejection constant-time.** Never let a KEM surface a decapsulation failure as a distinguishable error or timing tell.
- **Do not hand-roll any of these.** Every primitive has subtle side channels; use standard libraries.

> **Note:** During migration, run post-quantum alongside classical (X25519MLKEM768) so a break or bug in either half is survivable, and migrate *key establishment* before signatures -- harvest-now-decrypt-later already threatens today's recorded traffic, while forged signatures require an attacker who is present in the future [@openssl-35-notes].

On availability: the finalized three are production-ready across the toolchain. OpenSSL 3.5 ships X25519MLKEM768 as a default key share, OpenSSH enabled `mlkem768x25519-sha256` by default in 9.9 and made it the default in 10.0, and ML-KEM and ML-DSA are broadly available across open-source libraries -- liboqs, BoringSSL, AWS-LC, Microsoft SymCrypt, Bouncy Castle, and pyca/cryptography -- with formally verified ML-KEM through the libcrux line [@openssl-35-notes] [@openssh-pq] [@open-quantum-safe]. FN-DSA and HQC are experimental only until their FIPS documents are final. For a sense of how this looks in real deployments, this blog's companion posts trace [the post-quantum migration on Windows](/blog/post-quantum-cryptography-on-windows-the-thirty-year-migrati/) and [the moment ML-KEM arrived in an ordinary `pip install`](/blog/the-thirty-year-migration-ships-in-a-pip-install-how-post-qu/). The forthcoming Part 21 on crypto-agility and cryptographic bills of materials covers how to keep these choices swappable as the toolkit evolves.

<Aside label="The compliance clock">
Post-quantum migration now has deadlines attached. NIST's guidance and its IR 8547 transition plan point toward deprecating quantum-vulnerable algorithms by 2035, and comparable government profiles set similar horizons [@nist-pqc-project]. The practical reading is simple: inventory where you use RSA, Diffie-Hellman, and ECC now, because a decade is not long for a full cryptographic transition, and the harvest-now clock started before the standards were even published.
</Aside>

<Spoiler kind="hint" label="A command to see what your OpenSSL already supports">
If you have OpenSSL 3.5 or later installed, you can list its post-quantum groups and signature algorithms with `openssl list -kem-algorithms` and `openssl list -signature-algorithms`. Seeing `ML-KEM-768` and `X25519MLKEM768` in that output is the concrete, on-your-own-machine version of this entire article: the migration is not a forecast, it is already in your crypto library [@openssl-35-notes].
</Spoiler>

The rules above answer "what." These next answer the questions that come up in review.

## 11. Questions From the Review Room

<FAQ title="Frequently asked questions">
<FAQItem question="Are these algorithms already broken?">
No. There is no cryptanalytic break of any of the five. The only real-world failures are implementation leaks -- KyberSlash's secret-dependent division timing [@kyberslash-site] and Falcon's floating-point Gram-Schmidt leakage [@fouque-gsnorm-2019] -- and both are fixed by better code, not new math. The era's two famous breaks, SIKE and Rainbow, hit schemes that were never selected for the toolkit [@castryck-decru-sidh-2022] [@beullens-rainbow-2022].
</FAQItem>
<FAQItem question="If I use TLS today, is my data safe?">
Against a classical attacker, yes. Against harvest-now-decrypt-later, not for long-lived secrets: an adversary can record today's session and decrypt it once a quantum computer arrives, which is why you migrate key establishment first and why hybrids are already shipping [@nist-pqc-project] [@openssl-35-notes].
</FAQItem>
<FAQItem question="Can I just swap a KEM in where I used Diffie-Hellman?">
Not in general. A KEM is not a non-interactive key exchange -- there is no trusted post-quantum static-static agreement -- so protocols that relied on that property must be redesigned around an interactive KEM handshake rather than reconfigured in place.
</FAQItem>
<FAQItem question="Are FN-DSA and HQC standardized yet?">
No. FN-DSA (Falcon) was still in development toward FIPS 206 as of this writing [@fips-206-perlner-2025], and HQC was only selected on 2025-03-11 with a draft FIPS pending [@nist-ir-8545]. Do not ship either in production yet.
</FAQItem>
<FAQItem question="Why five algorithms instead of one?">
Because no single primitive wins on size, speed, assumption conservatism, and maturity at once, and because spreading the toolkit across three unrelated hard problems -- lattices, hashes, and codes -- means one mathematical break cannot take everything down. The 2022 breaks of SIKE and Rainbow, both outside the toolkit, are the empirical argument for that hedge [@nist-ir-8545] [@castryck-decru-sidh-2022].
</FAQItem>
<FAQItem question="Kyber versus ML-KEM: are they the same thing?">
Essentially yes. ML-KEM (FIPS 203) is the standardized CRYSTALS-Kyber with standardization edits, and the same relationship holds for Dilithium to ML-DSA and SPHINCS+ to SLH-DSA [@fips-203] [@crystals-kyber]. If you learned Kyber, you already know ML-KEM.
</FAQItem>
<FAQItem question="Do I need a quantum computer to test this, and is it the same as quantum key distribution?">
No and no. All five primitives run on ordinary classical hardware today [@nist-pqc-project]. Quantum key distribution is a physics-layer technique that uses quantum hardware to exchange keys; post-quantum cryptography is classical software designed to resist quantum *attacks*. They solve related problems by completely different means.
</FAQItem>
</FAQ>

Step back to the shape of the whole thing. One event in 1994 condemned all deployed public-key cryptography [@shor-1994]. The field's answer was not a single replacement but a portfolio hedged across three unrelated assumptions and tuned to five different binding constraints, three of them already law and two still in progress. The most striking fact remains the quietest one: after a decade of open, adversarial cryptanalysis, nothing in the toolkit has been broken -- only its early code has leaked.

The real test is still ahead. When the next break comes, and history suggests one eventually will, the entire point of this design is that it lands on one assumption family while the others carry the load. That is not a promise that the math is unbreakable. It is a bet, made in the open, that diversity outlasts any single idea -- and a spare, HQC, waiting in reserve for the day the bet is called.

<StudyGuide slug="the-post-quantum-toolkit" keyTerms={[
  { term: "ML-KEM (FIPS 203)", definition: "The standardized Module-LWE key-encapsulation mechanism; the deployed post-quantum KEM, small and fast, secured by FO with implicit rejection." },
  { term: "ML-DSA (FIPS 204)", definition: "The default post-quantum signature; a Fiat-Shamir-with-aborts lattice scheme using uniform integers and no floating point." },
  { term: "SLH-DSA (FIPS 205)", definition: "The conservative backstop signature; stateless hash-based, resting only on hash-function security, with tiny keys but very large signatures." },
  { term: "FN-DSA / Falcon", definition: "Pre-final (FIPS 206 in development). GPV hash-and-sign over NTRU with the smallest signatures, but a hard-to-implement floating-point sampler." },
  { term: "HQC", definition: "Pre-final (selected 2025-03-11). A code-based KEM providing non-lattice assumption diversity, with a public decoder and a bounded, secret-independent failure rate." },
  { term: "Harvest now, decrypt later", definition: "Recording encrypted traffic today to decrypt once quantum computers exist; the reason key establishment migrates first." },
  { term: "Fujisaki-Okamoto with implicit rejection", definition: "The transform giving KEMs chosen-ciphertext security by returning a pseudo-random key on failure, closing the decapsulation-failure oracle." },
  { term: "Fiat-Shamir with aborts", definition: "Signing by reject-and-restart so the released transcript is provably independent of the secret key." },
  { term: "Transcript leakage", definition: "When public outputs statistically depend on the secret key, so enough valid outputs recover it, as in the NTRUSign parallelepiped break." },
  { term: "KEM is not NIKE", definition: "A key-encapsulation mechanism cannot replace non-interactive static-static Diffie-Hellman, so some protocols need redesign, not a drop-in swap." }
]} />
