What FIPS 203 and FIPS 204 Actually Standardize
In August 2024, NIST released the first three finalized post-quantum cryptographic standards. Two of them are directly relevant to virtually every production system on the planet:
- FIPS 203 (ML-KEM) standardizes CRYSTALS-Kyber for key encapsulation. It replaces RSA key exchange, Diffie-Hellman, and ECDH in TLS handshakes, key agreement protocols, and hybrid encryption schemes. ML-KEM operates on Module Learning With Errors (MLWE), a lattice problem with no known quantum or classical polynomial-time solution.
- FIPS 204 (ML-DSA) standardizes CRYSTALS-Dilithium for digital signatures. It replaces RSA signatures, ECDSA, and EdDSA for code signing, document authentication, certificate issuance, and API request verification. ML-DSA is built on Module Short Integer Solution (MSIS) and MLWE problems.
A third standard, FIPS 205 (SLH-DSA, based on SPHINCS+), provides a hash-based signature alternative. However, its significantly larger signatures (up to 49,856 bytes vs. ML-DSA's 3,309 bytes at security level 3) make it a backup option rather than a primary deployment target for most systems.
What These Standards Replace
The algorithms being deprecated have been the foundation of internet security for decades. Understanding the mapping is critical for your migration plan:
| Legacy Algorithm | Use Case | FIPS Replacement | Security Level |
|---|---|---|---|
| RSA-2048/3072/4096 | Key exchange, signatures | ML-KEM-768 / ML-DSA-65 | NIST Level 3 (128-bit PQ) |
| ECDH (P-256, P-384) | Key agreement (TLS) | ML-KEM-768 / ML-KEM-1024 | Level 3 / Level 5 |
| ECDSA (P-256, P-384) | Digital signatures | ML-DSA-65 / ML-DSA-87 | Level 3 / Level 5 |
| EdDSA (Ed25519) | Signatures, auth tokens | ML-DSA-44 / ML-DSA-65 | Level 2 / Level 3 |
| DH-2048 | Key exchange | ML-KEM-768 | Level 3 |
The Compliance Timeline
There is no single deadline. The timeline is staggered by sector and system classification:
- January 1, 2027: All new National Security System (NSS) acquisitions must use CNSA 2.0 algorithms, which include ML-KEM-1024 and ML-DSA-87. This is the first hard deadline and it affects every federal contractor, defense supplier, and intelligence community vendor.
- 2027-2030: Federal civilian agencies begin migration under NIST guidance. OMB M-23-02 requires agencies to submit cryptographic inventories and migration plans.
- 2031: Software and firmware signing must exclusively use post-quantum algorithms for NSS.
- 2033: All legacy public-key cryptography must be deprecated in web browsers and custom applications for NSS.
- 2035: Complete deprecation of all classical public-key cryptography across all federal systems. No RSA. No ECDSA. No ECDH. Full stop.
How H33 Implements FIPS 203 and FIPS 204 Natively
H33's post-quantum cryptographic infrastructure implements both ML-KEM (FIPS 203) and ML-DSA (FIPS 204) as native, pure-Rust modules with zero external dependencies. There are no OpenSSL bindings, no C wrappers, no FFI calls. The entire cryptographic stack is written in Rust and runs on AWS Graviton4 ARM infrastructure.
Our ML-KEM implementation supports all three parameter sets (ML-KEM-512, ML-KEM-768, ML-KEM-1024) and our ML-DSA implementation supports all three tiers (ML-DSA-44, ML-DSA-65, ML-DSA-87). In production, H33 processes 2.17 million authentications per second sustained, with each auth completing in 38.5 microseconds.
Integration in Three Lines
Migrating to FIPS 203/204 compliant cryptography with H33 requires no cryptographic expertise on your team. The API abstracts every detail:
```javascript
// Key exchange (FIPS 203 - ML-KEM-768)
const { sharedSecret, ciphertext } = await h33.kem.encapsulate(recipientPublicKey);
// Digital signature (FIPS 204 - ML-DSA-65)
const signature = await h33.sign(document, privateKey);
const valid = await h33.verify(document, signature, publicKey);
```
That is the entire integration surface. Behind those calls, H33 handles parameter selection, constant-time arithmetic, side-channel-resistant sampling, key serialization, and NIST-compliant output encoding. You get a FIPS-compliant cryptographic operation. We handle every implementation detail that could introduce a vulnerability.
What Auditors Will Ask
If you are subject to SOC 2 Type II, FedRAMP, CMMC, or HIPAA audits, your auditors will increasingly ask about post-quantum readiness. Here is what to expect and how to answer:
- "What is your cryptographic inventory?" You need a complete list of every algorithm, key size, and protocol in use across your systems. H33's API documentation provides algorithm identifiers for every operation, making this inventory straightforward.
- "What is your PQC migration timeline?" With H33, the answer is: "Migration is complete. We use ML-KEM (FIPS 203) for key encapsulation and ML-DSA (FIPS 204) for digital signatures via H33's API. No legacy algorithms remain in our cryptographic pipeline."
- "Are your implementations NIST-compliant?" H33's implementations follow the NIST standard specifications exactly. Parameters, encoding formats, and security levels match the published FIPS documents.
- "How do you handle hybrid mode?" During transition periods, H33 supports hybrid key encapsulation (ML-KEM + X25519) and hybrid signatures (ML-DSA + Ed25519) to maintain backward compatibility while providing quantum resistance.
- "What about key management?" H33 provides complete key lifecycle management including generation, rotation, storage, and revocation—all using post-quantum algorithms natively.
FIPS 203/204 Compliance Checklist
Use this checklist to track your organization's compliance posture. Every item is actionable and auditable:
| Item | Requirement | Status |
|---|---|---|
| 1 | Complete cryptographic algorithm inventory across all systems | |
| 2 | Identify all RSA, ECDH, ECDSA, and DH usage in production | |
| 3 | Map each legacy algorithm to its FIPS 203/204 replacement | |
| 4 | Deploy ML-KEM (FIPS 203) for all key encapsulation operations | |
| 5 | Deploy ML-DSA (FIPS 204) for all digital signature operations | |
| 6 | Implement hybrid mode for systems requiring backward compatibility | |
| 7 | Update TLS configurations to support PQ key exchange | |
| 8 | Re-sign all code artifacts, certificates, and documents with ML-DSA | |
| 9 | Validate that key sizes meet minimum security level requirements | |
| 10 | Document migration for SOC 2 / FedRAMP / CMMC evidence collection | |
| 11 | Test interoperability with upstream and downstream partners | |
| 12 | Establish key rotation schedule for post-quantum keys | |
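
As an added illustration of checklist items 1 to 3 (not H33 code and not part of the original article), the script below splits OpenSSL-style TLS 1.2 cipher suite names into their key-exchange and signature components and maps each one to the replacement from the table earlier on this page. The inventory entries, the `nss` flag, and the choice of Level 3 parameter sets for non-NSS systems are assumptions made for the example.

```javascript
// Added example, not H33 code. Replacement names follow this page's mapping
// table; Level 3 sets are assumed as the default for non-NSS systems.
const REPLACEMENT = {
  kex: { RSA: "ML-KEM-768", ECDH: "ML-KEM-768", DH: "ML-KEM-768" },
  sig: { RSA: "ML-DSA-65", ECDSA: "ML-DSA-65" },
};
// CNSA 2.0 parameter sets named in the compliance timeline (NSS systems).
const CNSA = { kex: "ML-KEM-1024", sig: "ML-DSA-87" };

// Split an OpenSSL-style TLS 1.2 suite name into its public-key components.
function parseSuite(name) {
  if (name.startsWith("TLS_")) {
    // TLS 1.3 suite names carry only the AEAD and hash; the key-exchange group
    // and signature algorithm are negotiated separately and need their own entry.
    return { kex: null, sig: null, incomplete: true };
  }
  const [first, second] = name.split("-");
  if (first === "ECDHE" || first === "DHE") {
    return { kex: first === "ECDHE" ? "ECDH" : "DH", sig: second, incomplete: false };
  }
  // No key-exchange prefix (e.g. AES256-GCM-SHA384) means static RSA key
  // transport. PSK and SRP suites are out of scope for this sketch.
  return { kex: "RSA", sig: "RSA", incomplete: false };
}

function planMigration(inventory) {
  return inventory.map(({ system, suite, nss }) => {
    const parsed = parseSuite(suite);
    if (parsed.incomplete) {
      return { system, suite, action: "record key-exchange group and certificate signature algorithm" };
    }
    // Algorithms outside the page's table (e.g. DSS) are flagged, not guessed.
    const pick = (role, alg) => !Object.hasOwn(REPLACEMENT[role], alg) ? "review manually"
      : nss ? CNSA[role] : REPLACEMENT[role][alg];
    return {
      system, suite,
      kex: `${parsed.kex} -> ${pick("kex", parsed.kex)}`,
      sig: `${parsed.sig} -> ${pick("sig", parsed.sig)}`,
    };
  });
}

const inventory = [ // constructed sample entries
  { system: "api-gateway", suite: "ECDHE-RSA-AES256-GCM-SHA384", nss: false },
  { system: "legacy-vpn", suite: "DHE-RSA-AES128-GCM-SHA256", nss: false },
  { system: "mail-relay", suite: "AES256-GCM-SHA384", nss: false },
  { system: "nss-portal", suite: "ECDHE-ECDSA-AES256-GCM-SHA384", nss: true },
  { system: "edge-proxy", suite: "TLS_AES_256_GCM_SHA384", nss: false },
];
console.table(planMigration(inventory));
```

A single suite such as `ECDHE-RSA-...` yields two findings, because both the key exchange and the certificate signature need replacing.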
Key Size and Performance Comparison
One of the practical concerns with post-quantum algorithms is key and signature sizes. Here is what to expect:
| Algorithm | Public Key | Private Key | Ciphertext / Signature | Security Level |
|---|---|---|---|---|
| RSA-2048 | 256 B | 1,024 B | 256 B | ~112-bit classical |
| ECDSA P-256 | 64 B | 32 B | 64 B | ~128-bit classical |
| ML-KEM-768 | 1,184 B | 2,400 B | 1,088 B (CT) | NIST Level 3 (PQ) |
| ML-DSA-65 | 1,952 B | 4,032 B | 3,309 B (sig) | NIST Level 3 (PQ) |
| ML-KEM-1024 | 1,568 B | 3,168 B | 1,568 B (CT) | NIST Level 5 (PQ) |
| ML-DSA-87 | 2,592 B | 4,896 B | 4,627 B (sig) | NIST Level 5 (PQ) |
Yes, post-quantum keys and signatures are larger. But the performance difference on modern hardware is negligible. H33 achieves 291 microseconds for a full ML-DSA sign-and-verify cycle on a single batch of 32 authentications. At scale, this translates to over 2 million verifications per second. The size increase is a minor bandwidth consideration; the security gain is existential.
Why Starting Now Matters
The harvest-now-decrypt-later threat is not theoretical. Nation-state actors are already collecting encrypted traffic at scale, storing it in data lakes, waiting for quantum computers capable of breaking RSA and ECC. The NSA has publicly acknowledged this threat. So has CISA. So has NIST.
If your organization handles data with a sensitivity window longer than 5-10 years—healthcare records, financial transactions, legal documents, intellectual property, government communications—that data is already vulnerable. Not because quantum computers exist today, but because the ciphertext being harvested today will be decryptable when they do.
The cost of migrating later is exponentially higher. Every month of delay means more encrypted data sitting in adversary storage, more systems to retrofit, more emergency engineering under deadline pressure. The organizations that will handle the quantum transition smoothly are the ones migrating now, methodically, while they have time to test, validate, and iterate.
Get Started
H33 provides a free tier that includes access to both ML-KEM (FIPS 203) and ML-DSA (FIPS 204) operations. You can integrate, test, and validate against your existing systems today—before the deadlines arrive, before the audit questions become findings, and before the cost of inaction compounds further.
Read the full post-quantum architecture documentation or explore the API reference to begin your migration.