In August 2024, NIST made history by releasing the first-ever post-quantum cryptographic standards. FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA) represent years of rigorous research and testing, providing organizations with standardized, quantum-resistant algorithms they can confidently deploy.
FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM)
FIPS 203, derived from the CRYSTALS-Kyber algorithm, standardizes a key encapsulation mechanism (KEM) for securely exchanging cryptographic keys. Key exchange is fundamental to virtually all secure communications—every time you visit an HTTPS website or send an encrypted message, a key exchange occurs.
ML-KEM offers three security levels:
- ML-KEM-512: Roughly equivalent to AES-128 security
- ML-KEM-768: Roughly equivalent to AES-192 security
- ML-KEM-1024: Roughly equivalent to AES-256 security
The algorithm is based on the hardness of the Module Learning With Errors (MLWE) problem, a lattice-based mathematical challenge that remains difficult for both classical and quantum computers.
How ML-KEM Works Under the Hood
Unlike classical Diffie-Hellman key exchange, ML-KEM operates in three phases: key generation, encapsulation, and decapsulation. During key generation, the server produces a public/private key pair rooted in a structured lattice. A client uses the public key to encapsulate a shared secret—essentially encrypting a random value such that only the holder of the private key can recover it. The private key holder then decapsulates to extract the same shared secret. Both sides now possess identical keying material without ever transmitting it in the clear.
The security guarantee comes from the Module Learning With Errors (MLWE) problem: given a matrix A and a noisy product b = As + e, recovering the secret vector s is computationally intractable on both classical and quantum hardware. This noise-injection technique is what makes lattice-based KEMs fundamentally different from number-theoretic schemes like RSA or ECDH, which rely on integer factorisation or discrete logarithm problems that Shor's algorithm efficiently solves.
Classical Diffie-Hellman is an interactive key exchange—both parties contribute randomness. ML-KEM is a key encapsulation: one party generates the shared secret and ships an encrypted capsule. The distinction matters because KEMs are composable, easier to prove secure, and map cleanly onto TLS 1.3 handshakes, which is why NIST chose this structure over a traditional DH-style protocol.
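To make the three phases concrete, here is a toy plain-LWE key encapsulation written for this article (it is not NIST's reference code nor any library's ML-KEM): the server publishes b = A*s + e, the client hides each key bit under fresh noise, and the server strips s*u to recover the same key. The parameters are constructed and deliberately insecure; only the structure mirrors ML-KEM.

```python
import hashlib
import random

# Toy LWE key encapsulation, added to illustrate the keygen / encapsulate / decapsulate flow
# and the b = A*s + e structure from the text. Parameters are constructed, tiny and NOT secure;
# real ML-KEM works over module polynomials (ML-KEM-768: degree-256 polynomials, rank 3).
Q = 3329        # modulus borrowed from ML-KEM for familiarity
N = 16          # LWE dimension
KEY_BITS = 16   # key bits encapsulated, one (u, v) pair per bit

def small(rng, n):                       # centred noise, entries in {-1, 0, 1}
    return [rng.choice((-1, 0, 1)) for _ in range(n)]
def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q
def matvec(A, x):
    return [dot(row, x) for row in A]
def derive_key(bits):                    # ML-KEM hashes with SHA3/SHAKE; SHA-256 stands in
    return hashlib.sha256(bytes(bits)).hexdigest()

def keygen(rng):
    """Public key (A, b = A*s + e mod Q); private key s."""
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
    s, e = small(rng, N), small(rng, N)
    b = [(x + y) % Q for x, y in zip(matvec(A, s), e)]
    return (A, b), s

def encapsulate(pk, rng):
    """Pick random key bits and hide each under fresh LWE noise; return (ciphertext, key)."""
    A, b = pk
    At = [list(col) for col in zip(*A)]                        # A transposed
    bits = [rng.randrange(2) for _ in range(KEY_BITS)]
    ct = []
    for bit in bits:
        r, e1, e2 = small(rng, N), small(rng, N), rng.choice((-1, 0, 1))
        u = [(x + y) % Q for x, y in zip(matvec(At, r), e1)]  # u = A^T r + e1
        v = (dot(b, r) + e2 + bit * (Q // 2)) % Q             # v = b.r + e2 + encode(bit)
        ct.append((u, v))
    return ct, derive_key(bits)

def decapsulate(sk, ct):
    """v - s.u leaves e.r + e2 - e1.s + encode(bit); |noise| <= 33 << Q/4, so rounding recovers the bit."""
    bits = [1 if Q // 4 < (v - dot(sk, u)) % Q < 3 * Q // 4 else 0 for u, v in ct]
    return derive_key(bits)

def demo(seed=1):                        # one full exchange; True when both sides agree on the key
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    ct, client_key = encapsulate(pk, rng)
    return client_key == decapsulate(sk, ct)
```

The noise bound in `decapsulate` is the whole correctness argument: with entries in {-1, 0, 1} and N = 16 the residual error never exceeds 33, far below Q/4, which is exactly the margin real ML-KEM parameter sets are tuned to keep (with a small, bounded failure probability).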
FIPS 204: Module-Lattice-Based Digital Signature Algorithm (ML-DSA)
FIPS 204, derived from CRYSTALS-Dilithium, provides quantum-resistant digital signatures. Digital signatures authenticate the source of messages and ensure data hasn't been tampered with—essential for everything from software updates to financial transactions.
ML-DSA also offers three security levels:
- ML-DSA-44: Category 2 security (comparable to SHA-256/AES-128)
- ML-DSA-65: Category 3 security (comparable to AES-192)
- ML-DSA-87: Category 5 security (comparable to AES-256)
Performance Characteristics
ML-DSA-65 (Dilithium3) achieves signing in approximately 60µs and verification in 39µs on modern hardware—fast enough for real-time authentication at scale.
Signing and Verification in Practice
ML-DSA signing works through a "Fiat-Shamir with aborts" paradigm. The signer samples a masking vector, computes a commitment, derives a challenge hash, and then checks whether the resulting signature would leak information about the secret key. If it would, the attempt is aborted and retried. This rejection-sampling loop typically converges in 4–7 iterations, yielding consistent ~60µs signing times.
Verification is deterministic and faster: reconstruct the commitment from the public key, the message, and the signature, then check that the challenge hash matches. No rejection sampling, no retries—a single-pass computation in ~39µs.
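The rejection loop and the single-pass verifier are easiest to see in a toy "Fiat-Shamir with aborts" scheme over plain integer vectors, written for this article (not ML-DSA reference code, and not H33's implementation). Parameters, the message and the {-1, +1} challenge are constructed simplifications; only the abort logic mirrors ML-DSA.

```python
import hashlib
import random

# Toy "Fiat-Shamir with aborts" signature over integer vectors mod Q, added to show the
# rejection loop and single-pass verification described above. Parameters are constructed,
# tiny and NOT secure; real ML-DSA uses polynomial rings, t = A*s1 + s2 and a 256-coefficient challenge.
Q = 8380417     # ML-DSA modulus, kept for familiarity
N = 8           # vector dimension
ETA = 2         # secret coefficients lie in [-ETA, ETA]
GAMMA1 = 16     # mask coefficients lie in [-GAMMA1 + 1, GAMMA1]
BETA = ETA      # |c * s_i| <= BETA since the toy challenge c is in {-1, +1}

def matvec(A, x):
    return [sum(a * b for a, b in zip(row, x)) % Q for row in A]
def keygen(rng):
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
    s = [rng.randint(-ETA, ETA) for _ in range(N)]
    return (A, matvec(A, s)), s            # public (A, t = A*s), private s
def challenge(w, msg):                     # challenge hash of commitment w and message
    return hashlib.sha256(repr(w).encode() + msg).digest()
def c_of(ch):                              # toy challenge value: low bit of the hash
    return 1 if ch[0] & 1 else -1

def sign(pk, sk, msg, rng):
    """Return (z, challenge, attempts); retries until z stays inside the leak-free box."""
    A, _ = pk
    attempts = 0
    while True:
        attempts += 1
        y = [rng.randint(-GAMMA1 + 1, GAMMA1) for _ in range(N)]   # fresh mask each attempt
        ch = challenge(matvec(A, y), msg)                           # commitment w = A*y
        z = [yi + c_of(ch) * si for yi, si in zip(y, sk)]
        if max(abs(zi) for zi in z) < GAMMA1 - BETA:                # abort check
            return z, ch, attempts
        # an out-of-range z would correlate with s: discard this attempt and resample y

def verify(pk, msg, sig):
    """Single pass: rebuild w = A*z - c*t (equals A*y) and recompute the challenge."""
    A, t = pk
    z, ch, _ = sig
    if max(abs(zi) for zi in z) >= GAMMA1 - BETA:
        return False
    w = [(az - c_of(ch) * ti) % Q for az, ti in zip(matvec(A, z), t)]
    return challenge(w, msg) == ch

def demo(seed=1, msg=b"firmware-1.2.3"):  # -> (genuine verifies, tampered verifies, attempts)
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    sig = sign(pk, sk, msg, rng)
    return verify(pk, msg, sig), verify(pk, msg + b"!", sig), sig[2]
```

With these toy bounds each attempt is accepted with probability (27/32)^8, about one in four, so `demo` typically reports a handful of attempts, the same order of magnitude as the 4 to 7 iterations quoted for ML-DSA.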
H33 deploys ML-DSA (Dilithium) as the attestation layer in its full-stack authentication pipeline. On Graviton4 hardware (c8g.metal-48xl, 96 cores), the complete pipeline—BFV fully homomorphic encryption, ZKP lookup, and Dilithium attestation—delivers 2,172,518 authentications per second at ~42µs per auth. The Dilithium sign-and-verify step itself takes approximately 244µs per 32-user batch, amortised across a single BFV ciphertext.
Key Size Considerations
One significant change from classical cryptography is key size. Post-quantum algorithms require larger keys:
| Parameter | Post-Quantum | Classical Equivalent | Size Ratio |
|---|---|---|---|
| ML-KEM-768 public key | 1,184 bytes | X25519: 32 bytes | 37x |
| ML-DSA-65 public key | 1,952 bytes | Ed25519: 32 bytes | 61x |
| ML-DSA-65 signature | 3,293 bytes | Ed25519: 64 bytes | 51x |
While larger, these sizes are manageable for most applications. A single ML-DSA-65 signature at 3,293 bytes is still smaller than a typical JPEG thumbnail. The increased security against quantum attacks far outweighs the modest increase in bandwidth and storage requirements.
For systems running at scale, the key-size overhead is dominated by computation, not network transfer. H33's in-process DashMap ZKP cache resolves lookups in 0.085µs—the additional bytes in post-quantum signatures add negligible latency compared to the cryptographic operations themselves.
The Underlying Math: Why Lattices Resist Quantum Attack
Both FIPS 203 and FIPS 204 derive their security from lattice problems—specifically, the Module Learning With Errors (MLWE) and Module Short Integer Solution (MSIS) problems. Unlike RSA (factoring) or ECDSA (discrete log), no known quantum algorithm solves these lattice problems in polynomial time. Shor's algorithm, which devastates RSA and elliptic-curve cryptography, operates on the algebraic structure of cyclic groups—a structure that lattice problems do not expose.
The best known quantum attack against MLWE is Grover-enhanced lattice sieving, which provides only a modest square-root speedup on the combinatorial search step. For the parameter sets chosen by NIST, this still requires at least 2^128 operations at Security Category 1 and 2^256 at Category 5—well beyond any foreseeable quantum computer.

Migration Strategies
NIST recommends a phased approach to adopting these standards:
- Inventory: Identify all systems using public-key cryptography
- Prioritize: Focus first on systems protecting long-lived secrets
- Hybrid deployment: Run classical and PQC algorithms in parallel during transition
- Full migration: Eventually deprecate classical algorithms entirely
Hybrid Deployment in Practice
Hybrid mode is not optional—it is the recommended path for any production system that cannot tolerate a single-algorithm failure. In a hybrid TLS handshake, the client and server negotiate both an ML-KEM key encapsulation and a classical X25519 exchange. The final session key is derived from both results, meaning the connection remains secure even if one algorithm is later found to be broken.
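The "derived from both results" step is a key combiner. The following is an added illustration, not H33's code or any TLS stack's: both shared secrets are concatenated and run through HKDF (RFC 5869) together with a transcript hash, so the output is unpredictable while either component secret is. The 32-byte sample secrets and the transcript string are constructed values, not real handshake output.

```python
import hashlib
import hmac

# Hybrid key combiner, added to illustrate deriving one session key from an ML-KEM shared
# secret and an X25519 shared secret. Follows the common concatenate-then-HKDF pattern used
# by hybrid TLS 1.3 key-share designs; constants and sample bytes below are constructed.

def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk, info, length):
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def hybrid_session_key(ss_mlkem, ss_x25519, transcript):
    """Session key from both shared secrets plus the handshake transcript.

    HKDF is a PRF over the whole input keying material, so the result stays secret as
    long as at least one of the two shared secrets does.
    """
    if len(ss_mlkem) != 32 or len(ss_x25519) != 32:   # ML-KEM-768 and X25519 both yield 32 bytes
        raise ValueError("unexpected shared-secret length")
    ikm = ss_mlkem + ss_x25519                          # order must be fixed by the protocol spec
    prk = hkdf_extract(b"\x00" * 32, ikm)
    info = b"hybrid handshake key" + hashlib.sha256(transcript).digest()
    return hkdf_expand(prk, info, 32)

# Constructed sample inputs (not real handshake output).
SS_MLKEM = bytes(range(32))
SS_X25519 = bytes(range(100, 132))
TRANSCRIPT = b"ClientHello|ServerHello|hybrid key shares (constructed sample)"

def demo():
    """True when changing either component secret changes the derived key."""
    base = hybrid_session_key(SS_MLKEM, SS_X25519, TRANSCRIPT)
    other_kem = hybrid_session_key(bytes(32), SS_X25519, TRANSCRIPT)    # ML-KEM component differs
    other_ecdh = hybrid_session_key(SS_MLKEM, bytes(32), TRANSCRIPT)    # X25519 component differs
    return base != other_kem and base != other_ecdh and len(base) == 32
```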
H33 implements this principle at the authentication layer. Every auth call passes through BFV fully homomorphic encryption for biometric matching (lattice-based, post-quantum secure), a STARK-based ZKP lookup for proof verification, and a Dilithium signature for attestation. No single component failure compromises the pipeline. The entire stack runs in a single API call at ~42µs per authentication.
Compliance Timeline
Federal agencies and their contractors face mandatory compliance timelines. NIST's internal guidance targets 2030 for deprecating standalone classical algorithms in new systems and 2035 for full retirement of legacy deployments. The broader industry should anticipate similar requirements from regulators and customers. Financial services, healthcare, and defence-adjacent contractors are already facing audit questions about post-quantum readiness.
Starting your migration now provides ample time to test, iterate, and ensure a smooth transition. Organizations that wait until 2029 will face compressed timelines, scarce PQC expertise, and the risk of "harvest now, decrypt later" attacks on data collected today.
The Bottom Line
FIPS 203 and 204 represent a watershed moment in cryptography. They provide the standardized foundation organizations need to begin their quantum-resistant journey with confidence. The algorithms are fast, the parameter sets are conservative, and production-grade implementations already exist. The only remaining variable is when you start.
Ready to Go Quantum-Secure?
Start protecting your users with post-quantum authentication today. 1,000 free auths, no credit card required.