NIST Post-Quantum Migration Guide (2026)
How to convert your stack to NIST post-quantum cryptography without rebuilding everything. Step-by-step migration plan.
The NIST post-quantum cryptography standards are finalized. FIPS 203 (ML-KEM/Kyber) and FIPS 204 (ML-DSA/Dilithium) are production-ready. Federal agencies have a hard deadline. Private sector organizations face mounting pressure from regulators, insurers, and customers.
The question is no longer whether to migrate. It's how — without rebuilding your entire infrastructure.
This guide covers the complete migration path: what needs to change, what doesn't, what breaks if you get it wrong, and how to do it in weeks instead of years.
Why Migration Can't Wait
Quantum computers capable of breaking RSA-2048 and ECC P-256 are estimated to arrive between 2030 and 2035. But the threat is already here — adversaries are executing "harvest now, decrypt later" (HNDL) attacks, capturing encrypted data today with the intention of decrypting it once quantum hardware matures.
Every day your systems transmit data encrypted with classical algorithms, that data becomes a future liability. Medical records, financial transactions, legal communications, authentication tokens — all of it is being collected.
NIST finalized the post-quantum standards in August 2024 specifically because this window is closing. The migration timeline is not a suggestion. It's a countdown.
What Actually Needs to Change
Most organizations assume post-quantum migration means replacing everything. It doesn't. Here's what actually changes:
Must Change
- Key exchange — RSA and ECDH key exchanges must be replaced with ML-KEM (FIPS 203). This affects TLS handshakes, API authentication, and session establishment.
- Digital signatures — RSA and ECDSA signatures must be replaced with ML-DSA (FIPS 204). This affects code signing, document signing, certificate chains, and API request authentication.
- Certificate infrastructure — X.509 certificates need to support post-quantum algorithms. This is the most operationally complex part of migration.
- Key encapsulation in transit — Any system transmitting encryption keys using classical algorithms needs to be upgraded.
Does Not Change
- Symmetric encryption — AES-256 is already quantum-resistant. Your data-at-rest encryption stays.
- Hash functions — SHA-256 and SHA-3 are quantum-resistant. Your integrity checks stay.
- Application logic — Your business logic, APIs, databases, and user interfaces don't change.
- Network architecture — Your VPCs, load balancers, CDNs, and routing stay the same.
The migration surface is narrower than most organizations think. It's the asymmetric cryptography layer — key exchange and signatures — that needs to be replaced. Everything else stays.
The Three Migration Approaches
1. Full Rebuild ($2M–$18M, 12–24 months)
Replace your entire cryptographic stack. Rewrite TLS configurations, re-issue all certificates, update every SDK, retrain every team. This is what most consultants recommend because it's the most billable approach.
For most organizations, this is unnecessary and dangerous. You're introducing migration risk across every system simultaneously.
2. Hybrid Mode ($500K–$2M, 6–12 months)
Run classical and post-quantum algorithms in parallel. TLS connections negotiate both ML-KEM and ECDH. Signatures include both ML-DSA and ECDSA. If the post-quantum layer fails, the classical layer catches it.
This is the recommended approach for organizations with existing infrastructure they can't afford to break. It's also what NIST recommends during the transition period.
3. API Abstraction ($0–$200/mo, days)
Route your cryptographic operations through an API that handles post-quantum algorithms on the backend. Your application code doesn't change. Your infrastructure doesn't change. The API handles ML-KEM, ML-DSA, and FIPS compliance.
This is what H33 provides. One API call replaces your encryption, signing, and key exchange layer with NIST-compliant post-quantum cryptography. No library changes. No certificate re-issuance. No infrastructure rebuild.
Step-by-Step Migration Plan
Phase 1: Audit (Week 1)
Identify every system that uses asymmetric cryptography. This includes:
- TLS termination points (load balancers, reverse proxies, API gateways)
- Certificate chains (internal CA, public CA, client certificates)
- API authentication (JWT signing, HMAC, OAuth token generation)
- Code signing (CI/CD pipelines, package managers)
- Document signing (contracts, compliance reports, audit trails)
- Key exchange (session establishment, inter-service communication)
H33's HICS scanner can automate this audit. Run `hics scan .` against your codebase to identify classical cryptography dependencies.
Phase 2: Prioritize (Week 2)
Not everything needs to migrate at once. Prioritize by data sensitivity and exposure window:
- Immediate — Systems handling data with long-term confidentiality requirements (medical records, financial data, legal communications)
- Soon — Authentication and session management (exposed to HNDL attacks)
- Planned — Internal systems, development environments, non-sensitive data flows
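The audit and prioritization steps above can be sketched as a small inventory pass. This is an added example, not H33's HICS scanner or any code from this guide: the pattern list, the data-class tags and the sample systems are constructed assumptions. It sorts identifiers into the guide's "Must Change" and "Does Not Change" groups (HS256 is HMAC, a symmetric construction, so it lands in the second group) and orders the systems that need work by the Phase 2 tiers.

```python
import re

# (pattern, label, status); status follows the page's "Must Change" /
# "Does Not Change" split. Illustrative assumption, far from exhaustive.
RULES = [
    (r"\b(RS|PS)(256|384|512)\b", "RSA signature (JWT)", "must_change"),
    (r"\bES(256|384|512)\b", "ECDSA signature (JWT)", "must_change"),
    (r"\bECDHE?\b", "ECDH key exchange", "must_change"),
    (r"\bRSA\b", "RSA", "must_change"),
    (r"\b(prime256v1|secp256r1|secp384r1)\b", "ECC curve", "must_change"),
    (r"\bHS(256|384|512)\b", "HMAC (symmetric)", "stays"),
    (r"\bAES[-_]?256\b", "AES-256", "stays"),
    (r"\bSHA-?(256|384|512)\b", "SHA-2", "stays"),
]

# Phase 2 tiers keyed by a data-class tag (tag names are assumptions).
TIER = {"long_term_confidential": "Immediate",
        "auth_session": "Soon",
        "internal": "Planned"}
ORDER = {"Immediate": 0, "Soon": 1, "Planned": 2}

# Constructed inventory: system -> (data class, config or source excerpt).
SYSTEMS = {
    "patient-records-api": ("long_term_confidential",
                            "ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;"),
    "login-service": ("auth_session",
                      'jwt.sign(payload, key, {algorithm: "RS256"})'),
    "webhook-verifier": ("auth_session",
                         'jwt.verify(token, secret, {algorithms: ["HS256"]})'),
    "dev-sandbox": ("internal", "openssl ecparam -name prime256v1 -genkey"),
}

def classify(text):
    """Map status -> sorted labels of every rule that matches the text."""
    found = {}
    for pattern, label, status in RULES:
        if re.search(pattern, text):
            found.setdefault(status, set()).add(label)
    return {status: sorted(labels) for status, labels in found.items()}

def audit(systems):
    """Return [(tier, system, classical primitives)] ordered by urgency."""
    plan = []
    for name, (data_class, text) in systems.items():
        classical = classify(text).get("must_change")
        if classical:  # only symmetric or hash hits: nothing to migrate
            plan.append((TIER[data_class], name, classical))
    return sorted(plan, key=lambda row: (ORDER[row[0]], row[1]))
```

String matching of this kind only finds algorithm names that appear literally; keys and certificates generated elsewhere still need to be inspected directly.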
Phase 3: Integrate (Weeks 3–4)
For each system, choose your integration method:
API integration (recommended for most systems):
```
POST /v1/decision
{
  "input": encrypted_data,
  "policy": "pq_sign_and_verify"
}
→ returns: result + H33-74 proof
```
One endpoint. H33 handles ML-KEM key exchange, ML-DSA signing, and FIPS 204 compliance automatically. No cryptographic decisions required.
SDK integration (for latency-sensitive paths):
```
cargo add h33-client
# or
npm install @h33/sdk
# or
pip install h33
```
Phase 4: Verify (Week 5)
Every H33 API call returns an H33-74 attestation — a 74-byte proof that the operation was executed with NIST-compliant post-quantum cryptography. This proof is independently verifiable and anchored to Bitcoin mainnet.
Your auditors, regulators, and insurers can verify compliance without trusting your word. The proof is mathematical.
Phase 5: Attest Continuously (Ongoing)
Migration is not a one-time event. Controls drift. Configurations change. New services get deployed with classical cryptography.
HATS continuously attests that your post-quantum controls are operating as declared. If a service falls back to RSA or ECDH, HATS detects it in real time and produces a cryptographic record of the deviation.
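The kind of drift described above can also be checked from ordinary TLS logs. The following is an added example, not HATS and not H33 code. It assumes a log format that records the negotiated key-exchange group for each handshake (nginx can log this with `$ssl_curve`); the log lines and service names are constructed.

```python
# TLS 1.3 hybrid groups that include ML-KEM. How a given server writes the
# group name to its log is an assumption here.
PQ_HYBRID_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}

# Constructed log: timestamp, service, protocol, negotiated group.
LOG = """\
2026-01-12T09:00:01Z billing-api TLSv1.3 X25519MLKEM768
2026-01-12T09:00:04Z legacy-reports TLSv1.2 prime256v1
2026-01-12T09:00:09Z billing-api TLSv1.3 X25519MLKEM768
2026-01-12T09:01:30Z billing-api TLSv1.3 X25519
malformed line
2026-01-12T09:02:11Z legacy-reports TLSv1.2 prime256v1
"""

def find_deviations(log_text):
    """Return (timestamp, service, group, kind) per classical-only handshake.

    kind is "fallback" when the service negotiated a hybrid group earlier in
    the log, and "never_pq" when it has not been seen doing so.
    """
    seen_pq = set()
    events = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed format
        ts, service, _protocol, group = fields
        if group in PQ_HYBRID_GROUPS:
            seen_pq.add(service)
            continue
        kind = "fallback" if service in seen_pq else "never_pq"
        events.append((ts, service, group, kind))
    return events

def summarize(events):
    """Count deviations per (service, kind), e.g. for alert thresholds."""
    counts = {}
    for _ts, service, _group, kind in events:
        counts[(service, kind)] = counts.get((service, kind), 0) + 1
    return counts

if __name__ == "__main__":
    for event in find_deviations(LOG):
        print(*event)
```

A classical negotiation can reflect a client that does not offer a hybrid group rather than a server change, so a "fallback" event is a prompt to compare client capability and server configuration.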
Key Size and Performance Considerations
Post-quantum algorithms have larger key sizes than their classical counterparts:
| Algorithm | Public Key | Signature | Security Level |
|---|---|---|---|
| RSA-2048 | 256 bytes | 256 bytes | 112-bit (broken by quantum) |
| ML-DSA-65 (Dilithium) | 1,952 bytes | 3,309 bytes | NIST Level 3 (quantum-safe) |
| FALCON-512 | 897 bytes | 690 bytes | NIST Level 1 (quantum-safe) |
| SLH-DSA-128f (SPHINCS+) | 32 bytes | 17,088 bytes | NIST Level 1 (quantum-safe) |
Larger keys mean more bandwidth and storage. But the performance impact is manageable. H33's production pipeline processes ML-DSA signing and verification in under 400 microseconds — fast enough for real-time authentication at 1.6M+ operations per second.
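To see where the larger sizes show up first, the sketch below estimates the key and signature bytes a TLS 1.3 server sends to authenticate itself, using the table's figures. It is an added example, not H33 code or H33 measurements. It assumes every certificate in the chain uses the same algorithm, an initial congestion window of 10 segments of 1460 bytes, and loss-free slow start.

```python
# (public key bytes, signature bytes) copied from the table above.
SIZES = {
    "RSA-2048": (256, 256),
    "ML-DSA-65": (1952, 3309),
    "FALCON-512": (897, 690),
    "SLH-DSA-128f": (32, 17088),
}

# Assumption: initial congestion window of 10 segments (RFC 6928), 1460 bytes each.
INITCWND_BYTES = 10 * 1460

def auth_bytes(alg, certs_sent=2):
    """Key and signature bytes a TLS 1.3 server sends to authenticate.

    Each certificate sent carries one public key and one issuer signature,
    and CertificateVerify adds one more signature. Names, extensions, SCTs
    and the key-exchange share are ignored, so this is a lower bound.
    """
    pk, sig = SIZES[alg]
    return certs_sent * (pk + sig) + sig

def flights(total, initcwnd=INITCWND_BYTES):
    """Round trips needed to deliver `total` bytes when the window starts at
    initcwnd and doubles every round trip (a simplification of slow start)."""
    sent, window, n = 0, initcwnd, 0
    while sent < total:
        sent += window
        window *= 2
        n += 1
    return n

def report(certs_sent=2):
    """Map algorithm -> (authentication bytes, round trips to deliver them)."""
    return {alg: (auth_bytes(alg, certs_sent), flights(auth_bytes(alg, certs_sent)))
            for alg in SIZES}

if __name__ == "__main__":
    for depth in (2, 3):
        for alg, (size, trips) in report(depth).items():
            print(f"chain={depth} {alg:<13} {size:>6} bytes  {trips} flight(s)")
```

Under these assumptions a two-certificate ML-DSA-65 chain still fits in the first flight with little room to spare, while a three-certificate chain does not.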
What Happens If You Don't Migrate
Regulatory pressure is accelerating. The White House issued NSM-10 requiring federal agencies to inventory cryptographic systems. OMB M-23-02 requires agencies to submit migration plans. CNSA 2.0 sets specific deadlines for Department of Defense systems.
For private sector organizations, the pressure comes from:
- Cyber insurers — increasingly requiring evidence of post-quantum readiness for policy renewal
- Enterprise customers — adding post-quantum requirements to vendor assessments
- Regulators — GDPR, HIPAA, PCI-DSS all require "state of the art" encryption, which will soon mean post-quantum
- Auditors — SOC 2 and ISO 27001 audits are beginning to flag classical-only cryptography
The H33 Approach: One API, No Rebuild
H33 is verifiable decision infrastructure. One API call gives you NIST-compliant post-quantum cryptography — ML-KEM key exchange, ML-DSA signatures, FHE encrypted computation, and ZK-STARK proofs — without changing your application code or infrastructure.
You are not integrating cryptography. You are calling an endpoint.
Every call returns an H33-74 attestation: 74 bytes of post-quantum proof, independently verifiable, anchored to Bitcoin mainnet. Your migration is not just complete — it's provable.
Sandbox free. No credit card. Full NIST FIPS 203/204 compliance from your first call.