NIST FIPS 203, 204, 205: Complete PQ Guide
Complete guide to NIST post-quantum standards with parameter tables, security levels, and H33 implementation
In August 2024, NIST published three post-quantum standards: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). These represent eight years of evaluation. For every organization using cryptography, these define the post-quantum foundation.
FIPS 203: ML-KEM (Key Encapsulation)
ML-KEM, formerly CRYSTALS-Kyber, provides key encapsulation -- establishing shared secrets over insecure channels. Replaces RSA key transport and Diffie-Hellman, both broken by Shor's algorithm. Security based on Module Learning With Errors (MLWE).
Parameter Sets
ML-KEM-512 (Level 1): 800-byte public key, 768-byte ciphertext, 32-byte secret. ML-KEM-768 (Level 3): 1,184-byte public key, 1,088-byte ciphertext. ML-KEM-1024 (Level 5): 1,568-byte public key. Module dimension k increases (2, 3, 4); ring dimension n=256 fixed.
H33 uses ML-KEM-768 in hybrid key exchange combining with X25519. Security holds if either assumption holds.
FIPS 204: ML-DSA (Digital Signatures)
ML-DSA, formerly CRYSTALS-Dilithium, provides signatures replacing RSA, ECDSA, EdDSA. Uses Fiat-Shamir-with-aborts: generate masking y, compute w=Ay, hash for challenge c, compute z=y+cs. Rejection sampling ensures signature distribution is independent of secret key.
Parameter Sets
ML-DSA-44 (Level 2): 1,312-byte key, 2,420-byte signature. ML-DSA-65 (Level 3): 1,952-byte key, 3,309-byte signature. ML-DSA-87 (Level 5): 2,592-byte key, 4,627-byte signature. Naming encodes module dimensions: ML-DSA-65 uses k=6, l=5, n=256.
H33 uses ML-DSA-65 as primary signature. Level 3 recommended for general purpose. The 3,309-byte signature is larger than ECDSA (64 bytes), but H33-74 distills the full three-family bundle (21,000+ bytes) to 74 bytes.
FIPS 205: SLH-DSA (Hash-Based Signatures)
SLH-DSA, formerly SPHINCS+, provides signatures based on hash function security rather than lattices. Critical for diversity: if lattice crypto is weakened, SLH-DSA remains secure because SHA-2 collision resistance is independent of lattice hardness.
Uses a hypertree construction achieving statelessness. Security reduces to hash function properties -- among the most studied objects in cryptography.
Parameter Sets
Twelve sets across three levels and two profiles: f (fast) and s (small). SLH-DSA-SHA2-128f (Level 1): 32-byte public key, 17,088-byte signature. Higher levels scale proportionally. Simple construction recommended.
H33 uses SLH-DSA-SHA2-128f-simple. Fast variant for production signing speed. The 17,088-byte signature is why H33-74 distillation is essential.
H33 Three-Family Implementation
One algorithm per family: ML-DSA-65 (MLWE, FIPS 204), FALCON-512 (NTRU), SLH-DSA-SHA2-128f (hash, FIPS 205). Breaking attestation requires simultaneously breaking MLWE, NTRU, and hash functions.
Batch signing: one triple-sign per 32-user batch. Signing stage: 391 microseconds (29% of pipeline). Per-auth: 38 microseconds total. FHE: 943 microseconds (70%). ZKP: sub-microsecond.
H33-74 distills to 74 bytes (32 on-chain + 42 Cachee). Algorithm-agnostic format survives upgrades.
Security Level Considerations
Current config: Level 1 for SLH-DSA and FALCON, Level 3 for ML-DSA. Bundle bounded at Level 1, but three-family independence means actual security is strictly stronger than single Level 5 -- attacker must break three problems not one.
Implementation Requirements
Constant-time mandatory: timing variations leak keys. ML-DSA rejection sampling, SLH-DSA hash computations, all polynomial arithmetic must prevent side channels. H33 implements all three from scratch in Rust, validated against NIST KATs, cross-validated against pqcrypto and liboqs. Over 3,700 tests.
H33 provides production-ready implementations via API. Contact support@h33.ai for implementation guidance.