NIST Post-Quantum vs Traditional Encryption: A Technical Comparison

The finalization of NIST's post-quantum standards creates an inflection point where organizations must understand not just what the new algorithms are, but how they compare to the classical algorithms they replace. This comparison drives procurement decisions, performance budgets, bandwidth planning, and migration timelines.

Key Exchange: RSA vs ML-KEM

RSA key transport encrypts a session key with the server's RSA public key. ML-KEM (FIPS 203) uses lattice-based key encapsulation. Both produce a shared session key through different mathematical foundations.

Key sizes: RSA-2048 public key: 256 bytes. ML-KEM-768 public key: 1,184 bytes (4.6x larger). ML-KEM-1024: 1,568 bytes (6.1x larger).

Ciphertext sizes: RSA-2048: 256 bytes. ML-KEM-768: 1,088 bytes (4.3x larger). ML-KEM-1024: 1,568 bytes (6.1x larger).

Performance: RSA-2048 key generation: ~1 ms. ML-KEM-768 key generation: ~50 us (20x faster). RSA-2048 decryption: ~1 ms. ML-KEM-768 decapsulation: ~60 us (16x faster). ML-KEM is actually faster than RSA for key operations, despite producing larger artifacts.

Security: RSA-2048 provides approximately 112 bits of classical security and zero quantum security. ML-KEM-768 provides NIST Level 3 (approximately 192-bit equivalent) against both classical and quantum adversaries. ML-KEM provides stronger security while being faster. The only trade-off is larger key and ciphertext sizes.

Key Exchange: ECDH vs ML-KEM

ECDH (X25519) is the more relevant comparison for modern TLS 1.3.

Key sizes: X25519: 32 bytes. ML-KEM-768: 1,184 bytes (37x larger).

Performance: X25519: ~50 us. ML-KEM-768: ~100 us (2x slower). X25519 is faster, but ML-KEM remains fast in absolute terms.

Security: X25519 provides ~128 bits classical security and zero quantum security (Shor's algorithm breaks it completely). ML-KEM-768 provides Level 3 against both classical and quantum adversaries. This is not a trade-off. X25519 provides zero quantum security. ML-KEM provides real quantum security.

Signatures: RSA-PSS vs ML-DSA

Signature sizes: RSA-2048: 256 bytes. ML-DSA-65: 3,293 bytes (12.9x larger). ML-DSA-87: 4,595 bytes (18x larger).

Public key sizes: RSA-2048: 256 bytes. ML-DSA-65: 1,952 bytes (7.6x larger).

Signing: RSA-2048 sign: ~1 ms. ML-DSA-65 sign: ~150 us (6.7x faster).

Verification: RSA-2048 verify: ~30 us. ML-DSA-65 verify: ~80 us (2.7x slower).

Security: RSA-2048: ~112 bits classical, zero quantum. ML-DSA-65: Level 3 classical and quantum.

Signatures: ECDSA vs ML-DSA

Signature sizes: ECDSA P-256: 64 bytes. ML-DSA-65: 3,293 bytes (51x larger).

Public key sizes: ECDSA P-256: 32 bytes (compressed). ML-DSA-65: 1,952 bytes (61x larger).

Signing: ECDSA P-256: ~100 us. ML-DSA-65: ~150 us (1.5x slower).

Verification: ECDSA P-256: ~150 us. ML-DSA-65: ~80 us (1.9x faster). ML-DSA verification is faster than ECDSA verification, which matters for systems that verify many more signatures than they generate.

Hash-Based Signatures: SLH-DSA

SLH-DSA (FIPS 205) provides signatures based entirely on hash functions -- the most conservative choice.

SLH-DSA-SHA2-128f: Signature: 17,088 bytes. Public key: 32 bytes. Sign: ~5 ms. Verify: ~2 ms. Security: NIST Level 1.

SLH-DSA signatures are enormous. This makes SLH-DSA impractical for high-frequency signing but valuable for long-lived artifacts (root certificates, archival documents) where signature size matters less than the independence of the security assumption.

Symmetric Encryption: Unchanged

AES-128 and AES-256 are not broken by quantum computers in the same way as public-key algorithms. Grover's algorithm halves the effective key length. AES-128 drops to 64-bit security (not quantum-safe). AES-256 drops to 128-bit security (still quantum-safe). Use AES-256 for all symmetric encryption.

The Bandwidth Budget

For a typical TLS 1.3 handshake with hybrid key exchange and two-certificate chain:

Classical (X25519 + ECDSA): ~2,300 bytes total handshake overhead.

Hybrid PQ (X25519+ML-KEM-768 + ECDSA+ML-DSA-65): ~17,100 bytes total. 7.4x increase.

On a 10 Mbps connection, the additional 15 KB adds 1.2 milliseconds. On 100 Mbps, 0.12 milliseconds. For applications where each handshake carries substantial data, the overhead is amortized and negligible.

The Performance Budget

Computationally, the picture is surprisingly favorable. ML-KEM key operations are faster than RSA. ML-DSA signing is faster than RSA and comparable to ECDSA. ML-DSA verification is faster than ECDSA.

H33's production benchmarks demonstrate that post-quantum operations achieve extraordinary throughput when properly optimized -- over 1.6 million authentications per second with full FHE + PQ attestation, proving performance is not a barrier.

The comparison is not a story of compromise. ML-KEM is faster than RSA. ML-DSA verification is faster than ECDSA. The algorithms are larger but not slower. The migration path is clear, the performance is production-ready, and the security upgrade from zero quantum resistance to quantum resistance is absolute.