NIST Post-Quantum Cryptography Standardization
The NIST Post-Quantum Cryptography Standardization process is a public, multi-round evaluation run by the United States National Institute of Standards and Technology (NIST) to select and standardize post-quantum cryptography algorithms. Opened with a call for proposals in December 2016, it produced the first three finished standards, FIPS 203, 204, and 205, on August 13, 2024, with further selections still in progress.
Origins and the 2016 call
The motivation was Shor's algorithm, which breaks RSA, Diffie-Hellman, and elliptic-curve public-key cryptography on a sufficiently large quantum computer, combined with the harvest now, decrypt later threat: encrypted traffic recorded today can be decrypted whenever such a machine exists. NIST surveyed the field in NISTIR 8105 (April 2016), announced the project at the PQCrypto 2016 conference, and published a formal call for proposals in December 2016 with a November 30, 2017 submission deadline.
The call sought two primitives: key-encapsulation mechanisms for key establishment and digital signatures for authentication. Candidates were evaluated against five security categories defined relative to attacks on symmetric primitives (categories 1, 3, and 5 match exhaustive key search on AES-128, AES-192, and AES-256; categories 2 and 4 match collision search on SHA-256 and SHA-384). NIST framed the process as a competition-like evaluation rather than a winner-take-all contest: several algorithms with different mathematical foundations could be standardized.
By the deadline NIST had received 82 submissions, of which 69 met the requirements and entered the first round in December 2017.
Evaluation rounds
The first round (2017 to 2019) exposed the field to worldwide public cryptanalysis, and a significant fraction of candidates were broken or seriously weakened. In January 2019 NIST advanced 26 candidates to the second round, allowing some submission teams to merge similar designs. In July 2020 the third round began with 7 finalists (the KEMs Classic McEliece, CRYSTALS-Kyber, NTRU, and SABER, and the signatures CRYSTALS-Dilithium, Falcon, and Rainbow) plus 8 alternates (BIKE, FrodoKEM, HQC, NTRU Prime, and SIKE among KEMs, and GeMSS, Picnic, and SPHINCS+ among signatures).
Evaluation weighed security first, then cost and performance (key, ciphertext, and signature sizes, plus speed), then algorithm and implementation characteristics such as side-channel resistance and simplicity. Analysis happened in the open, on the pqc-forum mailing list and at NIST standardization conferences.
Two breaks that shaped the outcome
Two third-round schemes fell to classical attacks, and both breaks became defining lessons.
In February 2022, Ward Beullens presented a key-recovery attack on Rainbow, a multivariate signature finalist, recovering a category 1 secret key from the public key in about 53 hours on a laptop (Breaking Rainbow Takes a Weekend on a Laptop). Rainbow was eliminated from the process.
SIKE, an isogeny-based KEM admired for its very small keys, advanced to the fourth round in July 2022. Weeks later, Wouter Castryck and Thomas Decru published an efficient key recovery attack on SIDH, the scheme underlying SIKE. The attack was purely classical, exploited mathematical structure together with the auxiliary torsion points that SIDH publishes, and recovered the key for SIKE's lowest parameter set in roughly an hour on a single CPU core. It extended to all parameter sets, and the SIKE team conceded the scheme was broken.
Neither attack required a quantum computer. Both targets had survived years of scrutiny before falling suddenly, which reinforced two principles: prefer problems with long cryptanalytic history, and standardize schemes resting on distinct mathematical foundations so one breakthrough cannot empty the whole portfolio. This reasoning kept the hash-based SPHINCS+ in the selection and later drove the search for a code-based backup KEM.
The July 2022 selection
On July 5, 2022 NIST announced its first selections: the KEM CRYSTALS-Kyber, and the signatures CRYSTALS-Dilithium, Falcon, and SPHINCS+. Three of the four are lattice-based; SPHINCS+ was included explicitly as a hedge built on different assumptions. Four KEMs (BIKE, Classic McEliece, HQC, and SIKE) continued into a fourth round for possible standardization later.
The first standards: FIPS 203, 204, and 205
NIST published draft standards in August 2023 and finalized them on August 13, 2024, renaming the algorithms in the process:
- ML-KEM (FIPS 203), from CRYSTALS-Kyber
- ML-DSA (FIPS 204), from CRYSTALS-Dilithium
- SLH-DSA (FIPS 205), from SPHINCS+
Falcon is planned as FN-DSA in FIPS 206, but as of early 2026 the draft has not been published, largely because Falcon's floating-point Gaussian sampler makes safe, constant-time implementation unusually difficult.
Round 4 and the HQC selection
On March 11, 2025 NIST selected HQC as its fifth algorithm: a code-based KEM intended as a backup to ML-KEM, chosen precisely because its security does not rest on lattices. The reasoning is documented in NIST IR 8545. Of the other fourth-round KEMs, SIKE had been withdrawn after the 2022 break, BIKE was not selected because confidence in its decoding-failure analysis was judged less mature, and Classic McEliece, though widely considered very conservative, was not standardized by NIST, in part because of its very large public keys. NIST expects a draft HQC standard around 2026 and a final standard around 2027.
The additional signature onramp
Both general-purpose signatures selected in 2022 are lattice-based, so NIST opened a separate process (the "onramp") for additional signature schemes, seeking diversity of assumptions and signatures that are small or fast to verify. Submissions closed June 1, 2023; NIST accepted 40 first-round candidates in July 2023 and advanced 14 to a second round in October 2024, spanning multivariate, code-based, isogeny-based, symmetric-based, and MPC-in-the-head designs. The onramp is ongoing as of early 2026, and any selection remains years away from a finished standard.
Timeline
| Date | Event |
|---|---|
| February 2016 | NIST announces the standardization effort at PQCrypto 2016 |
| April 2016 | NISTIR 8105, Report on Post-Quantum Cryptography, published |
| December 2016 | Formal call for proposals issued |
| November 2017 | Submission deadline; 82 submissions received |
| December 2017 | 69 complete first-round candidates announced |
| January 2019 | 26 candidates advance to round 2 |
| July 2020 | Round 3 begins with 7 finalists and 8 alternates |
| February 2022 | Rainbow broken by Beullens |
| July 5, 2022 | Kyber, Dilithium, Falcon, and SPHINCS+ selected; BIKE, Classic McEliece, HQC, and SIKE enter round 4 |
| July to August 2022 | SIKE broken by Castryck and Decru; the team concedes |
| June 2023 | Submission deadline for the additional signature onramp (40 candidates accepted) |
| August 2023 | Draft FIPS 203, 204, and 205 published |
| August 13, 2024 | FIPS 203, 204, and 205 finalized |
| October 2024 | 14 onramp signature candidates advance to round 2 |
| March 11, 2025 | HQC selected as the fifth algorithm |
| Early 2026 | FIPS 206 (FN-DSA) draft still pending; HQC draft in preparation |
Adoption
The finished standards now anchor real deployments: TLS uses ML-KEM in hybrid key agreement across major browsers and content networks, and government migration guidance in several countries sets transition horizons in the 2030 to 2035 range. For a side-by-side view of the standardized algorithms, see post-quantum algorithm comparison.
Frequently asked questions
Which post-quantum algorithms has NIST standardized?
ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205) were finalized in August 2024. Falcon is planned as FN-DSA in FIPS 206, and HQC was selected in March 2025 with its standard still to come.
Is the NIST process finished?
The first three standards are finished, but the HQC standard, the FN-DSA draft, and the additional signature onramp are still in progress as of early 2026.
Sources
- Post-Quantum Cryptography Project (NIST, 2024)
- NIST Releases First 3 Finalized Post-Quantum Encryption Standards (NIST, 2024)
- NIST Selects HQC as Fifth Algorithm for Post-Quantum Encryption (NIST, 2025)
- Breaking Rainbow Takes a Weekend on a Laptop (IACR ePrint Archive, 2022)
- An Efficient Key Recovery Attack on SIDH (IACR ePrint Archive, 2022)
- NIST IR 8545, Status Report on the Fourth Round of the NIST Post-Quantum Cryptography Standardization Process (NIST, 2025)
- Post-Quantum Cryptography: Digital Signature Schemes (NIST, 2024)
Cite this entry
"NIST Post-Quantum Cryptography Standardization." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/nist-pqc-standardization@misc{pqwiki-nist-pqc-standardization,
title = {NIST Post-Quantum Cryptography Standardization},
howpublished = {\url{https://postquantum.wiki/nist-pqc-standardization}},
year = {2026},
note = {postquantum.wiki, updated 2026-07-11}
}