Post-quantum algorithm comparison
Post-quantum algorithm comparison collects the key figures for the NIST post-quantum standards and the classical algorithms they replace: key, ciphertext, and signature sizes, speed character, security basis, and standardization status. Sizes are exact bytes from the final FIPS documents and original specifications. For how these algorithms were chosen, see NIST Post-Quantum Cryptography Standardization; individual entries: ML-KEM, ML-DSA, SLH-DSA, FN-DSA / Falcon, HQC.
NIST security categories
NIST defines five security categories by comparison to attacks on symmetric primitives rather than abstract bit counts: a scheme meets a category if every known attack, classical or quantum, costs at least as much as the reference attack. Quantum search speedups against symmetric primitives are limited and well understood (Grover's algorithm), which makes these benchmarks stable anchors, unlike RSA and elliptic curves, which Shor's algorithm breaks outright.
| Category | Reference attack | Rough classical analogue | Standardized parameter sets |
|---|---|---|---|
| 1 | Key search on AES-128 | 128-bit security | ML-KEM-512, HQC-128, Falcon-512, SLH-DSA-128s/f |
| 2 | Collision search on SHA-256 | SHA-256 collision resistance | ML-DSA-44 |
| 3 | Key search on AES-192 | 192-bit security | ML-KEM-768, ML-DSA-65, HQC-192, SLH-DSA-192s/f |
| 4 | Collision search on SHA-384 | SHA-384 collision resistance | none among current standards |
| 5 | Key search on AES-256 | 256-bit security | ML-KEM-1024, ML-DSA-87, HQC-256, Falcon-1024, SLH-DSA-256s/f |
Category 3 is the common deployment default (ML-KEM-768, ML-DSA-65); category 5 appears where policy demands maximum margin.
Key establishment
The table compares KEMs with the elliptic-curve Diffie-Hellman key exchange they replace. For ECDH, the "ciphertext" column is the public share sent per direction. ML-KEM shared secrets are 32 bytes, HQC's are 64.
| Algorithm | Family | Public key (B) | Ciphertext (B) | Speed | Security basis | Status |
|---|---|---|---|---|---|---|
| X25519 | Elliptic-curve DH | 32 | 32 | very fast | ECDLP | broken by Shor's algorithm |
| ECDH P-256 | Elliptic-curve DH | 33 | 33 | fast | ECDLP | broken by Shor's algorithm |
| ML-KEM-512 | Lattice (Module-LWE) | 800 | 768 | very fast | Module-LWE | FIPS 203, final 2024 |
| ML-KEM-768 | Lattice (Module-LWE) | 1184 | 1088 | very fast | Module-LWE | FIPS 203, final 2024 |
| ML-KEM-1024 | Lattice (Module-LWE) | 1568 | 1568 | very fast | Module-LWE | FIPS 203, final 2024 |
| HQC-128 | Code-based | 2249 | 4497 | moderate | Quasi-cyclic syndrome decoding | selected 2025, standard expected ~2027 |
| HQC-192 | Code-based | 4522 | 9042 | moderate | Quasi-cyclic syndrome decoding | selected 2025, standard expected ~2027 |
| HQC-256 | Code-based | 7245 | 14485 | moderate | Quasi-cyclic syndrome decoding | selected 2025, standard expected ~2027 |
| X25519MLKEM768 | Hybrid | 1216 (client share) | 1120 (server share) | very fast | both bases | deployed in TLS 1.3 |
ML-KEM's arithmetic is fast enough that a full encapsulation plus decapsulation typically beats an X25519 exchange on modern CPUs; the real cost of the migration is the roughly 35-fold growth in bytes on the wire, about 2.3 KB per handshake for the deployed hybrid versus 64 bytes for pure X25519. See post-quantum TLS and hybrid cryptography.
Digital signatures
The table compares the NIST post-quantum digital signature scheme schemes with Ed25519, ECDSA, and RSA. Speed entries describe desktop-class CPUs; exact throughput varies by implementation.
| Algorithm | Public key (B) | Signature (B) | Sign speed | Verify speed | Security basis | Status |
|---|---|---|---|---|---|---|
| Ed25519 | 32 | 64 | very fast | very fast | ECDLP | broken by Shor's algorithm |
| ECDSA P-256 | 33 | 64 | very fast | fast | ECDLP | broken by Shor's algorithm |
| RSA-2048 | 256 | 256 | moderate | very fast | Factoring | broken by Shor's algorithm |
| ML-DSA-44 | 1312 | 2420 | fast | fast | Module-LWE / Module-SIS | FIPS 204, final 2024 |
| ML-DSA-65 | 1952 | 3309 | fast | fast | Module-LWE / Module-SIS | FIPS 204, final 2024 |
| ML-DSA-87 | 2592 | 4627 | fast | fast | Module-LWE / Module-SIS | FIPS 204, final 2024 |
| SLH-DSA-128s | 32 | 7856 | very slow | fast | Hash functions only | FIPS 205, final 2024 |
| SLH-DSA-128f | 32 | 17088 | slow | moderate | Hash functions only | FIPS 205, final 2024 |
| SLH-DSA-256s | 64 | 29792 | very slow | fast | Hash functions only | FIPS 205, final 2024 |
| Falcon-512 (FN-DSA) | 897 | 666 | moderate | very fast | NTRU lattices | FIPS 206 draft pending, early 2026 |
| Falcon-1024 (FN-DSA) | 1793 | 1280 | moderate | very fast | NTRU lattices | FIPS 206 draft pending, early 2026 |
RSA-2048 sizes are the raw 2048-bit modulus and signature; encoded public keys are slightly larger. Falcon signatures are variable length, listed in the fixed padded format of the specification.
What the numbers mean in practice
- Handshakes: swapping X25519 for the deployed hybrid grows each TLS handshake by about 2.3 KB, which measured deployments have shown is acceptable on the public Internet.
- Certificates: a certificate carries a public key and a signature. With ECDSA P-256 that is under 100 bytes of cryptographic material; with ML-DSA-65 it is about 5.3 KB, and a typical chain of three certificates multiplies the growth. This, not raw speed, is the hard problem in PKI migration to post-quantum.
- Choosing a signature: ML-DSA is the general-purpose default. SLH-DSA buys the most conservative assumptions with large, slow signatures, fitting firmware, code signing, and trust anchors. FN-DSA wins where bytes are scarce and verification dominates, once FIPS 206 is finished.
- Choosing a KEM: ML-KEM-768 is the default; HQC exists as a standardized fallback on non-lattice mathematics.
- Symmetric cryptography survives: AES-256 and SHA-2/SHA-3 need no replacement, only conservative parameter choices, since quantum attacks on them are limited to Grover-type speedups.
Migration playbooks favor hybrids and cryptographic agility: combine a classical and a post-quantum algorithm during the transition, and build systems that can swap algorithms without redesign, since FIPS 206 and the HQC standard will keep the target moving through the late 2020s.
Sources
- FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard (NIST, 2024)
- FIPS 204, Module-Lattice-Based Digital Signature Standard (NIST, 2024)
- FIPS 205, Stateless Hash-Based Digital Signature Standard (NIST, 2024)
- Falcon: Fast-Fourier Lattice-based Compact Signatures over NTRU (Falcon team, 2020)
- RFC 8032, Edwards-Curve Digital Signature Algorithm (EdDSA) (IETF, 2017)
- Post-Quantum Cryptography Project (NIST, 2024)
Cite this entry
"Post-quantum algorithm comparison." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/pqc-algorithm-comparison@misc{pqwiki-pqc-algorithm-comparison,
title = {Post-quantum algorithm comparison},
howpublished = {\url{https://postquantum.wiki/pqc-algorithm-comparison}},
year = {2026},
note = {postquantum.wiki, updated 2026-07-11}
}