Post-quantum algorithm comparison

Post-quantum algorithm comparison collects the key figures for the NIST post-quantum standards and the classical algorithms they replace: key, ciphertext, and signature sizes, speed character, security basis, and standardization status. Sizes are exact bytes from the final FIPS documents and original specifications. For how these algorithms were chosen, see NIST Post-Quantum Cryptography Standardization; individual entries: ML-KEM, ML-DSA, SLH-DSA, FN-DSA / Falcon, HQC.

NIST security categories

NIST defines five security categories by comparison to attacks on symmetric primitives rather than abstract bit counts: a scheme meets a category if every known attack, classical or quantum, costs at least as much as the reference attack. Quantum search speedups against symmetric primitives are limited and well understood (Grover's algorithm), which makes these benchmarks stable anchors, unlike RSA and elliptic curves, which Shor's algorithm breaks outright.

Category Reference attack Rough classical analogue Standardized parameter sets
1 Key search on AES-128 128-bit security ML-KEM-512, HQC-128, Falcon-512, SLH-DSA-128s/f
2 Collision search on SHA-256 SHA-256 collision resistance ML-DSA-44
3 Key search on AES-192 192-bit security ML-KEM-768, ML-DSA-65, HQC-192, SLH-DSA-192s/f
4 Collision search on SHA-384 SHA-384 collision resistance none among current standards
5 Key search on AES-256 256-bit security ML-KEM-1024, ML-DSA-87, HQC-256, Falcon-1024, SLH-DSA-256s/f

Category 3 is the common deployment default (ML-KEM-768, ML-DSA-65); category 5 appears where policy demands maximum margin.

Key establishment

The table compares KEMs with the elliptic-curve Diffie-Hellman key exchange they replace. For ECDH, the "ciphertext" column is the public share sent per direction. ML-KEM shared secrets are 32 bytes, HQC's are 64.

Algorithm Family Public key (B) Ciphertext (B) Speed Security basis Status
X25519 Elliptic-curve DH 32 32 very fast ECDLP broken by Shor's algorithm
ECDH P-256 Elliptic-curve DH 33 33 fast ECDLP broken by Shor's algorithm
ML-KEM-512 Lattice (Module-LWE) 800 768 very fast Module-LWE FIPS 203, final 2024
ML-KEM-768 Lattice (Module-LWE) 1184 1088 very fast Module-LWE FIPS 203, final 2024
ML-KEM-1024 Lattice (Module-LWE) 1568 1568 very fast Module-LWE FIPS 203, final 2024
HQC-128 Code-based 2249 4497 moderate Quasi-cyclic syndrome decoding selected 2025, standard expected ~2027
HQC-192 Code-based 4522 9042 moderate Quasi-cyclic syndrome decoding selected 2025, standard expected ~2027
HQC-256 Code-based 7245 14485 moderate Quasi-cyclic syndrome decoding selected 2025, standard expected ~2027
X25519MLKEM768 Hybrid 1216 (client share) 1120 (server share) very fast both bases deployed in TLS 1.3

ML-KEM's arithmetic is fast enough that a full encapsulation plus decapsulation typically beats an X25519 exchange on modern CPUs; the real cost of the migration is the roughly 35-fold growth in bytes on the wire, about 2.3 KB per handshake for the deployed hybrid versus 64 bytes for pure X25519. See post-quantum TLS and hybrid cryptography.

Digital signatures

The table compares the NIST post-quantum digital signature scheme schemes with Ed25519, ECDSA, and RSA. Speed entries describe desktop-class CPUs; exact throughput varies by implementation.

Algorithm Public key (B) Signature (B) Sign speed Verify speed Security basis Status
Ed25519 32 64 very fast very fast ECDLP broken by Shor's algorithm
ECDSA P-256 33 64 very fast fast ECDLP broken by Shor's algorithm
RSA-2048 256 256 moderate very fast Factoring broken by Shor's algorithm
ML-DSA-44 1312 2420 fast fast Module-LWE / Module-SIS FIPS 204, final 2024
ML-DSA-65 1952 3309 fast fast Module-LWE / Module-SIS FIPS 204, final 2024
ML-DSA-87 2592 4627 fast fast Module-LWE / Module-SIS FIPS 204, final 2024
SLH-DSA-128s 32 7856 very slow fast Hash functions only FIPS 205, final 2024
SLH-DSA-128f 32 17088 slow moderate Hash functions only FIPS 205, final 2024
SLH-DSA-256s 64 29792 very slow fast Hash functions only FIPS 205, final 2024
Falcon-512 (FN-DSA) 897 666 moderate very fast NTRU lattices FIPS 206 draft pending, early 2026
Falcon-1024 (FN-DSA) 1793 1280 moderate very fast NTRU lattices FIPS 206 draft pending, early 2026

RSA-2048 sizes are the raw 2048-bit modulus and signature; encoded public keys are slightly larger. Falcon signatures are variable length, listed in the fixed padded format of the specification.

What the numbers mean in practice

  • Handshakes: swapping X25519 for the deployed hybrid grows each TLS handshake by about 2.3 KB, which measured deployments have shown is acceptable on the public Internet.
  • Certificates: a certificate carries a public key and a signature. With ECDSA P-256 that is under 100 bytes of cryptographic material; with ML-DSA-65 it is about 5.3 KB, and a typical chain of three certificates multiplies the growth. This, not raw speed, is the hard problem in PKI migration to post-quantum.
  • Choosing a signature: ML-DSA is the general-purpose default. SLH-DSA buys the most conservative assumptions with large, slow signatures, fitting firmware, code signing, and trust anchors. FN-DSA wins where bytes are scarce and verification dominates, once FIPS 206 is finished.
  • Choosing a KEM: ML-KEM-768 is the default; HQC exists as a standardized fallback on non-lattice mathematics.
  • Symmetric cryptography survives: AES-256 and SHA-2/SHA-3 need no replacement, only conservative parameter choices, since quantum attacks on them are limited to Grover-type speedups.

Migration playbooks favor hybrids and cryptographic agility: combine a classical and a post-quantum algorithm during the transition, and build systems that can swap algorithms without redesign, since FIPS 206 and the HQC standard will keep the target moving through the late 2020s.

Sources

  1. FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard (NIST, 2024)
  2. FIPS 204, Module-Lattice-Based Digital Signature Standard (NIST, 2024)
  3. FIPS 205, Stateless Hash-Based Digital Signature Standard (NIST, 2024)
  4. Falcon: Fast-Fourier Lattice-based Compact Signatures over NTRU (Falcon team, 2020)
  5. RFC 8032, Edwards-Curve Digital Signature Algorithm (EdDSA) (IETF, 2017)
  6. Post-Quantum Cryptography Project (NIST, 2024)
Cite this entry
"Post-quantum algorithm comparison." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/pqc-algorithm-comparison@misc{pqwiki-pqc-algorithm-comparison, title = {Post-quantum algorithm comparison}, howpublished = {\url{https://postquantum.wiki/pqc-algorithm-comparison}}, year = {2026}, note = {postquantum.wiki, updated 2026-07-11} }