NIST security levels
The NIST security levels are five strength categories, numbered 1 through 5, that NIST defined to evaluate candidates in NIST Post-Quantum Cryptography Standardization. Rather than quoting abstract bit strengths, each category is anchored to an existing symmetric primitive: a parameter set meets a level if every known attack costs at least as much as the reference attack on that primitive, for classical and quantum attackers alike.
The five categories
| Level | Reference attack |
|---|---|
| 1 | Key search on AES-128 |
| 2 | Collision search on SHA-256 |
| 3 | Key search on AES-192 |
| 4 | Collision search on SHA-384 |
| 5 | Key search on AES-256 |
Quantum attack costs are modeled with bounded circuit depth, which limits how much Grover's algorithm can contribute in practice; the definitions come from the standardization project's evaluation criteria.
How parameter sets map
Standardized schemes publish one parameter set per target level. FIPS 203 claims category 1 for ML-KEM-512, category 3 for ML-KEM-768, and category 5 for ML-KEM-1024 (ML-KEM). FIPS 204 claims category 2 for ML-DSA-44, category 3 for ML-DSA-65, and category 5 for ML-DSA-87 (ML-DSA). Higher categories cost more bandwidth and computation, so protocols typically expose several parameter sets.
Sources
Cite this entry
"NIST security levels." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/security-levels@misc{pqwiki-security-levels,
title = {NIST security levels},
howpublished = {\url{https://postquantum.wiki/security-levels}},
year = {2026},
note = {postquantum.wiki, updated 2026-07-11}
}