NIST security levels

The NIST security levels are five strength categories, numbered 1 through 5, that NIST defined to evaluate candidates in NIST Post-Quantum Cryptography Standardization. Rather than quoting abstract bit strengths, each category is anchored to an existing symmetric primitive: a parameter set meets a level if every known attack costs at least as much as the reference attack on that primitive, for classical and quantum attackers alike.

The five categories

Level Reference attack
1 Key search on AES-128
2 Collision search on SHA-256
3 Key search on AES-192
4 Collision search on SHA-384
5 Key search on AES-256

Quantum attack costs are modeled with bounded circuit depth, which limits how much Grover's algorithm can contribute in practice; the definitions come from the standardization project's evaluation criteria.

How parameter sets map

Standardized schemes publish one parameter set per target level. FIPS 203 claims category 1 for ML-KEM-512, category 3 for ML-KEM-768, and category 5 for ML-KEM-1024 (ML-KEM). FIPS 204 claims category 2 for ML-DSA-44, category 3 for ML-DSA-65, and category 5 for ML-DSA-87 (ML-DSA). Higher categories cost more bandwidth and computation, so protocols typically expose several parameter sets.

Sources

  1. Post-Quantum Cryptography Project (NIST, 2025)
  2. FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard (NIST, 2024)
  3. FIPS 204, Module-Lattice-Based Digital Signature Standard (NIST, 2024)
Cite this entry
"NIST security levels." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/security-levels@misc{pqwiki-security-levels, title = {NIST security levels}, howpublished = {\url{https://postquantum.wiki/security-levels}}, year = {2026}, note = {postquantum.wiki, updated 2026-07-11} }