Explore · Algorithms

The four NIST post-quantum standards

Tune each algorithm's security level and watch the key, ciphertext, and signature sizes update. Classical baselines (X25519, Ed25519) are drawn to scale so the payload-bloat problem is visible, not abstract.

FIPS 203

ML-KEM

Lattice (Module-LWE) · Key Encapsulation Mechanism

Level 2/3

The module-lattice KEM standard (derived from CRYSTALS-Kyber). Used for establishing shared secrets in TLS, SSH, IKEv2.

Security

192 bits

Public key

1.2 KB

vs 32 B X25519

Ciphertext

1.1 KB

vs 32 B X25519

FIPS 204

ML-DSA

Lattice (Module-LWE, Fiat-Shamir) · Digital Signature

Level 2/3

The module-lattice signature standard (derived from CRYSTALS-Dilithium). The primary NIST-recommended general-purpose PQ signature.

Security

192 bits

Public key

1.9 KB

vs 32 B Ed25519

Signature

3.2 KB

vs 64 B Ed25519

FIPS 205

SLH-DSA

Hash-based (stateless) · Digital Signature

Level 2/3

Stateless hash-based signatures (SPHINCS+). Conservative security, large signatures — good for firmware, code signing, DNSSEC research.

Security

192 bits

Public key

48 B

vs 32 B Ed25519

Signature

15.8 KB

vs 64 B Ed25519

FIPS 206 (draft)

FN-DSA

Lattice (NTRU, Falcon) · Digital Signature

Level 2/2

NTRU-lattice signatures (derived from Falcon). Smaller signatures than ML-DSA, but requires floating-point care in implementations.

Security

256 bits

Public key

1.8 KB

vs 32 B Ed25519

Signature

1.3 KB

vs 64 B Ed25519

Sizes pulled from FIPS 203 / 204 / 205 and Falcon round-3 submission. Where FN-DSA values differ under the FIPS 206 draft, we reflect the draft numbers. Attribution: NIST PQC · liboqs algorithm matrix.