After a long and arduous journey, NIST has finally released the draft standards for 3 post-quantum algorithms:
Let’s talk a little bit about each of the documents one by one.
FIPS-203 specifies ML-KEM which was based on the NIST Post-Quantum Competition’s only KEM winner Kyber. ML-KEM stands for Module Lattice-based Key Encapsulation Mechanism. It defines 3 parameter sets; each at a different level of security:
- ML-KEM-512 (security equivalence to AES-128)
- ML-KEM-768 (security equivalence to AES-192)
- ML-KEM-1024 (security equivalence to AES-256)
ML-KEM is appropriate as a general replacement for quantum-vulnerable key exchange algorithms such as ECDH or FFDH. Note that ECDH and FFDH happen to be Non-Interactive Key Exchange (NIKE) algorithms, but ML-KEM is not so for applications where the non-interactivity is a requirement, ML-KEM is NOT an appropriate drop-in replacement. While the performance of ML-KEM is very good, the cryptographic artifact sizes are larger than those of ECDH and FFDH.
FIPS 204 specifies ML-DSA which was based on the NIST Post-Quantum Competition’s Signature Scheme winner Dilithium. ML-DSA stands for Module Lattice Digital Signature Algorithm. It defines 3 parameter sets; each at a different level of security:
- ML-DSA-44 (security equivalence to SHA3-256)
- ML-DSA-65 (security equivalence to AES-192)
- ML-DSA-87 (security equivalence to AES-256)
Interestingly, the numbers in the parameter set names refers to the dimensions of a matrix that is used during key generation. For example, for ML-DSA-65, that matrix is 6 by 5 thus the 65. ML-DSA is appropriate as a general replacement for quantum-vulnerable signature algorithms such as ECDSA and RSA. While the performance of ML-DSA is very good, the cryptographic artifact sizes are larger than those of ECDSA and RSA.
FIPS 205 specifies SLH-DSA which was based on the NIST Post-Quantum Competition’s Signature Scheme winner SPHINCS+. SLH-DSA stands for StateLess Hash-based Digital Signature Algorithm. It defines 12 parameter sets:
The names can be seen as having the following format:
<hash> : Either SHA2 or or SHAKE. This is the hashing algorithm that is used for that parameter set.
<AES equivalence> : 128, 192, or 256. The security equivalence to AES.
<optimization> : s or f. ‘s’ is for small and ‘f’ is for fast.
SLH-DSA is appropriate as a general replacement for already standardized Stateful Hash-based Signature Schemes such as LMS and XMSS which are currently already standardized by NIST and are suggested for use for firmware signing and verification by the CNSA 2.0 guidance put out by the NSA. The performance and artifact sizes of SLH-DSA are comparable to LMS and XMSS.
This begs the question, since LMS and XMSS are already quantum-safe, why would they need to be replaced? The answer is that the management of the state in the Stateful Hash-based Signature Schemes is a potential pitfall and makes it vastly more difficult to use.
Finally, those of you that have been following this process are probably wondering what happened to Falcon. It is also getting a draft standard but is more difficult to implement so NIST is taking extra care and more time to write the draft standard for it.