Post-Quantum Crypto – Draft FIPS Standards Announced

James RamageCommon Criteria, FIPS 140-3

In our last article on Post Quantum Crypto (PQC) titled “Introduction to the Quantum Computing Impact on Cryptography”, we introduced quantum computing concepts and the potential impact on computer security and cryptography. The article also introduced CNSA 1.0 and CNSA 2.0 as initial suites of PQC algorithms developed by the National Security Agency (NSA). The thrust of PQC development has focused on the replacement of public key cryptography given quantum computing’s ability to conduct complex calculations quickly and potentially decrypt data encrypted with legacy algorithms in hours or days, versus the years it would have normally taken.

The article also listed Asymmetric algorithms for digitally signing firmware and software namely Leighton-Micali Signature (LMS) and Xtended Merkle Signature Scheme (XMSS), which are described in NIST SP 800–208. At present, LMS is testable by the NIST Automated Cryptographic Validation Protocol (ACVP) system, and work to provide algorithm testing for XMSS is still in progress.

See our last Lightship article on PQC here:

This article will focus on PQC updates from the National Institute of Standards and Technology (NIST) and the Cryptographic Module Validation Program (CMVP). In, August 24, 2023, NIST posted initial public drafts of three Federal Information Processing Standards (FIPS):

FIPS 203, also known as CRYSTALS-Kyber, specifies the Module-Lattice-based Key-Encapsulation Mechanism, or ML-KEM, which is a key-encapsulation mechanism (or KEM) used to establish a shared secret key between two parties communicating over a public channel. It is expected that key establishment schemes specified in NIST SP 800-56Ar3 and NIST SP 800-56Br2 may be vulnerable to PQC attacks and ML-KEM is an approved alternative for this security function.

FIPS 204, also known as CRYSTALS-Dilithium, provides algorithms for ML-DSA (Module Lattice Digital Signature Algorithm), which can detect unauthorized modifications to data, and to authenticate the identity of the signatory. In addition, a signature generated by ML-DSA can be used to demonstrate non-repudiation, implying that the signatory cannot refute signage at a later time. ML-DSA can be used in place of other digital signature schemes specified in the newer NIST FIPS 185-5 Digital Signature Standard and Special Publication SP 800-186.

FIPS 205 specifies an algorithm known as SPHINCS+ or SLH-DSA, which is a stateless hashed-based digital signature scheme. FIPS 205 defines a method for digital signature generation that can be to protect binary data (text messages) and for the verification of the digital signatures. Unlike the algorithms specified in NIST FIPS 185-5, SLH-DSA is expected to provide resistance to PQC attacks.

These draft standards specify key establishment and digital signature schemes designed to resist PQC attacks and are each derived from different submissions to the NIST Post-Quantum Cryptography Standardization Project. The public comment period for these three drafts closed on November 22, 2023. NIST is currently developing ACVP testing for PQC algorithms, ML-KEM, ML-DSA, SLH-DSA, and is expected soon (1Q24) in conjunction with self-test requirements. NIST is currently soliciting help from the community to evaluate the PQC algorithms and work towards full publication and standardization.

See the NIST website,, for more information.

As a side note, you may wonder how new algorithms are submitted, evaluated, and eventually selected for standardization. Algorithm candidates are submitted to NIST from academic institutions and industry, then the following criteria can be used to evaluate candidate PQC algorithms:

  • Security: Must be able to secure (encrypt) data for the expected lifetime of the asset
  • Computational efficiency: Algorithms should be fast to compute and not require inordinate amounts of computing resources (memory, disk, network)
  • Simplicity: Straightforward for vendors to acquire or design, and integrate into their products
  • Certifiable: Must be able to test and certify the algorithm to meet FIPS and CC standards
  • Universality: Algorithms should support a diverse set of industry use cases for data security


To fully understand the potential impact of post-quantum algorithm requirements, transitions, and impacts on your FIPS or CC projects, please contact the testing experts at Lightship Security!

James Ramage

James Ramage is a senior FIPS evaluator at Lightship. He has been doing FIPS evaluations and security certifications for 5+ years and enjoys working with customers, training team members and evaluating new technologies.