Algorithms
Post-quantum cryptographic algorithms evaluated for practical deployment.
Primitive
Assumption
Capability
FN-DSA
digital-signature
- Security
- NTRU lattice problems (Short Integer Solution over NTRU lattices)·EUF-CMA
- Standard
- FIPS 206
| Params | Level | PK | SK | Sig |
|---|---|---|---|---|
| FN-DSA-512 | 1 | 897 | 1,281 | 666 |
| FN-DSA-1024 | 5 | 1,793 | 2,305 | 1,280 |
Risk
Assumption: low
Implementation: high
Side-channel: high
Hash-based Signatures for Bitcoin
digital-signature
- Security
- Hash function second-preimage resistance (SHA-256)·EUF-CMA
- Standard
- ePrint 2025/2203
| Params | Level | PK | SK | Sig |
|---|---|---|---|---|
| hbs-btc-2e40 | 1 | 32 | 64 | 4,036 |
| hbs-btc-2e30 | 1 | 32 | 64 | 3,440 |
| hbs-btc-2e20 | 1 | 32 | 64 | 3,128 |
Risk
Assumption: low
Implementation: medium
Side-channel: low
HQC
kem
- Security
- Quasi-Cyclic Syndrome Decoding (QCSD)·IND-CCA2
- Standard
- NIST IR 8545
| Params | Level | PK | SK | CT | SS |
|---|---|---|---|---|---|
| HQC-128 | 1 | 2,241 | 2,321 | 4,433 | 32 |
| HQC-192 | 3 | 4,514 | 4,602 | 8,978 | 32 |
| HQC-256 | 5 | 7,237 | 7,333 | 14,421 | 32 |
Risk
Assumption: medium
Implementation: medium
Side-channel: medium
leanSig
digital-signature
- Security
- Hash function second-preimage resistance (Poseidon2 over 31-bit prime fields)·EUF-CMA
- Standard
- ePrint 2025/055 and ePrint 2025/1332
| Params | Level | PK | SK | Sig |
|---|---|---|---|---|
| leansig-hashing-optimized | 1 | 32 | 64 | 2,688 |
| leansig-size-optimized | 1 | 32 | 64 | 2,240 |
| leansig-balanced | 1 | 32 | 64 | 2,464 |
Risk
Assumption: medium
Implementation: high
Side-channel: medium
ML-DSA
digital-signature
- Security
- Module-LWE & Module-SIS·EUF-CMA
- Standard
- FIPS 204
| Params | Level | PK | SK | Sig |
|---|---|---|---|---|
| ML-DSA-44 | 2 | 1,312 | 2,560 | 2,420 |
| ML-DSA-65 | 3 | 1,952 | 4,032 | 3,309 |
| ML-DSA-87 | 5 | 2,592 | 4,896 | 4,627 |
Risk
Assumption: low
Implementation: high
Side-channel: medium
ML-KEM
kem
- Security
- Module-LWE·IND-CCA2
- Standard
- FIPS 203
| Params | Level | PK | SK | CT | SS |
|---|---|---|---|---|---|
| ML-KEM-512 | 1 | 800 | 1,632 | 768 | 32 |
| ML-KEM-768 | 3 | 1,184 | 2,400 | 1,088 | 32 |
| ML-KEM-1024 | 5 | 1,568 | 3,168 | 1,568 | 32 |
Risk
Assumption: low
Implementation: low
Side-channel: medium
SLH-DSA
digital-signature
- Security
- Hash function second-preimage resistance·EUF-CMA
- Standard
- FIPS 205
| Params | Level | PK | SK | Sig |
|---|---|---|---|---|
| SLH-DSA-SHA2-128s | 1 | 32 | 64 | 7,856 |
| SLH-DSA-SHA2-128f | 1 | 32 | 64 | 17,088 |
| SLH-DSA-SHA2-192s | 3 | 48 | 96 | 16,224 |
| SLH-DSA-SHA2-192f | 3 | 48 | 96 | 35,664 |
| SLH-DSA-SHA2-256s | 5 | 64 | 128 | 29,792 |
| SLH-DSA-SHA2-256f | 5 | 64 | 128 | 49,856 |
| SLH-DSA-SHAKE-128s | 1 | 32 | 64 | 7,856 |
| SLH-DSA-SHAKE-128f | 1 | 32 | 64 | 17,088 |
| SLH-DSA-SHAKE-192s | 3 | 48 | 96 | 16,224 |
| SLH-DSA-SHAKE-192f | 3 | 48 | 96 | 35,664 |
| SLH-DSA-SHAKE-256s | 5 | 64 | 128 | 29,792 |
| SLH-DSA-SHAKE-256f | 5 | 64 | 128 | 49,856 |
Risk
Assumption: low
Implementation: low
Side-channel: low
XMSS
digital-signature
- Security
- Hash function second-preimage resistance and pseudorandomness·EUF-CMA
- Standard
- RFC 8391
| Params | Level | PK | SK | Sig |
|---|---|---|---|---|
| XMSS-SHA2_10_256 | 1 | 68 | 136 | 2,498 |
| XMSS-SHA2_16_256 | 1 | 68 | 136 | 2,690 |
| XMSS-SHA2_20_256 | 1 | 68 | 136 | 2,819 |
Risk
Assumption: low
Implementation: high
Side-channel: low