Algorithms
Post-quantum cryptographic algorithms evaluated for practical deployment.
FN-DSA
digital-signature
- Security: NTRU lattice problems (Short Integer Solution over NTRU lattices) · EUF-CMA
- Standard: FIPS 206
| Params | Level | PK | SK | Sig |
|---|---|---|---|---|
| FN-DSA-512 | 1 | 897 | 1,281 | 666 |
| FN-DSA-1024 | 5 | 1,793 | 2,305 | 1,280 |
Risk
Assumption: low
Implementation: high
Side-channel: high
HQC
kem
- Security: Quasi-Cyclic Syndrome Decoding (QCSD) · IND-CCA2
- Standard: NIST IR 8545
| Params | Level | PK | SK | CT | SS |
|---|---|---|---|---|---|
| HQC-128 | 1 | 2,241 | 2,321 | 4,433 | 32 |
| HQC-192 | 3 | 4,514 | 4,602 | 8,978 | 32 |
| HQC-256 | 5 | 7,237 | 7,333 | 14,421 | 32 |
Risk
Assumption: medium
Implementation: medium
Side-channel: medium
leanSig
digital-signature
- Security: Hash function second-preimage resistance (Poseidon over 31-bit prime fields) · EUF-CMA
- Standard: ePrint 2025/055 and ePrint 2025/1332
| Params | Level | PK | SK | Sig |
|---|---|---|---|---|
| leansig | 1 | 50 | 32 | 3,072 |
Risk
Assumption: medium
Implementation: high
Side-channel: medium
ML-DSA
digital-signature
- Security: Module-LWE & Module-SIS · SUF-CMA
- Standard: FIPS 204
| Params | Level | PK | SK | Sig |
|---|---|---|---|---|
| ML-DSA-44 | 2 | 1,312 | 2,560 | 2,420 |
| ML-DSA-65 | 3 | 1,952 | 4,032 | 3,309 |
| ML-DSA-87 | 5 | 2,592 | 4,896 | 4,627 |
Risk
Assumption: low
Implementation: high
Side-channel: medium
ML-KEM
kem
- Security: Module-LWE · IND-CCA2
- Standard: FIPS 203
| Params | Level | PK | SK | CT | SS |
|---|---|---|---|---|---|
| ML-KEM-512 | 1 | 800 | 1,632 | 768 | 32 |
| ML-KEM-768 | 3 | 1,184 | 2,400 | 1,088 | 32 |
| ML-KEM-1024 | 5 | 1,568 | 3,168 | 1,568 | 32 |
Risk
Assumption: low
Implementation: low
Side-channel: medium
SHRIMPS
digital-signature
- Security: Hash function second-preimage resistance (SHA-256) · EUF-CMA
- Standard: ePrint 2025/2203
| Params | Level | PK | SK | Sig |
|---|---|---|---|---|
| shrimps-compact | 1 | 16 | 32 | 2,564 |
| shrimps-fallback | 1 | 16 | 32 | 7,856 |
Risk
Assumption: low
Implementation: high
Side-channel: low
SHRINCS
digital-signature
- Security: Hash function second-preimage resistance (SHA-256) · EUF-CMA
- Standard: ePrint 2025/2203
| Params | Level | PK | SK | Sig |
|---|---|---|---|---|
| shrincs-128-stateful | 1 | 32 | 96 | 324 |
| shrincs-l-stateful | 1 | 32 | 96 | 1,092 |
| shrincs-l-stateless | 1 | 32 | 96 | 4,396 |
Risk
Assumption: low
Implementation: high
Side-channel: low
SLH-DSA
digital-signature
- Security: Hash function second-preimage resistance · EUF-CMA
- Standard: FIPS 205
| Params | Level | PK | SK | Sig |
|---|---|---|---|---|
| SLH-DSA-SHA2-128s | 1 | 32 | 64 | 7,856 |
| SLH-DSA-SHA2-128f | 1 | 32 | 64 | 17,088 |
| SLH-DSA-SHA2-192s | 3 | 48 | 96 | 16,224 |
| SLH-DSA-SHA2-192f | 3 | 48 | 96 | 35,664 |
| SLH-DSA-SHA2-256s | 5 | 64 | 128 | 29,792 |
| SLH-DSA-SHA2-256f | 5 | 64 | 128 | 49,856 |
| SLH-DSA-SHAKE-128s | 1 | 32 | 64 | 7,856 |
| SLH-DSA-SHAKE-128f | 1 | 32 | 64 | 17,088 |
| SLH-DSA-SHAKE-192s | 3 | 48 | 96 | 16,224 |
| SLH-DSA-SHAKE-192f | 3 | 48 | 96 | 35,664 |
| SLH-DSA-SHAKE-256s | 5 | 64 | 128 | 29,792 |
| SLH-DSA-SHAKE-256f | 5 | 64 | 128 | 49,856 |
Risk
Assumption: low
Implementation: low
Side-channel: low
XMSS
digital-signature
- Security: Hash function second-preimage resistance and pseudorandomness · EUF-CMA
- Standard: RFC 8391
| Params | Level | PK | SK | Sig |
|---|---|---|---|---|
| XMSS-SHA2_10_256 | 1 | 68 | 136 | 2,500 |
| XMSS-SHA2_16_256 | 1 | 68 | 136 | 2,692 |
| XMSS-SHA2_20_256 | 1 | 68 | 136 | 2,820 |
Risk
Assumption: low
Implementation: high
Side-channel: low