Compare the NIST-standardised post-quantum algorithms KavachQ will deploy across your estate. Understand sizes, performance, and which algorithm fits which use case.
A sufficiently large quantum computer running Shor's algorithm factors integers and solves discrete logarithms in polynomial time — collapsing today's RSA, DH, and ECC.
Grover's quadratic speed-up halves the effective key strength of symmetric ciphers. AES-128 becomes ~64-bit; AES-256 remains comfortably safe and is the right post-quantum default.
A Cryptographically Relevant Quantum Computer is one large enough to run Shor's algorithm against real-world keys. Mainstream estimates place a CRQC within the 2030s.
KEMs establish shared secrets between parties. ML-KEM replaces ECDH / RSA key exchange in TLS, VPN, and messaging protocols.
| Algorithm | Standard | Family | Status | Sec. Level | Public Key | Ciphertext | Performance |
|---|---|---|---|---|---|---|---|
| ML-KEM (Kyber) | FIPS 203 | Lattice | NIST Finalized | 1 | 800 B | 768 B | ~0.04 ms |
| 3 | 1184 B | 1088 B | ~0.06 ms | ||||
| 5 | 1568 B | 1568 B | ~0.08 ms | ||||
| HQC | Draft FIPS pending | Code-based | NIST 5th Selection | 1 | 2249 B | 4497 B | ~0.1 ms |
| 3 | 4522 B | 9042 B | ~0.2 ms | ||||
| 5 | 7245 B | 14469 B | ~0.4 ms | ||||
| BIKE | NIST Round 4 | Code-based | Not Selected | 1 | 1541 B | 1573 B | ~0.1 ms |
| 3 | 3083 B | 3115 B | ~0.2 ms | ||||
| RSA | PKCS#1 / RFC 8017 | Factoring | Quantum Vulnerable | 112-bit cl. | 256 B | — | ~1 ms |
| 128-bit cl. | 384 B | — | ~3 ms | ||||
| ~140-bit cl. | 512 B | — | ~8 ms |
Digital signatures authenticate identity and data integrity. ML-DSA, SLH-DSA, and FN-DSA are the post-quantum replacements.
| Algorithm | Standard | Family | Status | Sec. Level | Public Key | Signature | Sign / Verify |
|---|---|---|---|---|---|---|---|
| ML-DSA (Dilithium) | FIPS 204 | Lattice | NIST Finalized | 2 | 1312 B | 2420 B | ~0.15 / ~0.05 ms |
| 3 | 1952 B | 3309 B | ~0.25 / ~0.08 ms | ||||
| 5 | 2592 B | 4627 B | ~0.38 / ~0.10 ms | ||||
| SLH-DSA (SPHINCS+) | FIPS 205 | Hash-based | NIST Finalized | 1 | 32 B | 7856 B | ~50 / ~3 ms |
| 1 | 32 B | 17088 B | ~3 / ~0.5 ms | ||||
| 5 | 64 B | 29792 B | ~200 / ~6 ms | ||||
| FN-DSA (Falcon) | FIPS 206 (Draft) | Lattice | NIST Finalizing | 1 | 897 B | 666 B | ~0.5 / ~0.05 ms |
| 5 | 1793 B | 1280 B | ~1 / ~0.10 ms | ||||
| RSA | PKCS#1 / RFC 8017 | Factoring | Vulnerable | 112-bit cl. | 256 B | 256 B | ~1 / ~0.03 ms |
| 128-bit cl. | 384 B | 384 B | ~3 / ~0.05 ms | ||||
| ~140-bit cl. | 512 B | 512 B | ~8 / ~0.08 ms | ||||
| ECDSA | FIPS 186-5 | Elliptic Curve | Vulnerable | 128-bit cl. | 64 B | 64 B | ~0.05 / ~0.10 ms |
| 192-bit cl. | 96 B | 96 B | ~0.15 / ~0.30 ms |
Description, strengths, limitations, and recommended use cases for each algorithm.
Match your infrastructure needs to the right algorithm.
You need a KEM to replace ECDH for establishing shared secrets.
Already adopted by Chrome, Firefox, Cloudflare, and AWS. Use hybrid (X25519 + ML-KEM) during transition.
You need digital signatures for software distribution and PKI.
Good balance of key/signature size and performance. Use SLH-DSA as a conservative backup for root certificates.
Constrained devices with limited bandwidth and storage.
FN-DSA has the smallest signatures among lattice schemes. Careful implementation needed to avoid side channels.
Applications where the cost of a break is catastrophic (nuclear, defence, long-lived secrets).
SLH-DSA relies only on hash function security — the most conservative assumption. Large signatures acceptable for high-stakes use.