For years the honest answer to "what do we migrate to?" was "we're not sure yet." That ended in August 2024, when the US National Institute of Standards and Technology finalised its first post-quantum standards. India's framework references them directly, which means an Indian bank's target state is no longer a research question — it is a named set of algorithms.
The three standards
- FIPS 203 — ML-KEM (derived from Kyber). A Key Encapsulation Mechanism: it replaces the public-key key exchange that establishes session keys in TLS (today ECDHE, or RSA key transport on older stacks) and the public-key wrapping of keys inside a KMS. This is the front line against HNDL, because key exchange is what protects data in transit: a recording of today's handshake is decryptable the day a large enough quantum machine exists, and a recorded handshake cannot be re-negotiated after the fact. Note the scope: ML-KEM fixes the exchange, not the certificate chain that authenticates it, which is ML-DSA's job.
- FIPS 204 — ML-DSA (derived from Dilithium). A lattice-based digital signature algorithm — the general-purpose replacement for RSA and ECDSA signatures on transactions, tokens and certificates. This is the front line against TNFL.
- FIPS 205 — SLH-DSA (derived from SPHINCS+). A stateless hash-based signature scheme. It is larger and slower than ML-DSA, but it rests on the security of hash functions rather than lattice mathematics — a different, very conservative foundation. That makes it the prudent choice for the highest-assurance, longest-lived signing roots, where you want resilience even if a future weakness is found in lattice schemes.
A fourth standard, FIPS 206 (FN-DSA, derived from Falcon), is anticipated — a compact lattice signature useful where signature size is constrained. For most BFSI planning today, ML-KEM, ML-DSA and SLH-DSA are the working set.
What does not need replacing
A common misconception is that quantum computing breaks all cryptography. It does not. Symmetric encryption (AES) and hash functions (SHA-2/3) are weakened by Grover's algorithm, not broken by it: Grover's search roughly halves the effective key length, so AES-128 drops to about 64 bits of quantum security while AES-256 keeps about 128. The fix is to use larger parameters, not new algorithms. The report directs exactly this: strengthen rather than replace, for example migrating AES-128 to AES-256. The expensive, structural work is concentrated in public-key cryptography — key exchange and signatures — which is where RSA and ECC live, because Shor's algorithm breaks those outright rather than merely weakening them.
Quantum computing doesn't break everything. It breaks the part that establishes trust between strangers — and that is the part the whole internet runs on.
The hybrid transition rule
The report does not ask for a flag-day cut-over. During Milestone 2 it calls for hybrid (classical + PQC) deployment — running a classical algorithm and a post-quantum one together, so the channel stays secure even if one scheme is later found flawed. In practice this looks like hybrid TLS key exchange (for example X25519 combined with ML-KEM-768, the X25519MLKEM768 group that mainstream browsers and CDNs already negotiate by default) and dual-chain or hybrid certificates. The two shared secrets are not used side by side; they are concatenated and fed through the key schedule together, so an attacker who recovers only the X25519 secret still learns nothing about the session key. Hybrid de-risks an immature ecosystem: it protects against HNDL now without betting everything on algorithms the world has only recently standardised. The caveat is that hybrid key exchange is the mature half; hybrid and composite signature certificates are still being standardised and have far less interoperability testing behind them.
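The hybrid exchange described above, as an added example that is not part of the original article or of any product it mentions. It uses Go's standard library only (crypto/mlkem, crypto/ecdh and crypto/hkdf, all present from Go 1.24): the client sends an ML-KEM-768 encapsulation key plus an X25519 point, the server answers with an ML-KEM ciphertext plus its own X25519 point, and both sides concatenate the two shared secrets into one HKDF input. The wire ordering (ML-KEM component first) follows the X25519MLKEM768 draft; the HKDF info string and the function names are this example's own assumptions, not TLS labels.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed wire layout for this demo: ML-KEM component first, then the 32-byte
// X25519 component, matching the X25519MLKEM768 ordering in the IETF draft.
const (
	clientShareLen = mlkem.EncapsulationKeySize768 + 32 // 1184 + 32 = 1216
	serverShareLen = mlkem.CiphertextSize768 + 32       // 1088 + 32 = 1120
)

// Client keeps its ephemeral private halves until the server share arrives.
type Client struct {
	dk *mlkem.DecapsulationKey768
	xk *ecdh.PrivateKey
}

// ClientHello generates fresh ML-KEM-768 and X25519 key pairs and returns
// the hybrid key share the client would carry in its ClientHello.
func ClientHello() (*Client, []byte, error) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, err
	}
	xk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	share := make([]byte, 0, clientShareLen)
	share = append(share, dk.EncapsulationKey().Bytes()...)
	share = append(share, xk.PublicKey().Bytes()...)
	return &Client{dk: dk, xk: xk}, share, nil
}

// ServerHello parses the client share, encapsulates to the ML-KEM key, runs
// X25519 against the client's point, and returns its share plus its traffic key.
func ServerHello(clientShare []byte) (serverShare, key []byte, err error) {
	if len(clientShare) != clientShareLen {
		return nil, nil, errors.New("client key share has wrong length")
	}
	ek, err := mlkem.NewEncapsulationKey768(clientShare[:mlkem.EncapsulationKeySize768])
	if err != nil {
		return nil, nil, err
	}
	xpub, err := ecdh.X25519().NewPublicKey(clientShare[mlkem.EncapsulationKeySize768:])
	if err != nil {
		return nil, nil, err
	}
	pqSecret, ct := ek.Encapsulate()
	xk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ecSecret, err := xk.ECDH(xpub)
	if err != nil {
		return nil, nil, err
	}
	serverShare = make([]byte, 0, serverShareLen)
	serverShare = append(serverShare, ct...)
	serverShare = append(serverShare, xk.PublicKey().Bytes()...)
	key, err = combine(pqSecret, ecSecret)
	return serverShare, key, err
}

// Finish lets the client decapsulate, complete X25519 and derive the same key.
func (c *Client) Finish(serverShare []byte) ([]byte, error) {
	if len(serverShare) != serverShareLen {
		return nil, errors.New("server key share has wrong length")
	}
	pqSecret, err := c.dk.Decapsulate(serverShare[:mlkem.CiphertextSize768])
	if err != nil {
		return nil, err
	}
	xpub, err := ecdh.X25519().NewPublicKey(serverShare[mlkem.CiphertextSize768:])
	if err != nil {
		return nil, err
	}
	ecSecret, err := c.xk.ECDH(xpub)
	if err != nil {
		return nil, err
	}
	return combine(pqSecret, ecSecret)
}

// combine is the hybrid step: both secrets go into one HKDF-SHA256 input, so
// recovering only the X25519 secret (or only the ML-KEM one) yields nothing.
// The info string is a placeholder for this demo, not a TLS label.
func combine(pqSecret, ecSecret []byte) ([]byte, error) {
	ikm := make([]byte, 0, len(pqSecret)+len(ecSecret))
	ikm = append(ikm, pqSecret...)
	ikm = append(ikm, ecSecret...)
	return hkdf.Key(sha256.New, ikm, nil, "hybrid-demo traffic key", 32)
}

// Handshake runs one full exchange and returns both sides' traffic keys. With
// tamper set, one bit of the ML-KEM ciphertext is flipped in transit: ML-KEM
// uses implicit rejection, so Finish returns an unrelated key rather than an
// error, and the mismatch only surfaces when the Finished MAC fails.
func Handshake(tamper bool) (clientKey, serverKey []byte, err error) {
	c, cs, err := ClientHello()
	if err != nil {
		return nil, nil, err
	}
	ss, serverKey, err := ServerHello(cs)
	if err != nil {
		return nil, nil, err
	}
	if tamper {
		ss[0] ^= 0x01
	}
	clientKey, err = c.Finish(ss)
	return clientKey, serverKey, err
}

func main() {
	ck, sk, err := Handshake(false)
	if err != nil {
		panic(err)
	}
	fmt.Printf("client share %d bytes, server share %d bytes, keys match: %v\n",
		clientShareLen, serverShareLen, bytes.Equal(ck, sk))
}
```

Two things worth noticing when running it: the client share alone is 1,216 bytes where X25519 needed 32, which is the fragmentation issue discussed further down; and the tampered run does not error out, because ML-KEM's implicit rejection hides a bad ciphertext until the key confirmation step, so any monitoring for handshake failures has to watch the Finished exchange, not the decapsulation.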
The operational reality nobody mentions
PQC keys and signatures are bigger — sometimes substantially — than their RSA and ECC equivalents, and some operations cost more compute. An X25519 key share is 32 bytes; an ML-KEM-768 encapsulation key is 1,184 bytes and its ciphertext 1,088. An ECDSA P-256 signature is 64 bytes; an ML-DSA-65 signature is 3,309 bytes with a 1,952-byte public key, and SLH-DSA signatures run from roughly 8 KB (the 128s parameter set) to nearly 50 KB (256f). The report is candid that this introduces performance overhead, manageable in millisecond-scale systems but genuinely problematic in microsecond-scale environments. For BFSI that means the migration is not a find-and-replace; it touches certificate sizes, handshake latency, packet fragmentation (a hybrid ClientHello no longer fits in a single packet, and some middleboxes and load balancers mishandle a multi-packet ClientHello), HSM throughput and protocol limits. Each high-priority system needs its own performance assessment — which is also why the report repeatedly insists on pilots before full migration.
The takeaway for an Indian institution
The destination is known and standardised, so the strategic uncertainty is gone. What remains is engineering and sequencing: map every quantum-vulnerable asset to its FIPS replacement, decide where hybrid is the transitional step, and order the work by exposure and effort. The map above is the easy half. Knowing which of your systems sits on each red box — and migrating them without breaking a payment rail — is the work.
KavachQ's PLAN module maps each vulnerable asset to its FIPS replacement (RSA → ML-DSA-65, ECDHE → ML-KEM-768) with the corresponding standard and an effort estimate, and flags where hybrid transition applies. Its PROVE module produces reporting aligned to the DST L1–L4 assurance framework. KavachQ does not build cryptographic primitives itself. → The destination is standardised; the sequencing is where the value is.