Post-Quantum Cryptography Algorithms
Migration from classical to post-quantum cryptographic algorithms
Migration from classical to post-quantum cryptographic algorithms
Data Sources: algorithms_transitions_04052026.csv, pqc_complete_algorithm_reference_04052026.csv • Updated: 4/5/2026
Algorithm Transition
Sort by:
RSA
ML-KEM-512
Encryption/KEM2048-bitNISTFIPS 203
2030
RSA
ML-KEM-768
Encryption/KEM3072-bitNISTFIPS 203
2035
RSA
ML-KEM-1024
Encryption/KEM4096-bitNISTFIPS 203
2035
ECDH
ML-KEM-512
Encryption/KEM256-bitNISTFIPS 203
2035
ECDH
ML-KEM-768
Encryption/KEM384-bitNISTFIPS 203
2035
ECDH
ML-KEM-1024
Encryption/KEM521-bitNISTFIPS 203
2035
X25519
ML-KEM-768
Encryption/KEM256-bitNISTFIPS 203
2035
X448
ML-KEM-1024
Encryption/KEM448-bitNISTFIPS 203
2035
DH
ML-KEM-768
Encryption/KEM2048-bitNISTFIPS 203
2035
RSA
HQC-128
Encryption/KEM2048-bitNISTCandidate
2030
RSA
HQC-192
Encryption/KEM3072-bitNISTCandidate
2035
RSA
HQC-256
Encryption/KEM4096-bitNISTCandidate
2035
ECDH
HQC-128
Encryption/KEM256-bitNISTCandidate
2035
ECDH
HQC-192
Encryption/KEM384-bitNISTCandidate
2035
ECDH
HQC-256
Encryption/KEM521-bitNISTCandidate
2035
X25519
HQC-192
Encryption/KEM256-bitNISTCandidate
2035
X448
HQC-256
Encryption/KEM448-bitNISTCandidate
2035
X25519
X25519MLKEM768
Hybrid KEM256-bitIETFCandidate
2035
ECDH
SecP256r1MLKEM768
Hybrid KEM256-bitIETFCandidate
2035
ECDH
SecP384r1MLKEM1024
Hybrid KEM384-bitIETFCandidate
2035
RSA-PSS
ML-DSA-44
Signature2048-bitNISTFIPS 204
2030
RSA-PSS
ML-DSA-65
Signature3072-bitNISTFIPS 204
2035
ECDSA
ML-DSA-44
Signature256-bitNISTFIPS 204
2035
ECDSA
ML-DSA-65
Signature384-bitNISTFIPS 204
2035
ECDSA
ML-DSA-87
Signature521-bitNISTFIPS 204
2035
RSA-PSS
ML-DSA-87
Signature4096-bitNISTFIPS 204
2035
RSA-PSS
FN-DSA-512
Signature2048-bitNISTCandidate
2030
RSA-PSS
FN-DSA-1024
Signature3072-bitNISTCandidate
2035
ECDSA
FN-DSA-512
Signature256-bitNISTCandidate
2035
ECDSA
FN-DSA-1024
Signature384-bitNISTCandidate
2035
ECDSA
FN-DSA-1024
Signature521-bitNISTCandidate
2035
Ed25519
FN-DSA-512
Signature256-bitNISTCandidate
2035
Ed448
FN-DSA-1024
Signature456-bitNISTCandidate
2035
Ed25519
ML-DSA-44
Signature256-bitNISTFIPS 204
2035
Ed25519
SLH-DSA-SHA2-128s
Signature256-bitNISTFIPS 205
2035
Ed448
SLH-DSA-SHA2-192s
Signature456-bitNISTFIPS 205
2035
Ed448
ML-DSA-65
Signature456-bitNISTFIPS 204
2035
RSA-PSS
SLH-DSA-SHA2-128s
Signature2048-bitNISTFIPS 205
2030
ECDSA
SLH-DSA-SHA2-128s
Signature256-bitNISTFIPS 205
2035
secp256k1
ML-DSA-44
Signature256-bitNISTFIPS 204
2035
secp256k1
FN-DSA-512
Signature256-bitNISTCandidate
2035
Any
SLH-DSA
SignatureN/ANISTFIPS 205
N/A
Any
LMS-SHA256
SignatureN/ANISTSP 800-208
N/A
Any
XMSS-SHA2_20
SignatureN/ANISTSP 800-208
N/A
SHA-1
SHA3-256
Hash160-bitNISTFIPS 202
Deprecated
MD5
SHA3-256
Hash128-bitNISTFIPS 202
Disallowed
SHA-256
SHA3-256
Hash256-bitNISTFIPS 202
Grover
HMAC-MD5
HMAC-SHA256
Hash128-bitNISTFIPS 198-1
Disallowed
SHA-1
HMAC-SHA256
Hash160-bitNISTFIPS 198-1
Deprecated
AES-256
AES-256
Symmetric256-bitNISTFIPS 197
Safe
AES-128
AES-256
Symmetric128-bitNISTFIPS 197
Not
AES-192
AES-256
Symmetric192-bitNISTFIPS 197
Grover
3DES
AES-256
Symmetric112-bit effectiveNISTFIPS 197
Disallowed
DES
AES-256
Symmetric56-bitNISTFIPS 197
Disallowed
SM2
Aigis-sig
Signature256-bitCACRTo Be Checked
TBD
SM2
Aigis-sig
Signature256-bitCACRTo Be Checked
TBD
SM2
Aigis-enc
Encryption/KEM256-bitCACRTo Be Checked
TBD
SM2
Aigis-enc
Encryption/KEM256-bitCACRTo Be Checked
TBD
SM2
LAC
Encryption/KEM256-bitCACRTo Be Checked
TBD
SM4
NGCC-BC
Symmetric128-bitCACRTo Be Checked
Not
SM3
NGCC-CH
Hash256-bitCACRTo Be Checked
Not
ECDH
SMAUG-T
Encryption/KEM256-bitKpqCCandidate
2035
ECDH
NTRU+
Encryption/KEM384-bitKpqCCandidate
2035
ECDSA
HAETAE
Signature256-bitKpqCCandidate
2035
ECDSA
AIMer
Signature256-bitKpqCCandidate
2035
RSA
FrodoKEM-976
Encryption/KEM3072-bitBSI/ANSSIISO 18033-2 Amd2
2035
RSA
FrodoKEM-1344
Encryption/KEM4096-bitBSI/ANSSIISO 18033-2 Amd2
2035
ECDH
FrodoKEM-640
Encryption/KEM256-bitBSI/ANSSIISO 18033-2 Amd2
2035
RSA
Classic McEliece 460896
Encryption/KEM3072-bitBSI/ANSSIBSI TR-02102-1
2035
RSA
Classic McEliece 6688128
Encryption/KEM4096-bitBSI/ANSSIBSI TR-02102-1
2035
Any
Covercrypt
Hybrid KEM with Access ControlN/AETSIETSI TS 104 015
N/A
ECDSA
UOV
Signature256-bitNISTCandidate
2035
ECDSA
MAYO
Signature256-bitNISTCandidate
2035
ECDSA
SQIsign
Signature256-bitNISTCandidate
2035
ECDSA
CROSS
Signature256-bitNISTCandidate
2035
ECDSA
LESS
Signature256-bitNISTCandidate
2035
ECDSA
FAEST
Signature256-bitNISTCandidate
2035
ECDSA
HAWK
Signature256-bitNISTCandidate
2035
ECDSA
SNOVA
Signature256-bitNISTCandidate
2035
RSA-PSS + ML-DSA
ML-DSA-44-RSA2048-PSS
Composite SignatureCompositeIETFCandidate
2035
ECDSA + ML-DSA
ML-DSA-44-ECDSA-P256
Composite SignatureCompositeIETFCandidate
2035
Ed25519 + ML-DSA
ML-DSA-44-Ed25519
Composite SignatureCompositeIETFCandidate
2035
ECDH + ML-KEM
ML-KEM-768-ECDH-P256
Composite KEMCompositeIETFCandidate
2035
RSA-OAEP + ML-KEM
ML-KEM-768-RSA-OAEP-2048
Composite KEMCompositeIETFCandidate
2035
DH
ML-KEM-768
Encryption/KEM3072-bitNISTFIPS 203
2035
DH
ML-KEM-1024
Encryption/KEM4096-bitNISTFIPS 203
2035
RSA PKCS#1 v1.5
ML-DSA-44
Signature2048-bitNISTFIPS 204
2030
RSA PKCS#1 v1.5
ML-DSA-65
Signature3072-bitNISTFIPS 204
2035
RSA-PSS
SLH-DSA-SHA2-256s
Signature4096-bitNISTFIPS 205
2035
ECDSA
SLH-DSA-SHA2-256s
Signature521-bitNISTFIPS 205
2035
Ed25519
SLH-DSA-SHAKE-128s
Signature256-bitNISTFIPS 205
2035
ECDSA
SLH-DSA-SHAKE-192s
Signature384-bitNISTFIPS 205
2035
DH
HQC-128
Encryption/KEM2048-bitNISTCandidate
2035
DH
HQC-192
Encryption/KEM3072-bitNISTCandidate
2035
SHA-1
SHA-256
Hash160-bitNISTFIPS 180-4
Deprecated
MD5
SHA-256
Hash128-bitNISTFIPS 180-4
Disallowed
HPKE
HPKE-PQ
Hybrid KEM (HPKE)256-bitIETFCandidate
2035
Encryption/KEM | RSA2048-bit | ML-KEM-512 (NIST Level 1) L1800B pk | NIST | FIPS 203 | 2030 (Deprecated) / 2035 (Disallowed) Std: 2024 (FIPS 203) |
Encryption/KEM | RSA3072-bit | ML-KEM-768 (NIST Level 3) L31,184B pk | NIST | FIPS 203 | 2035 (Disallowed) Std: 2024 (FIPS 203) |
Encryption/KEM | RSA4096-bit | ML-KEM-1024 (NIST Level 5) L51,568B pk | NIST | FIPS 203 | 2035 (Disallowed) Std: 2024 (FIPS 203) |
Encryption/KEM | ECDH (P-256)256-bit | ML-KEM-512 (NIST Level 1) L1800B pk | NIST | FIPS 203 | 2035 (Disallowed) Std: 2024 (FIPS 203) |
Encryption/KEM | ECDH (P-384)384-bit | ML-KEM-768 (NIST Level 3) L31,184B pk | NIST | FIPS 203 | 2035 (Disallowed) Std: 2024 (FIPS 203) |
Encryption/KEM | ECDH (P-521)521-bit | ML-KEM-1024 (NIST Level 5) L51,568B pk | NIST | FIPS 203 | 2035 (Disallowed) Std: 2024 (FIPS 203) |
Encryption/KEM | X25519256-bit | ML-KEM-768 (NIST Level 3) L31,184B pk | NIST | FIPS 203 | 2035 (Disallowed) Std: 2024 (FIPS 203) |
Encryption/KEM | X448448-bit | ML-KEM-1024 (NIST Level 5) L51,568B pk | NIST | FIPS 203 | 2035 (Disallowed) Std: 2024 (FIPS 203) |
Encryption/KEM | DH (Diffie-Hellman)2048-bit | ML-KEM-768 (NIST Level 3) L31,184B pk | NIST | FIPS 203 | 2035 (Disallowed) Std: 2024 (FIPS 203) |
Encryption/KEM | RSA2048-bit | HQC-128 (NIST Level 1) L12,249B pk | NIST | Candidate | 2030 (Deprecated) / 2035 (Disallowed) Std: Selected 2025 (Draft ~2027) |
Encryption/KEM | RSA3072-bit | HQC-192 (NIST Level 3) L34,522B pk | NIST | Candidate | 2035 (Disallowed) Std: Selected 2025 (Draft ~2027) |
Encryption/KEM | RSA4096-bit | HQC-256 (NIST Level 5) L57,245B pk | NIST | Candidate | 2035 (Disallowed) Std: Selected 2025 (Draft ~2027) |
Encryption/KEM | ECDH (P-256)256-bit | HQC-128 (NIST Level 1) L12,249B pk | NIST | Candidate | 2035 (Disallowed) Std: Selected 2025 (Draft ~2027) |
Encryption/KEM | ECDH (P-384)384-bit | HQC-192 (NIST Level 3) L34,522B pk | NIST | Candidate | 2035 (Disallowed) Std: Selected 2025 (Draft ~2027) |
Encryption/KEM | ECDH (P-521)521-bit | HQC-256 (NIST Level 5) L57,245B pk | NIST | Candidate | 2035 (Disallowed) Std: Selected 2025 (Draft ~2027) |
Encryption/KEM | X25519256-bit | HQC-192 (NIST Level 3) L34,522B pk | NIST | Candidate | 2035 (Disallowed) Std: Selected 2025 (Draft ~2027) |
Encryption/KEM | X448448-bit | HQC-256 (NIST Level 5) L57,245B pk | NIST | Candidate | 2035 (Disallowed) Std: Selected 2025 (Draft ~2027) |
Hybrid KEM | X25519256-bit | X25519MLKEM768 (Hybrid Level 3) L3NaNB pk | IETF | Candidate | 2035 (Disallowed) Std: ~2026 (IETF RFC Pending) |
Hybrid KEM | ECDH (P-256)256-bit | SecP256r1MLKEM768 (Hybrid Level 3) L3NaNB pk | IETF | Candidate | 2035 (Disallowed) Std: ~2026 (IETF RFC Pending) |
Hybrid KEM | ECDH (P-384)384-bit | SecP384r1MLKEM1024 (Hybrid Level 5) L5NaNB pk | IETF | Candidate | 2035 (Disallowed) Std: ~2026 (IETF RFC Pending) |
Signature | RSA-PSS2048-bit | ML-DSA-44 (NIST Level 2) L21,312B pk | NIST | FIPS 204 | 2030 (Deprecated) / 2035 (Disallowed) Std: 2024 (FIPS 204) |
Signature | RSA-PSS3072-bit | ML-DSA-65 (NIST Level 3) L31,952B pk | NIST | FIPS 204 | 2035 (Disallowed) Std: 2024 (FIPS 204) |
Signature | ECDSA (P-256)256-bit | ML-DSA-44 (NIST Level 2) L21,312B pk | NIST | FIPS 204 | 2035 (Disallowed) Std: 2024 (FIPS 204) |
Signature | ECDSA (P-384)384-bit | ML-DSA-65 (NIST Level 3) L31,952B pk | NIST | FIPS 204 | 2035 (Disallowed) Std: 2024 (FIPS 204) |
Signature | ECDSA (P-521)521-bit | ML-DSA-87 (NIST Level 5) L52,592B pk | NIST | FIPS 204 | 2035 (Disallowed) Std: 2024 (FIPS 204) |
Signature | RSA-PSS4096-bit | ML-DSA-87 (NIST Level 5) L52,592B pk | NIST | FIPS 204 | 2035 (Disallowed) Std: 2024 (FIPS 204) |
Signature | RSA-PSS2048-bit | FN-DSA-512 (NIST Level 1) L1897B pk | NIST | Candidate | 2030 (Deprecated) / 2035 (Disallowed) Std: Draft submitted 2025 (Final ~2027) |
Signature | RSA-PSS3072-bit | FN-DSA-1024 (NIST Level 5) L51,793B pk | NIST | Candidate | 2035 (Disallowed) Std: Draft submitted 2025 (Final ~2027) |
Signature | ECDSA (P-256)256-bit | FN-DSA-512 (NIST Level 1) L1897B pk | NIST | Candidate | 2035 (Disallowed) Std: Draft submitted 2025 (Final ~2027) |
Signature | ECDSA (P-384)384-bit | FN-DSA-1024 (NIST Level 5) L51,793B pk | NIST | Candidate | 2035 (Disallowed) Std: Draft submitted 2025 (Final ~2027) |
Signature | ECDSA (P-521)521-bit | FN-DSA-1024 (NIST Level 5) L51,793B pk | NIST | Candidate | 2035 (Disallowed) Std: Draft submitted 2025 (Final ~2027) |
Signature | Ed25519256-bit | FN-DSA-512 (NIST Level 1) L1897B pk | NIST | Candidate | 2035 (Disallowed) Std: Draft submitted 2025 (Final ~2027) |
Signature | Ed448456-bit | FN-DSA-1024 (NIST Level 5) L51,793B pk | NIST | Candidate | 2035 (Disallowed) Std: Draft submitted 2025 (Final ~2027) |
Signature | Ed25519256-bit | ML-DSA-44 (NIST Level 2) L21,312B pk | NIST | FIPS 204 | 2035 (Disallowed) Std: 2024 (FIPS 204) |
Signature | Ed25519256-bit | SLH-DSA-SHA2-128s (Level 1) L132B pk | NIST | FIPS 205 | 2035 (Disallowed) Std: 2024 (FIPS 205) |
Signature | Ed448456-bit | SLH-DSA-SHA2-192s (Level 3) L348B pk | NIST | FIPS 205 | 2035 (Disallowed) Std: 2024 (FIPS 205) |
Signature | Ed448456-bit | ML-DSA-65 (NIST Level 3) L31,952B pk | NIST | FIPS 204 | 2035 (Disallowed) Std: 2024 (FIPS 204) |
Signature | RSA-PSS2048-bit | SLH-DSA-SHA2-128s (Level 1) L132B pk | NIST | FIPS 205 | 2030 (Deprecated) / 2035 (Disallowed) Std: 2024 (FIPS 205) |
Signature | ECDSA (P-256)256-bit | SLH-DSA-SHA2-128s (Level 1) L132B pk | NIST | FIPS 205 | 2035 (Disallowed) Std: 2024 (FIPS 205) |
Signature | secp256k1256-bit | ML-DSA-44 (NIST Level 2) L21,312B pk | NIST | FIPS 204 | 2035 (Disallowed) Std: 2024 (FIPS 204) |
Signature | secp256k1256-bit | FN-DSA-512 (NIST Level 1) L1897B pk | NIST | Candidate | 2035 (Disallowed) Std: Draft submitted 2025 (Final ~2027) |
Signature | Any (Stateless)N/A | SLH-DSA (All Variants) | NIST | FIPS 205 | N/A Std: 2024 (FIPS 205) |
Signature | Any (Firmware Signing)N/A | LMS-SHA256 (Stateful) | NIST | SP 800-208 | N/A Std: 2020 (SP 800-208) |
Signature | Any (Firmware Signing)N/A | XMSS-SHA2_20 (Stateful) 64B pk | NIST | SP 800-208 | N/A Std: 2020 (SP 800-208) |
Hash | SHA-1160-bit | SHA3-256 (FIPS 202) | NIST | FIPS 202 | Deprecated 2011 / Disallowed 2030 — Grover: no additional risk (classically broken) Std: 2015 (FIPS 202) |
Hash | MD5128-bit | SHA3-256 (FIPS 202) | NIST | FIPS 202 | Disallowed — classically broken; Grover not primary concern Std: 2015 (FIPS 202) |
Hash | SHA-256256-bit | SHA3-256 (FIPS 202) | NIST | FIPS 202 | Grover reduces to ~128-bit — still quantum-safe; upgrade recommended for new PQC systems Std: 2015 (FIPS 202) |
Hash | HMAC-MD5128-bit | HMAC-SHA256 (FIPS 198-1) | NIST | FIPS 198-1 | Disallowed — classically broken; migrate immediately Std: 2002 (FIPS 198-1) |
Hash | SHA-1 (HMAC)160-bit | HMAC-SHA256 (FIPS 198-1) | NIST | FIPS 198-1 | Deprecated 2011 / Disallowed 2030 Std: 2002 (FIPS 198-1) |
Symmetric | AES-256256-bit | AES-256 (FIPS 197) | NIST | FIPS 197 | Safe beyond 2030 — Grover reduces to ~128-bit; remains quantum-resistant for symmetric encryption Std: 2001 (FIPS 197) |
Symmetric | AES-128128-bit | AES-256 (FIPS 197) | NIST | FIPS 197 | Not deprecated by NIST — Grover's theoretically halves security but deemed impractical (NIST 2024); CNSA 2.0 recommends AES-256 for national security systems Std: 2001 (FIPS 197) |
Symmetric | AES-192192-bit | AES-256 (FIPS 197) | NIST | FIPS 197 | Grover reduces to ~96-bit quantum security — upgrade recommended Std: 2001 (FIPS 197) |
Symmetric | 3DES112-bit effective | AES-256 (FIPS 197) | NIST | FIPS 197 | Disallowed Jan 2024 — Grover reduces to ~56-bit; migrate immediately Std: 2001 (FIPS 197) |
Symmetric | DES56-bit | AES-256 (FIPS 197) | NIST | FIPS 197 | Disallowed — broken classically and by Grover Std: 2001 (FIPS 197) |
Signature | SM2 (OSCCA)256-bit | Aigis-sig (CACR Level 1) | CACR | To Be Checked | TBD — NGCC program targeting ~2028 Std: 2020 (CACR 1st Prize); NGCC standardization ~2028 |
Signature | SM2 (OSCCA)256-bit | Aigis-sig (CACR Level 5) | CACR | To Be Checked | TBD — NGCC program targeting ~2028 Std: 2020 (CACR 1st Prize); NGCC standardization ~2028 |
Encryption/KEM | SM2 (OSCCA)256-bit | Aigis-enc (CACR Level 1) | CACR | To Be Checked | TBD — NGCC program targeting ~2028 Std: 2020 (CACR 1st Prize); NGCC standardization ~2028 |
Encryption/KEM | SM2 (OSCCA)256-bit | Aigis-enc (CACR Level 5) | CACR | To Be Checked | TBD — NGCC program targeting ~2028 Std: 2020 (CACR 1st Prize); NGCC standardization ~2028 |
Encryption/KEM | SM2 (OSCCA)256-bit | LAC (CACR LWE-based KEM) | CACR | To Be Checked | TBD — NGCC program targeting ~2028 Std: 2020 (CACR 1st Prize); NGCC standardization ~2028 |
Symmetric | SM4 (OSCCA)128-bit | NGCC-BC (TBD — Chinese PQ block cipher) | CACR | To Be Checked | Not deprecated — Grover reduces to ~64-bit; NGCC-BC track initiated Std: NGCC call open; submissions due June 2026; standard ~2028 |
Hash | SM3 (OSCCA)256-bit | NGCC-CH (TBD — Chinese PQ hash) | CACR | To Be Checked | Not deprecated — Grover reduces to ~128-bit; NGCC-CH track initiated Std: NGCC call open; submissions due June 2026; standard ~2028 |
Encryption/KEM | ECDH (P-256)256-bit | SMAUG-T (KpqC Level 1) | KpqC | Candidate | 2035 (Disallowed) Std: 2025 (KpqC Final Winner); Korean national standard TBD |
Encryption/KEM | ECDH (P-384)384-bit | NTRU+ (KpqC Level 3) | KpqC | Candidate | 2035 (Disallowed) Std: 2025 (KpqC Final Winner); Korean national standard TBD |
Signature | ECDSA (P-256)256-bit | HAETAE (KpqC Lattice Signature) | KpqC | Candidate | 2035 (Disallowed) Std: 2025 (KpqC Final Winner); Korean national standard TBD |
Signature | ECDSA (P-256)256-bit | AIMer (KpqC Symmetric Signature) | KpqC | Candidate | 2035 (Disallowed) Std: 2025 (KpqC Final Winner); Korean national standard TBD |
Encryption/KEM | RSA3072-bit | FrodoKEM-976 (BSI/ANSSI/ISO Level 3) L315,632B pk | BSI/ANSSI | ISO 18033-2 Amd2 | 2035 (Disallowed) Std: ISO/IEC 18033-2 Amd2 approved; BSI TR-02102-1 recommended |
Encryption/KEM | RSA4096-bit | FrodoKEM-1344 (BSI/ANSSI/ISO Level 5) L521,520B pk | BSI/ANSSI | ISO 18033-2 Amd2 | 2035 (Disallowed) Std: ISO/IEC 18033-2 Amd2 approved; BSI TR-02102-1 recommended |
Encryption/KEM | ECDH (P-256)256-bit | FrodoKEM-640 (BSI/ISO Level 1) L19,616B pk | BSI/ANSSI | ISO 18033-2 Amd2 | 2035 (Disallowed) Std: ISO/IEC 18033-2 Amd2 approved; BSI TR-02102-1 recommended |
Encryption/KEM | RSA3072-bit | Classic McEliece 460896 (BSI Level 1) | BSI/ANSSI | BSI TR-02102-1 | 2035 (Disallowed) Std: BSI TR-02102-1 recommended; NIST delayed for ISO alignment |
Encryption/KEM | RSA4096-bit | Classic McEliece 6688128 (BSI Level 5) | BSI/ANSSI | BSI TR-02102-1 | 2035 (Disallowed) Std: BSI TR-02102-1 recommended; NIST delayed for ISO alignment |
Hybrid KEM with Access Control | Any (Attribute-Based Encryption)N/A | Covercrypt (ETSI TS 104 015) | ETSI | ETSI TS 104 015 | N/A Std: Feb 2025 (ETSI TS 104 015 published) |
Signature | ECDSA (P-256)256-bit | UOV (NIST Sig Round 2 — Multivariate) | NIST | Candidate | 2035 (Disallowed) Std: NIST Additional Sig Round 2 (Oct 2024); final ~2027 |
Signature | ECDSA (P-256)256-bit | MAYO (NIST Sig Round 2 — Multivariate) | NIST | Candidate | 2035 (Disallowed) Std: NIST Additional Sig Round 2 (Oct 2024); final ~2027 |
Signature | ECDSA (P-256)256-bit | SQIsign (NIST Sig Round 2 — Isogeny) | NIST | Candidate | 2035 (Disallowed) Std: NIST Additional Sig Round 2 (Oct 2024); final ~2027 |
Signature | ECDSA (P-256)256-bit | CROSS (NIST Sig Round 2 — Code-based) | NIST | Candidate | 2035 (Disallowed) Std: NIST Additional Sig Round 2 (Oct 2024); final ~2027 |
Signature | ECDSA (P-256)256-bit | LESS (NIST Sig Round 2 — Code-based) | NIST | Candidate | 2035 (Disallowed) Std: NIST Additional Sig Round 2 (Oct 2024); final ~2027 |
Signature | ECDSA (P-256)256-bit | FAEST (NIST Sig Round 2 — Hash-based) | NIST | Candidate | 2035 (Disallowed) Std: NIST Additional Sig Round 2 (Oct 2024); final ~2027 |
Signature | ECDSA (P-256)256-bit | HAWK (NIST Sig Round 2 — Lattice) | NIST | Candidate | 2035 (Disallowed) Std: NIST Additional Sig Round 2 (Oct 2024); final ~2027 |
Signature | ECDSA (P-256)256-bit | SNOVA (NIST Sig Round 2 — Multivariate) | NIST | Candidate | 2035 (Disallowed) Std: NIST Additional Sig Round 2 (Oct 2024); final ~2027 |
Composite Signature | RSA-PSS + ML-DSAComposite | ML-DSA-44-RSA2048-PSS (IETF Composite Sig) | IETF | Candidate | 2035 (Disallowed) Std: IETF draft-ietf-lamps-pq-composite-sigs-15 (2025) |
Composite Signature | ECDSA + ML-DSAComposite | ML-DSA-44-ECDSA-P256 (IETF Composite Sig) | IETF | Candidate | 2035 (Disallowed) Std: IETF draft-ietf-lamps-pq-composite-sigs-15 (2025) |
Composite Signature | Ed25519 + ML-DSAComposite | ML-DSA-44-Ed25519 (IETF Composite Sig) | IETF | Candidate | 2035 (Disallowed) Std: IETF draft-ietf-lamps-pq-composite-sigs-15 (2025) |
Composite KEM | ECDH + ML-KEMComposite | ML-KEM-768-ECDH-P256 (IETF Composite KEM) | IETF | Candidate | 2035 (Disallowed) Std: IETF draft-ietf-lamps-pq-composite-kem-12 (2025) |
Composite KEM | RSA-OAEP + ML-KEMComposite | ML-KEM-768-RSA-OAEP-2048 (IETF Composite KEM) | IETF | Candidate | 2035 (Disallowed) Std: IETF draft-ietf-lamps-pq-composite-kem-12 (2025) |
Encryption/KEM | DH (Diffie-Hellman)3072-bit | ML-KEM-768 (NIST Level 3) L31,184B pk | NIST | FIPS 203 | 2035 (Disallowed) Std: 2024 (FIPS 203) |
Encryption/KEM | DH (Diffie-Hellman)4096-bit | ML-KEM-1024 (NIST Level 5) L51,568B pk | NIST | FIPS 203 | 2035 (Disallowed) Std: 2024 (FIPS 203) |
Signature | RSA PKCS#1 v1.52048-bit | ML-DSA-44 (NIST Level 2) L21,312B pk | NIST | FIPS 204 | 2030 (Deprecated) / 2035 (Disallowed) Std: 2024 (FIPS 204) |
Signature | RSA PKCS#1 v1.53072-bit | ML-DSA-65 (NIST Level 3) L31,952B pk | NIST | FIPS 204 | 2035 (Disallowed) Std: 2024 (FIPS 204) |
Signature | RSA-PSS4096-bit | SLH-DSA-SHA2-256s (Level 5) L564B pk | NIST | FIPS 205 | 2035 (Disallowed) Std: 2024 (FIPS 205) |
Signature | ECDSA (P-521)521-bit | SLH-DSA-SHA2-256s (Level 5) L564B pk | NIST | FIPS 205 | 2035 (Disallowed) Std: 2024 (FIPS 205) |
Signature | Ed25519256-bit | SLH-DSA-SHAKE-128s (Level 1) L132B pk | NIST | FIPS 205 | 2035 (Disallowed) Std: 2024 (FIPS 205) |
Signature | ECDSA (P-384)384-bit | SLH-DSA-SHAKE-192s (Level 3) L348B pk | NIST | FIPS 205 | 2035 (Disallowed) Std: 2024 (FIPS 205) |
Encryption/KEM | DH (Diffie-Hellman)2048-bit | HQC-128 (NIST Level 1) L12,249B pk | NIST | Candidate | 2035 (Disallowed) Std: Selected 2025 (Draft ~2027) |
Encryption/KEM | DH (Diffie-Hellman)3072-bit | HQC-192 (NIST Level 3) L34,522B pk | NIST | Candidate | 2035 (Disallowed) Std: Selected 2025 (Draft ~2027) |
Hash | SHA-1160-bit | SHA-256 (FIPS 180-4) | NIST | FIPS 180-4 | Deprecated 2011 / Disallowed 2030 — Grover: no additional risk (classically broken) Std: 2012 (FIPS 180-4 Rev) |
Hash | MD5128-bit | SHA-256 (FIPS 180-4) | NIST | FIPS 180-4 | Disallowed — classically broken; Grover not primary concern Std: 2012 (FIPS 180-4 Rev) |
Hybrid KEM (HPKE) | HPKE (X25519+HKDF)256-bit | HPKE-PQ (ML-KEM-768 + X25519, IETF) | IETF | Candidate | 2035 (Disallowed) Std: IETF draft-ietf-hpke-pq-03 (2025) |