
NIST Finalized Four Post-Quantum Algorithms and the Migration Has Barely Started

In August 2024, the National Institute of Standards and Technology published three Federal Information Processing Standards — FIPS 203, 204, and 205 — covering key encapsulation and digital signatures designed to withstand attack by fault-tolerant quantum computers. A fourth standard, based on the Falcon signature scheme, is expected in late 2026. The algorithms exist. The specifications are final. Adoption across the software stack, and especially across decentralized blockchain networks, has barely begun.

Key Takeaways

  • NIST selected CRYSTALS-Kyber (FIPS 203) for key encapsulation and CRYSTALS-Dilithium (FIPS 204) plus SPHINCS+ (FIPS 205) for digital signatures in August 2024, after a six-year evaluation that started with 82 submissions from 25 countries.
  • Kyber-768 public keys are 1,184 bytes and ciphertexts are 1,088 bytes — roughly 37x larger than a 256-bit ECDH exchange — while encapsulation completes in under 0.1 milliseconds on commodity hardware, faster than RSA-2048 key generation.
  • Bernstein Research estimated in an April 2026 note that migrating major blockchain networks to post-quantum signature schemes will take 3 to 5 years from the point consensus is reached on which algorithm to adopt — a process that has not yet started for Bitcoin, Ethereum, or Solana.

NIST Selected Four Algorithms After a Six-Year Public Evaluation Process

The competition began in December 2016 when NIST issued a federal call for proposals. Eighty-two candidate algorithms arrived from research teams in 25 countries. The evaluation proceeded in rounds: 69 submissions survived initial review, 26 advanced to the second round in January 2019, and seven finalists plus eight alternates entered the third round in July 2020. Each round involved public comment periods, independent cryptanalysis, and performance benchmarking across reference hardware platforms.

Dustin Moody, the NIST mathematician who has led the PQC standardization project since its inception, described the selection criteria in a January 2026 presentation at Real World Crypto. "Security margin was the first filter," Moody said. "But after security, the deciding factors were performance, key sizes, and implementation complexity — in that order. An algorithm that is theoretically secure but produces 50-kilobyte signatures is not going to replace Ed25519 in any protocol that cares about bandwidth."

The four selections split into two categories. For key encapsulation — the operation that establishes shared secrets between parties — NIST chose CRYSTALS-Kyber, standardized as FIPS 203 under the formal name ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism). For digital signatures, NIST selected CRYSTALS-Dilithium (FIPS 204, now ML-DSA), SPHINCS+ (FIPS 205, now SLH-DSA), and Falcon (expected as FIPS 206 in late 2026). Three of the four rest on lattice mathematics. The outlier, SPHINCS+, relies entirely on hash functions.

That spread was intentional. If a breakthrough in lattice cryptanalysis were to emerge — a possibility that several academic groups have flagged as non-negligible — the hash-based fallback would remain standing. NIST called the approach "algorithm diversity" in its official selection report.

CRYSTALS-Kyber Handles Key Encapsulation Using Lattice Math

Kyber's security derives from the Module Learning With Errors (MLWE) problem, a structured variant of a mathematical puzzle first formalized by Oded Regev in 2005. The core idea: given a system of linear equations with small random errors added, recovering the secret vector is computationally hard for both classical and quantum algorithms. No known quantum attack solves MLWE in polynomial time.

The performance numbers are surprisingly competitive. Kyber-768, the middle security tier (roughly equivalent to AES-192), generates a key pair in approximately 0.05 milliseconds on an Intel Core i7. Encapsulation takes 0.07 milliseconds. Decapsulation takes 0.06 milliseconds. For comparison, RSA-2048 key generation on the same hardware averages 40 milliseconds — three orders of magnitude slower. Speed is not the problem.

Size is the problem. A Kyber-768 public key occupies 1,184 bytes. The ciphertext (the encapsulated form of the shared secret) occupies 1,088 bytes. An ECDH exchange on Curve25519 uses a 32-byte public key and produces a 32-byte shared secret. The 37x increase in public key size has direct consequences for protocols with constrained bandwidth — including blockchain transactions, where every byte on-chain translates to storage cost and propagation latency.

Vadim Lyubashevsky, an IBM Research cryptographer who co-designed both Kyber and Dilithium, addressed the size criticism at Eurocrypt 2025. "A kilobyte key is not small by pre-quantum standards," Lyubashevsky said, "but it is small by post-quantum standards. The original lattice-based schemes from the early 2000s produced keys ten times larger. Module lattices gave back an order of magnitude. The question is not whether 1,184 bytes is ideal — it is whether the alternative of remaining on ECDH, which Shor's algorithm breaks in polynomial time, is acceptable."
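The following is an added example, not code from the article or from the Kyber/ML-KEM team: a textbook Module-LWE public-key encryption in the shape of the K-PKE scheme inside ML-KEM-768, using the standard's own ring and module parameters (N = 256, q = 3329, k = 3, centered-binomial noise of width 2). It omits the NTT, the coefficient compression, and the Fujisaki-Okamoto transform that turn K-PKE into an IND-CCA KEM, so it is for understanding the mechanism only and must not be used for real key exchange. The last function shows where the 1,184-byte public key and 1,088-byte ciphertext quoted above come from: the parameters fix the bit widths of each encoded coefficient.

```python
import secrets

# ML-KEM-768 (Kyber-768) parameters as published in FIPS 203.
N = 256   # polynomial degree; the ring is R_q = Z_q[x] / (x^N + 1)
Q = 3329  # coefficient modulus
K = 3     # module rank: public and secret keys are K-vectors of polynomials
ETA = 2   # noise width: secret and error coefficients lie in [-ETA, ETA]

def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def poly_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]

def poly_mul(a, b):
    """Schoolbook product in R_q: x^N wraps around to -1 (negacyclic convolution)."""
    acc = [0] * (2 * N)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                acc[i + j] += ai * bj
    return [(acc[i] - acc[i + N]) % Q for i in range(N)]

def small_poly():
    """Centered binomial sample: each coefficient is (sum of ETA bits) - (sum of ETA bits)."""
    return [(sum(secrets.randbits(1) for _ in range(ETA))
             - sum(secrets.randbits(1) for _ in range(ETA))) % Q for _ in range(N)]

def uniform_poly():
    return [secrets.randbelow(Q) for _ in range(N)]

def mat_vec(A, v, transpose=False):
    """Multiply the K x K polynomial matrix A (or its transpose) by the K-vector v."""
    out = []
    for i in range(K):
        acc = [0] * N
        for j in range(K):
            acc = poly_add(acc, poly_mul(A[j][i] if transpose else A[i][j], v[j]))
        out.append(acc)
    return out

def dot(u, v):
    acc = [0] * N
    for a, b in zip(u, v):
        acc = poly_add(acc, poly_mul(a, b))
    return acc

def keygen():
    """Public key (A, t) with t = A*s + e; MLWE says the small error e hides s."""
    A = [[uniform_poly() for _ in range(K)] for _ in range(K)]
    s = [small_poly() for _ in range(K)]
    e = [small_poly() for _ in range(K)]
    t = [poly_add(x, y) for x, y in zip(mat_vec(A, s), e)]
    return (A, t), s

def encrypt(pk, msg32):
    """Encrypt a 32-byte message: one bit per coefficient of v, encoded as 0 or ceil(q/2)."""
    A, t = pk
    bits = [(msg32[i // 8] >> (i % 8)) & 1 for i in range(N)]
    r = [small_poly() for _ in range(K)]
    e1 = [small_poly() for _ in range(K)]
    e2 = small_poly()
    u = [poly_add(x, y) for x, y in zip(mat_vec(A, r, transpose=True), e1)]   # u = A^T r + e1
    v = poly_add(poly_add(dot(t, r), e2), [b * ((Q + 1) // 2) for b in bits])  # v = t.r + e2 + m*ceil(q/2)
    return u, v

def decrypt(sk, ct):
    """v - s.u = e.r + e2 - s.e1 + m*ceil(q/2); the noise terms are small, so rounding recovers m."""
    u, v = ct
    w = poly_sub(v, dot(sk, u))
    out = bytearray(32)
    for i, c in enumerate(w):
        if Q // 4 < c < 3 * Q // 4:  # closer to q/2 than to 0, so the bit is 1
            out[i // 8] |= 1 << (i % 8)
    return bytes(out)

def mlkem768_sizes():
    """Byte counts implied by the parameters: t encoded at 12 bits per coefficient plus a
    32-byte seed from which A is regenerated; u compressed to 10 bits and v to 4 bits per coefficient."""
    pk = K * N * 12 // 8 + 32
    ct = K * N * 10 // 8 + N * 4 // 8
    return pk, ct  # (1184, 1088)
```

The decryption comment is the whole correctness argument: the only terms left after subtracting s·u are products of small polynomials, whose coefficients stay far below q/4, so the message bit in each coefficient survives. Speed is not the issue even in this unoptimized Python (the real scheme uses an NTT instead of schoolbook multiplication); the byte counts are fixed by the parameters, which is why the size penalty cannot be engineered away.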

CRYSTALS-Dilithium and Falcon Provide Digital Signature Alternatives

Dilithium (ML-DSA) and Falcon both produce digital signatures — the cryptographic primitive that blockchains depend on to authorize transactions. The two algorithms solve the same problem but make different engineering tradeoffs.

Dilithium, also built on MLWE, prioritizes simplicity of implementation. At its recommended security level (Dilithium-3, roughly equivalent to AES-192), a public key is 1,952 bytes and a signature is 3,293 bytes. Compare that to Ed25519: 32-byte public keys, 64-byte signatures. The size penalty is significant but predictable. Signing takes approximately 0.3 milliseconds. Verification takes 0.2 milliseconds. Both operations are constant-time by design — a property that eliminates an entire class of side-channel attacks.

Falcon takes a different path. Its signatures are smaller: Falcon-512 produces 666-byte signatures with 897-byte public keys, and Falcon-1024 produces 1,280-byte signatures with 1,793-byte public keys. The tradeoff is implementation complexity. Falcon requires high-precision floating-point arithmetic during signing (specifically, a discrete Gaussian sampler over NTRU lattices), making constant-time implementation difficult on hardware without native double-precision support.

"Falcon has the best size profile of any lattice-based signature scheme, period," Lyubashevsky said at a panel discussion during PQCrypto 2025 in Tokyo. "The reason NIST standardized Dilithium first is that getting Falcon right — securely, on every platform — is an implementation challenge that most development teams are not equipped for yet." NIST confirmed in its March 2026 progress update that Falcon (to be named FN-DSA) remains on track for FIPS 206 publication before the end of the year.

Hash-Based Signatures Offer Conservative Security with Performance Tradeoffs

SPHINCS+ (SLH-DSA) stands apart from the lattice trio. Its security assumption is minimal: the collision resistance and preimage resistance of the underlying hash function, nothing more. If SHA-256 or SHAKE-256 holds, SPHINCS+ holds. No algebraic structure — no lattices, no error terms, no polynomial rings — means no algebraic attack surface.

That conservatism comes at a cost. SPHINCS+-256s, the "small signature" variant at the highest security level, produces signatures of 29,792 bytes. Nearly 30 kilobytes per signature. Signing takes roughly 1.2 seconds on commodity hardware — four thousand times slower than Dilithium. Verification is faster (approximately 3 milliseconds) but still an order of magnitude behind the lattice-based options.

The "fast" variant, SPHINCS+-256f, brings signing down to approximately 0.4 seconds but inflates signatures to 49,856 bytes. Neither variant is practical for high-throughput blockchain transaction signing, where Solana alone processes upwards of 4,000 transactions per second at peak load. A Solana block filled with SPHINCS+ signatures would consume hundreds of megabytes of bandwidth per second.

Hash-based signatures serve a specific role: a backstop. If lattice cryptanalysis advances in unexpected ways (a possibility that Moody himself has described as "low probability but non-zero consequence"), SPHINCS+ provides a fallback that depends on nothing except the hash function. For blockchain applications, Dilithium and Falcon are the realistic candidates. SPHINCS+ is the insurance policy.
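To make the "nothing but the hash function" property concrete, here is an added example (not from the article or the SPHINCS+ authors) of the building block that hash-based schemes such as SPHINCS+ and the Winternitz vaults mentioned later in this article rest on: a Winternitz one-time signature over SHA-256. The parameters (w = 16, 67 chains) and the domain-separation tags are assumptions made for this example; SPHINCS+ then combines many such one-time keys under hash trees so that a single long-term key can sign repeatedly, which is where its large signatures come from.

```python
import hashlib
import secrets

# Toy Winternitz one-time signature (WOTS) over SHA-256; parameters chosen for this example.
W = 16                 # Winternitz parameter: every hash chain is W-1 = 15 steps long
N_BYTES = 32           # SHA-256 output length, also the size of each chain element
MSG_DIGITS = 64        # a 256-bit digest split into base-16 digits
CSUM_DIGITS = 3        # checksum is at most 64 * 15 = 960 < 16**3
L = MSG_DIGITS + CSUM_DIGITS  # 67 chains in total

def H(data):
    return hashlib.sha256(data).digest()

def chain(x, start, steps, idx):
    """Apply H `steps` times to x, domain-separated by chain index and position so that
    a verifier can resume a chain from the point where the signer stopped."""
    for pos in range(start, start + steps):
        x = H(b"wots-chain" + idx.to_bytes(2, "big") + pos.to_bytes(2, "big") + x)
    return x

def digits(msg):
    """Base-16 digits of H(msg) followed by a checksum of (W-1 - digit). Because a chain
    can only be advanced, not reversed, the checksum ensures that any change raising one
    message digit lowers a checksum digit, so no second message fits an existing signature."""
    md = [x for byte in H(msg) for x in (byte >> 4, byte & 0xF)]
    csum = sum(W - 1 - x for x in md)
    cd = [(csum >> (4 * (CSUM_DIGITS - 1 - j))) & 0xF for j in range(CSUM_DIGITS)]
    return md + cd

class OneTimeKey:
    def __init__(self):
        self._sk = [secrets.token_bytes(N_BYTES) for _ in range(L)]
        # Public key: hash of every chain run to its end.
        self.pk = H(b"".join(chain(self._sk[i], 0, W - 1, i) for i in range(L)))
        self.used = False

    def sign(self, msg):
        # A signature publishes intermediate chain values; signing twice publishes more of
        # them, which is why one-time keys must track their use and refuse a second signature.
        if self.used:
            raise RuntimeError("one-time key already used")
        self.used = True
        return b"".join(chain(self._sk[i], 0, d, i) for i, d in enumerate(digits(msg)))

def verify(pk, msg, sig):
    """Finish every chain from the published value and compare with the public key."""
    if len(sig) != L * N_BYTES:
        return False
    parts = [sig[i * N_BYTES:(i + 1) * N_BYTES] for i in range(L)]
    ends = b"".join(chain(parts[i], d, W - 1 - d, i) for i, d in enumerate(digits(msg)))
    return H(ends) == pk

def signature_size():
    return L * N_BYTES  # 2144 bytes per signature, against a 32-byte public key
```

Even this minimal one-time scheme produces a 2,144-byte signature, larger than Ed25519 by a factor of 33, with 67 × 15 hash evaluations at key generation. SPHINCS+ must also carry the hash-tree authentication paths and a few-time signature layer on top, which is how the 29,792-byte figure arises; the assumption being bought with those bytes is that SHA-256 (or SHAKE) behaves as a one-way function, and nothing else.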

Code-Based Schemes Survived Fifty Years of Cryptanalysis Without a Quantum Break

NIST's four selected algorithms do not cover every family of post-quantum cryptography. Code-based schemes — built on the difficulty of decoding random linear codes — trace back to Robert McEliece's 1978 public-key cryptosystem, making them the oldest surviving post-quantum candidates. The McEliece system, using binary Goppa codes, has withstood nearly five decades of classical and quantum cryptanalysis without a polynomial-time break.

Classic McEliece was a third-round alternate in NIST's evaluation. It was not selected for the initial standards primarily because of key size: a Classic McEliece public key at the 256-bit security level is approximately 1.04 megabytes. Storing a single public key requires more space than many entire Bitcoin transactions. The algorithm remains under consideration for future standardization, and NIST has acknowledged its "exceptionally strong security pedigree."

BIKE and HQC, two other code-based key encapsulation mechanisms, advanced to NIST's fourth evaluation round (announced in March 2025) as potential alternatives to Kyber. HQC uses quasi-cyclic codes with public keys around 4,500 bytes — larger than Kyber but far smaller than McEliece. The fourth round is expected to conclude in 2027.

The longevity of code-based cryptography matters for one reason: confidence. Lattice problems gained mainstream attention only in the 2010s. MLWE, the foundation of Kyber and Dilithium, dates to Regev's 2005 paper. Twenty years of scrutiny is not trivial — but it is not fifty years either. Code-based schemes offer a different kind of assurance, one earned through sheer duration of exposure to attack. If a lattice-based standard were to be broken or weakened, code-based cryptography would likely fill the gap.

Blockchain Integration Requires Hard Forks, Wallet Upgrades, and Extended Testing

Swapping a signature algorithm inside a blockchain protocol is not a library update. Every full node, every light client, every hardware wallet, and every smart contract that validates signatures must support the new scheme before the network can enforce it. For permissionless networks with thousands of independent operators, that coordination problem dwarfs the cryptographic engineering.

Bernstein Research published an analysis in April 2026 estimating that full migration of a major blockchain network from ECDSA to a post-quantum signature scheme would take 3 to 5 years from the point of algorithm selection. The estimate assumed 12 to 18 months for specification and reference implementation, 6 to 12 months for testnet deployment and auditing, and 12 to 24 months for ecosystem rollout (wallets, exchanges, custodians, and layer-2 protocols). None of the three largest blockchain networks — Bitcoin, Ethereum, or Solana — has formally selected an algorithm.

Bitcoin faces the steepest path. Protocol changes require a Bitcoin Improvement Proposal (BIP), extensive community review, miner signaling, and a soft or hard fork. No BIP for post-quantum signatures has reached draft status as of May 2026. The signature size increase alone (from 64 bytes for ECDSA to 2,420 bytes for Dilithium-2 at the lowest security level) would reduce effective block capacity by roughly 80 percent under current block size limits — a change that would reignite the block size debate that consumed the Bitcoin community from 2015 to 2017.

Ethereum's account abstraction roadmap (EIP-4337 and its successors) offers a more flexible migration path. Abstract accounts can define arbitrary signature verification logic, meaning individual wallets could adopt Dilithium or Falcon without a protocol-level hard fork. Vitalik Buterin mentioned post-quantum account abstraction in his "Splurge" roadmap category but has not set a target date.

Solana introduced an experimental Winternitz One-Time Signature (WOTS) vault in late 2025, allowing holders to move funds into a quantum-resistant account format. The implementation uses hash-based one-time signatures rather than Dilithium or Falcon. Adoption has been limited: fewer than 200 vaults were active as of April 2026, according to on-chain data tracked by Solana Floor.

The Migration Deadline: NIST Targets 2035 but Quantum Hardware May Not Wait

NIST's official guidance, published alongside the August 2024 standards, calls for federal agencies to complete migration away from vulnerable algorithms by 2035. The deadline applies to RSA, ECDSA, ECDH, and all other schemes breakable by Shor's algorithm. Federal agencies must inventory their cryptographic dependencies, prioritize high-value assets, and begin transitioning to the new standards immediately.

The 2035 target assumes a particular timeline for quantum hardware. NIST's internal risk assessment (referenced in Moody's January 2026 talk, though not published in full) places the probability of a cryptographically relevant quantum computer before 2035 at approximately 15 to 20 percent. That number rises to roughly 50 percent by 2040 and above 80 percent by 2050.

"The risk is not evenly distributed," Moody said at Real World Crypto. "Data encrypted today and stored by an adversary can be decrypted the moment a quantum computer exists. That is not a 2035 problem. That is a today problem." The harvest-now-decrypt-later threat — where attackers collect encrypted traffic now for future quantum decryption — has driven early adoption of Kyber in TLS 1.3 by Google (Chrome 124, April 2024) and Cloudflare (October 2024).

Blockchain networks face a different variant of the timing problem. Encrypted data can be re-encrypted under a new scheme. Private keys cannot be retroactively protected. Once a quantum computer can derive a private key from an exposed public key, every coin associated with that key is spendable by the attacker. Migration must happen before the hardware threshold is crossed, not after.
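The condition in that paragraph, "an exposed public key", is something an owner can check for their own outputs today. The following added example (not from the article or from any wallet project) classifies a constructed list of Bitcoin unspent outputs by whether their public key is already readable from the chain, using the script rules for each output type: pay-to-pubkey and Taproot outputs carry the key in the output itself, while the hash-based formats reveal it only when an output is spent, so an address that has been spent from and reused is exposed as well. The record format and labels are assumptions for this example.

```python
from dataclasses import dataclass

# Whether an unspent output of each script type already shows its public key on-chain.
# These follow from the Bitcoin script rules for each output format.
PUBKEY_VISIBLE_BEFORE_SPEND = {
    "p2pk": True,     # output script contains the public key itself
    "p2tr": True,     # taproot output carries the (tweaked) x-only public key
    "p2pkh": False,   # only HASH160(pubkey) is public until the output is spent
    "p2wpkh": False,  # same hash-only property, native segwit
    "p2sh": False,    # the script, and any keys in it, is revealed only on spend
    "p2wsh": False,
}

@dataclass
class Utxo:
    label: str            # constructed identifier for the example, not a real address
    script_type: str
    value_sat: int
    address_reused: bool  # an earlier output to the same address has already been spent

def exposure(u):
    """Classify one output: 'exposed' (key readable from the chain today),
    'exposed-by-reuse' (key revealed by an earlier spend from the same address),
    'hashed' (only a hash is public so far), or 'unknown' for script types not modelled."""
    visible = PUBKEY_VISIBLE_BEFORE_SPEND.get(u.script_type)
    if visible is None:
        return "unknown"
    if visible:
        return "exposed"
    if u.address_reused:
        return "exposed-by-reuse"
    return "hashed"

def summarize(utxos):
    """Value held in each exposure class. The two 'exposed' classes are the ones that
    a key-recovery-capable quantum computer could spend with no further action by the
    owner; the 'hashed' class is protected by the hash until the owner chooses to spend."""
    totals = {}
    for u in utxos:
        cls = exposure(u)
        totals[cls] = totals.get(cls, 0) + u.value_sat
    return totals

# Constructed sample holdings for the demonstration.
SAMPLE_UTXOS = [
    Utxo("legacy-fresh", "p2pkh", 50_000, False),
    Utxo("legacy-reused", "p2pkh", 120_000, True),
    Utxo("taproot", "p2tr", 30_000, False),
    Utxo("segwit-fresh", "p2wpkh", 80_000, False),
    Utxo("early-coinbase", "p2pk", 5_000_000_000, False),
    Utxo("odd-script", "nonstandard", 1_000, False),
]

if __name__ == "__main__":
    for cls, sats in sorted(summarize(SAMPLE_UTXOS).items()):
        print(f"{cls:17s} {sats / 1e8:14.8f} BTC")
```

The practical consequence for a holder is the inventory step NIST asks of federal agencies, applied to coins: funds sitting in the "hashed" class can still be moved to a post-quantum scheme once one is deployed, whereas funds in the two exposed classes depend on migration finishing before the hardware threshold is crossed. Note that the hash only protects an output while it stays unspent; the act of spending publishes the key in the transaction, which is why single-use addresses matter.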

IBM's hardware roadmap targets 100,000 physical qubits by 2033. Google has outlined a path to one million physical qubits on a similar timeline. The March 2026 Google-Caltech estimate put the threshold for breaking 256-bit ECDSA at fewer than 500,000 physical qubits. If error rates continue to improve at the pace observed between 2022 and 2026, the window between "not yet possible" and "demonstrably broken" could close faster than the 3-to-5-year migration estimates suggest.

The standards are published. The algorithms are specified. Open-source implementations exist in liboqs, pqcrypto, and every major TLS library. What remains is the hardest part of any cryptographic transition: convincing thousands of independent software projects, hardware manufacturers, and protocol governance bodies to move simultaneously on a threat that has not yet materialized. If past migrations are any guide — the SHA-1 deprecation took seven years from NIST recommendation to browser enforcement, and SHA-1 was already demonstrably broken — the post-quantum transition could easily consume the entire window between now and the arrival of a machine capable of running Shor's algorithm at scale.


This article is part of QuantumShield's quantum computing wiki.

This is not financial advice. Data as of May 3, 2026.

QuantumShield© 2026. All rights reserved.
