Full Report
NIST is advancing nine new post-quantum signature algorithms as potential candidates for future standardization. We take a closer look at all of them, and argue that while they are in the works and show great potential, we should use ML-DSA for now — the best one currently available.
Analysis Summary
# Best Practices: Post-Quantum Cryptography (PQC) Migration
## Overview
These practices address the urgent need to transition from classical cryptographic algorithms (RSA, ECC) to Post-Quantum Cryptography (PQC). While new signature algorithms are being developed, these guidelines focus on using currently available, NIST-standardized tools to mitigate "Harvest Now, Decrypt Later" attacks and prepare for future quantum threats.
## Key Recommendations
### Immediate Actions
1. **Prioritize ML-KEM:** Deploy **ML-KEM** (formerly Kyber) for key encapsulation immediately to protect against "Harvest Now, Decrypt Later" attacks.
2. **Adopt ML-DSA for Authentication:** Standardize on **ML-DSA** (formerly Dilithium) for digital signatures now. While larger than classical signatures, it is the only fully vetted, high-performance general-purpose PQC signature available today.
3. **Inventory Cryptographic Assets:** Identify all systems using RSA and ECC, specifically targeting public-facing TLS endpoints and internal authentication services.
### Short-term Improvements (1-3 months)
1. **Update Hardware/MTU Settings:** Prepare network infrastructure for larger ML-DSA signatures (e.g., ML-DSA-44 is ~2.4KB vs. RSA’s 256 bytes). This may require adjusting MTU sizes or handling packet fragmentation in TLS.
2. **Implement Hybrid Modes:** Deploy "hybrid" cryptography that combines a classical algorithm (like X25519) with a post-quantum algorithm (like ML-KEM). This ensures security even if a flaw is discovered in the new PQC algorithm.
3. **Test FN-DSA (Falcon) Readiness:** Begin proof-of-concept testing for **FN-DSA** if your environment is high-volume/low-bandwidth, as its signatures are smaller than ML-DSA, though implementation is more complex.
### Long-term Strategy (3+ months)
1. **Target 2029 Full Transition:** Aim for complete post-quantum security across all systems by 2029, as suggested by industry leaders.
2. **Agility Planning:** Build "cryptographic agility" into applications to allow for switching to "Third Round" algorithms (like HAWK, MAYO, or SQIsign) once standardized (expected post-2028).
3. **Decommission Vulnerable Legacy Primitives:** Phase out RSA-2048 and ECC as part of a formal lifecycle management policy.
## Implementation Guidance
### For Small Organizations
- **Rely on Managed Services:** Use Cloudflare, AWS, or Google Cloud services that have already integrated ML-KEM/ML-DSA.
- **Update Clients:** Ensure browser and OS updates are enforced to support PQC-enabled TLS.
### For Medium Organizations
- **Audit Internal APIs:** Check if internal microservices use self-signed certificates or custom PKI that need to be upgraded to ML-DSA.
- **Review MTU Issues:** Test for middlebox interference (firewalls/load balancers) that might drop the larger PQC handshake packets.
### For Large Enterprises
- **PKI Modernization:** Update Certificate Authorities (CAs) to support ML-DSA. Prepare for larger certificate chains.
- **Bandwidth Capacity Planning:** Analyze the impact of increased handshake sizes on global traffic costs and latency at scale.
- **Hybrid Deployment:** Mandate hybrid PQC for all high-value data transfers.
## Configuration Examples
*While specific CLI commands vary by vendor, the logic follows:*
- **TLS Cipher Suite Preference:**
`TLS_AES_256_GCM_SHA384` with Key Exchange: `X25519MLKEM768` (Hybrid)
- **Signature Algorithm Preference:**
Priority 1: `ML-DSA-44` or `ML-DSA-65`
Priority 2: `Ed25519` (Legacy Fallback)
## Compliance Alignment
- **NIST FIPS 203:** (ML-KEM)
- **NIST FIPS 204:** (ML-DSA)
- **NIST FIPS 205:** (SLH-DSA)
- **CNSA 2.0:** U.S. Commercial National Security Algorithm Suite requirements for PQC.
## Common Pitfalls to Avoid
- **The "Wait and See" Trap:** Waiting for "better" algorithms (like SQIsign or HAWK) that won't be standardized until 2028–2030. Use ML-DSA now.
- **Ignoring Fragmentation:** Failing to account for larger PQC signatures, leading to "zombie" connections where handshakes fail due to packet size limits.
- **Dropping Classical Security:** Moving *only* to PQC. Use **hybrid** modes to maintain compliance and security against currently known threats.
## Resources
- **NIST PQC Project:** [csrc.nist[.]gov/projects/pqc-dig-sig]
- **The Signatures Zoo:** [pqshield[.]github[.]io/nist-sigs-zoo/]
- **Cloudflare PQC Roadmap:** [blog[.]cloudflare[.]com/post-quantum-roadmap]