DEV Community

Quantum Sequrity

Posted on • Originally published at quantumsequrity.com

NIST Post-Quantum Cryptography Timeline: 2016-2026

A Decade of Building Quantum-Resistant Standards

The transition from classical to post-quantum cryptography did not happen overnight. It is the result of a methodical, decade-long effort led by the U.S. National Institute of Standards and Technology (NIST), involving hundreds of researchers from dozens of countries. This timeline documents every major milestone in that process, from the initial call for proposals in 2016 through the publication of final standards and ongoing work in 2025 and beyond.

Understanding this history matters. Organizations planning their post-quantum migration need to know which algorithms have been standardized, which are still in progress, and what comes next. Every date and fact in this article is drawn directly from official NIST publications, press releases, and Federal Register notices.

2016: The Starting Gun

In April 2016, NIST published NISTIR 8105, "Report on Post-Quantum Cryptography", a technical report assessing the threat that quantum computers pose to existing public-key cryptographic systems. The report concluded that new algorithms resistant to quantum attack were needed and that a public, competitive process was the best way to identify them.

On December 20, 2016, NIST formally issued its call for proposals for post-quantum cryptographic algorithms. The call requested submissions in two categories: key encapsulation mechanisms (KEMs) for encryption, and digital signature schemes for authentication. NIST set explicit requirements for security levels, performance, and documentation. Submissions were due by November 30, 2017.

The response was enormous. By the deadline, NIST received 82 submissions from research teams around the world. The submissions spanned five major families of mathematical approaches: lattice-based, code-based, multivariate polynomial, hash-based, and other (including isogeny-based and zero-knowledge approaches).

2017: Round 1 Begins

After reviewing all 82 submissions for completeness and correctness, NIST announced in November 2017 that 69 candidates met the requirements for Round 1 evaluation. The remaining 13 were excluded due to incomplete specifications, known attacks discovered during the submission period, or failure to meet formatting requirements.

The 69 Round 1 candidates broke down by category:

  • Lattice-based: The largest group, including CRYSTALS-Kyber, CRYSTALS-Dilithium, NTRU, SABER, FrodoKEM, and others
  • Code-based: Including Classic McEliece, BIKE, HQC, and others based on error-correcting codes
  • Multivariate: Including Rainbow, GeMSS, and others based on systems of polynomial equations
  • Hash-based: Including SPHINCS+ and other schemes with security rooted in hash function properties
  • Other: Including SIKE (isogeny-based) and other novel approaches

NIST organized a public workshop (the First PQC Standardization Conference, April 2018) where submitters presented their designs and the broader cryptographic community provided analysis. This open process was deliberate: NIST wanted the widest possible scrutiny of every candidate.

2019: Round 2 Narrows the Field

In January 2019, after more than a year of public analysis, NIST announced the 26 second-round candidates. This was a significant reduction from 69, driven by cryptanalytic attacks, performance concerns, and comparative analysis.

The 26 candidates included 17 KEM/encryption schemes and 9 signature schemes. Notable survivors at this stage included CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, SPHINCS+, NTRU, SABER, Classic McEliece, BIKE, HQC, and SIKE.

Several high-profile eliminations occurred during this round. Multiple multivariate signature schemes were broken or shown to have unacceptable key sizes. Some lattice-based schemes were eliminated because they offered no clear advantage over the leading designs. The second round continued with intensive analysis, including side-channel resistance evaluation and implementation testing on constrained devices.

2020: The Third-Round Finalists

In July 2020, NIST made its most consequential selection to date, announcing 7 finalists and 8 alternate candidates for the third round.

The finalists (algorithms most likely to be standardized) were:

  • CRYSTALS-Kyber (lattice-based KEM) -- later standardized as ML-KEM
  • NTRU (lattice-based KEM)
  • SABER (lattice-based KEM)
  • Classic McEliece (code-based KEM)
  • CRYSTALS-Dilithium (lattice-based signature) -- later standardized as ML-DSA
  • FALCON (lattice-based signature) -- later to become FN-DSA
  • SPHINCS+ (hash-based signature) -- later standardized as SLH-DSA

The alternate candidates (kept under consideration for potential future standardization) included BIKE, HQC, SIKE, FrodoKEM, and others. NIST explicitly stated that alternates could still be selected if finalists encountered problems or if algorithmic diversity was needed.

2022: The First Selections and a Dramatic Collapse

July 2022 was the watershed month for post-quantum cryptography. NIST announced the first four algorithms selected for standardization:

  • CRYSTALS-Kyber (renamed ML-KEM) for key encapsulation
  • CRYSTALS-Dilithium (renamed ML-DSA) for digital signatures
  • FALCON (later designated FN-DSA) for digital signatures
  • SPHINCS+ (renamed SLH-DSA) for digital signatures

NIST selected one KEM and three signature algorithms, reflecting the greater diversity needed in signature schemes across different use cases. CRYSTALS-Kyber was chosen as the primary KEM due to its strong security arguments, small key sizes, and fast performance. For signatures, Dilithium was recommended as the general-purpose choice, FALCON for applications requiring the smallest signatures, and SPHINCS+ as a conservative, hash-based alternative not relying on lattice assumptions.

NIST also announced a Round 4 for additional KEM candidates, seeking algorithmic diversity beyond lattice-based schemes. The Round 4 candidates were BIKE, Classic McEliece, HQC, and SIKE.

The SIKE Collapse

In a dramatic development, SIKE was completely broken in July 2022 by researchers Wouter Castryck and Thomas Decru. Their attack, published just weeks after NIST's Round 4 announcement, used classical mathematics (specifically, the theory of isogenies between abelian surfaces) to recover SIKE private keys in minutes on a single laptop. This was not a quantum attack. It was a devastating classical cryptanalytic result that invalidated the entire supersingular isogeny approach to key encapsulation.

The SIKE collapse underscored why NIST's multi-year, public evaluation process is essential. Even algorithms that survived years of analysis can fall to unexpected mathematical breakthroughs. It also reinforced the value of algorithmic diversity: relying on a single mathematical assumption is risky.

CNSA 2.0

In September 2022, the National Security Agency (NSA) published the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), incorporating the newly selected post-quantum algorithms. CNSA 2.0 set timelines for U.S. national security systems to transition to post-quantum cryptography, with requirements beginning as early as 2025 for some applications and full transition mandated by 2033-2035.

2023: Draft Standards for Public Comment

In August 2023, NIST published draft versions of FIPS 203, FIPS 204, and FIPS 205 for a 90-day public comment period. These drafts specified the exact algorithms, parameter sets, and implementation requirements for ML-KEM, ML-DSA, and SLH-DSA respectively.

The public comment period generated extensive feedback from implementers, hardware vendors, and the academic community. Key areas of discussion included side-channel resistance requirements, parameter set naming conventions (the transition from "Kyber" to "ML-KEM" naming), and guidance on hybrid deployment alongside classical algorithms.

August 13, 2024: The Standards Are Published

On August 13, 2024, NIST officially published the first-ever post-quantum cryptographic standards:

  • FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) -- derived from CRYSTALS-Kyber, specifying ML-KEM-512, ML-KEM-768, and ML-KEM-1024 parameter sets at NIST security levels 1, 3, and 5 respectively
  • FIPS 204: Module-Lattice-Based Digital Signature Algorithm (ML-DSA) -- derived from CRYSTALS-Dilithium, specifying ML-DSA-44, ML-DSA-65, and ML-DSA-87 parameter sets
  • FIPS 205: Stateless Hash-Based Digital Signature Algorithm (SLH-DSA) -- derived from SPHINCS+, specifying twelve parameter sets: a SHA2 and a SHAKE variant at each of three security levels, each in a fast ("f") and a small ("s") performance profile

This was a landmark moment. For the first time, organizations worldwide had official, peer-reviewed, government-backed standards for cryptography designed to resist quantum computers. The publication triggered migration planning across industries from finance and healthcare to defense and critical infrastructure.

Alongside the final standards, NIST published a draft of FIPS 206 for the FN-DSA (FALCON-based) signature scheme. FN-DSA's standardization is proceeding on a separate timeline due to its more complex implementation requirements, particularly around secure sampling of discrete Gaussians.

2025: HQC Selected as the Fifth Algorithm

On March 11, 2025, NIST announced the selection of HQC (Hamming Quasi-Cyclic) as the fifth post-quantum algorithm for standardization. HQC is a code-based key encapsulation mechanism, meaning its security rests on the difficulty of decoding random linear codes rather than on lattice problems.

This selection was driven by NIST's desire for algorithmic diversity. With ML-KEM already standardized as the primary lattice-based KEM, having a code-based alternative provides a critical backup. If a fundamental breakthrough were to weaken lattice-based cryptography, organizations would have an independently secure KEM to fall back on.

HQC offers larger ciphertexts and keys than ML-KEM but is based on mathematical problems (specifically, the syndrome decoding problem) that have been studied for over 60 years with no known efficient quantum or classical algorithm. A draft standard for HQC is expected to follow.

What Comes Next

Several standardization efforts remain in progress or are anticipated:

  • FIPS 206 (FN-DSA, draft): The FALCON-derived signature scheme is still in draft form. FN-DSA offers the smallest combined signature-plus-public-key size among the selected signature algorithms, making it attractive for constrained environments. Finalization is expected but no firm date has been announced.
  • HQC standard: Following its March 2025 selection, a draft FIPS for HQC is anticipated. The standardization process will include a public comment period.
  • Additional signature schemes: NIST has an ongoing call for additional digital signature algorithms, seeking schemes with short signatures, fast verification, or novel security assumptions beyond lattices and hashes.
  • Migration guidance: NIST continues to develop transition guidance, including SP 800-227 (Recommendations for Transition to Post-Quantum Cryptography) and updates to existing standards like SP 800-56A/B for key establishment.

Lessons from the NIST Process

The NIST PQC standardization process provides several enduring lessons for cryptographic engineering. First, open competition works. By soliciting proposals worldwide and subjecting them to years of public analysis, NIST identified algorithms that survived scrutiny from hundreds of independent researchers. Second, algorithmic diversity is essential. The SIKE collapse demonstrated that even well-studied mathematical assumptions can fall unexpectedly. NIST's selection of algorithms from different mathematical families (lattices, hashes, codes) ensures that a single breakthrough cannot compromise everything. Third, standardization takes time. Eight years from the initial call to the final standards reflects the depth of analysis required for algorithms that will protect critical infrastructure for decades.

Timeline Summary

Date           Milestone
-------------  -----------------------------------------------------------------------------------
Apr 2016       NISTIR 8105 published, assessing quantum threat to public-key crypto
Dec 2016       NIST issues call for post-quantum algorithm proposals
Nov 2017       69 complete Round 1 candidates announced (from 82 submissions)
Jan 2019       26 Round 2 candidates selected
Jul 2020       7 finalists and 8 alternates for Round 3
Jul 2022       4 algorithms selected: Kyber (ML-KEM), Dilithium (ML-DSA), FALCON (FN-DSA), SPHINCS+ (SLH-DSA)
Jul 2022       SIKE broken by Castryck-Decru classical attack
Sep 2022       NSA publishes CNSA 2.0 with PQC transition timelines
Aug 2023       Draft FIPS 203, 204, 205 published for public comment
Aug 13, 2024   FIPS 203 (ML-KEM), 204 (ML-DSA), 205 (SLH-DSA) officially published
Mar 11, 2025   HQC selected as 5th PQC algorithm for standardization

Why This Matters for Your Organization

The NIST PQC timeline is not just academic history. It carries direct implications for anyone responsible for data security:

  • Standards are finalized. FIPS 203, 204, and 205 are published and available for immediate adoption. There is no longer a reason to wait for "the standards to be ready."
  • Migration timelines are tightening. CNSA 2.0 mandates that U.S. national security systems begin transitioning now, with full compliance required by the early 2030s. Private-sector organizations handling sensitive data should follow a similar schedule.
  • Harvest-now-decrypt-later is real. Adversaries are collecting encrypted data today with the expectation of decrypting it when quantum computers become available. Data encrypted with only classical algorithms today may be compromised in the future.
  • Hybrid deployment is the recommended approach. Both NIST and NSA recommend combining post-quantum and classical algorithms during the transition period. If either the post-quantum or classical algorithm is compromised, the other provides continued protection.

QNSQY implements this hybrid approach by default, combining ML-KEM with X25519 for key encapsulation and ML-DSA with Ed25519 for signatures. Every encryption operation uses both classical and post-quantum algorithms, so your data is protected regardless of which mathematical assumptions hold up over time.
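The hybrid property described above (the session key survives as long as either the post-quantum or the classical KEM holds) comes down to how the two shared secrets are combined. The block below is an added illustration and is not QNSQY's code nor anything from NIST: it implements HKDF-SHA-256 per RFC 5869 using only the Python standard library, then derives one session key from both KEM outputs and both ciphertexts. The shared secrets and ciphertexts it feeds in are constructed random stand-ins; in a real deployment they would come from ML-KEM (FIPS 203) decapsulation and an X25519 exchange. The combiner layout (both secrets as keying material, both ciphertexts and a label as context) is an assumption chosen for the example, not a quotation of any standard.

```python
import hashlib
import hmac
import os

# Added example (not QNSQY's or NIST's code): a hybrid KEM combiner in the
# style of the "hybrid deployment" described above. HKDF is implemented
# inline per RFC 5869 so the block needs only the standard library. The two
# shared secrets fed in are CONSTRUCTED stand-ins; a real deployment would
# take them from ML-KEM (FIPS 203) decapsulation and an X25519 exchange.

LABEL = b"hypothetical-hybrid-kem-combiner-v1"  # constructed domain-separation tag


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2) with HMAC-SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3) with HMAC-SHA-256."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_shared_secrets(ss_pq: bytes, ss_classical: bytes,
                           ct_pq: bytes, ct_classical: bytes,
                           length: int = 32) -> bytes:
    """Derive one session key that depends on BOTH KEM outputs.

    The post-quantum and classical shared secrets form the keying material;
    both ciphertexts and a fixed label are bound in as context so the key is
    tied to this specific exchange. An attacker who learns only one of the
    two secrets (X25519 falling to a quantum computer, or a future lattice
    attack on ML-KEM) still cannot compute the session key.
    """
    if len(ss_pq) != 32 or len(ss_classical) != 32:
        raise ValueError("expected 32-byte shared secrets from both KEMs")
    prk = hkdf_extract(salt=b"\x00" * 32, ikm=ss_pq + ss_classical)
    return hkdf_expand(prk, LABEL + ct_pq + ct_classical, length)


def one_secret_is_not_enough(ss_pq: bytes, ss_classical: bytes,
                             ct_pq: bytes, ct_classical: bytes) -> bool:
    """Model both compromise scenarios: a party holding one secret but only a
    guess for the other derives a different key in each case."""
    real = combine_shared_secrets(ss_pq, ss_classical, ct_pq, ct_classical)
    guess = os.urandom(32)  # stand-in for the secret the attacker lacks
    only_classical_known = combine_shared_secrets(guess, ss_classical, ct_pq, ct_classical)
    only_pq_known = combine_shared_secrets(ss_pq, guess, ct_pq, ct_classical)
    return real != only_classical_known and real != only_pq_known


if __name__ == "__main__":
    # Constructed stand-ins for what ML-KEM-768 and X25519 would produce:
    # 32-byte shared secrets, a 1088-byte ML-KEM-768 ciphertext, a 32-byte
    # X25519 public value.
    ss_pq, ss_classical = os.urandom(32), os.urandom(32)
    ct_pq, ct_classical = os.urandom(1088), os.urandom(32)
    print("session key:", combine_shared_secrets(ss_pq, ss_classical, ct_pq, ct_classical).hex())
    print("one secret alone recovers the key:", not one_secret_is_not_enough(ss_pq, ss_classical, ct_pq, ct_classical))
```

The design point to take away is that the secrets are concatenated into the keying material rather than XORed or hashed separately: with concatenation, fixing one input still leaves the other 32 unknown bytes inside the HMAC, so recovering the key requires both. Binding the ciphertexts into the context additionally prevents a key derived in one exchange from being confused with another.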
