[Deep Dive] Post-Quantum Crypto: FIPS 203 & 204 Cheat Sheet
![[Deep Dive] Post-Quantum Crypto: FIPS 203 & 204 Cheat Sheet](/assets/thumbnails/post-post-quantum-cryptography-fips-203-204-implementation-guide-og.png)
Bottom Line
As of 2026, the transition to Module-Lattice-Based Cryptography is no longer optional for high-compliance stacks. Implementing a hybrid approach—combining classical X25519 with NIST-standard ML-KEM and ML-DSA—is the only way to ensure safety against both classical and future quantum adversaries.
Key Takeaways
- ›ML-KEM (FIPS 203) replaces Kyber as the standard for key encapsulation and secure key exchange.
- ›ML-DSA (FIPS 204) replaces Dilithium for digital signatures and authentication workflows.
- ›Hybrid Negotiation is mandatory: Always wrap PQC algorithms in classical layers (e.g., X25519MLKEM768).
- ›Expect significant overhead: ML-KEM-768 public keys are ~1,184 bytes, compared to 32 bytes for X25519.
- ›Upgrade to OpenSSL 3.4+ or Go 1.24+ to access native, optimized assembly implementations.
By May 2026, 'Harvest Now, Decrypt Later' (HNDL) attacks have moved from theoretical warnings to a primary concern for long-term data archival. NIST's finalization of FIPS 203 and FIPS 204 has standardized the use of Module-Lattice-Based algorithms (ML-KEM and ML-DSA), providing the first industry-wide defense against cryptographically relevant quantum computers (CRQC). This reference guide provides the implementation patterns and configuration flags necessary to migrate your 2026 production stack to a quantum-safe posture.
The PQC Developer Toolbox
Efficiently managing Post-Quantum Cryptography (PQC) requires updated tooling. Below are the essential keyboard shortcuts for this reference and the CLI commands for the OpenSSL 3.5+ ecosystem.
| Keyboard Shortcut | Action |
|---|---|
| Ctrl + K | Focus Algorithm Search Filter |
| Ctrl + Shift + C | Copy Code Snippet to Clipboard |
| Esc | Clear All Search Filters |
Generating a quantum-safe keypair using ML-KEM-768 (the recommended 2026 baseline):
# Generate ML-KEM-768 Private Key
openssl genpkey -algorithm ML-KEM-768 -out pqc_private.pem
# Extract Public Key
openssl pkey -in pqc_private.pem -pubout -out pqc_public.pem
# Check Algorithm Support
openssl list -kem-algorithms | grep ML-KEMBottom Line
Migration to PQC must follow the Hybrid Principle: never use PQC alone. Combine ML-KEM/ML-DSA with classical algorithms (X25519/ECDSA) to maintain security if one of the lattice-based assumptions is ever broken. In 2026, X25519MLKEM768 is the gold standard for TLS 1.3 key exchange.
Algorithm Comparison Matrix
Use the filter below to compare NIST-standardized algorithms. While PQC offers quantum resistance, it introduces significant increases in public key (PK) and ciphertext/signature size.
| Algorithm (FIPS) | NIST Level | PK Size (Bytes) | Edge |
|---|---|---|---|
| ML-KEM-768 (203) | 3 | 1,184 | Best for TLS |
| ML-DSA-65 (204) | 3 | 1,952 | Best Signatures |
| SLH-DSA (205) | 1-5 | 32-128 | Stateless |
FIPS 203: ML-KEM (Key Exchange)
ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) is the primary method for establishing shared secrets over an untrusted channel. In your 2026 stack, you should favor ML-KEM-768, which offers a balance of security (equivalent to AES-192) and performance.
Implementation in Go 1.25+ using the standard library:
import (
"crypto/mlkem"
"crypto/rand"
)
// Generate a ML-KEM-768 key pair
dk, ek, _ := mlkem.GenerateKey768()
// Encapsulate: Client side
ct, ss, _ := mlkem.Encapsulate768(ek)
// Decapsulate: Server side
ss_dec, _ := dk.Decapsulate(ct)FIPS 204: ML-DSA (Digital Signatures)
ML-DSA provides the backbone for identity and authenticity. It is significantly faster than RSA for verification but has much larger signatures. ML-DSA-65 is the recommended replacement for ECDSA P-256 and RSA-3072.
- Verification Speed: Extremely fast, making it ideal for high-traffic API gateways.
- Memory Footprint: High; ensure your HSM or secure enclave supports at least 4KB buffer sizes for signature processing.
- Use Case: Firmware signing, TLS leaf certificates, and JWT authentication.
The Hybrid Stack Configuration
To avoid 'All Eggs in One Basket' lattice risks, configure your web servers (Nginx/Envoy) to use X25519 + ML-KEM. This ensures that even if a mathematical breakthrough compromises ML-KEM, your data remains secured by the classical X25519 curve.
Nginx 1.29+ / OpenSSL 3.5 Configuration:
ssl_protocols TLSv1.3;
# Configure hybrid groups in order of preference
ssl_groups x25519_mlkem768:x25519:secp384r1;
# Ensure server preference is enforced
ssl_prefer_server_ciphers on;Frequently Asked Questions
Should I completely remove RSA and ECDSA in 2026? +
How much slower is ML-KEM compared to X25519? +
Which FIPS level should I choose for general web apps? +
Get Engineering Deep-Dives in Your Inbox
Weekly breakdowns of architecture, security, and developer tooling — no fluff.