Supported algorithms
Sizes, OIDs, and selection guidance for the NIST post-quantum algorithms implemented in post-quantum-packages.
Standards coverage
| Standard | Algorithms | Type | NIST security categories | Status |
|---|---|---|---|---|
| FIPS 203 (ML-KEM) | ML-KEM-512, ML-KEM-768, ML-KEM-1024 | Key encapsulation | I, III, V | Final (Aug 2024) |
| FIPS 204 (ML-DSA) | ML-DSA-44, ML-DSA-65, ML-DSA-87 | Digital signatures | II, III, V | Final (Aug 2024) |
| FIPS 205 (SLH-DSA) | SLH-DSA-SHA2/SHAKE in 128s, 128f, 192s, 192f, 256s, 256f | Hash-based signatures | I, III, V | Final (Aug 2024) |
Falcon (FN-DSA) is selected for a future standard (FIPS 206) and is not yet implemented in these packages.
Key and signature sizes
Use these when sizing calldata, certificate chains, JWT envelopes, or storage. The packages expose sizes programmatically through pq-oid's Algorithm.get().
ML-KEM (FIPS 203)
| Parameter set | Public key | Secret key | Ciphertext | Shared secret |
|---|---|---|---|---|
| ML-KEM-512 | 800 B | 1,632 B | 768 B | 32 B |
| ML-KEM-768 | 1,184 B | 2,400 B | 1,088 B | 32 B |
| ML-KEM-1024 | 1,568 B | 3,168 B | 1,568 B | 32 B |
ML-DSA (FIPS 204)
| Parameter set | Public key | Secret key | Signature |
|---|---|---|---|
| ML-DSA-44 | 1,312 B | 2,560 B | 2,420 B |
| ML-DSA-65 | 1,952 B | 4,032 B | 3,309 B |
| ML-DSA-87 | 2,592 B | 4,896 B | 4,627 B |
SLH-DSA (FIPS 205, selection)
| Parameter set | Public key | Secret key | Signature |
|---|---|---|---|
| SLH-DSA-SHA2-128s | 32 B | 64 B | 7,856 B |
| SLH-DSA-SHA2-128f | 32 B | 64 B | 17,088 B |
| SLH-DSA-SHA2-192s | 48 B | 96 B | 16,224 B |
| SLH-DSA-SHA2-256s | 64 B | 128 B | 29,792 B |
SHAKE variants of SLH-DSA have the same sizes; performance differs.
OIDs
ML-KEM-512 2.16.840.1.101.3.4.4.1
ML-KEM-768 2.16.840.1.101.3.4.4.2
ML-KEM-1024 2.16.840.1.101.3.4.4.3
ML-DSA-44 2.16.840.1.101.3.4.3.17
ML-DSA-65 2.16.840.1.101.3.4.3.18
ML-DSA-87 2.16.840.1.101.3.4.3.19
The full list (including all 12 SLH-DSA variants) is exposed through pq-oid and mapped to JOSE / COSE / X.509 descriptors by pq-algorithm-id.
Algorithm selection guide
Use this as a starting heuristic, not a substitute for a security review.
- Need a signature → use ML-DSA-65 by default. NIST Level 3, best balance of size and verification cost. Drop to ML-DSA-44 only if you are size-constrained and accept Level 2. Use ML-DSA-87 for Level 5.
- Need a KEM → use ML-KEM-768. Level 3, the standard recommendation. ML-KEM-512 is Level 1; ML-KEM-1024 is Level 5.
- Need hash-only security assumptions → use a SLH-DSA variant. Hash-based, so its security does not depend on lattice problems. Cost: signatures are 7,856 bytes and up; verification is multiple millions of gas on EVM. The
s(small) variants have smaller signatures but slower signing; thef(fast) variants are the reverse.
Signature size in context
PQ signatures are larger than classical ones by one to two orders of magnitude. This is the fundamental engineering constraint these packages are designed around.
| Scheme | Signature | Notes |
|---|---|---|
| Ed25519 (classical) | 64 B | Quantum-vulnerable |
| ML-DSA-44 | 2,420 B | FIPS 204, lattice-based |
| ML-DSA-65 | 3,309 B | FIPS 204, lattice-based |
| SLH-DSA-SHA2-128s | 7,856 B | FIPS 205, hash-based |
On an L2 that posts calldata to L1, a 3,309-byte ML-DSA-65 signature is the dominant per-transaction cost driver. The packages expose helpers to compute these costs (planned: pq-size-calculator).