Algorithm Selector
This guide helps you choose the right post-quantum algorithm for your use case. Recommendations are based on security requirements, performance characteristics, compliance needs, and deployment constraints.
Key Encapsulation (KEM)
| Use Case | Recommended | Alternative | Standard | Security Level |
|---|---|---|---|---|
| General key exchange | ML-KEM-768 | ML-KEM-1024 | NIST FIPS 203 | Level 3/5 |
| Korean compliance | SMAUG-T3 | SMAUG-T5 | KPQC | Level 3/5 |
| Conservative | FrodoKEM-976 | Classic-McEliece | – | Level 5 |
| Lightweight/IoT | ML-KEM-512 | HQC-128 | NIST FIPS 203 | Level 1 |
Notes:
- ML-KEM-768 is the recommended default for most applications. It provides NIST Level 3 security with good performance and moderate key sizes.
- SMAUG-T is required for Korean government and financial sector compliance, either alongside or instead of NIST algorithms.
- FrodoKEM and Classic-McEliece offer the most conservative security margins but have significantly larger key sizes (Classic-McEliece public keys exceed 250 KB).
- ML-KEM-512 is suitable for constrained environments where Level 1 security is acceptable.
Digital Signatures
| Use Case | Recommended | Alternative | Standard | Signature Size |
|---|---|---|---|---|
| General signing | ML-DSA-65 | ML-DSA-87 | NIST FIPS 204 | 3,309 bytes |
| Compact signatures | Falcon-512 | Falcon-1024 | NIST | ~666 bytes |
| Conservative/stateless | SLH-DSA-SHA2-128f | SLH-DSA-SHAKE-256f | NIST FIPS 205 | 17,088 bytes |
| Korean compliance | HAETAE-3 | HAETAE-5 | KPQC | varies |
| Classical (transitional) | Ed25519 | RSA-2048 | RFC 8032 | 64 bytes |
Notes:
- ML-DSA-65 is the recommended general-purpose signature algorithm. It balances security, signature size, and signing/verification speed.
- Falcon-512 produces the smallest post-quantum signatures (~666 bytes vs. 3,309 for ML-DSA-65) and has fast verification, but signing requires careful floating-point sampling. Falcon has extensive SIMD and GPU acceleration in MetaMUI.
- SLH-DSA makes the fewest cryptographic assumptions (hash function security only) and is recommended when long-term conservative security is the priority. The tradeoff is larger signatures and slower signing.
- HAETAE is the KPQC-selected signature scheme for Korean compliance requirements.
- Ed25519 and RSA-2048 are included for transitional use. RSA-2048 is marked for deprecation in 2030 and should be replaced by a post-quantum algorithm before then.
Symmetric Cryptography and Hashing
| Use Case | Recommended | Alternative | Notes |
|---|---|---|---|
| Authenticated encryption | AES-256-GCM | ChaCha20-Poly1305 | AES-256-GCM where AES-NI hardware is available; ChaCha20-Poly1305 where there is no hardware acceleration |
| Fast hashing | BLAKE3 | SHA3-256 | BLAKE3 has SIMD acceleration on all platforms |
| Password hashing | Argon2id | PBKDF2 | Memory-hard; resists GPU/ASIC attacks |
| Key derivation | HKDF-SHA256 | BLAKE3-KDF | HKDF is the established standard choice |
| Lightweight AEAD | Ascon-128 | – | NIST SP 800-232; designed for constrained devices |
Notes:
- AES-256-GCM is preferred when AES-NI hardware acceleration is available. ChaCha20-Poly1305 performs better in software-only environments (mobile, embedded).
- BLAKE3 is the fastest general-purpose hash function available in MetaMUI, with SIMD acceleration across AVX2, AVX-512, and NEON backends.
- Argon2id is the recommended password hashing function. It combines resistance to both GPU attacks (memory-hardness) and side-channel attacks (data-independent memory access).
- Ascon-128 is the NIST Lightweight Cryptography standard (SP 800-232), designed for IoT and embedded applications.
Selection Criteria
Understanding NIST Security Levels
NIST defines five security levels based on the computational effort required to break the algorithm:
| Level | Equivalent Strength | Meaning |
|---|---|---|
| Level 1 | AES-128 | At least as hard to break as exhaustive key search on AES-128 |
| Level 2 | SHA-256 collision | At least as hard as finding a SHA-256 collision |
| Level 3 | AES-192 | At least as hard as exhaustive key search on AES-192 |
| Level 4 | SHA-384 collision | At least as hard as finding a SHA-384 collision |
| Level 5 | AES-256 | At least as hard as exhaustive key search on AES-256 |
For most applications, Level 3 provides a strong balance of security and performance. Level 5 is appropriate for high-value, long-lived secrets. Level 1 is suitable for short-lived or low-sensitivity data.
Key Size vs. Performance Tradeoffs
Higher security levels increase key and signature sizes, which affects bandwidth, storage, and computation time. Consider these factors:
- Network-constrained environments (IoT, mobile): Prefer algorithms with smaller keys and signatures (Falcon, ML-KEM-512).
- Storage-constrained environments: Falcon signatures (~666 bytes) are roughly 5x smaller than ML-DSA signatures (~3,309 bytes).
- CPU-constrained environments: ML-KEM and ML-DSA have fast, constant-time implementations. Falcon signing is more expensive due to FFT-based sampling.
- Verification-heavy workloads (blockchain, certificate chains): Falcon and ML-DSA both offer fast verification.
Compliance Requirements
- NIST compliance (US, international): Use FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), or FIPS 205 (SLH-DSA).
- KPQC compliance (South Korea): Use SMAUG-T for key encapsulation and HAETAE for signatures. These can be deployed alongside NIST algorithms in a dual-compliance configuration.
- ETSI compliance (Europe): ETSI recommends hybrid approaches combining classical and post-quantum algorithms during the transition period.
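The hybrid approach mentioned in the ETSI item, sketched with the HKDF-SHA256 key derivation recommended earlier. This is an added example, not MetaMUI code and not an ETSI-specified construction. The function names, the label, and the sample shared secrets (constructed bytes standing in for real X25519 and ML-KEM-768 outputs) are assumptions.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: concentrate the input keying material into a PRK."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: stretch the PRK into `length` bytes bound to `info`."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-SHA256 output is limited to 8160 bytes")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def length_prefixed(field: bytes) -> bytes:
    """Prefix a field with its length so field boundaries cannot be shifted."""
    return len(field).to_bytes(4, "big") + field


def hybrid_session_key(ss_classical: bytes, ss_pq: bytes, transcript: bytes,
                       label: bytes = b"example hybrid v1", length: int = 32) -> bytes:
    """Derive one session key from both shared secrets (hypothetical helper)."""
    if not ss_classical or not ss_pq:
        raise ValueError("both shared secrets are required; refusing to downgrade")
    prk = hkdf_extract(b"", length_prefixed(ss_classical) + length_prefixed(ss_pq))
    # Hash the transcript (public keys, KEM ciphertext) into `info` so the
    # derived key is bound to this exact exchange.
    info = length_prefixed(label) + hashlib.sha256(transcript).digest()
    return hkdf_expand(prk, info, length)


# Constructed sample values, not real key-exchange outputs.
SS_X25519 = bytes(range(32))
SS_MLKEM = bytes(range(32, 64))
TRANSCRIPT = b"constructed: client_pk || server_pk || mlkem_ciphertext"

if __name__ == "__main__":
    print(hybrid_session_key(SS_X25519, SS_MLKEM, TRANSCRIPT).hex())
```

The derived key changes if either shared secret or the transcript changes, and the function fails closed rather than deriving a key from a single component.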
Hardware Acceleration
MetaMUI provides SIMD and GPU acceleration for performance-critical algorithms:
| Algorithm | AVX2 | AVX-512 | NEON (ARM) | Metal (GPU) |
|---|---|---|---|---|
| Falcon-512/1024 | Yes | Yes | Yes | Yes |
| BLAKE3 | Yes | Yes | Yes | – |
| AES-256-GCM | AES-NI | AES-NI | ARM CE | – |
| ChaCha20-Poly1305 | Yes | Yes | Yes | – |
| ML-KEM | Yes | – | Yes | – |
| ML-DSA | Yes | – | Yes | – |
Falcon and BLAKE3 have the most extensive hardware acceleration, with optimized code paths for all supported SIMD instruction sets plus Apple Metal GPU batch operations for Falcon.