Post-Quantum Algorithm Threat Models

Comprehensive threat analysis for 19 post-quantum cryptographic algorithms resistant to both classical and quantum attacks.

NIST Standardized Algorithms (FIPS 203/204/205)

ML-KEM (Module Lattice Key Encapsulation)

• ML-KEM-512 - 128-bit security
• ML-KEM-768 - 192-bit security
• ML-KEM-1024 - 256-bit security

ML-DSA (Module Lattice Digital Signature)

• ML-DSA-44 - 128-bit security
• ML-DSA-65 - 192-bit security
• ML-DSA-87 - 256-bit security

SLH-DSA (Stateless Hash-based Digital Signature)

• SLH-DSA-SHA2-128f - Fast variant
• SLH-DSA-SHAKE-256f - SHAKE variant

NIST Round 4 Additional Algorithms

Falcon (Fast Fourier Lattice-based Signatures)

• Falcon-512 - 128-bit security
• Falcon-1024 - 256-bit security

Korean Post-Quantum Cryptography (KPQC)

KEM Algorithms

• SMAUG-T - Module-LWR based
• NTRU+ - NTRU variant

Signature Algorithms

• Haetae - Lattice-based
• AIMer - MPC-in-the-head

Stateful Hash-Based Signatures

• XMSS - eXtended Merkle Signature Scheme
• LMS - Leighton-Micali Signature

Code-Based & Additional KEMs

• Classic McEliece - Code-based
• HQC-128 - Hamming Quasi-Cyclic
• FrodoKEM - Learning With Errors

Risk Assessment Summary

Algorithm Family	Quantum Resistance	Maturity	Performance	Key/Signature Size
ML-KEM	Excellent	High (NIST Standard)	Fast	Medium
ML-DSA	Excellent	High (NIST Standard)	Fast	Medium
SLH-DSA	Excellent	High (NIST Standard)	Moderate	Large
Falcon	Excellent	Medium (Round 4)	Very Fast	Small
KPQC	Excellent	Low-Medium	Varies	Varies
Stateful	Excellent	High	Fast	Small*
Code-Based	Excellent	High	Moderate	Very Large

*Stateful signatures have small signature sizes but require careful state management

Selection Guidelines

For Key Exchange/Encryption

1. Primary Choice: ML-KEM-768 (balanced security/performance)
2. High Security: ML-KEM-1024 or Classic McEliece
3. Constrained Devices: ML-KEM-512 or NTRU+
4. Research/Testing: SMAUG-T, FrodoKEM

For Digital Signatures

1. Primary Choice: ML-DSA-65 (balanced)
2. Small Signatures: Falcon-512 (requires careful implementation)
3. Hash-Based: SLH-DSA (no state required)
4. Stateful: XMSS/LMS (when state can be managed)
5. Research/Testing: Haetae, AIMer

Common Threats Across PQC

Implementation Vulnerabilities

• Side-channel attacks (timing, power, EM)
• Fault injection attacks
• Random number generation weaknesses
• Incorrect parameter validation

Protocol-Level Risks

• Downgrade attacks in hybrid systems
• Algorithm confusion attacks
• Key management complexity
• State management (for stateful signatures)

Deployment Challenges

• Large key/ciphertext sizes
• Performance impacts
• Backward compatibility
• Crypto-agility requirements

Migration Considerations

Store-Now-Decrypt-Later (SNDL)

• Critical: Data with >10 year protection requirements
• Action: Immediate migration to PQC required

Active Attack Timeline

• 2025-2030: Low risk, hybrid recommended
• 2030-2035: Medium risk, full PQC recommended
• 2035+: High risk, PQC mandatory

Compliance Requirements

• NIST: Migrate to standardized PQC by 2030
• CNSA 2.0: Quantum-resistant by 2025-2033
• EU/ENISA: Following NIST timeline
• Industry: Varies by sector

---

Back to Algorithm Threat Models
Back to Threat Models