PQC Tracker

Algorithm Coverage

Coverage of NIST post-quantum algorithms across all tracked mandates.Required — explicitly mandated, non-compliance is a violation. Recommended — officially encouraged but not compelled. Noted — referenced for awareness only, no obligation attached. Prohibited — use is explicitly disallowed.

Coverage matrix

Algorithm
NSA
US
CNSA-2
NIST
US
IR-8547
OMB
US
M-23-02
CISA
US
PQC-INITIATIVE
NCSC
UK
UK-PQC
BSI
Germany
PQC-MIGRATION
ANSSI
France
PQC-POSITION
CSA
Singapore
SG-PQC
ASD
Australia
PQC
ENISA
EU
EU-NIS2
CRYPTREC
Japan
PQC
NIST
US
SP-800-208
ETSI
Global
ISG-QSC
IETF
Global
PQC-PROTOCOLS
FALCON (FN-DSA)FIPS 206REQ
HQCNOTE
LMS / HSSSP 800-208RECRECREC
ML-DSAFIPS 204REQREQREQRECRECRECRECRECRECRECRECRECREC
ML-KEMFIPS 203REQREQREQRECRECRECRECRECRECRECRECRECREC
SLH-DSAFIPS 205RECREQRECNOTERECNOTENOTEREC
XMSSSP 800-208RECRECREC
LegendREQRequiredRECRecommendedNOTENotedPROHIBProhibitedNot referenced

Algorithm reference

FALCON (FN-DSA)FIPS 206

Replaces: ECDSA

SignatureStandardized

Fast-Fourier Lattice-based Compact Signatures over NTRU, standardized as FN-DSA in FIPS 206 (October 2024). Produces significantly smaller signatures and public keys than ML-DSA, making it attractive for bandwidth-constrained environments such as TLS handshakes and embedded systems. Based on NTRU lattices with a discrete Gaussian sampler. Requires careful, constant-time implementation to avoid side-channel vulnerabilities.

Referenced in

HQC

Replaces: RSA, ECDH

KEMCandidate

Hamming Quasi-Cyclic (HQC) is a code-based key encapsulation mechanism selected by NIST in March 2024 for standardization as a backup to ML-KEM. Based on the hardness of decoding random quasi-cyclic codes, it provides a mathematically distinct foundation from lattice-based ML-KEM, offering algorithmic diversity in case lattice assumptions are weakened. Draft NIST standard pending.

Referenced in

LMS / HSSSP 800-208

Replaces: RSA, ECDSA

SignatureStandardized

Leighton-Micali Hash-Based Signatures (LMS) with Hierarchical Signature Scheme (HSS) is a stateful hash-based signature scheme standardized in IETF RFC 8554 (2019) and approved for US federal use in NIST SP 800-208 (2020). Like XMSS, security relies only on hash function properties. Recommended by NSA CNSA 2.0 and NIST for firmware and software signing in National Security Systems. Stateful — requires strict state management to prevent catastrophic key reuse.

Referenced in

ML-DSAFIPS 204

Replaces: RSA, ECDSA

SignatureStandardized

Module-Lattice-Based Digital Signature Algorithm standardized in FIPS 204 (August 2024). Based on the CRYSTALS-Dilithium submission. Provides quantum-resistant digital signatures as a replacement for RSA and ECDSA. Offers parameter sets at security levels 2, 3, and 5 corresponding to AES-128, AES-192, and AES-256 equivalent strength.

Referenced in

ML-KEMFIPS 203

Replaces: RSA, ECDH

KEMStandardized

Module-Lattice-Based Key-Encapsulation Mechanism standardized in FIPS 203 (August 2024). Based on the CRYSTALS-Kyber submission. Provides quantum-resistant key exchange as a drop-in replacement for RSA and ECDH key encapsulation. Available in security levels 512, 768, and 1024 (roughly equivalent to AES-128, AES-192, and AES-256).

Referenced in

SLH-DSAFIPS 205

Replaces: RSA, ECDSA

SignatureStandardized

Stateless Hash-Based Digital Signature Algorithm standardized in FIPS 205 (August 2024). Based on the SPHINCS+ submission. Security relies solely on hash function properties, providing a conservative alternative to lattice-based schemes. Produces larger signatures but offers a security proof independent of structured mathematical hardness assumptions.

Referenced in

XMSSSP 800-208

Replaces: RSA, ECDSA

SignatureStandardized

Extended Merkle Signature Scheme (XMSS) is a stateful hash-based signature scheme standardized in IETF RFC 8391 (2018) and approved for US federal use in NIST SP 800-208 (2020). Security depends solely on the security of the underlying hash function — no algebraic hardness assumptions. Stateful: signers must track signature count and never reuse one-time keys. Recommended for firmware signing and environments with low signing volume and careful state management.

Referenced in

Algorithm standards quick reference

FIPSAlgorithmTypeStatusYear
FIPS 203ML-KEMKEMFinal2024
FIPS 204ML-DSASignatureFinal2024
FIPS 205SLH-DSASignatureFinal2024
FIPS 206FALCON (FN-DSA)SignatureFinal2024
SP 800-208XMSS / LMSSignatureFinal2020
TBDHQCKEMCandidate
RFC 8391XMSSSignatureFinal2018
RFC 8554LMS / HSSSignatureFinal2019

Sources: NIST PQC project, IETF LAMPS WG, ETSI ISG QSC. FIPS 206 (FN-DSA) finalized October 2024. HQC standardization pending. SP 800-208 / RFC 8391 / RFC 8554 cover stateful hash-based schemes.