Protocols · FIPS 203 / 204 / 205

Post-Quantum Cryptography

NIST-selected algorithms for a world where quantum computers break RSA and ECDSA. The selfdriven identity layer — built on KERI/ACDC — is ready for the transition.

FIPS 203 ML-KEM · FIPS 204 ML-DSA · FIPS 205 SLH-DSA · Replaces RSA, ECDSA, ECDH

  • 1994: Shor's Algorithm
  • 2016: NIST PQC Call
  • 2022: Finalists Selected
  • 2024: FIPS 203/204/205
  • 2030+: CRQC Risk Window

Shor's algorithm solves integer factoring and discrete logarithm problems in polynomial time on a cryptographically relevant quantum computer (CRQC) — breaking RSA, ECDSA, ECDH, and DH entirely.

Post-quantum algorithms rely on problems believed hard for both classical and quantum computers: lattice problems (MLWE/MSIS) and hash-function security. Standardised August 2024.

Security Under Quantum Attack

Scheme        | Status under quantum attack
RSA-2048      | BROKEN
ECDSA P-256   | BROKEN
AES-128       | 64-bit quantum security (Grover)
ML-KEM-768    | NIST Level 3
ML-DSA-87     | NIST Level 5
SLH-DSA-256s  | NIST Level 5
FIPS 203 · KEM

ML-KEM

Key Encapsulation

Module Lattice KEM — replaces ECDH/RSA for key exchange. Three parameter sets: 512, 768, 1024.

FIPS 204 · Signature

ML-DSA

Digital Signatures

Module Lattice DSA — replaces ECDSA/RSA-PSS. Fiat-Shamir with aborts construction. Variants 44, 65, 87.

FIPS 205 · Signature

SLH-DSA

Hash-Based Signatures

Stateless hash-based signatures — relies only on SHA-256/SHAKE. Conservative backup. 12 parameter sets.


selfdriven KERI/ACDC + PQC Migration Path

selfdriven's identity layer uses KERI Autonomous Identifiers (AIDs) — self-certifying, rotation-capable, and witness-anchored. Because AIDs support pre-rotation and key rotation via the Key Event Log (KEL), migrating to PQC signing keys (ML-DSA-65 for everyday events, SLH-DSA-256s for root AIDs) requires only a rot event — no re-issuance, no downtime. ACDC credentials issued under the new keys are immediately valid. The selfdriven ecosystem is structurally PQC-ready today.

ML-KEM

Module Lattice-based Key Encapsulation Mechanism (CRYSTALS-Kyber)

Problem: MLWE · Ring: ℤ_q[x]/(xⁿ+1) · q = 3329 · n = 256

Hard Problem — Module Learning With Errors (MLWE)

Given public matrix A and vector b = As + e (mod q), find secret s — where e is a small-magnitude "error" sampled from a binomial distribution. With the right parameters, this is computationally indistinguishable from random for both classical and quantum adversaries.
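To make the MLWE structure concrete, here is an added toy key exchange over the same ring (ℤ_q[x]/(xⁿ+1), q = 3329, n = 256). It is example code written for this page, not ML-KEM and not any library's implementation: it uses a single ring element (k = 1) instead of a module, schoolbook multiplication instead of the NTT, no ciphertext compression and no Fujisaki-Okamoto transform, so it is only CPA-secure and exists purely to show where the public matrix, the secret, and the small error terms sit. The function names (keygen, encaps, decaps, cbd, demo) and the SHA3-256 derivation of the 32-byte shared secret are this example's assumptions.

```python
import hashlib
import random

# Added toy Ring-LWE KEM over the ML-KEM ring Z_q[x]/(x^n + 1), q = 3329,
# n = 256. Constructed for illustration only: k = 1 (ring, not module),
# schoolbook multiplication instead of the NTT, no ciphertext compression and
# no Fujisaki-Okamoto transform, so it is CPA-only and NOT ML-KEM.
Q = 3329
N = 256
HALF_Q = (Q + 1) // 2   # round(q/2) = 1665, the encoding of a 1 bit


def poly_mul(a, b):
    """Negacyclic product mod x^n + 1: a term of degree n + k becomes -x^k."""
    out = [0] * N
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                out[k] = (out[k] + ai * bj) % Q
            else:
                out[k - N] = (out[k - N] - ai * bj) % Q
    return out


def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def poly_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]


def cbd(rng, eta=2):
    """Centred binomial noise in [-eta, eta]: the small 'error' terms of MLWE."""
    return [sum(rng.getrandbits(1) for _ in range(eta))
            - sum(rng.getrandbits(1) for _ in range(eta)) for _ in range(N)]


def shared_secret(bits):
    """32-byte shared secret from 256 message bits (SHA3-256 stands in for
    ML-KEM's key derivation; assumption of this example)."""
    msg = int("".join(map(str, bits)), 2).to_bytes(N // 8, "big")
    return hashlib.sha3_256(msg).digest()


def keygen(rng):
    a = [rng.randrange(Q) for _ in range(N)]   # public uniform polynomial A
    s = cbd(rng)                                # secret s
    e = cbd(rng)                                # error e
    b = poly_add(poly_mul(a, s), e)             # the MLWE sample b = A*s + e
    return (a, b), s


def encaps(pk, rng):
    """Pick 256 random message bits and hide them under fresh LWE noise."""
    a, b = pk
    msg_bits = [rng.getrandbits(1) for _ in range(N)]
    r, e1, e2 = cbd(rng), cbd(rng), cbd(rng)
    u = poly_add(poly_mul(a, r), e1)
    v = poly_add(poly_add(poly_mul(b, r), e2), [m * HALF_Q for m in msg_bits])
    return (u, v), shared_secret(msg_bits)


def decaps(sk, ct):
    """v - u*s = m*round(q/2) + (e*r - s*e1 + e2); the noise term stays far
    below q/4, so rounding each coefficient recovers the bit."""
    u, v = ct
    w = poly_sub(v, poly_mul(u, sk))
    bits = [1 if Q // 4 < c < 3 * Q // 4 else 0 for c in w]
    return shared_secret(bits)


def demo(seed):
    """Full round trip with a seeded RNG (seeded only so the toy is repeatable).
    Returns (right_key_matches, wrong_key_matches)."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    ct, ss = encaps(pk, rng)
    return decaps(sk, ct) == ss, decaps(cbd(rng), ct) == ss
```

The decapsulation step is where the error term matters: e·r − s·e₁ + e₂ has a standard deviation of roughly 23 per coefficient for η = 2, while a bit only flips if that noise exceeds q/4 = 832, which is why the toy decapsulates correctly in practice and why the parameters of the real scheme are chosen to keep the failure probability negligible.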

Protocol Walkthrough — Key Exchange (interactive widget): KeyGen → public key pk (shareable) and secret key sk; Encapsulate(pk) → ciphertext ct; Decapsulate(sk, ct) → 32-byte shared secret ss.

Parameter Sets

Variant      | Security | pk     | ct
ML-KEM-512   | Level 1  | 800 B  | 768 B
ML-KEM-768   | Level 3  | 1184 B | 1088 B
ML-KEM-1024  | Level 5  | 1568 B | 1568 B

Key Properties

  • IND-CCA2 secure under the MLWE assumption
  • NTT for efficient polynomial multiplication
  • Fujisaki-Okamoto transform for CCA security
  • Deterministic given its input seeds, with SHAKE-256 as the PRF
  • No pre-shared secret needed; keys may be ephemeral or static

ML-DSA

Module Lattice-based Digital Signature Algorithm (CRYSTALS-Dilithium)

Problem: MSIS + MLWE · Method: Fiat-Shamir with Aborts · q = 8380417

Hard Problem — MSIS

Module Short Integer Solution: find a short non-zero vector z such that Az = 0 (mod q) in a lattice module. Combined with MLWE to construct a signature scheme where forgery requires solving an exponentially hard lattice problem.

Fiat-Shamir with Aborts

The response vector z = y + cs₁ might leak the secret s₁ if its coefficients are too large. ML-DSA therefore uses rejection sampling: if any coefficient of z reaches the bound γ₁ − β in absolute value (‖z‖∞ ≥ γ₁ − β), signing aborts and restarts with a fresh y. This makes the distribution of z independent of the secret key.
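An added worked example of the abort check, written for this page rather than taken from FIPS 204 or any implementation. It works on a single coefficient with toy bounds small enough to enumerate every possible y, which makes the independence claim checkable by inspection: the set of accepted z is identical for c·s₁ = +3 and c·s₁ = −3, while without rejection the extreme values of z reveal c·s₁ exactly. The per-coefficient acceptance formula and expected_attempts assume only the ‖z‖∞ check; the ML-DSA-65 constants mentioned in the note after the code (γ₁ = 2¹⁹, β = 196, ℓ = 5 polynomials of 256 coefficients) are quoted from FIPS 204 as this example's assumption.

```python
import random

# Added illustration of Fiat-Shamir with aborts on one coefficient.
# Toy bounds (gamma1 = 16, beta = 3) are used in the tests so that the whole
# range of y can be enumerated; the formulas take any gamma1, beta.


def all_responses(c_s1, gamma1):
    """Every z = y + c*s1 for y uniform in [-gamma1 + 1, gamma1], no rejection."""
    return [y + c_s1 for y in range(-gamma1 + 1, gamma1 + 1)]


def accepted_responses(c_s1, gamma1, beta):
    """Same, keeping only z with |z| < gamma1 - beta (the abort check).
    The result does not depend on c*s1 as long as |c*s1| <= beta."""
    return [z for z in all_responses(c_s1, gamma1) if abs(z) < gamma1 - beta]


def leaks_secret(c_s1, gamma1):
    """Without rejection, the largest z an observer can see equals gamma1 + c*s1,
    so collecting signatures reveals c*s1 and with it the secret."""
    return max(all_responses(c_s1, gamma1)) - gamma1 == c_s1


def per_coefficient_acceptance(gamma1, beta):
    """Probability one coefficient passes: 2(gamma1 - beta) - 1 accepted values
    out of 2*gamma1 possible y, whatever c*s1 is (given |c*s1| <= beta)."""
    return (2 * (gamma1 - beta) - 1) / (2 * gamma1)


def expected_attempts(n_coeffs, gamma1, beta):
    """Expected signing attempts if the ||z||_inf bound were the only abort."""
    return 1 / per_coefficient_acceptance(gamma1, beta) ** n_coeffs


def sign_coefficient(c_s1, gamma1, beta, seed=None):
    """Sample y, form z, abort and retry until |z| < gamma1 - beta.
    Returns (z, attempts). The seed only makes the toy repeatable."""
    rng = random.Random(seed)
    attempts = 0
    while True:
        attempts += 1
        z = rng.randint(-gamma1 + 1, gamma1) + c_s1
        if abs(z) < gamma1 - beta:
            return z, attempts
```

With the ML-DSA-65 constants, expected_attempts(5 * 256, 2**19, 196) comes out near 1.6 for the z check alone. The page's figure of about 4.25 expected aborts is higher because real signing also aborts when the low-order part of w − cs₂ lies too close to the γ₂ boundary, a second check this toy leaves out.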


Parameter Sets

Variant    | Security | pk     | sig
ML-DSA-44  | Level 2  | 1312 B | 2420 B
ML-DSA-65  | Level 3  | 1952 B | 3309 B
ML-DSA-87  | Level 5  | 2592 B | 4627 B

Security Properties

  • EUF-CMA — existentially unforgeable under chosen message attack
  • Deterministic or randomised signing mode
  • SHAKE-128/256 for all hashing
  • ~4.25 expected aborts per signature (ML-DSA-65)
  • Power analysis resistant by design

KERI Key Events with ML-DSA

Every KERI event (icp, rot, ixn, dip) is signed by the controlling AID's current key pair. Replacing the signing key with ML-DSA-65 requires only adding it to the next key commitment in a rot event. All existing ACDC credentials anchored to the AID remain valid — the KEL provides cryptographic continuity across the key rotation.
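As an added example (not selfdriven's or KERI's code), a toy Key Event Log that shows why a rot event is enough: each event publishes only a digest of the next signing key, so the key that will take over can be of a different algorithm, and a validator replaying the log checks the revealed key against that earlier commitment. Only icp and rot are modelled, the algorithm names are tags, the field letters t/s/p/k/n are assumed to mirror KERI's event shape, and the signatures are HMAC stand-ins over the event using the key bytes (nothing like ML-DSA, and the key would be a public key in the real protocol); the chain checks are the point.

```python
import hashlib
import hmac
import json
import secrets

# Added toy Key Event Log with KERI-style pre-rotation. Constructed for
# illustration: only icp and rot events, algorithm names are tags, and
# "signatures" are HMAC over the event with the key bytes as a stand-in.


def serialize(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def said(event):
    """Self-addressing digest of the serialized event (SHA3-256 here)."""
    return hashlib.sha3_256(serialize(event)).hexdigest()


def new_key(alg):
    return {"alg": alg, "key": secrets.token_hex(32)}


def key_digest(key):
    """What gets published ahead of time: a hash, so the commitment is itself
    quantum-safe regardless of the key's algorithm."""
    return hashlib.sha3_256(serialize(key)).hexdigest()


def sign(key, event):
    return hmac.new(bytes.fromhex(key["key"]), serialize(event), hashlib.sha3_256).hexdigest()


def verify(key, event, sig):
    return hmac.compare_digest(sign(key, event), sig)


class Controller:
    def __init__(self, alg):
        self.current = new_key(alg)
        self.next = new_key(alg)  # pre-rotated: only its digest goes on the log
        icp = {"t": "icp", "s": 0, "k": [self.current], "n": [key_digest(self.next)]}
        self.kel = [(icp, sign(self.current, icp))]

    def rotate(self, next_alg):
        """Reveal the pre-committed key and commit to a fresh key of next_alg."""
        prior, _ = self.kel[-1]
        revealed, following = self.next, new_key(next_alg)
        rot = {"t": "rot", "s": prior["s"] + 1, "p": said(prior),
               "k": [revealed], "n": [key_digest(following)]}
        self.kel.append((rot, sign(revealed, rot)))  # a rot is signed by the new key
        self.current, self.next = revealed, following


def validate_kel(kel):
    """Replay the log; return the current signing key or raise ValueError."""
    prior, commitment, current = None, None, None
    for event, sig in kel:
        if prior is None:
            if event["t"] != "icp" or event["s"] != 0:
                raise ValueError("log must start with icp at s=0")
        else:
            if event["t"] != "rot":
                raise ValueError("only icp and rot are modelled here")
            if event["s"] != prior["s"] + 1 or event["p"] != said(prior):
                raise ValueError("sequence number or prior-digest chain is broken")
            if [key_digest(k) for k in event["k"]] != commitment:
                raise ValueError("revealed key does not match the pre-rotation commitment")
        current = event["k"][0]
        if not verify(current, event, sig):
            raise ValueError("event signature does not verify")
        prior, commitment = event, event["n"]
    return current


def is_valid(kel):
    try:
        validate_kel(kel)
        return True
    except ValueError:
        return False
```

Running a Controller through rotate("ML-DSA-65") twice shows the two-step shape of pre-rotation: the first rot reveals the classical key committed at inception and adds the ML-DSA-65 key to the next-key commitment, the second reveals the ML-DSA-65 key and it becomes the current signing key. A forged rot that reveals some other key is rejected by the digest comparison before any signature is checked, and a log that does not start at the inception event is rejected outright.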

SLH-DSA

Stateless Hash-Based Digital Signature Algorithm (SPHINCS+)

Basis: hash functions only · Hash: SHA-256 / SHAKE · Layers: d=8 XMSS

Why Hash-Based?

SLH-DSA's security rests only on the collision resistance and one-wayness of SHA-256 or SHAKE — properties studied for decades with no known quantum speedup beyond Grover's quadratic reduction. It is the portfolio's conservative "insurance policy": if lattice assumptions fail, SLH-DSA remains secure.

Merkle Tree — SLH-DSA Root of Trust (Simplified): the public key is the 32-byte top root, and a signature proves a leaf is authentic via its authentication path.

Variants (SHA-2 family)

Variant    | Sig Size | Speed
sha2-128s  | 7856 B   | Slow/Small
sha2-128f  | 17088 B  | Fast/Large
sha2-256s  | 29792 B  | Slow/Small
sha2-256f  | 49856 B  | Fast/Large

Construction Layers

  • WOTS+ — one-time sig at each leaf
  • FORS — few-time sig over message digest chunks
  • XMSS — eXtended Merkle tree per layer
  • HT — Hypertree chains d=8 XMSS layers
  • Stateless — no counter state needed
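An added example (written for this page, not SPHINCS+ or SLH-DSA code) that builds the pieces named above from SHA-256 alone: a simplified Winternitz one-time signature at each leaf, a Merkle tree whose 32-byte root is the public key, and an authentication path that ties a leaf to that root. It is a single stateful tree, so it omits FORS, the hypertree and SLH-DSA's tweakable hash addressing; all names and constants (W, TREE_HEIGHT, the domain-separation prefixes) are this example's choices.

```python
import hashlib
import secrets

# Added toy hash-based signature: a simplified Winternitz one-time signature
# (WOTS) at each leaf of one Merkle tree, with SHA-256 as the only primitive.
# Constructed for illustration: no FORS layer, no hypertree, no tweakable hash
# addressing, so this signer MUST track which leaf index it has used (the
# state that SLH-DSA's design removes).
N_BYTES = 32
W = 16                      # Winternitz parameter: each chain has w - 1 = 15 steps
MSG_DIGITS = 2 * N_BYTES    # 64 base-16 digits of a SHA-256 message digest
CHK_DIGITS = 3              # checksum < 64 * 15 = 960 fits in three base-16 digits
TREE_HEIGHT = 3             # 2^3 = 8 one-time key pairs under one root


def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def chain(x, steps):
    for _ in range(steps):
        x = H(b"chain", x)
    return x


def digits(digest):
    """Base-16 digits of the digest plus a checksum: raising any message digit
    lowers the checksum, so a forger would have to walk a chain backwards."""
    d = []
    for byte in digest:
        d += [byte >> 4, byte & 0xF]
    csum = sum(W - 1 - di for di in d)
    d += [(csum >> (4 * i)) & 0xF for i in range(CHK_DIGITS)]
    return d


def wots_keygen():
    sk = [secrets.token_bytes(N_BYTES) for _ in range(MSG_DIGITS + CHK_DIGITS)]
    return sk, [chain(s, W - 1) for s in sk]     # pk_i is the end of chain i


def wots_sign(sk, digest):
    return [chain(s, d) for s, d in zip(sk, digits(digest))]


def wots_pk_from_sig(sig, digest):
    """Finish each chain; equals pk only if sig was made for this digest."""
    return [chain(s, W - 1 - d) for s, d in zip(sig, digits(digest))]


def leaf_hash(pk):
    return H(b"leaf", *pk)


def merkle_levels(leaves):
    levels = [leaves]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(b"node", prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels


def auth_path(levels, index):
    """Sibling hashes from leaf to root: the part of the signature that links
    one leaf to the 32-byte public root."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index >>= 1
    return path


def root_from_path(leaf, index, path):
    node = leaf
    for sibling in path:
        node = H(b"node", node, sibling) if index % 2 == 0 else H(b"node", sibling, node)
        index >>= 1
    return node


class ToySigner:
    def __init__(self):
        self.keys = [wots_keygen() for _ in range(2 ** TREE_HEIGHT)]
        self.levels = merkle_levels([leaf_hash(pk) for _, pk in self.keys])
        self.public_key = self.levels[-1][0]    # the 32-byte root
        self.used = set()                        # one-time keys must never be reused

    def sign(self, msg, index):
        if index in self.used:
            raise ValueError("one-time key %d already used" % index)
        self.used.add(index)
        sk, _ = self.keys[index]
        return index, wots_sign(sk, H(b"msg", msg)), auth_path(self.levels, index)


def verify(public_key, msg, signature):
    index, wots_sig, path = signature
    pk = wots_pk_from_sig(wots_sig, H(b"msg", msg))
    return root_from_path(leaf_hash(pk), index, path) == public_key
```

The signer has to remember which leaf it has used, and ToySigner.sign refuses a second use of the same index: signing two different messages under one WOTS key exposes intermediate chain values that can be combined into a forgery. SLH-DSA avoids that bookkeeping by picking the leaf pseudorandomly from the message in a tree so large that reuse is negligible, and by tolerating the rare collision with a few-time FORS layer; that is what "stateless" buys, at the cost of the signature sizes in the table.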

Classical vs Post-Quantum

⚠ Classical — Broken by Quantum

RSA-2048 key        | 256 B
ECDSA P-256 sig     | 64 B
ECDH shared secret  | 32 B
Quantum security    | 0 bits
Hard problem        | Factoring / DLog
Shor's algorithm    | Breaks all

✓ Post-Quantum — NIST Selected

ML-KEM-768 pk       | 1184 B
ML-DSA-65 sig       | 3309 B
ML-KEM-768 ct       | 1088 B
Quantum security    | ~128 bits
Hard problem        | LWE / SIS / Hash
Shor's algorithm    | Not applicable

Use Case Decision Matrix

Use Case             | Algorithm    | Reason                    | Level
TLS Key Exchange     | ML-KEM-768   | Small keys, fast ops      | Level 3
Code Signing         | ML-DSA-65    | Balanced size/speed       | Level 3
Root CA Certificate  | SLH-DSA-256s | Conservative, long-lived  | Level 5
IoT / Constrained    | ML-KEM-512   | Smallest footprint        | Level 1
KERI Event Signing   | ML-DSA-65    | rot event, KEL continuity | Level 3
KERI Root AID        | SLH-DSA-256s | Max conservatism for root | Level 5
ACDC Credentials     | ML-DSA-65    | Issuer sig on credential  | Level 3

Migration Strategy

  • Hybrid mode — classical + PQC during transition
  • Harvest now, decrypt later — encrypt today's data
  • TLS 1.3 + ML-KEM already in Chrome/Firefox (X25519MLKEM768)
  • PKI: leaf certs → intermediates → root
  • KERI rot event — migrate AID signing key with no downtime
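An added example of the hybrid-mode combiner, written for this page (it is not the TLS 1.3 key schedule that X25519MLKEM768 feeds, and no KEM is run here): an HKDF extract-then-expand over the concatenated classical and PQC shared secrets, bound to a transcript. Both input secrets are constructed bytes standing in for X25519 and ML-KEM-768 outputs; the salt and info labels are this example's choices.

```python
import hashlib
import hmac

# Added hybrid shared-secret combiner for the classical + PQC transition.
# Constructed for illustration: the inputs stand for an X25519 and an
# ML-KEM-768 shared secret; the salt/info labels are this example's choice
# and the construction is not the TLS 1.3 key schedule.


def hkdf_extract(salt, ikm):
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869): T(i) = HMAC(prk, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def combine(ss_classical, ss_pq, transcript, length=32):
    """Hybrid key that stays secret as long as EITHER input secret is secret.
    The transcript digest in the info string binds the key to this exchange."""
    if len(ss_classical) != 32 or len(ss_pq) != 32:
        raise ValueError("expected two 32-byte shared secrets")
    prk = hkdf_extract(b"hybrid-kem-combiner-v1", ss_classical + ss_pq)
    info = b"hybrid-key" + hashlib.sha256(transcript).digest()
    return hkdf_expand(prk, info, length)
```

The property to check is that the output is unpredictable while either input is unknown, so a future CRQC breaking X25519, or a flaw found in the lattice assumption, does not expose sessions on its own; changing either secret or the transcript changes the derived key. hkdf_extract and hkdf_expand follow RFC 5869 and reproduce its first test vector.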

NIST Security Levels

  • Level 1 — AES-128 equivalent (Grover)
  • Level 2 — SHA-256 collision equivalent
  • Level 3 — AES-192 equivalent
  • Level 4 — SHA-384 collision equivalent
  • Level 5 — AES-256 equivalent (highest)

selfdriven PQC Readiness — Protocols Area of Focus

Under the selfdriven 8 Areas of Focus, PQC migration falls within 04 · Protocols — identity infrastructure and technical standards. The selfdriven Human Conductor for Protocols leads the migration roadmap: auditing all signing surfaces, scheduling KERI rot events for AID key upgrades, and updating ACDC schema to accept ML-DSA or SLH-DSA proof types. AI agents handle monitoring, reporting on KEL consistency, and flagging credentials signed with deprecated algorithms.