Cryptographic Engineers · Free Tool
Four questions. A named NIST FIPS 203/204/205 algorithm recommendation with parameter set, technical justification, key and signature size data, hybrid configuration guidance, and library support references. No account required. Results appear on this page.
This tool takes four inputs from a cryptographic implementer and returns a specific algorithm recommendation from the three finalised NIST post-quantum cryptography standards: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). The recommendation includes the parameter set, a technical justification, key and signature size data for comparison with classical equivalents, and hybrid configuration references where applicable.
The tool is a branching decision tree, not a scoring system. Given your four inputs, exactly one primary recommendation results. For the digital signature path, an alternative recommendation is also shown, with an explanation of when to choose SLH-DSA over ML-DSA.
The primary audience is cryptographic engineers, developers, and security architects who are actively implementing post-quantum cryptography and need to answer a direct question: which specific NIST algorithm and parameter set should I use for this application, and why? The tool returns a named answer, not a set of options to consider further.
FIPS 206 (FN-DSA, formerly FALCON) is not included in this tool's recommendations. FIPS 206 was not a final standard as of March 2026. Classical algorithms (RSA, ECDSA, ECDH) appear only in the size comparison table for reference. This tool does not assess regulatory compliance or migration readiness.
Quantum Security and Defence does not collect, associate, or retain your name or your company name when you use these tools. All information is stored only for the duration of the browser session.
We collect only country, industry, and results data. This information is anonymised and cannot be associated with you or your company. Such anonymised data may be used for industry-level reporting, shared with members, incorporated into our research, and provided to government departments to support lobbying activity and the communication of industry readiness.
By using this tool, you consent to the provision of results data on a strictly anonymised basis. No personal name, email address, or company name is stored.
Country is recorded anonymously for sector-level benchmarking only.
Required to generate your recommendation. Recorded anonymously.
Industry selection is required and recorded anonymously. It does not affect the algorithm recommendation.
Not recorded. Only used to personalise your results within this browser session.
Name and company are used only within your browser session. They are not stored or transmitted.
Select the primary cryptographic operation you are implementing. If your application requires both key exchange and digital signatures, run the tool twice: once for each use case. Key encapsulation, data-at-rest encryption, secure messaging, and IoT key agreement all route to ML-KEM (FIPS 203). Digital signatures route to ML-DSA (FIPS 204) as primary with SLH-DSA (FIPS 205) as an alternative.
Your answer is used to calculate your score. Results data is recorded anonymously for benchmarking. No email, name, or company details are transmitted or stored.
NIST security levels indicate resistance to quantum attack, measured against the computational effort required to break AES at the corresponding key size using Grover's algorithm on a quantum computer. Level 1 is adequate for most commercial applications without long-term confidentiality requirements. Level 3 is the most widely adopted default for new PQC deployments and is consistent with CNSA 2.0 minimum requirements for non-NSS systems. Level 5 is required by CNSA 2.0 for US National Security Systems. If you are unsure, select "Not sure": the tool will apply Level 3.
Post-quantum algorithms have larger key and signature sizes than their classical equivalents. ML-KEM-768 public keys are 1,184 bytes; ECDH P-256 public keys are 64 bytes. ML-DSA-65 signatures are 3,309 bytes; ECDSA P-256 signatures are 64 bytes. Your performance environment determines which parameter sets are practical and whether size-optimised variants should be noted. For most server and desktop deployments, size is not a significant constraint. For embedded systems and network protocols, it is.
A hybrid scheme combines a classical algorithm (such as X25519 or ECDH P-384) with a post-quantum algorithm (such as ML-KEM-768) so that security holds as long as either component remains unbroken. This provides defence in depth during the transition period, when confidence in new post-quantum algorithm implementations is still being established across the industry. Most European national guidance (NCSC UK, BSI TR-02102-1, ANSSI) recommends or requires hybrid during the transition period. CNSA 2.0 requires PQC-only as the end-state for US National Security Systems. If you are unsure, select "Not sure": the tool applies a hybrid-preferred default consistent with current European transition guidance.
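The "either component" property depends on how the two shared secrets are combined into one session key. The sketch below is an added example, not code from this tool. It assumes a concatenate-then-HKDF-SHA-256 combiner, a hypothetical context label, and constructed byte strings standing in for real X25519 and ML-KEM-768 outputs.

```python
import hashlib
import hmac

SS_LEN = 32  # X25519 and ML-KEM both output 32-byte shared secrets
LABEL = b"hybrid-kem-example-v1"  # hypothetical context label (assumption)

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256."""
    if length > 255 * 32:
        raise ValueError("requested output too long for HKDF-SHA-256")
    okm, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
    return okm[:length]

def combine_hybrid(ss_classical: bytes, ss_pq: bytes,
                   transcript: bytes, length: int = 32) -> bytes:
    """Derive one session key from both shared secrets.

    Both secrets feed the KDF, so an attacker who recovers only one of
    them still faces an unknown KDF input. The transcript (public keys
    and ciphertext exchanged) is bound in through the info field.
    """
    # Fixed lengths keep the concatenation unambiguous and reject a
    # missing or truncated component instead of silently degrading.
    if len(ss_classical) != SS_LEN or len(ss_pq) != SS_LEN:
        raise ValueError("each shared secret must be exactly 32 bytes")
    prk = hkdf_extract(b"\x00" * 32, ss_classical + ss_pq)
    info = LABEL + hashlib.sha256(transcript).digest()
    return hkdf_expand(prk, info, length)

# Constructed stand-ins, not outputs of real key exchanges.
SAMPLE_SS_X25519 = bytes(range(32))
SAMPLE_SS_MLKEM = bytes(range(32, 64))
SAMPLE_TRANSCRIPT = b"constructed: client key share || server ciphertext"

if __name__ == "__main__":
    key = combine_hybrid(SAMPLE_SS_X25519, SAMPLE_SS_MLKEM, SAMPLE_TRANSCRIPT)
    print(key.hex())
```

In a deployment, the two inputs come from the library's X25519 and ML-KEM-768 calls, and the combiner should be the one specified by the protocol in use rather than this illustrative construction.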
Professional Advisory
This tool returns a specific algorithm recommendation. For a structured assessment of your organisation's PQC readiness, cryptographic inventory, compliance obligations, and migration sequencing, engage directly.