Kyber, Dilithium, Falcon & SPHINCS+: Complete NIST PQC Status Guide for 2026

TL;DR — Quick Answer

As of 2026: CRYSTALS-Kyber (ML-KEM, FIPS 203), CRYSTALS-Dilithium (ML-DSA, FIPS 204), and SPHINCS+ (SLH-DSA, FIPS 205) are fully finalized NIST standards. Falcon (FN-DSA, FIPS 206) is in final draft with publication expected 2027. QubitChain.io implements the three finalized standards natively, with Falcon/FN-DSA support planned through its cryptographic agility architecture.

Why Are There Four NIST Post-Quantum Algorithms?

NIST deliberately selected multiple post-quantum algorithms rather than a single standard, for two critical reasons:

  • Security Diversity: If a mathematical weakness is discovered in one algorithm family (e.g., lattice problems), alternatives from different mathematical domains (hash functions) remain secure. NIST explicitly warned against relying on a single post-quantum algorithm.
  • Use Case Optimization: Different applications have different requirements. Key exchange (KEM) is a different operation from signing. Compact signatures (Falcon) serve bandwidth-constrained environments differently from general-purpose signatures (Dilithium).

The result is a three-tier structure: one KEM standard, two signature standards (one general-purpose, one conservative hash-based), and a third signature standard optimized for compact output (Falcon, pending final publication).

Algorithm 1: CRYSTALS-Kyber (ML-KEM) — FIPS 203

Status: FINALIZED — August 2024

What Is It?

ML-KEM (Module-Lattice Key Encapsulation Mechanism) is based on the Module Learning With Errors (MLWE) problem. It replaces RSA key encapsulation and Diffie-Hellman/ECDH key exchange in all applications requiring quantum-resistant key establishment.

How Is It Used?

  • Secure key exchange between communicating parties over untrusted networks
  • TLS handshakes for quantum-resistant web and API communications
  • Node-to-node communications in quantum-safe blockchain networks
  • Wallet-to-blockchain secure channel establishment

Parameter Sets

  • ML-KEM-512: NIST Security Level 1. Public key: 800 bytes. Ciphertext: 768 bytes.
  • ML-KEM-768: NIST Security Level 3 (recommended). Public key: 1,184 bytes. Ciphertext: 1,088 bytes.
  • ML-KEM-1024: NIST Security Level 5. Public key: 1,568 bytes. Ciphertext: 1,568 bytes.

QubitChain.io Implementation

ML-KEM-768 is QubitChain.io's standard key encapsulation mechanism for all node communications and client sessions.
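
The ML-KEM-768 exchange described above, as an added example that is not QubitChain.io's code: it uses Go's standard-library crypto/mlkem package (Go 1.24 or later) and runs both sides in one process. NodeRespond, Handshake and Result are hypothetical names, and the flipped bit is a constructed fault that shows how decapsulation treats a modified ciphertext.

```go
package main

import (
	"bytes"
	"crypto/mlkem" // standard library since Go 1.24
	"fmt"
)

// Result records the sizes seen on the wire and whether both secrets agree.
type Result struct{ PubLen, CtLen, SecretLen int; Match bool }

// NodeRespond is the responder side (hypothetical name). The constructor
// rejects keys of the wrong length or with a non-canonical encoding.
func NodeRespond(peerEK []byte) (ct, secret []byte, err error) {
	ek, err := mlkem.NewEncapsulationKey768(peerEK)
	if err != nil {
		return nil, nil, err
	}
	secret, ct = ek.Encapsulate()
	return ct, secret, nil
}

// Handshake runs both sides in-process; tamper flips one ciphertext bit in transit.
func Handshake(tamper bool) (Result, error) {
	dk, err := mlkem.GenerateKey768() // initiator's decapsulation (private) key
	if err != nil {
		return Result{}, err
	}
	pub := dk.EncapsulationKey().Bytes()
	ct, respSecret, err := NodeRespond(pub)
	if err != nil {
		return Result{}, err
	}
	if tamper {
		ct[0] ^= 0x01
	}
	// Implicit rejection: a modified ciphertext of the right length returns
	// no error, only a different secret, so the session keys will not match.
	initSecret, err := dk.Decapsulate(ct)
	if err != nil {
		return Result{}, err
	}
	return Result{len(pub), len(ct), len(initSecret), bytes.Equal(initSecret, respSecret)}, nil
}

func main() {
	fmt.Println(Handshake(false)) // intact ciphertext
	fmt.Println(Handshake(true))  // one bit flipped
}
```

With an intact ciphertext the result shows the 1,184-byte public key and 1,088-byte ciphertext listed under Parameter Sets and matching 32-byte secrets. With the flipped bit the secrets differ and no error is returned, so a protocol has to confirm the derived key (for example with a MAC over the handshake transcript) rather than wait for a decapsulation error.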

Algorithm 2: CRYSTALS-Dilithium (ML-DSA) — FIPS 204

Status: FINALIZED — August 2024

What Is It?

ML-DSA (Module-Lattice Digital Signature Algorithm) is a digital signature scheme based on the MLWE and Module Short Integer Solution (MSIS) problems. It is the direct replacement for ECDSA in all applications requiring quantum-resistant digital authentication, including blockchain transaction signing.

How Is It Used?

  • Blockchain transaction signing (direct ECDSA replacement)
  • Validator attestations and block proposals in quantum-safe consensus
  • Smart contract deployment authentication
  • Wallet ownership proofs

Parameter Sets

  • ML-DSA-44: Level 2. Public key: 1,312 bytes. Signature: 2,420 bytes.
  • ML-DSA-65: Level 3 (recommended). Public key: 1,952 bytes. Signature: 3,293 bytes.
  • ML-DSA-87: Level 5. Public key: 2,592 bytes. Signature: 4,595 bytes.

QubitChain.io Implementation

ML-DSA-65 is the primary signature scheme for all QubitChain.io on-chain transactions.

Algorithm 3: SPHINCS+ (SLH-DSA) — FIPS 205

Status: FINALIZED — August 2024

What Is It?

SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) is a digital signature scheme based entirely on hash function security (SHA-256 and SHAKE families), without any lattice assumptions. It is NIST's conservative alternative signature standard, providing defense-in-depth against lattice vulnerabilities.

Why Is It Important?

SPHINCS+ operates on fundamentally different mathematical assumptions from ML-DSA. If a breakthrough in lattice mathematics weakened ML-KEM and ML-DSA, SLH-DSA would remain secure. This cryptographic diversity is why NIST required a hash-based backup standard.

Trade-offs

  • ADVANTAGE: Conservative security based on hash function strength, widely believed to be quantum-resistant
  • ADVANTAGE: No lattice dependency — provides security redundancy
  • DISADVANTAGE: Larger signatures than ML-DSA (7,856 to 49,856 bytes depending on parameter set)
  • DISADVANTAGE: Slower signing than ML-DSA

QubitChain.io Implementation

SLH-DSA is QubitChain.io's secondary signature scheme, used in parallel with ML-DSA for high-security operations and as a fallback under cryptographic agility protocols.

Algorithm 4: Falcon (FN-DSA) — FIPS 206

Status: PENDING — Final Standard Expected 2027

What Is It?

FN-DSA (Falcon-based NTRU Lattice Digital Signature Algorithm) is a compact lattice-based signature scheme designed for applications where signature size matters. While ML-DSA produces signatures of ~2,400-4,600 bytes, Falcon produces signatures of only ~666-1,280 bytes.

Why Does It Matter for Blockchain?

Blockchain applications are bandwidth- and storage-sensitive. ML-DSA's ~2,420-byte signatures are roughly 40x larger than ECDSA's 64-byte signatures, which increases the signature data a block must store by the same factor. Falcon's ~666-byte signatures reduce this overhead significantly, potentially making PQC-signed transactions more practical for high-throughput applications.

Why Is It Not Yet Finalized?

Falcon's implementation is more complex than ML-DSA and requires careful treatment of floating-point arithmetic to avoid side-channel vulnerabilities. NIST has been thorough in its review of implementation guidance before finalizing the standard.

QubitChain.io Roadmap

QubitChain.io's cryptographic agility architecture is designed to incorporate FN-DSA once FIPS 206 is finalized, without requiring a hard fork. This is a direct benefit of building cryptographic primitives as hot-swappable modules from genesis.

Frequently Asked Questions

Q: Are the NIST post-quantum standards final in 2026?

A: Three of the four primary standards are finalized: FIPS 203 (ML-KEM/Kyber), FIPS 204 (ML-DSA/Dilithium), and FIPS 205 (SLH-DSA/SPHINCS+). FIPS 206 (FN-DSA/Falcon) is in final draft with publication expected around 2027.

Q: What is the difference between Kyber and Dilithium?

A: They solve different problems. Kyber (ML-KEM) is a Key Encapsulation Mechanism — it establishes shared secret keys between parties. Dilithium (ML-DSA) is a Digital Signature Algorithm — it authenticates messages and transactions. Both are needed for complete post-quantum security.

Q: Is SPHINCS+ or Dilithium better for blockchain?

A: Both serve different roles. ML-DSA (Dilithium) is the primary signature scheme — faster and more compact. SLH-DSA (SPHINCS+) provides defense-in-depth with different security assumptions. QubitChain.io uses both.

Q: When will Falcon (FN-DSA) be standardized?

A: NIST's FIPS 206 (FN-DSA/Falcon) is in final review as of 2026. The final standard is expected around early 2027.
