Fraunhofer Institute for Applied and Integrated Security
Fraunhofer Institute for Applied and Integrated Security

Developments in PQC: An International Comparison of PQC Standardization and Migration

Quantum-capable attackers threaten today’s dominant public-key schemes, such as RSA, (EC)DH, and (EC)DSA, because efficient quantum algorithms can efficiently solve the underlying mathematical problems.

Particularly critical is the "store now – decrypt later" scenario, in which attackers collect encrypted data today with the intention of decrypting it later.

Cryptography is deeply embedded in architectures, products, and supply chains. Cryptographic keys, certificates, and protocol parameters often persist for many years. Early action is therefore crucial to protect long-term data from subsequent disclosure.

Post-quantum cryptography (PQC) offers robust alternatives for protecting data, but its implementation requires a structured migration.

Current positions on PQC standardization and migration

Hybridization

Since PQC methods are relatively new and less well-researched, it may be advisable to combine them with classical cryptographic methods. In such a hybrid approach, security can be guaranteed even if one of the combined methods proves to be insecure.

In the EU, lattice-based cryptography is currently intended for use only in hybrid form. The European Cybersecurity Certification Group calls for its combination with classical, established methods. The BSI follows this approach in its technical guideline and requires the use of non-hash-based PQC methods in a hybrid form. Hash-based signatures such as SLH-DSA, as well as LMS and XMSS, can be used independently.

The National Institute of Standards and Technology (NIST) epermits standalone use for all recommended schemes and positions hybrid schemes as useful, but only as a temporary migration option.

The british National Cyber Security Centre (NCSC) ffollows this line and recommends hybrid schemes only as a transitional measure for the eventual transition to pure PQC schemes.

Recommended PQC schemes

There is broad consensus on the recommendation to use ML-KEM for key exchange and ML-DSA for digital signatures. Furthermore, SLH-DSA as well as the stateful hash-based signatures LMS and XMSS are recommended for specific use cases. The key difference among the various positions, however, lies in whether these methods may be used as standalone solutions or only in hybrid configurations today.


Signature Schemes

Region Recommended methods Parameter notes Hybrid Mandatory
EU ML-DSA, SLH-DSA, as well as LMS and XMSS ML-DSA-65 or ML-DSA-87. SLH-DSA according to FIPS205 in categories 3 and 5. Yes, for ML-DSA
Germany ML-DSA, SLH-DSA, as well as LMS and XMSS ML-DSA-65 or ML-DSA-87. SLH-DSA according to FIPS205 in Categories 3 and 5. XMSS and LMS according to SP 800-208. Yes, for ML-DSA
USA ML-DSA, SLH-DSA, as well as LMS and XMSS ML-DSA according to FIPS204. SLH-DSA according to FIPS205. LMS and XMSS according to SP 800-208. No
United Kingdom ML-DSA, SLH-DSA, as well as LMS and XMSS ML-DSA according to FIPS204 (ML-DSA-65 recommended). SLH-DSA according to FIPS205. LMS and XMSS according to SP 800-208. No


Key exchange schemes

Region Recommended methods Parameter notes Hybrid Mandatory
EU ML-KEM and conservative FrodoKEM ML-KEM-768 or ML-KEM-1024. FrodoKEM-976 or FrodoKEM-1344. Yes
Germany ML-KEM as well as conservative FrodoKEM and Classic McEliece
HQC as soon as standardized		 ML-KEM-768 or ML-KEM-1024. FrodoKEM-976 or FrodoKEM-1344.
mceliece460896(f), mcelie-ce6688128(f), or mcelie-ce8192128(f).
HQC according to NIST Categories 3 and 5.		 Yes
USA ML-KEM ML-KEM according to FIPS203. No
United Kingdom ML-KEM ML-KEM according to FIPS203 (ML-KEM-768 recommended).  No

PQC Migration Timeline

The following key milestones are defined by the various national security authorities.

EU

  • By 2026: First Steps completed. National PQC roadmaps established. Pilot projects for high and medium risks launched.
  • By 2030: Next Steps implemented. Migration for high-risk use cases completed. Quantum-secure software and firmware updates enabled by default.
  • By 2035: Migration for medium-risk use cases completed and for low-risk use cases as far as practically possible.

Germany 

  • By 2030: Completion of migration for applications with very high security requirements.
  • By 2032: Traditional key agreement methods are recommended only for hybrid use.
  • By 2036: Classical signature schemes will only be recommended for hybrid use

USA

  • 2024: Publication of FIPS203, FIPS204 and FIPS205 for ML-KEM, ML-DSA, and SLH-DSA.
  • After 2030: Classical schemes with 112-bit security strength are marked as obsolete in the guidelines.
  • 2035: Classical public-key schemes are no longer recommended. The goal is a complete migration to PQC for signatures and key exchange.

United Kingdom

  • By 2028: Inventory and assessment completed. Initial migration plans developed. Supply chain requirements addressed.
  • By 2031: Implementation of early and prioritized migrations. Refined roadmaps with a clear path to completion.
  • By 2035: Complete migration to PQC for all systems, services, and products

 

References

European Cybersecurity Certification Group (ECCG). Agreed Cryptographic Mechanisms. European Cybersecurity Certification Scheme on Common Criteria (EUCC) Guidelines. European Union Agency for Cybersecurity (ENISA), Mai 2025. url: https://certification.enisa.europa.eu/publications/eucc-guidelines-cryptography_en.

National Institute of Standards and Technology (NIST). Module-Lattice-Based Key-Encapsulation Mechanism Standard. FIPS 203. National Institute of Standards and Technology (NIST), Aug. 2024. doi: 10.6028/NIST.FIPS.203.

National Institute of Standards and Technology (NIST). Module-Lattice-Based Digital Signature Standard. FIPS 204. National Institute of Standards and Technology (NIST), Aug. 2024. doi: 10.6028/NIST.FIPS.204.

National Institute of Standards and Technology (NIST). Stateless Hash-Based Digital Signature Standard. FIPS 205. National Institute of Standards and Technology (NIST), Aug. 2024. doi: 10.6028/NIST.FIPS.205.

European Union PQC Workstream. A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography. Techn. Ber. Part 1. Version 1.1. NIS Cooperation Group, Juni 2025. url: https://digital-strategy.ec.europa.eu/en/library/coordinated-implementation-roadmap-transition-post-quantum-cryptography.

Dustin Moody u. a. Transition to Post-Quantum Cryptography Standards. Techn. Ber. NIST IR 8547 ipd. National Institute of Standards and Technology (NIST), Nov. 2024. url: https://csrc.nist.gov/pubs/ir/8547/ipd.

National Cyber Security Centre (NCSC). Next Steps in Preparing for Post-Quantum Cryptography. Version 2.0. Aug. 2024. url: https://www.ncsc.gov.uk/whitepaper/next-steps-preparing-for-post-quantum-cryptography.

National Cyber Security Centre (NCSC). Timelines for Migration to Post-Quantum Cryptography. Version 1.0. Mai 2025. url: https://www.ncsc.gov.uk/guidance/pqc-migration-timelines.

David Cooper et al. Recommendation for Stateful Hash-Based Signature Schemes. Special Publication (SP) 800-208. National Institute of Standards and Technology (NIST), Oct. 2020. doi: 10.6028/NIST.SP.800-208.

Bundesamt für Sicherheit in der Informationstechnik (BSI). Kryptographische Verfahren: Empfehlungen und Schlüssellängen. Technische Richtlinie TR-02102-1. Version 2025-01. BSI, Jan. 2025. url: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.html.