Verified lab results, NIST-sourced parameters, and working implementations for security engineers migrating production systems to post-quantum standards.
All parameters verified against FIPS 203, FIPS 204, FIPS 205 · Lab environment: Ubuntu 26.04 · OpenSSL 3.5.5 · i7-13700HX · ✓ Lab-verified
Each contribution is tagged by novelty level. All results are reproducible — exact commands included.
A hybrid X25519MLKEM768 key exchange plus an ML-DSA-65 certificate chain, post-quantum on both sides, using only the stock OpenSSL 3.5.5 default provider. Most documented PQC TLS demos still rely on the OQS provider extension; native default-provider support landed only in OpenSSL 3.5.0 (April 2025).
Negotiated TLS1.3 group: X25519MLKEM768 + Verify return code: 0 (ok)
libcrypto.so ctypes FFI benchmarks (not subprocess, not wrappers) show ML-KEM-768 KEM operation at 0.055ms vs 0.085ms for X25519. This contradicts the common industry claim that PQC KEMs are slower. The bottleneck is ciphertext size (1,088B vs 32B), not computation.
epk‖ct[:32] as HKDF salt). The IETF hybrid-design draft specifies the cryptographic construction; this wire format with tamper detection is a new implementation.
openssl verify. Full PQC TLS with ML-DSA-65 certs confirmed working.
pip install cryptography.
All evidence files in evidence/ for comparison.
github.com/DannyBCarrJr/pqc-practitioners-guide
Shor's algorithm breaks RSA, ECDSA, ECDH and X25519 in polynomial time; no parameter increase helps. [R1]
Grover's algorithm halves effective symmetric key security: AES-256 survives with 128-bit post-quantum security, while AES-128 becomes marginal.
Harvest-now, decrypt-later: adversaries store ciphertext today. Long-lived secrets encrypted with X25519 are at risk within a 10–15 year horizon. [R4]
| Algorithm | Type | Quantum threat | Status |
|---|---|---|---|
| RSA-2048/4096 | Public key | Shor — complete | Broken |
| ECDSA / X25519 | Sig / KEX | Shor — complete | Broken |
| AES-128-GCM | Symmetric | Grover — halved | Marginal |
| AES-256-GCM | Symmetric | Grover — 128-bit eff. | Safe ✓ |
| ML-KEM-768 | KEM | No known speedup | Safe ✓ |
| ML-DSA-65 | Signature | No known speedup | Safe ✓ |
NIST standardized three algorithm families in August 2024. All parameters below are from the published FIPS documents and verified against OpenSSL 3.5.5 output. ✓ Lab-verified
| Variant | Level | Public Key | Ciphertext | Shared Secret | Use |
|---|---|---|---|---|---|
| ML-KEM-512 | L1 | 800 B | 768 B | 32 B | Constrained |
| ML-KEM-768 | L3 | 1,184 B | 1,088 B | 32 B | ✓ General |
| ML-KEM-1024 | L5 | 1,568 B | 1,568 B | 32 B | Gov/NSS |
| Variant | Level | Public Key | Signature | vs Ed25519 | Use |
|---|---|---|---|---|---|
| ML-DSA-44 | L2 | 1,312 B | 2,420 B | 38× | |
| ML-DSA-65 | L3 | 1,952 B | 3,309 B | 52× | ✓ General |
| ML-DSA-87 | L5 | 2,592 B | 4,627 B | 72× | Long-lived |
The conservative choice: trust only hash functions, not lattice assumptions. Use for root CAs and offline signing. Never for TLS session certificates.
| Variant | Sign time | Signature | Public key | Use case |
|---|---|---|---|---|
| SLH-DSA-SHA2-128s | 233ms | 7,856 B | 32 B | Root CAs, firmware signing |
| SLH-DSA-SHA2-128f | 11.6ms | 17,088 B | 32 B | More frequent offline signing |
Library-speed numbers via direct libcrypto ctypes FFI — not subprocess overhead. Within ~5% of C application performance. ✓ Lab-verified
Even ML-DSA-65 at 0.61ms (sign + verify combined) is sub-millisecond — a server handling 1,000 TLS handshakes/second spends 0.61 seconds/second on signing and verifying. The real overhead is the 3,309-byte signature in the certificate chain.
| TLS Layer | Classical | Post-Quantum | Status |
|---|---|---|---|
| Key Exchange | X25519 ECDH | X25519MLKEM768 hybrid | ✓ Lab B3 |
| Authentication | ECDSA P-256 cert | ML-DSA-65 cert chain | ✓ Lab CA |
| Record Encryption | AES-256-GCM | AES-256-GCM | Already PQ-safe |
```nginx
# nginx — one line to enable hybrid PQC key exchange
ssl_ecdh_curve X25519MLKEM768:x25519:prime256v1;
ssl_protocols TLSv1.3;
```

```bash
# Verify it's working
openssl s_client -connect your.server.com:443 -tls1_3 \
    -groups X25519MLKEM768:x25519 </dev/null 2>&1 | \
    grep "Negotiated TLS"
# Negotiated TLS1.3 group: X25519MLKEM768 ✓
```
Negotiated TLS1.3 group: X25519MLKEM768 confirmed with stock OpenSSL 3.5.5, no OQS provider. Full PQC TLS with ML-DSA-65 3-tier CA chain verified. Handshake overhead: +2,272 bytes, +0.7ms.
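The `grep` above tells a human that the hybrid group was negotiated; a deploy pipeline needs a pass/fail answer that also distinguishes "fell back to a classical group" from "chain did not verify". The following Python is an added example (not code from the guide) that parses captured `openssl s_client` output for the two lines this page quotes, `Negotiated TLS1.3 group:` and `Verify return code:`. The two transcripts embedded in it are constructed; the only group name it requires by default is the one this page verifies, X25519MLKEM768.

```python
"""Check captured `openssl s_client` output for a hybrid PQC group and a clean verify.

Added example, not code from the guide. It reads the "Negotiated TLS1.3 group"
and "Verify return code" lines that the verification command greps for, and
tells a fallback to a classical group apart from a failed chain verification.
The two transcripts below are constructed for this example.
"""
import re

GROUP_RE = re.compile(r"^Negotiated TLS1\.3 group:\s*(\S+)", re.MULTILINE)
VERIFY_RE = re.compile(r"^Verify return code:\s*(\d+)\s*\((.*?)\)", re.MULTILINE)


def check_handshake(output: str, required_groups=("X25519MLKEM768",)) -> dict:
    """Return what was negotiated and whether it meets the hybrid-PQC requirement."""
    group_m = GROUP_RE.search(output)
    verify_m = VERIFY_RE.search(output)
    group = group_m.group(1) if group_m else None
    verify_rc = int(verify_m.group(1)) if verify_m else None
    wanted = {g.lower() for g in required_groups}   # OpenSSL prints group names case-variably
    pqc_ok = group is not None and group.lower() in wanted
    chain_ok = verify_rc == 0
    if group is None:
        status = "no TLS 1.3 handshake recorded"
    elif not pqc_ok:
        status = f"fell back to classical group {group}"
    elif not chain_ok:
        reason = verify_m.group(2) if verify_m else "no verify line"
        status = f"PQC group negotiated but chain verify failed ({reason})"
    else:
        status = "ok"
    return {"group": group, "verify_rc": verify_rc, "pqc_ok": pqc_ok,
            "chain_ok": chain_ok, "ok": pqc_ok and chain_ok, "status": status}


# Constructed, abridged transcripts. The first mirrors the two lines quoted on this page.
SAMPLE_PQC = """\
CONNECTED(00000003)
---
Negotiated TLS1.3 group: X25519MLKEM768
Verify return code: 0 (ok)
---
"""

# A server that silently fell back to X25519 and presents an unverifiable chain.
SAMPLE_FALLBACK = """\
CONNECTED(00000003)
---
Negotiated TLS1.3 group: X25519
Verify return code: 21 (unable to verify the first certificate)
---
"""
```

Pipe the real `openssl s_client ... </dev/null 2>&1` output into `check_handshake` and fail the deploy when `ok` is false; the `status` string says which of the two failure modes occurred.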
| Component | Classical | PQC Hybrid | Delta |
|---|---|---|---|
| ClientHello key_share | 32 B | 1,216 B | +1,184 B |
| ServerHello (+ ML-KEM ct) | ~800 B | ~1,920 B | +1,088 B |
| Server cert (ML-DSA-65) | ~500 B | ~7,700 B | +7,200 B |
| Record layer cipher | AES-256-GCM | AES-256-GCM | unchanged ✓ |
Set `ssl_stapling_buffer 8k;`: the default 4 KB is too small.
TLS protects data in transit. Application-layer encryption protects data at rest. Long-lived secrets — wills, credentials, records — need quantum resistance in the envelope, not just the transport layer.
Combines X25519 ECDH + ML-KEM-768 via HKDF with context binding. Both shared secrets must be broken to recover the DEK.
| Field | Size | Purpose |
|---|---|---|
| magic + version | 5 B | HKEM/v1 framing |
| X25519 ephemeral key | 32 B | Classical ECDH contribution |
| ML-KEM-768 ciphertext | 1,088 B | Post-quantum encapsulation |
| AES-GCM nonce | 12 B | Random per-wrap nonce |
| Wrapped DEK (ct + tag) | 48 B | 32B DEK + 16B GCM tag |
| Total per recipient | 1,185 B | vs ~92B for X25519-only |
Adversary must break both X25519 (Shor's — quantum required) and ML-KEM-768 (MLWE — no known quantum speedup) simultaneously. Classical + quantum belt and suspenders.
IETF draft-ietf-tls-hybrid-design specifies this construction. [R9]
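The table above fixes the wire layout, and the prose states the security argument (both shared secrets feed one HKDF; the public transcript is bound into the derivation). The following Python is an added example, not code from the guide's repository: it implements the 1,185-byte per-recipient framing as a strict parser/serializer and the HKDF-SHA256 combiner, then shows that a single altered ciphertext bit changes the derived KEK. Assumptions made here and labelled in the code: the framing bytes `b"HKEM"` plus version `0x01`, the HKDF info label `b"HKEM/v1 KEK"`, and the salt rule `epk || ct[:32]`. X25519, ML-KEM-768 and AES-GCM are outside this file; their outputs are stood in by constructed byte strings so the framing and combiner logic runs offline.

```python
"""HKEM/v1 per-recipient envelope: wire-format parser and HKDF combiner.

Added example; not code from the guide's repository. Field sizes follow the
table (5 + 32 + 1,088 + 12 + 48 = 1,185 B). Assumed here: the framing bytes
b"HKEM" + 0x01, the HKDF info label, and the salt rule epk || ct[:32].
"""
import hashlib
import hmac
from dataclasses import dataclass

MAGIC = b"HKEM"                 # assumed framing constant
VERSION = 1                     # assumed version byte
EPK_LEN = 32                    # X25519 ephemeral public key
CT_LEN = 1088                   # ML-KEM-768 ciphertext (FIPS 203)
NONCE_LEN = 12                  # AES-GCM nonce
WRAPPED_LEN = 32 + 16           # 32 B DEK + 16 B GCM tag
HEADER_LEN = len(MAGIC) + 1
ENVELOPE_LEN = HEADER_LEN + EPK_LEN + CT_LEN + NONCE_LEN + WRAPPED_LEN  # 1185

@dataclass(frozen=True)
class Envelope:
    epk: bytes          # X25519 ephemeral public key
    ct: bytes           # ML-KEM-768 ciphertext
    nonce: bytes        # AES-GCM nonce
    wrapped_dek: bytes  # AES-GCM ciphertext of the DEK plus tag

def serialize(env: Envelope) -> bytes:
    """Encode in the fixed layout; every field must have exactly its declared size."""
    fields = ((env.epk, EPK_LEN), (env.ct, CT_LEN), (env.nonce, NONCE_LEN),
              (env.wrapped_dek, WRAPPED_LEN))
    if any(len(value) != size for value, size in fields):
        raise ValueError("field length mismatch")
    return MAGIC + bytes([VERSION]) + b"".join(value for value, _ in fields)

def parse(blob: bytes) -> Envelope:
    """Decode a blob, rejecting wrong length, magic or version before any key material is used."""
    if len(blob) != ENVELOPE_LEN:
        raise ValueError(f"envelope must be {ENVELOPE_LEN} bytes, got {len(blob)}")
    if blob[:len(MAGIC)] != MAGIC or blob[len(MAGIC)] != VERSION:
        raise ValueError("bad magic or unsupported version")
    off = HEADER_LEN
    epk, off = blob[off:off + EPK_LEN], off + EPK_LEN
    ct, off = blob[off:off + CT_LEN], off + CT_LEN
    nonce, off = blob[off:off + NONCE_LEN], off + NONCE_LEN
    return Envelope(epk, ct, nonce, blob[off:off + WRAPPED_LEN])

def is_well_formed(blob: bytes) -> bool:
    try:
        parse(blob)
        return True
    except ValueError:
        return False

# RFC 5869 HKDF-SHA256, written out so the combiner needs no third-party package.
def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def combine(ss_x25519: bytes, ss_mlkem: bytes, epk: bytes, ct: bytes) -> bytes:
    """KEK = HKDF(salt = epk || ct[:32], ikm = ss_x25519 || ss_mlkem); both secrets are needed."""
    if len(ss_x25519) != 32 or len(ss_mlkem) != 32:
        raise ValueError("shared secrets must be 32 bytes each")
    prk = hkdf_extract(epk + ct[:32], ss_x25519 + ss_mlkem)
    return hkdf_expand(prk, b"HKEM/v1 KEK", 32)  # info label is an assumption

def constructed(label: bytes, n: int) -> bytes:
    """Deterministic stand-in for primitive output (constructed data, not real key material)."""
    return hashlib.shake_256(label).digest(n)

def demo() -> dict:
    """Sender/recipient round trip, then a one-bit change to the ML-KEM ciphertext."""
    ss_x, ss_k = constructed(b"x25519-ss", 32), constructed(b"mlkem-ss", 32)
    env = Envelope(constructed(b"epk", EPK_LEN), constructed(b"ct", CT_LEN),
                   constructed(b"nonce", NONCE_LEN), constructed(b"wrapped", WRAPPED_LEN))
    blob = serialize(env)
    recovered = parse(blob)
    kek_sender = combine(ss_x, ss_k, env.epk, env.ct)
    kek_recipient = combine(ss_x, ss_k, recovered.epk, recovered.ct)
    tampered = bytearray(blob)
    tampered[HEADER_LEN + EPK_LEN] ^= 0x01           # first byte of ct, inside the salt
    t = parse(bytes(tampered))                       # framing checks alone cannot see this
    kek_tampered = combine(ss_x, ss_k, t.epk, t.ct)  # but the derived KEK changes
    return {"wire_len": len(blob), "round_trip_ok": recovered == env,
            "keks_match": kek_sender == kek_recipient,
            "tamper_changes_kek": kek_tampered != kek_sender,
            "truncated_rejected": not is_well_formed(blob[:-1]),
            "bad_version_rejected": not is_well_formed(blob[:4] + b"\x02" + blob[5:])}
```

Two points the code makes concrete. First, framing validation (length, magic, version) is not tamper detection: a modified ciphertext parses cleanly, and only the key derivation and the AES-GCM tag on the wrapped DEK catch it. Second, the salt binds only `epk` and the first 32 bytes of `ct`; a change elsewhere in the 1,088-byte ciphertext is still caught because ML-KEM decapsulation of an altered ciphertext returns a different shared secret (implicit rejection in FIPS 203), so the KEK differs and the unwrap fails with `InvalidTag`, which is the tamper-detection result the lab log records.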
DEK recovery: ✓
Tamper detection: ✓ (AES-GCM InvalidTag)
Wrap round-trip: ~0.1ms at library speed
Breaking change: none — additive upgrade
All National Security Systems must use exclusively PQC algorithms by 2030. ML-KEM-1024 (not 768) and ML-DSA-87 required for NSS. Level 5 requirement.
RSA and ECDH/ECDSA deprecated after 2030. Data protected with these algorithms today that must remain confidential past 2030 is at HNDL risk.
Communications, Energy, Financial Services, Healthcare, and Transportation called out explicitly as high-priority sectors for PQC migration.
Recommends hybrid classical+PQC during transition. Endorses CRYSTALS-Kyber (ML-KEM) and Dilithium (ML-DSA). NIS2 requires "appropriate and proportionate measures."
All technical claims trace to the following primary sources.