Post-quantum cryptography is the response to a specific, anticipated threat: a sufficiently large quantum computer running Shor's algorithm could break the public-key cryptography — RSA and elliptic-curve schemes — that secures most of today's key exchange and digital signatures. PQC is cryptography built on mathematical problems that are believed to resist both classical and quantum attack, so that the security of key establishment and signing survives the arrival of quantum hardware. The authoritative anchor for what PQC now concretely is comes from NIST, which after a multi-year selection process published its first finalized standards in 2024.

The flagship of those is FIPS 203, the Module-Lattice-Based Key-Encapsulation Mechanism Standard, published and made effective August 13, 2024. FIPS 203 standardizes a scheme called ML-KEM. A key-encapsulation mechanism is the building block that replaces classical key exchange: it lets two parties establish a shared secret over a public channel, and that shared secret can then drive fast symmetric-key encryption. NIST defines the primitive in the standard's abstract.

"A key-encapsulation mechanism (KEM) is a set of algorithms that, under certain conditions, can be used by two parties to establish a shared secret key over a public channel. A shared secret key that is securely established using a KEM can then be used with symmetric-key cryptographic algorithms to perform basic tasks in secure communications, such as encryption and authentication."— NIST FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard, source

The "module-lattice" in the name points to where the quantum resistance comes from. ML-KEM's security is related to the hardness of computational problems over structured lattices — problems for which no efficient quantum algorithm is known, unlike the integer-factoring and discrete-log problems that Shor's algorithm dispatches. NIST states the consequence plainly: ML-KEM is believed to be secure even against adversaries who possess a quantum computer. The standard specifies three parameter sets — ML-KEM-512, ML-KEM-768, and ML-KEM-1024 — in order of increasing security strength and decreasing performance, so implementers can trade off margin against speed.

Why a KEM, and why now

The choice to standardize a key-encapsulation mechanism first reflects where the urgency is. The most-discussed near-term quantum risk is "harvest now, decrypt later": an adversary records encrypted traffic today and decrypts it once a capable quantum computer exists. Because key establishment is what protects the confidentiality of a session, replacing classical key exchange with a quantum-resistant KEM directly addresses that harvest-now risk for data that must stay confidential for years. FIPS 203 is the standard that makes a vetted, interoperable KEM available for that migration. NIST published it alongside companion standards for digital signatures — FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) — which address the authentication side of the same quantum threat, but the KEM is the piece aimed squarely at confidentiality of established keys.

It is worth being precise about what FIPS 203 standardizes and what it does not. It standardizes the algorithm — ML-KEM, with its three parameter sets — and the conditions under which it produces a shared secret. It does not, by itself, migrate any deployed system; moving an installed base off RSA and ECC onto ML-KEM is an engineering program involving certificates, protocols, libraries, and hardware, and the patent and standards record around the industry is full of work on exactly that migration problem. The standard is the destination; the transition is a separate, multi-year effort that NIST and others have flagged as the harder part.

The three parameter sets deserve a closer look because they are where implementers make a concrete choice. NIST specifies ML-KEM-512, ML-KEM-768, and ML-KEM-1024 in order of increasing security strength and decreasing performance. The trade-off is the familiar one in cryptography: higher security margins come with larger keys and ciphertexts and more computation. By standardizing three levels rather than one, FIPS 203 lets a system designer match the parameter set to the threat model and performance budget — a constrained device and a high-assurance server need not make the same choice. The shared-secret output of any of the three then feeds ordinary symmetric-key encryption, which is itself not threatened by quantum computers in the same way public-key schemes are, since the practical quantum impact on symmetric ciphers is far more limited.
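To make the size side of that trade-off concrete, the following added example (not code from this page or from NIST) derives the byte lengths of each parameter set's keys and ciphertexts and applies the encapsulation-key input check to a received key. The (k, du, dv) values, the length formulas and the modulus 3329 are taken from FIPS 203 rather than from this page; the function names are hypothetical and the sample keys are constructed.

```python
Q = 3329  # ML-KEM modulus (FIPS 203)

# Parameter set -> (k, du, dv), from the FIPS 203 parameter-set table.
PARAMS = {
    "ML-KEM-512": (2, 10, 4),
    "ML-KEM-768": (3, 10, 4),
    "ML-KEM-1024": (4, 11, 5),
}

def sizes(name):
    """Byte lengths of encapsulation key, decapsulation key, ciphertext, shared secret."""
    k, du, dv = PARAMS[name]
    return {"ek": 384 * k + 32, "dk": 768 * k + 96,
            "ct": 32 * (du * k + dv), "ss": 32}

def identify_ek(ek):
    """Return the parameter set whose encapsulation-key length matches, else None."""
    for name in PARAMS:
        if sizes(name)["ek"] == len(ek):
            return name
    return None

def ek_modulus_check(ek):
    """Length check plus modulus check: every packed 12-bit coefficient must be < Q."""
    if identify_ek(ek) is None:
        return False
    body = ek[:-32]  # the trailing 32 bytes are a seed, not coefficients
    for i in range(0, len(body), 3):
        b0, b1, b2 = body[i:i + 3]
        c0 = b0 | ((b1 & 0x0F) << 8)   # first 12-bit value, little-endian
        c1 = (b1 >> 4) | (b2 << 4)     # second 12-bit value
        if c0 >= Q or c1 >= Q:
            return False
    return True

if __name__ == "__main__":
    for name in PARAMS:
        print(name, sizes(name))
    # Constructed samples: an all-zero key of ML-KEM-768 length passes the
    # checks; one whose first coefficient is 0xFFF (4095 >= Q) is rejected.
    print(ek_modulus_check(bytes(1184)))
    print(ek_modulus_check(b"\xff\xff\xff" + bytes(1181)))
```

Passing these checks says only that the bytes are a well-formed encapsulation key for some parameter set; it says nothing about who generated the key.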

The reason this is the part NIST standardized first connects back to the threat timeline. A capable quantum computer does not yet exist, but the "harvest now, decrypt later" risk is present today for any data that must remain confidential for a long period. Because key establishment is the hinge of session confidentiality, putting a standardized, quantum-resistant KEM in implementers' hands is the most time-sensitive move — it protects the confidentiality of keys negotiated now against decryption later. Signatures, addressed by the companion FIPS 204 and FIPS 205 standards, defend authenticity and integrity, which are generally less exposed to the harvest-now problem because a signature's value is largely contemporaneous.

The takeaway for defenders

For a defender, the document-grounded summary is this: post-quantum cryptography is no longer purely prospective. As of August 2024, FIPS 203 provides a NIST-standardized, lattice-based KEM — ML-KEM — that establishes shared keys over public channels and is believed secure against quantum-equipped adversaries, in three selectable strength levels. Together with the FIPS 204 and FIPS 205 signature standards, it gives organizations a finalized algorithmic foundation for the transition away from quantum-vulnerable public-key cryptography. The citable primary source for any claim about what PQC "is" at the standard level is FIPS 203 itself, and its definition of a KEM is the load-bearing sentence — the rest of the post-quantum conversation, including the long migration, builds on that primitive.