Post-Quantum Key Sizes

Every NIST-standardized post-quantum algorithm. Public key, private key, signature, and ciphertext sizes. Compared against the classical algorithms they replace.

Last updated: April 22, 2026 | Sources: NIST FIPS 203, 204, 205 final specifications

Key Encapsulation Mechanisms (FIPS 203)

Algorithm	Standard	Security	Public Key	Private Key	Ciphertext	Shared Secret	vs ECDH
ECDH P-256	Classical	~128-bit	32 B	32 B	32 B	32 B	baseline
X25519	Classical	~128-bit	32 B	32 B	32 B	32 B	baseline
RSA-2048	Classical	~112-bit	256 B	1,192 B	256 B	varies	8x pk
ML-KEM-512	FIPS 203	Level 1	800 B	1,632 B	768 B	32 B	25x pk
ML-KEM-768	FIPS 203	Level 3	1,184 B	2,400 B	1,088 B	32 B	37x pk
ML-KEM-1024	FIPS 203	Level 5	1,568 B	3,168 B	1,568 B	32 B	49x pk

Cache impact: Every TLS 1.3 session ticket carries an ML-KEM ciphertext for session resumption. At ML-KEM-768, that is 1,088 bytes per ticket vs 32 bytes for X25519. 500K cached session tickets: 16 MB classical, 544 MB PQ.

Digital Signatures — Lattice-Based (FIPS 204)

Algorithm	Standard	Security	Public Key	Private Key	Signature	vs Ed25519
Ed25519	Classical	~128-bit	32 B	32 B	64 B	baseline
ECDSA P-256	Classical	~128-bit	64 B	32 B	64 B	1x
RSA-2048	Classical	~112-bit	256 B	1,192 B	256 B	4x sig
ML-DSA-44	FIPS 204	Level 2	1,312 B	2,560 B	2,420 B	38x sig
ML-DSA-65	FIPS 204	Level 3	1,952 B	4,032 B	3,309 B	52x sig
ML-DSA-87	FIPS 204	Level 5	2,592 B	4,896 B	4,627 B	72x sig

Cache impact: JWTs carry ML-DSA signatures. At ML-DSA-65, each cached JWT includes 3,309 bytes of signature. 100K cached tokens = 331 MB of signature data alone.

Digital Signatures — NTRU Lattice (Pending Standardization)

Algorithm	Standard	Security	Public Key	Private Key	Signature	vs Ed25519
FALCON-512	FN-DSA (pending)	Level 1	897 B	1,281 B	690 B	11x sig
FALCON-1024	FN-DSA (pending)	Level 5	1,793 B	2,305 B	1,330 B	21x sig

Cache impact: FALCON is the most cache-friendly PQ signature. At 690 bytes, it is 4.8x smaller than ML-DSA-65 and 24.8x smaller than SLH-DSA-128f. Preferred for constrained environments and high-frequency signing.

Digital Signatures — Hash-Based (FIPS 205)

Algorithm	Standard	Security	Public Key	Private Key	Signature	vs Ed25519
SLH-DSA-SHA2-128s	FIPS 205	Level 1	32 B	64 B	7,856 B	123x sig
SLH-DSA-SHA2-128f	FIPS 205	Level 1	32 B	64 B	17,088 B	267x sig
SLH-DSA-SHA2-192s	FIPS 205	Level 3	48 B	96 B	16,224 B	254x sig
SLH-DSA-SHA2-192f	FIPS 205	Level 3	48 B	96 B	35,664 B	557x sig
SLH-DSA-SHA2-256s	FIPS 205	Level 5	64 B	128 B	29,792 B	466x sig
SLH-DSA-SHA2-256f	FIPS 205	Level 5	64 B	128 B	49,856 B	779x sig

Cache impact: SLH-DSA public keys are tiny (32-64 bytes) but signatures are enormous. Do NOT cache full SLH-DSA signatures unless required for audit. Cache the verification result (boolean + content hash) instead. One SLH-DSA-256f signature (49 KB) consumes the same cache memory as 512 classical Ed25519 signatures.

Cache Working Set — Before and After

Scenario	Crypto Material / Entry	1M Entries	vs Classical
Classical (ECDH + Ed25519)	96 B	96 MB	baseline
ML-KEM-768 + ML-DSA-65	4,493 B	4.49 GB	47x
ML-KEM-768 + FALCON-512	1,874 B	1.87 GB	20x
ML-KEM-1024 + ML-DSA-87	6,195 B	6.20 GB	65x
ML-KEM-768 + SLH-DSA-128f	18,272 B	18.27 GB	190x
Hybrid (X25519 + ML-KEM-768)	1,280 B	1.28 GB	13x

Cache Latency — Network vs In-Process

Value Size	Example	Redis GET	Cachee L0 GET	Difference
64 B	Ed25519 signature	0.3 ms	0.000031 ms	9,677x
1,088 B	ML-KEM-768 ciphertext	0.35 ms	0.000031 ms	11,290x
3,309 B	ML-DSA-65 signature	0.45 ms	0.000031 ms	14,516x
4,493 B	PQ session token	0.55 ms	0.000031 ms	17,742x
17,088 B	SLH-DSA-128f signature	0.9 ms	0.000031 ms	29,032x
49,856 B	SLH-DSA-256f signature	1.4 ms	0.000031 ms	45,161x

What is Post-Quantum Caching? | Cachee PQ Details | Install Cachee | Full PQ Key Size Guide (blog)