MICKAI®
Article · 12 July 2026

FIPS 203, 204 and 205: which post-quantum standard does what?

A plain mapping of NIST's three finalised post-quantum standards, what each one does, and where key encapsulation and signatures belong in an audit ledger.

FIPS 203, 204 and 205: which post-quantum standard does what?
Author
Micky Irons
Published
12 July 2026
Follow Micky Irons
LinkedInX
sovereign aipost-quantum cryptographyfips 203fips 204fips 205

FIPS 203 (ML-KEM) establishes shared secrets through key encapsulation. FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) create digital signatures. FIPS 203 itself never signs anything.

The question matters in 2026 because harvest-now, decrypt-later collection turns today's key exchange into a future liability, and audit regimes are hardening. DORA has applied since January 2025, NIS2 covers essential and important entities, and the US CLOUD Act can compel a US-based provider to disclose data regardless of where its servers sit. Under the EU AI Act, high-risk Annex III obligations once expected on 2 August 2026 were deferred by the Digital Omnibus to 2 December 2027, but the direction of travel is clear: records must be provably intact for years, which is exactly what post-quantum signatures deliver. Mainstream cloud AI services such as ChatGPT, Copilot and Gemini are the right choice for open, collaborative work, yet regulated buyers cannot route their most sensitive records through a US-based provider that the CLOUD Act can reach.

What does FIPS 203 (ML-KEM) actually do?

FIPS 203 standardises ML-KEM, a key encapsulation mechanism that lets two parties agree a shared secret over an untrusted channel; it never produces a signature.

ML-KEM is a lattice-based scheme. Two parties use it to derive a shared secret that then protects a session with fast symmetric encryption. It replaces the classical key exchange that a large quantum computer would eventually break. Because its output is a shared secret and not a verifiable signature, ML-KEM has no role in proving who wrote a record or whether that record was later altered. That is a separate problem, and it is solved by the two signature standards.

FIPS 203, 204 and 205: which post-quantum standard does what?, illustration 1

Why did NIST publish two signature standards, FIPS 204 and 205?

FIPS 204 (ML-DSA) is the primary signature standard for general use; FIPS 205 (SLH-DSA) is a conservative hash-based backup should lattice signatures ever weaken.

NIST published two signature standards on purpose. FIPS 204 (ML-DSA) is lattice-based and is intended as the default choice for most signing, balancing signature size and speed. FIPS 205 (SLH-DSA) rests on hash functions alone, which sit on very well understood assumptions. It produces larger, slower signatures, so it is not the everyday pick, but it offers a conservative fallback if lattice schemes are ever weakened. Holding both means a signing strategy that does not depend on a single mathematical bet.

FIPS 203, 204 and 205: which post-quantum standard does what?, illustration 2

Which post-quantum standard does what?

FIPS 203 handles key establishment, FIPS 204 is the primary signing standard, and FIPS 205 the conservative signature backup; the table maps each precisely.

StandardAlgorithmJobWhere it fits
FIPS 203ML-KEMKey encapsulation, establishing a shared secretProtects key exchange; never signs
FIPS 204ML-DSADigital signatures, the primary signing standardSigns each ledger record
FIPS 205SLH-DSAStateless hash-based signatures, a conservative backupBackup signing where maximum caution applies
FIPS 203, 204 and 205: which post-quantum standard does what?, illustration 3

Where does each standard fit in an AI audit ledger?

In an audit ledger, FIPS 204 or 205 signs each record so its integrity is provable; FIPS 203 protects the key exchange around it.

An audit ledger has two distinct security needs. The first is proving that each record is authentic and unaltered, which is a signature job: FIPS 204 signs the everyday entries, and FIPS 205 can countersign entries that demand the highest assurance. The second need is protecting the channel over which keys and data move, which is where FIPS 203 belongs. Confusing the two leaves a gap. A ledger encrypted with ML-KEM but signed with nothing has confidentiality and no provable integrity: a quantum adversary a decade from now could not read it, yet no auditor today could prove a single line was genuine.

FIPS 203, 204 and 205: which post-quantum standard does what?, illustration 4

Why do buyers confuse these three standards?

Buyers conflate them because all three arrived together in August 2024; procurement teams often ask for post-quantum without specifying which job they mean.

The names are close, the release date was shared, and marketing rounds all three into one phrase. A buyer asks a vendor for post-quantum readiness and receives a yes that may cover only key exchange, or only signatures, or a roadmap for neither. The precise question is not are you post-quantum but which of the three jobs have you implemented, and where. Getting that answer in writing is the difference between a genuine posture and a hopeful label.

The three standards are not interchangeable: one moves keys, two make signatures, and treating them as a single procurement checkbox is how audit trails quietly fail.

How does a sovereign system apply these standards?

A sovereign system signs every sealed action with a post-quantum signature and protects key exchange with ML-KEM, so the audit chain survives future quantum attack.

Mickai is a Sovereign Intelligence Operating System, a SIOS, built and live, running offline on operator-owned hardware. Every action is cryptographically sealed into a post-quantum signed audit ledger. In our substrate this maps cleanly onto the three standards:

  • FIPS 204 and FIPS 205 sign every sealed record in the audit ledger.
  • FIPS 203 protects key exchange at the zero-egress inbound perimeter.
  • Hardware-attested identity binds each signature to a specific machine and operator.

Across our 50 brains, 25 domain and 25 operational, cross-model consensus is recorded and signed the same way, so a decision and the reasoning behind it stay provable offline. The architecture is covered by 104 filed UK patent applications and 2,340 claims, owned by Mickai LTD (Companies House 17166618), filed and patent pending.

Frequently asked questions

Does FIPS 203 (ML-KEM) ever create a digital signature?

No. FIPS 203 is a key encapsulation mechanism only. It establishes a shared secret between two parties and produces no verifiable signature. If you need to prove authorship or integrity, you must use FIPS 204 or FIPS 205, not FIPS 203.

Should we choose FIPS 204 or FIPS 205 for our signatures?

FIPS 204 (ML-DSA) is the primary signature standard and the sensible default for most signing. FIPS 205 (SLH-DSA) is the conservative hash-based backup, useful where you want assurance that does not depend on lattice assumptions. Many systems deploy both, using 204 broadly and 205 for the highest-assurance records.

Do we need to implement all three standards in one system?

Often yes. Confidentiality of key exchange is FIPS 203's job, everyday signing is FIPS 204's, and conservative backup signing is FIPS 205's. A complete audit posture wants both key establishment and signatures, so the three standards complement rather than replace one another.

How do these standards protect an AI audit ledger?

FIPS 204 and FIPS 205 sign each ledger record, so its origin and integrity can be verified for years, even against a future quantum adversary. FIPS 203 protects the key exchange that surrounds the ledger. Together they give confidentiality in transit and provable integrity at rest.

Does Mickai publish pricing for a post-quantum audit ledger?

Pricing is shared in briefings, not publicly. What we can state openly is the architecture: a zero-egress inbound perimeter, hardware-attested identity bound to the audit chain, and a post-quantum signed ledger that runs offline on operator-owned hardware. Commercial detail follows once the technical fit is confirmed.

Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/fips-203-204-205-which-post-quantum-standard-does-what. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles