1. Introduction
Cryptography predates the digital era, as the need for secure information exchange over insecure channels existed independently of computing systems. It has evolved significantly from simple substitution ciphers to algorithms based on intractable mathematical problems that even the most powerful machines cannot solve. Historical trends demonstrate that methods perceived as secure at their inception may become vulnerable as knowledge and technology advance. It has emerged that classical public-key schemes, such as the Rivest–Shamir–Adleman (RSA) [1] and elliptic curve cryptography (ECC), which have stood as foundational elements of secure communication for more than 40 years, are vulnerable to quantum computing. Although quantum computers capable of compromising current public-key cryptography do not yet exist, the advancement of quantum computing makes the transition to quantum-resistant algorithms necessary. Therefore, research communities, standardisation organisations, and the technology sector are undertaking efforts to build a quantum-resilient digital ecosystem to protect sensitive data.
Quantum computing introduces a computational paradigm that offers capabilities that classical computing cannot achieve. Its potential lies not in performing classical algorithms faster but in leveraging quantum mechanics to develop new algorithms for specific problems. This technology holds immense promise for fields, such as drug discovery [2, 3] and materials science, enabling outcomes that remain beyond the scope of classical technologies. Despite the benefits, this computational power could pose a significant threat to cryptographic systems [4–6]. In particular, Shor’s [7] and Grover’s [8] algorithms could efficiently break widely used cryptographic schemes.
To mitigate the risk posed by quantum computing, two approaches have been devised: quantum key distribution (QKD) [9] and post-quantum cryptography (PQC). QKD is grounded in the fundamental principles of quantum mechanics, whereby any attempt to eavesdrop disturbs the system and reveals the adversary’s presence. PQC is based on new mathematical problems that are deemed intractable by quantum and classical computing. Currently, PQC is prioritised due to its feasibility to deploy on classical infrastructures.
This paper provides an overview of PQC identified during the National Institute of Standards and Technology (NIST) selection process. These standards are described in terms of their performance, with emphasis on key sizes and cryptographic operation speed. While the existing literature often presents isolated benchmarks focusing on single domains like Internet of Things (IoT) or blockchain, or offers general theoretical reviews, this paper contributes a unified and comprehensive taxonomy. Rather than examining metrics in vacuum, this work consolidates fragmented performance data from various independent studies to create a centralised guide for making decisions. This unified framework explicitly maps algorithms standardised by NIST to their optimal practical use cases across multiple technological domains, accounting for hardware and network constraints. The content is supplemented by case studies illustrating the implementation of selected standards in security scenarios. Overall, this provides a better understanding of the challenges associated with deploying new standards in classical cryptography.
The rest of the paper is organised as follows. Section 2 demonstrates the emerging risks posed to classical cryptography by quantum computing. Section 3 introduces the research methodology and decision framework used to develop the taxonomy. Section 4 introduces post-quantum primitives and categorises their mathematical foundations. Section 5 reviews the NIST standardisation process, followed by Section 6, which specifies the security strength levels. Section 7 presents a comparative study of NIST finalists, with a particular focus on performance benchmarks and analysing the suitability of their parameter sets for specific use cases. Finally, Section 8 summarises the analysis and concludes the paper.
2. Vulnerabilities in Classical Cryptography
Shor’s algorithm was published by Peter Shor in 1994 [7], which poses a threat to RSA and ECC. This algorithm can solve integer factorisation and discrete logarithm problems exponentially faster than classical computers by leveraging a fundamental feature of quantum computing: quantum parallelism, which enables simultaneous operations on multiple inputs and the computation of periods via Quantum Fourier Transform [10]. Grover’s algorithm was introduced by Lov Grover in 1996 [8] to enhance the efficiency of searching unsorted databases. It leverages quantum parallelism to achieve a quadratic speedup. However, it could be useful in brute-force attacks on symmetric encryption keys, reducing their strength by about half [11].
The Harvest now, decrypt later (HNDL) strategy poses a particular threat to data with a long lifecycle, such as medical, governmental, or military records. This approach allows adversaries to intercept and archive encrypted data today with the intent of decrypting it when sufficiently powerful quantum computers could be capable of executing both Shor’s and Grover’s algorithms [12, 13].
The scale and complexity of this challenge are unprecedented since the deployment of public-key cryptography. Despite improved tools and awareness, previous experience suggests that this transition is a lengthy process. However, the HNDL threat demands immediate action to secure data against future compromise. Given that migration could span a decade or more, significant public and private sector resources are now focused on developing and deploying quantum-resistant solutions [14, 15]. The proposed mitigation steps against quantum threats are summarised in Table 1 [16].
Table 1
HNDL mitigation strategy.
3. Research Methodology and Decision Framework
To bridge the gap between theoretical PQC specifications and practical implementation, this survey employs a systematic comparative analysis guided by a core research question: How do the empirical performance trade-offs of NIST-standardised algorithms dictate their optimal deployment across diverse technological environments characterised by strict hardware and bandwidth constraints? To answer this, the research design follows a strict three-phase methodology, such as literature selection, criteria formulation, and use-case mapping.
First, empirical performance data were collected from peer-reviewed literature and official NIST reports, intentionally focusing on practical metrics rather than purely mathematical foundations. The scientific validity of this approach relies on cross-referencing results from multiple independent benchmarks, providing a more comprehensive and statistically robust evaluation than a single experimental setup.
Second, to establish a rigorous basis for the proposed taxonomy, the algorithms were compared across three explicit criteria:
Data overhead: Public key, signature, and ciphertext sizes, representing primary bandwidth constraints and network latency factors.
Computational latency: Execution time required for critical cryptographic operations, such as key generation, encapsulation, signing, and verification.
Resource efficiency: Energy consumption and computational footprint, dictating feasibility for resource-constrained IoT and edge devices.
Finally, the taxonomy was constructed by mapping the empirical performance profiles of each algorithm against the strict requirements of various technological environments. Algorithms demonstrating low energy consumption and efficient execution times were mapped to resource-constrained IoT devices. Schemes characterised by highly compact signatures but intensive computational requirements were assigned to bandwidth-limited environments, such as blockchain networks. Conversely, algorithms prioritising conservative security models with large data overheads were designated exclusively for high-integrity offline tasks, including firmware updates.
4. Post-Quantum Cryptography and Core Families
Post-quantum cryptography aims to develop algorithms based on new mathematical problems that remain resistant to both conventional and quantum algorithms. PQC is divided into the following five categories [17]:
Lattice-based cryptography is the most versatile family of PQCs that offers an optimal balance between robustness and efficiency. The foundation of this family lies in two hard mathematical problems, such as shortest vector problem (SVP) and learning with errors (LWE), which offer reductions from worst-case lattice problems, ensuring that breaking an average key is as difficult as solving the toughest possible instance [18].
Code-based cryptography builds upon the computational difficulty of decoding random linear error-correcting codes and offers strong security guarantees due to 45 years of cryptanalysis. Despite this, code-based cryptography schemes require large public keys.
Hash-based cryptography [19] provides the most mathematically conservative security foundation in PQC, relying exclusively on hash function security, rather than complex mathematical assumptions that might be vulnerable to future cryptanalytic advances or unexpected algorithmic breakthroughs. Hash-based cryptography can be divided into two main approaches, stateful and stateless. Stateful schemes offer relatively small signatures, but their practical use is challenging because each key pair can sign only a limited number of messages, necessitating strict state management. In contrast, stateless schemes eliminate the need for tracking keys but incur significantly larger signature sizes.
Isogeny-based cryptography, which relies on the hardness of computing isogenies between supersingular elliptic curves to offer exceptionally small public-key sizes. Nevertheless, one of its algorithms, supersingular isogeny key encapsulation (SIKE), was compromised by classical computation.
Multivariate cryptography [20] relies on the non-deterministic polynomial (NP)-hard problem of solving systems of non-linear multivariate quadratic equations over finite fields. It outperforms competitors in speed by using simple addition and multiplication over small finite fields, making it ideal for low-cost IoT devices, such as radio frequency identification (RFID) chips. Although it provides exceptionally short signatures compared to other post-quantum algorithms, it often lacks formal security proofs; notably, the Rainbow signature scheme was significantly compromised by a classical attack.
5. NIST PQC Standardisation
National Institute of Standards and Technology launched its multi-year standardisation initiative in 2016, which aims to establish quantum-resistant cryptography methods (including key encapsulation mechanisms and digital signatures) capable of withstanding attacks from both classical and quantum computers [21–25]. Initially, 82 submissions were received and subsequently evaluated through rigorous cryptanalysis and performance benchmarking over several years. The evaluation was based on security, cost, and performance criteria as well as algorithm and implementation characteristics [21]. In 2022, NIST announced four selected algorithms to be standardised: CRYSTALS-Kyber, CRYSTALS-Dilithium, Falcon, and SPHINCS+ [23].
Although NIST selected the winners, it decided to launch a fourth evaluation round that included Classic McEliece, Bike, hamming quasi-cyclic (HQC), and SIKE. This decision was motivated by the need to diversify key establishment methods and the desire to select an algorithm based on an alternative mathematical problem. It was widely expected that the selection would be a two-horse race between HQC and BIKE. SIKE had already been broken, and Classic McEliece was considered unsuitable for general use, given its large public keys [26]. Consequently, in this phase, which concluded in March 2025, NIST additionally selected HQC, which relies on quasi-cyclic codes [27]. Furthermore, HQC shares similarities with LWE-based cryptosystems, such as ML-KEM [28]. According to the official NIST report, Classic McEliece was a strong candidate, despite generating large keys. It was not selected due to the risk of conflict with concurrent efforts within standards of the International Organisation for Standardisation (ISO) and concerns regarding the creation of incompatible standards. It was determined that the benefits of deploying this algorithm in niche applications did not outweigh the costs associated with increased migration complexity, given that the primary priority was a general-purpose solution. Consequently, NIST decided to omit this algorithm for now, without ruling out the possibility of adopting the ISO standard in future [25].
In 2024, NIST published the first final Federal Information Processing Standards (FIPS) [29–31], formalising their new names:
Module-Lattice Key Encapsulation Mechanism (ML-KEM), standardised as FIPS 203 [29], is derived from the CRYSTALS-Kyber algorithm [32]. It is a key encapsulation mechanism that relies on lattice cryptography and the learning with errors problem, offering a balance between strong security and the computational efficiency of cryptographic operations, and generating relatively compact key sizes. Therefore, ML-KEM is the primary KEM standard defined by NIST. The transformation of CRYSTALS-Kyber into ML-KEM involved several significant modifications, including adjustments to the Fujisaki–Okamoto transformation and changes to secret-key management, encapsulation algorithms, and randomness generation.
Module–Lattice Digital Signature Algorithm (ML-DSA), adopted as the FIPS 204 standard [30], is directly based on the CRYSTALS-Dilithium algorithm [33]. It is a lattice-based digital signature scheme that relies on the hardness of the module-learning with errors (M-LWE) problem, which gives strong security proofs and efficient cryptographic operations. Although it generates large signature sizes, its implementation does not require complex operations, such as floating-point operations.
Stateless Hash-Based Digital Signature Algorithm (SLH-DSA), standardised as FIPS 205 [31], is based on the SPHINCS+ algorithm, which is a stateless, hash-based signature scheme that offers a highly conservative security model relying on the robustness of cryptographic hash functions rather than algebraic assumptions. Although it provides a reliable long-term security hedge, it entails substantial performance trade-offs, including significantly larger signature sizes and higher signing latency [34].
Falcon Digital Signature Algorithm (FN-DSA), identified in the summary listings as FIPS 206, is derived from the Falcon algorithm [35], which is a lattice-based signature scheme utilising NTRU lattices with Fast Fourier Sampling to achieve high computational efficiency and exceptionally compact signature sizes. Although it minimises network overhead and energy consumption, its reliance on complex floating-point arithmetic introduces significant implementation challenges and susceptibility to side-channel vulnerabilities.
To date, neither HQC nor Falcon has been standardised. However, the initial draft standard for Falcon (FIPS 206) is expected to be released imminently [36]. NIST continues its efforts to standardise additional digital signature schemes to ensure cryptographic diversity. The objective is to find solutions characterised by compact signatures and based on mathematical problems distinct from the lattice. In 2026, NIST is expected to select candidates from a group of 14 to the third round of additional digital signature schemes process [24].
6. NIST’s Security Strength
A crucial aspect of analysing cryptographic algorithms is security assessment, which provides insight into their resilience against attacks. Although quantum computing poses a major threat to the current cryptographic system, predicting its true capabilities, such as speed and memory size, is challenging. Therefore, NIST proposed and developed broad categories of security strength for PQC. Rather than relying on specific bit-security estimates for submitted algorithms, these categories are benchmarked against the computational resources required to compromise the existing standards, specifically the AES block cipher family and the SHA hash functions. This approach explicitly accounts for quantum algorithmic threats, such as Grover’s algorithm. A detailed classification of these five security levels is provided in Table 2 [11, 26, 37]. Table 3 demonstrates the security levels that are available for each of the PQC algorithms.
Table 3
NIST post-quantum cryptography security levels for selected algorithms.
7. Overview of NIST Finalists
In this section, we present a comparative analysis of PQC finalists. Notably, these algorithms belong to different families based on distinct mathematical problems, which lead to differences in key and signature sizes and performance. Therefore, this aspect is critical within the context of hardware constraints, as the existing infrastructure is frequently ill-equipped to meet the substantial memory and computational demands imposed by these emerging standards. Increased data sizes may lead to latency and performance bottlenecks, presenting a significant implementation challenge for resource-constrained systems. Consequently, analysis of performance and hardware compatibility is widely regarded as a fundamental complement to the verification of theoretical security of these algorithms [38]. Comparison of post-quantum schemes with classical ones is crucial for assessing their readiness for deployment.
7.1. Key Encapsulation Mechanism Schemes
Although PQC is widely considered slower than classical cryptography, most performance analyses indicate that PQC is comparable to classical algorithms and can be significantly better [39–41]. A prominent illustration of this is Sosnowski et al. [40], which presents testing across a range of hardware environments that indicates that ML-KEM-512 executes approximately three times faster than X25519 elliptic curve Diffie–Hellman across all security levels, whereas its communication overhead is only moderate [17].
However, this computational efficiency is often offset by network-layer challenges. A detailed examination of ML-KEM-768 presented in Wang and Shahril Ismail [42] demonstrates that, despite a 15-20% increase in transport layer security (TLS) handshake latency relative to RSA, the algorithm exceeds classical Elliptic Curve Diffie–Hellman Ephemeral (ECDHE) in computational efficiency by requiring significantly fewer CPU cycles. Although public-key sizes surpass those of current RSA or ECC standards, they remain considerably more compact and bandwidth-efficient than alternative post-quantum schemes, such as McEliece, which utilises keys several orders of magnitude larger. Furthermore, the combination of robust security and minimal power requirements positions ML-KEM as a viable solution for resource-constrained environments.
Abbasi et al. [43] presents a comprehensive benchmarking study conducted across three distinct hardware architectures, such as a cloud server, a user laptop, and an IoT device. The results demonstrate that ML-KEM consistently exhibits superior performance and energy efficiency compared to other evaluated key encapsulation mechanisms. Notably, ML-KEM consumes up to three times less energy than alternative KEM schemes, making it a strong candidate for resource-constrained edge devices. Through targeted library optimisations, the authors achieved performance improvements of 12.5%–16.7% over NIST reference benchmarks. Furthermore, in key generation tasks, ML-KEM was more than three orders of magnitude faster than RSA-3072. Additionally, its integration into the TLS protocol introduces minimal overhead and negligible packet fragmentation, while the algorithm demonstrates near-linear scalability in server environments.
Hamming quasi-cyclic has been selected recently for standardisation as a backup; consequently, its analysis is not yet as extensive as its counterpart ML-KEM. Nonetheless, comparative studies indicate that its performance is relatively slower and it also requires a larger bandwidth than ML-KEM. Its encapsulation keys require 2241 bytes, whereas ML-KEM keys require only 800 bytes for security level 1, which may be a disadvantage in bandwidth-constrained systems. A detailed comparison of these parameters, highlighting differences in key sizes and ciphertext lengths between the two algorithms, is presented in Table 4. Furthermore, Truong et al. [28] mentioned that the resources-constrained implementation of HQC is feasible, which was broad in Kim et al. [44].
Table 4
Sizes of keys and ciphertexts (in bytes) of PQC KEM standards.
| Parameters | ML-KEM | HQC | ||||
|---|---|---|---|---|---|---|
| 1 | 3 | 5 | 1 | 3 | 5 | |
| Encapsulation key | 800 | 1184 | 1568 | 2241 | 4514 | 7237 |
| Decapsulation key | 1632 | 2400 | 3168 | 2321 | 4602 | 7333 |
| Ciphertext | 768 | 1088 | 1568 | 4433 | 8978 | 14421 |
| Shared secret key | 32 | 32 | 32 | 32 | 32 | 32 |
The computational superiority of ML-KEM over classical ECDHE stems directly from its mathematical foundations. Built upon the module-LWE problem, its core operations rely on efficient matrix multiplication and polynomial addition, enabling highly optimised, low-energy implementations. Conversely, the substantial communication overhead of HQC is an inherent architectural constraint derived from decoding random linear error-correcting codes, rather than a mere software limitation. This fundamental theoretical divergence between lattice- and code-based paradigms explicitly justifies prioritising ML-KEM for bandwidth sensitive protocols like TLS in the proposed taxonomy.
7.2. Digital Signatures Schemes
Digital signatures underpin secure communication and data integrity by verifying the identity of the message’s author. The analysis of digital signatures should focus on evaluating the time required for critical cryptographic operations, the key and cipher sizes, and the implementation vulnerabilities to determine their feasibility for deployment across different platforms. Figure 1 presents signature benchmarks on an x86-64 processor using data from the Open Quantum Safe open-source initiative [45]. The presented data clearly illustrate the differences between implemented standards, especially SLH-DSA.
According to Kim et al. [44], which employed a practical benchmark, ML-DSA offers efficient signing but requires substantially larger keys and signatures than classical RSA; therefore, its use is challenged in network-constrained systems. Comparison of ML-DSA with Falcon (FN-DSA) also yields larger keys and signatures and slower verification times. Similarly, comparable findings were reported in Abbasi et al. [43], in which a comprehensive benchmark was conducted concerning the cryptographic operations, keys, and signatures. Based on the findings, ML-DSA might lead to packet fragmentation. Nonetheless, the benchmark demonstrates that ML-DSA offers an efficient energy profile compared to FN-DSA, which ensures favourable parallelisation potential and offers faster verification.
In Raavi et al. [41], a comprehensive performance analysis was provided comparing the digital signature schemes. The main findings indicate that SLH-DSA is fastest for signing messages longer than 3.256 MB, compared to ML-DSA and FN-DSA, although it incurs the highest network overhead. Although ML-DSA performs well in both cases, FN-DSA may be a better choice for environments with network and memory constraints. Equally to this finding, Dziechciarz and Niemiec [39] demonstrated that PQC, especially ML-DSA, indeed provides the best performance for small file size, while SLH-DSA achieves the worst performance, even compared to RSA. Moreover, this study also observes that SLH-DSA with ‘s’ suffix generates smaller signatures, but at the expense of speed. Meanwhile, ‘f’ suffix achieves better performance, but at the expense of a larger signature size.
Schemitt et al. [46] conducted the simulation of the performance of PQC digital signature schemes in order to assess the feasibility of their adoption as a new standard in Bitcoin and Ethereum. These findings indicate that PQC algorithms, particularly ML-DSA and Mayo, outperform current standards across all security levels. Moreover, Mayo is among the candidates in the second additional NIST round and may be selected for standardisation. However, the round is still going. While these findings suggest the feasibility of PQC to deploy blockchain in terms of time of operation, this study highlights that it did not evaluate the size of keys and signatures, which are significantly larger than the current ones.
In contrast, Juaristi et al. [47] presented a comprehensive benchmark assessing key and signature sizes and found that FN-DSA generates the smallest signature among PQC schemes; however, it is 19 times larger than the current standard signatures. Additionally, SLH-DSA achieved the smallest key size among other PQC alternatives. Nevertheless, each PQC scheme produces extremely large signatures relative to current standards, particularly as the security level increases. Based on these findings, the study concluded that ML-DSA-44 is the most balanced option.
Although SLH-DSA is known for its strong security, grounded in the well-understood properties of cryptographic hash functions, it has numerous limitations due to its stateless design. Compared to its counterparts, it offers a less favourable trade-off between security and key size [48].
The performance trade-offs observed in digital signature schemes can be directly traced back to their fundamental mathematical designs. ML-DSA’s energy-efficient signing reflects its straightforward algebraic structure, which avoids complex floating-point calculations. While FN-DSA achieves highly compact signatures using NTRU lattices and Fast Fourier Sampling, this specific mathematical design becomes a severe bottleneck in constrained environments lacking hardware-accelerated floating-point arithmetic. Furthermore, the massive network overhead of SLH-DSA is the direct mathematical cost of its stateless, hash-based architecture. By avoiding structured algebraic assumptions, SLH-DSA explicitly sacrifices efficiency for conservative security, justifying its taxonomy placement as a specialised tool for offline tasks, such as firmware updates.
7.3. Taxonomy of Post–Quantum Cryptographic Techniques
The landscape of NIST-standardised algorithms presents a complex multi-criteria optimisation problem for system architects. To bridge the gap between theoretical algorithm specifications and practical deployment, this paper proposes a structured taxonomy, presented in Figure 2. Concrete application examples corresponding to these categories are listed in Table 6.
This taxonomy is methodologically grounded in the empirical size constraints summarised in Tables 1, 4, and 5, as well as the benchmarks discussed in previous sections. By mapping specific system priorities, such as bandwidth conservation, acceptable network overhead, and conservative security assumptions, directly to corresponding algorithms, the taxonomy provides a deployment-oriented framework for PQC migration.
Table 5
Sizes of key and signature (in bytes) of PQC digital signatures schemes.
Table 6
PQC adoption depends on requirements.
| Use cases | Recommended PQC | Requirements | References |
|---|---|---|---|
| Resource-constrained Devices and IoT | ML-KEM, ML-DSA | Low energy consumption and high efficiency on limited hardware | [52] |
| Wearable sensors and monitoring devices (Healthcare), real-time application | ML-KEM | High computational efficiency and low resource overhead | [53] |
| TLS Handshake, VPN, Key Exchange in 6G-AKA | ML-KEM | Low latency, and negligible packet fragmentation | [54–56] |
| SIM authentication in 6G-AKA | ML-DSA | Security and efficiency balance | [54] |
| Server and Cloud Environments | ML-KEM, ML-DSA | Scalability and minimal protocol overhead for high-volume connections | [57] |
| Blockchain | FN-DSA | Relatively compact signature size and efficient verification time | [39, 41] |
| Blockchain-based Federated Learning | ML-DSA | Fast signing and verification, manageable signature size, strong security guarantees | [58] |
| Firmware update | SLH-DSA | Long-term integrity, offline signing | [59] |
| CA | SLH-DSA | High security domains | [59] |
Within this framework, ML-KEM emerges as the most robust, general-purpose key encapsulation mechanism. As evidenced by the metrics in Table 4 and performance benchmarks, it serves as a highly efficient drop-in replacement for classical KEMs in standard protocols like TLS, achieving a favourable balance between low computational overhead and practical key sizes. To ensure crypto-agility and mitigate risks associated with lattice-based assumptions, HQC is included as a primary non-lattice fallback, offering deployable key sizes of approximately 2.2 kB that are well suited for network infrastructure.
In the context of digital signatures, ML-DSA emerges as the most balanced choice for standard network infrastructure, proving particularly effective and efficient when signing small files. However, as evidenced in Table 5, its signature sizes can induce latency in bandwidth-constrained environments. Under such strict network or memory constraints, FN-DSA presents a better alternative, offering significantly smaller signature and public-key sizes. Nevertheless, FN-DSA requires a more complex architecture, primarily due to the use of floating-point arithmetic, which complicates secure constant-time signing [49]. Without fast floating point processing hardware, its signing operations are significantly bottlenecked, operating up to 20 times slower [50]. NIST prioritised design simplicity during its evaluation, noting that the technical complexity of FN-DSA could introduce vulnerabilities during implementation. Consequently, ML-DSA is more favourable due to its relatively straightforward and transparent structure [23].
Finally, SLH-DSA serves primarily as a conservative back-up standard, rather than a primary solution for general applications. Although its practical utility is limited by slower speeds and significant data overhead, exceeding 7.8 kB, as shown in Table 5, its selection is justified by robust security guarantees rooted in well-understood cryptographic hash functions, offering resilience distinct from structured lattice-based schemes [11].
7.4. Practical Deployment Challenges and Limitations
To fully address the deployment gap, it is crucial to recognise that the immediate integration of these standards will not occur as a strict drop-in replacement for classical algorithms. During the multi-year migration phase, industry best practices dictate the use of hybrid cryptographic schemes, which combine a classical primitive with a post-quantum standard to maintain traditional compliance while adding quantum resistance. However, this hybrid approach exacerbates the performance trade-offs outlined in this taxonomy by effectively doubling the communication overhead and computational latency during handshakes. Consequently, the proposed taxonomy becomes even more critical for system architects. Selecting an algorithm with a minimal footprint, such as ML-KEM or FN-DSA, is not merely an optimisation but a strict requirement to prevent packet fragmentation and connection timeouts when operating within a hybrid deployment framework.
Furthermore, real-world deployment must account for physical security vulnerabilities. Despite the robust theoretical security offered by algorithms like ML-KEM, their practical implementations may remain susceptible to side-channel attacks (SCAs), including timing analysis and differential power analysis. Because PQC algorithms often require complex mathematical operations, they present new attack surfaces for adversaries observing power consumption or electromagnetic emissions. This vulnerability served as a primary motivation for the novel approach proposed by Zafar and Iqbal [51]. Rather than relying on the standard ML-KEM implementation, the authors introduced a more constrained variant supported by a fallback mechanism. Consequently, the resulting system achieves up to a 30% reduction in latency and significantly lower resource consumption, compared to conventional solutions, while maintaining high performance across both server and IoT platforms. Ultimately, securing PQC against SCAs requires constant-time implementations and hardware-level masking, adding further complexity to their widespread adoption.
8. Conclusions
This paper addresses the practical deployment challenges of PQC by synthesising empirical performance benchmarks with their underlying mathematical characteristics. The analysis demonstrates that while classical algorithms like RSA offer broad versatility across diverse applications, NIST–standardised PQC schemes entail specific operational trade-offs. These distinctions underscore the value of the proposed deployment taxonomy as a structured guide for system architects.
Beyond these contributions, the empirical data highlights that current schemes face several limitations and environment-specific constraints. Notably, SLH-DSA demonstrates that, despite offering conservative security, the massive data overhead renders it impractical for widespread deployment, particularly in bandwidth-sensitive certificate chains. Similarly, while ML-DSA provides a balanced, energy-efficient profile for general infrastructure, its relatively large signature sizes remain a networking challenge. FN-DSA mitigates the size issue but introduces critical computational bottlenecks on devices lacking hardware-accelerated floating-point arithmetic. Regarding KEMs, our performance analysis supports that ML-KEM is a proven, highly efficient solution, a finding practically validated by their adoption by major industry leaders, such as Cloudflare [56]. However, the development of optimised backup mechanisms remains a significant challenge, particularly when managing the increased network load during hybrid transition phases. These strict trade-offs underscore the need to intensify research into algorithms with more universal characteristics, as relying solely on niche solutions is insufficient for the global security ecosystem. Moreover, rapid progress in quantum computing and cryptanalysis requires continuous assessment, as these developments could compromise cryptographic primitives much more quickly than in the past. This necessitates adopting a crypto-agility paradigm, preparing for more frequent standard rotation and continuous evaluation.
Future work will focus on extending this taxonomy by evaluating additional digital signature candidates from the ongoing NIST standardisation process. Specifically, exploring alternative mathematical approaches, such as MPC-in-the-Head or isogeny-based schemes, will proactively identify their optimal deployment environments, ensuring robust cryptographic diversity should they be standardised. Furthermore, it is essential to assess the performance of hardware-accelerated implementations. Benchmarking these primitives using FPGAs or dedicated ASIC coprocessors is crucial to mitigate their high computational and memory demands, particularly for resource-constrained IoT devices. Finally, further research must explore the practical integration of hybrid cryptographic schemes. This includes rigorously evaluating the latency and bandwidth overhead of combining classical and post-quantum algorithms within real-world protocols to ensure a secure, performant, and stable transition during the migration period.

