Post-Quantum Cryptography (PQC) has made significant progress with the standardization of ML-KEM, ML-DSA, and SLH-DSA, paving the way for widespread adoption. However, since many adopters lack expertise in cryptography, it is crucial for specifications and guidance to be concise, accessible, and focused on recommending only secure implementations of PQC and related primitives, to minimize the risk of vulnerabilities. Moreover, ML-KEM may not be suitable for all applications, and backup algorithms are needed for cryptographic agility. To address this, we propose several suggestions for NIST's specifications and guidance, including the use of ephemeral keys, hybridization strategies, key combiners, key derivation functions, additional key encapsulation mechanisms, and best practices for asymmetric keying. The transition to quantum-resistant cryptography offers an excellent opportunity to reassess outdated algorithms and practices that no longer provide acceptable security.
NIST Workshop on Guidance for KEMs
February 25-26, 2025 (Virtual)
Security and Privacy: key management, post-quantum cryptography