Appendix D
NIST PQC Security Categories
As part of the PQC standardization process, NIST introduced five security categories, labeled 1 through 5, to classify the robustness of each algorithm. Each category represents a minimum security level that a PQC algorithm’s cryptanalysis must require, defined in reference to well-understood baselines in classical cryptography. This approach avoids over-reliance on precise bit estimates (which are uncertain in the quantum era) and instead uses broad tiers of strength:
| Category | Reference Problem | Classical Security Level |
|---|---|---|
| 1 | Brute-force key search on AES-128 | ~128 bits |
| 2 | Collision search on SHA-256 | ~128 bits |
| 3 | Brute-force key search on AES-192 | ~192 bits |
| 4 | Collision search on SHA-384 | ~192 bits |
| 5 | Brute-force key search on AES-256 | ~256 bits |
Odd-numbered categories (1, 3, 5) define security against brute-force key search on symmetric ciphers. Even-numbered categories (2, 4) define security against hash collision attacks. In practice, most implementations target Category 1 (ML-KEM-512, ML-DSA-44), Category 3 (ML-KEM-768, ML-DSA-65), or Category 5 (ML-KEM-1024, ML-DSA-87).