How QorTrace's methodology maps to the NIST post-quantum standards.

NIST finalised the first three post-quantum standards in August 2024. Every QorTrace audit and certificate explicitly cites compliance against them.

The three standards

| FIPS | Algorithm (former name) | Use case |
|------|-------------------------|----------|
| FIPS 203 | ML-KEM (CRYSTALS-Kyber) | Key encapsulation — replaces RSA-OAEP, ECDH key agreement |
| FIPS 204 | ML-DSA (CRYSTALS-Dilithium) | Digital signatures — replaces ECDSA, RSA-PSS |
| FIPS 205 | SLH-DSA (SPHINCS+) | Stateless hash-based signatures — replaces ECDSA where size > performance |

A fourth, FIPS 206 (FN-DSA / Falcon), is in draft. We track it but don't yet score against it.

What "alignment" means in our reports

Every audit we issue includes a section called PQC Migration Readiness that scores your contract against:

  1. Signature scheme — does the contract use ECDSA, Ed25519, or a hash-protected scheme?
  2. Migration path — how many breaking changes does the move to ML-DSA / SLH-DSA require?
  3. Forward secrecy — does any sensitive material rotate at a frequency safe against HNDL?
  4. Algorithm agility — can your contract swap signature schemes without redeployment?

Each gets a Critical / High / Moderate / Low rating that maps directly to a remediation step.

CNSA 2.0 (NSA, not NIST)

The NSA's Commercial National Security Algorithm 2.0 mandates:

  • 2030: New systems for federal use must be PQC-ready
  • 2035: All federal systems must have completed migration

We score against CNSA 2.0 timelines on every Atlas wallet. The countdown ticker in your Atlas dashboard isn't decorative — it's calibrated against the CNSA 2.0 cutover date.

EU DORA & UK FCA

DORA (in force from January 2025) requires regulated EU financial entities to:

  • Maintain an inventory of cryptographic primitives
  • Demonstrate a migration roadmap to "quantum-resistant" alternatives
  • Test resilience annually

QorTrace's Atlas inventory + signed audit reports are designed to be droppable into a DORA evidence pack with zero rework.

How to cite us

In your compliance evidence, paste the audit URL and the methodology version:

"Smart contract audited under QorTrace methodology qortrace-method-v0.2, scoring NIST FIPS 203 / 204 / 205 alignment as Compliant for ML-DSA primitives. See verifying URL: https://qortrace.com/verify/{audit_id}"

Reviewers (SOC 2, ISO 27001, DORA) will recognise the structure — we drafted it with them in mind.

Want a stamped receipt?

Generate a methodology receipt PDF at /methodology/receipt/{audit_id}. It's separately signed and includes a hash chain reviewers can paste into their workpapers. See Verifying an audit certificate.