ML-DSA: Post-Quantum Digital Signatures
Digital signatures authenticate software, certificates, and communications. ML-DSA — standardized as FIPS 204, based on CRYSTALS-Dilithium — is the primary post-quantum replacement for ECDSA and RSA signatures. Here's how it works and why it's the right choice for most signing needs.
Why Do We Need New Signature Algorithms?
Today's digital signature algorithms (ECDSA, RSA-PSS, Ed25519) rest on the hardness of the elliptic-curve discrete logarithm or of integer factoring. Shor's algorithm, run on a large enough quantum computer, solves both problems efficiently and therefore recovers the private signing key from the public key, which breaks these algorithms completely.
The consequence: a quantum-capable adversary could:
- Forge code signing certificates → install malware that appears legitimate
- Create fraudulent TLS certificates → impersonate any HTTPS website
- Forge software update signatures → push malicious "updates"
- Sign fraudulent financial transactions
- Impersonate any identity with a valid-looking digital credential
ML-DSA: The Algorithm
ML-DSA (Module-Lattice-Based Digital Signature Algorithm), standardized as FIPS 204, is built on the same family of module-lattice problems as ML-KEM (Module-LWE for hiding the secret key, together with Module-SIS for unforgeability), but configured for signing rather than key encapsulation.
It is constructed with Fiat-Shamir with Aborts. The Fiat-Shamir transform turns an interactive identification protocol into a signature scheme by replacing the verifier's random challenge with a hash of the signer's commitment and the message. The "aborts" are rejection sampling: the signer throws away and retries any candidate signature whose values would leak statistical information about the secret key, so the signatures that are released are distributed independently of the secret.
How Signing Works (High Level)
- Key Generation: Generate a random matrix A (in FIPS 204 it is expanded from a public seed) and secret vectors s₁, s₂ with small coefficients. Public key = (A, t = A·s₁ + s₂). Private key = (s₁, s₂). (The standard additionally compresses t and ships a hint vector in each signature; that detail is omitted here.)
- Signing: Generate a random "masking" vector y with coefficients bounded by γ₁ and compute w = A·y. Hash the high-order bits of w together with the message to get the challenge c = H(HighBits(w) || message), a sparse polynomial with a fixed number of ±1 coefficients. Compute the response z = y + c·s₁. If any coefficient of z is too large (‖z‖∞ ≥ γ₁ − β), or if the low-order bits of w − c·s₂ are too large for the high-order bits to survive the verifier's recomputation, abort and restart with a fresh y. The signature is (z, c).
- Verification: Check that z is small (‖z‖∞ < γ₁ − β) and that H(HighBits(A·z − c·t) || message) = c. This works because A·z − c·t = A·(y + c·s₁) − c·(A·s₁ + s₂) = w − c·s₂, which differs from w only by the small term c·s₂, and the second abort check guaranteed that this small difference does not change the high-order bits. The verifier never learns y itself.
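The three steps above as a toy Python implementation, added here for illustration; it is not code from this page nor from any ML-DSA library. The tiny ring degree, the schoolbook polynomial arithmetic, the SHAKE256-based challenge expansion, the parameter values and the run_demo helper are all my own simplifications. The Decompose rule and the two abort checks follow the shape of FIPS 204, but public-key compression (t₁ and the hint vector) and the NTT are left out, so the signature here is (z, c) rather than the standard's (c̃, z, h). γ₁ is made deliberately small so that the abort branch is exercised often enough to observe.

```python
import hashlib
import random

# Toy parameters, NOT the FIPS 204 ones. N is tiny so the schoolbook arithmetic stays readable;
# Q and GAMMA2 keep the ML-DSA shape (2*GAMMA2 divides Q-1); GAMMA1 is small so aborts occur.
N = 16                  # ring degree (FIPS 204: 256)
Q = 8380417             # modulus (same as FIPS 204)
K, L = 2, 2             # A is K x L over the ring (FIPS 204: 4x4 up to 8x7)
ETA = 2                 # secret coefficients in [-ETA, ETA]
TAU = 4                 # number of +-1 coefficients in the challenge c
BETA = TAU * ETA        # bound on |coefficient| of c*s1 and c*s2
GAMMA1 = 1 << 10        # masking vector y has coefficients in [-GAMMA1+1, GAMMA1]
GAMMA2 = (Q - 1) // 88  # rounding radius used by HighBits/LowBits

def centered(a):
    """Representative of a mod Q in (-Q/2, Q/2]."""
    a %= Q
    return a - Q if a > Q // 2 else a
def poly_add(a, b): return [(x + y) % Q for x, y in zip(a, b)]
def poly_sub(a, b): return [(x - y) % Q for x, y in zip(a, b)]
def poly_mul(a, b):
    """Schoolbook product in Z_Q[x]/(x^N + 1): x^N wraps around to -1."""
    r = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                r[i + j] = (r[i + j] + ai * bj) % Q
            else:
                r[i + j - N] = (r[i + j - N] - ai * bj) % Q
    return r
def mat_vec(A, v):
    """(K x L matrix of polynomials) * (vector of L polynomials) -> K polynomials."""
    return [[sum(col) % Q for col in zip(*[poly_mul(A[i][j], v[j]) for j in range(L)])] for i in range(K)]
def inf_norm(vec):
    return max(abs(centered(x)) for p in vec for x in p)

def decompose(r):
    """FIPS 204 Decompose: r = r1*(2*GAMMA2) + r0 with r0 in (-GAMMA2, GAMMA2]."""
    r %= Q
    r0 = r % (2 * GAMMA2)
    if r0 > GAMMA2:
        r0 -= 2 * GAMMA2
    if r - r0 == Q - 1:        # wrap-around corner case, handled as in the standard
        return 0, r0 - 1
    return (r - r0) // (2 * GAMMA2), r0
def high_bits(vec): return [[decompose(x)[0] for x in p] for p in vec]
def low_bits(vec):  return [[decompose(x)[1] for x in p] for p in vec]
def challenge(seed):
    """Expand SHAKE256(seed) into c with exactly TAU coefficients in {+1, -1}."""
    c = [0] * N
    stream = hashlib.shake_256(seed).digest(1024)
    pos, placed = 0, 0
    while placed < TAU:
        idx, sign = stream[pos] % N, stream[pos + 1] & 1
        pos += 2
        if c[idx] == 0:
            c[idx] = 1 if sign else Q - 1   # Q-1 is -1 mod Q
            placed += 1
    return c
def encode(vec):
    return b"".join(x.to_bytes(4, "little") for p in vec for x in p)

def keygen(rng):
    """pk = (A, t = A*s1 + s2), sk = (A, s1, s2). FIPS 204 expands A from a public seed."""
    A = [[[rng.randrange(Q) for _ in range(N)] for _ in range(L)] for _ in range(K)]
    s1 = [[rng.randint(-ETA, ETA) % Q for _ in range(N)] for _ in range(L)]
    s2 = [[rng.randint(-ETA, ETA) % Q for _ in range(N)] for _ in range(K)]
    t = [poly_add(a, b) for a, b in zip(mat_vec(A, s1), s2)]
    return (A, t), (A, s1, s2)

def sign(sk, msg, rng):
    """Fiat-Shamir with Aborts; returns ((z, c), number of attempts)."""
    A, s1, s2 = sk
    attempts = 0
    while True:
        attempts += 1
        y = [[rng.randint(-GAMMA1 + 1, GAMMA1) % Q for _ in range(N)] for _ in range(L)]
        w = mat_vec(A, y)
        c = challenge(encode(high_bits(w)) + msg)
        z = [poly_add(yj, poly_mul(c, s1j)) for yj, s1j in zip(y, s1)]
        if inf_norm(z) >= GAMMA1 - BETA:      # abort 1: this z would leak s1
            continue
        r0 = low_bits([poly_sub(wi, poly_mul(c, s2i)) for wi, s2i in zip(w, s2)])
        if inf_norm(r0) >= GAMMA2 - BETA:     # abort 2: HighBits(w - c*s2) would differ from HighBits(w)
            continue
        return (z, c), attempts

def verify(pk, msg, sig):
    """Accept iff z is small and H(HighBits(A*z - c*t) || msg) regenerates c."""
    (A, t), (z, c) = pk, sig
    if inf_norm(z) >= GAMMA1 - BETA:
        return False
    w_prime = [poly_sub(az, poly_mul(c, ti)) for az, ti in zip(mat_vec(A, z), t)]  # equals w - c*s2
    return challenge(encode(high_bits(w_prime)) + msg) == c

def run_demo(seed=2024, msg=b"release-1.2.3.tar.gz"):
    """Constructed demo: sign, verify, then check a tampered message and a tampered z."""
    rng = random.Random(seed)   # deterministic for the demo; a real signer uses a CSPRNG
    pk, sk = keygen(rng)
    (z, c), attempts = sign(sk, msg, rng)
    z_bad = [p[:] for p in z]
    z_bad[0][0] = (z_bad[0][0] + 1) % Q
    return {"attempts": attempts, "valid": verify(pk, msg, (z, c)),
            "tampered_msg": verify(pk, msg + b"!", (z, c)), "tampered_z": verify(pk, msg, (z_bad, c))}
```

Calling run_demo() signs a constructed message and reports how many attempts the abort loop needed, that the honest signature verifies, and that both a changed message and a changed z are rejected. The second abort check is the one people tend to forget: without it, a signature produced by an honest signer can fail to verify, because the verifier only ever sees w − c·s₂ and has to round it to the same high-order bits the signer hashed.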
ML-DSA Parameter Sets
FIPS 204 defines three parameter sets, named after the dimensions of the matrix A (rows × columns):
- ML-DSA-44 (NIST security category 2, A is 4×4): signature 2,420 bytes, public key 1,312 bytes
- ML-DSA-65 (category 3, A is 6×5): signature 3,309 bytes, public key 1,952 bytes
- ML-DSA-87 (category 5, A is 8×7): signature 4,627 bytes, public key 2,592 bytes
Compare to ECDSA P-256: 64-byte signature, 64-byte public key (the raw x‖y coordinates). ML-DSA signatures are 38–72× larger and public keys 20–40× larger. This is a real cost, most visibly in certificate chains and TLS handshakes, but manageable in most protocols. Signing and verification speed are comparable to or better than RSA.
ML-DSA vs. Other Signature Schemes
ECDSA P-256 (Today)
- Signature: 64 bytes
- Public key: 64 bytes
- Fast signing and verification
- Broken by quantum computers
ML-DSA-65 (Post-Quantum)
- Signature: 3,309 bytes
- Public key: 1,952 bytes
- Fast signing and verification
- Quantum-resistant
SLH-DSA (Most Conservative)
- Signature: 7,856–49,856 bytes (depending on parameter set)
- Public key: 32–64 bytes
- Slower signing
- Based only on hash functions
Migration: Where ML-DSA Replaces ECDSA
ML-DSA is the right choice for most signature use cases. The algorithm itself is standardized, but the encodings each protocol needs (X.509 algorithm identifiers, JOSE algorithm names, SSH key and signature types) are specified separately, so check what your libraries and your peers actually support before switching:
- Code signing: Operating systems verifying that software updates, drivers, and apps are authentic before running them. Signing keys are long-lived and signature size rarely matters here, which makes it a natural first migration target.
- TLS/X.509 certificates: The signatures on end-entity and intermediate certificates. Each ML-DSA certificate adds several kilobytes to the handshake, so expect mixed or hybrid chains during the transition.
- JWT tokens: API authentication and authorization tokens, once the JOSE algorithm identifiers for ML-DSA are settled and supported by your JWT library.
- SSH keys: Server and user authentication in SSH, once SSH implementations define and ship ML-DSA key types.
- Document signing: Legal documents, contracts, PDFs.
- Blockchain: Transaction authorization (though many chains use their own curves).
Frequently Asked Questions
Is ML-DSA-44 (Level 2) secure enough for most applications?
Generally yes. NIST defines category 2 as at least as hard to break as finding a SHA-256 collision, roughly 128 bits of classical security, and the parameter set was chosen against the best known quantum lattice attacks. FIPS 204 approves all three parameter sets for general use. ML-DSA-65 (category 3) is the most common recommendation as a conservative default, while ML-DSA-87 (category 5) is reserved for the highest security requirements; NSA's CNSA 2.0 mandates ML-DSA-87 for national security systems.
Does ML-DSA support batch verification?
Not natively in the way that Ed25519 does. However, ML-DSA verification is fast enough that this is rarely a bottleneck in practice. Research into batching techniques for lattice-based signatures is ongoing and may be incorporated in future variants.
What is FN-DSA and how does it differ from ML-DSA?
FN-DSA (formerly FALCON) is the third NIST post-quantum signature standard (the fourth PQC FIPS overall, after ML-KEM, ML-DSA and SLH-DSA), currently in process and expected as FIPS 206. It uses different lattice mathematics (NTRU lattices) and produces much smaller signatures than ML-DSA (about 666 bytes for the 128-bit parameter set, with an 897-byte public key), closer to ECDSA in size. However, it is more complex to implement correctly: signing relies on floating-point Gaussian sampling, which is hard to make constant-time and awkward on platforms without a hardware FPU. It is the better fit for bandwidth-constrained environments where signature size matters most.