We cannot wait for better post-quantum signature algorithms
3 hours ago
- #quantum-resistant signatures
- #post-quantum cryptography
- #NIST standardization
- RSA and ECC are vulnerable to quantum attacks, but ML-KEM encryption and ML-DSA signatures are quantum-resistant and were standardized by NIST in 2024.
- Cloudflare aims for full post-quantum security by 2029, with most traffic already using ML-KEM, but signatures still need migration to protect authentication.
- ML-DSA has downsides like larger sizes compared to classical algorithms, and alternative post-quantum signature schemes are being developed, such as FN-DSA and others from NIST's third round.
- New signature schemes like SQIsign offer small signatures but slow signing, UOV has tiny signatures but huge public keys, and stateful hash-based signatures require careful state management.
- FN-DSA (Falcon) offers better performance than ML-DSA but has implementation challenges, especially for secure signing, and is not yet widely available.
- Proof-of-knowledge schemes like FAEST, MQOM, and SDitH provide conservative security and flexibility for applications like anonymous credentials, but may not outperform ML-DSA dramatically.
- Structured multivariate schemes like MAYO and SNOVA aim to reduce key sizes, with MAYO being more conservative and SNOVA more aggressive but less stable.
- Timelines for new signature algorithms suggest they won't be ready in time for initial migrations (e.g., FN-DSA by 2033, multivariate by 2034), so ML-DSA is necessary for now.
- The ongoing competition is crucial for advancing post-quantum cryptography beyond basic primitives, enabling future improvements and applications like anonymous credentials.