Hasty Briefsbeta

Bilingual

We cannot wait for better post-quantum signature algorithms

3 hours ago
  • #quantum-resistant signatures
  • #post-quantum cryptography
  • #NIST standardization
  • RSA and ECC are vulnerable to quantum attacks, but ML-KEM encryption and ML-DSA signatures are quantum-resistant and were standardized by NIST in 2024.
  • Cloudflare aims for full post-quantum security by 2029, with most traffic already using ML-KEM, but signatures still need migration to protect authentication.
  • ML-DSA has downsides like larger sizes compared to classical algorithms, and alternative post-quantum signature schemes are being developed, such as FN-DSA and others from NIST's third round.
  • New signature schemes like SQIsign offer small signatures but slow signing, UOV has tiny signatures but huge public keys, and stateful hash-based signatures require careful state management.
  • FN-DSA (Falcon) offers better performance than ML-DSA but has implementation challenges, especially for secure signing, and is not yet widely available.
  • Proof-of-knowledge schemes like FAEST, MQOM, and SDitH provide conservative security and flexibility for applications like anonymous credentials, but may not outperform ML-DSA dramatically.
  • Structured multivariate schemes like MAYO and SNOVA aim to reduce key sizes, with MAYO being more conservative and SNOVA more aggressive but less stable.
  • Timelines for new signature algorithms suggest they won't be ready in time for initial migrations (e.g., FN-DSA by 2033, multivariate by 2034), so ML-DSA is necessary for now.
  • The ongoing competition is crucial for advancing post-quantum cryptography beyond basic primitives, enabling future improvements and applications like anonymous credentials.