Human Freedom Index https://www.cato.org/human-freedom-index/2025
A Bluffer's Guide to PQC Digital Signatures (Source: Bill Buchanan):

- In digital signing, a private key is used to sign the hash of a message, and the associated public key will verify it.
- RSA, ECDSA and EdDSA are all broken by Shor's algorithm.
- For digital certificates, RSA is currently the most popular method for public keys and signing.
- NIST-approved signatures are defined in FIPS 186-5 (Digital Signature Standard - DSS).
- NIST has defined that RSA, ECDSA and EdDSA will be deprecated in 2030, and disallowed from 2035.
- NIST has approved two main standards: FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA).
- ML-DSA is based on the Dilithium method, and SLH-DSA is based on the SPHINCS+ method.
- SLH-DSA is a stateless hash-based method, so there is no need to remember the previously used private keys.
- There are three levels of security of PQC signatures: Level 1 (128-bit equiv security), Level 3 (192-bit equiv security) and Level 5 (256-bit equiv security).
- ML-DSA is a lattice-based method. For 128-bit security, we have ML-DSA-44, for 192-bit, we have ML-DSA-65, and for 256-bit security, we have ML-DSA-87.
- SLH-DSA is a hash-based method. For 128-bit security, we have SLH-DSA-SHA2-128f, for 192-bit, we have SLH-DSA-SHA2-192f, and for 256-bit security, we have SLH-DSA-SHA2-256f. We can have SHA-2 or SHAKE as the hashing method (SHAKE is faster).
- With SLH-DSA, we can have a fast version, such as SLH-DSA-SHA2-256f, or a slower version, such as SLH-DSA-SHA2-256s.
- For ML-DSA-44, we have a 1,330-byte public key, a 2,602-byte private key, and a signature size of 2,420 bytes. Reasonable key sizes and reasonable signature size.
- For SLH-DSA-SHA2-128f, we have a 33-byte public key, a 64-byte private key, and a signature size of 17,088 bytes. Small keys, large signature.
- ML-DSA is generally much faster than SLH-DSA, but SLH-DSA has strong security guarantees.
- ML-DSA and SLH-DSA are now supported in OpenSSL 3.5.
- NIST has also approved FIPS 206 (Falcon) as a standard, which has smaller key and signature sizes but is slower than ML-KEM.
- In Round 2 for Additional Signatures, NIST is assessing other methods for future signatures; these include Multivariate Cryptography (MC), Unbalanced Oil and Vinegar (UOV), MPC-in-the-Head, and code-based methods.
- The XMSS methods allow for stateful signature replacements, but these often require hardware-based controls and can be slow.
- There are some worries about the long-term security of lattice-based methods, but hash-based ones generally have few worries about their long-term security.
- ML-DSA is generally as fast for key generation and signing as elliptic curve methods, and much faster than RSA.
- With PQC signing, we can have pre-hash signing, where we take the hash of the message before feeding it into the signature method. This has a lesser performance effect.

See them in action with OpenSSL 3.5 here:
Signature Generation: https://asecuritysite.com/openssl/mldsa_keygen
Certificate Generation:
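The stateful versus stateless point in the list above (XMSS versus SLH-DSA), shown with a Lamport one-time signature; this is an added example, not code from the original post. Lamport is used here as a simplified stand-in for the one-time schemes inside hash-based signatures, not as either standard, and `StatefulSigner` and `secrets_exposed` are hypothetical names.

```python
import hashlib
import secrets

N = 256  # one secret pair per bit of the SHA-256 message digest

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def digest_bits(msg: bytes) -> list:
    d = int.from_bytes(H(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]

def keygen():
    # Private key: two random values per digest bit; public key: their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def sign(sk, msg: bytes) -> list:
    # Signing reveals one secret of each pair, selected by the digest bit.
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    bits = digest_bits(msg)
    return len(sig) == N and all(H(sig[i]) == pk[i][bits[i]] for i in range(N))

def secrets_exposed(messages) -> int:
    # How many of the 2*N secrets one key would reveal if it signed every message.
    return len({(i, b) for m in messages for i, b in enumerate(digest_bits(m))})

class StatefulSigner:
    """Pool of one-time keys plus the index a stateful scheme has to protect."""

    def __init__(self, n_keys: int):
        pairs = [keygen() for _ in range(n_keys)]
        self._sks = [sk for sk, _ in pairs]
        self.pks = [pk for _, pk in pairs]
        self._next = 0  # in real use this must survive crashes, clones and restores

    def sign(self, msg: bytes):
        if self._next >= len(self._sks):
            raise RuntimeError("one-time keys exhausted")
        idx, self._next = self._next, self._next + 1  # advance state before signing
        sk, self._sks[idx] = self._sks[idx], None     # a used key is never kept
        return idx, sign(sk, msg)
```

One message exposes exactly half of a key's secrets, and a second message under the same key exposes more, which is why a stateful signer has to guard its index; a stateless design avoids keeping that counter at all.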
“The first rule of secret quantum computer club is that you don’t do anything that might let people know you have a secret quantum computer.”