
While NIST-standardized ML-DSA secures connections today, its large sizes and limitations mean better post-quantum signatures are essential—but they won't be ready in time. This blog explores the trade-offs, the specialist algorithms on the horizon, and why the search must continue even as we deploy what we have.
Introduction: The Quantum Clock Is Ticking
The cryptographic foundations of internet security—RSA and elliptic curve cryptography (ECC)—are structurally vulnerable to sufficiently advanced quantum computers. Such computers do not yet exist, but the trajectory of quantum development suggests their arrival is sooner than previously projected. This creates an urgent threat: harvest-now-decrypt-later attacks, where adversaries collect encrypted data today with the expectation of decrypting it once a capable quantum computer is available.
The solution is already standardized. In 2024, the U.S. National Institute of Standards and Technology (NIST) finalized ML-KEM for encryption and ML-DSA for digital signatures after an eight-year open international competition. These algorithms are designed to resist quantum cryptanalysis. Cloudflare has already migrated the majority of its traffic to ML-KEM, protecting user data from harvest-now-decrypt-later threats. But encryption is only one half of the equation: authentication systems rely on signatures, which remain vulnerable.
Cloudflare is targeting 2029 for full post-quantum security, aiming to deploy post-quantum signatures alongside encryption to protect against unauthorized access. However, the signature transition is more complex. ML-DSA, the best all-around post-quantum signature scheme standardized today, has notable downsides: it produces significantly larger public keys and signatures on the wire, and many optimization tricks possible with RSA and ECC are infeasible with lattice-based schemes.
Better signature algorithms are on the horizon. NIST recently advanced nine candidate schemes to the third round of its “signatures on-ramp,” and a draft standard for FN-DSA (née Falcon) is expected soon. But these algorithms will not be ready in time for the post-quantum transition. As security researcher Eric Rescorla noted in 2024: “You go to war with the algorithms you have, not the ones you wish you had.”
- RSA and ECC are vulnerable to quantum computers—no fixed timeline, but risk is real and approaching.
- Harvest-now-decrypt-later attacks make immediate migration to post-quantum encryption critical.
- ML-KEM encryption is already deployed at scale; signatures remain the next frontier.
- Cloudflare aims to be fully post-quantum secure by 2029, using standardized algorithms now.
- Better signature algorithms (e.g., FN-DSA, SQIsign, UOV) are in development but will not be ready for the first wave of migration.
- ML-DSA must be used today despite its larger footprint and reduced flexibility.
Organizations must begin the migration now. Encryption is already deployable; signatures are the harder lift but cannot wait for more ideal schemes that are still years away from standardization.
ML-DSA: The Best We Have, But Not the Best We Need
ML-DSA, standardized by NIST in 2024 as the primary post-quantum signature algorithm, represents the most balanced option available today for protecting authentication systems against quantum-capable adversaries. However, it carries significant operational trade-offs that enterprise engineers must account for when designing post-quantum migration paths. The most immediately visible limitation is wire size: an ML-DSA 44 public key occupies 1,312 bytes, and its signature spans 2,420 bytes. In contrast, the classical Ed25519 scheme uses only 32-byte public keys and 64-byte signatures, while even RSA-2048 requires only 272 and 256 bytes respectively. For protocols like TLS where public keys and signatures are transmitted during the handshake, this 20–40× increase in payload directly impacts latency, bandwidth consumption, and packet fragmentation behavior, particularly in constrained or high-throughput environments.
Beyond raw size, ML-DSA forces engineers to abandon a broad class of cryptographic optimizations that were routine with RSA and ECC. As the Cloudflare analysis notes, many of the cryptographic tricks that engineers relied on with RSA and ECC—such as compact signature aggregation, algebraic manipulation for zero-knowledge proofs, or leveraging homomorphic properties for protocol-level efficiency—are not feasible with ML-DSA’s lattice-based construction. This loss of composability means that existing infrastructure built around these techniques cannot be directly ported; new protocol designs are required, adding engineering cost and risk during the migration window.
Performance comparisons from standardized benchmarks further illustrate the gap:
- Ed25519 (classical, quantum‑vulnerable): public key 32 bytes, signature 64 bytes, signing time 0.15, verification 1.3 (lower is better on CPU time).
- RSA-2048 (classical, quantum‑vulnerable): public key 272 bytes, signature 256 bytes, signing time 80, verification 0.4.
- ML-DSA 44 (post‑quantum): public key 1,312 bytes, signature 2,420 bytes, signing and verification both set as baseline 1.0.
- FN-DSA 512 (draft standard, lattice): public key 897 bytes, signature 666 bytes, signing 3.0, verification 0.7.
- HAWK 512 (third‑round candidate, lattice): public key 1,024 bytes, signature 555 bytes, signing 0.25, verification 1.2.
- SQIsign (third‑round candidate, isogeny): public key 65 bytes, signature 148 bytes, signing 300, verification 50.
ML-DSA is the only fully standardized post-quantum signature algorithm with widespread library support and deployment precedent, making it the unavoidable choice for initial migration. But it is a generalist, not an all-star like Ed25519, which dominated nearly every metric while remaining quantum-vulnerable. Emerging schemes such as FN-DSA and HAWK offer smaller signatures and faster verification, while SQIsign approaches classical wire sizes—but none are ready for production use. Enterprise teams should deploy ML-DSA now to meet the 2029 post-quantum readiness target, while actively monitoring the NIST third‑round candidates for future specialization opportunities.
The Coming Better Algorithms Are Not Coming Soon Enough
The U.S. National Institute of Standards and Technology (NIST) recently advanced nine post-quantum signature schemes to the third round of its “signatures on-ramp,” and a draft standard for FN-DSA (Falcon) is expected imminently. Yet none of these algorithms will be ready in time for the first post-quantum (PQ) migration. As Eric Rescorla wrote in 2024: “You go to war with the algorithms you have, not the ones you wish you had.” The transition deadline is imminent, and ML-DSA—standardized in 2024 after an eight-year international competition—must be deployed now.
The on-ramp candidates, including SQIsign, UOV, MAYO, and others, are specialists that optimize one metric (e.g., tiny signatures for SQIsign or fast verification for UOV) at the cost of other serious trade-offs. SQIsign’s signing is slow and difficult to implement in a timing side-channel secure manner; UOV’s public keys are tens of kilobytes; and several multivariate schemes rely on still-evolving security arguments. Even FN-DSA, which offers smaller signatures than ML-DSA, has no final standard and will require years of additional analysis, implementation hardening, and ecosystem integration before it is production-safe. The problem of quantum-vulnerable cryptography is arriving too soon to wait for these improvements.
- Standardization lag: Nine on-ramp schemes are only now entering the third round; final standards are years away. FN-DSA’s draft is imminent but not yet published, and even after finalization, adoption cycles (TLS libraries, CAs, hardware modules) add years.
- Implementation maturity ML-DSA already has hardened implementations in major cryptographic libraries (OpenSSL, BoringSSL, liboqs). The new candidates lack side-channel secure, audited code at scale.
- Security confidence: ML-DSA’s lattice-based construction underwent extensive scrutiny during the first NIST competition. Newer schemes, especially those based on isogenies (SQIsign) or multivariate structure, have less time in the cryptanalytic spotlight.
A practical example: an enterprise migrating its TLS infrastructure to post-quantum authentication today cannot substitute FN-DSA for ML-DSA because FN-DSA is not yet in any stable TLS implementation. Likewise, waiting for SQIsign’s small signatures would require accepting a 300× signing slowdown and unresolved side-channel risks. The only production-ready, standardized lattice-based signature algorithm is ML-DSA. It is larger on the wire than elliptic-curve alternatives, but it works now. Deploy ML-DSA today; pursue the next generation for the second migration. The algorithms you have are the ones that will secure your systems against the coming quantum threat.
Specialist Algorithms: SQIsign and UOV Deep Dive
Two post-quantum signature families stand out as "specialists" because they approach classical elliptic-curve performance on certain metrics but are problematic on others. SQIsign and UOV both produce signatures far smaller than any lattice-based scheme, but at the cost of unusual trade-offs that constrain their deployment. The table below summarizes the relevant variants at the 128-bit security level, extracted from the NIST on-ramp round two evaluations.
- SQIsign I – Public key: 65 bytes; Signature: 148 bytes. Signing CPU time is 300× slower than ML-DSA verification, and verification is 50× slower than ML-DSA. Signing is marked as hard to implement in a timing side‑channel secure manner (⚠️).
- UOV Is-pkc – Public key: 66 576 bytes; Signature: 96 bytes. Signing time is 0.3× ML-DSA (faster), verification is 2.4× slower.
- UOV Ip-pkc – Public key: 43 576 bytes; Signature: 128 bytes. Similar performance profile.
SQIsign’s strength is its tiny on‑wire footprint: a 148‑byte signature and a 65‑byte public key are competitive with Ed25519 (64‑byte signature, 32‑byte public key) and far smaller than ML‑DSA (2 420‑byte signature, 1 312‑byte public key). However, the signing operation is computationally expensive—300× slower than ML‑DSA—and implementing it in a constant‑time, side‑channel‑resistant manner remains difficult. Consequently, SQIsign is unsuitable for online signing (e.g., a TLS handshake) but may be viable for offline use cases such as Certificate Authority (CA) signatures or DNSSEC, where signing is infrequent and verification is the primary concern. The underlying isogeny mathematics is rich and less studied than lattice or multivariate problems. Notably, SQIsign does not rely on torsion points, avoiding the structural weakness that led to the break of SIKE. Nevertheless, the mathematical attack surface is broader than that of more mature families.
UOV (Unbalanced Oil and Vinegar) dates back to 1999 and produces the smallest post‑quantum signatures at 96 bytes. The trade‑off is a public key of 66 kB—roughly 50× larger than ML‑DSA’s public key. This makes UOV impractical for protocols where the public key must be transmitted over the wire, such as TLS server certificates. Conversely, it is attractive when the public key can be predistributed. For example, a browser that trusts ~100 root CA certificates and ~30 Certificate Transparency logs would need about 8 MB of storage for those public keys—acceptable for a firmware bundle or application update. UOV’s security stems from the multivariate quadratic problem, which is considered classic and well studied, but structured multivariate schemes have seen steady improvement in attack algorithms, potentially eroding security margins over time.
Practical recommendations:
- Use SQIsign where signatures and public keys must be as small as possible and signing is performed offline (e.g., CA certificate issuance, DNSSEC zone signing). Ensure that implementations are rigorously side‑channel hardened before relying on them for any production system.
- Use UOV when the public key can be distributed out‑of‑band (e.g., embedded in firmware or pre‑loaded into a trusted store) and signature size is critical. The large public key is a deployment cost that must be weighed against the benefit of a 96‑byte signature.
- For both algorithms, monitor the NIST on‑ramp process: third‑round changes may alter performance or security margins. No final standards are expected before 2027–2029.
Why We Still Need Better Post-Quantum Signatures
The standardized post-quantum signature ML-DSA suffices for the first wave of migration, but its larger signature and public key sizes (2,420 and 1,312 bytes respectively at security level 3) and slower verification prevent drop-in replacement for classical signatures in many contexts. Better algorithms are needed for future large-scale deployments and specific protocols. The following reasons justify continued investment beyond ML-DSA.
- No single post-quantum algorithm outperforms Ed25519 on all relevant metrics. Ed25519 offers a 32‑byte public key, 64‑byte signature, fast signing, and very fast verification. Among standardized and candidate post-quantum schemes, none simultaneously match these properties. ML-DSA has larger signatures and public keys; FN-DSA achieves smaller signatures (666 bytes) but with slower signing and complex side‑channel‑secure implementation. The absence of a universal “all‑star” algorithm means protocol designers must choose based on application priorities, which itself creates engineering overhead.
- Specialist algorithms serve niche roles but introduce trade‑offs that limit broad adoption. For example, SQIsign produces extremely small signatures (148 bytes) and public keys (65 bytes) and its security relies on generic brute‑force attacks, a favorable property. However, its signing is slow (300× baseline), and side‑channel safe implementations are difficult. This makes SQIsign unsuitable for online TLS handshakes but potentially viable for offline uses like CA certificates or DNSSEC, where signing is performed infrequently and verification speed matters more. UOV delivers tiny signatures (96 bytes) but at the cost of a large public key (66 kB), precluding its use in scenarios where public keys must be transmitted on the wire, such as TLS server certificates. These trade‑offs prevent a one‑size‑fits‑all solution.
- Future applications require smaller signatures or faster verification than ML‑DSA provides. Large‑scale deployments like DNSSEC need signatures that fit within DNS message size limits; ML‑DSA signatures (2,420 bytes) exceed typical UDP payloads. Faster verification is critical for high‑throughput environments such as certificate transparency logs or CDN edge servers that must validate many signatures per second. While ML‑DSA verification is reasonably fast, schemes like FN‑DSA (0.7× baseline) or MAYO (0.4× baseline) offer lower verification latency, which becomes important at scale.
- NIST’s continued support for new signature algorithms remains essential despite ML‑DSA being “good enough” for immediate migration. The September 2025 announcement of nine candidates advancing to round three of the “signatures on‑ramp” shows that the cryptographic community recognizes these gaps. New schemes such as HAWK, MQOM, and FAEST explore different hardness assumptions and performance profiles, increasing the likelihood of a future generalist that approaches Ed25519’s metrics. Without sustained investment, protocols requiring smaller or faster signatures would be forced to accept ML‑DSA’s overhead or delay migration.
In summary, ML‑DSA enables the critical first wave of post‑quantum migration, but the enterprise landscape demands a broader palette. Research into better signature algorithms—balanced across size, speed, and security—is not merely academic; it directly addresses practical constraints in protocols like TLS, DNSSEC, and the WebPKI. NIST’s ongoing evaluation is the most effective path to closing the gap left by classical signatures.
Conclusion: Deploy Now, Improve Later
The migration to ML-DSA signatures is non-negotiable for protecting authentication systems against quantum threats. Classical signature algorithms such as RSA and ECC are vulnerable to sufficiently advanced quantum computers, and while encryption has been secured using ML-KEM (already deployed on the majority of Cloudflare traffic), signatures remain the next critical frontier. Cloudflare targets full post-quantum security by 2029, as stated in its technical roadmap. The urgency is driven by harvest-now-decrypt-later attacks: data encrypted today can be stored and decrypted once quantum computers mature. Signatures prevent unauthorized access and must be migrated proactively.
ML-DSA, standardized by NIST in 2024 after an eight-year competition, is the best all-around post-quantum signature scheme available today. However, it has downsides: signature and public key sizes are significantly larger than classical equivalents (e.g., ML-DSA-44 public key 1,312 bytes vs. Ed25519 32 bytes), and many cryptographic tricks possible with RSA or ECC are infeasible. Despite these limitations, the principle "you go to war with the algorithms you have" (Eric Rescorla, 2024) applies. Deploying ML-DSA now provides immediate protection while the ecosystem adapts.
Better post-quantum signature schemes are on the horizon. NIST has advanced nine candidates to the third round of its "signatures on-ramp," and a draft standard for FN-DSA (based on Falcon) is expected soon. These algorithms offer improvements in size or performance but are not yet mature enough for widespread deployment. Cloudflare actively monitors FN-DSA, HAWK, SQIsign, and others, but acknowledges that waiting would leave systems exposed. The search for better schemes must continue in parallel with first-migration deployment.
The enterprise community must support ongoing standardization efforts to ensure future algorithms are secure, performant, and implementable. Recommended actions include:
- Participating in NIST's standardization process by reviewing and testing candidate signatures.
- Deploying ML-DSA in non-critical systems to gain operational experience.
- Monitoring draft standards for FN-DSA and preparing migration plans.
- Contributing to open-source implementations and side-channel security analyses.
Deploying ML-DSA now is the only viable path to timely quantum resilience. Simultaneously, investing in the next generation of signature schemes ensures long-term efficiency and security. The community's active engagement with NIST and the broader PQC ecosystem is essential to achieve both goals.
Editorial Policy & Research Methodology
Our findings are based on rigorous internal research, verified industry benchmarks, and direct technical implementation experience from our enterprise client projects. All statistics and technical claims are reviewed by senior engineers before publication to ensure accuracy, transparency, and helpfulness for our readers.
