ML-DSA (FIPS 204)
ML-DSA (Module-Lattice-Based Digital Signature Algorithm) is the post-quantum digital signature scheme scheme standardized by NIST in FIPS 204, finalized on August 13, 2024. It is the standardized form of CRYSTALS-Dilithium, selected in the NIST PQC standardization process, and it is the default general-purpose signature recommendation for the post-quantum transition.
How it works
ML-DSA is built from lattice-based cryptography: forging a signature is related to the Module Learning With Errors (Module-LWE) and Module Short Integer Solution (Module-SIS) problems over the polynomial ring Z_q[X]/(X^256 + 1) with q = 8380417. The public key is essentially a compressed matrix equation involving the secret key; the matrix itself is expanded deterministically from a 32-byte seed, which keeps public keys compact.
The signing procedure follows the Fiat-Shamir with aborts paradigm. The signer commits to a masking vector, derives a challenge by hashing the commitment together with the message representative, and computes a response that mixes the challenge with the secret key. If the candidate response would leak statistical information about the secret key, the attempt is rejected ("aborted") and signing restarts with fresh masking; a signature typically succeeds after a handful of iterations. This rejection sampling is what makes the published signature distribution independent of the secret key, and it is the scheme's central design idea.
Parameter sets
FIPS 204 defines three parameter sets. Note that ML-DSA-44 targets NIST security category 2, defined relative to collision search on SHA-256. All sizes are exact, in bytes.
| Parameter set | Security category | Public key | Private key | Signature |
|---|---|---|---|---|
| ML-DSA-44 | 2 | 1312 | 2560 | 2420 |
| ML-DSA-65 | 3 | 1952 | 4032 | 3309 |
| ML-DSA-87 | 5 | 2592 | 4896 | 4627 |
For comparison, an Ed25519 public key is 32 bytes and its signature 64 bytes, so ML-DSA signatures are roughly 40 to 70 times larger; see post-quantum algorithm comparison.
Hedged signing
FIPS 204 signs in a "hedged" mode by default: each signature mixes 32 bytes of fresh randomness with a value derived from the private key and the message. If the random number generator fails, the scheme degrades to deterministic signing rather than leaking the key, and the fresh randomness also makes fault-injection and some side-channel attacks harder. A fully deterministic variant (the randomness fixed to 32 zero bytes) is permitted for environments without a random bit generator, with the caveat that deterministic lattice signing is more exposed to fault attacks.
Two related choices appear in the standard: signing accepts an optional context string of up to 255 bytes for domain separation, and a pre-hash variant, HashML-DSA, signs a digest of the message for cases where the full message is not available to the signer. Both were added during standardization and are among the reasons round-3 Dilithium and ML-DSA are not interoperable.
Performance and role
Signing and verification are fast, on the order of tens to a few hundred microseconds on desktop processors, with verification cheaper than signing. Key generation is also fast, and the scheme needs no floating-point arithmetic, which makes constant-time implementation straightforward compared to FN-DSA.
ML-DSA is the workhorse signature of the transition. NIST's draft migration guidance treats it as the general-purpose replacement for RSA and ECDSA signatures (NIST IR 8547), and the NSA's CNSA 2.0 suite specifies ML-DSA-87 for national security systems. Standards work is underway to carry ML-DSA in X.509 certificates, TLS, and code signing; the practical obstacle is size, since every certificate carries both a public key and a signature, inflating handshakes and trust chains. See PKI migration to post-quantum and post-quantum TLS.
Alternatives
Where ML-DSA's assumptions or sizes do not fit, the other NIST signatures trade differently: SLH-DSA offers more conservative, hash-only security at the cost of much larger signatures and slower signing, and FN-DSA (Falcon) offers much smaller keys and signatures at the cost of a difficult implementation. Implementations of ML-DSA are available in liboqs, PQClean, and OpenSSL.
Frequently asked questions
Is ML-DSA the same as Dilithium?
ML-DSA is the standardized form of CRYSTALS-Dilithium with changes such as hedged signing by default and context strings, so it is not interoperable with round-3 Dilithium.
Which parameter set is the usual default?
ML-DSA-65 is the common general-purpose choice; ML-DSA-87 is specified where category 5 security is required.
Sources
- FIPS 204, Module-Lattice-Based Digital Signature Standard (NIST, 2024)
- CRYSTALS-Dilithium official site (CRYSTALS team, 2024)
- NIST IR 8547 (initial public draft), Transition to Post-Quantum Cryptography Standards (NIST, 2024)
Cite this entry
"ML-DSA (FIPS 204)." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/ml-dsa@misc{pqwiki-ml-dsa,
title = {ML-DSA (FIPS 204)},
howpublished = {\url{https://postquantum.wiki/ml-dsa}},
year = {2026},
note = {postquantum.wiki, updated 2026-07-11}
}