Key insight

Two signature standards for one job (authenticity). ML-DSA (FIPS 204) is the fast lattice-based workhorse — the default for most signing. SLH-DSA (FIPS 205) is the slow, large, but ultra-conservative hash-based backup — reach for it where you can’t afford to be wrong and rarely sign (root keys, firmware). The recurring engineering catch: post-quantum signatures are much bigger than ECDSA.

In one sentence

ML-DSA is your everyday quantum-safe signature; SLH-DSA is the different-maths insurance you keep for the keys that must never fall.

What a signature proves

A digital signature lets anyone verify that a message really came from a specific signer and wasn’t altered in transit — using the signer’s public key. It’s what makes a certificate trustworthy, what lets your device trust a software update, and what underpins digital identity (see signatures in the foundations). “Quantum breaks authenticity” means a quantum computer could forge these — which is exactly what these two standards prevent.

ML-DSA: the lattice workhorse

Like ML-KEM, ML-DSA (FIPS 204) is built on structured lattices — fast, with reasonably compact signatures. It’s the default for most signing. Three sizes correspond to rising security levels:

Parameter setSecurity levelUse when
ML-DSA-44~AES-128Lightest; constrained contexts
ML-DSA-65~AES-192Common default
ML-DSA-87~AES-256Highest assurance (NSA CNSA 2.0)

SLH-DSA: the hash-based backup

SLH-DSA (FIPS 205) takes a completely different route: it’s built entirely from hash functions — the same well-studied building blocks we’ve trusted for decades. The upside is enormous confidence: hash-based security is about as conservative as cryptography gets. The downside: it’s slow to sign and produces large signatures (tens of kilobytes).

Why standardise something so heavy? Because it’s the insurance policy. If a surprise weakness were found in lattices, both ML-KEM and ML-DSA could be affected at once — they share a foundation. SLH-DSA shares nothing with them and would still stand.

Two signature standards, different foundations ML-DSA is fast with small signatures on lattices; SLH-DSA is slow with large signatures on hashes but is a conservative backup. ML-DSA · FIPS 204 Foundation: lattices Fast · small signatures Default workhorse 44 / 65 / 87 SLH-DSA · FIPS 205 Foundation: hash functions Slow · large signatures Ultra-conservative backup for keys that must not fall
Same job, deliberately different mathematics — so a break in one doesn’t take out both.

The size problem you must plan for

The recurring practical catch: post-quantum signatures and keys are bigger — sometimes a lot bigger:

SchemeSignature size (rough)
ECDSA (classical)~64 bytes
ML-DSA-65~3,300 bytes
SLH-DSA (typical)~7,000–30,000 bytes

That sounds trivial until a certificate chain carries several signatures, a tiny embedded device has little memory, or a protocol was designed assuming small signatures. Planning for larger signatures — in certificates, handshakes, and firmware images — is one of the real engineering tasks of migration.

Concretely, here is how the extra bytes bite in each place:

Which one, when?

SituationReach for
General signing, TLS certs, tokens, frequent operationsML-DSA (performance)
Long-lived roots, firmware/boot keys, rarely-signed anchorsSLH-DSA (maximum conservatism)
Highest-assurance national-security systemsML-DSA-87 (CNSA 2.0)
How to find your SLH-DSA keys: you don’t guess — you audit your PKI and signing inventory. The candidates are the keys whose validity spans many years and whose compromise is unrecoverable: root and intermediate CA keys, code- and firmware-signing keys, and secure-boot anchors. Everything high-volume and routinely rotated (TLS leaf certs, tokens, service identities) stays on ML-DSA for performance. Rule of thumb: if forging it would be catastrophic and you sign with it rarely, it’s SLH-DSA territory.
Digital signature
Proof that a message came from a specific signer and wasn’t altered.
ML-DSA
Module-Lattice Digital Signature Algorithm (FIPS 204) — the fast lattice workhorse.
SLH-DSA
Stateless Hash-based DSA (FIPS 205) — the conservative hash-based backup.
ML-KEM
Module-Lattice Key-Encapsulation Mechanism (FIPS 203) — the companion key-exchange standard, on the same lattice foundation.
FIPS (Federal Information Processing Standard)
The US government standard series; FIPS 204 defines ML-DSA and FIPS 205 defines SLH-DSA.
ECDSA (Elliptic-Curve Digital Signature Algorithm)
The classical signature scheme being replaced; ~64-byte signatures versus thousands for the post-quantum schemes.
Hash-based signature
A signature built only from hash functions; extremely conservative.
Trust anchor
A long-lived root or firmware key that underpins trust for years — prime SLH-DSA territory.
PKI (Public-Key Infrastructure)
The system of certificates, CAs and keys you audit to find long-lived signing keys.
CA (Certificate Authority) / TLS (Transport Layer Security)
The authority that issues certificates, and the protocol (behind HTTPS) whose handshakes carry them — both affected by larger signatures.
CNSA 2.0
The NSA’s (National Security Agency) Commercial National Security Algorithm suite, which selects ML-DSA-87.

What to carry forward

Next: PQC vs QKD → — new maths versus new physics, and why they’re not the same answer.

Understand it in your own words

Paste into any AI assistant to check yourself:

I'm learning the two post-quantum signature standards. Quiz me one question
at a time, correcting me gently:

1. What does a digital signature prove, and what does "quantum breaks
   authenticity" mean?
2. What is ML-DSA built on, and what are the 44/65/87 sizes?
3. What is SLH-DSA built on instead, and why keep a slow, heavy scheme
   around at all?
4. Give the rough signature-size comparison between ECDSA, ML-DSA, and
   SLH-DSA. Why does the size increase matter in practice?
5. Give me the rule of thumb for when to use ML-DSA vs SLH-DSA.

References & further reading

  1. NIST, FIPS 204: Module-Lattice-Based Digital Signature Standard (Aug 2024). csrc.nist.gov/pubs/fips/204
  2. NIST, FIPS 205: Stateless Hash-Based Digital Signature Standard (Aug 2024). csrc.nist.gov/pubs/fips/205
  3. NSA, CNSA 2.0 — selection of ML-DSA-87 for national-security signing. nsa.gov/cybersecurity
  4. NIST, Stateful Hash-Based Signatures (SP 800-208) — related hash-based signing guidance. csrc.nist.gov/pubs/sp/800/208