ML-DSA-65: Choosing the Right Post-Quantum Signature
Picking a signature algorithm for a post-quantum blockchain is a one-way door. Get it wrong and you're stuck with it. QBit went with ML-DSA-65 (formerly CRYSTALS-Dilithium), and here's why.
Three NIST-standardized options were on the table: ML-DSA (lattice-based), FN-DSA (NTRU lattice-based), and SLH-DSA (hash-based). They have very different tradeoff profiles.
ML-DSA-65 gives 128-bit post-quantum security (NIST Level 3) with a 3,293-byte signature. Yes, that's bigger than FN-DSA's 666 bytes. But ML-DSA has one property we couldn't compromise on: integer-only constant-time arithmetic. No floating-point operations during signing means no floating-point side-channel risk. When people are signing from mobile wallets and hardware devices, that matters a lot.
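The integer-only arithmetic described above, as an added example (not QBit's code): multiplication modulo the ML-DSA modulus q = 8380417 by Montgomery reduction, using only multiplies, subtractions, shifts and masks. The function names are chosen for this example, and it assumes a compiler that implements right shift of signed integers as an arithmetic shift.

```c
/* Added example: branch-free, integer-only multiplication mod q for ML-DSA. */
#include <stdint.h>
#include <stdio.h>

#define Q    8380417          /* ML-DSA modulus: 2^23 - 2^13 + 1 */
#define QINV 58728449u        /* q^-1 mod 2^32 */
#define R2   2365951          /* 2^64 mod q, used to leave Montgomery form */

/* For |a| < 2^31 * q, returns r with r * 2^32 == a (mod q) and -q < r < q.
 * Only multiply, subtract and shift: no division, no branch, no table
 * lookup, so the instruction sequence does not depend on the value of a.
 * Assumes >> on negative values is an arithmetic shift (GCC, Clang). */
static int32_t montgomery_reduce(int64_t a)
{
    int32_t t = (int32_t)((uint32_t)a * QINV);    /* t == a * q^-1 mod 2^32 */
    return (int32_t)((a - (int64_t)t * Q) >> 32); /* a - t*q is a multiple of 2^32 */
}

/* Adds q when a is negative, using the sign bit as a mask instead of an if. */
static int32_t caddq(int32_t a)
{
    return a + ((a >> 31) & Q);
}

/* a * b mod q for a, b in [0, q); result in [0, q). */
int32_t mulmod_q(int32_t a, int32_t b)
{
    int32_t t = montgomery_reduce((int64_t)a * b);    /* a*b*2^-32 mod q */
    return caddq(montgomery_reduce((int64_t)t * R2)); /* back to a*b mod q */
}

int main(void)
{
    /* Constructed inputs; (q-1)^2 == 1 (mod q). */
    printf("%d %d\n", mulmod_q(2, 3), mulmod_q(Q - 1, Q - 1));
    return 0;
}
```

Source-level branch freedom is not a guarantee: check the compiled output on the target, since an optimizer can reintroduce branches and some small cores have data-dependent multiply latency.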
SLH-DSA was out early. Its 16,224-byte signatures are nearly 5x larger than ML-DSA-65, and that kills bandwidth even with proof aggregation.
The other thing working in ML-DSA-65's favor: its algebraic structure maps well to STARK constraint systems. Verification can be arithmetized efficiently, which is what lets Sentries aggregate thousands of signature checks into a single compact proof.