QNSI
Start building free
Why QNSI
The Quantum ImperativeWhy QNSIPQC Migration GuideCompetitive AnalysisVet PQC Vendors
Platform
Platform ArchitectureCapabilitiesUse Cases by IndustryKnowledge BaseBlogResearch
Trust
Trust HubCompliance MappingNIST ACVP ConformancePerformance BenchmarksEntropy ChainAlgorithm CatalogSystem Status
Developers
Developer HubUse CasesAI Assistants (MCP)
PricingContactStart building free

Digital Signature

ML-DSA

Module-Lattice-based Digital Signature Algorithm · FIPS 204

FIPS-finalisedlattice-based3 parameter setsQNSI tier: default+provider: nobleprovider: liboqsalso called: Dilithium, CRYSTALS-Dilithium, Module-LWE Signature
NIST's primary post-quantum digital signature standard, finalised August 2024 as FIPS 204. ML-DSA powers JWT signing, audit-log integrity, code-signing, and authn token issuance across QNSI.

Mechanism

How it works

ML-DSA is built on the hardness of the Module Learning With Errors (Module-LWE) and Module Short Integer Solution (Module-SIS) problems. Signatures are generated via the Fiat-Shamir transform applied to an identification protocol over polynomial rings. FIPS 204 Algorithm 1 specifies ML-DSA.KeyGen(ξ) where ξ is a 32-byte random seed, internally calling ML-DSA.KeyGen_internal(ξ). Parameter sets ML-DSA-44 / 65 / 87 target NIST security levels 2 / 3 / 5.

Parameter Sets

3 variants shipped

Each variant trades security category against key, ciphertext, or signature size. QNSI exposes all variants via the @heossi/liboqs-native binding; tenant crypto-policy determines which are allowed.

VariantNIST LevelPublic KeySecret KeySignatureNote
ML-DSA-44L21,312 B2,560 B2,420 BJWT signing default. Smallest signature size of the FIPS-finalised signatures.
ML-DSA-65L31,952 B4,032 B3,309 BStrict policy tier default. Recommended for high-security JWT and audit signing.
ML-DSA-87L52,592 B4,896 B4,627 BMaximum + Government default. Required for `government` tier.

NIST ACVP

Conformance evidence

QNSI runs the official NIST ACVP test vectors against every shipped algorithm. Live evidence + SHA-3-256 tamper digest at /verify/conformance.

@noble/post-quantum
passing
Pure-JavaScript reference; cross-verification secondary on Maximum + Government tiers.
@heossi/liboqs-native
deferred
Native-C primary production engine. Runs across every QNSI backend service.
noble passes all 75 ML-DSA keyGen ACVP tests. liboqs keyGen tests deferred because liboqs C library 0.15.0 does not yet expose OQS_SIG_keypair_derand. Sign / verify operations run against test vectors that provide the keypair, so signature correctness is independently exercised at runtime by the cross-verification service on Maximum and Government policy tiers.
View live ACVP evidence →

Use Cases

When to use it

  • JWT signing (auth-service default)
  • Audit-log Merkle root signing (audit-service)
  • Inter-service SPIFFE SVID signing
  • Code-signing artefacts
  • Compliance evidence-pack signing

Trade-offs

What you give up, what you get

  • Larger signatures than Falcon but faster signing and simpler implementation
  • Constant-time reference implementation (side-channel resistant)
  • Same Module-LWE security assumption as ML-KEM — assumption-economy across families

FAQ

ML-DSA — frequently asked questions

Concise, source-of-truth answers to the questions buyers and engineers ask most about this algorithm.

What is ML-DSA?

ML-DSA (Module-Lattice-based Digital Signature Algorithm) is a lattice based post-quantum digital signature scheme. It is designed to resist attacks from both classical and quantum computers, and QNSI ships 3 of its parameter sets. It is also known as Dilithium, CRYSTALS-Dilithium, Module-LWE Signature.

Is ML-DSA NIST-standardized?

Yes. ML-DSA is a NIST-standardized algorithm, finalized as FIPS 204. QNSI runs the official NIST ACVP test vectors against it on every release, with the live evidence and a SHA-3-256 tamper digest published at /verify/conformance.

What is ML-DSA used for?

On QNSI, ML-DSA is used for JWT signing (auth-service default); Audit-log Merkle root signing (audit-service). It is available from the default crypto-policy tier upward via the noble and liboqs providers.

References

Primary sources