
Post-Quantum Signatures: Dilithium, FALCON, and the Coming Cryptographic Migration

NIST has standardized the digital signature schemes that will replace ECDSA and RSA before quantum computers can break them. CRYSTALS-Dilithium and FALCON are not theoretical curiosities. They are the cryptography that every blockchain, certificate authority, and secure system will eventually run on. Here is how they work and what their adoption actually costs.

Author

Randall Roland

Published

28 May 2026

Why the Signatures Have to Change

Every digital signature securing the internet today rests on one of two mathematical problems: the difficulty of factoring large numbers (RSA) or the difficulty of the elliptic curve discrete logarithm problem (ECDSA, Ed25519). Both problems are hard for classical computers. Both are efficiently solvable by a sufficiently large quantum computer running Shor's algorithm.

This is not a hypothetical concern for the distant future. The threat model that matters is "harvest now, decrypt later": an adversary records encrypted data or captures public keys today, then breaks them once a cryptographically relevant quantum computer exists. For digital signatures, the risk is more direct. The moment Shor's algorithm can recover a private key from a public key, every signature scheme based on RSA or elliptic curves becomes forgeable. An attacker could sign transactions, impersonate identities, and forge certificates at will.

Recognizing this, the US National Institute of Standards and Technology (NIST) ran a multi-year, multi-round global competition to select and standardize quantum-resistant cryptographic algorithms. In August 2024, NIST released its first finalized post-quantum standards. Two of them are digital signature schemes built on lattice mathematics: CRYSTALS-Dilithium and FALCON. *(Source: NIST, 'NIST Releases First 3 Finalized Post-Quantum Encryption Standards', August 2024)*

The Lattice Foundation

Both Dilithium and FALCON derive their security from the hardness of problems on mathematical lattices. A lattice is a regular grid of points in high-dimensional space. The core hard problems, finding the shortest vector in a lattice or solving systems of noisy linear equations, are believed to be difficult for both classical and quantum computers. Unlike factoring and discrete logarithms, no efficient quantum algorithm is known for these lattice problems.

Dilithium's security is built on the Module Learning With Errors (M-LWE) problem and the Module Short Integer Solution (M-SIS) problem. The Learning With Errors problem asks an adversary to recover a secret vector given a set of random linear equations that have been deliberately corrupted with small amounts of noise. The noise is what makes the problem hard: without it, the system would be trivially solvable with linear algebra. *(Source: NIST FIPS 204, Module-Lattice-Based Digital Signature Standard)*
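The contrast described above, as an added example that is not part of the original article: the same Gaussian elimination that recovers the secret from noise-free equations returns a wrong vector once small errors are added, even though the true secret still leaves only tiny residuals. The modulus is the ML-DSA value from FIPS 204; the dimensions, seed, secret and error vector are constructed toy values, far below real parameters.

```python
import random

Q = 8380417   # ML-DSA modulus from FIPS 204; every other size here is a toy value
N, M = 6, 12  # unknowns and equations (assumed demo sizes, far below real parameters)

def make_samples(secret, errors, rng):
    """Return (A, b) with b = A*secret + errors (mod Q) and A uniformly random."""
    A = [[rng.randrange(Q) for _ in secret] for _ in errors]
    b = [(sum(a * s for a, s in zip(row, secret)) + e) % Q
         for row, e in zip(A, errors)]
    return A, b

def solve_mod_q(A, b):
    """Gauss-Jordan elimination mod Q. Returns the vector that exactly solves
    the N pivot equations, or None if A is rank-deficient."""
    n = len(A[0])
    rows = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = next((r for r in range(col, len(rows)) if rows[r][col]), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, Q)          # Q is prime, so inverses exist
        rows[col] = [x * inv % Q for x in rows[col]]
        for r in range(len(rows)):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(x - f * y) % Q for x, y in zip(rows[r], rows[col])]
    return [rows[i][n] for i in range(n)]

def max_residual(A, b, x):
    """Largest |b - A*x| over all equations, centred around zero mod Q."""
    worst = 0
    for row, bi in zip(A, b):
        r = (bi - sum(a * xi for a, xi in zip(row, x))) % Q
        worst = max(worst, min(r, Q - r))
    return worst

rng = random.Random(2024)                          # fixed seed: constructed data
SECRET = [1, Q - 2, 0, 2, Q - 1, 1]                # small secret, constructed
NOISE = [1, 0, -1, 2, 0, -2, 1, -1, 0, 2, -1, 0]   # small errors, constructed

A0, B0 = make_samples(SECRET, [0] * M, rng)        # noise-free system
A1, B1 = make_samples(SECRET, NOISE, rng)          # LWE-style noisy system
CLEAN_GUESS = solve_mod_q(A0, B0)                  # plain linear algebra succeeds
NOISY_GUESS = solve_mod_q(A1, B1)                  # exact solve of noisy rows

if __name__ == "__main__":
    print("noise-free solve recovers secret:", CLEAN_GUESS == SECRET)
    print("noisy solve recovers secret:     ", NOISY_GUESS == SECRET)
    print("residual of true secret:         ", max_residual(A1, B1, SECRET))
    print("residual of noisy guess:         ", max_residual(A1, B1, NOISY_GUESS))
```
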

FALCON takes a related but distinct approach, using NTRU lattices and a technique called fast-Fourier sampling over a structured lattice. The mathematics is more intricate, but the payoff is dramatically smaller signatures, which matters enormously in storage- and bandwidth-constrained environments like blockchains.

The Official Names: ML-DSA and FN-DSA

When NIST finalized these algorithms, it renamed them to reflect their mathematical foundations rather than their competition codenames.

CRYSTALS-Dilithium became ML-DSA (Module-Lattice-Based Digital Signature Algorithm), standardized as FIPS 204 in August 2024. It is NIST's primary, general-purpose signature standard. It comes in three parameter sets: ML-DSA-44, ML-DSA-65, and ML-DSA-87, corresponding to increasing security levels. *(Source: NIST FIPS 204; DigiCert, 'An In-Depth Look At The NIST PQC Algorithms')*

FALCON became FN-DSA (FFT over NTRU-Lattice-Based Digital Signature Algorithm), to be standardized as FIPS 206. As of mid-2026, FIPS 206 remains in development, lagging behind the lattice and hash-based standards that were finalized first. *(Source: Prof Bill Buchanan OBE FRSE, 'Get Ready for FN-DSA', March 2025; Securosys PQC Release Overview)*

A third signature standard, SLH-DSA (FIPS 205, formerly SPHINCS+), is hash-based rather than lattice-based. It is intended as a conservative backup in case a weakness is later found in the lattice schemes. Its signatures are very large, but its security rests only on the properties of hash functions, which are extremely well understood.

Dilithium vs FALCON: The Core Trade-off

The choice between Dilithium and FALCON is a study in engineering trade-offs. Neither is universally better. They optimize for different constraints.

Dilithium (ML-DSA) offers the simpler, more robust design. It uses the Fiat-Shamir With Aborts construction and avoids the floating-point Gaussian sampling that FALCON requires. This makes Dilithium easier to implement correctly, easier to protect against side-channel attacks, and faster at key generation and signing. The cost is size: its public keys and signatures are comparatively large.

FALCON (FN-DSA) produces the most compact signatures of any lattice scheme, but at the price of implementation complexity. Its Gaussian sampling over NTRU lattices is mathematically delicate, computationally expensive for key generation, and notoriously difficult to implement in constant time, which is a requirement for side-channel resistance. *(Source: arxiv.org/pdf/2601.17785, comparative analysis of lattice signature schemes; SynX, 'Comparing Post-Quantum Signature Schemes')*

The concrete numbers make the trade-off vivid:

| Scheme | Public Key | Signature |
|--------|-----------|-----------|
| ECDSA (P-256) | ~64 bytes | ~64 bytes |
| ML-DSA-44 (Dilithium) | 1,312 bytes | 2,420 bytes |
| ML-DSA-87 (Dilithium) | 2,592 bytes | 4,627 bytes |
| FALCON-512 | 897 bytes | 658 bytes |
| FALCON-1024 | 1,793 bytes | 1,275 bytes |

*(Sources: NIST FIPS 204; arxiv.org/pdf/2601.17785; Prof Bill Buchanan, March 2025)*

A FALCON-512 signature at 658 bytes is roughly a quarter the size of an ML-DSA-44 signature at 2,420 bytes, while offering security comparable to RSA-2048. For systems where every byte is written to permanent, replicated storage, that difference is decisive.

The Performance Picture Is Better Than the Size Picture

A common misconception is that post-quantum signatures are slow. In computational terms, that is largely false. Independent benchmarking has found that ML-DSA actually outperforms ECDSA in most signing and verification operations across most security levels. With AVX2 hardware acceleration, Dilithium-2 completes a full key generation, sign, and verify cycle in well under a millisecond. *(Source: arxiv.org/html/2503.12952v1, 'Performance Analysis and Industry Deployment of Post-Quantum Cryptography Algorithms'; arxiv.org/pdf/2510.09271)*

Within Dilithium, signing dominates the runtime, accounting for over 60% of total execution time across all security levels, because the structured lattice sampling required to generate a signature is more expensive than verifying one. But verification, which is the operation a blockchain network performs millions of times, is fast.

The real cost of post-quantum signatures is not speed. It is size.

What This Means for Blockchains

For blockchains, the size expansion of post-quantum signatures is the central migration challenge, and it is a serious one.

A typical ECDSA or Ed25519 signature is 64 bytes. Replacing it with an ML-DSA signature of 2,420 to 4,627 bytes expands every transaction by a factor of 40 to 70. This is not a minor overhead. In tests on BNB Chain, post-quantum signature adoption pushed transaction sizes to roughly 2.5 KB and reduced network throughput by an estimated 40 to 50%, driven by larger blocks and slower propagation across the network. *(Source: Jung-Hua Liu, 'Post-Quantum Roadmaps for Blockchain Ecosystems', Medium)*

Every signature on a blockchain is stored permanently and replicated across every full node. A 40x expansion in signature size translates directly into a 40x expansion in the storage and bandwidth cost of the data those signatures secure. For a network processing millions of transactions, this changes the economics of running a node and the practical limits of throughput.

This size pressure explains why FALCON, despite its implementation complexity, is the preferred choice for several blockchain ecosystems. Polkadot's post-quantum roadmap, for example, plans to use FALCON for account-level user signatures specifically because its smaller signature size reduces on-chain transaction costs. The implementation difficulty is a one-time engineering cost paid by the protocol developers; the size saving is paid back on every single transaction, forever. *(Source: Jung-Hua Liu, Medium)*

Migration Strategies

No serious system is switching to post-quantum signatures overnight. The migration strategies that have emerged share common patterns.

Hybrid signatures combine a classical scheme (ECDSA or Ed25519) with a post-quantum scheme (Dilithium or FALCON) so that a forgery requires breaking both. This protects against the possibility that a flaw is later discovered in the newer lattice schemes, while providing quantum resistance immediately. The cost is even larger combined signature sizes during the transition period.

Cryptographic agility is the architectural principle of designing systems so the signature algorithm can be swapped without redesigning the whole protocol. Research prototypes already demonstrate signature layers that can switch between Dilithium, FALCON, and newer schemes like Hawk by changing a parameter. Systems built with agility in mind can adopt new standards as they are finalized, rather than being locked to one algorithm. *(Source: arxiv.org/pdf/2601.17785)*
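A sketch of the hybrid and agility patterns from the two paragraphs above, added here as an example and not taken from the article or any project it cites. Two Lamport one-time signature schemes over different hashes stand in for the classical and post-quantum components so the code runs on the standard library alone; `REGISTRY`, the algorithm IDs and the `hybrid_*` functions are hypothetical names. The verifier takes the required algorithm set from the pinned public-key record, so a signature with one component stripped is rejected.

```python
import hashlib, secrets

def lamport(hash_name):
    """Lamport one-time signatures over the named hash (stand-in scheme)."""
    H = lambda data: hashlib.new(hash_name, data).digest()
    bits = lambda msg: [(byte >> i) & 1 for byte in H(msg) for i in range(8)]
    def keygen():
        sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
        return sk, [(H(a), H(b)) for a, b in sk]
    def sign(sk, msg):                      # each key must sign one message only
        return [pair[bit] for pair, bit in zip(sk, bits(msg))]
    def verify(pk, msg, sig):
        return len(sig) == 256 and all(
            H(s) == pair[bit] for s, pair, bit in zip(sig, pk, bits(msg)))
    return keygen, sign, verify

# Agility: swapping or adding a scheme is a registry edit, not a protocol redesign.
REGISTRY = {"classical-standin": lamport("sha256"),
            "pq-standin": lamport("sha3_256")}

def hybrid_keygen(alg_ids):
    keys = {a: REGISTRY[a][0]() for a in alg_ids}
    sk = {a: k[0] for a, k in keys.items()}
    pk = {a: k[1] for a, k in keys.items()}  # pinned record defines the required set
    return sk, pk

def bind(alg_ids, msg):
    """Prefix the message with the algorithm set so components cannot be reused alone."""
    return ",".join(sorted(alg_ids)).encode() + b"|" + msg

def hybrid_sign(sk, msg):
    return {a: REGISTRY[a][1](k, bind(sk, msg)) for a, k in sk.items()}

def hybrid_verify(pk, msg, sigs):
    """Accept only if every algorithm in the pinned key record verifies."""
    if set(sigs) != set(pk):                 # stripped or extra component: reject
        return False
    return all(REGISTRY[a][2](pk[a], bind(pk, msg), sigs[a]) for a in pk)

if __name__ == "__main__":
    sk, pk = hybrid_keygen(["classical-standin", "pq-standin"])
    sig = hybrid_sign(sk, b"constructed sample message")
    print("both components valid:", hybrid_verify(pk, b"constructed sample message", sig))
    sig.pop("pq-standin")
    print("one component stripped:", hybrid_verify(pk, b"constructed sample message", sig))
```
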

Signature aggregation and compression techniques aim to reduce the on-chain footprint of large numbers of post-quantum signatures, particularly for validator and consensus signatures, which are the most numerous on many networks. These are active areas of research rather than settled solutions.

The Honest Timeline

The migration to post-quantum signatures is a decade-scale undertaking, not a single upgrade. The standards exist now. ML-DSA is finalized; FN-DSA is close. But rewriting the cryptographic foundations of the internet (certificate authorities, secure messaging, financial settlement, and blockchains) is a coordination problem of enormous scale.

For blockchains specifically, the migration is also a governance problem. Changing the signature scheme is a consensus-breaking change that requires every participant to upgrade. It is the kind of change that requires the coalition coordination and deliberate governance design that distinguishes resilient protocols from fragile ones.

The organizations that begin planning now, auditing where they rely on quantum-vulnerable signatures, designing for cryptographic agility, and understanding the size and performance implications of the post-quantum schemes, will migrate on their own timeline. Those that wait until a cryptographically relevant quantum computer is announced will migrate under pressure, which is always more expensive and more error-prone.

Post-quantum cryptography is not a future technology. The standards are here. The migration has started. The only open question for any given organization is whether it leads or follows.

---

*Sources: NIST, 'NIST Releases First 3 Finalized Post-Quantum Encryption Standards' (August 2024, nist.gov) · NIST FIPS 204, Module-Lattice-Based Digital Signature Standard (nvlpubs.nist.gov) · DigiCert, 'An In-Depth Look At The NIST PQC Algorithms' (digicert.com) · Prof Bill Buchanan OBE FRSE, 'Get Ready for FN-DSA' (Medium, March 2025) · 'Performance Analysis and Industry Deployment of Post-Quantum Cryptography Algorithms' (arxiv.org/html/2503.12952v1) · Comparative lattice signature analysis (arxiv.org/pdf/2601.17785) · Jung-Hua Liu, 'Post-Quantum Roadmaps for Blockchain Ecosystems' (Medium) · SynX, 'Comparing Post-Quantum Signature Schemes: Dilithium, Falcon, SPHINCS+'*
