The race to standardize post-quantum signature algorithms is heating up. NIST has advanced nine new candidates for future standardization, but Cloudflare argues that none of them are ready for prime-time deployment. For now, ML-DSA (FIPS 204) remains the best available option — even if it's not ideal.
- NIST announced nine new candidate algorithms for post-quantum signatures, including SQIsign, HAWK, and UOV. These are still under evaluation and far from final approval.
- ML-DSA (formerly Dilithium) is currently the only standardized post-quantum signature scheme (FIPS 204). Cloudflare has already implemented it in production for
x509certificates andTLShandshakes. - The main drawbacks of ML-DSA are large signature sizes (around 2.5 KB for the recommended security level) and slower verification compared to classical ECDSA or EdDSA. This impacts bandwidth and latency.
- The nine new candidates aim to address these issues, offering smaller signatures (e.g., SQIsign targets ~200 bytes) or faster verification. However, none have passed rigorous cryptanalysis or achieved standardization.
- Cloudflare's recommendation: use ML-DSA now where post-quantum security is required, and plan to migrate to newer algorithms once they are standardized (likely in 2–4 years). The
opensslproviderandliboqslibraries support ML-DSA today.
For developers, this means you should start integrating ML-DSA into your applications that need long-term security, such as code signing, certificate transparency, and TLS 1.3. While waiting for better algorithms, ML-DSA is the only battle-tested option. Keep an eye on the NIST process but don't delay deployment — quantum threats will arrive before perfect signatures do.