RSA and ECC, cryptographic algorithms that we’ve all relied on for decades, are vulnerable to the attack of sufficiently advanced quantum computers. Such quantum computers do not exist yet, but they seem to be coming sooner than expected. Luckily, the solution is already available: migrate to ML-KEM encryption and ML-DSA signatures, which are designed to be resistant to quantum attack.
They were standardized in 2024 by the U. S. National Institute of Standards and Technology (NIST) after an eight-year open international competition.
The migration to post-quantum cryptography is in full swing now. At the time of writing, the majority of traffic handled by Cloudflare is already using ML-KEM encryption, and is thus secured against the threat to data posed by harvest-now-decrypt-later attacks. But encryption is only one part of the equation: to be fully secure against quantum computers capable of breaking classical cryptography, we aim to deploy post-quantum signatures to protect authentication systems from unauthorized access.
We are targeting 2029 for Cloudflare to be fully post-quantum secure. ML-DSA, the best all-around post-quantum signature scheme standardized today, has its downsides: it’s much larger on the wire, and many tricks we were able to perform with RSA and ECC simply cannot be done with ML-DSA. There are better post-quantum signature schemes on the horizon: last month, NIST announced that it is advancing nine post-quantum signature schemes to the third round of the “ signatures on-ramp ”.
And a draft standard for FN-DSA (née Falcon), which was picked from the previous competition, is expected imminently. We have been very interested in advances in post-quantum signature algorithms, and wrote about the progress in 2021 , 2022 , 2024 , and 2025 . In this blog post we’ll treat you to the latest developments in great detail.
But first we have to deal with the elephant in the room: These new signature algorithms will not be ready in time for the PQ transition — not even close, as we will see later on . The problem is arriving too soon for us to wait. ML-DSA is available today, and it will have to do for the first migration.
As Eric Rescorla wrote in 2024: You go to war with the algorithms you have, not the ones you wish you had. Nonetheless, the search for better post-quantum signature algorithms is crucial for several reasons, and we firmly believe it is still the best use of NIST’s limited resources. Let’s have a look at the signature algorithms in detail.
After that we’ll look at the timeline for their availability, and the reasons why we still need them. The signature algorithms In the table below, we compare the candidate signature algorithms that progressed to the third round (marked by 🤔), with classical algorithms vulnerable to quantum attack (marked by ❌), and the post-quantum algorithms that are already standardized ( ✅) or soon will be (📝).
Each candidate proposes several variants. We list the most relevant variants to TLS, the protocol used to secure connections on the Internet. To explore all variants, check out Thom Wigger ’s signatures zoo .
Sizes (bytes) CPU time (lower is better) Family Name variant A Public key Signature Signing Verification Elliptic curves Ed25519 ❌ 32 64 0. 15 1. 3 Factoring RSA 2048 ❌ 272 256 80 0.
4 Lattices ML-DSA 44 ✅ 1,312 2,420 1 (baseline) 1 (baseline) Symmetric SLH-DSA 128s ✅ 32 7,856 14,000 40 SLH-DSA 128f ✅ 32 17,088 720 110 SLH-DSA 128-24 📝 32 3,856 7,000,000 ⚠️ 4 LMS M24_H20_W8 ✅ 48 1,112 2. 9 ⚠️ 8. 4 Lattices FN-DSA 512 📝 897 666 3 ⚠️ 0.
7 Lattices HAWK 512 🤔 1,024 555 0. 25 1. 2 Proof of knowledge MQOM L1-gf16-fast-5r 🤔 60 3,280 8 20 SDitH SDitH2-L1-gf2-fast 🤔 70 4,484 15 40 FAEST EM-128f 🤔 32 5,060 4.
2 9 Isogeny SQIsign I 🤔 65 148 300 ⚠️ 50 Multivariate MAYO one 🤔 1,420 454 2. 1 0. 4 MAYO two 🤔 4,912 186 1.
1 0. 8 QR-UOV I-(127 156 54 3) 🤔 24,225 200 9. 3 20 SNOVA (24,5,4) 🤔 1,016 248 1.
2 1. 7 SNOVA (25,8,3) 🤔 2,320 165 1 1. 5 SNOVA (37,17,2) 🤔 9,842 124 0.
8 1. 3 UOV Is-pkc 🤔 66,576 96 0. 3 2.
4 UOV Ip-pkc 🤔 43,576 128 0. 3 2 A few more remarks on this table: Most candidates have multiple variants in every security level. We show the most relevant variants for TLS at the 128-bit security level, the gold standard for security.
CPU times are taken from the signatures zoo in June 2026, which collected them from the round two submission documents and later advances. Candidates are allowed to make changes for the third round, which will influence these numbers. Some will improve (both in compute and size), whereas others will regress to counter new attacks.
Check out the zoo for the latest numbers. We marked FN-DSA and SQIsign signing with a ⚠️️, as both are hard to implement in a fast and timing side-channel secure manner. LMS signing has a ⚠️, as secure LMS signing requires keeping state across signatures, and the listed signing time assumes a 32MB cache.
The 128-24 variant of SLH-DSA is marked with a ⚠️️ as it’s meant to create fewer than 2 24 signatures. No "all-star" algorithm One thing that stands out immediately is that the quantum-vulnerable elliptic curves signature algorithm Ed25519 is by far the best all-around choice (ignoring its quantum vulnerability): it has the best numbers in almost every single metric, including public key size, signature size, and signing time.
It’s only beaten on verification time, but it’s more than fast enough for the vast majority of applications. This is quite different than the roster of post-quantum algorithms. Instead of a single "all-star" algorithm, we have roughly two categories of schemes: the "specialists" that approach our trusty elliptic curve signatures on some metrics, but are problematic on others, which make them great in the right deployment scenario.
Then there are the “generalists”, such as ML-DSA, which don’t perform as well as elliptic curves on all metrics, but so far as downsides go, are pretty balanced. Specialists Let’s start with the specialists.
Originally published at blog.cloudflare.com


