ML-DSA (FIPS 204) and SLH-DSA (FIPS 205)
Compare CRYSTALS-Dilithium lattice signatures with SPHINCS+ hash-based signatures and their trade-offs.
ML-DSA Origins
ML-DSA (Module-Lattice-based Digital Signature Algorithm), standardized as FIPS 204, is derived from CRYSTALS-Dilithium. Dilithium was designed by Ducas, Kiltz, Lepoint, Lyubashevsky, Schwabe, Seiler, and Stehle and submitted to NIST in 2017. It uses the Fiat-Shamir with aborts framework applied to Module-LWE, producing a practical signature scheme with strong security proofs.
Fiat-Shamir with Aborts
Classical Fiat-Shamir transforms interactive identification protocols into signatures. For lattice schemes, a direct application leaks information about the secret key through the response vector. The "with aborts" technique by Lyubashevsky adds rejection sampling: the signer checks if the response would reveal information and aborts and retries if so. This adds a small signing overhead but is essential for security.
All lessons in this course
- The NIST PQC Competition: Process and Criteria
- ML-KEM (FIPS 203): CRYSTALS-Kyber Standardized
- ML-DSA (FIPS 204) and SLH-DSA (FIPS 205)
- Planning Your Migration to Post-Quantum Standards