🔐 Introduction
As quantum computing threatens to break classical public key cryptography, the CRYSTALS-Dilithium algorithm—also referred to in many implementations as ML-DSA (Module Lattice Digital Signature Algorithm)—has emerged as the leading post-quantum signature scheme standardized by NIST in 2024.
Dilithium comes in three main security levels:
- ML-DSA-44 (Level 1)
- ML-DSA-65 (Level 3)
- ML-DSA-87 (Level 5)
In this post, we’ll break down the key differences between these levels in terms of security, performance, key/signature sizes, and recommended use cases.
🧠 What Is CRYSTALS-Dilithium?
CRYSTALS-Dilithium is a lattice-based, stateless, post-quantum digital signature scheme. It is built on the Module Learning With Errors (Module-LWE) and Module-SIS problems, which are believed to be resistant even to powerful quantum computers.
It’s efficient, simple to implement, and has proven security reductions, making it ideal for widespread adoption.
📊 At a Glance: Comparison Table
| Variant | NIST Security Level | Public Key Size | Signature Size | Private Key Size | Ideal Use Case |
|---|---|---|---|---|---|
| ML-DSA-44 | Level 1 (AES-128) | 1,312 bytes | 2,420 bytes | 2,528 bytes | IoT, mobile apps, fast auth |
| ML-DSA-65 | Level 3 (AES-192) | 1,952 bytes | 4,000 bytes | 4,064 bytes | General-purpose apps, secure email |
| ML-DSA-87 | Level 5 (AES-256) | 2,592 bytes | 4,592 bytes | 4,880 bytes | Long-term security, critical infrastructure |
🔍 Core Differences Between ML-DSA-44, 65, and 87
1. 🔐 Security Strength
- ML-DSA-44 provides classical 128-bit security, suitable for everyday applications.
- ML-DSA-65 targets 192-bit security, offering stronger protection for sensitive operations.
- ML-DSA-87 delivers 256-bit post-quantum security, ideal for long-term privacy and national security-grade systems.
🔒 Choose higher levels for sensitive data, long-term secrecy, or highly regulated environments.
2. 📦 Key and Signature Sizes
As the security level increases, so do the key and signature sizes:
- ML-DSA-44 is compact—ideal for low-resource environments.
- ML-DSA-65 strikes a balance between size and strength.
- ML-DSA-87 is the most robust but incurs larger storage and bandwidth costs.
| Metric | ML-DSA-44 | ML-DSA-65 | ML-DSA-87 |
|---|---|---|---|
| Public Key | 1.3 KB | 1.9 KB | 2.5 KB |
| Signature | 2.4 KB | 4.0 KB | 4.6 KB |
| Private Key | 2.5 KB | 4.0 KB | 4.8 KB |
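The following is an added example, not code from the original post: a rough estimate of how many bytes of ML-DSA keys and signatures a certificate chain puts on the wire, using the public key and signature sizes from the comparison table above. The chain model (each transmitted certificate carries one public key and one issuer signature, plus one handshake signature from the leaf key) and the names `chain_auth_bytes` and `strongest_fitting` are assumptions made for illustration.

```python
# Added example. Sizes in bytes are copied from the comparison table on this
# page; substitute the lengths your own library reports before relying on them.
# variant -> (NIST level, public key bytes, signature bytes)
SIZES = {
    "ML-DSA-44": (1, 1312, 2420),
    "ML-DSA-65": (3, 1952, 4000),
    "ML-DSA-87": (5, 2592, 4592),
}


def chain_auth_bytes(chain, sizes=SIZES):
    """Bytes of ML-DSA material sent to authenticate one peer.

    chain lists the certificates actually transmitted, leaf first, as
    (subject_variant, issuer_variant). Assumed model: every certificate
    carries its subject public key and one issuer signature, and the leaf
    key adds one handshake signature. Other certificate fields are ignored.
    """
    if not chain:
        raise ValueError("chain must contain at least the leaf certificate")
    total = 0
    for subject, issuer in chain:
        total += sizes[subject][1] + sizes[issuer][2]
    leaf_variant = chain[0][0]
    return total + sizes[leaf_variant][2]


def strongest_fitting(n_certs, budget, min_level=1, sizes=SIZES):
    """Highest-level variant whose uniform n_certs chain fits budget, else None."""
    best = None
    for name, (level, _pk, _sig) in sizes.items():
        if level < min_level:
            continue
        cost = chain_auth_bytes([(name, name)] * n_certs, sizes)
        if cost <= budget and (best is None or level > sizes[best][0]):
            best = name
    return best


if __name__ == "__main__":
    for name in SIZES:
        print(name, chain_auth_bytes([(name, name)] * 2))
    # Constructed mixed deployment: small leaf key under an ML-DSA-87 CA.
    mixed = [("ML-DSA-44", "ML-DSA-87"), ("ML-DSA-87", "ML-DSA-87")]
    print("mixed", chain_auth_bytes(mixed))
    print("fits 16000 bytes:", strongest_fitting(2, 16000))
```

The mixed chain shows that a small leaf key does not shrink the signatures its issuers add, so the CA's variant dominates the total.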
3. ⚙️ Performance
- Signature generation is fastest at the lower levels (ML-DSA-44), making it ideal for authentication-heavy apps.
- Verification performance is consistent across levels, though slightly slower at higher security levels.
- All variants offer strong side-channel resistance and support constant-time implementations.
🧩 Use Case Recommendations
✅ ML-DSA-44
- 🔸 Recommended For: Low-end devices, IoT, smartcards, mobile apps
- 🔸 Why? Small keys and fast execution, yet still quantum-safe
✅ ML-DSA-65
- 🔸 Recommended For: Web services, secure messaging, general software applications
- 🔸 Why? Balanced trade-off between performance and stronger security
✅ ML-DSA-87
- 🔸 Recommended For: Government systems, blockchain, critical infrastructure
- 🔸 Why? Maximum assurance, long-term data confidentiality
📦 Real-World Integration
CRYSTALS-Dilithium has already been integrated into:
- OpenSSL 3.2+ (with PQC hybrid mode support)
- BoringSSL and WolfSSL (experimental branches)
- TLS 1.3 Hybrid Key Exchange (via NIST PQC Interoperability Profiles)
- FIDO2 and WebAuthn prototypes
It’s also supported in reference implementations from NIST, PQClean, and liboqs.
✅ Summary: Which Variant Should You Choose?
| If You Need… | Choose… |
|---|---|
| Lightweight, fast signatures | ML-DSA-44 |
| Balanced performance and security | ML-DSA-65 |
| Maximum security and longevity | ML-DSA-87 |
For most enterprise applications today, ML-DSA-65 is a safe and scalable default. But for systems that must remain secure for decades, ML-DSA-87 offers long-term peace of mind.