NIST selected multiple post-quantum signature algorithms to address different use cases. CRYSTALS-Dilithium (ML-DSA) and FALCON are the two primary choices. Understanding their trade-offs helps you select the right algorithm for your application.
Algorithm Overview
Both algorithms are lattice-based but use different mathematical approaches:
- Dilithium: Based on Module-LWE and Module-SIS problems using "Fiat-Shamir with Aborts"
- FALCON: Based on NTRU lattices using GPV framework with fast Fourier sampling
Key and Signature Sizes
One of the most significant differences is size:
Size Comparison (Security Level 3)
Dilithium3: Public key 1,952 bytes, Signature 3,293 bytes
FALCON-512: Public key 897 bytes, Signature 666 bytes
FALCON offers significantly smaller signatures—roughly 5x smaller than Dilithium. This makes FALCON attractive for bandwidth-constrained applications like blockchain transactions or IoT devices.
Performance Characteristics
Performance varies by operation:
- Key Generation: Dilithium is faster (FALCON requires complex precomputation)
- Signing: Dilithium is faster and more consistent
- Verification: FALCON is faster
Dilithium's signing time is predictable, while FALCON's can vary due to its rejection sampling. This matters for real-time applications with strict latency requirements.
Implementation Complexity
Dilithium is significantly easier to implement correctly:
- Dilithium: Uses simple operations, easier constant-time implementation
- FALCON: Requires floating-point arithmetic and complex sampling, harder to secure against side-channel attacks
For organizations implementing their own cryptographic code (not recommended but sometimes necessary), Dilithium presents fewer pitfalls.
Side-Channel Resistance
Side-channel attacks extract secrets by analyzing timing, power consumption, or electromagnetic emissions:
- Dilithium: Designed with side-channel resistance in mind; constant-time implementations are straightforward
- FALCON: More challenging to protect; floating-point operations are notoriously difficult to make constant-time
Use Case Recommendations
Based on these trade-offs:
Choose Dilithium when:
- Implementation simplicity is important
- Signing performance and consistency matter
- Side-channel resistance is critical
- Bandwidth isn't severely constrained
Choose FALCON when:
- Signature and key size are paramount
- Verification speed is more important than signing
- Using well-audited library implementations
- Applications like blockchain or certificates where size matters
What H33 Uses
H33 primarily uses Dilithium3 for our authentication signatures. The reasons:
- Consistent signing performance for real-time auth (we guarantee 1.28ms)
- Simpler side-channel protection in our secure enclaves
- NIST's primary recommendation for general-purpose use
We may add FALCON support for specific use cases where signature size is critical, such as blockchain attestations.
Future Considerations
Both algorithms are strong choices with different strengths. The cryptographic community continues to analyze both, and neither shows signs of weakness. Your choice should be driven by your application's specific requirements around size, performance, and implementation constraints.
Ready to Go Quantum-Secure?
Start protecting your users with post-quantum authentication today. 1,000 free auths, no credit card required.
Get Free API Key →