06 — Security Levels
Three Levels, Three Use Cases
ML-DSA comes in three flavours. The differences are in the lattice dimension, the number of polynomials, and the bounds used in rejection sampling.
| | ML-DSA-44 | ML-DSA-65 | ML-DSA-87 |
|---|---|---|---|
| NIST Security Level | Level 2 | Level 3 | Level 5 |
| Classical equivalent | AES-128 | AES-192 | AES-256 |
| Module rank (k/l) | 4/4 | 6/5 | 8/7 |
| Public key | 1,312 B | 1,952 B | 2,592 B |
| Signature | 2,420 B | 3,293 B | 4,595 B |
| Sign time | ~300 µs | ~500 µs | ~800 µs |
| Verify time | ~80 µs | ~120 µs | ~180 µs |
What the Numbers Mean
k and l (Module Dimensions)
The matrix A has dimensions k×l over the polynomial ring:
- ML-DSA-44: A is 4×4 → 16 polynomials total
- ML-DSA-65: A is 6×5 → 30 polynomials total
- ML-DSA-87: A is 8×7 → 56 polynomials total
Higher k and l mean:
- More LWE equations (harder to solve)
- Larger public key (more polynomials to store)
- Larger signature (more response coefficients)
γ₁ and γ₂ (Bounds)
- γ₁: The bound on the mask y used in rejection sampling on z = y + c·s₁. A larger γ₁ means a wider mask, so fewer signing attempts are rejected, but each coefficient of z needs more bits and the signature grows.
- γ₂: The low-order rounding range used when computing the hint polynomials. It controls how much information the hint reveals.
τ (Number of 1s in Challenge)
The challenge c is a sparse polynomial with exactly τ coefficients equal to ±1 and the rest 0:
- ML-DSA-44: τ = 39
- ML-DSA-65: τ = 49
- ML-DSA-87: τ = 60
Higher τ = more terms in c·s₁ = harder to forge but slightly larger signatures.
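To make the relationships above concrete, here is an added worked example (written for this page, not code from FIPS 204 or from the Dilithium team). It derives the public-key and signature sizes of the three parameter sets from k, l, γ₁ and ω, computes β = τ·η (the infinity-norm bound on c·s₁ that the rejection check uses), and samples a challenge polynomial with exactly τ non-zero ±1 coefficients using the SampleInBall construction. The parameter values are those of FIPS 204 Table 1; the seed string is constructed. One caveat the table above does not show: FIPS 204 lengthens the challenge hash c̃ to λ/4 bytes, so its signature sizes for ML-DSA-65 and ML-DSA-87 are 3,309 B and 4,627 B, while the 3,293 B and 4,595 B figures correspond to the 32-byte c̃ of round-3 Dilithium; the function takes the c̃ length as a parameter so both can be reproduced.

```python
"""Added example: ML-DSA parameter arithmetic and challenge sampling.
Not code from the original page, FIPS 204 or the Dilithium reference."""
import hashlib
from dataclasses import dataclass
from typing import List

N = 256         # polynomial degree (ring Z_q[X]/(X^256 + 1))
Q = 8380417     # modulus q = 2^23 - 2^13 + 1
D = 13          # low-order bits dropped from t when forming t1


@dataclass(frozen=True)
class Params:
    name: str
    k: int        # rows of A (length of t, w, h)
    l: int        # columns of A (length of s1, y, z)
    eta: int      # secret-key coefficient bound
    tau: int      # number of +/-1 entries in the challenge c
    lam: int      # collision strength of c~ in bits
    gamma1: int   # mask bound: z coefficients lie in (-gamma1, gamma1)
    gamma2: int   # low-order rounding range (hint)
    omega: int    # maximum number of 1s in the hint h

    @property
    def beta(self) -> int:
        # c has tau entries of +/-1 and s1 coefficients lie in [-eta, eta],
        # so every coefficient of c*s1 is bounded by tau*eta.
        return self.tau * self.eta


# FIPS 204 Table 1 values for the three parameter sets.
ML_DSA_44 = Params("ML-DSA-44", 4, 4, 2, 39, 128, 1 << 17, (Q - 1) // 88, 80)
ML_DSA_65 = Params("ML-DSA-65", 6, 5, 4, 49, 192, 1 << 19, (Q - 1) // 32, 55)
ML_DSA_87 = Params("ML-DSA-87", 8, 7, 2, 60, 256, 1 << 19, (Q - 1) // 32, 75)


def polys_in_a(p: Params) -> int:
    """Number of polynomials in the public matrix A."""
    return p.k * p.l


def public_key_bytes(p: Params) -> int:
    """rho (32 B) + t1: k polynomials, each coefficient bitlen(q-1) - d bits."""
    t1_bits = (Q - 1).bit_length() - D          # 23 - 13 = 10 bits
    return 32 + p.k * N * t1_bits // 8


def signature_bytes(p: Params, ctilde_bytes: int = 0) -> int:
    """c~ + z (l polynomials, sign bit + log2(gamma1) bits each) + hint (omega + k)."""
    if ctilde_bytes == 0:
        ctilde_bytes = p.lam // 4                # FIPS 204: |c~| = lambda/4 bytes
    z_bits = 1 + (p.gamma1 - 1).bit_length()    # 18 bits for 2^17, 20 bits for 2^19
    return ctilde_bytes + p.l * N * z_bits // 8 + p.omega + p.k


def sample_in_ball(p: Params, seed: bytes) -> List[int]:
    """SampleInBall: a polynomial with exactly tau coefficients in {+1, -1}
    and the rest 0, derived deterministically from seed via SHAKE256."""
    # SHAKE256 is a stream, so one long squeeze equals repeated short ones:
    # 8 sign bytes followed by candidate index bytes (4096 is ample for
    # the ~tau draws needed, each rejected with probability < 16%).
    stream = hashlib.shake_256(seed).digest(8 + 4096)
    signs = int.from_bytes(stream[:8], "little")
    pos = 8
    c = [0] * N
    for i in range(N - p.tau, N):
        while True:                               # j uniform in [0, i] by rejection
            j = stream[pos]
            pos += 1
            if j <= i:
                break
        c[i] = c[j]                               # Fisher-Yates style swap
        c[j] = 1 - 2 * ((signs >> (i + p.tau - N)) & 1)   # +1 or -1
    return c


def challenge_weight(c: List[int]) -> int:
    """Number of non-zero coefficients; every coefficient must be -1, 0 or 1."""
    if any(x not in (-1, 0, 1) for x in c):
        raise ValueError("challenge coefficients must lie in {-1, 0, 1}")
    return sum(1 for x in c if x != 0)


if __name__ == "__main__":
    for p in (ML_DSA_44, ML_DSA_65, ML_DSA_87):
        c = sample_in_ball(p, b"constructed seed, not from any real signature")
        print(f"{p.name}: A has {polys_in_a(p)} polys, pk {public_key_bytes(p)} B, "
              f"sig {signature_bytes(p)} B (FIPS 204) / {signature_bytes(p, 32)} B "
              f"(32-byte c~), beta {p.beta}, challenge weight {challenge_weight(c)}")
```

The size functions show directly why k drives the public key (320 bytes per extra row of t₁) while l and γ₁ drive the signature (640 bytes per extra polynomial of z at 20 bits per coefficient), and why ML-DSA-65 and ML-DSA-87 share the same per-coefficient cost for z despite their different ranks.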
How to Choose
Default: ML-DSA-65
Use this unless you have a specific reason not to.
Why:
- Security Level 3 (≈ AES-192) — strong margin
- Reasonable signature size (~3.3 KB) — acceptable for TLS, code signing
- NIST recommends Level 3 as the minimum for general use
Use ML-DSA-44 When
- Constrained bandwidth (IoT, SMS, high-frequency trading)
- Short-term signatures (session tickets, temporary tokens)
- Performance-critical signing pipelines
Caution: Level 2 provides ~128-bit classical security but only ~64-bit quantum security (against Grover). For long-term document signatures, this may be insufficient.
Use ML-DSA-87 When
- High-assurance environments (military, critical infrastructure root CAs)
- Long-term legal documents (contracts with 10+ year validity)
- Regulatory requirement for highest security level
- Root certificates in PKI hierarchies (compromise is catastrophic)
Trade-off: 4.6 KB signatures. Fine for occasional operations (certificate issuance, firmware signing), but large for high-frequency protocols.
Signature Size Impact on Protocols
| Protocol | Typical payload | Per-signature overhead | ML-DSA-65 impact |
|---|---|---|---|
| TLS handshake | ~2–4 KB | +3.3 KB | Significant; consider FN-DSA for bandwidth |
| Code signing | 1–100 MB | +3.3 KB | Negligible |
| Document signing (PDF) | 10 KB–10 MB | +3.3 KB | Negligible |
| Blockchain (Bitcoin-like) | ~250 B tx | +3.3 KB | Very significant; 13× larger |
| Firmware image | 1–50 MB | +3.3 KB | Negligible |
| Git commits | ~100 B–10 KB | +3.3 KB | Significant for small commits |
Comparison with Classical and Other PQC
| | ECDSA P-256 | RSA-2048 | ML-DSA-65 | FN-DSA-512 | SLH-DSA-SHA2-128s |
|---|---|---|---|---|---|
| Public key | 32 B | 256 B | 1,952 B | 897 B | 32 B |
| Signature | 64 B | 256 B | 3,293 B | 666 B | 7,856 B |
| Security (classical) | ~128 bit | ~112 bit | ~192 bit | ~128 bit | ~128 bit |
| Quantum security | 0 | 0 | ~96 bit | ~64 bit | ~64 bit |
| Speed (sign) | ~50 µs | ~5 ms | ~500 µs | ~1 ms | ~10 ms |
| Speed (verify) | ~100 µs | ~150 µs | ~120 µs | ~100 µs | ~1 ms |
Resources
- NIST FIPS 204, Section 4: Parameter Sets
- NIST IR 8547: Transition to Post-Quantum Cryptography
- CRYSTALS-Dilithium specification: parameter rationale