01 — Why We Need ML-DSA
What Digital Signatures Do
A digital signature is a cryptographic proof that binds three things:
- A message — the document, software, or transaction
- A signer — identified by their public key
- A moment in time — the signature cannot be created before the private key existed
Unlike a handwritten signature (easy to forge), a digital signature is:
- Unforgeable — only the private key holder can create it
- Verifiable — anyone with the public key can check it
- Non-repudiable — the signer cannot later deny having signed
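The three properties above can be checked directly. The following Go program is an added example (not from the original page) that uses the standard library's Ed25519 and ECDSA P-256 implementations as stand-ins for any signature scheme: it signs a constructed sample message and confirms that the genuine signature verifies, that a one-byte change to the message is rejected, and that the signature does not verify under an unrelated signer's public key. The `Verdict` type and the `demo*` function names are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Verdict records the three checks a verifier relies on: a genuine
// signature is accepted, a modified message is rejected, and the signature
// does not verify under anyone else's public key.
type Verdict struct {
	GenuineAccepted  bool
	TamperedRejected bool
	WrongKeyRejected bool
}

// flipByte returns a copy of msg with its first byte altered, modelling a
// document that was changed after signing.
func flipByte(msg []byte) []byte {
	out := append([]byte(nil), msg...)
	out[0] ^= 0x01
	return out
}

// demoEd25519 signs msg with a fresh Ed25519 key and runs the three checks.
func demoEd25519(msg []byte) (Verdict, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Verdict{}, err
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader) // an unrelated signer
	if err != nil {
		return Verdict{}, err
	}
	sig := ed25519.Sign(priv, msg)
	return Verdict{
		GenuineAccepted:  ed25519.Verify(pub, msg, sig),
		TamperedRejected: !ed25519.Verify(pub, flipByte(msg), sig),
		WrongKeyRejected: !ed25519.Verify(otherPub, msg, sig),
	}, nil
}

// demoECDSA does the same with ECDSA over P-256. ECDSA signs a digest, so
// the hash-then-sign step that the page's table calls "unchanged" is explicit.
func demoECDSA(msg []byte) (Verdict, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Verdict{}, err
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // unrelated signer
	if err != nil {
		return Verdict{}, err
	}
	digest := sha256.Sum256(msg)
	tampered := sha256.Sum256(flipByte(msg))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return Verdict{}, err
	}
	return Verdict{
		GenuineAccepted:  ecdsa.VerifyASN1(&priv.PublicKey, digest[:], sig),
		TamperedRejected: !ecdsa.VerifyASN1(&priv.PublicKey, tampered[:], sig),
		WrongKeyRejected: !ecdsa.VerifyASN1(&other.PublicKey, digest[:], sig),
	}, nil
}

func main() {
	msg := []byte("transfer 100 to account 42") // constructed sample message
	demos := map[string]func([]byte) (Verdict, error){
		"Ed25519":    demoEd25519,
		"ECDSA-P256": demoECDSA,
	}
	for name, demo := range demos {
		v, err := demo(msg)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%-10s %+v\n", name, v)
	}
}
```

Both schemes share the same verification contract (message, public key, signature in, accept/reject out), which is the slot an ML-DSA verifier fills; only the key and signature encodings differ.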
Where Signatures Are Used
| Use Case | What Signs | Consequence of Forgery |
|---|---|---|
| TLS certificates | Certificate authorities sign domain certificates | Fake bank websites, man-in-the-middle attacks |
| Software updates | Vendor signs OS patches, app updates | Malware injection, supply chain attacks |
| Code signing | Developer signs binaries, packages | Trojanised software, compromised build pipelines |
| Document signing | CEO/lawyer signs contracts, filings | Fraudulent transactions, invalid legal agreements |
| Blockchain | Transaction signatures | Stolen cryptocurrency, unauthorised transfers |
| Firmware | Manufacturer signs device firmware | Bricked devices, persistent backdoors |
The Quantum Threat
How Shor's Algorithm Forges Signatures
RSA signatures:
- Signature: σ = m^d mod n (where d is the private key)
- Verification: σ^e ≡ m mod n (where e is the public key)
- Shor's algorithm factors n into p and q, which yields φ(n) = (p−1)(q−1) and hence d = e⁻¹ mod φ(n) from the public (n, e)
- Result: Anyone can now forge signatures
ECDSA/EdDSA signatures:
- Signature: (r, s) where s = k⁻¹(H(m) + d·r) mod the group order, with k a fresh secret nonce per signature
- d is the private key (discrete log of public key Q = d·G)
- Shor's algorithm solves the discrete log, recovering d
- Result: Anyone can now forge signatures
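To make the RSA case concrete, the following Go program is an added example (not from the original page). It implements textbook RSA (no padding) with the constructed classic parameters p = 61, q = 53, e = 17, and shows that the private exponent d is a deterministic function of the factors of n: anyone who learns p and q, which is exactly what Shor's algorithm outputs for n, rederives the same d and can produce signatures that verify under the original public key. The function names and the `PublicKey` type are mine.

```go
package main

import (
	"fmt"
	"math/big"
)

// PublicKey is the RSA public key (n, e). The private key is the exponent d.
type PublicKey struct{ N, E *big.Int }

// keyFromFactors derives (n, e) and d from the primes p, q and the public
// exponent e. Since d = e^-1 mod (p-1)(q-1), the private key is entirely
// determined by the factorisation of n.
func keyFromFactors(p, q, e *big.Int) (PublicKey, *big.Int, error) {
	one := big.NewInt(1)
	n := new(big.Int).Mul(p, q)
	phi := new(big.Int).Mul(new(big.Int).Sub(p, one), new(big.Int).Sub(q, one))
	d := new(big.Int).ModInverse(e, phi)
	if d == nil {
		return PublicKey{}, nil, fmt.Errorf("e=%v is not invertible mod phi=%v", e, phi)
	}
	return PublicKey{N: n, E: e}, d, nil
}

// sign computes sigma = m^d mod n; m must be smaller than n.
func sign(pub PublicKey, d, m *big.Int) *big.Int {
	return new(big.Int).Exp(m, d, pub.N)
}

// verify checks sigma^e == m (mod n) using only the public key.
func verify(pub PublicKey, m, sigma *big.Int) bool {
	return new(big.Int).Exp(sigma, pub.E, pub.N).Cmp(m) == 0
}

func main() {
	// Constructed toy parameters (the classic textbook example): n = 3233, d = 2753.
	p, q, e := big.NewInt(61), big.NewInt(53), big.NewInt(17)
	pub, d, err := keyFromFactors(p, q, e)
	if err != nil {
		panic(err)
	}
	m := big.NewInt(65)
	sigma := sign(pub, d, m)
	fmt.Printf("n=%v e=%v d=%v sigma=%v verifies=%v\n", pub.N, pub.E, d, sigma, verify(pub, m, sigma))
	fmt.Println("altered message verifies:", verify(pub, big.NewInt(66), sigma))

	// A party holding only (n, e) plus the factors p, q recomputes the identical d.
	_, dRecovered, _ := keyFromFactors(p, q, e)
	fmt.Println("recovered d equals original d:", dRecovered.Cmp(d) == 0)
	m2 := big.NewInt(42)
	fmt.Println("signature made with recovered d verifies under the original key:",
		verify(pub, m2, sign(pub, dRecovered, m2)))
}
```

The key size does not change this picture: a 2048-bit n is only harder to factor, not structurally different, which is why the page's timeline treats factoring capacity rather than key length as the deciding quantity.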
Timeline
| Year | Milestone | Impact |
|---|---|---|
| 1994 | Shor's algorithm | Theoretical threat established |
| 2019 | 53-qubit Sycamore | Quantum supremacy demonstrated (non-cryptographic) |
| 2024 | 1,121-qubit Condor | Scaling trajectory clear |
| ~2030 | ~10,000 logical qubits | ECDSA broken (estimated) |
| ~2035 | ~1,000,000 physical qubits | RSA-2048 broken (estimated) |
The "Harvest Now, Forge Later" Attack
Even more insidious than decrypting recorded traffic:
- Adversary records signed documents/transactions today.
- They don't need to break anything now.
- In 10–15 years, they use a quantum computer to recover private keys from public keys.
- They forge backdated signatures on fraudulent documents.
- Legal, financial, and audit systems collapse because signature validity can no longer be trusted.
This is why the transition must happen BEFORE cryptographically relevant quantum computers exist.
What ML-DSA Fixes
ML-DSA signatures are based on the Short Integer Solution (SIS) problem over lattices (ML-DSA uses the module variant, MSIS):
Given a matrix A and a bound β, find a short nonzero vector s such that A·s = 0 (mod q) and ||s|| ≤ β.
This problem has no periodic structure for Shor's algorithm to exploit. The best known quantum attack (Grover's) provides only a square-root speedup — insufficient to break practical parameters.
What Doesn't Change
| Layer | Before | After |
|---|---|---|
| Hash function | SHA-256 / SHA-3 | SHA-256 / SHA-3 (unchanged) |
| Message encoding | ASN.1 DER, JSON, XML | Same formats |
| PKI structure | X.509 certificates | X.509 v3 with new algorithm OIDs |
| Trust anchors | Root CA public keys | Root CA public keys (now ML-DSA) |
Only the signature algorithm changes. The surrounding infrastructure (hashing, certificate formats, trust chains) stays the same.
Resources
- Shor, "Algorithms for quantum computation" (1994)
- NIST IR 8547: Transition to Post-Quantum Cryptography
- CA/Browser Forum: Baseline Requirements updates for PQC certificates