Algorithm Reference
PQC Algorithm Sizes Reference
Section titled “PQC Algorithm Sizes Reference”Technical reference for NIST post-quantum algorithm variants.
ML-KEM (FIPS 203) — Key Encapsulation
Section titled “ML-KEM (FIPS 203) — Key Encapsulation”| Variant | Security Level | Public Key | Ciphertext | Shared Secret |
|---|---|---|---|---|
| ML-KEM-512 | Level 1 | 800 B | 768 B | 32 B |
| ML-KEM-768 | Level 3 | 1,184 B | 1,088 B | 32 B |
| ML-KEM-1024 | Level 5 | 1,568 B | 1,568 B | 32 B |
ML-DSA (FIPS 204) — Digital Signatures
Section titled “ML-DSA (FIPS 204) — Digital Signatures”| Variant | Security Level | Public Key | Signature |
|---|---|---|---|
| ML-DSA-44 | Level 2 | 1,312 B | 2,420 B |
| ML-DSA-65 | Level 3 | 1,952 B | 3,309 B |
| ML-DSA-87 | Level 5 | 2,592 B | 4,627 B |
SLH-DSA (FIPS 205) — Hash-Based Signatures
Section titled “SLH-DSA (FIPS 205) — Hash-Based Signatures”| Variant | Security Level | Public Key | Signature |
|---|---|---|---|
| SLH-DSA-128s | Level 1 | 32 B | 7,856 B |
| SLH-DSA-128f | Level 1 | 32 B | 17,088 B |
| SLH-DSA-192s | Level 3 | 48 B | 16,224 B |
| SLH-DSA-192f | Level 3 | 48 B | 35,664 B |
| SLH-DSA-256s | Level 5 | 64 B | 29,792 B |
| SLH-DSA-256f | Level 5 | 64 B | 49,856 B |
s = small signature (slower), f = fast signing (larger signature)
Security Levels
Section titled “Security Levels”| Level | Classical Equivalent | Use Case |
|---|---|---|
| Level 1 | AES-128 | Standard security |
| Level 3 | AES-192 | Recommended default |
| Level 5 | AES-256 | Maximum security |
Performance Benchmarks
Section titled “Performance Benchmarks”Source: arXiv:2503.12952 (2025), CPU @ 3.3 GHz
ML-DSA vs ECDSA (Signatures)
Section titled “ML-DSA vs ECDSA (Signatures)”| Algorithm | KeyGen | Sign | Verify | Total |
|---|---|---|---|---|
| ML-DSA-44 | 0.09 ms | 0.45 ms | 0.10 ms | 0.64 ms |
| ML-DSA-65 | 0.15 ms | 0.70 ms | 0.15 ms | 0.99 ms |
| ML-DSA-87 | 0.25 ms | 0.84 ms | 0.27 ms | 1.36 ms |
| ECDSA P-256 | 0.30 ms | 0.40 ms | 0.10 ms | 0.80 ms |
| ECDSA P-384 | 0.50 ms | 0.90 ms | 0.30 ms | 1.70 ms |
Direct Comparison (Security Level 3: ML-DSA-65 vs ECDSA P-384)
Section titled “Direct Comparison (Security Level 3: ML-DSA-65 vs ECDSA P-384)”| Metric | ECDSA P-384 | ML-DSA-65 | Ratio |
|---|---|---|---|
| KeyGen | 0.50 ms | 0.15 ms | 3x faster |
| Sign | 0.90 ms | 0.70 ms | ~20% faster |
| Verify | 0.30 ms | 0.15 ms | 2x faster |
| Public Key | 97 B | 1,952 B | 20x larger |
| Signature | 96 B | 3,309 B | 34x larger |
Ratios remain valid across different machines. Absolute values are indicative (CPU @ 3.3 GHz).
ML-DSA vs RSA (Signatures)
Section titled “ML-DSA vs RSA (Signatures)”Sources: OpenSSL Cookbook (x86), arXiv:2503.12952 (x86 @ 3.3 GHz)
| Algorithm | Sign | Verify | Ratio vs ML-DSA-65 |
|---|---|---|---|
| ML-DSA-65 | 0.70 ms | 0.15 ms | — |
| RSA-2048 | ~1 ms | 0.045 ms | Sign: 1.4x slower |
| RSA-3072 | ~4.8 ms | 0.096 ms | Sign: 7x slower |
RSA verification is faster, but signing is significantly slower than ML-DSA. For servers that sign frequently, ML-DSA provides better throughput.
SLH-DSA vs ML-DSA (Signatures)
Section titled “SLH-DSA vs ML-DSA (Signatures)”Sources: arXiv:2503.12952 (x86 @ 3.3 GHz), conduition.io (Intel 12th gen @ 2.8 GHz)
| Algorithm | Sign | Verify | Signature | Public Key |
|---|---|---|---|---|
| ML-DSA-65 | 0.70 ms | 0.15 ms | 3,309 B | 1,952 B |
| SLH-DSA-128f | ~30 ms | ~10 ms | 17,088 B | 32 B |
| SLH-DSA-128s | ~200 ms | ~3 ms | 7,856 B | 32 B |
| Metric | ML-DSA-65 | SLH-DSA-128f | SLH-DSA-128s |
|---|---|---|---|
| Sign | 0.70 ms | ~30 ms | ~200 ms |
| Ratio | — | ~40x slower | ~300x slower |
When to use SLH-DSA:
- Conservative security (hash-based, no lattice assumptions)
- Root of Trust, firmware signing (sign rarely, verify often)
- Long-term archival signatures
When to use ML-DSA:
- Performance-critical applications (TLS, API signing)
- Frequent signing operations
- Bandwidth-constrained environments
ML-KEM vs X25519 vs RSA (Key Exchange)
Section titled “ML-KEM vs X25519 vs RSA (Key Exchange)”Sources: arXiv:2508.01694 (x86), filippo.io (Apple M1)
| Algorithm | Operation | Time | Ratio vs ML-KEM-768 |
|---|---|---|---|
| ML-KEM-768 | Encaps + Decaps | ~0.2 ms | — |
| X25519 | ECDHE | ~0.65 ms | ~3x slower |
| RSA-3072 | Key transport | >200 ms | ~1000x slower |
ML-KEM is faster than X25519 for key exchange, despite larger key sizes. RSA key transport is orders of magnitude slower and rarely used in modern TLS.
X25519 = ECDH (Elliptic Curve Diffie-Hellman) on Curve25519.