Skip to content

47-Day Certificates Are Coming. Are You Ready?

Act Now →

What Is ML-DSA (FIPS 204)? 

ML-DSA

ML-DSA (Module-Lattice-Based Digital Signature Algorithm) is the post-quantum digital signature standard published by NIST in FIPS 204 in August 2024, based on the CRYSTALS-Dilithium algorithm. 

ML-DSA is a quantum-resistant digital signature algorithm that proves authenticity and integrity, replacing RSA and ECDSA signatures. NIST standardized it as FIPS 204 in August 2024, based on CRYSTALS-Dilithium, with three parameter sets: ML-DSA-44, ML-DSA-65, and ML-DSA-87. It is well suited to code signing, document signing, and certificate authentication. 

Key Takeaways

  • ML-DSA is NIST’s primary post-quantum digital signature standard, published as FIPS 204 in August 2024. 
  • It is the standardized form of CRYSTALS-Dilithium, based on the MLWE and MSIS lattice problems. 
  • Three parameter sets (ML-DSA-44/65/87) map to roughly AES-128, 192, and 256 security. 
  • ML-DSA-65 is the recommended default for most applications. 
  • It replaces RSA and ECDSA signatures and is well suited to code and firmware signing. 

What is ML-DSA?

ML-DSA is a post-quantum digital signature algorithm. A digital signature proves that a message, file, or certificate came from a specific private key and was not altered, the role played today by RSA and ECDSA. NIST standardized ML-DSA in FIPS 204 in August 2024, alongside ML-KEM (FIPS 203) for key establishment.

Why ML-DSA Matters

Digital signatures underpin trust in software, documents, and certificates. Today’s signatures rely on RSA and elliptic-curve cryptography, which a quantum computer running Shor’s algorithm could forge. ML-DSA is built on lattice problems with no known efficient quantum attack, so signatures created with it remain trustworthy in a post-quantum world. This matters most for things signed today that must stay verifiable for years, such as firmware and long-lived code.

How ML-DSA Works

ML-DSA is built on the Module Learning With Errors (MLWE) and Module Short Integer Solution (MSIS) problems. Like other signature schemes, it uses three operations: key generation produces a public and private key pair, signing uses the private key to produce a signature over a message, and verification uses the public key to confirm the signature is valid and the message unchanged. 

PQC Advisory Services

Gain post-quantum readiness with expert-led cryptographic assessment, migration strategy, and hands-on implementation aligned to NIST standards.

ML-DSA Parameter Sets

FIPS 204 defines three parameter sets that trade security strength against signature and key sizes. 

Parameter setSecurity levelTypical use
ML-DSA-44 Roughly AES-128 (Level 2) Lightweight needs. 
ML-DSA-65 Roughly AES-192 (Level 3) Recommended default for most applications. 
ML-DSA-87 Roughly AES-256 (Level 5) Highest security, including national security systems. 

ML-DSA vs Code Signing

Code and firmware signing are among the most pressing uses for ML-DSA, because signed artifacts can live in the field for many years. US CNSA 2.0 guidance requires software and firmware signing to use quantum-resistant signatures for national security systems, with exclusive use targeted from 2027. Moving signing to ML-DSA, often in hybrid form first, protects the integrity of software well into the quantum era. See what are hybrid certificates.

How Encryption Consulting Helps

Encryption Consulting’s PQC Advisory helps you adopt ML-DSA as part of a broader migration, and CodeSign Secure supports post-quantum code and firmware signing so your signatures stay valid in the quantum era. Backed by ISO/IEC 27001:2022 and SOC 2 certified practices. 

Enterprise Code-Signing Solution

Get One solution for all your software code-signing cryptographic needs with our code-signing solution.

Frequently Asked Questions

Is ML-DSA the same as Dilithium? 

ML-DSA is the standardized version of CRYSTALS-Dilithium. Dilithium was the algorithm selected in the NIST post-quantum competition, and NIST standardized it as ML-DSA in FIPS 204 in August 2024. The names refer to the same signature scheme, but ML-DSA is the official standard name to use going forward. 

What is the difference between ML-DSA and ML-KEM? 

They do different jobs. ML-DSA (FIPS 204) is a digital signature algorithm, used to prove authenticity and integrity, replacing RSA and ECDSA signatures. ML-KEM (FIPS 203) is a key encapsulation mechanism, used to establish a shared secret key, replacing RSA and Diffie-Hellman key exchange. Many systems will use both together. 

Which ML-DSA parameter set should I use? 

ML-DSA-65 is the recommended default for most applications, offering security roughly equivalent to AES-192. ML-DSA-44 is the lightest option (AES-128 level), and ML-DSA-87 targets the highest security needs such as national security systems (AES-256 level). The choice balances security requirements against signature and key sizes. 

What is ML-DSA used for? 

ML-DSA is a general-purpose post-quantum signature algorithm. It suits code signing, firmware signing, document signing, certificate signatures, and protocol authentication, anywhere a digital signature proves who created something and that it was not altered. It is a direct quantum-safe replacement for ECDSA and RSA signatures. 

Is ML-DSA quantum-safe? 

ML-DSA is designed to resist both classical and quantum attacks. Its security rests on the hardness of the Module Learning With Errors and Module Short Integer Solution problems, which have no known efficient quantum algorithm. NIST standardized it in FIPS 204 specifically as a quantum-resistant signature scheme. 

Adopt Post-Quantum Signatures 

Ready to move signing to ML-DSA? Explore CodeSign Secure, or talk to a PQC advisor.Â