Skip to content

47-Day Certificates Are Coming. Are You Ready?

Act Now →

What Is FN-DSA (FALCON, FIPS 206)?

PQC

FN-DSA (FFT over NTRU-Lattice-Based Digital Signature Algorithm) is NIST’s name for the post-quantum digital signature scheme based on FALCON, to be standardized as FIPS 206. It is a lattice-based signature known for very compact signatures and public keys, and as of mid-2026 it is a draft standard, not yet finalized.

FN-DSA is the fourth post-quantum algorithm in NIST’s signature and key-establishment suite, based on the FALCON submission. It produces the smallest signatures and public keys of NIST’s post-quantum signature schemes, which makes it attractive where bandwidth is tight. Unlike ML-KEM, ML-DSA, and SLH-DSA, FN-DSA is not yet finalized: NIST submitted the draft in 2025, with the final FIPS 206 expected in late 2026 or early 2027.

Key Takeaways

  • FN-DSA (FFT over NTRU-Lattice-Based Digital Signature Algorithm) is NIST’s name for the FALCON-based post-quantum signature scheme, to be standardized as FIPS 206.
  • It is not yet a final standard. NIST submitted the draft for approval on August 28, 2025, and the final FIPS 206 is widely expected in late 2026 or early 2027.
  • FN-DSA’s headline strength is compactness: it produces the smallest signatures and public keys among NIST’s post-quantum signature standards, which suits bandwidth-constrained uses.
  • Its headline challenge is implementation difficulty. FN-DSA signing relies on floating-point Gaussian sampling that is hard to implement safely and in constant time, which is the main reason its standardization took longer than the others.
  • For now, FN-DSA is something to plan and test for, not deploy in production. ML-DSA (FIPS 204) is the finalized, buildable lattice signature standard today.

What FN-DSA Is

FN-DSA is a digital signature algorithm designed to resist attacks from quantum computers. It comes from FALCON, one of the schemes NIST selected during its post-quantum standardization process, alongside CRYSTALS-Dilithium (now ML-DSA) and SPHINCS+ (now SLH-DSA).

NIST gave FALCON the standard name FN-DSA, which stands for FFT over NTRU-Lattice-Based Digital Signature Algorithm, and is preparing to publish it as FIPS 206.

Like ML-DSA, FN-DSA is lattice-based, but it uses a different construction. It is built on NTRU lattices and follows a hash-then-sign design, where a signature is a lattice point close to a target derived from the message hash.

It uses the Fast Fourier Transform and a structure called a FALCON tree to perform the discrete Gaussian sampling at the heart of signing. This mathematics is what gives FN-DSA its compactness, and also what makes it hard to implement.

Current Status: Draft, Not Final

This is the most important thing to understand about FN-DSA in 2026, because it is easy to assume all four NIST post-quantum algorithms are finalized. They are not.

AlgorithmStandardStatus (mid-2026)
ML-KEMFIPS 203Final (August 2024)
ML-DSAFIPS 204Final (August 2024)
SLH-DSAFIPS 205Final (August 2024)
FN-DSAFIPS 206Draft. Submitted for approval Aug 28, 2025; final expected late 2026 or early 2027

NIST submitted the FN-DSA draft standard for approval on August 28, 2025, and has been preparing an Initial Public Draft for public review. Based on how the other standards progressed, the review period is expected to run about a year, placing the final FIPS 206 in late 2026 or early 2027.

Until then, the specification can still change, and details such as parameter encodings and object identifiers are not yet locked. This is why major certificate authorities have said they will not ship FN-DSA in production until the standard is final.

PQC Advisory Services

Gain post-quantum readiness with expert-led cryptographic assessment, migration strategy, and hands-on implementation aligned to NIST standards.

Why FN-DSA Is Attractive: Compactness

FN-DSA’s defining advantage is size. Among NIST’s post-quantum signature schemes, FALCON produces the smallest combination of signature and public key. That matters in places where every byte counts: constrained devices, protocols with tight packet budgets, and certificates that are transmitted constantly.

Compared with SLH-DSA, whose signatures run to many kilobytes, and even with ML-DSA, FN-DSA’s compact signatures are a meaningful practical advantage. In certificate hierarchies, this makes FN-DSA especially interesting for root and intermediate certificates, where small signatures reduce the size of every chain that descends from them.

Why FN-DSA Is Hard: Floating-Point Sampling

The reason FN-DSA took longer to standardize than the other three schemes is implementation difficulty. Its signing process depends on sampling from a discrete Gaussian distribution, and the reference design uses floating-point arithmetic to do it.

Floating-point operations are notoriously difficult to make behave identically across different hardware, and they are a common source of timing side-channels, where the time an operation takes leaks information about the secret key.

A signature scheme that leaks key information through timing is dangerous, so FN-DSA implementations must be written with great care to run in constant time. NIST has been working through these challenges, including how to handle a possible fixed-point implementation, which is part of why the standard has taken additional time.

The practical implication for organizations: FN-DSA should be deployed only with well-vetted, side-channel-resistant implementations, ideally in controlled environments such as HSMs.

FN-DSA vs ML-DSA: Two Lattice Signatures

Because both are lattice-based signature standards, FN-DSA and ML-DSA are often compared directly. They make opposite tradeoffs.

AttributeML-DSA (FIPS 204)FN-DSA (FIPS 206)
StatusFinal (August 2024)Draft; final expected late 2026 / early 2027
Based onCRYSTALS-DilithiumFALCON (NTRU lattices)
Signature and key sizeLargerSmallest of the NIST signature schemes
ImplementationRelatively straightforward, integer-basedDifficult; floating-point Gaussian sampling
Best fitGeneral-purpose default, buildable todayBandwidth-constrained cases, root/intermediate certs, once final

The practical guidance today is straightforward: ML-DSA is the lattice signature you build with now, because it is finalized and easier to implement safely. FN-DSA is the one you plan and test for, choosing it later where its compact signatures justify the extra implementation care, and only once FIPS 206 is final.

Where FN-DSA Fits in the Full PQC Suite

FN-DSA is one piece of NIST’s post-quantum toolkit, and understanding how the pieces relate helps with algorithm selection:

  • ML-KEM (FIPS 203) handles key establishment. It is the default for protecting data in transit.
  • ML-DSA (FIPS 204) is the general-purpose signature. It is the finalized default for most signing today.
  • SLH-DSA (FIPS 205) is the conservative, hash-based signature for long-lived, high-assurance use.
  • FN-DSA (FIPS 206) is the compact lattice signature, still in draft, best suited to bandwidth-constrained and certificate-hierarchy uses once final.

How Encryption Consulting Helps

FN-DSA is a good example of why post-quantum migration is a planning problem, not a one-time switch. Encryption Consulting’s Post-Quantum Cryptography Advisory Services help you build crypto-agility so you can adopt algorithms like FN-DSA when they finalize, without re-architecting.

We inventory where your signatures live, identify the bandwidth-constrained and certificate-hierarchy use cases where FN-DSA’s compactness would help, and design systems that can swap algorithms as standards settle, so a draft today becomes a controlled deployment tomorrow rather than an emergency. For production signing needs right now, we help you adopt the finalized ML-DSA and SLH-DSA standards appropriately. Backed by ISO/IEC 27001:2022 and SOC 2 certified practices.

PQC Advisory Services

Gain post-quantum readiness with expert-led cryptographic assessment, migration strategy, and hands-on implementation aligned to NIST standards.

Frequently Asked Questions

What is FN-DSA?

FN-DSA (FFT over NTRU-Lattice-Based Digital Signature Algorithm) is NIST’s name for the post-quantum digital signature scheme based on FALCON, to be standardized as FIPS 206. It is a lattice-based signature that produces very compact signatures and public keys, making it attractive where bandwidth is limited. As of mid-2026 it is a draft standard, not yet finalized, with the final version expected in late 2026 or early 2027.

Is FN-DSA (FIPS 206) finalized?

No. Unlike ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205), which were all finalized in August 2024, FN-DSA is still a draft. NIST submitted the draft standard for approval on August 28, 2025, and the final FIPS 206 is widely expected in late 2026 or early 2027. Because the specification can still change, major certificate authorities have said they will not deploy FN-DSA in production until it is finalized.

What is the difference between FN-DSA and ML-DSA?

Both are lattice-based post-quantum signature standards, but they make opposite tradeoffs. ML-DSA (FIPS 204, based on CRYSTALS-Dilithium) is finalized, easier to implement, and has larger signatures. FN-DSA (FIPS 206, based on FALCON) is still in draft, harder to implement because of floating-point Gaussian sampling, but produces the smallest signatures and keys. ML-DSA is the buildable default today; FN-DSA is the compact option to plan and test for.

Why is FN-DSA harder to implement than the other PQC standards?

FN-DSA signing requires sampling from a discrete Gaussian distribution, and the reference design uses floating-point arithmetic. Floating-point operations behave differently across hardware and are a common source of timing side-channels that can leak the private key. Implementing FN-DSA safely requires constant-time, side-channel-resistant code, which is difficult. This implementation complexity is the main reason FN-DSA took longer to standardize than ML-DSA and SLH-DSA.

What is FN-DSA best used for?

FN-DSA’s compact signatures and public keys make it attractive in bandwidth-constrained settings and, within certificate hierarchies, for root and intermediate certificates where small signatures benefit every chain beneath them. Because its signing is complex and slow, it is less suited to high-frequency leaf-certificate signing. In practice, organizations should treat FN-DSA as a future option to test now and deploy later, once FIPS 206 is final and vetted implementations exist.

Should I use FN-DSA now?

Not in production. Because FIPS 206 is still a draft and the specification can change, the responsible approach is to plan and test with FN-DSA but build production systems on the finalized standards. Use ML-DSA (FIPS 204) as your general-purpose post-quantum signature today, and design for crypto-agility so you can adopt FN-DSA cleanly once it is finalized in the expected late 2026 or early 2027 timeframe.

Plan for FN-DSA Without Betting Production on a Draft

FN-DSA will matter where compact signatures count, but it is not production-ready yet. Explore Encryption Consulting’s PQC Advisory Services to build the crypto-agility that lets you adopt FN-DSA the moment FIPS 206 is final, while running today’s signing on the standards that are already approved.