Can we use ML-DSA-44 to save bandwidth?

For low-stakes uses (short-lived JWT, ephemeral signatures), yes. For long-term root signing or contract signatures, use ML-DSA-65 or higher.

FALCON (FN-DSA, NIST-pending) produces smaller signatures than ML-DSA but uses floating-point arithmetic — harder to implement constant-time. NIST may finalize FN-DSA as supplemental standard. Monitor; don't deploy preview standards in production.

Are PQ signatures patentable?

NIST published ML-DSA royalty-free. Same posture as ML-KEM. Safe for commercial use.

Can we sign legacy artifacts retroactively with ML-DSA?

Yes — countersignature pattern. Add a second ML-DSA signature alongside existing RSA/ECDSA signatures. Both verify; either failing causes verification failure (or use either-or, depending on policy). Common for code-signing migration.

Is ML-DSA secure against side-channel attacks?

The reference implementation has constant-time signing/verification primitives. Production deployment must use those (don't roll your own). Some early implementations (2023-2024) had timing leaks; current reference (2024-onwards) is hardened.

ML-DSA (Dilithium) Signatures — Replacing RSA and ECDSA in Code Signing, JWT, and PKI

Read as

ML-DSA (Module-Lattice-based Digital Signature Algorithm, formerly CRYSTALS-Dilithium) is FIPS 204 — the NIST-standard PQ signature replacing RSA, ECDSA, and EdDSA. Like ML-KEM, it’s lattice-based on the Module-LWE / Module-SIS hardness assumptions. This module covers what ML-DSA does, how it differs from ML-KEM, the three security levels, and how to use it in production for code signing, JWT, and CA hierarchies.

If your organisation signs anything — software releases, JWT tokens, X.509 certificates, audit reports, contracts — ML-DSA is in your future. The migration from RSA-2048 / ECDSA-P256 to ML-DSA is the second half of the PQ migration program (after ML-KEM for key exchange).

ML-DSA vs ML-KEM — different jobs

ML-KEM = key exchange. Two parties end up with a shared secret.

ML-DSA = digital signature. One party (signer) produces signature S over message M; anyone can verify S against M and signer’s public key.

Same lattice family, different protocol. ML-DSA’s underlying problem is Module-Short-Integer-Solution (M-SIS) — given a matrix and a target, find a “short” vector that hashes to it. Like Module-LWE, no quantum speedup is known.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants

ML-DSA (Dilithium) Signatures — Replacing RSA and ECDSA in Code Signing, JWT, and PKI

ML-DSA vs ML-KEM — different jobs

Custom team training + practitioner advisory

Other modules in this track

What is Quantum Computing — Qubits, Superposition, Entanglement (Beginner)

Why Quantum Matters for Cybersecurity — The Post-Quantum Threat in Plain English

Shor’s Algorithm Explained — Why RSA and ECC Will Break