ML-DSA (FIPS 204)
Module-Lattice-Based Digital Signature Algorithm
Overview
ML-DSA is the NIST-standardized post-quantum digital signature algorithm defined in FIPS 204. Formerly known as CRYSTALS-Dilithium, ML-DSA provides EUF-CMA-secure digital signatures based on the hardness of the Module Learning With Errors (Module-LWE) and Module Short Integer Solution (Module-SIS) problems.
ML-DSA uses a Fiat-Shamir with Aborts framework: the signer repeatedly samples a masking vector, computes a candidate signature, and rejects if the result would leak information about the secret key. This rejection sampling ensures that valid signatures are statistically independent of the secret key.
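The rejection step described above, as an added example (not MetaMUI code): it models a single response coefficient z = y + cs and enumerates every possible mask value y to show that the accepted values of z are the same set whatever the secret-dependent term cs is. The constants are the ML-DSA-65 values of γ1 and β from FIPS 204, which this page does not list. The function names are hypothetical, and the real algorithm applies the bound to the infinity norm of a whole vector alongside further checks.

```rust
// Added illustration: one-coefficient model of the Fiat-Shamir-with-Aborts check.
// GAMMA1 and BETA are the ML-DSA-65 parameters from FIPS 204 (assumed, not on this page).
const GAMMA1: i64 = 1 << 19; // mask coefficients y lie in [-GAMMA1 + 1, GAMMA1]
const BETA: i64 = 196; // bound on |c*s| for ML-DSA-65 (tau * eta = 49 * 4)

/// Candidate response z = y + cs. `None` means "abort and resample the mask".
fn respond(y: i64, cs: i64) -> Option<i64> {
    let z = y + cs;
    if z.abs() >= GAMMA1 - BETA {
        None // z is close enough to the edge that its value would depend on cs
    } else {
        Some(z)
    }
}

/// Enumerate every mask value for a fixed secret-dependent term `cs` and
/// return (smallest accepted z, largest accepted z, number accepted).
/// y -> y + cs is injective, so each accepted z is produced by exactly one y.
fn accepted_range(cs: i64) -> (i64, i64, u64) {
    let (mut lo, mut hi, mut n) = (i64::MAX, i64::MIN, 0u64);
    for y in (-GAMMA1 + 1)..=GAMMA1 {
        if let Some(z) = respond(y, cs) {
            lo = lo.min(z);
            hi = hi.max(z);
            n += 1;
        }
    }
    (lo, hi, n)
}

/// Range of z if nothing were rejected: it shifts with cs, which is the leak.
fn unfiltered_range(cs: i64) -> (i64, i64) {
    (-GAMMA1 + 1 + cs, GAMMA1 + cs)
}

fn main() {
    for cs in [-BETA, -1, 0, 57, BETA] {
        println!(
            "cs={:>4}  accepted={:?}  unfiltered={:?}",
            cs,
            accepted_range(cs),
            unfiltered_range(cs)
        );
    }
}
```

Every accepted range is identical and contains each value exactly once, so with a uniform mask the accepted z is uniform on a set that does not depend on cs, while the unfiltered range moves with it.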
Specifications
| Parameter Set | NIST Level | Public Key (bytes) | Secret Key (bytes) | Signature (bytes) |
|---|---|---|---|---|
| ML-DSA-44 | 2 | 1312 | 2560 | 2420 |
| ML-DSA-65 | 3 | 1952 | 4032 | 3309 |
| ML-DSA-87 | 5 | 2592 | 4896 | 4627 |
Core operations:
- `KeyGen()`: Generate a signing key pair
- `Sign(sk, msg)`: Produce a signature over a message
- `Verify(pk, msg, sig)`: Verify a signature against a public key and message
Underlying math: NTT over Z_q[X]/(X^256 + 1) with q = 8380417. The module dimensions (k, l) vary by parameter set: (4,4), (6,5), and (8,7) for ML-DSA-44, -65, and -87 respectively.
Security
- Security notion: EUF-CMA (existential unforgeability under chosen-message attack)
- Hardness assumptions: Module-LWE and Module-SIS
- Signing method: Fiat-Shamir with Aborts — rejection sampling ensures signatures do not leak secret key information
- Deterministic signing: ML-DSA supports both deterministic and hedged (randomized) signing modes
- NIST Level 2 / 3 / 5: ML-DSA-44, ML-DSA-65, and ML-DSA-87 target security equivalent to SHA-256 collision resistance, AES-192, and AES-256 against quantum adversaries, respectively
Hardware Acceleration
ML-DSA benefits from SIMD acceleration for NTT operations over its polynomial ring, as well as for polynomial arithmetic (addition, subtraction, pointwise multiplication) used in signing and verification.
| Acceleration | Target | Description |
|---|---|---|
| AVX-2 | x86-64 | Parallel NTT butterfly and polynomial arithmetic |
| NEON | ARM | Parallel NTT butterfly and polynomial arithmetic |
Platform Support
ML-DSA is implemented across all 10 platforms in the MetaMUI suite:
| Platform | Language | Implementation Path |
|---|---|---|
| Native | C | metamui-crypto-c/ |
| Systems | Rust | metamui-crypto-rust/ |
| Backend | Go | metamui-crypto-go/ |
| Data Science | Python | metamui-crypto-python/ |
| JVM | Java | metamui-crypto-java/ |
| JVM/Android | Kotlin | metamui-crypto-kotlin/ |
| .NET | C# | metamui-crypto-csharp/ |
| Apple | Swift | metamui-crypto-swift/ |
| Web | TypeScript | metamui-crypto-typescript/ |
| Browser/Edge | WASM | metamui-crypto-wasm/ |
API Example
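```rust
// Key generation (`rng` is a cryptographically secure RNG supplied by the caller)
let (pk, sk) = ml_dsa_65::keygen(&mut rng);

// Signing
let message = b"Document to be signed";
let signature = ml_dsa_65::sign(&sk, message);

// Verification: must use the same message bytes that were signed
let is_valid = ml_dsa_65::verify(&pk, message, &signature);
assert!(is_valid);
```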
Test Vectors
- Location: test-vectors/dilithium_vectors.json
- Coverage: KeyGen, Sign, Verify for all three parameter sets
- Source: NIST ACVP test vector format
References
- FIPS 204 — Module-Lattice-Based Digital Signature Standard. National Institute of Standards and Technology (2024). https://csrc.nist.gov/pubs/fips/204/final
- CRYSTALS-Dilithium — Ducas, L., Kiltz, E., Lepoint, T., et al. CRYSTALS-Dilithium Algorithm Specifications and Supporting Documentation. https://pq-crystals.org/dilithium/
- NIST PQC Standardization — Post-Quantum Cryptography project. https://csrc.nist.gov/projects/post-quantum-cryptography