All NewsSecurity

Why we cannot wait for better post-quantum signature algorithms

NIST is advancing nine new post-quantum signature algorithms as potential candidates for future standardization. We take a closer look at all of them, and argue

07 / 09 / 2026Source: Security
Why we cannot wait for better post-quantum signature algorithms
Feature image

News

What happened

NIST is advancing nine new post-quantum signature algorithms as potential candidates for future standardization. We take a closer look at all of them, and argue that while they are in the works and show great potential, we should use ML-DSA for now — the best one currently available. RSA and ECC, cryptographic algorithms that we’ve all relied on for decades, are vulnerable to the attack of sufficiently advanced quantum computers. Such quantum computers do not exist yet, but they seem to be coming sooner than expected. Luckily, the solution is already available: migrate to ML-KEM encryption and ML-DSA signatures, which are designed to be resistant to quantum attack. They were standardized in 2024 by the U.S. National Institute of Standards and Technology (NIST) after an eight-year open international competition. The migration to post-quantum cryptography is in full swing now. At the time of writing, the majority of traffic handled by Cloudflare is already using ML-KEM encryption, and is thus secured against the threat to data posed by harvest-now-decrypt-later attacks. But encryption is only one part of the equation: to be fully secure against quantum computers capable of breaking classical cryptography, we aim to deploy post-quantum signatures to protect authentication systems from unauthorized access. We are targeting 2029 for Cloudflare to be fully post-quantum secure. ML-DSA, the best all-around post-quantum signature scheme standardized today, has its downsides: it’s much larger on the wire, and many tricks we were able to perform with RSA and ECC simply cannot be done with ML-DSA. There are better post-quantum signature schemes on the horizon: last month, NIST announced that it is advancing nine post-quantum signature schemes to the third round of the “ signatures on-ramp ”. And a draft standard for FN-DSA (née Falcon), which was picked from the previous competition, is expected imminently. We have been very interested in advances in post-quantum signature algo

NIST is advancing nine new post-quantum signature algorithms as potential candidates for future standardization. We take a closer look at all of them, and argue that while they are in the works and show great potential, we should use ML-DSA for now — the best one currently available. RSA and ECC, cryptographic algorithms that we’ve all relied on for decades, are vulnerable to the attack of sufficiently advanced quantum computers. Such quantum computers do not exist yet, but they seem to be coming sooner than expected. Luckily, the solution is already available: migrate to ML-KEM encryption and ML-DSA signatures, which are designed to be resistant to quantum attack. They were standardized in 2024 by the U.S. National Institute of Standards and Technology (NIST) after an eight-year open international competition. The migration to post-quantum cryptography is in full swing now. At the time of writing, the majority of traffic handled by Cloudflare is already using ML-KEM encryption, and is thus secured against the threat to data posed by harvest-now-decrypt-later attacks. But encryption is only one part of the equation: to be fully secure against quantum computers capable of breaking classical cryptography, we aim to deploy post-quantum signatures to protect authentication systems from unauthorized access. We are targeting 2029 for Cloudflare to be fully post-quantum secure. ML-DSA, the best all-around post-quantum signature scheme standardized today, has its downsides: it’s much larger on the wire, and many tricks we were able to perform with RSA and ECC simply cannot be done with ML-DSA. There are better post-quantum signature schemes on the horizon: last month, NIST announced that it is advancing nine post-quantum signature schemes to the third round of the “ signatures on-ramp ”. And a draft standard for FN-DSA (née Falcon), which was picked from the previous competition, is expected imminently. We have been very interested in advances in post-quantum signature algorithms, and wrote about the progress in 2021 , 2022 , 2024 , and 2025 . In this blog post we’ll treat you to the latest developments in great detail. But first we have to deal with the elephant in the room: These new signature algorithms will not be ready in time for the PQ transition — not even close, as we will see later on . The problem is arriving too soon for us to wait. ML-DSA is available today, and it will have to do for the first migration. As Eric Rescorla wrote in 2024: You go to war with the algorithms you have, not the ones you wish you had. Nonetheless, the search for better post-quantum signature algorithms is crucial for several reasons, and we firmly believe it is still the best use of NIST’s limited resources. Let’s have a look at the signature algorithms in detail. After that we’ll look at the timeline for their availability, and the reasons why we still need them. The signature algorithms In the table below, we compare the candidate signature algorithms that progressed to the third round (marked by 🤔), with classical algorithms vulnerable to quantum attack (marked by ❌), and the post-quantum algorithms that are already standardized ( ✅) or soon will be (📝). Each candidate proposes several variants. We list the most relevant variants to TLS, the protocol used to secure connections on the Internet. To explore all variants, check out Thom Wigger s' signatures zoo . Sizes (bytes) CPU time (lower is better) Family Name variant A Public key Signature Signing Verification Elliptic curves Ed25519 ❌ 32 64 0.15 1.3 Factoring RSA 2048 ❌ 272 256 80 0.4 Lattices ML-DSA 44 ✅ 1,312 2,420 1 (baseline) 1 (baseline) Symmetric SLH-DSA 128s ✅ 32 7,856 14,000 40 SLH-DSA 128f ✅ 32 17,088 720 110 SLH-DSA 128-24 📝 32 3,856 7,000,000 ⚠️ 4 LMS M24_H20_W8 ✅ 48 1,112 2.9 ⚠️ 8.4 Lattices FN-DSA 512 📝 897 666 3 ⚠️ 0.7 Lattices HAWK 512 🤔 1,024 555 0.25 1.2 Proof of knowledge MQOM L1-gf16-fast-5r 🤔 60 3,280 8 20 SDitH SDitH2-L1-gf2-fast 🤔 70 4,484 15 40 FAEST EM-128f 🤔 32 5,060 4.2 9 Isogeny SQIsign I 🤔 65 148 300 ⚠️ 50 Multivariate MAYO one 🤔 1,420 454 2.1 0.4 MAYO two 🤔 4,912 186 1.1 0.8 QR-UOV I-(127 156 54 3) 🤔 24,225 200 9.3 20 SNOVA (24,5,4) 🤔 1,016 248 1.2 1.7 SNOVA (25,8,3) 🤔 2,320 165 1 1.5 SNOVA (37,17,2) 🤔 9,842 124 0.8 1.3 UOV Is-pkc 🤔 66,576 96 0.3 2.4 UOV Ip-pkc 🤔 43,576 128 0.3 2 A few more remarks on this table: Most candidates have multiple variants in every security level. We show the most relevant variants for TLS at the 128-bit security level, the gold standard for security. CPU times are taken from the signatures zoo in June 2026, which collected them from the round two submission documents and later advances. Candidates are allowed to make changes for the third round, which will influence these numbers. Some will improve (both in compute and size), whereas others will regress to counter new attacks. Check out the zoo for the latest numbers. We marked FN-DSA and SQIsign signing with a ⚠️️, as both are hard to implement in a fast and timing side-channel secure manner. LMS signing has a ⚠️, as secure LMS signing requires keeping state across signatures, and the listed signing time assumes a 32MB cache. The 128-24 variant of SLH-DSA is marked with a ⚠️️ as it’s meant to create fewer than 2 24 signatures. No "all-star" algorithm One thing that stands out immediately is that the quantum-vulnerable elliptic curves signature algorithm Ed25519 is by far the best all-around choice (ignoring its quantum vulnerability): it has the best numbers in almost every single metric, including public key size, signature size, and signing time. It’s only beaten on verification time, but it’s more than fast enough for the vast majority of applications. This is quite different than the roster of post-quantum algorithms. Instead of a single "all-star" algorithm, we have roughly two categories of schemes: the "specialists" that approach our trusty elliptic curve signatures on some metrics, but are problematic on others, which

Release at a glance

Key facts from the announcement.

Version

0.15

Source

Cloudflare Blog

REMOTE ACCESS

Protect Your Admin Sessions

A zero-exposure architecture secures your server. A VPN secures you — encrypting your connection when managing infrastructure from untrusted networks, coffee shops, or travel. NordVPN is what we use for this layer.

Try NordVPN

This is an affiliate link. If you purchase, I earn a commission at no extra cost to you.

Changes at a glance

What's new

NIST is advancing nine new post-quantum signature algorithms as potential candidates for future standardization. We take a closer look at all of them, and argue that while they are in the works and show great potential, we should use ML-DSA for now — the best one currently available. RSA and ECC, cryptographic algorithms that we’ve all relied on for decades, are vulnerable to the attack of sufficiently advanced quantum computers. Such quantum computers do not exist yet, but they seem to be coming sooner than expected. Luckily, the solution is already available: migrate to ML-KEM encryption and ML-DSA signatures, which are designed to be resistant to quantum attack. They were standardized in 2024 by the U.S. National Institute of Standards and Technology (NIST) after an eight-year open international competition. The migration to post-quantum cryptography is in full swing now. At the time of writing, the majority of traffic handled by Cloudflare is already using ML-KEM encryption, and is thus secured against the threat to data posed by harvest-now-decrypt-later attacks. But encryption is only one part of the equation: to be fully secure against quantum computers capable of breaking classical cryptography, we aim to deploy post-quantum signatures to protect authentication systems from unauthorized access. We are targeting 2029 for Cloudflare to be fully post-quantum secure. ML-DSA, the best all-around post-quantum signature scheme standardized today, has its downsides: it’s much larger on the wire, and many tricks we were able to perform with RSA and ECC simply cannot be done with ML-DSA. There are better post-quantum signature schemes on the horizon: last month, NIST announced that it is advancing nine post-quantum signature schemes to the third round of the “ signatures on-ramp ”. And a draft standard for FN-DSA (née Falcon), which was picked from the previous competition, is expected imminently. We have been very interested in advances in post-quantum signature algorithms, and wrote about the progress in 2021 , 2022 , 2024 , and 2025 . In this blog post we’ll treat you to the latest developments in great detail. But first we have to deal with the elephant in the room: These new signature algorithms will not be ready in time for the PQ transition — not even close, as we will see later on . The problem is arriving too soon for us to wait. ML-DSA is available today, and it will have to do for the first migration. As Eric Rescorla wrote in 2024: You go to war with the algorithms you have, not the ones you wish you had. Nonetheless, the search for better post-quantum signature algorithms is crucial for several reasons, and we firmly believe it is still the best use of NIST’s limited resources. Let’s have a look at the signature algorithms in detail. After that we’ll look at the timeline for their availability, and the reasons why we still need them. The signature algorithms In the table below, we compare the candidate signature algorithms that progressed to the third round (marked by 🤔), with classical algorithms vulnerable to quantum attack (marked by ❌), and the post-quantum algorithms that are already standardized ( ✅) or soon will be (📝). Each candidate proposes several variants. We list the most relevant variants to TLS, the protocol used to secure connections on the Internet. To explore all variants, check out Thom Wigger s' signatures zoo . Sizes (bytes) CPU time (lower is better) Family Name variant A Public key Signature Signing Verification Elliptic curves Ed25519 ❌ 32 64 0.15 1.3 Factoring RSA 2048 ❌ 272 256 80 0.4 Lattices ML-DSA 44 ✅ 1,312 2,420 1 (baseline) 1 (baseline) Symmetric SLH-DSA 128s ✅ 32 7,856 14,000 40 SLH-DSA 128f ✅ 32 17,088 720 110 SLH-DSA 128-24 📝 32 3,856 7,000,000 ⚠️ 4 LMS M24_H20_W8 ✅ 48 1,112 2.9 ⚠️ 8.4 Lattices FN-DSA 512 📝 897 666 3 ⚠️ 0.7 Lattices HAWK 512 🤔 1,024 555 0.25 1.2 Proof of knowledge MQOM L1-gf16-fast-5r 🤔 60 3,280 8 20 SDitH SDitH2-L1-gf2-fast 🤔 70 4,484 15 40 FAEST EM-128f 🤔 32 5,060 4.2 9 Isogeny SQIsign I 🤔 65 148 300 ⚠️ 50 Multivariate MAYO one 🤔 1,420 454 2.1 0.4 MAYO two 🤔 4,912 186 1.1 0.8 QR-UOV I-(127 156 54 3) 🤔 24,225 200 9.3 20 SNOVA (24,5,4) 🤔 1,016 248 1.2 1.7 SNOVA (25,8,3) 🤔 2,320 165 1 1.5 SNOVA (37,17,2) 🤔 9,842 124 0.8 1.3 UOV Is-pkc 🤔 66,576 96 0.3 2.4 UOV Ip-pkc 🤔 43,576 128 0.3 2 A few more remarks on this table: Most candidates have multiple variants in every security level. We show the most relevant variants for TLS at the 128-bit security level, the gold standard for security. CPU times are taken from the signatures zoo in June 2026, which collected them from the round two submission documents and later advances. Candidates are allowed to make changes for the third round, which will influence these numbers. Some will improve (both in compute and size), whereas others will regress to counter new attacks. Check out the zoo for the latest numbers. We marked FN-DSA and SQIsign signing with a ⚠️️, as both are hard to implement in a fast and timing side-channel secure manner. LMS signing has a ⚠️, as secure LMS signing requires keeping state across signatures, and the listed signing time assumes a 32MB cache. The 128-24 variant of SLH-DSA is marked with a ⚠️️ as it’s meant to create fewer than 2 24 signatures. No "all-star" algorithm One thing that stands out immediately is that the quantum-vulnerable elliptic curves signature algorithm Ed25519 is by far the best all-around choice (ignoring its quantum vulnerability): it has the best numbers in almost every single metric, including public key size, signature size, and signing time. It’s only beaten on verification time, but it’s more than fast enough for the vast majority of applications. This is quite different than the roster of post-quantum algorithms. Instead of a single "all-star" algorithm, we have roughly two categories of schemes: the "specialists" that approach our trusty elliptic curve signatures on some metrics, but are problematic on others, which

Breaking changes

No breaking changes were reported in the source material.

Analysis

In detail

NIST is advancing nine new post-quantum signature algorithms as potential candidates for future standardization. We take a closer look at all of them, and argue that while they are in the works and show great potential, we should use ML-DSA for now — the best one currently available. RSA and ECC, cryptographic algorithms that we’ve all relied on for decades, are vulnerable to the attack of sufficiently advanced quantum computers. Such quantum computers do not exist yet, but they seem to be coming sooner than expected. Luckily, the solution is already available: migrate to ML-KEM encryption and ML-DSA signatures, which are designed to be resistant to quantum attack. They were standardized in 2024 by the U.S. National Institute of Standards and Technology (NIST) after an eight-year open international competition. The migration to post-quantum cryptography is in full swing now. At the time of writing, the majority of traffic handled by Cloudflare is already using ML-KEM encryption, and is thus secured against the threat to data posed by harvest-now-decrypt-later attacks. But encryption is only one part of the equation: to be fully secure against quantum computers capable of breaking classical cryptography, we aim to deploy post-quantum signatures to protect authentication systems from unauthorized access. We are targeting 2029 for Cloudflare to be fully post-quantum secure. ML-DSA, the best all-around post-quantum signature scheme standardized today, has its downsides: it’s much larger on the wire, and many tricks we were able to perform with RSA and ECC simply cannot be done with ML-DSA. There are better post-quantum signature schemes on the horizon: last month, NIST announced that it is advancing nine post-quantum signature schemes to the third round of the “ signatures on-ramp ”. And a draft standard for FN-DSA (née Falcon), which was picked from the previous competition, is expected imminently. We have been very interested in advances in post-quantum signature algorithms, and wrote about the progress in 2021 , 2022 , 2024 , and 2025 . In this blog post we’ll treat you to the latest developments in great detail. But first we have to deal with the elephant in the room: These new signature algorithms will not be ready in time for the PQ transition — not even close, as we will see later on . The problem is arriving too soon for us to wait. ML-DSA is available today, and it will have to do for the first migration. As Eric Rescorla wrote in 2024: You go to war with the algorithms you have, not the ones you wish you had. Nonetheless, the search for better post-quantum signature algorithms is crucial for several reasons, and we firmly believe it is still the best use of NIST’s limited resources. Let’s have a look at the signature algorithms in detail. After that we’ll look at the timeline for their availability, and the reasons why we still need them. The signature algorithms In the table below, we compare the candidate signature algorithms that progressed to the third round (marked by 🤔), with classical algorithms vulnerable to quantum attack (marked by ❌), and the post-quantum algorithms that are already standardized ( ✅) or soon will be (📝). Each candidate proposes several variants. We list the most relevant variants to TLS, the protocol used to secure connections on the Internet. To explore all variants, check out Thom Wigger s' signatures zoo . Sizes (bytes) CPU time (lower is better) Family Name variant A Public key Signature Signing Verification Elliptic curves Ed25519 ❌ 32 64 0.15 1.3 Factoring RSA 2048 ❌ 272 256 80 0.4 Lattices ML-DSA 44 ✅ 1,312 2,420 1 (baseline) 1 (baseline) Symmetric SLH-DSA 128s ✅ 32 7,856 14,000 40 SLH-DSA 128f ✅ 32 17,088 720 110 SLH-DSA 128-24 📝 32 3,856 7,000,000 ⚠️ 4 LMS M24_H20_W8 ✅ 48 1,112 2.9 ⚠️ 8.4 Lattices FN-DSA 512 📝 897 666 3 ⚠️ 0.7 Lattices HAWK 512 🤔 1,024 555 0.25 1.2 Proof of knowledge MQOM L1-gf16-fast-5r 🤔 60 3,280 8 20 SDitH SDitH2-L1-gf2-fast 🤔 70 4,484 15 40 FAEST EM-128f 🤔 32 5,060 4.2 9 Isogeny SQIsign I 🤔 65 148 300 ⚠️ 50 Multivariate MAYO one 🤔 1,420 454 2.1 0.4 MAYO two 🤔 4,912 186 1.1 0.8 QR-UOV I-(127 156 54 3) 🤔 24,225 200 9.3 20 SNOVA (24,5,4) 🤔 1,016 248 1.2 1.7 SNOVA (25,8,3) 🤔 2,320 165 1 1.5 SNOVA (37,17,2) 🤔 9,842 124 0.8 1.3 UOV Is-pkc 🤔 66,576 96 0.3 2.4 UOV Ip-pkc 🤔 43,576 128 0.3 2 A few more remarks on this table: Most candidates have multiple variants in every security level. We show the most relevant variants for TLS at the 128-bit security level, the gold standard for security. CPU times are taken from the signatures zoo in June 2026, which collected them from the round two submission documents and later advances. Candidates are allowed to make changes for the third round, which will influence these numbers. Some will improve (both in compute and size), whereas others will regress to counter new attacks. Check out the zoo for the latest numbers. We marked FN-DSA and SQIsign signing with a ⚠️️, as both are hard to implement in a fast and timing side-channel secure manner. LMS signing has a ⚠️, as secure LMS signing requires keeping state across signatures, and the listed signing time assumes a 32MB cache. The 128-24 variant of SLH-DSA is marked with a ⚠️️ as it’s meant to create fewer than 2 24 signatures. No "all-star" algorithm One thing that stands out immediately is that the quantum-vulnerable elliptic curves signature algorithm Ed25519 is by far the best all-around choice (ignoring its quantum vulnerability): it has the best numbers in almost every single metric, including public key size, signature size, and signing time. It’s only beaten on verification time, but it’s more than fast enough for the vast majority of applications. This is quite different than the roster of post-quantum algorithms. Instead of a single "all-star" algorithm, we have roughly two categories of schemes: the "specialists" that approach our trusty elliptic curve signatures on some metrics, but are problematic on others, which

Key takeaways

The most important facts from this update.

NIST is advancing nine new post-quantum signature algorithms as potential candidates for future standardization

Why it matters

If you run self-hosted infrastructure, homelab services, or automation stacks, this update is worth tracking before you change production.

Homelab impact

If you run related services in your homelab, review whether this update affects your current deployment. Check compatibility with your Docker Compose files, reverse proxy config, or network setup before you upgrade production stacks.

What to do next

Practical steps for operators running self-hosted stacks.

Read the full release notes or changelog on the source site
Check whether your current version is affected
Test the update in a staging environment before you change production

This brief covers what you need from Cloudflare Blog's reporting. Visit the original post for release notes, changelogs, and full technical documentation.

Self HostingSecurityNetworking