Monday, February 3, 2025

What is the Status of Quantum-safe Digital Signatures?


Bas Westerbaan, Research Engineer at Cloudflare

NIST selects 14 post-quantum signature algorithms for the second round of its competition, aiming to secure digital communications in the era of quantum computers. Learn about the challenges and implications for TLS.

In late October, the U.S. National Institute of Standards and Technology (NIST) announced that fourteen post-quantum algorithms for digital signatures have advanced to the second round of the “signatures on-ramp” competition.

These algorithms are designed to ensure the security of our digital communications in the future era of quantum computers. Four quantum-secure algorithms have previously been standardized: ML-DSA, SLH-DSA, XMSS, and LMS, while work on a fifth, Falcon, is ongoing. This article provides insight into the importance and status of quantum-secure digital signatures.

The role of digital signatures in TLS

When someone visits a website, a TLS (Transport Layer Security) connection is established between the browser and the server. The server signs the exchanged communication with a digital signature and presents a TLS leaf certificate to show that it is authorized to operate the website. This certificate is signed by a certificate authority (CA). Often, this is not done directly by the root CA but through an intermediate CA certificate.

In addition, a TLS leaf certificate must contain a minimum of two Signed Certificate Timestamps (SCTs), which show that the certificate was publicly registered in Certificate Transparency (CT) logs. This may increase to three or more SCTs in the coming years. Finally, the server may include an OCSP staple to demonstrate that the certificate has not been revoked. Thus, a minimum of five signatures and two public keys are sent over the network to establish a new TLS connection.

Different types of digital signatures

Within TLS, both online and offline digital signatures are used. The signature over the exchanged communication is generated online for every incoming TLS connection, so fast signing is essential. The other signatures are generated offline, often weeks, months, or years in advance, so the signing speed is less critical. With offline signatures, fast verification is more important than fast signing.


Evaluation of quantum secure signatures

The fourteen algorithms that reached the second round of NIST’s competition vary in performance and size. A key challenge is that many algorithms have much larger signatures and public keys than classical algorithms such as RSA or ECDSA. This leads to an increase in the amount of data sent over the network during the TLS handshake, which can affect performance. 

The lattice-based ML-DSA (formerly Dilithium) has relatively large signatures and public keys but is simple to implement and requires little computing power. SLH-DSA (previously SPHINCS+) is based on hash functions and thus enjoys high confidence in security but has large signatures and requires more computing power for signing and verification. Falcon offers smaller signatures and fast verification but requires complex and subtle implementation for secure signing, making it less suitable for online digital signatures. 

Impact on the TLS handshake

As mentioned, adding larger quantum-secure signatures to the TLS handshake can greatly increase the amount of data sent during the handshake. Experiments show that over half of the data sent over current QUIC connections already consists of certificates. Adding even larger digital signatures will further increase this overhead, which could adversely affect connection performance.
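To put numbers on the "five signatures and two public keys" described above, the following added example (not part of the original article) totals the raw key and signature bytes per handshake for several algorithm choices, including a mixed deployment that keeps Falcon to offline signing. The byte sizes come from the published parameter sets rather than from this article, the function name is hypothetical, and certificate encoding overhead is ignored.

```python
"""Raw signature and public-key bytes in one TLS handshake (added example)."""

# (public key bytes, signature bytes) per parameter set, taken from the
# published specifications; these figures are not from the article itself.
SIZES = {
    "Ed25519": (32, 64),
    "RSA-2048": (256, 256),
    "ML-DSA-44": (1312, 2420),
    "Falcon-512": (897, 666),      # 666 is the padded (fixed-length) size
    "SLH-DSA-128s": (32, 7856),
}


def handshake_auth_bytes(online, offline, scts=2, ocsp=False):
    """Break down authentication bytes for one handshake.

    online  -- algorithm of the leaf key, which signs every handshake
    offline -- algorithm used by the CAs, CT logs and OCSP responder
    """
    online_pk, online_sig = SIZES[online]
    offline_pk, offline_sig = SIZES[offline]
    # Offline signatures: on the leaf certificate, on the intermediate
    # certificate, one per SCT, and optionally one on the OCSP response.
    n_offline = 2 + scts + (1 if ocsp else 0)
    parts = {
        "public_keys": online_pk + offline_pk,   # leaf + intermediate
        "online_signature": online_sig,
        "offline_signatures": n_offline * offline_sig,
    }
    parts["total"] = sum(parts.values())
    return parts


if __name__ == "__main__":
    scenarios = [
        ("Ed25519", "Ed25519"),
        ("RSA-2048", "RSA-2048"),
        ("ML-DSA-44", "ML-DSA-44"),
        ("ML-DSA-44", "Falcon-512"),   # Falcon kept to offline signing only
        ("SLH-DSA-128s", "SLH-DSA-128s"),
    ]
    for online, offline in scenarios:
        b = handshake_auth_bytes(online, offline)
        print(f"{online:>12} online / {offline:<12} offline: "
              f"{b['total']:>6} bytes ({b['offline_signatures']} offline)")
```

Raising `scts` to 3 or setting `ocsp=True` shows how each extra offline signature adds a full signature's worth of bytes to every handshake.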

Future challenges

Although the migration to quantum-secure cryptography for digital signatures is less urgent than that to quantum-secure key exchange, it will be more challenging in practice. This is due to the complexity of associated certificate management, the sizes of signatures, and the involvement of multiple parties, such as different certification authorities, browsers, and servers. 


Good performance is essential to the success of quantum secure cryptography for TLS. As a result, fundamental changes to TLS are now being discussed to reduce the number of digital signatures. The next few years will be crucial for evaluating and standardizing these algorithms and changes to TLS to ensure that all of our Internet communications remain secure in the future with quantum computing. Additional information can be read in the more extensive blog.
