🔔Post-Quantum Signatures: NIST's Second Wave
In August 2024, NIST finalized its first PQC standards: ML-KEM (key exchange), ML-DSA, and SLH-DSA (signatures). A third signature, Falcon (FN-DSA, FIPS 206), is still in draft.
Last week, NIST announced the nine candidates advancing to Round 3 of a parallel competition aimed at additional signature schemes, explicitly chosen to fill the gaps left by the first wave.
Each of the standardized signatures comes with sharp trade-offs. None of them is naturally suited to threshold signing, and all have signatures that are large compared to ECDSA's 64 bytes.
➡️ SLH-DSA (SPHINCS+, hash-based). The most conservative choice: its security rests only on the collision resistance of a hash function. The price is enormous signatures (7–50 KB!!!). It is the safest pick for very long-lived signatures (firmware, archival, and some blockchains such as QRL).
➡️ ML-DSA (Dilithium, lattice-based). Compact and fast; its lattice assumption, while elegant, is younger than hash-based assumptions. It is becoming the default for TLS, PKI, and most non-blockchain ecosystems (~2.4 KB signatures).
➡️ Falcon (FN-DSA, lattice-based). The smallest of the three (~666 B at NIST level I), which is why Algorand and Solana selected it. Its drawback: signing relies on floating-point arithmetic, which makes constant-time, side-channel-resistant implementations notoriously hard and error-prone. Its FIPS 206 standard is still in draft.
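To make the hash-based trade-off above concrete (security from a hash function alone, paid for in signature size), here is an added example that is not part of the original post and is not SLH-DSA: a toy Lamport one-time signature over SHA-256, written for this post. It assumes Python's standard library only; the key, signature and message names are illustrative. It shows why hash-based signatures are big (one hash-sized preimage per digest bit) and why the single-use limitation forces real schemes such as SLH-DSA into tree constructions.

```python
import hashlib
import secrets

HASH = hashlib.sha256
N = HASH().digest_size      # 32 bytes per preimage / hash output
BITS = N * 8                # 256 digest bits to commit to

def _bit(digest: bytes, i: int) -> int:
    """Return bit i (MSB-first) of a digest."""
    return (digest[i // 8] >> (7 - (i % 8))) & 1

def keygen(rng=secrets.token_bytes):
    """Lamport key pair: two random preimages per digest bit, public key = their hashes."""
    sk = [(rng(N), rng(N)) for _ in range(BITS)]            # constructed at random
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk

def sign(sk, message: bytes) -> list:
    """Reveal, for each digest bit, the preimage matching that bit's value."""
    digest = HASH(message).digest()
    return [sk[i][_bit(digest, i)] for i in range(BITS)]

def verify(pk, message: bytes, sig: list) -> bool:
    """Check every revealed preimage against the committed hash for that bit value."""
    if len(sig) != BITS:
        return False
    digest = HASH(message).digest()
    ok = True
    for i in range(BITS):
        # accumulate rather than early-return so verification time is data-independent
        ok &= HASH(sig[i]).digest() == pk[i][_bit(digest, i)]
    return ok

def signature_size_bytes(sig: list) -> int:
    """256 preimages x 32 bytes = 8192 bytes: the cost of relying only on a hash."""
    return sum(len(s) for s in sig)

def public_key_size_bytes(pk) -> int:
    """512 hashes x 32 bytes = 16384 bytes (real schemes shrink this with a Merkle root)."""
    return sum(len(a) + len(b) for a, b in pk)

def exposed_positions(sig_a: list, sig_b: list) -> int:
    """Digest positions where BOTH preimages are now public after two signatures
    under the same key; each one lets a forger choose that bit freely. This is
    why the scheme is strictly one-time and why SLH-DSA builds trees of them."""
    return sum(1 for a, b in zip(sig_a, sig_b) if a != b)

if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"firmware image v1.0 (constructed sample message)"
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig))
    print("signature bytes:", signature_size_bytes(sig))
    print("public key bytes:", public_key_size_bytes(pk))
    sig2 = sign(sk, b"firmware image v1.1 (constructed sample message)")
    print("preimage pairs exposed after reusing the key:", exposed_positions(sig, sig2))
```

The signature comes out at exactly 8192 bytes, in the same order of magnitude as SLH-DSA's smallest parameter set; SLH-DSA's extra machinery (WOTS+ chains, FORS, hypertree) exists to make a hash-only scheme many-time and stateless, not to make it small.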
🔍Most blockchains are leaning towards customized shorter versions of SLH-DSA.
NIST is organizing a second wave of standardization. The goal is twofold: shrink signature sizes and diversify the underlying mathematics so a single cryptanalysis breakthrough cannot break everything. The nine Round 3 finalists span five families:
🔸 Isogeny: SQIsign
🔸 Lattice: HAWK
🔸 MPC-in-the-Head: MQOM, SDitH
🔸 Multivariate: MAYO, QR-UOV, SNOVA, UOV
🔸 Symmetric-based: FAEST
Notably, no code-based scheme survived: both Round 2 candidates, LESS and CROSS, were dropped because of two attacks.
👉 Two candidates worth watching
⏩ SQIsign produces the smallest known post-quantum signatures by a wide margin: 148 B to 292 B (depending on the security level), with public keys under 130 bytes. It is the only PQC signature scheme today that even approaches the bandwidth profile of ECDSA, which makes it extremely attractive for blockchains, certificates, and firmware. The catch: isogeny-based cryptography is still young, signing is mathematically intricate, and side-channel hardening is an active research area.
⏩ HAWK is essentially "Falcon without the floating-point": a lattice hash-and-sign scheme producing 555 B signatures at NIST level I (smaller than Falcon's 666 B) that can be implemented purely with integer arithmetic, a major engineering win.
NIST has said the Round 3 review will last roughly two years and that any multivariate winners are unlikely to be standardized without yet another round. Realistically, the earliest a new signature standard will land alongside ML-DSA and SLH-DSA is 2028.
The urgency to migrate has grown sharply, yet the current standards still have significant drawbacks, and this last-minute selection round, while necessary, collides head-on with the migration timeline.