Post-Quantum
Signature Size Explorer
Discover how massive post-quantum cryptography signatures really are. Interactive visual comparison of Dilithium, Falcon, SPHINCS+, and classical algorithms.
Select algorithms
Quick comparisons:
Visual comparison
Select algorithms to compare
Why does this matter?
Post-quantum cryptography is coming. Understanding the tradeoffs is important for developers and organizations.
Network bandwidth
Larger signatures mean more data transmitted. A SPHINCS+ signature can be tens of KB versus a 64-byte Ed25519 signature, which has major implications for network protocols, APIs, and mobile applications.
Storage costs
Blockchain and distributed systems store signatures permanently. Millions of transactions with multi-KB signatures add up fast. This can increase storage requirements by an order of magnitude or more.
Performance impact
TLS handshakes, certificate chains, and authentication protocols all use signatures. Larger signatures mean more parsing, validation, and transmission time.
The post-quantum transition
In 2023, NIST published the first post-quantum FIPS standards. While large-scale quantum computers are likely still a decade or more away, organizations need to begin planning migration now because of "harvest now, decrypt later" risks and the lengthy transition process.
Dilithium is widely viewed as a strong balance of security and signature size for many applications. Falcon offers smaller signatures but with more complex implementation considerations. SPHINCS+ provides conservative, hash-based security with much larger signatures.
The choice isn't just about security. It's about infrastructure, bandwidth, storage, and cost. This tool helps you visualize the real-world tradeoffs.
Frequently Asked Questions
Why are post-quantum signatures so much larger than classical ones?
Classical algorithms like Ed25519 rely on the difficulty of factoring large numbers or elliptic curve discrete logarithms. Post-quantum algorithms (like Dilithium) use lattice-based or hash-based problems that require significantly more data to provide the same security level against quantum attacks.
What is the difference between ML-DSA and SLH-DSA?
ML-DSA (Module-Lattice-Based Digital Signature Algorithm), formerly known as Dilithium, is optimized for speed and relatively small signature sizes. SLH-DSA (Stateless Hash-Based Digital Signature Algorithm), formerly SPHINCS+, is a more conservative choice based on the security of hash functions, but results in much larger signatures.
Which post-quantum algorithm has the smallest signature?
Among the NIST-standardized algorithms, Falcon (to be standardized as FIPS 206) offers the smallest signatures, with Falcon-512 averaging around 666 bytes. However, it is more complex to implement securely compared to Dilithium.
When should I migrate to post-quantum cryptography?
Organizations should begin planning now, especially for systems with long-lived data. While cryptographically relevant quantum computers don't exist yet, the "harvest now, decrypt later" risk means that data encrypted today could be vulnerable in the future.
Sources and references
All signature and key sizes are sourced from official NIST PQC standardization documents and reference implementations. Data is accurate as of January 2026.
Sizing notes: signature sizes are raw bytes (some schemes are variable-length). Public key sizes are representative values, and real-world formats can add encoding overhead.
NIST standards
- • FIPS 204: Module-Lattice-Based Digital Signature Standard (ML-DSA / Dilithium)
- • FIPS 205: Stateless Hash-Based Digital Signature Standard (SLH-DSA / SPHINCS+)
Reference implementations
- • Open Quantum Safe (liboqs) - openquantumsafe.org
- • NIST PQC Project - csrc.nist.gov
- • PQC Algorithm Specifications - Official submission documents
Algorithm-specific references
Dilithium (ML-DSA): Signature sizes from NIST FIPS 204 Table 2. ML-DSA-44: 2,420 bytes, ML-DSA-65: 3,309 bytes, ML-DSA-87: 4,627 bytes.
Falcon: Average signature sizes from falcon-sign.info. Falcon-512: ~666 bytes, Falcon-1024: ~1,280 bytes (variable length). NIST-selected; awaiting FIPS 206 finalization.
SPHINCS+ (SLH-DSA): Sizes from NIST FIPS 205. SPHINCS+-128s: 7,856 bytes, SPHINCS+-128f: 17,088 bytes, SPHINCS+-256s: 29,792 bytes.
Ed25519: 64-byte signatures, 32-byte public keys from RFC 8032.
ECDSA P-256: 64-byte raw signatures (DER encoding is larger).
RSA-2048: 256-byte signatures from PKCS#1 standard.