PQ Visualizer

Guide

Dilithium vs Falcon vs SPHINCS+

Quick answer: Falcon has the smallest signatures of these three; Dilithium (ML-DSA) is a common first migration choice, with the most mature finalized standard (FIPS 204) and tooling of the three today; and SPHINCS+ (SLH-DSA) is the hash-based option, with the largest signatures and the most niche production use.

Comparison table

Signature size ranges use representative values from this project's dataset and referenced standards. Falcon signatures are variable-length; sizes shown are typical averages. Scope is limited to these three NIST-selected signature families.

| Family | Standard | Typical signature size | Strengths | Tradeoffs |
|---|---|---|---|---|
| Dilithium | ML-DSA (FIPS 204) | 2,420-4,627 bytes | Fast operations; mature FIPS 204 ecosystem | Larger signatures than Falcon |
| Falcon | FN-DSA (in progress) | 666-1,280 bytes | Smallest signatures among selected PQ signatures | More complex implementation and hardening |
| SPHINCS+ | SLH-DSA (FIPS 205) | 7,856-29,792 bytes | Conservative hash-based assumptions | Very large signatures and bandwidth/storage overhead |

How to choose in practice

These are heuristics for planning, not a substitute for protocol review, threat modeling, or a formal security audit.

  • Choose Dilithium (ML-DSA) when you want a standardized, general-purpose PQ signature and can accept multi-kilobyte signatures (about 2.4-4.6 KB). Dilithium is not small compared to classical schemes like Ed25519; it is the middle ground among these three NIST-selected families (smaller than SPHINCS+, larger than Falcon). Teams often start here because FIPS 204 is finalized, library and protocol support is among the strongest today, and implementation risk is generally considered lower than Falcon. That is why it is a common first migration choice, not because it has the smallest signatures.
  • Choose Falcon when signature size is a hard constraint and you will rely on a well-audited, constant-time implementation from a reputable library, not a from-scratch port. Falcon is still awaiting FIPS 206 finalization; treat ecosystem maturity as part of the decision.
  • Choose SPHINCS+ (SLH-DSA) when you explicitly want hash-only assumptions (FIPS 205) and signing volume is low enough that multi-kilobyte to tens-of-kilobyte signatures are acceptable. It is a niche choice today, not the default for high-volume services. It is sometimes considered for root CAs, firmware, or code signing, where signatures are infrequent and conservative assumptions matter more than bandwidth.

Operational impact checklist

Network

Larger signatures increase request/response sizes and can affect mobile and high-volume APIs.

Storage

At scale, signature bytes become a meaningful infrastructure cost driver.

Protocol fit

Verify compatibility with certificates, message formats, and legacy boundary systems.

Implementation risk

Prefer options your team can implement, test, and monitor confidently.
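
A planning sketch for the Network and Storage items above, as an added example that is not part of the PQ Visualizer project: it applies the size ranges and standard status from the comparison table to a workload. The workload figures (signatures per day, retention, signatures per message, byte budget) and the function names are hypothetical.

```python
# Added example. Size ranges (bytes) and standard status are copied from the
# comparison table above; Falcon sizes are typical averages (variable-length).
FAMILIES = {
    "Dilithium": {"sig": (2420, 4627), "finalized": True, "hash_only": False},
    "Falcon": {"sig": (666, 1280), "finalized": False, "hash_only": False},
    "SPHINCS+": {"sig": (7856, 29792), "finalized": True, "hash_only": True},
}


def plan(sigs_per_day, retention_days, sigs_per_message, message_budget,
         need_finalized=False, need_hash_only=False):
    """Estimate signature overhead per family for a hypothetical workload.

    message_budget is the number of bytes one message may spend on signatures
    (for example a certificate chain carrying sigs_per_message signatures).
    """
    report = {}
    stored = sigs_per_day * retention_days  # signatures kept at steady state
    for name, fam in FAMILIES.items():
        lo, hi = fam["sig"]
        excluded = []
        if need_finalized and not fam["finalized"]:
            excluded.append("standard not finalized")
        if need_hash_only and not fam["hash_only"]:
            excluded.append("not hash-only")
        # Rule a family out on size only if even the low end overflows.
        if lo * sigs_per_message > message_budget:
            excluded.append("low end of size range exceeds message budget")
        report[name] = {
            "per_message": (lo * sigs_per_message, hi * sigs_per_message),
            "storage": (lo * stored, hi * stored),
            "largest_fits": hi * sigs_per_message <= message_budget,
            "excluded": excluded,
        }
    return report


def viable(report):
    """Names of families with no exclusion reason, smallest footprint first."""
    ok = [n for n, r in report.items() if not r["excluded"]]
    return sorted(ok, key=lambda n: report[n]["per_message"][0])


if __name__ == "__main__":
    # Constructed workload: 1M signatures/day kept 365 days, 3 signatures per
    # message, 8 KiB of each message available for signatures.
    rep = plan(1_000_000, 365, 3, 8192, need_finalized=True)
    for name, r in rep.items():
        print(name, r["per_message"], r["storage"], r["excluded"] or "ok")
    print("viable:", viable(rep))
```

A family that passes with `largest_fits` set to false fits only at the lower end of its size range, so the security level you need still has to be checked against the budget.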

Sources

  • FIPS 204: Module-Lattice-Based Digital Signature Standard (ML-DSA / Dilithium)
  • FIPS 205: Stateless Hash-Based Digital Signature Standard (SLH-DSA / SPHINCS+)
  • NIST Post-Quantum Cryptography Project
  • Open Quantum Safe (liboqs)