Algorithm Comparison

Side-by-side comparison of the three NIST post-quantum cryptography standards. Real-world parameter sizes at their recommended security levels.

Property	ML-KEM-768	ML-DSA-65	SLH-DSA-128s
Type	KEM	Signature	Signature
Standard	FIPS 203	FIPS 204	FIPS 205
Security Basis	MLWE lattice	MLWE lattice	Hash functions
Security Level	NIST Level 3	NIST Level 3	NIST Level 1
Public Key Size	1.2 KB	1.9 KB	32 B
Secret Key Size	2.3 KB	3.9 KB	64 B
Sig / Ciphertext Size	1.1 KB(ciphertext)	3.2 KB(signature)	7.7 KB(signature)

Size Comparison

ML-KEM-7681.2 KB

ML-DSA-651.9 KB

SLH-DSA-128s32 B

ML-KEM-768

Lattice-based key encapsulation for secure key exchange. Fast operations, moderate key sizes.

Strengths

+Fast encapsulation/decapsulation
+Moderate sizes
+Well-studied lattice assumptions

Trade-offs

-Larger keys than classical ECDH
-Relatively new standard

ML-DSA-65

Lattice-based digital signatures using Fiat-Shamir with Aborts. Good balance of speed and size.

Strengths

+Fast signing and verification
+Reasonable signature sizes
+Shared lattice foundation with ML-KEM

Trade-offs

-Larger signatures than classical ECDSA
-Non-deterministic signing (rejection sampling)

SLH-DSA-128s

Hash-based signatures with minimal security assumptions. Tiny keys but large signatures.

Strengths

+Smallest public keys
+Conservative security (hash-only)
+Stateless design

Trade-offs

-Very large signatures
-Slower signing
-Higher bandwidth requirements

When to Use What?

ML-KEM is for key exchange (replacing ECDH/RSA key transport). Use it when establishing shared secrets in TLS, VPNs, or messaging protocols.

ML-DSA is the general-purpose signature scheme (replacing ECDSA/RSA signatures). Best for certificates, code signing, and authentication where bandwidth is not extremely constrained.

SLH-DSA is the conservative choice relying only on hash function security. Prefer it when you need minimal cryptographic assumptions and can tolerate larger signatures (e.g., firmware signing, long-term document signatures).