Dilithium vs Falcon: choosing a post-quantum signature
Dilithium (standardized as ML-DSA, FIPS 204) and Falcon (being standardized as FN-DSA) are both NIST-selected lattice-based post-quantum signature schemes. They solve the same problem and rest on related lattice hardness assumptions, but they make different trade-offs in signature size, speed and, crucially, implementation difficulty.
Size versus implementation risk
Falcon’s headline advantage is compactness: its signatures and public keys are markedly smaller than Dilithium’s, which matters when bandwidth or storage is tight. The catch is that Falcon relies on floating-point Gaussian sampling that is notoriously hard to implement in constant time. A subtle timing leak can expose the key. Dilithium was deliberately designed to avoid floating point, making it far easier to implement safely across platforms.
Speed and profile
Dilithium offers fast, uniform signing and verification with a straightforward, side-channel-friendly implementation, which is why it is the general-purpose default. Falcon verification is fast and its small signatures suit constrained protocols, but signing is more delicate. In short: Dilithium optimizes for safe, portable implementation; Falcon optimizes for signature size at the cost of implementation care.
How to choose
Default to Dilithium (ML-DSA) unless you have a specific, measured reason to minimize signature size, for example a bandwidth-critical protocol where every byte counts and you have a vetted, constant-time Falcon implementation. Per NIST, both are resistant to known classical and quantum attacks, which is not the same as unbreakable. For most developers, the easier-to-implement scheme is the safer scheme, and that is Dilithium.
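One way to turn "a specific, measured reason" into a check, as an added example that is not code from the original page or from either scheme's authors. The function names, the byte budget and the chain model (each certificate carries one public key and one signature, plus one handshake signature) are assumptions; the ML-DSA sizes are from FIPS 204 and the Falcon sizes from the Falcon round-3 specification, so final FN-DSA values may differ.

```python
# Added example (not from the original page). Sizes in bytes.
# ML-DSA: FIPS 204. Falcon: round-3 specification, padded signatures;
# the final FN-DSA standard may differ. "level" is the NIST security category.
SIZES = {
    "ML-DSA-44":   {"pk": 1312, "sig": 2420, "level": 2},
    "ML-DSA-65":   {"pk": 1952, "sig": 3309, "level": 3},
    "ML-DSA-87":   {"pk": 2592, "sig": 4627, "level": 5},
    "Falcon-512":  {"pk": 897,  "sig": 666,  "level": 1},
    "Falcon-1024": {"pk": 1793, "sig": 1280, "level": 5},
}


def auth_bytes(scheme, chain_len):
    """Signature-related bytes on the wire (assumed model): every certificate
    carries one public key and one signature, plus one handshake signature."""
    s = SIZES[scheme]
    return chain_len * (s["pk"] + s["sig"]) + s["sig"]


def smallest(family, min_level, chain_len):
    """Smallest parameter set of a family that meets the security category."""
    ok = [n for n, s in SIZES.items()
          if n.startswith(family) and s["level"] >= min_level]
    return min(ok, key=lambda n: auth_bytes(n, chain_len)) if ok else None


def choose(min_level, chain_len, budget, vetted_falcon=False):
    """Return (scheme, bytes, fits_budget) following the page's rule:
    ML-DSA by default; Falcon only when ML-DSA measurably exceeds the byte
    budget AND a vetted constant-time Falcon implementation is available."""
    default = smallest("ML-DSA", min_level, chain_len)
    if default is None:
        raise ValueError("no parameter set meets the requested category")
    cost = auth_bytes(default, chain_len)
    if cost <= budget or not vetted_falcon:
        return default, cost, cost <= budget
    alt = smallest("Falcon", min_level, chain_len)
    if alt is not None and auth_bytes(alt, chain_len) <= budget:
        return alt, auth_bytes(alt, chain_len), True
    return default, cost, False  # Falcon does not fit either: stay on default


if __name__ == "__main__":
    # Constructed scenarios: 2-certificate chain, three budgets/conditions.
    for args in [(2, 2, 16000, False), (2, 2, 4000, False), (1, 2, 4000, True)]:
        print(args, "->", choose(*args))
```

A result with fits_budget set to False on an ML-DSA scheme means the budget is exceeded but no vetted Falcon option qualifies, so the protocol or chain length needs attention before the signature scheme does.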