00 Cryptography

ML-DSA-65

FIPS 204 — the post-quantum digital signature.

ML-DSA-65 is the NIST-standardized digital signature algorithm UltimaOS uses for authentication. Standardized as FIPS 204 in August 2024, it is one of the two lattice-based algorithms selected by NIST to replace RSA and ECDSA in the post-quantum era.

01 Overview

Section overview

Why a new signature algorithm.

01

RSA and ECDSA are quantum-broken

Shor's algorithm factors large integers and computes discrete logarithms in polynomial time on a quantum computer. A sufficiently large quantum computer would forge any RSA or ECDSA signature in seconds.

02

ML-DSA-65 is lattice-based

ML-DSA-65 (formerly Dilithium-3) derives its security from the hardness of finding short vectors in module lattices — a problem for which no efficient quantum algorithm is known. It is one of the most studied post-quantum signature schemes, with over a decade of cryptanalysis.

03

Standardized by NIST

FIPS 204 was published in August 2024 after an eight-year standardization process. The algorithm has been implemented, audited, and benchmarked across hundreds of independent research groups and reviewed by national agencies.

02 Details

Section details

How ML-DSA-65 works in UltimaOS.

Every account on UltimaOS has a long-term ML-DSA-65 key pair generated on first device setup. The private key never leaves the device. The public key is registered with the server at account creation and is the basis of every authenticated operation.

01

Account authentication

Sign-in challenges are signed with the user's ML-DSA-65 private key. The server verifies with the stored public key. No password is ever sent over the wire — the cryptographic proof replaces passwords entirely.

02

Invitation signatures

When a workspace admin invites a new member, the invitation token is signed with the admin's ML-DSA-65 key. The recipient verifies the signature on their device, ensuring the invitation came from a legitimate admin.

03

Audit log integrity

Administrative actions (member removal, role change, billing update) are signed with the actor's ML-DSA-65 key. The audit trail is append-only and the signatures make any tampering detectable.

04

Software update verification

Every UltimaOS update is signed with ML-DSA-65. Clients verify the signature before applying the update. A second, independent signature with SLH-DSA (FIPS 205) acts as a fallback in case ML-DSA-65 is ever broken.

03 Key points

Key takeaways

Practical considerations.

  1. 01

    Key generation is fast

    ML-DSA-65 key generation takes about 0.1 ms on a modern laptop. Account creation completes in under 200 ms total including server round-trip.

  2. 02

    Signatures are larger than ECDSA

    An ML-DSA-65 signature is 3,309 bytes — about 10x larger than a typical ECDSA signature (64 bytes). For a chat/workspace product this is invisible; for high-volume protocols it would matter.

  3. 03

    Verification is fast

    ML-DSA-65 signature verification is faster than signing and runs in well under 1 ms. The server can verify thousands of signatures per second per core.

  4. 04

    Public keys are 1,952 bytes

    ML-DSA-65 public keys fit in a single UDP packet. Account identifiers include a hash of the public key plus a short display name, keeping URLs and identifiers human-readable.

04b References

Authoritative sources

Standards and references.

05 Frequently asked

Common questions

Questions about ML-DSA-65.

What is ML-DSA-65?
Short answer

ML-DSA-65 (Module-Lattice-Based Digital Signature Algorithm, parameter set 65) is the NIST-standardized post-quantum digital signature scheme specified in FIPS 204. It is the lattice-based successor to RSA and ECDSA for the post-quantum era. (FIPS 204 spec)

What does the "65" mean in ML-DSA-65?
Short answer

The "65" refers to the NIST security level. ML-DSA-65 targets NIST Level 3 — equivalent in classical security terms to breaking AES-192, or roughly 192-bit security against classical attackers.

Is ML-DSA-65 the same as Dilithium?
Short answer

Yes. ML-DSA-65 is the standardized name; Dilithium was the name used during the NIST competition. The mathematical construction is identical.

How does ML-DSA-65 compare to RSA-2048?
Short answer

ML-DSA-65 has smaller keys than RSA-4096 and similar signing speed, with much faster verification. Unlike RSA-2048, ML-DSA-65 remains secure against quantum attackers. The main trade-off is signature size (3.3 KB vs ~256 bytes).

Can ML-DSA-65 signatures be forged by quantum computers?
Short answer

No efficient quantum algorithm is known for the module-lattice problems that ML-DSA-65 is based on. The algorithm has been studied for over a decade by the cryptographic community with no significant breaks.

What is FIPS 204?
Short answer

FIPS 204 is the Federal Information Processing Standard published by NIST in August 2024 that specifies ML-DSA. It is the formal standardization of the scheme.

Does UltimaOS also use classical signature algorithms?
Short answer

No. Classical signatures (RSA, ECDSA) are not used in UltimaOS for user-facing operations. Hash-based signatures (SLH-DSA, FIPS 205) are used as a second signature on software updates as a fallback.

What happens if ML-DSA-65 is broken?
Short answer

The team would migrate to a new signature scheme (likely the next NIST-standardized algorithm). UltimaOS software updates are already double-signed with SLH-DSA, providing an independent fallback channel.