Project Eleven is proud to announce a new, open-source effort to accelerate the performance of post-quantum cryptographic signature schemes without sacrificing security.
In collaboration with JP Aumasson (Taurus) and Zooko Wilcox (Zcash), creators of the BLAKE3 family of hash functions, we’ve launched a new initiative called Suite-B that leverages BLAKE3's high-performance hashing to create faster variants of the NIST standard PQ algorithms. Our first protocol, ML-DSA-B, is a drop-in variant of the NIST-standardized ML-DSA (formerly CRYSTALS-Dilithium).
Post-quantum signature schemes like ML-DSA and SLH-DSA are foundational to the future of secure blockchains, messaging platforms, identity protocols, and financial infrastructure. But their performance overhead has remained a major bottleneck for adoption.
- Hashing dominates runtime. In current implementations, 60–80% of signature generation and verification time is spent inside the hash function.
- BLAKE3 is fast. On modern CPUs and GPUs, BLAKE3 outperforms SHA2 and SHA3, while preserving strong cryptographic properties (second preimage resistance, PRF behavior).
- Security is preserved. ML-DSA-B achieves the same level of existential unforgeability under standard assumptions, only faster.
Although ML-DSA's security rests on the hardness of lattice-based problems, it invokes cryptographic hash functions frequently during both signing and verification. In the standard implementation, ML-DSA relies on the SHAKE hash function for:
- Expanding a seed into a full public key
- Randomness sampling
- Challenge generation
ML-DSA-B replaces calls to SHAKE with BLAKE3, the fastest widely deployed cryptographic hash algorithm.
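To make the seed-expansion step above concrete, here is an added example (not code from the ML-DSA-B repository) of the matrix expansion defined in FIPS 204, written so the XOF is a parameter. The page does not say how ML-DSA-B wires BLAKE3 in, and BLAKE3 is not in Python's standard library, so `standin_xof` (SHAKE256) is an assumed placeholder for "a different XOF"; the function names are hypothetical.

```python
import hashlib
from typing import Callable, List

Q = 8380417   # ML-DSA modulus q = 2^23 - 2^13 + 1
N = 256       # coefficients per polynomial
Xof = Callable[[bytes, int], bytes]   # (input, n) -> first n bytes of the output stream

def shake128(data: bytes, n: int) -> bytes:
    """The XOF that FIPS 204 uses for matrix expansion."""
    return hashlib.shake_128(data).digest(n)

def standin_xof(data: bytes, n: int) -> bytes:
    """Placeholder for a replacement XOF (SHAKE256 here, NOT BLAKE3: demo assumption)."""
    return hashlib.shake_256(data).digest(n)

def rej_ntt_poly(xof: Xof, seed: bytes) -> List[int]:
    """Rejection-sample N coefficients in [0, Q) from 3-byte chunks of the XOF stream."""
    coeffs: List[int] = []
    stream, pos = xof(seed, 840), 0          # 840 bytes = 280 candidates
    while len(coeffs) < N:
        if pos + 3 > len(stream):            # rare: ask for a longer prefix of the stream
            stream = xof(seed, len(stream) + 840)
        b0, b1, b2 = stream[pos:pos + 3]
        pos += 3
        z = ((b2 & 0x7F) << 16) | (b1 << 8) | b0   # 23-bit candidate
        if z < Q:                            # discard candidates outside [0, Q)
            coeffs.append(z)
    return coeffs

def expand_a(xof: Xof, rho: bytes, k: int, l: int) -> List[List[List[int]]]:
    """Derive the k x l public matrix from the 32-byte seed rho, one XOF call per entry."""
    return [[rej_ntt_poly(xof, rho + bytes([s, r])) for s in range(l)]
            for r in range(k)]

def matrices_differ(rho: bytes, k: int, l: int) -> bool:
    """True when swapping the XOF changes the matrix derived from the same seed."""
    return expand_a(shake128, rho, k, l) != expand_a(standin_xof, rho, k, l)

if __name__ == "__main__":
    rho = bytes(range(32))                   # constructed sample seed
    a = expand_a(shake128, rho, 6, 5)        # ML-DSA-65 dimensions: 30 XOF calls
    print(len(a), len(a[0]), a[0][0][:4], matrices_differ(rho, 6, 5))
```

The same seed yields a different matrix under a different XOF, so signer and verifier have to agree on which variant is in use.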
Our Rust implementation of ML-DSA-B (a fork of RustCrypto’s signature suite) shows:
- Up to 60× speedup in message pre-hashing
- Up to 20% faster signing times
- Up to 30% faster verification times

Performance varies by platform, but the biggest gains are on x86_64 architectures (widely used by both Intel and AMD). Even on Apple silicon, which features a native instruction set for SHAKE acceleration, the pre-hashing advantage for ML-DSA-B remains significant, especially for larger message sizes.
ML-DSA-B introduces a small change with outsized impact: it gives protocol designers, blockchain developers, and cryptographic engineers a tool that’s easier to deploy at scale, without compromising safety. For distributed systems like public blockchains, with heterogeneous infrastructure that already strains under classical cryptography, even a marginal performance gain makes a huge difference.
Our mission at Project Eleven is to build future-proof cryptography and tools for the post-quantum era. By pushing the boundaries of performance, we hope to minimize the tradeoff for organizations and protocols that might otherwise hesitate to transition to PQC.
ML-DSA-B isn't the end of the story. It's the beginning of a new era of PQ cryptography that prioritizes both performance and real-world security. From here, we aim to:
- Create SLH-DSA-B, a BLAKE3-optimized variant of SLH-DSA (formerly SPHINCS+)
- C implementations for embedded platforms and hardware wallets
- Test vectors & standardization hooks
We’re excited to support this effort, and welcome contributors and collaborators. The repo is open source and available here.