Are Emerging PQ Signature Schemes Better for Blockchains?

Post-quantum (PQ) digital signatures are an increasingly relevant topic in the blockchain world. Why? Because almost all blockchains rely on classical cryptographic signatures (e.g. ECDSA, Schnorr) that could be broken by future quantum computers. To stay secure long-term, blockchains will need to switch to quantum-resistant signature schemes. NIST has already standardized three PQ signature algorithms, but new candidates are currently under consideration that might offer advantages for blockchain use. Are these emerging schemes (like SQIsign, FAEST, and HAWK) actually better for blockchains than the current standards (ML-DSA, FN-DSA, SLH-DSA)?

The Current Standard PQ Signatures

After a multi-year evaluation process, NIST selected three signature schemes to standardize for post-quantum security. Each takes a very different approach to digital signatures:

  • ML-DSA (CRYSTALS-Dilithium): A lattice-based scheme. ML-DSA is the “all-rounder”: it has relatively small keys and signatures (a few kilobytes) and is very fast to sign and verify. It’s considered one of the most practical choices and is expected to be widely adopted. The downside? A 2–3 KB signature is much larger than an ECDSA signature (64 bytes), which means transactions will bloat in size compared to today.
  • FN-DSA (Falcon): Another lattice-based scheme. FN-DSA’s forte is compact signatures, on the order of ~0.7 KB, even smaller than ML-DSA’s. Verification in FN-DSA is fast (great for nodes that must verify many transactions quickly). However, FN-DSA’s signing algorithm is more complex. This complexity makes it a bit slower to sign and trickier to implement without flaws. For blockchains, FN-DSA’s smaller signature size is attractive, though its implementation complexity might be a headache for developers.
  • SLH-DSA (SPHINCS+): A stateless hash-based signature scheme. SLH-DSA doesn’t rely on lattices or any “algebraic” problem; it only needs a secure hash function. This makes it ultra-conservative (even if quantum maths breakthroughs undermine lattices, SLH-DSA should remain solid). The trade-off? Considerable signature sizes (on the order of 5–15 KB) and slower performance, since signing and verifying require computing many hash operations. In a blockchain context, a 10 KB signature per transaction is a tough pill to swallow. Blocks would grow enormous, and verifying many signatures would be time-consuming. SLH-DSA is often viewed as a backup plan: very secure, but used only if more efficient options aren’t trusted.

In summary, the standardised PQ signatures each have pros and cons for blockchain use. ML-DSA and FN-DSA are efficient, but both rely on lattice assumptions. SLH-DSA has massive signatures but offers a different, non-lattice security foundation. Enter the new contenders – could they give us the best of both worlds (smaller signatures, fast performance, and diverse assumptions)?

New Kids on the Block: Emerging PQ Signature Schemes

Researchers are continually proposing new PQ signature schemes, and a few have garnered attention as potential improvements or alternatives for use in blockchains. Let’s look at three notable ones: SQIsign, FAEST, and HAWK. Each brings something unique to the table.

SQIsign: Tiny Signatures from Isogenies

What it is: SQIsign is an isogeny-based signature scheme. It leverages the mathematics of supersingular isogenies (think of puzzles based on finding paths between elliptic curves). Isogeny cryptography was famous for having tiny key sizes. (For example, the SIKE key exchange had keys only a few hundred bytes long.) SQIsign follows suit by producing extremely compact signatures and keys, potentially on the order of just a few dozen bytes, which is smaller than even current Bitcoin signatures!

Why it could be great for blockchains: The small size (compared with other PQ schemes!) is the big appeal. In a blockchain, every byte counts (affecting transaction throughput and storage). SQIsign’s minimal signature size means transactions wouldn’t blow up in size. You could fit many more signatures into a block without increasing the block’s kilobyte count by much. This could make PQ security far less burdensome on network bandwidth and blockchain storage. Furthermore, SQIsign is based on a fundamentally different hardness assumption (isogeny problems) than lattices or hashes, adding diversity to our cryptographic toolkit.

Challenges and cons: SQIsign is still very experimental. The scheme is quite complex under the hood, and current implementations are much slower at signing and verifying compared to lattice-based schemes. Isogeny operations (the maths needed to create and verify signatures) take a lot of computation, likely orders of magnitude more time than ML-DSA or FN-DSA for a single signature. This means that while an SQIsign signature would hardly dent your block size, verifying thousands of them might strain your node’s CPU. Another concern: the isogeny field suffered a setback when a related scheme (the SIKE key exchange) was broken by cryptanalysts. SQIsign’s core mathematical problem hasn’t been broken, but confidence in isogeny-based crypto took a hit, and researchers are scrutinising it closely. In short, SQIsign could be a game-changer in theory, but both its security and its performance optimisations need to be considered carefully before anyone should rely on it.

FAEST: Signatures Built on AES (Symmetric Security)

What it is: FAEST is a signature scheme that takes a very different approach: it’s built on symmetric cryptography (like AES) combined with zero-knowledge proofs. You can think of FAEST as a cousin of the Picnic signature family that was an alternate candidate in the NIST process. Instead of hard maths problems like lattices, FAEST’s security comes from the assumed security of a block cipher (the AES encryption algorithm). The signer essentially proves “I know a secret key that, when plugged into AES, produces this specific output,” without revealing the key. This proof, made non-interactive via the Fiat-Shamir transform, is the signature.

Why it could be great for blockchains: The security assumption is simple and reassuring: if you trust that AES (with a big key) resists all attacks (even quantum ones, aside from brute force), you can trust FAEST. This diversity is good in case future quantum algorithms undermine lattices; FAEST would remain standing so long as AES is secure. Furthermore, FAEST keys can be extremely small (just an AES key and some randomness, perhaps just 16 or 32 bytes for the public key). Signature sizes are larger than ML-DSA’s but still in the few kilobyte range, potentially comparable to or a bit more than ML-DSA (exact sizes depend on parameters, but we might be talking on the order of 5 KB or so for 128-bit security). Importantly, FAEST is designed to be efficient on modern hardware: since it leans on AES, it can take advantage of hardware acceleration (AES instructions available on most CPUs). This means signing and verifying might be reasonably fast, perhaps on the order of milliseconds, not seconds. In a blockchain, where a node might have to verify hundreds or thousands of signatures per block, using a scheme that can leverage hardware acceleration could be a plus.

Challenges and cons: While smaller than SLH-DSA, the signatures are still much bigger than FN-DSA’s or current ECDSA. A few kilobytes per signature will add up if you have lots of transactions. Performance-wise, FAEST is more compute-heavy than lattice schemes: each signature involves many AES computations and a fairly complex zero-knowledge proof protocol. Even with hardware help, verifying many FAEST signatures back-to-back could tax a node’s CPU more than, say, verifying the same number of ML-DSA signatures. Another consideration is that FAEST (and Picnic-like schemes) are relatively new and haven’t received much cryptanalysis in the wild. The cryptographic community has studied lattice problems for decades, whereas the security of these proof-based schemes rests on subtleties of the protocols (e.g. ensuring there are no side channels or subtle flaws in the zero-knowledge proof soundness). For blockchain devs, that means FAEST is promising, but not yet as mature or widely implemented as the NIST-approved algorithms. It might be a bit early without further vetting and standardization.

HAWK: A Fresh Take on Signatures (Multivariate Maths?)

What it is: HAWK is another emerging post-quantum signature scheme that has been getting attention. HAWK’s design is based on a different class of mathematical problems, likely multivariate polynomial equations (or something non-lattice, non-isogeny). You can loosely relate it to the family of multivariate cryptography (which included earlier schemes like Rainbow). Multivariate signatures involve creating and solving random-looking polynomial equations as the secret trapdoor. Historically, these schemes can produce very small signatures and fast signing/verification. HAWK appears to be a modern attempt at a secure multivariate scheme, possibly introduced to address weaknesses that broke older ones.

Why it could be great for blockchains: If HAWK follows the pattern of multivariate schemes, it could have tiny signature sizes (maybe on the order of a few hundred bytes or less) and very fast signing and verifying (essentially just evaluating low-degree polynomials, which is computationally cheap). This means a blockchain using HAWK might enjoy signature sizes in the same ballpark as current ECDSA or Ed25519 signatures, keeping transaction size bloat to a minimum. Verification speed is crucial for blockchain scalability – and here HAWK could shine, allowing each node to verify transactions quickly without heavy computation. In addition, HAWK is not lattice-based, offering an alternative security assumption. For risk-averse blockchain designers, having an efficient non-lattice option is attractive (as a hedge against any future lattice-breaking advances).

Challenges and cons: Multivariate schemes have had a rocky history – for instance, the much-hyped Rainbow signature was eventually broken. The security of HAWK’s mathematical problem needs more scrutiny to be confident it truly withstands quantum attacks and classical cryptanalysis. One common issue with multivariate signatures is public key size: the public key (which can be thought of as a set of polynomial equations) can be very large, often tens or hundreds of kilobytes. If HAWK hasn’t found a clever way to compress the public key, this could be a concern for blockchains. (Imagine needing to post a 100 KB public key on-chain the first time an address is used; that’s significant overhead.) There are techniques like deriving the public key from a smaller seed, but it’s not always straightforward. Another con: HAWK is brand new on the scene. It likely hasn’t been through rigorous standardization processes yet. Early performance claims might not hold up in real-life implementations or might require a lot of optimization work. For blockchain devs, this means that while HAWK is exciting on paper, it’s not plug-and-play. It needs time to mature, and its advantages would have to clearly outweigh those of ML-DSA or FN-DSA to justify switching over in a critical system like a blockchain.

Comparing Key Features

To summarize the key characteristics of these schemes, here’s a quick comparison of the standardized options versus the new candidates (for roughly equivalent security levels around 128-bit quantum security):

[Table: PQ Algorithm Comparison]

Table: Rough comparison of PQ signature schemes. Sizes and speeds are approximate and depend on parameter choices. “Fast” means on the order of milliseconds or less per signature; “Slow” could be much higher. (TPS = transactions per second capability.)

As the table shows, the new schemes aim to combine the strengths of different approaches, but each comes with its own trade-offs. Now, let’s address the big question: should blockchains consider these emerging schemes? Are they actually better than the likes of ML-DSA/FN-DSA for practical use?

Are These New Schemes Better for Blockchains?

It depends on what “better” means. Each blockchain has its own priorities (throughput, security margin, ease of implementation, etc.). Let’s evaluate in a blockchain context:

  • Security and Trust: All of these schemes (old and new) are believed to be secure against quantum attacks as far as we know. The standardized ones have gone through years of evaluation in the NIST process – so there’s a higher confidence in their security and robustness. The emerging schemes, while promising, haven’t yet been through that wringer. For a blockchain developer, trust is key – billions of dollars can be at stake. So the newer schemes will need more time and analysis to reach the same trust level. In this sense, ML-DSA, FN-DSA, and SLH-DSA still hold the edge simply due to maturity.
  • Performance: Blockchains benefit from fast verification and small data sizes. Here, FN-DSA already offers a compact, fast-verifying solution. SQIsign and HAWK theoretically offer even smaller signatures, which is appealing. HAWK could also offer very fast ops. If raw throughput (TPS) and minimal bandwidth are top priority, and if HAWK or SQIsign can be made secure and efficient, they might be better suited in the long run. But today, ML-DSA and FN-DSA have the performance edge in real implementations. For example, a blockchain could start using FN-DSA now and get reasonably small signatures and fast verifications. SQIsign, as of now, would be too slow to be better, despite its tiny size, unless major improvements are made.
  • Ease of Implementation: This is an often overlooked but crucial factor for real-world adoption. ML-DSA’s and SLH-DSA’s algorithms are conceptually straightforward (polynomials mod q, and hash trees respectively) and have reference implementations available. FN-DSA is more complex but still within reach for experienced crypto engineers. The new schemes can be more complex or unusual. SQIsign’s math is specialized; implementing it without mistakes (and securing against side-channels) is non-trivial. FAEST involves protocols that must be carefully coded and optimized. HAWK, if multivariate, means handling huge keys or matrices efficiently. If a scheme is hard to implement or requires a lot of expertise, that’s a knock against it for many blockchain projects (which often use existing cryptographic libraries). At least for now, the standardized ones likely have an “easier” path to integration.
  • On-Chain Overheads: In terms of block and transaction size, SQIsign and HAWK (small signatures) sound better, whereas SLH-DSA sounds worse. FN-DSA and ML-DSA are in between – bigger than legacy signatures but maybe manageable. A blockchain that really needs to minimize data (say, IoT blockchain or one with tiny blocks) might eye SQIsign/HAWK type solutions in the future if they mature. But remember, using HAWK might also require posting a large public key at least once (e.g., when an address is first used, the network needs the public key to verify signatures). This could negate some per-signature gains. A scheme like SQIsign could have both tiny pubkeys and sigs, which is ideal, but again not until it’s fast enough.
  • Cryptographic Diversity: Some blockchain designers might consider using multiple signature schemes (for example, giving users a choice or using a hybrid approach) to guard against a sudden break in one. In such scenarios, having alternatives like FAEST or SQIsign around is valuable. They could be “better” in the sense of offering a safety net. For instance, if one day a major flaw is found in lattice-based cryptography, having a production-ready FAEST or HAWK implementation could save the day. So “better” might mean better as part of a diverse ecosystem, rather than outright replacing the others.
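
To put numbers on the one-time public-key cost raised under On-Chain Overheads, the following added example (not part of the original article) compares total on-chain bytes per address and finds how many signatures an address must produce before a large-key, small-signature scheme overtakes a small-key one. The block size, per-transaction payload and the `LARGE_KEY` scheme are assumptions; signature sizes follow the article's rough figures.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scheme:
    name: str
    pubkey_bytes: int  # posted on-chain once, when the address is first used
    sig_bytes: int     # posted with every transaction


# Constructed sample figures. Signature sizes follow the article's rough
# numbers; public-key sizes for ECDSA (compressed secp256k1), ML-DSA-44 and
# Falcon-512 are their published parameter-set sizes. LARGE_KEY is the
# article's hypothetical 100 KB key with a few-hundred-byte signature.
ECDSA = Scheme("ECDSA", 33, 64)
FN_DSA = Scheme("FN-DSA", 897, 700)
ML_DSA = Scheme("ML-DSA", 1312, 2500)
LARGE_KEY = Scheme("large-key scheme (hypothetical)", 100_000, 300)


def on_chain_bytes(s: Scheme, n_sigs: int) -> int:
    """Total authentication bytes one address puts on-chain over n_sigs spends."""
    return s.pubkey_bytes + n_sigs * s.sig_bytes


def break_even_sigs(a: Scheme, b: Scheme) -> Optional[int]:
    """Smallest n >= 1 at which a costs no more than b, or None if never."""
    if on_chain_bytes(a, 1) <= on_chain_bytes(b, 1):
        return 1
    saved_per_sig = b.sig_bytes - a.sig_bytes
    if saved_per_sig <= 0:
        return None  # a starts behind and never catches up
    extra_key = a.pubkey_bytes - b.pubkey_bytes
    return -(-extra_key // saved_per_sig)  # integer ceiling division


def txs_per_block(s: Scheme, sigs_per_address: int,
                  block_bytes: int = 1_000_000, payload_bytes: int = 150) -> int:
    """Transactions per block when each address key is reused sigs_per_address times.

    block_bytes and payload_bytes (non-signature data per transaction) are assumed.
    """
    per_address = on_chain_bytes(s, sigs_per_address) + sigs_per_address * payload_bytes
    return block_bytes * sigs_per_address // per_address


if __name__ == "__main__":
    for s in (ECDSA, FN_DSA, ML_DSA, LARGE_KEY):
        print(f"{s.name:32} single-use: {txs_per_block(s, 1):5d} tx/block, "
              f"reused 500x: {txs_per_block(s, 500):5d} tx/block")
    print("LARGE_KEY beats FN-DSA after", break_even_sigs(LARGE_KEY, FN_DSA), "signatures")
```

With single-use addresses the large key dominates the cost; the small signatures only pay off for addresses that sign hundreds of times.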

In summary, none of the emerging schemes is a slam-dunk “better in all aspects” replacement for ML-DSA, FN-DSA, or SLH-DSA at this moment. Each involves trade-offs. SQIsign offers fantastic size reduction but at a cost in speed and current trust. FAEST provides a different security basis, but isn’t as compact or battle-tested as lattice solutions. HAWK could combine speed and compactness, but we need to see its security and whether its large public keys can be handled in practice.

On the Cusp of Change

Are emerging PQ signature schemes better for blockchains? They have the potential to be, in specific ways: smaller signatures here, faster verification there, or offering a Plan B if our current assumptions falter. However, “potential” is the key word. Currently, the standardised trio (ML-DSA, FN-DSA, SLH-DSA) remain the baseline against which others are measured, and they are solid options for starting the post-quantum transition in blockchains.

The new schemes like SQIsign, FAEST, and HAWK show that innovation is alive and well in cryptography. Some of them might become part of the next generation of blockchain security. Blockchain developers should stay curious and informed about these developments because the “crypto” in cryptocurrency could literally be built on these algorithms. Over the coming years, as these schemes are refined and (hopefully) standardised, we’ll get a clearer picture of whether a blockchain upgrade to SQIsign or HAWK makes sense.

In the end, the goal is that blockchains continue to be secure and efficient even in the quantum age. Getting there will likely involve a mix of adopting proven solutions and keeping an open mind (and eye) toward new breakthroughs. It’s an exciting time at the intersection of blockchain and post-quantum cryptography: the tools we choose will safeguard the decentralization and trust of blockchain networks for decades to come. So, keep your private keys close and your quantum-resistant algorithms closer! The future of blockchain security depends on them.