The Future of PKI: ML-DSA vs RSA-2048 in a Post-Quantum World
Written and researched by Steve Monti — SafeCipher.com
Quantum computing puts pressure on classical cryptography such as RSA-2048. This guide compares RSA-2048 with ML-DSA (the NIST-standardised Dilithium family), explains key and signature sizes and security levels, and shows how to design a practical post-quantum PKI, with hybrid migration where needed.
Introduction
RSA-2048 underpins many PKI deployments today, yet it is vulnerable to future quantum attacks (e.g., Shor’s algorithm). To future-proof, organisations should plan for ML-DSA (lattice-based) signatures across PKI roots, intermediates, and end-entity certificates, while managing the operational impact of larger keys and signatures.
RSA-2048 vs ML-DSA at a Glance
| Feature | RSA-2048 | ML-DSA-87 (≈ Dilithium-3) | ML-DSA-65 (≈ Dilithium-5) |
|---|---|---|---|
| Algorithm type | Classical (integer factorisation) | Post-quantum (lattice-based) | Post-quantum (lattice-based) |
| Security level (approx.) | ~112-bit (≈ AES-112) | NIST Level 3 (≈ AES-192) | NIST Level 5 (≈ AES-256) |
| Public key size | ~256 B (2048-bit modulus) | ~1,952 B | ~2,592 B |
| Signature size | ~256 B | ~3,293 B | ~4,595 B |
| Verification performance | Fast, mature | Efficient on modern CPUs | Efficient; larger artifacts |
| Quantum resistance | ❌ No | ✅ Yes | ✅ Yes |
| PKI compatibility today | ✅ Ubiquitous | Growing support | Growing support |
Sizes are typical values for ML-DSA parameter sets; exact byte counts depend on implementation and profile. RSA sizes are shown for intuition and depend on the modulus length.
Designing a Post-Quantum PKI Chain
Goal: maximise security at the top of the chain and balance performance/footprint for high-traffic endpoints — without sacrificing verifiability or policy clarity.
Recommended chain (pure PQ)
- Root CA: ML-DSA-65 (Level 5, highest assurance, infrequent use)
- Intermediate CA(s): ML-DSA-87 (Level 3, smaller sigs than -65, good balance)
- End-entity (servers/services): ML-DSA-87 (or -44 for constrained/short-lived if policy allows)
Hybrid transition (compatibility)
- Option A — Dual certs: Issue classical (RSA/ECDSA) and ML-DSA in parallel; advertise via AIA/ALTNAMES where supported.
- Option B — Protocol-level hybrid: For signatures/KEMs where supported (e.g., ECDSA+ML-DSA; X25519+Kyber for key exchange).
- Server-first rollout: upgrade verifiers first; maintain rollback and clear deprecation timelines.
Operational Trade-offs You Must Plan For
Size & latency
- TLS handshake sizes increase with PQ signatures and chains.
- OCSP/CRL responses and stapling payloads grow accordingly.
- Mitigate with shorter chains, stapling, and caching.
Software & hardware readiness
- Ensure CA software supports ML-DSA profiles and policies.
- Validate HSM/Cloud HSM firmware for ML-DSA keys and audit trails.
- Update enrollment/automation (ACME/EST/SCEP variants) and clients.
Profiles & policy
- Define EKUs/KUs, path-length, name constraints, lifetimes per tier.
- Adopt crypto-agility: shorter lifetimes, fast rotation, issuer pinning.
- Document revocation strategy (OCSP stapling, CRL mirrors/gateways).
Monitoring & SLOs
- Track handshake suites, chain sizes, error rates, and stapling health.
- Alert on policy drift; test PQ paths in CI/CD and canary stages.
Certificate Chain Comparison (Indicative)
| Component | RSA-2048 PKI | Post-Quantum PKI (Recommended) |
|---|---|---|
| Root CA | RSA-2048 | ML-DSA-65 (highest assurance) |
| Intermediate CA | RSA-2048 | ML-DSA-87 (balanced size/security) |
| End-entity certs | RSA-2048 | ML-DSA-87 (servers/services) — ML-DSA-44 where constrained & policy-approved |
| Signature size impact | ~256 B each | ~3.3–4.6 KB per certificate signature |
| Quantum resistance | ❌ No | ✅ Yes |
You can shorten overall handshake size by keeping chains shallow and using OCSP stapling with sensible TTLs.
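To put numbers on the chain-depth and stapling trade-off, the following added Python example (not from the original article) sums the public-key and signature bytes a server sends to authenticate itself, using the approximate sizes from the comparison table keyed by security level. It assumes the root is a local trust anchor and is not transmitted, the leaf's issuer signs the stapled OCSP response directly, and a TCP initial window of 10 segments of 1,460 bytes; `Alg`, `handshake_auth_bytes` and `fits_initial_window` are hypothetical names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Alg:
    label: str
    pk: int    # public key bytes
    sig: int   # signature bytes

# Approximate sizes copied from the comparison table above, keyed by its
# security-level row rather than by parameter-set name.
RSA2048 = Alg("RSA-2048", 256, 256)
PQ_L3 = Alg("ML-DSA, NIST Level 3", 1952, 3293)
PQ_L5 = Alg("ML-DSA, NIST Level 5", 2592, 4595)

# Assumption: a TCP initial congestion window of 10 segments x 1460 bytes.
INITCWND_BYTES = 10 * 1460

def handshake_auth_bytes(chain, staple_ocsp=True):
    """Key and signature bytes the server sends to authenticate itself.

    chain is ordered root -> ... -> leaf. The root is a local trust anchor
    and is not sent. DER overhead (names, extensions) is ignored.
    """
    if len(chain) < 2:
        raise ValueError("chain needs at least a root and a leaf")
    total = 0
    # Every transmitted certificate carries the subject's public key and a
    # signature made with the issuer's key.
    for issuer, subject in zip(chain, chain[1:]):
        total += subject.pk + issuer.sig
    total += chain[-1].sig          # CertificateVerify, signed by the leaf key
    if staple_ocsp:
        # Assumption: the leaf's issuer signs the OCSP response directly.
        total += chain[-2].sig
    return total

def fits_initial_window(n_bytes, window=INITCWND_BYTES):
    """True when the payload fits in one initial TCP flight."""
    return n_bytes <= window

if __name__ == "__main__":
    cases = {
        "RSA-2048, root/intermediate/leaf": [RSA2048] * 3,
        "PQ recommended (L5/L3/L3)": [PQ_L5, PQ_L3, PQ_L3],
        "PQ shallow (L5 root signs L3 leaf)": [PQ_L5, PQ_L3],
    }
    for name, chain in cases.items():
        n = handshake_auth_bytes(chain)
        print(f"{name}: {n} B, fits initcwnd: {fits_initial_window(n)}")
```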
Next Steps for Enterprise PKI Teams
- Run a cryptographic audit (CBOM): discover algorithms, keys, cert profiles, and trust anchors across code, cloud, on-prem, and devices.
- Design PQ profiles & policy: root/intermediate/leaf parameter sets, EKUs/KUs, lifetimes, revocation, and name constraints.
- Pilot hybrid rollouts: server-first, dual-stack where needed, with clear rollback and metrics.
- Upgrade HSM/Cloud HSM paths: key ceremonies, backups, and compliance evidence for ML-DSA.
- Continuously monitor: handshake/chain metrics, revocation propagation, and policy conformance.
