The Future of PKI: ML-DSA vs. RSA-2048 in a Post-Quantum World

Written and researched by Steve Monti, SafeCipher.com

In this post, I compare RSA-2048 with ML-DSA-65 and evaluate the implications of using ML-DSA-87-based PKI chains.

Introduction

The emergence of quantum computing poses a significant threat to classical cryptographic algorithms like RSA-2048, which form the backbone of Public Key Infrastructure (PKI). To future-proof digital security, organizations must adopt quantum-resistant cryptographic algorithms, such as ML-DSA (Dilithium).

In this post, we compare RSA-2048 with ML-DSA-65, evaluate the implications of using ML-DSA-87-based PKI chains, and discuss how enterprises can prepare for a quantum-secure PKI.

RSA-2048 vs. ML-DSA-65: Security, Key Sizes, and Performance

Comparison Table: RSA-2048 vs. ML-DSA-65 (Dilithium5)

| Feature | RSA-2048 | ML-DSA-65 (Dilithium5) |
|---|---|---|
| Algorithm Type | Classical (Integer Factorization) | Post-Quantum (Lattice-Based) |
| Key Size (Public Key) | 256 bytes (2,048 bits) | 1,952 bytes (~1.9 KB) |
| Key Size (Private Key) | Varies (~2,048 bits) | 4,032 bytes (~4 KB) |
| Signature Size | 256 bytes (2,048 bits) | 3,309 bytes (~3.3 KB) |
| Security Level | ~112-bit security (Comparable to AES-112) | Quantum-Secure (AES-256 Equivalent) |
| Quantum Resistance | Broken by Quantum Computers (Shor’s Algorithm) | Quantum-Resistant (Lattice-Based Security) |
| Performance | ✅ Faster for verification | 🔹 Efficient signing & verification, but larger keys and signatures |
| PKI Compatibility | ✅ Widely supported in all PKI systems | ⚠️ Limited adoption in current CA software |

Key Takeaways

  • RSA-2048 is highly vulnerable to quantum attacks.
    • Shor’s algorithm will render RSA-2048 obsolete once large-scale quantum computers become viable.
  • ML-DSA-65 offers long-term quantum resistance but introduces larger public keys and signatures compared to RSA-2048, which impacts bandwidth, storage, and performance.

PKI Chains with ML-DSA-87: Balancing Security and Efficiency

For post-quantum PKI, ML-DSA-87 (Dilithium3) and ML-DSA-65 (Dilithium5) can be combined to build a secure certificate chain.

Why Use ML-DSA-87 for Root CAs?

  • Higher Security Assurance: ML-DSA-87 offers AES-192 equivalent security (NIST Level 3), making it suitable for long-lived root CAs.
  • Larger Signature Sizes: ML-DSA-87 generates 4,627-byte signatures, larger than ML-DSA-65’s 3,309 bytes. While this increases the size of the root certificate, it provides added security for the top level of the chain.

Why Use ML-DSA-65 for Subordinate CAs and End-Entity Certs?

  • Quantum-Secure: ML-DSA-65 provides AES-256 equivalent security (NIST Level 5) for subordinate CAs and end-entity certificates.
  • Smaller Signature Sizes than ML-DSA-87: Using ML-DSA-65 at lower levels in the PKI chain reduces the overall size of the chain.

Certificate Chain Comparison

| Component | RSA-2048-Based PKI | ML-DSA-Based PKI |
|---|---|---|
| Root CA | RSA-2048 | ML-DSA-87 (4,627-byte signatures) |
| Intermediate CA | RSA-2048 | ML-DSA-65 (3,309-byte signatures) |
| End-Entity Certs | RSA-2048 | ML-DSA-65 (3,309-byte signatures) |
| Signature Size Impact | Small (~256 bytes each) | Larger (~3.3 KB – 4.6 KB per certificate) |
| Quantum Resistance | ❌ No | ✅ Yes |

Challenges of Adopting Post-Quantum PKI

1. Larger Key and Signature Sizes

  • RSA-2048’s compact 256-byte signatures are efficient for bandwidth and storage.
  • ML-DSA signatures are significantly larger, ranging from 3.3 KB to 4.6 KB. This affects:
    • TLS handshake times for HTTPS connections.
    • Storage of certificate chains on devices with constrained resources.
    • Transmission overhead for OCSP responses and CRLs.
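
To make the size impact concrete, the following added example (not part of the original post) totals the raw key and signature bytes for both chains in the comparison table. It assumes a TLS 1.3 server that omits the root from the handshake, ignores X.509 names, extensions and DER framing, and takes the 2,592-byte ML-DSA-87 public key from FIPS 204 since the post does not list it; the class and function names are illustrative.

```python
from dataclasses import dataclass

# (public_key_bytes, signature_bytes) per algorithm.
SIZES = {
    "RSA-2048": (256, 256),     # from the post's comparison table
    "ML-DSA-65": (1952, 3309),  # from the post's comparison table
    "ML-DSA-87": (2592, 4627),  # signature from the post; public key from FIPS 204 (assumption)
}

@dataclass(frozen=True)
class Cert:
    name: str
    key_alg: str     # algorithm of the subject's public key
    issuer_alg: str  # algorithm the issuer used to sign this certificate

    def crypto_bytes(self) -> int:
        # A certificate carries its own public key plus the ISSUER's signature.
        return SIZES[self.key_alg][0] + SIZES[self.issuer_alg][1]

def build_chain(root_alg, lower_alg):
    """Root -> intermediate -> end-entity, as in the chain comparison table."""
    return [
        Cert("root", root_alg, root_alg),           # self-signed
        Cert("intermediate", lower_alg, root_alg),  # signed by the root
        Cert("end-entity", lower_alg, lower_alg),   # signed by the intermediate
    ]

def stored_bytes(chain):
    """Key and signature bytes held by a device that stores the full chain."""
    return sum(c.crypto_bytes() for c in chain)

def handshake_bytes(chain):
    """Bytes a TLS 1.3 server sends: every certificate except the root, plus
    the CertificateVerify signature made with the end-entity key."""
    sent = sum(c.crypto_bytes() for c in chain if c.name != "root")
    return sent + SIZES[chain[-1].key_alg][1]

RSA_CHAIN = build_chain("RSA-2048", "RSA-2048")
PQ_CHAIN = build_chain("ML-DSA-87", "ML-DSA-65")

if __name__ == "__main__":
    for label, chain in (("RSA-2048", RSA_CHAIN), ("ML-DSA", PQ_CHAIN)):
        for c in chain:
            print(f"{label:9} {c.name:13} {c.crypto_bytes():6} bytes")
        print(f"{label:9} stored={stored_bytes(chain)} handshake={handshake_bytes(chain)}")
```

The intermediate certificate carries the root's 4,627-byte ML-DSA-87 signature, so the root's algorithm choice still costs handshake bandwidth even when the root certificate itself is never sent.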

2. Software and Hardware Upgrades

  • PKI software (e.g., Microsoft ADCS, EJBCA, Venafi) must integrate post-quantum cryptographic libraries.
  • Hardware Security Modules (HSMs) need updated firmware to store and manage post-quantum keys.

3. Hybrid Deployment Models

  • During the transition, organizations may issue dual-signed certificates (RSA + ML-DSA) to ensure compatibility with legacy systems while adopting quantum resistance.

Next Steps for Enterprises

  • Audit your PKI to identify quantum-vulnerable cryptography.
  • Plan hybrid deployments with dual certificates for backward compatibility.
  • Test PQC algorithms (like ML-DSA) in controlled environments before large-scale deployment.
  • Monitor adoption of PQC standards across software vendors and browsers.

Final Thought

The shift to quantum-safe PKI is a necessary evolution. ML-DSA algorithms (Dilithium) offer a robust solution but require balancing security assurance with the overhead of larger keys and signatures. As organizations transition, they must adapt their infrastructure to handle the challenges posed by quantum-resistant cryptography.

Are you preparing your PKI for the quantum era? Discuss your strategy with SafeCipher