The Future of PKI: ML-DSA vs. RSA-2048 in a Post-Quantum World
Written and researched by Steve Monti, SafeCipher.com
In this post, I compare RSA-2048 with ML-DSA-65 and evaluate the implications of using ML-DSA-87-based PKI chains.
Introduction
The emergence of quantum computing poses a significant threat to classical cryptographic algorithms like RSA-2048, which form the backbone of Public Key Infrastructure (PKI). To future-proof digital security, organizations must adopt quantum-resistant cryptographic algorithms, such as ML-DSA (Dilithium).
In this post, we compare RSA-2048 with ML-DSA-65, evaluate the implications of using ML-DSA-87-based PKI chains, and discuss how enterprises can prepare for a quantum-secure PKI.
RSA-2048 vs. ML-DSA-65: Security, Key Sizes, and Performance
Comparison Table: RSA-2048 vs. ML-DSA-65 (Dilithium5)
| Feature | RSA-2048 | ML-DSA-65 (Dilithium5) |
| --- | --- | --- |
| Algorithm Type | Classical (Integer Factorization) | Post-Quantum (Lattice-Based) |
| Key Size (Public Key) | 256 bytes (2,048 bits) | 1,952 bytes (~1.9 KB) |
| Key Size (Private Key) | Varies (~2,048 bits) | 4,032 bytes (~4 KB) |
| Signature Size | 256 bytes (2,048 bits) | 3,309 bytes (~3.3 KB) |
| Security Level | ~112-bit security (Comparable to AES-112) | Quantum-Secure (AES-256 Equivalent) |
| Quantum Resistance | ❌ Broken by Quantum Computers (Shor’s Algorithm) | ✅ Quantum-Resistant (Lattice-Based Security) |
| Performance | ✅ Faster for verification | 🔹 Efficient signing & verification, but larger keys and signatures |
| PKI Compatibility | ✅ Widely supported in all PKI systems | ⚠️ Limited adoption in current CA software |
Key Takeaways
- RSA-2048 is highly vulnerable to quantum attacks.
- Shor’s algorithm will render RSA-2048 obsolete once large-scale quantum computers become viable.
- ML-DSA-65 offers long-term quantum resistance but introduces larger public keys and signatures compared to RSA-2048, which impacts bandwidth, storage, and performance.
PKI Chains with ML-DSA-87: Balancing Security and Efficiency
For post-quantum PKI, a combination of ML-DSA-87 (Dilithium3) and ML-DSA-65 (Dilithium5) can build a secure certificate chain.
Why Use ML-DSA-87 for Root CAs?
- Higher Security Assurance: ML-DSA-87 offers AES-192 equivalent security (NIST Level 3), making it suitable for long-lived root CAs.
- Larger Signature Sizes: ML-DSA-87 generates 4,627-byte signatures, larger than ML-DSA-65’s 3,309 bytes. While this increases the size of the root certificate, it provides added security for the top level of the chain.
Why Use ML-DSA-65 for Subordinate CAs and End-Entity Certs?
- Quantum-Secure: ML-DSA-65 provides AES-256 equivalent security (NIST Level 5) for subordinate CAs and end-entity certificates.
- Smaller Signature Sizes than ML-DSA-87: Using ML-DSA-65 at lower levels in the PKI chain reduces the overall size of the chain.
Certificate Chain Comparison
| Component | RSA-2048-Based PKI | ML-DSA-Based PKI |
| --- | --- | --- |
| Root CA | RSA-2048 | ML-DSA-87 (4,627-byte signatures) |
| Intermediate CA | RSA-2048 | ML-DSA-65 (3,309-byte signatures) |
| End-Entity Certs | RSA-2048 | ML-DSA-65 (3,309-byte signatures) |
| Signature Size Impact | Small (~256 bytes each) | Larger (~3.3 KB – 4.6 KB per certificate) |
| Quantum Resistance | ❌ No | ✅ Yes |
Challenges of Adopting Post-Quantum PKI
1. Larger Key and Signature Sizes
- RSA-2048’s compact 256-byte signatures are efficient for bandwidth and storage.
- ML-DSA signatures are significantly larger, ranging from 3.3 KB to 4.6 KB. This affects:
  - TLS handshake times for HTTPS connections.
  - Storage of certificate chains on devices with constrained resources.
  - Transmission overhead for OCSP responses and CRLs.
2. Software and Hardware Upgrades
- PKI software (e.g., Microsoft ADCS, EJBCA, Venafi) must integrate post-quantum cryptographic libraries.
- Hardware Security Modules (HSMs) need updated firmware to store and manage post-quantum keys.
3. Hybrid Deployment Models
- During the transition, organizations may issue dual-signed certificates (RSA + ML-DSA) to ensure compatibility with legacy systems while adopting quantum resistance.
Next Steps for Enterprises
- Audit your PKI to identify quantum-vulnerable cryptography.
- Plan hybrid deployments with dual certificates for backward compatibility.
- Test PQC algorithms (like ML-DSA) in controlled environments before large-scale deployment.
- Monitor adoption of PQC standards across software vendors and browsers.
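The audit step above can start from a script like the following, an added example that is not from the original post: it reads the outer signatureAlgorithm OID of a DER-encoded certificate using only the Python standard library and classifies it. The function names, the subset of OIDs in the table, and the two skeleton certificates are constructed for illustration.

```python
# Added example (not from the original post): classify a certificate's signature algorithm.
SIG_ALGS = {  # signatureAlgorithm OID -> (name, is_post_quantum); subset for this example
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "2.16.840.1.101.3.4.3.18": ("ML-DSA-65", True),
    "2.16.840.1.101.3.4.3.19": ("ML-DSA-87", True),
}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode base-128 OID content bytes into dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def audit_cert(cert_der):
    """Return (algorithm, verdict) from the certificate's outer signatureAlgorithm."""
    _, cert, _ = read_tlv(cert_der)           # Certificate SEQUENCE
    _, _, after_tbs = read_tlv(cert)          # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, after_tbs)  # AlgorithmIdentifier SEQUENCE
    tag, oid_body, _ = read_tlv(alg_id)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    name, pq = SIG_ALGS.get(decode_oid(oid_body), (decode_oid(oid_body), None))
    return name, {True: "post-quantum", False: "quantum-vulnerable", None: "unknown"}[pq]

def tlv(tag, body):  # DER encoder, used only to build the constructed samples
    nbytes = (len(body).bit_length() + 7) // 8
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | nbytes]) + len(body).to_bytes(nbytes, "big")
    return bytes([tag]) + head + body

def sample_cert(oid_hex, sig_len):  # skeleton: empty tbsCertificate, zeroed signature
    return tlv(0x30, tlv(0x30, b"") + tlv(0x30, bytes.fromhex(oid_hex)) + tlv(0x03, bytes(sig_len + 1)))

RSA_SAMPLE = sample_cert("06092a864886f70d01010b0500", 256)   # constructed, not a valid cert
MLDSA87_SAMPLE = sample_cert("0609608648016503040313", 4627)  # constructed, not a valid cert
```

This inspects only the outer signatureAlgorithm, which is the issuer's algorithm; a full audit would also check the subject's key algorithm inside tbsCertificate and treat any "unknown" verdict as needing manual review.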
Final Thought
The shift to quantum-safe PKI is a necessary evolution. ML-DSA algorithms (Dilithium) offer a robust solution but require balancing security assurance with the overhead of larger keys and signatures. As organizations transition, they must adapt their infrastructure to handle the challenges posed by quantum-resistant cryptography.
Are you preparing your PKI for the quantum era? Discuss your strategy with SafeCipher.