up:: FIPS 206 (FN-DSA)

FN-DSA-1024

FN-DSA-1024 is the larger of the two parameter sets of FN-DSA, the forthcoming FALCON-derived post-quantum signature standard, and it targets NIST security category 5, the highest tier. Its defining trait is the same as its smaller sibling’s: compactness. A 1,793-byte public key and a 1,280-byte signature make it the most compact category-5 standardization-track post-quantum signature, well under a third of the category-5 ML-DSA-87 signature and a small fraction of the category-5 SLH-DSA one. The catch is that FIPS 206 is not finalized, so FN-DSA-1024 is a design-for-later target rather than a deploy-today standard, and its sizes below come from the FALCON specification pending the finalized FIPS 206 text.

Source: NIST Post-Quantum Cryptography project, Falcon standardization underway, csrc.nist.gov/projects/post-quantum-cryptography; FALCON specification, falcon-sign.info.

The short version:

  • FN-DSA-1024 does digital signatures, proving authenticity and integrity. It is not for key establishment. (Key exchange is ML-KEM.)
  • It targets NIST security category 5, the higher of FN-DSA’s two parameter sets, with FN-DSA-512 at category 1.
  • Its public key is 1,793 bytes and its signature is 1,280 bytes, the most compact category-5 standardization-track post-quantum signature. [OPERATOR VERIFY: figures are from the FALCON spec; re-verify against FIPS 206 when published.]
  • FIPS 206 is still in development, so FN-DSA-1024 is a planning and prototyping target, not an approved standard for compliance.
  • Its security rests on NTRU lattice math with a hash-and-sign design, and its Gaussian sampler makes it the hardest of the standardized signatures to implement safely.

What is FN-DSA-1024?

FN-DSA-1024 is the category-5 parameter set of FN-DSA, the standardization-track name for the scheme known during the NIST competition as FALCON-1024. A signature scheme works in three moves: the signer generates a public verification key and a private signing key, signs a message or its digest with the private key, and anyone holding the public key checks that the signature is valid for that exact message. FN-DSA-1024 runs that protocol with the parameters tuned for the highest security tier while keeping the small artifacts that define the family.

Unlike ML-DSA, which uses module lattices with a Fiat-Shamir-with-aborts design, FN-DSA is built on NTRU lattices with the older hash-and-sign approach: the message is hashed to a point, and the signer uses a lattice trapdoor to find a short vector near it. A fast-Fourier trapdoor sampler draws each signature from a discrete Gaussian distribution so the released signatures leak essentially nothing about the private key. That sampler is the source of both FN-DSA’s compactness and its implementation difficulty, and at category 5 the compactness advantage over ML-DSA-87 is at its most pronounced.

Source: NIST IR 8413, Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process, csrc.nist.gov/pubs/ir/8413/upd1/final.

What are FN-DSA-1024’s sizes and security category?

These figures come from the FALCON specification, the basis for FN-DSA, pending the finalized FIPS 206 text, which may refine encoding details or conventions.

PropertyValue
NIST security categoryCategory 5
Public key1,793 bytes
Signature1,280 bytes

For scale, the 1,280-byte signature is a little over a quarter of the category-5 ML-DSA-87 signature (4,627 bytes) and a tiny fraction of the category-5 SLH-DSA-256s signature (29,792 bytes), and the 1,793-byte public key is smaller than ML-DSA-87’s 2,592-byte key. That compactness at the highest security tier is what FN-DSA-1024 offers, and it is the whole reason the scheme stays in the portfolio.

Source: FALCON specification, key and signature size figures, falcon-sign.info. [OPERATOR VERIFY: re-verify against FIPS 206 once published; these are pre-standard FALCON figures.]

Is FN-DSA-1024 finalized, and when would you use it?

FN-DSA-1024 is not finalized, because FIPS 206 is still in development. In August 2024 NIST published its first three post-quantum standards, FIPS 203, 204, and 205; FALCON was selected for standardization as FIPS 206 at the same time, but that process is still underway, with no publication date announced. Until FIPS 206 publishes, FN-DSA-1024 cannot satisfy FIPS 140-3 approved-algorithm requirements, so validated category-5 post-quantum signing relies on ML-DSA-87 or the appropriate SLH-DSA set.

The role FN-DSA-1024 is designed for is the one where category-5 assurance is required and signature size is still a first-order constraint: high-assurance certificate chains, long-lived signed artifacts on thin transport, and size-sensitive category-5 signing where its 1,280-byte signature creates real operational value against ML-DSA-87’s 4,627 bytes. A team that wants it is designing toward it today rather than deploying it for compliance, and the reason for caution beyond the draft status is the implementation profile, because FN-DSA’s Gaussian sampler and required floating-point arithmetic make it the hardest of the standardized signatures to build in constant time. Keeping the option open across a signing architecture is the point of crypto-agility.

Source: NIST Post-Quantum Cryptography project, csrc.nist.gov/projects/post-quantum-cryptography. [OPERATOR VERIFY: confirm current FIPS 206 status before publishing a date; none announced as of 2026-07-12.]

Common misconceptions

  1. “FN-DSA-1024 is a finalized standard I can deploy for compliance.” It is selected and in development. The finalized standardized signatures are ML-DSA (FIPS 204) and SLH-DSA (FIPS 205); FN-DSA work today is planning and prototyping.
  2. “Small signatures mean easy deployment.” The opposite tends to hold. FN-DSA-1024’s compactness comes from a floating-point Gaussian sampler that is among the hardest cryptographic components to implement in constant time.
  3. “FALCON-1024 and FN-DSA-1024 are different algorithms.” FALCON-1024 is the competition-era name; FN-DSA-1024 is the standardization-track designation for the same category-5 scheme that FIPS 206 will specify.
  4. “The 1024 means a 1024-bit key.” It reflects the internal lattice dimension and maps to security category 5, not to a key length. The public key is 1,793 bytes and the signature is 1,280 bytes.

Questions people ask

Is FN-DSA-1024 finalized? No. FALCON was selected for standardization as FIPS 206, and that process is still underway as of mid-2026, while FIPS 203, 204, and 205 published in August 2024. [OPERATOR VERIFY: confirm current FIPS 206 status at csrc.nist.gov before citing a date.]

How much smaller is FN-DSA-1024 than ML-DSA-87? Substantially. Its 1,280-byte signature is a little over a quarter of ML-DSA-87’s 4,627 bytes, and its 1,793-byte public key is smaller than ML-DSA-87’s 2,592 bytes.

Why is FN-DSA-1024 hard to implement? Its signing uses floating-point arithmetic that the FALCON specification calls unavoidable, plus a Gaussian sampler whose secure, constant-time implementation is difficult. If the sampler’s timing or power draw depends on secret values, it can leak the private key over many signatures.

Does FN-DSA-1024 do key exchange? No. It is a signature algorithm. Key establishment is the job of ML-KEM.

Should I use FN-DSA-1024 or ML-DSA-87? For category-5 signing today, ML-DSA-87 is the better choice: finalized, more forgiving to implement, and validation-ready. Reach for FN-DSA-1024 only where its smaller signature is a genuine architectural constraint at the category-5 tier, and only once FIPS 206 is final.


Everything here is the map, given freely. When your team needs to decide whether FN-DSA-1024’s compact category-5 signatures are worth its implementation profile and draft status in your own architecture, that’s what an alignment briefing is for.

Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.