up:: FIPS 206 (FN-DSA)

FN-DSA-512

FN-DSA-512 is the smaller of the two parameter sets of FN-DSA, the forthcoming FALCON-derived post-quantum signature standard, and it targets NIST security category 1. Its defining trait is compactness: an 897-byte public key and a 666-byte signature make it the smallest standardization-track post-quantum signature, a fraction of the smallest ML-DSA signature and roughly a twelfth of the smallest SLH-DSA one. The catch is that FIPS 206 is not finalized, so FN-DSA-512 is a design-for-later target rather than a deploy-today standard, and its sizes below come from the FALCON specification pending the finalized FIPS 206 text.

Source: NIST Post-Quantum Cryptography project, Falcon standardization underway, csrc.nist.gov/projects/post-quantum-cryptography; FALCON specification, falcon-sign.info.

The short version:

  • FN-DSA-512 does digital signatures, proving authenticity and integrity. It is not for key establishment. (Key exchange is ML-KEM.)
  • It targets NIST security category 1, the smaller of FN-DSA’s two parameter sets, with FN-DSA-1024 at category 5.
  • Its public key is 897 bytes and its signature is 666 bytes, the most compact of any standardization-track post-quantum signature. [OPERATOR VERIFY: figures are from the FALCON spec; re-verify against FIPS 206 when published.]
  • FIPS 206 is still in development, so FN-DSA-512 is a planning and prototyping target, not an approved standard for compliance.
  • Its security rests on NTRU lattice math with a hash-and-sign design, and its Gaussian sampler makes it the hardest of the standardized signatures to implement safely.

What is FN-DSA-512?

FN-DSA-512 is the category-1 parameter set of FN-DSA, the standardization-track name for the scheme known during the NIST competition as FALCON-512. A signature scheme works in three moves: the signer generates a public verification key and a private signing key, signs a message or its digest with the private key, and anyone holding the public key checks that the signature is valid for that exact message. FN-DSA-512 runs that protocol with the parameters tuned for the lower security tier and the most compact artifacts.

Unlike ML-DSA, which uses module lattices with a Fiat-Shamir-with-aborts design, FN-DSA is built on NTRU lattices with the older hash-and-sign approach: the message is hashed to a point, and the signer uses a lattice trapdoor to find a short vector near it. A fast-Fourier trapdoor sampler draws each signature from a discrete Gaussian distribution so the released signatures leak essentially nothing about the private key. That sampler is the source of both FN-DSA’s compactness and its implementation difficulty, and it is what sets FN-DSA-512 apart from the ML-DSA sets at a comparable security tier.

Source: NIST IR 8413, Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process, csrc.nist.gov/pubs/ir/8413/upd1/final.

What are FN-DSA-512’s sizes and security category?

These figures come from the FALCON specification, the basis for FN-DSA, pending the finalized FIPS 206 text, which may refine encoding details or conventions.

PropertyValue
NIST security categoryCategory 1
Public key897 bytes
Signature666 bytes

For scale, the 666-byte signature is about a quarter of the smallest ML-DSA-44 signature (2,420 bytes) and under a tenth of the smallest SLH-DSA-128s signature (7,856 bytes), and the 897-byte public key is smaller than any ML-DSA public key. That compactness is the entire reason FN-DSA stays in the portfolio, and it is what FN-DSA-512 offers at the category-1 tier.

Source: FALCON specification, key and signature size figures, falcon-sign.info. [OPERATOR VERIFY: re-verify against FIPS 206 once published; these are pre-standard FALCON figures.]

Is FN-DSA-512 finalized, and when would you use it?

FN-DSA-512 is not finalized, because FIPS 206 is still in development. In August 2024 NIST published its first three post-quantum standards, FIPS 203, 204, and 205; FALCON was selected for standardization as FIPS 206 at the same time, but that process is still underway, with no publication date announced. Until FIPS 206 publishes, FN-DSA-512 cannot satisfy FIPS 140-3 approved-algorithm requirements, so validated post-quantum signing relies on ML-DSA or SLH-DSA.

The role FN-DSA-512 is designed for is the one where signature size is the first-order constraint at a category-1 tier: thin-bandwidth links, certificate-heavy chains, and size-sensitive tokens or signed metadata, where its 666-byte signature creates real operational value. Even a team that wants it is designing toward it today rather than deploying it for compliance, and the reason for caution beyond the draft status is the implementation profile, because FN-DSA’s Gaussian sampler and required floating-point arithmetic make it the hardest of the standardized signatures to build in constant time. Keeping the option open across a signing architecture is the point of crypto-agility.

Source: NIST Post-Quantum Cryptography project, csrc.nist.gov/projects/post-quantum-cryptography. [OPERATOR VERIFY: confirm current FIPS 206 status before publishing a date; none announced as of 2026-07-12.]

Common misconceptions

  1. “FN-DSA-512 is a finalized standard I can deploy for compliance.” It is selected and in development. The finalized standardized signatures are ML-DSA (FIPS 204) and SLH-DSA (FIPS 205); FN-DSA work today is planning and prototyping.
  2. “Small signatures mean easy deployment.” The opposite tends to hold. FN-DSA-512’s compactness comes from a floating-point Gaussian sampler that is among the hardest cryptographic components to implement in constant time.
  3. “FALCON-512 and FN-DSA-512 are different algorithms.” FALCON-512 is the competition-era name; FN-DSA-512 is the standardization-track designation for the same category-1 scheme that FIPS 206 will specify.
  4. “The 512 means a 512-bit key.” It reflects the internal lattice dimension and maps to security category 1, not to a key length. The public key is 897 bytes and the signature is 666 bytes.

Questions people ask

Is FN-DSA-512 finalized? No. FALCON was selected for standardization as FIPS 206, and that process is still underway as of mid-2026, while FIPS 203, 204, and 205 published in August 2024. [OPERATOR VERIFY: confirm current FIPS 206 status at csrc.nist.gov before citing a date.]

How much smaller is FN-DSA-512 than ML-DSA-44? Substantially. Its 666-byte signature is about a quarter of ML-DSA-44’s 2,420 bytes, and its 897-byte public key is smaller than ML-DSA-44’s 1,312 bytes.

Why is FN-DSA-512 hard to implement? Its signing uses floating-point arithmetic that the FALCON specification calls unavoidable, plus a Gaussian sampler whose secure, constant-time implementation is difficult. If the sampler’s timing or power draw depends on secret values, it can leak the private key over many signatures.

Does FN-DSA-512 do key exchange? No. It is a signature algorithm. Key establishment is the job of ML-KEM.

Should I use FN-DSA-512 or ML-DSA-44? For most general-purpose signing, ML-DSA-44 or ML-DSA-65 is the better choice today: finalized, more forgiving to implement, and validation-ready. Reach for FN-DSA-512 only where signature size is a genuine architectural constraint, and only once FIPS 206 is final.


Everything here is the map, given freely. When your team needs to decide whether FN-DSA-512’s compact signatures are worth its implementation profile and draft status in your own architecture, that’s what an alignment briefing is for.

Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.