up:: FIPS 204 (ML-DSA)
ML-DSA-87
ML-DSA-87 is the largest and most conservative of the three parameter sets defined in FIPS 204, the primary NIST post-quantum standard for digital signatures, and it targets NIST security category 5, the highest tier. It does the same signing job as its siblings, proving that a certificate, a software update, or a signed record came from the expected signer and was not altered, and it carries the largest artifacts of the family, a 2,592-byte public key and a 4,627-byte signature. Those bytes buy the widest lattice-signature margin the standard offers, which is why ML-DSA-87 is the choice for national-security systems and long-lived, high-value signing, while ML-DSA-65 is the common general-purpose default for everything else.
Source: NIST FIPS 204, Module-Lattice-Based Digital Signature Standard, Tables 1 and 2, August 2024.
The short version:
- ML-DSA-87 does digital signatures, proving authenticity and integrity. It is not for key establishment. (Key exchange is ML-KEM.)
- It sits at NIST security category 5, the highest of the three ML-DSA tiers.
- Its public key is 2,592 bytes, its private key is 4,896 bytes, and its signature is 4,627 bytes.
- It is the highest-assurance lattice signature, for national-security and long-lived signing. ML-DSA-65 is the general-purpose default.
- Its security rests on lattice math (Module-LWE and Module-SIS), which Shor’s algorithm does not break.
What is ML-DSA-87?
ML-DSA-87 is the category-5 parameter set of ML-DSA, the standardized form of the algorithm known during the NIST competition as CRYSTALS-Dilithium. A signature scheme works in three moves: the signer generates a public verification key and a private signing key, signs a message or its digest with the private key, and anyone holding the public key checks that the signature is valid for that exact message. ML-DSA-87 runs that protocol at the strongest parameters the standard defines, which is what gives it the widest margin and the largest artifacts.
The “87” refers to the dimensions of the internal lattice matrix the parameter set uses, not to a key length in bits. What it tracks in practice is the security category: ML-DSA-87 is claimed at category 5, above ML-DSA-65 at category 3 and ML-DSA-44 at category 2. The security of all three rests on the Module-LWE and Module-SIS problems over a polynomial ring, lattice hardness assumptions with no known efficient solution on a classical or a quantum computer, which is what makes ML-DSA the replacement for the ECDSA and RSA signatures that Shor’s algorithm forges.
Source: NIST FIPS 204, §4, August 2024.
What are ML-DSA-87’s sizes and security category?
The parameters are the thing to internalize, because they are where the engineering cost lives. These figures are verbatim from Table 2 (sizes in bytes) and Table 1 (security categories) of the standard.
| Property | Value |
|---|---|
| NIST security category | Category 5 |
| Private key | 4,896 bytes |
| Public key | 2,592 bytes |
| Signature | 4,627 bytes |
The scale to note is the step up from the default. ML-DSA-87’s signature is 4,627 bytes against ML-DSA-65’s 3,309, and its public key is 2,592 bytes against 1,952, making it the largest of the three lattice-signature sets across every field. Signing and verifying stay fast enough for mainstream hardware, so the reason to choose it is assurance and the price is bytes, in certificates, transport, and storage, rather than a meaningful performance hit.
Source: NIST FIPS 204, Tables 1 and 2, August 2024.
When should you use ML-DSA-87?
ML-DSA-87 is the set you reach for when the signature margin matters more than the artifact size, and for general-purpose signing ML-DSA-65 remains the common default. The category-5 tier is the appropriate floor where policy or a long trust horizon demands the maximum lattice margin. The roles where it fits:
- National-security and classified signing. Where the highest assurance is a policy requirement, category 5 is the appropriate tier, and it is the ML-DSA level CNSA 2.0 aligns to for national-security systems.
- Long-lived, high-value trust anchors. Certificates and keys whose signatures must stay trustworthy for decades benefit from the widest margin, so a future improvement in lattice cryptanalysis does not erode them.
- Roles where the extra bytes are affordable. ML-DSA-87’s larger signature is easy to absorb where signing is infrequent and the artifacts are not on a hot, high-volume path.
For a conservative signing foundation that does not depend on lattice hardness at all, some architects pair or replace the highest lattice tier with SLH-DSA, the hash-based hedge, for the most sensitive long-lived roots of trust. ML-DSA-87 remains the highest-assurance option within the lattice family, and crypto-agility is what lets a program hold both options open.
Source: NIST FIPS 204, Tables 1 and 2, August 2024.
Common misconceptions
- “The 87 means an 87-bit or 87-byte key.” It does not. The number reflects the dimensions of the internal lattice matrix and maps to security category 5, not to a key or signature length. The signature is 4,627 bytes.
- “ML-DSA-87 should be the default because bigger is safer.” ML-DSA-65 is the common general-purpose default because category 3 suits most signing at lighter cost. Category 5 is worth its extra bytes only where policy or a long trust horizon calls for it.
- “ML-DSA-87 is dramatically slower.” Its compute stays fast on mainstream hardware. The real cost is size, the largest keys and signatures of the three sets, not a performance cliff.
- “Category 5 lattice is the most conservative option there is.” It is the strongest lattice tier, and the most conservative signature foundation is hash-based SLH-DSA, which rests on no lattice assumption at all. Some roots of trust reach for that assumption diversity rather than a larger lattice parameter.
Questions people ask
When should I choose ML-DSA-87 over ML-DSA-65? When the signature margin has to be maximal: national-security or classified signing, and long-lived high-value trust anchors. For general-purpose signing, ML-DSA-65 is the common default.
How much larger is ML-DSA-87 than ML-DSA-65? Its signature is 4,627 bytes against 3,309, its public key is 2,592 bytes against 1,952, and its private key is 4,896 bytes against 4,032.
Is ML-DSA-87 much slower than the smaller sets? No. Signing and verifying stay fast on mainstream hardware, so the binding cost is size in certificates, transport, and storage rather than speed.
Does ML-DSA-87 do key exchange? No. It is a signature algorithm, so it proves authenticity and integrity only. Key establishment is the job of ML-KEM.
Is ML-DSA-87 required for national-security systems? CNSA 2.0 aligns its national-security signature requirement to the category-5 level, which is the tier ML-DSA-87 provides. Confirm the exact parameter wording against the current CNSA 2.0 advisory before quoting it as a named-parameter mandate. [OPERATOR VERIFY: confirm CNSA 2.0 wording ties the ML-DSA requirement to ML-DSA-87 by name or to category 5.]
Everything here is the map, given freely. When your team needs to decide where the category-5 margin of ML-DSA-87 is worth its size against your own signing and assurance requirements, that’s what an alignment briefing is for.
Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.