ML-DSA library comparison
A reference summary of which ML-DSA implementation the PQ smart-account stack uses, why, and what the realistic alternatives are.
Selected: ml-dsa (RustCrypto)
Used in the Stylus verifier (ML-DSA-65) and the off-chain Rust CLI (pq-keygen, pq-sign, pq-verify).
| Property | ml-dsa (RustCrypto) | Why it matters |
|---|---|---|
| Maintenance | Active, multi-maintainer (Tony Arcieri + Trail of Bits contributors) | Reduces single-maintainer risk for a cryptographic dependency |
| Compatibility | Compiles to wasm32-unknown-unknown cleanly | Required for Stylus |
| Standards | Passes NIST ACVP and Wycheproof test vectors | Standards conformance is the only acceptable bar |
| Performance | Faster verify than the main pure-Rust alternative in benchmarks | Verification gas is the dominant runtime cost on-chain |
| API stability | RC stage (0.1.0-rc.7 at time of writing) | Pinned; ACVP vectors re-validated on any upgrade |
The RC status is the main trade-off. The crate is well-tested and on a path to stable, but is not yet 1.0. This is mitigated by pinning and treating any version bump as a re-audit on the on-chain side.
Alternatives evaluated
The full review covered ten Rust crates and two TypeScript libraries. The four that were most relevant:
| Library | Type | Verdict | Reasoning |
|---|---|---|---|
| ml-dsa (RustCrypto) | Rust crate | Selected | Best maintenance, broadest test coverage, fastest verify |
| fips204 (IntegrityChain) | Rust crate | Strong runner-up | Smaller WASM (~12.7 KB) but single-maintainer and slower verify |
| pqcrypto-dilithium | Rust crate | Rejected | Older Dilithium parameters; behind FIPS 204 spec |
| @noble/post-quantum | TypeScript / JS | Selected for client-side | Audited JS implementation by Paul Miller; used in the Snap and as the wallet's reference for cross-checking |
What the selection delivers
- Bi-directional verification. A signature generated by `@noble/post-quantum` in TypeScript verifies in the Stylus `ml-dsa` crate, and vice versa. This is asserted by an explicit cross-implementation test in the verifier's test suite.
- NIST ACVP coverage. All three parameter sets (ML-DSA-44/65/87) are exercised against NIST ACVP keygen, siggen, and sigver vectors.
- WASM size budget headroom. Approximately 3.3 KB raw headroom over the gzipped binary inside the 24 KB Stylus compressed limit.
What would prompt a switch
- If `ml-dsa` lags Stylus SDK upgrades or the spec, `fips204` is the immediate fallback. The verifier's API surface is small enough that switching is a few hundred lines.
- If a second-source Rust implementation backed by an established cryptographer becomes available and fits the size budget, deploying both with a comparison check would be desirable for defense in depth.
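The ACVP re-validation on upgrade, the cross-implementation agreement test, and the "deploy both with a comparison check" idea above all reduce to the same harness: run every sigVer vector through every verifier under test and require each verdict to match the vector's expected result, so any disagreement between libraries surfaces as a failure. The following is an added example of that harness, not code from the PQ smart-account stack or from any of the crates compared here. It assumes a simplified vector layout mirroring ACVP's `testGroups`/`tests` JSON shape (field names `parameterSet`, `pk`, `message`, `signature`, `testPassed` are assumptions), and the verifier callables are stand-ins: binding a real verifier (the `ml-dsa` crate behind the `pq-verify` CLI, or `@noble/post-quantum`) is left to the caller. The public-key and signature lengths come from FIPS 204, Table 2.

```python
"""ACVP-style ML-DSA sigVer conformance harness (added example).

Drives one or more verify() callables over ML-DSA sigVer vectors laid out
like ACVP's testGroups/tests JSON (simplified; field names are assumptions),
checks that each key and signature has the length FIPS 204 fixes for its
parameter set, and requires every verifier to reproduce the expected verdict.
Binding a real library is the caller's job; the stand-in verifiers below only
exercise the harness logic.
"""
import json
from typing import Callable, Dict, List

# Public-key and signature byte lengths from FIPS 204, Table 2.
SIZES = {
    "ML-DSA-44": {"pk": 1312, "sig": 2420},
    "ML-DSA-65": {"pk": 1952, "sig": 3309},
    "ML-DSA-87": {"pk": 2592, "sig": 4627},
}

# (parameter_set, pk, message, signature) -> accepted?
Verifier = Callable[[str, bytes, bytes, bytes], bool]


def load_vectors(path: str) -> dict:
    """Read a sigVer vector file from disk (same shape as constructed_vectors())."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def check_sizes(param_set: str, pk: bytes, sig: bytes) -> List[str]:
    """Return the list of length problems for one vector (empty when it is well-formed)."""
    expected = SIZES.get(param_set)
    if expected is None:
        return [f"unknown parameter set {param_set!r}"]
    problems = []
    if len(pk) != expected["pk"]:
        problems.append(f"pk length {len(pk)} != {expected['pk']}")
    if len(sig) != expected["sig"]:
        problems.append(f"sig length {len(sig)} != {expected['sig']}")
    return problems


def run_sigver(vectors: dict, verifiers: Dict[str, Verifier]) -> dict:
    """Run every vector through every verifier and collect failures.

    A failure is recorded when a vector is malformed, a verifier raises, or a
    verifier's verdict differs from the vector's expected `testPassed`. Because
    each verifier is held to the same expected verdict, two libraries that
    disagree with each other always produce at least one failure.
    """
    total = 0
    failures: List[str] = []
    for group in vectors["testGroups"]:
        param_set = group["parameterSet"]
        for tc in group["tests"]:
            total += 1
            tag = f"tg{group['tgId']}/tc{tc['tcId']}"
            pk = bytes.fromhex(tc["pk"])
            msg = bytes.fromhex(tc["message"])
            sig = bytes.fromhex(tc["signature"])
            for problem in check_sizes(param_set, pk, sig):
                failures.append(f"{tag}: {problem}")
            for name, verify in verifiers.items():
                try:
                    got = bool(verify(param_set, pk, msg, sig))
                except Exception as exc:  # a throw/panic is a failure, not a verdict
                    failures.append(f"{tag}: {name} raised {exc!r}")
                    continue
                if got != tc["testPassed"]:
                    failures.append(f"{tag}: {name} returned {got}, expected {tc['testPassed']}")
    return {"total": total, "failures": failures}


def constructed_vectors() -> dict:
    """Two constructed ML-DSA-65 vectors with correctly sized placeholder bytes.
    These are NOT real ACVP data: tc1 expects accept, tc2 expects reject."""
    pk = "11" * SIZES["ML-DSA-65"]["pk"]
    sig_ok = "22" * SIZES["ML-DSA-65"]["sig"]
    sig_bad = "33" * SIZES["ML-DSA-65"]["sig"]
    tests = [
        {"tcId": 1, "pk": pk, "message": "6d7367", "signature": sig_ok, "testPassed": True},
        {"tcId": 2, "pk": pk, "message": "6d7367", "signature": sig_bad, "testPassed": False},
    ]
    return {"testGroups": [{"tgId": 1, "parameterSet": "ML-DSA-65", "tests": tests}]}


def stand_in_verifier(accepted_first_byte: bytes) -> Verifier:
    """Stand-in for a real library binding, used only to exercise the harness:
    accepts exactly the signatures whose first byte matches."""
    return lambda param_set, pk, msg, sig: sig[:1] == accepted_first_byte


if __name__ == "__main__":
    vecs = constructed_vectors()
    conforming = stand_in_verifier(b"\x22")
    divergent = stand_in_verifier(b"\x33")
    print(run_sigver(vecs, {"rust-ml-dsa": conforming, "noble": conforming}))
    print(run_sigver(vecs, {"rust-ml-dsa": conforming, "noble": divergent}))
```

In CI the `verifiers` dict would hold one entry per implementation actually deployed (the on-chain crate and the client-side library), and the job fails on a non-empty `failures` list; a non-empty list after a dependency bump is exactly the signal the pinning policy above is meant to catch.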
Related
- Stylus ML-DSA-65 verifier — integration-level concerns (size budget, cross-implementation tests, deactivation lifecycle)
- Production limitations — the RC dependency tracked as an explicit risk