What a Digital Signature Actually Does
Before getting to the algorithm, it is worth being precise about what a digital signature is supposed to accomplish. When you send a transaction on any blockchain, three things need to be true at the same time. First, the transaction must have been authorized by the legitimate owner of the sending address - this is authentication. Second, nobody else should be able to fake that authorization - this is unforgeability. Third, the transaction contents must not have been altered after signing - this is integrity.
A digital signature scheme achieves all three through asymmetric key pairs. You hold a private key that only you know. From that private key, a public key is derived that you share openly - in the blockchain context, your address is derived from your public key. To authorize a transaction, you use your private key to compute a signature over the transaction data. Anyone can use your public key to verify that the signature is genuine, but nobody can produce a valid signature without knowing your private key. That is the core of it.
The security of the whole system rests on one question: how hard is it to work backwards from the public key to the private key? For classical computers, it is effectively impossible for well-designed schemes. For quantum computers, the answer depends critically on which mathematical problem underpins the scheme.
Why ECDSA Is Broken by Shor's Algorithm
Bitcoin and Ethereum both use ECDSA - the Elliptic Curve Digital Signature Algorithm - over the secp256k1 curve. ECDSA's security rests on the Elliptic Curve Discrete Logarithm Problem (ECDLP): given the base point G and a point Q on the curve, find the integer k such that Q = k * G. The best classical algorithms (Pollard's rho and its variants) need on the order of the square root of the group order, about 2^128 curve operations for secp256k1, so a 256-bit key provides roughly 128 bits of classical security - far beyond what any classical hardware could exhaust within the age of the universe.
In 1994, mathematician Peter Shor published an algorithm that runs on a quantum computer and solves both the integer factorization problem and the discrete logarithm problem in polynomial time. This matters enormously because both RSA (factorization) and ECDSA (discrete logarithm) derive their security from exactly these problems. A quantum computer running Shor's algorithm at scale could recover an ECDSA private key from the corresponding public key efficiently - turning what was computationally impossible into a tractable problem.
Every time you spend from a Bitcoin address or send an Ethereum transaction, your public key is revealed to the whole network and permanently recorded on-chain: explicitly in the Bitcoin script or witness data, and on Ethereum recoverable from the signature itself. An adversary archiving chain data today can attempt to recover the corresponding private keys once sufficiently powerful quantum hardware exists, and then sign as you. This "harvest now, decrypt later" pattern - for signatures, harvest now and forge later - means addresses whose public keys are already exposed (any Bitcoin address that has spent, reused addresses, Taproot outputs, and any Ethereum account that has ever sent a transaction) are at risk today, even though the quantum computer does not exist yet. A Bitcoin address that has only ever received funds exposes just a hash of the key, which narrows the attacker's window to the interval between a spend being broadcast and its confirmation.
Current fault-tolerant quantum computers capable of running Shor's algorithm against 256-bit ECC do not exist yet. Conservative research estimates place their emergence somewhere in the 2030-2040 range, with wide uncertainty in both directions. The point is not that the threat is immediate - it is that infrastructure with multi-decade lifespans needs to make its security decisions now, not when the hardware appears.
What Lattice-Based Cryptography Is
Lattice-based cryptography is one of the main families of post-quantum cryptographic schemes - algorithms believed to be secure against both classical and quantum computers. A lattice, in the mathematical sense, is a regular grid of points in high-dimensional space. You can think of it as the set of all integer linear combinations of a set of basis vectors. The key hardness assumption underlying lattice cryptography is that certain problems on high-dimensional lattices are computationally intractable even for quantum computers.
The two most important lattice problems are the Shortest Vector Problem (SVP) - finding the shortest non-zero vector in a lattice - and the Learning With Errors problem (LWE). LWE can be described intuitively as follows: you are given a large number of noisy linear equations, and you must recover the secret values that generated them. The "noise" term is what makes the problem hard; without it the equations could be solved by Gaussian elimination, but the noise prevents that while still allowing the legitimate key-holder (who knows the structure) to recover the answer efficiently.
The reason lattice problems are believed to be quantum-resistant is that Shor's algorithm and related quantum algorithms provide no meaningful speedup against them. The best known quantum algorithms for SVP and LWE still require exponential time. This is not proven - no one has proved P is not NP, let alone proven quantum hardness of lattice problems - but decades of analysis by the cryptographic community have found no efficient quantum attack, which is the strongest practical confidence available.
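The Gaussian-elimination point above is easy to see concretely. The following is an added illustration, not code from the page or from any project: it builds a small LWE instance b = A·s + e mod q, solves it by elimination over Z_q, and shows that the exact solver recovers s when e = 0 but returns an unrelated vector as soon as e is nonzero. The modulus, dimensions and noise range are hypothetical toy values chosen for readability, not for security.

```python
"""Why the noise in LWE matters: constructed example, not from the page's project.

Given A (M x N) and b = A*s + e mod q, try to solve for s. With e = 0,
Gaussian elimination over Z_q returns s exactly; with even tiny e it returns a
vector that satisfies the equations it pivoted on but is not s and fails the
rest. Small sizes and a seeded RNG keep it reproducible; nothing here is secure.
"""
import random

Q = 8380417   # prime modulus (Dilithium's q, so modular inverses exist)
N = 8         # secret length
M = 16        # number of equations


def solve_mod_q(A, b):
    """Gauss-Jordan elimination over Z_q using N independent rows.
    Returns the unique s with A*s = b on those rows, or None if singular."""
    rows = [list(r) + [v] for r, v in zip(A, b)]       # augmented matrix
    piv = 0
    for col in range(N):
        r = next((i for i in range(piv, M) if rows[i][col] % Q), None)
        if r is None:
            return None
        rows[piv], rows[r] = rows[r], rows[piv]
        inv = pow(rows[piv][col], -1, Q)
        rows[piv] = [x * inv % Q for x in rows[piv]]
        for i in range(M):
            if i != piv and rows[i][col]:
                f = rows[i][col]
                rows[i] = [(x - f * y) % Q for x, y in zip(rows[i], rows[piv])]
        piv += 1
    return [rows[i][N] for i in range(N)]


def centred(x):
    x %= Q                                             # representative in (-Q/2, Q/2]
    return x - Q if x > Q // 2 else x


def residuals(A, s, b):
    """Centred b - A*s mod q per equation: all tiny iff s explains b up to noise."""
    return [centred(v - sum(a * x for a, x in zip(row, s))) for row, v in zip(A, b)]


def lwe_instance(rng, noisy):
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    s = [rng.randint(-2, 2) % Q for _ in range(N)]
    # Noise is never zero in the noisy case, so the eliminated solution cannot be s.
    e = [rng.choice([-2, -1, 1, 2]) if noisy else 0 for _ in range(M)]
    b = [(sum(a * x for a, x in zip(row, s)) + err) % Q for row, err in zip(A, e)]
    return A, s, b


def demo(seed=7):
    rng = random.Random(seed)
    A0, s0, b0 = lwe_instance(rng, noisy=False)
    A1, s1, b1 = lwe_instance(rng, noisy=True)
    guess0, guess1 = solve_mod_q(A0, b0), solve_mod_q(A1, b1)
    return {
        "noiseless_recovers_secret": guess0 == s0,
        "noisy_recovers_secret": guess1 == s1,
        # the true secret fits every equation up to the noise bound ...
        "true_secret_max_residual": max(abs(r) for r in residuals(A1, s1, b1)),
        # ... while the eliminated "solution" fits nothing outside its pivot rows
        "guess_max_residual": max(abs(r) for r in residuals(A1, guess1, b1)),
    }
```

The legitimate key-holder is not in the solver's position: they know s and only need to check that every residual is within the noise bound, which is the asymmetry lattice schemes exploit.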
How CRYSTALS-Dilithium Works
CRYSTALS-Dilithium is a digital signature scheme whose security reduces to the hardness of the Module Learning With Errors (MLWE) problem and the Module Short Integer Solution (MSIS) problem - both lattice problems. "Module" here refers to a specific algebraic structure that makes the scheme more efficient without sacrificing security.
At a high level, Dilithium is a Fiat-Shamir signature - more precisely "Fiat-Shamir with aborts", after Lyubashevsky's lattice construction. The signer draws a random masking vector y and computes a commitment w = A * y; a challenge c is derived by hashing the message together with (the high-order bits of) that commitment; and the response z = y + c * s1 binds the challenge, the commitment and the private key s1 together. The verifier recomputes the commitment from the public key, z and c, and checks both that hashing it reproduces c and that z is short. Producing a short z that passes this check without knowing s1 amounts to solving an MSIS instance, which is believed to be hard.
Here is a simplified diagram of the signing and verification flow:
One detail worth noting is the rejection sampling step in signing. If the response vector z would leak information about the secret key s1 - specifically, if any coefficient of z is too large, or if the secret would disturb the low-order bits of the commitment - the signer discards that attempt and starts over with a fresh random masking vector. This is what keeps z statistically independent of s1, at the cost of variable signing time. Rejection is not rare: the Dilithium specification gives an expected four to five attempts per signature for Dilithium3, yet signing still takes well under a millisecond on a modern CPU. Two implementation caveats follow. Beyond the accept/reject decision itself, the loop must not branch or index on secret data in a timing-observable way, and FIPS 204's default "hedged" mode mixes fresh randomness into every signature so that a fault injected into one attempt cannot be exploited by replaying a deterministic retry.
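The sign-and-verify flow described above, including the rejection loop, as a runnable toy. This is an added example, not Qlorix's code and not the CRYSTALS team's reference implementation: it is a Lyubashevsky-style Fiat-Shamir-with-aborts scheme over Z_q[x]/(x^8 + 1) with no error term s2 and no high-bits compression, so it is the ancestor of Dilithium rather than ML-DSA itself. The parameter values N, Q, K, L, ETA, TAU and GAMMA1 are hypothetical toy settings chosen so the rejection loop actually fires; they provide no security.

```python
"""Toy Fiat-Shamir-with-aborts lattice signature in the style of Lyubashevsky (2012).
Constructed example: not Qlorix code and not ML-DSA / FIPS 204. Tiny N and a tiny
masking range GAMMA1 keep every step readable and make the rejection loop visible.
Dilithium additionally adds an error s2 to the key (t = A*s1 + s2), hashes only the
high bits of the commitment w (repaired with a hint vector) and uses N = 256. Not secure.
"""
import hashlib
import random
from functools import reduce

N = 8              # polynomial degree (Dilithium: 256)
Q = 8380417        # modulus (Dilithium's prime, kept for familiarity)
K, L = 2, 2        # A is K x L polynomials (Dilithium3: 6 x 5)
ETA = 2            # secret coefficients lie in [-ETA, ETA]
TAU = 3            # number of +/-1 coefficients in the challenge c
BETA = TAU * ETA   # hence ||c * s1||_inf <= BETA
GAMMA1 = 64        # masking range for y (Dilithium3: 2^19); tiny on purpose

def centred(x):
    x %= Q                                  # representative in (-Q/2, Q/2]
    return x - Q if x > Q // 2 else x

def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def poly_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]

def poly_mul(a, b):
    """Schoolbook product in Z_q[x]/(x^N + 1): the x^N term wraps to -1."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            sgn, k = (1, i + j) if i + j < N else (-1, i + j - N)
            out[k] = (out[k] + sgn * ai * bj) % Q
    return out

def mat_vec(A, v):
    """A (K x L polys) times v (L polys) -> K polys."""
    return [reduce(poly_add, (poly_mul(a, p) for a, p in zip(row, v))) for row in A]

def inf_norm(vec):
    return max(abs(centred(c)) for p in vec for c in p)

def encode(vec):
    return b"".join(c.to_bytes(4, "little") for p in vec for c in p)

def sample_in_ball(seed):
    """Challenge with TAU coefficients in {-1, +1} drawn from SHAKE256(seed),
    the idea behind Dilithium's SampleInBall."""
    stream = hashlib.shake_256(seed).digest(512)
    c, placed, i = [0] * N, 0, 0
    while placed < TAU:
        pos, sign = stream[i] % N, stream[i + 1] & 1
        i += 2
        if c[pos] == 0:
            c[pos] = 1 if sign else Q - 1   # Q - 1 represents -1
            placed += 1
    return c

def keygen(rng):
    A = [[[rng.randrange(Q) for _ in range(N)] for _ in range(L)] for _ in range(K)]
    s1 = [[rng.randint(-ETA, ETA) % Q for _ in range(N)] for _ in range(L)]
    t = mat_vec(A, s1)                      # Dilithium: t = A*s1 + s2
    return (A, t), (A, s1)

def sign(sk, msg, rng):
    """Returns ((z, c), attempts) so the rejection loop can be observed."""
    A, s1 = sk
    attempts = 0
    while True:
        attempts += 1
        y = [[rng.randint(-(GAMMA1 - 1), GAMMA1 - 1) % Q for _ in range(N)]
             for _ in range(L)]             # fresh random mask each attempt
        w = mat_vec(A, y)                   # commitment
        c = sample_in_ball(msg + encode(w)) # challenge = H(message, commitment)
        z = [poly_add(yi, poly_mul(c, si)) for yi, si in zip(y, s1)]  # response
        # Rejection sampling: a coefficient of z at or beyond GAMMA1 - BETA could
        # only arise for some values of s1, so releasing it would leak. Retry.
        if inf_norm(z) < GAMMA1 - BETA:
            return (z, c), attempts

def verify(pk, msg, sig):
    A, t = pk
    z, c = sig
    if inf_norm(z) >= GAMMA1 - BETA:        # an oversized response is never valid
        return False
    # A*z - c*t = A*y + c*A*s1 - c*A*s1 = w: the commitment is recomputed from
    # public data alone and must reproduce the challenge.
    w = [poly_sub(az, poly_mul(c, ti)) for az, ti in zip(mat_vec(A, z), t)]
    return sample_in_ball(msg + encode(w)) == c

def demo(seed=1, msg=b"constructed transaction bytes"):
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    sig, attempts = sign(sk, msg, rng)
    z_bad = [list(p) for p in sig[0]]       # flip one coefficient of z
    z_bad[0][0] = (z_bad[0][0] + 1) % Q
    return {"valid": verify(pk, msg, sig), "attempts": attempts,
            "tampered_msg": verify(pk, msg + b"!", sig),
            "tampered_sig": verify(pk, msg, (z_bad, sig[1]))}
```

With these toy parameters each coefficient of z is accepted with probability 115/127, so a full 16-coefficient response survives about one attempt in five and signing averages roughly five tries - coincidentally close to Dilithium3's expected count, though for different reasons. Note what the verifier does not need: s1, s2 or the original mask y. Everything it checks is recomputed from the public key, and the norm bound on z is part of the check, not an optimisation.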
Why NIST Selected Dilithium as a Standard
NIST (the US National Institute of Standards and Technology) ran a multi-year public competition to standardize post-quantum cryptographic algorithms, soliciting submissions worldwide and subjecting them to years of cryptanalytic scrutiny from the research community. CRYSTALS-Dilithium was selected in July 2022 as the primary post-quantum digital signature standard and published, under the name ML-DSA, as FIPS 204 in August 2024.
NIST evaluated candidates on security, cost and performance, and algorithm and implementation characteristics, the last covering simplicity and resistance to implementation attacks such as side channels. Dilithium performed well across the board. On security, the MLWE and MSIS assumptions are among the best-studied in post-quantum cryptography, and no efficient attack was found during the years of public analysis. On performance, Dilithium signs and verifies quickly on commodity hardware: signing is faster than RSA-2048 and verification is comparable. On simplicity, the scheme needs only polynomial arithmetic modulo q and a hash function, with no Gaussian sampling or floating-point arithmetic, which shrinks the surface for subtle implementation bugs and makes constant-time code straightforward.
FIPS 204 standardizes three parameter sets - ML-DSA-44, ML-DSA-65 and ML-DSA-87 - at NIST security categories 2, 3 and 5. Category 2 is calibrated to the cost of a collision search on SHA-256, category 3 to an exhaustive key search on AES-192 and category 5 to a key search on AES-256. The sizes below are the FIPS 204 values; the round-3 CRYSTALS-Dilithium submission differs by a few bytes (3,293 and 4,595-byte signatures for the two larger sets):
| Variant | NIST category | Public key | Signature | Calibrated against |
|---|---|---|---|---|
| ML-DSA-44 (Dilithium2) | 2 | 1,312 bytes | 2,420 bytes | SHA-256 collision search |
| ML-DSA-65 (Dilithium3), used by Qlorix | 3 | 1,952 bytes | 3,309 bytes | AES-192 key search |
| ML-DSA-87 (Dilithium5) | 5 | 2,592 bytes | 4,627 bytes | AES-256 key search |
| ECDSA secp256k1 (reference) | classical only | 33 bytes (compressed) | 64-65 bytes | broken by Shor's algorithm |
How Qlorix Implements Dilithium3
Qlorix uses ML-DSA-65 (Dilithium3) as the mandatory signature scheme for all transactions and validator attestations. This choice rests on three grounds. First, NIST category 3 provides a conservative margin: its 192-bit-equivalent classical security is well above the 128-bit baseline and in line with common guidance for long-term data protection, although the NSA's CNSA 2.0 suite goes further and requires ML-DSA-87 for national security systems. Second, Dilithium3's performance is well within what high-throughput block production needs. Third, the larger signature size relative to ECDSA is a known cost that was factored into the block format, gas accounting and network design from genesis.
Address derivation on Qlorix works as follows: a Dilithium3 key pair is generated; the public key is hashed with SHA3-256; the last 20 bytes of that hash become the address. Two cautions for tooling authors: if "SHA3-256" is, as the name implies, the FIPS 202 function, it is not the pre-standard Keccak-256 that Ethereum's address derivation uses (the two differ in padding and produce different digests), so a Keccak helper borrowed from an Ethereum library will derive the wrong address; and the hash input is the full 1,952-byte ML-DSA-65 public key, not a 64-byte curve point. The address format is intentionally the same length and hex encoding as an Ethereum address, so Qlorix addresses look familiar and existing tooling can display them without modification. The cryptographic substance underneath - the key that controls the address - is a Dilithium3 key pair rather than an ECDSA key pair.
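The derivation above, written out as an added example that is not Qlorix SDK code. It uses Python's `hashlib.sha3_256` (the FIPS 202 function) and a constructed 1,952-byte stand-in for an ML-DSA-65 public key, since generating a real one needs a post-quantum library. The `sender_matches` check is this example's own assumption about how a verifier would bind a transaction's `from` field to the key it carries: ML-DSA offers no public-key recovery, so a verifier must be given the full public key and re-derive the address from it.

```python
"""Qlorix-style address derivation: SHA3-256(public key), last 20 bytes.

Constructed example, not Qlorix SDK code. Assumes FIPS 202 SHA3-256
(hashlib.sha3_256); Ethereum's pre-standard Keccak-256 would give a different
address. The public key below is a constructed stand-in of the right length,
not a real ML-DSA-65 key.
"""
import hashlib

ML_DSA_65_PK_BYTES = 1952  # ML-DSA-65 public key size per FIPS 204


def derive_address(public_key: bytes) -> str:
    """0x-prefixed, lowercase hex of the last 20 bytes of SHA3-256(public key)."""
    if len(public_key) != ML_DSA_65_PK_BYTES:
        raise ValueError(
            f"expected {ML_DSA_65_PK_BYTES}-byte ML-DSA-65 public key, got {len(public_key)}")
    digest = hashlib.sha3_256(public_key).digest()
    return "0x" + digest[-20:].hex()


def is_address(s: str) -> bool:
    """Syntactic check only: 0x plus 40 hex digits."""
    if len(s) != 42 or not s.startswith("0x"):
        return False
    try:
        bytes.fromhex(s[2:])
    except ValueError:
        return False
    return True


def sender_matches(tx_from: str, public_key: bytes) -> bool:
    """Bind a transaction's `from` field to the public key it carries.
    Because ML-DSA has no public-key recovery, the verifier cannot derive the
    key from the signature; it must receive the key and re-derive the address.
    Hex case carries no information here, so the comparison is case-insensitive."""
    return is_address(tx_from) and derive_address(public_key) == tx_from.lower()


def demo():
    pk = bytes(i % 251 for i in range(ML_DSA_65_PK_BYTES))          # constructed stand-in
    other = bytes((i + 1) % 251 for i in range(ML_DSA_65_PK_BYTES))  # a different key
    addr = derive_address(pk)
    return {"address": addr,
            "binds_own_key": sender_matches(addr, pk),
            "rejects_other_key": not sender_matches(addr, other)}
```

The practical consequence is that a transaction from a fresh address has to make 1,952 bytes of public key available to verifiers in addition to the signature, either inline or through some first-use registration; either way it is a cost that ECDSA's 65-byte recoverable signature never had.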
Every transaction on Qlorix carries a Dilithium3 signature over the transaction hash. Unlike ECDSA, where Ethereum recovers the signer's public key from the signature (ecrecover), ML-DSA has no public-key recovery, so the verifier must have the signer's full public key available, not just the 20-byte address. The QLVM exposes a native precompile at a fixed address for on-chain Dilithium3 signature verification, so contracts that need to verify signatures (multisig wallets, for example) can do so efficiently without implementing the algorithm in Solidity. Validator attestations in the consensus protocol are also Dilithium3 signatures, so the entire stack, from user wallets to consensus, rests on the same post-quantum primitive.
No migration path required: Because Qlorix was designed around Dilithium3 from the start, there is no classical signature mode and no classical-to-post-quantum migration to manage. Assets on Qlorix are protected by post-quantum signatures from the first block. Developers building on Qlorix do not need to understand Dilithium3 internals: the wallet layer and SDK handle key generation and signing, and the QLVM verifies transparently inside the transaction execution engine.
Signature Sizes in Practice
The most frequently raised practical objection to post-quantum signatures is size. An ML-DSA-65 (Dilithium3) signature is 3,309 bytes versus 64 or 65 bytes for ECDSA, roughly a 50x increase, and wherever the verifier does not already hold the signer's 1,952-byte public key, that must travel too. This is a real cost that deserves honest treatment rather than dismissal.
Qlorix addresses it in three ways. First, the block format and gas accounting were specified for Dilithium3 from genesis, so the larger signature is part of the throughput calculations rather than an overhead bolted onto a system designed for 65-byte signatures. Second, signature data lives in a dedicated calldata section of the transaction and is pruned from node storage after finality, so long-term storage growth is lower than it might appear; the trade-off is that a node joining after pruning trusts the finality checkpoint rather than re-verifying historical signatures itself. Third, the block gas target is set conservatively at launch and will be raised through governance as hardware and network conditions permit, giving a path to higher throughput as the ecosystem grows.
For comparison, Ethereum's EIP-4844 added blob-carrying transactions for rollup data availability: each blob is about 128 KB, with a target of three and a maximum of six per block (roughly 384 to 768 KB of extra data), and the network absorbs this without issue. Whether Dilithium3 signatures stay within a comparable budget is a question of transaction count: at 3,309 bytes each, 100 signatures per block is about 330 KB and 1,000 is about 3.3 MB. The size is manageable, but only because block size, gas and propagation were designed around it from the beginning, which is exactly what the Qlorix architecture does.
What This Means for the Long Term
CRYSTALS-Dilithium is not the final word in post-quantum cryptography. The field continues to evolve, and more efficient algorithms may be standardized in the years ahead. Qlorix's governance system allows the network to adopt new signature schemes through hard forks if and when they become available and standardized. The important thing is that the baseline security is already post-quantum - any future upgrade is an improvement on a solid foundation, not a desperate migration from a broken one.
For users and developers, the practical takeaway is simple: assets on Qlorix are protected by an algorithm that no known quantum algorithm breaks, standardized by NIST after years of public cryptanalysis, and implemented as a first-class part of the protocol rather than an afterthought. The threat quantum computers pose to blockchain signatures is real and developing. Qlorix's answer is in production, not on a roadmap.