EIP-8051: ML-DSA verification

Introducing an Ethereum Integration Proposal for ML-DSA Signatures

We are introducing an Ethereum Integration Proposal for ML-DSA signatures, aligning with the [FIPS 204 standard] and ensuring compatibility with NIST Known Answer Test (KAT) vectors.

ML-DSA (Module Lattice–based Digital Signature Algorithm) is one of the NIST-selected post-quantum signature schemes, designed to offer strong security guarantees against both classical and quantum attacks.

Our proposal brings ML-DSA verification capabilities natively into Ethereum smart contracts, enabling future-proof authentication and secure decentralized applications.

The MLDSA_VERIFY Contract

To make this practical on-chain, we developed the MLDSA_VERIFY smart contract, which:

  • Implements ML-DSA verification according to FIPS 204,
  • Is fully compliant with NIST KAT test vectors,
  • Uses the same hash functions and parameters as the reference standard.

This ensures that on-chain verification behaves identically to the standardized cryptographic primitives — a crucial property for interoperability, auditing, and security.

The MLDSA_VERIFY_ETH contract

While the standard version uses SHAKE256 as the underlying hash function, this can be inefficient in the EVM environment.
To address this, we introduce an alternative variant, MLDSA_VERIFY_ETH, which:

  • Replaces SHAKE256 with Keccak256 in counter mode,
  • Reduces the computational overhead significantly,
  • Keeps the algorithm semantically equivalent, but optimized for the EVM.

This change allows ML-DSA verification to run more efficiently on-chain while maintaining cryptographic soundness.
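The difference between the two hashing modes, as an added Python example that is not code from the proposal or its repository: the same seed is expanded with SHAKE256 and with Keccak256 in counter mode. The counter layout (`seed || 8-byte big-endian counter`) and all function names are assumptions, since the contract's exact encoding is not given here. The two byte streams differ, so a signature must be produced and verified with the same variant.

```python
import hashlib

def rol64(a, n):
    n %= 64
    return ((a << n) | (a >> (64 - n))) & (2**64 - 1)

def keccak_f1600(s):
    """Keccak-f[1600] permutation, in place, on 25 lanes indexed s[x + 5*y]."""
    r = 1
    for _ in range(24):
        c = [s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20] for x in range(5)]
        for x in range(5):  # theta
            d = c[(x + 4) % 5] ^ rol64(c[(x + 1) % 5], 1)
            for y in range(0, 25, 5):
                s[x + y] ^= d
        x, y, cur = 1, 0, s[1]
        for t in range(24):  # rho and pi
            x, y = y, (2 * x + 3 * y) % 5
            cur, s[x + 5 * y] = s[x + 5 * y], rol64(cur, (t + 1) * (t + 2) // 2)
        for y in range(0, 25, 5):  # chi
            row = s[y:y + 5]
            for x in range(5):
                s[y + x] = row[x] ^ (~row[(x + 1) % 5] & row[(x + 2) % 5])
        for j in range(7):  # iota: round constant bits from an LFSR
            r = ((r << 1) ^ ((r >> 7) * 0x71)) % 256
            if r & 2:
                s[0] ^= 1 << ((1 << j) - 1)

def keccak256(data: bytes, domain: int = 0x01) -> bytes:
    """Ethereum's Keccak-256 (pad byte 0x01); domain=0x06 yields SHA3-256."""
    rate = 136
    pad = bytearray(rate - len(data) % rate)
    pad[0] ^= domain
    pad[-1] ^= 0x80
    data = bytes(data) + bytes(pad)
    s = [0] * 25
    for off in range(0, len(data), rate):
        for i in range(rate // 8):
            s[i] ^= int.from_bytes(data[off + 8 * i:off + 8 * i + 8], "little")
        keccak_f1600(s)
    return b"".join(lane.to_bytes(8, "little") for lane in s[:4])

def keccak_ctr(seed: bytes, n: int) -> bytes:
    """Assumed counter-mode layout: block i = keccak256(seed || uint64_be(i))."""
    blocks = (keccak256(seed + i.to_bytes(8, "big")) for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def shake256(seed: bytes, n: int) -> bytes:
    return hashlib.shake_256(seed).digest(n)  # XOF used by FIPS 204
```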

Comparison with other signature schemes

The choice of post-quantum signature scheme for Ethereum is not finalized and multiple candidates are being evaluated by the community…

Falcon, as implemented in [DRAFT EIP], produces smaller signatures — around 666 bytes for an equivalent security level — which is attractive for on-chain storage and gas costs.
However, it also has higher signing complexity, which can make generating signatures slower and more resource-intensive, especially in constrained environments.

By contrast, ML-DSA offers simpler signing and verification procedures, with a slightly larger signature size. This EIP provides an alternative approach that balances efficiency, on-chain performance, and post-quantum security, and is meant to be compared directly with EIP-9999 to inform the community’s final decision.

The following table compares the public key and signature size for ML-DSA and FN-DSA:

Scheme    Public key    Signature
ML-DSA    1312 B        2420 B
FN-DSA    897 B         666 B

EIP-7932 Compatibility

Our proposal is fully compatible with EIP-7932 (Algorithmic Transaction Types), defining:

  • ALG_TYPE = 0xFA for NIST-compliant Falcon-512,
  • ALG_TYPE = 0xFB for EVM-friendly Falcon-512,
  • MAX_SIZE = 699 bytes for the signature_info container,
  • GAS_PENALTY ≈ 3000 gas (subject to benchmarking).

This ensures seamless integration with the emerging transaction type framework for alternative signature schemes.

Next Steps and Community Feedback

We invite the Ethereum community to:

  • Review the technical specification and implementation
  • Provide feedback on the tradeoffs between ML-DSA and other post-quantum schemes
  • Test the contracts in various use cases
  • Contribute to gas optimization efforts

The current repo provides a Python signer and on-chain signature verification. In the coming days, a hardware implementation (a non-genuine Ledger application) will be provided to experiment with wallet integration. All of these are public goods delivered to the community.
