Announcing ML-DSA-B: Optimizing Post-Quantum Signatures with BLAKE3

Project Eleven is proud to announce a new, open-source effort to accelerate the performance of post-quantum cryptographic signature schemes without sacrificing security.

In collaboration with JP Aumasson (Taurus) and Zooko Wilcox (Zcash), creators of the BLAKE3 family of hash functions, we’ve launched a new initiative called Suite-B that leverages BLAKE3's high-performance hashing to create faster variants of the NIST standard PQ algorithms. Our first protocol, ML-DSA-B, is a drop-in variant of the NIST-standardized ML-DSA (formerly CRYSTALS-Dilithium).

Motivation

Post-quantum signature schemes like ML-DSA and SLH-DSA are foundational to the future of secure blockchains, messaging platforms, identity protocols, and financial infrastructure. But their performance overhead has remained a major bottleneck for adoption.

• Hashing dominates runtime. In current implementations, 60–80% of signature generation and verification time is spent inside the hash function.
• BLAKE3 is fast. On modern CPUs and GPUs, BLAKE3 outperforms SHA2 and SHA3, while preserving strong cryptographic properties (second preimage resistance, PRF behavior).
• Security is preserved. ML-DSA-B achieves the same level of existential unforgeability under standard assumptions, only faster.

Even though ML-DSA relies on the hardness of lattice-based problems, cryptographic hash functions are invoked frequently in both the signing and verification protocol. In the standard implementation, ML-DSA relies on the SHAKE hash function for:

• Expanding a seed into a full public key
• Randomness sampling
• Challenge generation

ML-DSA-B replaces calls to SHAKE with BLAKE3, the fastest widely deployed cryptographic hash algorithm.

Benchmarks

Our Rust implementation of ML-DSA-B (a fork of RustCrypto’s signature suite) shows:

• Up to 60× speedup in message pre-hashing
• Up to 20% faster signing times
• Up to 30% faster verification times

Performance varies by platform, but the biggest gains are on x86_64 architectures (widely used by both Intel and AMD). Even on Apple silicon, which features a native instruction set for SHAKE acceleration, the pre-hashing advantage for ML-DSA-B remains significant, especially for larger message sizes.

What’s Next

ML-DSA-B introduces a small change with outsized impact: it gives protocol designers, blockchain developers, and cryptographic engineers a tool that’s easier to deploy at scale, without compromising safety. For distributed systems like public blockchains, with heterogeneous infrastructure that already strains under classical cryptography, even a marginal performance gain makes a huge difference.

Our mission at Project Eleven is to build future-proof cryptography and tools for the post-quantum era. By pushing the boundaries of performance, we hope to minimize the tradeoff for organizations and protocols that might otherwise hesitate to transition to PQC.

ML-DSA-B isn't the end of the story. It's the beginning of a new era of PQ cryptography that prioritizes both performance and real-world security. From here, we aim to:

• Create a variant of SLH-DSA (SLH-DSA-B) BLAKE3-optimized variant of SLH-DSA (formerly SPHINCS+)
• C implementations: For embedded platforms and hardware wallets
• Test vectors & standardization hooks

We’re excited to support this effort, and welcome contributors and collaborators. The repo is open source and available here.

‍

If this post sparked your curiosity, you'll love our newsletter.

Join thousands of readers tracking the latest breakthroughs in quantum computing and cryptography.

Subscribe here: https://www.projecteleven.com/subscribe.