Performance and Applicability of Post-Quantum Digital Signature Algorithms in Resource-Constrained Environments

: The continuous development of quantum computing necessitates the development of quantum-resistant cryptographic algorithms. In response to this demand, the National Institute of Standards and Technology selected standardized algorithms including Crystals-Dilithium, Falcon, and Sphincs+ for digital signatures. This paper provides a comparative evaluation of these algorithms across key metrics. The results indicate varying strengths and weaknesses for each algorithm, underscoring the importance of context-speciﬁc deployments. Our ﬁndings indicate that Dilithium offers advantages in low-power scenarios, Falcon excels in signature veriﬁcation speed, and Sphincs+ provides robust security at the cost of computational efﬁciency. These results underscore the importance of context-speciﬁc deployments in speciﬁc and resource-constrained technological applications, like IoT, smart cards, blockchain, and vehicle-to-vehicle communication.


Introduction
The potential of quantum computing is continuously enhanced by exploring hardwarespecific quantum algorithms, advancing the theoretical framework for quantum heuristics [1,2], and by contributing to a broad array of other applications that drive the field's overall development.Thereby, the existing cryptographic methods face unprecedented threats.Conventional public-key cryptographic systems, underpinning much of today's secure digital communication, could be rendered obsolete if sufficiently large quantum computers were to be built [3].The problem is not speculative; the scientific consensus has increasingly moved toward viewing large-scale quantum computing as an engineering challenge rather than as an unresolvable theoretical obstacle.Predictions indicate that within a few decades, quantum computers capable of breaking the current public-key schemes could be a reality.
While the timeline for the advent of quantum computing capable of breaking the current cryptographic systems is still uncertain, the long lead time required to implement new cryptographic infrastructures warrants immediate action.Specifically, the existing systems must be adapted or replaced to withstand attacks from both classical and quantum computers.In this context, the urgency of developing and implementing post-quantum (or quantum-resistant) cryptographic algorithms is palpable [3].
The National Institute of Standards and Technology (NIST) initiated a process in 2016 to develop and standardize one or more public-key cryptographic algorithms to bolster the existing FIPS 186-4 Digital Signature Standard (DSS) [4].In response to this call, multiple rounds of standardization processes were carried out [5][6][7].The third round, conducted in July 2022, finalized the selection of post-quantum algorithms specifically for public-key encryption and digital signatures [8].In general, these selections aim to specify additional unclassified, publicly disclosed algorithms capable of securing sensitive information in the foreseeable future, including the post-quantum era.
Of the algorithms chosen, Crystals-Dilithium, Falcon, and Sphincs+ pertain to digital signatures.Crystals-Dilithium and Falcon are lattice-based schemes, with considerations for both depending on the context of application-Dilithium is easier to implement, while Falcon yields shorter signatures [9].Sphincs+, although slower and larger, is significant because it is based on a different mathematical approach, i.e., hash functions.This diversification offers a fail-safe against unforeseen vulnerabilities in lattice schemes.Furthermore, a "hybrid mode" is permitted, enabling the use of quantum-resistant algorithms alongside already approved NIST algorithms without compromising FIPS validation [10].
While the NIST PQC process provides a roadmap, it is crucial to also consider implementation, integration into existing systems, and potential adversarial strategies.From a research and development perspective, this demands interdisciplinary expertise in quantum computing, cybersecurity, and algorithmic theory.

About the Chosen Digital Signature Algorithms
Dilithium, Falcon, and Sphincs+, the algorithms that were shortlisted by the NIST for post-quantum cryptographic standardization, matured over several iterations, and their latest (third submission) versions were analyzed in this paper as they offer refined security and performance trade-offs.The standardization of Dilithium and Sphincs+ is currently in draft stage [11,12].Falcon's first draft standard is anticipated in 2024 [13].

Dilithium
Dilithium is a digital signature scheme that is highly secure against chosen-message attacks, based on the hardness of lattice problems over module lattices [14].
The design of Dilithium is grounded in Lyubashevsky's "Fiat-Shamir with Aborts" technique [15,16], which employs sample rejection to make lattice-based Fiat-Shamir schemes compact and secure.It most closely resembles schemes proposed in [17,18].

Selected Parameters and Performance Metrics
Table 1 shows the basic parameters of Dilithium, detailed further in [19].Figure 1 shows the performance of Dilithium in terms of execution speed.The authors of [20] listed the following advantages of Dilithium: • Significantly higher speed and significantly smaller size compared to hash-based schemes (e.g., the Sphincs+ scheme).

•
Simple implementation, as Gaussian sampling is not required.
They focused on the comparison between Dilithium and Falcon, as these are the only two lattice-based schemes in the third round of NIST's call, and NIST announced that it will standardize only one such scheme.
The authors emphasized that Falcon's signature and key sizes are about 2.3 times smaller than those of Dilithium (Figure 2) but pointed out its disadvantages:

•
It uses high-precision Gaussian sampling (64 bit precision), which makes it difficult to notice subtle implementation errors (the distribution would still look Gaussian even if it is not satisfactory), possibly leading to the leakage of the secret key.

•
It is complex to mask, and there have been no serious attempts to improve this, so far.However, masking may not be required for signing a small number of messages (in the order of 100 messages).
• Dilithium has the advantage of using only uniform sampling within a power-of-two range, making it much easier to detect implementation errors.

Advantages and Disadvantages According to the Authors
The authors of [20] listed the following advantages of Dilithium: • Significantly higher speed and significantly smaller size compared to hash-based schemes (e.g., the Sphincs+ scheme).

•
Simple implementation, as Gaussian sampling is not required.
They focused on the comparison between Dilithium and Falcon, as these are the only two lattice-based schemes in the third round of NIST's call, and NIST announced that it will standardize only one such scheme.
The authors emphasized that Falcon's signature and key sizes are about 2.3 times smaller than those of Dilithium (Figure 2) but pointed out its disadvantages:

•
It uses high-precision Gaussian sampling (64 bit precision), which makes it difficult to notice subtle implementation errors (the distribution would still look Gaussian even if it is not satisfactory), possibly leading to the leakage of the secret key.

•
It is complex to mask, and there have been no serious attempts to improve this, so far.However, masking may not be required for signing a small number of messages (in the order of 100 messages).

•
Dilithium has the advantage of using only uniform sampling within a power-of-two range, making it much easier to detect implementation errors.Further, the authors compared the two algorithms by their execution speed (according to [9,21]), concluding that Falcon's only advantage is in much faster verification (Table 2).
While both algorithms are competitive, the authors of [20] stressed the applicability of Dilithium and Falcon for specific uses.In the end, both schemes were standardized, Further, the authors compared the two algorithms by their execution speed (according to [9,21]), concluding that Falcon's only advantage is in much faster verification (Table 2).While both algorithms are competitive, the authors of [20] stressed the applicability of Dilithium and Falcon for specific uses.In the end, both schemes were standardized, since Dilithium is easier to implement, and Falcon provides significantly shorter signatures.The authors suggested that Dilithium may serve as a "general-purpose" algorithm, while Falcon could be used in applications requiring multiple signatures (in the order of 100-1000 signatures).

Falcon
Falcon is a signature scheme grounded in lattice cryptography, specifically designed for efficient and compact execution over NTRU lattices, as indicated by its full name, "Fast-Fourier lattice-based compact signatures over NTRU."The architectural simplicity of Falcon derives from its implementation of the theoretical blueprint set forth by Gentry, Peikert, and Vaikuntanathan in their 2008 paper [22] for creating lattice-based hash-and-sign algorithms.This theoretical model demands two primary components: -A designated family of cryptographic lattices, for which Falcon selects NTRU lattices.-A mechanism for trapdoor sampling, with Falcon employing an innovative method known as fast Fourier sampling.
To encapsulate this, Falcon's signature scheme can be concisely described as the combination of the GPV framework, NTRU lattices, and fast Fourier sampling.

Selected Parameters and Performance Metrics
The recommended parameters and performance metrics for Falcon are presented in Table 3.These performance metrics are based on an implementation on an Intel ® Core ® i5-8259U CPU ("Coffee Lake" core, clocked at 2.3 GHz) [23].According to [24], the advantages include:

•
The most bandwidth-efficient algorithm, as shown in Figure 3.

•
The modular design; for instance, NTRU lattices could be replaced with other lattice types.

•
A broad and deep body of research supports lattice security.

•
Better-examined security against side-channel attacks.
According to [24], the advantages include: • The most bandwidth-efficient algorithm, as shown in Figure 3.
• The modular design; for instance, NTRU lattices could be replaced with other lattice types.
• A broad and deep body of research supports lattice security.
• Better-examined security against side-channel attacks.

Disadvantages:
• Complex key and signature generation processes.
• Key and signature generation relies on floating-point arithmetic.
• For Falcon, and generally for all other schemes, the risk of side-channel attacks still needs further research.

Sphincs+
Sphincs+ serves as a cutting-edge post-quantum digital signature algorithm engineered to withstand quantum-computing attacks.Grounded in hash-based cryptography, the scheme's security is straightforward to evaluate and hinges solely on the characteristics of the hash function in use.Sphincs+ essentially builds on the foundational Disadvantages:

•
Complex key and signature generation processes.

•
Key and signature generation relies on floating-point arithmetic.

•
For Falcon, and generally for all other schemes, the risk of side-channel attacks still needs further research.

Sphincs+
Sphincs+ serves as a cutting-edge post-quantum digital signature algorithm engineered to withstand quantum-computing attacks.Grounded in hash-based cryptography, the scheme's security is straightforward to evaluate and hinges solely on the characteristics of the hash function in use.Sphincs+ essentially builds on the foundational architecture of Sphincs but enhances it through parameter optimization and the incorporation of novel methods aimed at boosting both the algorithm's speed and its security profile [25].

Selected Parameters and Performance Metrics
The architecture of Sphincs+ allows for a multitude of trade-offs between the speed of the algorithm and the size of the digital signature, even at a given security level.Table 4 presents six distinct sets of parameters that, in conjunction with the cycle counts provided in Figure 4, demonstrate how these trade-offs manifest in practice.Table 5 outlines the sizes of the public keys, secret keys, and digital signatures in bytes.Regarding memory utilization, the reference implementation generally leans toward minimal stack consumption.Table 5 outlines the sizes of the public keys, secret keys, and digital signatures in bytes.Regarding memory utilization, the reference implementation generally leans toward minimal stack consumption.The essence of Sphincs+ lies in its dichotomy: while it arguably represents the most cautious approach to post-quantum digital signature architecture, it pays the price in efficiency, in terms of both signature size and computational speed. Disadvantages: • Signature size and speed: Sphincs+ is not designed to be the fastest or the smallest, although it does offer trade-offs between these two metrics. Advantages: • Minimal security assumptions: the security is entirely predicated on well-understood hash functions, avoiding new computational hardness assumptions.

•
Easily analyzed attacks: the current state-of-the-art attacks, both classical and quantum, can be straightforwardly analyzed, enabling precise security quantification.

•
Small key sizes: Sphincs+ boasts compact public keys, a benefit in scenarios where public keys are often transmitted.

•
Overlap with XMSS: the scheme harmonizes well with XMSS, facilitating their combined use in specific applications like VPNs.

•
Reusable building blocks: speed enhancements in underlying hash functions directly translate into Sphincs+ performance gains.

Parameter and Performance Comparison 3.1. Key and Signature Size
Two relevant parameters are compared in the analysis of algorithms: key size and signature size, for which smaller values are better.The data on key length and signature length are presented in Figure 5 [19, 23,26].They are similar to the data reported for Dilithium and Falcon in [27].
The essence of Sphincs+ lies in its dichotomy: while it arguably represents the most cautious approach to post-quantum digital signature architecture, it pays the price in efficiency, in terms of both signature size and computational speed. Disadvantages: • Signature size and speed: Sphincs+ is not designed to be the fastest or the smallest, although it does offer trade-offs between these two metrics.

Advantages: •
Minimal security assumptions: the security is entirely predicated on well-understood hash functions, avoiding new computational hardness assumptions.

•
Easily analyzed attacks: the current state-of-the-art attacks, both classical and quantum, can be straightforwardly analyzed, enabling precise security quantification.

•
Small key sizes: Sphincs+ boasts compact public keys, a benefit in scenarios where public keys are often transmitted.

•
Overlap with XMSS: the scheme harmonizes well with XMSS, facilitating their combined use in specific applications like VPNs.

•
Reusable building blocks: speed enhancements in underlying hash functions directly translate into Sphincs+ performance gains.

Key and Signature Size
Two relevant parameters are compared in the analysis of algorithms: key size and signature size, for which smaller values are better.The data on key length and signature length are presented in Figure 5 [19, 23,26].They are similar to the data reported for Dilithium and Falcon in [27].The two lattice-based algorithms (Crystals-Dilithium, Falcon) have public keys with comparable sizes, while Sphincs+ has a significantly shorter public key length, as seen in Figure 5. On the other hand, Sphincs+ has the largest signature length.

Execution Speed
The performance speed of an algorithm is evaluated based on the speed of executing three operations: key generation, signing, and signature verification.The execution speed depends on the platform on which a PQC (post-quantum cryptography) algorithm is run, as well as on the implementation of the algorithm.The scientific and professional community continuously proposes new algorithm implementations with the goal of their optimization and achieving better performance.
Performance speed tests are more detailed for the following platforms: Besides the two mentioned platforms (Arm Cortex M4 and x86/x64 processors), there are implementations of PQ algorithms for other platforms.However, these are individual implementations where a comparative analysis of all three digital signature algorithms is not possible.For example, Dilithium was implemented and tested on various FPGA platforms [28][29][30][31], on the Cortex M3 platform [21], on ARMv8 platforms (Cortex-A72 and Apple M1) [32], as well as on IBM Z computers [33].Falcon's implementation was also described on ARMv8 platforms (Jetson Xavier CPU with 8 ARMv8.2 cores) [34], and the implementation of Sphincs+ was reported on FPGA [35] and ARM Cortex M3 platforms [36].

Execution Speed of Digital Signature Algorithms on x86/64 Platforms and Energy Consumption
Data from [38] show the execution speed on the x86/x64 platform with an i7-6700 processor, and [27] provides execution time data for the i7-1165G7 processor for Dilithium and Falcon, as shown in Figure 7.Both [38] and [39] provide data on energy consumption, concluding that energy consumption is roughly proportional to the speed, i.e., the execution time, as power consumption has much smaller deviations (maximum 20% in [38], maximum 50% in [39]) compared to execution speed (which varies by several orders of magnitude).

Recent Algorithm Implementations
In the current landscape of algorithmic research, there is considerable effort devoted to the enhancement of standardized algorithms through specific implementations.As illustrated in Table 6, a review-conducted based on the authors' estimation for relevance to the topic of this paper-of publications from the years 2022 and 2023 indicated a substantial concentration of studies focused on Dilithium.However, active research efforts regarding all three algorithms will warrant their further development, particularly in the context of applicability on performance-constrained platforms, as discussed in next section.

Applicability on Performance-Constrained Platforms
Real-world systems operate under severe resource constraints, requiring cryptographic algorithms that are not only secure against quantum threats but also

Recent Algorithm Implementations
In the current landscape of algorithmic research, there is considerable effort devoted to the enhancement of standardized algorithms through specific implementations.As illustrated in Table 6, a review-conducted based on the authors' estimation for relevance to the topic of this paper-of publications from the years 2022 and 2023 indicated a substantial concentration of studies focused on Dilithium.However, active research efforts regarding all three algorithms will warrant their further development, particularly in the context of applicability on performance-constrained platforms, as discussed in next section.

Applicability on Performance-Constrained Platforms
Real-world systems operate under severe resource constraints, requiring cryptographic algorithms that are not only secure against quantum threats but also computationally efficient.Speed is another common factor; whether it is real-time V2V communication or swift financial transactions via smart cards, the selected post-quantum algorithms must offer rapid signature verification and message processing.Moreover, the transition to postquantum secure algorithms involves a complex trade-off between security, computational load, key sizes, and signature verification times, often necessitating hardware-accelerated solutions or innovative approaches like threshold signatures.
Also, the NIST's other recent initiative [52,53] underscores the critical need for lightweight cryptography in constrained environments as analyzed, for example, in [54].These efforts reflect a future trend in the cryptographic towards developing solutions that are both quantum-resistant and resource-efficient.Namely, as quantum computing progresses, the expectation is that quantum-resistant cryptographic algorithms will also need to be lightweight to be practical for devices with limited computational capabilities.
Thus, in our selection, we focused on systems that represent a diverse range of constraints and for which relevant data on post-quantum signature performance are available.

IoT Systems
IoT systems encompass a wide range of applications, from modern smart home sensors to devices embedded in critical infrastructure like power grids, traffic control, and water supply systems [55].These are often devices that are installed for extended periods.
The NIST uses the ARM Cortex M4 platform as a representative for embedded systems, whereas many IoT systems rely on processors with significantly lower performance capabilities (less RAM, slower processors).According to [55], Falcon is a better choice for implementing post-quantum (PQ) digital signatures on IoT platforms with limited RAM (up to about 64 KB).A similar conclusion is drawn by the authors of [56], where PQ signatures are verified on systems with 8 KB of RAM (ARM Cortex M3), including Sphincs+, thus making all three algorithms applicable for IoT in a broader context.Sphincs+ is also applicable for ARM Cortex M3 [36].
The authors circumvented the problem of oversized keys by streaming the keys into memory in parts and performing operations accordingly [56].In general, in lattice-based signatures like Dilithium2 and Falcon-512, hashing constitutes a significant portion of the computational load, accounting for 65% and 36% of it, respectively.Similarly, in hash-based signature schemes like Sphincs-Sha256-128s-Simple and Sphincs-Sha256-128f-Simple, hashing operations represent an even larger share, corresponding to 90% and 88%, respectively.Both types of schemes would benefit more from hardware-accelerated hashing.
In a research paper [57], the authors presented a post-quantum secure multi-party collaborative signature scheme that enhances deterability in Industrial Internet of Things (IIoT) settings.This approach addresses both fairness and privacy protection issues that are commonly found in conventional IIoT security mechanisms.To validate the practicality of this Dilithium-based protocol, the authors developed and tested a prototype to assess its performance.
In their research [58], the authors showed the FPGA implementations of all three round-3 parameter sets for Dilithium, targeting the low-end Artix-7 platform.Their design adhered to a universal objective: it achieved low latency in comparison to other postquantum secure signature algorithms, while maintaining a small area footprint.This dual advantage makes the use of Dilithium viable in a range of low-cost and resource-constrained environments, including IoT.
A paper [59] investigated an area-efficient FPGA implementation of Sphincs+, a postquantum hash-based signature scheme.By leveraging resource sharing in a compact hardware solution, the authors successfully adapted Sphincs+ for resource-constrained systems like IoT devices and nano-satellites.
Another paper [60] compared the suitability of Falcon and Dilithium signature schemes for IoT applications, focusing on verification performance and transmission cost.Falcon emerged as the more efficient choice in terms of both speed and resource utilization, particularly in FPGA environments.This advantage is likely to extend to ASICs, suggesting a better time-area product for Falcon.However, Dilithium presents an advantage in scenarios requiring frequent key generation or client-side signing due to its lower complexity in these operations.Thus, while Falcon offers superior verification and transmission efficiencies, Dilithium may be preferable for applications with specific key management requirements.

Smart Cards
Smart cards, which form the basis for contactless payments, present a challenge for the implementation of post-quantum (PQ) algorithms, especially digital signature algorithms.Compared to the ARM Cortex M4 platform, they have significantly less memory (four times less) and a slower processor (1.7 times slower).When compared with x86-64 platforms, they have 170,000 times less memory and a processor that is 40 times slower.The limited processor speed is further constrained by the slow communication speeds supported (below 100 kB/s) [61].
Currently, smart cards have hardware blocks implemented for random number generation, AES encryption (supporting one AES block), and ECC/RSA signatures (enabling parallel execution and speeds up to 10 times higher than software implementations).As modern smart cards do not have dedicated hardware for executing PQ digital signatures, and the process of implementation and certification is lengthy (6 to 18 months for certification alone), consideration is being given to how PQ algorithms can be executed on the current versions of smart cards.
During algorithm implementation, it is essential to employ masked algorithms to achieve protection against side-channel attacks.Masked algorithms generally require longer execution times and consume more memory (for example, the execution time for Dilithium increases by 5.6 times) [62].
In conclusion, only Dilithium fits within the constraints of smart cards.Falcon requires too much RAM and too much time for key generation.Sphincs+ has an issue with the size of the signature, which can be partly mitigated by hash-based accelerators for embedded devices but not for smart cards [63].
For example, the authors of [64] introduced a variant of Dilithium known as DiLizium, which has the potential to replace distributed RSA and ECDSA signature schemes in authentication contexts, including applications like Smart-ID.

Vehicle-to-Vehicle Communication
Vehicle-to-vehicle (V2V) communication enables timely warnings about approaching vehicles, which is especially useful in situations without a direct line of sight [65].Each vehicle broadcasts 10 basic safety messages (BSMs) per second [66].These BSMs contain information on the direction of travel, current location, time, speed, and the status of the gas and brake pedals.Currently, secure wireless communication between vehicles is facilitated through the IEEE 1609.2 standard, which uses elliptic curve digital signature algorithm (ECDSA) for digital signatures.
Given that the transmission of messages (BSMs) occurs over very short distances, both message transmission and verification must be completed within the order of milliseconds.Therefore, an analysis was conducted to determine whether post-quantum (PQ) digital signature algorithms meet these criteria.
Regarding quick signature verification, Dilithium and Falcon appeared to be suitable replacements for ECDSA.However, when the size of the signature was also considered, Dilithium became inapplicable as its signature size exceeds the message size (2304 bytes) defined in IEEE 802.11p.Falcon was proposed as the most appropriate algorithm for V2V communication [66].
Similar conclusions were reached in [67], where the authors evaluated the performance of Dilithium and Falcon for over-the-air (OTA) updates used in vehicle-to-everything (V2X) communication infrastructures.Namely, an experimental evaluation was conducted on the Xilinx Zynq Ultrascale+ ZCU102 board, tailored for automotive applications, to assess the performance of the Dilithium and Falcon cryptographic algorithms.The findings indicated that Falcon outperformed Dilithium in both signature verification latency and signature byte footprint.
In a paper [68], the authors achieved significant optimizations of the Dilithium algorithm for Aurix implementation, specifically targeting automotive applications.They managed to reduce the computational time for key generation, signature creation, and verification across varying security levels.Specifically, they reported time reductions in the range from 23% to 29% for key generation, from 12% to 19% for signature creation, and from 18% to 26% for signature verification.
A paper [69] discussed the practical integration of Dilithium into multiprocessor system-on-chip (MPSoC) architectures, commonly employed in automotive environments and managed by a commercial real-time operating system (RTOS).Experimental data revealed that deploying Dilithium on a multi-core framework significantly enhanced the performance metrics-yielding improvements of up to 48% in key generation, 34% in the signature process, and 42% in verification tasks-when contrasted with single-core configurations.
Other researchers [70] investigated the constraints of conforming to IEEE 1609.2 standards in the context of the WAVE protocol for vehicle-to-vehicle (V2V) communications.They identified the inability to incorporate cryptographic schemes with large signature sizes as a fundamental limitation.To circumvent this issue, they introduced a technique termed "split way for Crystals-Dilithium," aimed at ensuring the WAVE protocol's integrity while adhering to maximum packet size restrictions.

Blockchain Technology
For establishing trust in blockchain technology, it is essential to ensure three pillars: security, authenticity, and integrity.It is crucial that blockchains maintain these attributes even in the post-quantum era, with asymmetric cryptography being the foundational method to secure these properties.The authors of [71] pointed out the shortcomings of Sphincs+ and proposed the use of Dilithium in blockchain technology, not necessarily as a standalone algorithm but also as an enhancement to existing algorithms-essentially, as a hybrid solution.The use of hybrid algorithms was also suggested in [72].
According to [27], Falcon has the most compact key and signature lengths among the lattice-based cryptographic algorithms studied.While alternatives like Dilithium offer rapid performance, they come at the cost of significantly larger keys and signatures.Given this, there is growing consensus that Falcon's integration into blockchain technology could be promising for future advancements.
For key generation in blockchain applications, threshold signatures can also be employed [73].This method replaces the traditional KeyGen and Sign algorithms of digital signatures with an interactive multi-party protocol.The KeyGen protocol involves multiple participants who interactively generate a key.The Sign algorithm is then replaced with an interactive protocol for generating signatures.A unique feature of this protocol is that a sufficient number of participants must agree to sign a message before a signature can be generated.The verification of the signature is performed in the standard way.This ensures that an attacker cannot generate a signature on any message that has not been signed by an "honest" party.According to [73], Sphincs+ algorithms are hindered by the need to compute a large number of hash function queries on secret data.
Post-quantum digital signature-based blockchain was also proposed as an appropriate method for securing the mobile internet of things (MIoT) ecosystem, increasingly becoming important with the wider availability and increasing speeds of mobile internet (5G and 6G) [74].
In a paper [75], four quantum-resistant algorithms-Sphincs+ + Sha256s, Sphincs+ + Shake256s, Dilithium, and Falcon-were evaluated for their efficiency and practicality.While Dilithium emerged as the most computationally efficient algorithm, it suffered from the disadvantage of having the largest public key size, posing significant challenges for its application in blockchain systems where each transaction embeds the public key.
However, after incorporation of the interplanetary file system (IPFS), Dilithium maintained its efficiency and experienced a significant reduction in both signature and public key sizes to just 32 bytes each.Notably, Sphincs+ also benefits from IPFS, with a remarkable 99% reduction in signature size.
A paper [71] illustrated that Dilithium can be effectively configured to provide varying levels of quantum security in blockchain systems without significantly inflating the block size.Specifically, an 80 bit quantum security level yields a block size of less than 1 MB, closely aligning with the current 1 MB block size in Bitcoin.For moderate and high security levels, the block sizes range from 1.5 to 2.0 MB and approach 3.0 MB, respectively.These are still within acceptable limits for practical blockchain deployment.Moreover, the performance gains are optimized further by efficient AVX2 implementations, which are consistent with the efficiency trends observed in Skylake architectures.This flexibility makes Crystals-Dilithium a versatile choice for enhancing quantum security in blockchain, accommodating both current needs and future upgradations without burdening the system with large block sizes.
A paper [76] evaluated the viability of using the Falcon signature algorithm in the context of blockchain, specifically within the Ethereum mainnet.The analysis revealed a prohibitive cost for Falcon signature verification, consuming an average of 500 million gas units.This is substantially higher than the current block gas limit of 12 million units in Ethereum.
Another paper [77] presented a compelling argument for replacing W-OTS, the current signature scheme in IOTA-a distributed ledger technology (DLT) tailored for internet of things (IoT) and internet of vehicles (IoV) applications-with the post-quantum signature scheme Dilithium.The findings indicated that Dilithium offers significant advantages over W-OTS in multiple dimensions.Firstly, it accelerates transaction processing and reduces signature space, thereby cutting down latency, which is critical in fast-paced IoV networks.Secondly, while W-OTS necessitates the repetitive generation of public and private keys, Dilithium requires only a one-time generation, offering a more efficient operational model.Furthermore, Dilithium decreases the network's bandwidth requirement by 7% due to its smaller cumulative size for cryptographic elements.The execution time for the initial use case scenario, involving the generation of public and private keys, was also dramatically reduced by 87%.Given these benefits, Dilithium emerges as a more efficient and scalable choice for enhancing the security and performance of IOTA-based networks.

Conclusions
Dilithium and Falcon rely on lattice-based cryptography, a domain with substantial theoretical grounding for resistance against quantum attacks.Sphincs+ takes a different approach, opting for hash-based mechanisms that minimize the algorithm's security assumptions, providing a more easily quantifiable security posture.
Their computational efficiency was benchmarked across ARM and x86-64 platforms, revealing distinct performance characteristics.Dilithium consistently excelled in computational efficiency across both platforms, which makes it a prime candidate for systems where processing power is limited.Falcon, on the other hand, stood out in signature verification speed, despite requiring more computational resources for key generation.Sphincs+ remains the most computationally demanding algorithm, yet it offers the flexibility to trade off between computational efficiency and security parameters.
Energy consumption evaluations further emphasized Dilithium's advantage in lowpower scenarios, such as IoT devices.Falcon follows closely, with its energy footprint moderated by its efficiency in signature verification, whereas Sphincs+ is generally less energy-efficient due to its higher computational load.In terms of key and signature sizes, Falcon scored well with its compact design, thereby optimizing bandwidth.Dilithium, while generally efficient, suffers from somewhat larger signature sizes, which affects its bandwidth efficiency.Sphincs+, although secure, presents a significant challenge in bandwidth-constrained applications due to its large signatures.
Dilithium appears as a highly versatile and computationally efficient algorithm, particularly appealing for embedded systems and internet of things (IoT) devices, thanks to its low energy consumption and computational requirements across ARM and x86-64 platforms.It also presents adaptability in smart cards and shows potential for strengthening blockchain architectures through hybrid cryptographic solutions.Falcon, despite its more cumbersome key generation, emerges as an ideal fit for high-throughput, lowlatency environments due to its excellence in rapid signature verification.This makes it particularly suited for IoT platforms with RAM constraints up to 64 KB and real-time V2V communication systems, though its higher computational costs render it less favorable for smart card deployments.
Sphincs+, on the other hand, brings to the table a high degree of security customizability at the expense of computational speed and energy efficiency.While this trade-off positions it as a viable option for certain IoT configurations, its less efficient performance and large signature size significantly limit its utility in smart cards and make it a less-thanoptimal choice for multi-party threshold signature-based blockchain systems.
Furthermore, the computational burden imposed by hashing operations in these algorithms, especially in Sphincs+, opens avenues for further optimization through hardwareaccelerated hashing solutions.These insights underscore the necessity of context-specific evaluations for algorithm selection, given the trade-offs between computational efficiency, energy consumption, and security.
Overall, our study offers insights for the implementation and integration of postquantum cryptographic algorithms into existing systems and highlights the importance of interdisciplinary expertise in quantum computing, cybersecurity, and algorithmic theory.
Conclusively, a comparative evaluation across key metrics revealed the following features: -Security level: we compared public key and signature sizes, showing that Sphincs+ offers the smallest public key size, beneficial for storage-limited devices.-Performance speed: Dilithium leads in key generation and signing speed, while Falcon is optimal for fast signature verification.-Computational efficiency: this paper outlines the potential for hardware-accelerated optimizations and the significant computational demands of Sphincs+ in comparison to the other two algorithms.-Applicability on constrained platforms: Dilithium and Falcon are more suitable for devices like IoT sensors, whereas Sphincs+'s larger signature size may hinder its use in the most resource-limited environments.
In summary, each algorithm has distinct advantages, and the choice depends on the specific requirements of the deployment context.
In the future, there will be a significant push to integrate post-quantum cryptographic algorithms into existing communication protocols and security infrastructures.Consequently, resource-constrained devices, such as those analyzed in this paper, will require lightweight cryptographic solutions due to their limited resources.Research into efficient algorithms that are both quantum-resistant and suitable for low-power, low-compute environments is likely to increase.Thereby, considering smart cards, the weakest device type analyzed, the emerging trend of substituting them with more resourceful mobile devices aligns with the need for stronger, quantum-resistant cryptographic solutions.
From the authors' personal viewpoint, a paradigm shift in research and development (for example, changes in hardware and/or materials as an approach to optimizing algorithms) is bound to occur when the development of quantum computers will pose a tangible threat to the usual algorithms.Predicting this shift is a challenging task and falls outside the scope of this paper.

Figure 2 .
Figure 2. Comparison of Dilithium and Falcon by public key and signature lengths (Falcon's values for Level 3 are not available) [20].

Figure 3 .
Figure 3. Key and signature size for Falcon and some competing algorithms [24].

Figure 3 .
Figure 3. Key and signature size for Falcon and some competing algorithms [24].

Figure 4
Figure 4 shows the algorithm's performance metrics (minimum and maximum values) when run on a 3.1 GHz Intel Xeon E3-1220 CPU (Haswell architecture), with 32 GB of memory.Optimized implementations for platforms compatible with the AVX2 instruction set are also available.Specifically, for Haraka, the availability of the AES-NI instruction set is particularly noteworthy.Each of six implementations has its version for: -One, three and five NIST security levels.-Small and fast parameter sets.-Simple and robust instantiations of the tweakable hash functions.-Offering various trade-offs.

Table 4 .
[25]ples of parameter sets for Sphincs+ targeting different security levels and different trade-offs between size and speed[25].