Post-quantum signatures spend a large share of their runtime on hashing. We propose replacing their hash functions with BLAKE3, the fastest widely deployed cryptographic hash.
Authors:
- JP Aumasson / @veorq, Taurus
- Conor Deegan / @conor-deegan, Project 11
- Alex Pruden / @apruden08, Project 11
- Zooko Wilcox-O'Hearn / @zooko, Zcash
BLAKE3 is already integrated across diverse systems, from blockchains to video games. It can serve as a drop-in replacement for any hashing mode: regular hashing, keyed hashing (PRF), key derivation functions (KDF), or extensible output functions (XOF).
BLAKE3 outperforms the SHA-2 and SHA-3 families and is even competitive with hardware-accelerated SHA-256, as benchmarks show.
Built on two decades of cryptanalytic scrutiny, BLAKE3 descends from BLAKE (designed in 2008 as a SHA-3 candidate), which itself derives from ChaCha (a variant of the 2005 Salsa20 cipher).
Switching to BLAKE3 does not weaken security.
ML-DSA (FIPS 204) is a lattice-based post-quantum signature scheme based on Dilithium. It relies on the SHA3-based functions SHAKE128 and SHAKE256.
We replace those with BLAKE3 and call the new scheme ML-DSA-B.
We ran experimental benchmarks, modifying RustCrypto's ML-DSA with the reference BLAKE3 Rust code. Preliminary results show that, depending on the platform, ML-DSA-B can offer the following speed-up:
- Message pre-hash: up to 60 times faster.
- Signature: up to 20% faster.
- Verification: up to 30% faster.
We also include test vectors for ML-DSA-B, generated using domain-separated hashing. The two keyed BLAKE3 hashers were derived from the strings "ML-DSA-B-H" and "ML-DSA-B-G".
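The domain separation described above, as an added Python example (not the project's code): two keyed BLAKE3 XOFs whose keys come from the labels "ML-DSA-B-H" and "ML-DSA-B-G". Assumptions: each key is the plain BLAKE3 hash of its label, `H` and `G` stand in for FIPS 204's SHAKE256-based and SHAKE128-based functions, and the hand-written BLAKE3 covers single-chunk inputs (at most 1024 bytes) only, so its outputs are not the project's test vectors.

```python
import struct

# Added sketch (not the project's code): BLAKE3 for single-chunk inputs only.
IV = [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
      0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19]
PERM = [2, 6, 3, 10, 7, 0, 4, 13, 1, 11, 12, 5, 9, 14, 15, 8]
CHUNK_START, CHUNK_END, ROOT, KEYED_HASH = 1, 2, 8, 16
M32 = 0xFFFFFFFF

def _ror(v, n):
    return ((v >> n) | (v << (32 - n))) & M32

def _g(s, a, b, c, d, x, y):
    for m, r1, r2 in ((x, 16, 12), (y, 8, 7)):  # two half-steps, one word each
        s[a] = (s[a] + s[b] + m) & M32
        s[d] = _ror(s[d] ^ s[a], r1)
        s[c] = (s[c] + s[d]) & M32
        s[b] = _ror(s[b] ^ s[c], r2)

def _compress(cv, block, counter, flags):
    m = list(struct.unpack("<16I", block.ljust(64, b"\0")))
    s = cv + IV[:4] + [counter & M32, counter >> 32, len(block), flags]
    for _ in range(7):
        for i in range(4):  # columns
            _g(s, i, 4 + i, 8 + i, 12 + i, m[2*i], m[2*i + 1])
        for i in range(4):  # diagonals
            _g(s, i, 4 + (i+1) % 4, 8 + (i+2) % 4, 12 + (i+3) % 4, m[8 + 2*i], m[9 + 2*i])
        m = [m[p] for p in PERM]
    return [s[i] ^ s[i + 8] for i in range(8)] + [s[i + 8] ^ cv[i] for i in range(8)]

def blake3_xof(data, out_len, key=None):
    """Plain hash if key is None, keyed hash for a 32-byte key; any output length."""
    if len(data) > 1024: raise ValueError("single chunk (<= 1024 bytes) only")
    cv = list(struct.unpack("<8I", key)) if key else list(IV)
    flags = KEYED_HASH if key else 0
    blocks = [data[i:i + 64] for i in range(0, len(data), 64)] or [b""]
    for i, blk in enumerate(blocks[:-1]):
        cv = _compress(cv, blk, 0, flags | (CHUNK_START if i == 0 else 0))[:8]
    flags |= CHUNK_END | ROOT | (CHUNK_START if len(blocks) == 1 else 0)
    out = b"".join(struct.pack("<16I", *_compress(cv, blocks[-1], t, flags))
                   for t in range((out_len + 63) // 64))  # t = output block counter
    return out[:out_len]

# Assumption: each hasher's key is the plain BLAKE3 hash of its label string.
KEY_H = blake3_xof(b"ML-DSA-B-H", 32)
KEY_G = blake3_xof(b"ML-DSA-B-G", 32)

def H(data, n): return blake3_xof(data, n, KEY_H)  # in place of SHAKE256
def G(data, n): return blake3_xof(data, n, KEY_G)  # in place of SHAKE128
```

Because the two keys differ, `H` and `G` behave as independent functions on the same input, which is the property the separate SHAKE instances provide in the original scheme.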
SLH-DSA (FIPS 205) is a hash-based post-quantum signature scheme based on SPHINCS+. It has two variants: one using SHA-256 and one using SHAKE.
We replace those with BLAKE3 and call the new scheme SLH-DSA-B.
We ran experimental benchmarks, modifying RustCrypto's SLH-DSA with the reference BLAKE3 Rust code. Preliminary results show that relative performance depends on the platform:
- SHAKE is the slowest choice in all benchmarks (4–7× slower) because of its higher per-bit hashing cost.
- BLAKE3 and SHA2 are in a similar performance range; the faster one depends on hardware.
- Architecture effects dominate: x86 favors BLAKE3 (SIMD parallelism), Apple M3 favors SHA2 (hardware SHA extensions).
We also include test vectors for SLH-DSA-B.
SLH-DSA s variants use smaller, slower parameter sets that trade performance for reduced signature size and stronger security margins. On Apple M3, SHA2 slightly outperforms BLAKE3 in these variants due to the chip's dedicated SHA acceleration, while both are several times faster than SHAKE.
SLH-DSA f variants use larger, faster parameter sets optimized for signing and verification speed at the cost of larger signatures. On Apple M3, the same pattern holds: SHA2 remains the fastest, BLAKE3 close behind, and SHAKE significantly slower.
SLH-DSA s variants use smaller, more conservative parameters that prioritize compact signatures over raw speed. On x86_64, BLAKE3 performs best thanks to its SIMD-parallel hash design, while SHA2 trails slightly and SHAKE remains the slowest by a large margin.
SLH-DSA f variants use larger parameter sets tuned for faster operation at the cost of bigger signatures. On x86_64, the relative ordering is consistent: BLAKE3 is the fastest, SHA2 close behind, and SHAKE several times slower due to its higher per-bit hashing cost.
- By @itzmeanjan:
  - ML-DSA-B C++ version
  - Announcement: "Keygen is 20% faster. Signing is 76% faster. Verify is 18% faster."
  - Ran our test vectors successfully
We plan to:
- This fork is temporarily pinned to an earlier RustCrypto commit. We intend to re-sync with upstream (RustCrypto/signatures) to incorporate the latest ML-DSA changes.
- Evaluate BLAKE3's impact on other post-quantum standards and candidates, including KEMs and NIST's Additional signature schemes.