Skip to content

PATTERN Cited by 1 source

Specialist vs generalist algorithm selection

Context

When no single algorithm dominates all relevant metrics (size, speed, security margin, implementation simplicity), the design space fragments into specialists (excellent on one axis, problematic on others) and generalists (balanced trade-offs, no outstanding weakness).

Problem

Classical elliptic-curve signatures (Ed25519) were an "all-star" โ€” best or near-best on every metric simultaneously. Post-quantum cryptography has no such all-star. System designers must choose between algorithms that excel in one dimension at the cost of others.

Solution

Profile the deployment scenario against the axes that actually matter, then select the narrowest-fit algorithm:

Scenario Constraint Best fit
Online TLS handshake Balanced size + speed Generalist (ML-DSA)
CA root signing (offline) Smallest wire size, signing speed irrelevant Specialist (SQIsign)
Pre-distributed trust anchors Smallest signatures, key size amortised Specialist (UOV)
Anonymous credentials General-purpose ZK proof system Specialist (FAEST/MQOM)
Maximum conservatism Hash-only security assumption Specialist (SLH-DSA)

Consequences

  • Generalist deployed first: The generalist (ML-DSA) ships years earlier because it has no blocking implementation hazards. Systems that can tolerate its sizes should adopt it immediately.
  • Specialist deployed later: Specialist algorithms arrive 5โ€“10 years later. Systems that cannot tolerate the generalist's sizes must use compensating controls in the interim.
  • Multi-algorithm systems: Long-lived infrastructure (WebPKI) may use different algorithms at different layers (e.g., UOV for root certs, ML-DSA for leaf/intermediate certs).

(Source: sources/2026-07-09-cloudflare-post-quantum-signature-algorithms)

Seen in

Last updated ยท 575 distilled / 1,757 read