PATTERN Cited by 1 source
Specialist vs generalist algorithm selection¶
Context¶
When no single algorithm dominates all relevant metrics (size, speed, security margin, implementation simplicity), the design space fragments into specialists (excellent on one axis, problematic on others) and generalists (balanced trade-offs, no outstanding weakness).
Problem¶
Classical elliptic-curve signatures (Ed25519) were an "all-star" โ best or near-best on every metric simultaneously. Post-quantum cryptography has no such all-star. System designers must choose between algorithms that excel in one dimension at the cost of others.
Solution¶
Profile the deployment scenario against the axes that actually matter, then select the narrowest-fit algorithm:
| Scenario | Constraint | Best fit |
|---|---|---|
| Online TLS handshake | Balanced size + speed | Generalist (ML-DSA) |
| CA root signing (offline) | Smallest wire size, signing speed irrelevant | Specialist (SQIsign) |
| Pre-distributed trust anchors | Smallest signatures, key size amortised | Specialist (UOV) |
| Anonymous credentials | General-purpose ZK proof system | Specialist (FAEST/MQOM) |
| Maximum conservatism | Hash-only security assumption | Specialist (SLH-DSA) |
Consequences¶
- Generalist deployed first: The generalist (ML-DSA) ships years earlier because it has no blocking implementation hazards. Systems that can tolerate its sizes should adopt it immediately.
- Specialist deployed later: Specialist algorithms arrive 5โ10 years later. Systems that cannot tolerate the generalist's sizes must use compensating controls in the interim.
- Multi-algorithm systems: Long-lived infrastructure (WebPKI) may use different algorithms at different layers (e.g., UOV for root certs, ML-DSA for leaf/intermediate certs).
(Source: sources/2026-07-09-cloudflare-post-quantum-signature-algorithms)
Seen in¶
- sources/2026-07-09-cloudflare-post-quantum-signature-algorithms โ Cloudflare's taxonomy of PQ signature specialists vs generalists