Module-Lattice-Based Digital Signature Algorithm (ML-DSA) is a lattice-based post-quantum signature scheme standardized by NIST and supported by DigiCert for PQC experiments. It was formerly known as CRYSTALS-Dilithium and is intended to replace classical digital signatures with quantum-safe equivalents. ML-DSA provides authenticity and non-repudiation in a way designed to resist future quantum attacks.  

Module-Lattice-Based Key Encapsulation Mechanism (ML-KEM) is a quantum-safe key exchange algorithm, standardized by NIST and supported in DigiCert tools and SDKs. It lets two parties establish a shared secret over a public channel, which can be used to secure session encryption such as in TLS, protecting confidentiality against quantum attacks. 

In a post-quantum TLS handshake: 

• ML-KEM establishes a shared encryption key between client and server. 

• ML-DSA is used to authenticate the server’s identity via its TLS certificate. 

Together, these provide both confidentiality and authenticity resistant to future quantum cryptanalysis, though current mainstream browsers do not yet support ML-DSA certificates.  

Mainstream browsers require extensive testing, ecosystem coordination, and library integration before adopting new cryptographic primitives. While ML-KEM has seen early production use for key exchange, support for post-quantum signature algorithms like ML-DSA in browsers is still in development. That’s why tools like Curl or Links are recommended for your test server.

Yes. Because browsers don’t yet support quantum-safe certificates, you’ll use command-line tools such as:

• Curl: Fetches raw HTML over TLS
• Links: Renders text pages via command line

These allow you to validate your server’s post-quantum TLS handshake and certificate behavior in a controlled test environment.