Does post-quantum cryptography slow AI down? The performance question, answered
Post-quantum signatures are larger and modestly slower than classical ones, but an audit ledger signs consequential decisions, not every token, keeping overhead small.
No, not noticeably. Post-quantum signatures are larger and modestly slower than classical ones, but an audit ledger signs consequential decisions, not every token.
The question matters in 2026 because regulated operators are being asked to prove what their AI systems decided, and to sign that proof with cryptography that will still hold once quantum computers can break today's classical curves. Buyers reasonably worry that stronger signatures mean slower systems. The honest answer depends entirely on what you sign and how often you sign it.
What does an AI audit ledger actually sign?
An audit ledger signs consequential decisions and their evidence, approvals, escalations, model outputs that move money or affect people, not each token a model emits.
A useful ledger records the decisions that carry consequence: an approval, an escalation, a payout, a denial, an output that affects a person's rights. These are the events a regulator, an auditor or a court will later want to verify, and they are rare relative to the millions of tokens a model emits while generating text. Signing every token would be wasteful and prove nothing. Signing the finished decision, with the inputs and the identity that produced it, is where signatures earn their keep. In our SIOS each sealed entry binds to a hardware-attested identity, so the record shows not only what was decided but which attested operator and which model produced it. A consequential entry can also carry a cross-model consensus record, several models agreeing on the same output, sealed as one signed decision.
How much larger and slower are post-quantum signatures?
They are larger and modestly slower than classical signatures, with size growing more than signing time, and the exact ratios depend on the scheme chosen.
Post-quantum schemes trade compactness for security that resists quantum attack, and the growth is real but uneven. Signature and key sizes rise more sharply than the time it takes to sign. Lattice-based ML-DSA keeps signing fast while producing larger signatures and keys. Hash-based SLH-DSA makes the most conservative security assumptions and keeps its keys compact, but produces the largest signatures and signs more slowly. The table sets the relative behaviour out plainly.
| Dimension | Classical (for example ECDSA) | ML-DSA (FIPS 204) | SLH-DSA (FIPS 205) |
|---|---|---|---|
| Relative signature size | Smallest, the baseline | Larger | Largest |
| Relative signing speed | Fast, the baseline | Broadly comparable, fast | Slower |
| Relative key size | Small | Larger | Compact |
| Best fit | Legacy interoperability, not quantum-safe | High-volume general audit signing | Conservative, low-frequency anchoring |
No figures are quoted here as benchmarks, because the honest comparison is relative: larger, comparable, slower. What matters for a ledger is that the largest cost sits in bytes stored, not in time spent on the decision path.
Does this slow down AI inference or the user experience?
No, because signing sits off the inference hot path. A model generates its answer first, then the ledger seals that decision as a separate step.
Inference latency is dominated by the model generating tokens. Signing happens after the decision is formed, on a separate step that does not block the response a user sees. A ledger can batch signatures, anchor periodically and verify offline, so the signing rate is set by the rate of consequential decisions, not the rate of tokens. Because the perimeter is zero-egress and inbound only, nothing waits on a remote signing service either. The cryptography runs on the same operator-owned hardware that runs the model.
Which post-quantum scheme fits an audit ledger best?
ML-DSA suits high-volume general signing for its balance of speed and size, while SLH-DSA suits low-frequency, high-value anchoring where minimal cryptographic assumptions matter most.
ML-DSA is the sensible default for volume ledger signing: fast, standardised as FIPS 204, and balanced across size and speed. SLH-DSA, standardised as FIPS 205, earns its place where you want the smallest set of assumptions, for example anchoring a checkpoint or a root record that must remain verifiable for decades. Many designs use both, ML-DSA for the frequent entries and SLH-DSA to anchor the chain at intervals. This is an architecture choice, and we set it by the value and longevity of the evidence. The mechanisms that bind these signatures to attested identity and to a tamper-evident chain sit within our filed intellectual property: 104 filed UK patent applications and 2,340 claims, owned by Mickai LTD (Companies House 17166618), filed and patent pending.
Why does FIPS 203 not add signing overhead?
FIPS 203, ML-KEM, is key encapsulation, not a signature scheme. It protects data in transit and never signs the ledger, adding no signing cost.
There is a common confusion between the three NIST standards. FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) are signature schemes: they produce the seals on the ledger. FIPS 203 (ML-KEM) is key encapsulation: it establishes shared secrets so data can be encrypted in transit, and it never signs anything. So when the performance question is asked about signing an audit ledger, ML-KEM is simply not part of the answer. Confusing the two leads people to overstate the signing cost of a post-quantum design.
Is the post-quantum overhead worth it for regulated AI in 2026?
Yes, because audit evidence must survive far longer than any single transaction, and harvest-now-decrypt-later means signatures made today have to resist tomorrow's quantum attacks.
Regulation is moving faster than quantum hardware, and both point the same way. The EU AI Act's high-risk Annex III obligations, once due 2 August 2026, were deferred by the Digital Omnibus to 2 December 2027, with embedded Annex I high-risk to 2 August 2028 and Article 50 transparency largely unchanged. DORA has been in force since January 2025, and NIS2 covers essential and important entities. Across all of them the operator must be able to produce durable, verifiable evidence of what its systems did. The US CLOUD Act can compel a US-based provider to hand over data regardless of where its servers sit, which is why the most sensitive workloads cannot run on public cloud AI services such as ChatGPT, Copilot or Gemini. Those services are the right choice for a great deal of everyday work. For evidence that must resist a future quantum adversary, a modest signing overhead today is cheap insurance.
“The true cost of a post-quantum audit ledger is not measured in bytes or milliseconds, but against the value of evidence that must still verify long after the decision it records.”
Frequently asked questions
Will post-quantum signatures make my AI slower for users?
No in any way a user would notice. The model generates its answer on the inference path, and signing happens afterwards as a separate step that seals the finished decision. Because a ledger signs consequential decisions rather than every token, the signing rate is low and stays off the hot path.
Should I use ML-DSA or SLH-DSA for an audit ledger?
For most entries, ML-DSA (FIPS 204) is the balanced default: fast to sign with moderate size growth. SLH-DSA (FIPS 205) suits low-frequency anchoring where the most conservative assumptions matter, at the cost of larger signatures and slower signing. Many ledgers use ML-DSA for volume and SLH-DSA to anchor the chain.
Does FIPS 203 sign anything in the ledger?
No. FIPS 203 is ML-KEM, a key encapsulation mechanism that protects data in transit. It establishes shared secrets and never produces a signature. The signing standards are FIPS 204 and FIPS 205, so ML-KEM adds no signing overhead to the audit ledger.
Is post-quantum cryptography actually required yet under EU rules?
The EU AI Act does not mandate a specific signature scheme, and its high-risk Annex III obligations were deferred by the Digital Omnibus from 2 August 2026 to 2 December 2027. What the regime does require is durable, verifiable evidence, and post-quantum signing is how that evidence survives a future quantum adversary. DORA and NIS2 add their own evidentiary expectations.
Why sign consequential decisions instead of every token?
Signing every token would multiply cost for no benefit, because tokens are intermediate and disposable while decisions carry consequence. A regulator or court cares about the approval, the payout or the denial, not each word a model emitted. Signing at the decision boundary keeps overhead small and the evidence meaningful.




