The PKIUtil client supports the following post-quantum algorithms.

The same OID identifies the public key and signature algorithm in post-quantum cryptography . The OIDs below are not yet standardized and will change in future versions.

Dilithium

The Dilithium algorithms use relatively small keys but produce certificates roughly:

6 times larger than RSA.
30 times larger than ECC.

As explained in pq-crystals.org/dilithium, these algorithms are used to "expand the matrix and the masking vectors, and to sample the secret polynomials".

PQ algorithm string	OID	Signature size in bytes	Public key size in bytes	Private key size in bytes
Dilithium2 (Round 3)	1.3.6.1.4.1.2.267.7.4.4	2420	1312	2528
Dilithium3 (Round 3)	1.3.6.1.4.1.2.267.7.6.5	3293	1952	4000
Dilithium5 (Round 3)	1.3.6.1.4.1.2.267.7.8.7	4595	2592	4864
ML-DSA-44-ipd (FIPS 204 ipd)	1.3.6.1.4.1.2.267.12.4.4	2420	1312	2560
ML-DSA-65-ipd (FIPS 204 ipd)	1.3.6.1.4.1.2.267.12.6.5	3309	1952	4032
ML-DSA-86-ipd (FIPS 204 ipd)	1.3.6.1.4.1.2.267.12.8.7	4627	2592	4896

Falcon

The Falcon algorithms use relatively small keys but produce certificates:

3 times larger than RSA
15 times larger than ECC.

See the table below for the supported Falcon algorithms.

PQ algorithm string	OID	Signature size in bytes	Public key size in bytes	Private key size in bytes
Falcon-512	1.3.9999.3.6	690	897	1281
Falcon-1024	1.3.9999.3.9	1330	1793	2305

SPHINCS+

The SPHINCS+ algorithm is stable, trusted, and does not require state management like other hash-based algorithms. SPHINCS+ produces very large signatures and has variants that affect the signature size and speed.

The 'f' component produces full signatures, and, therefore, the largest signature sizes but is faster at key generation and signing.
The 's' component produces more compact signature sizes at the expense of performance (which can be up to 10 times slower for keygen and twice as slow for verification, depending on implementation).
The robust implementations have more conservative security proof and are, therefore, 2-3 times slower than simple implementations.
The simple implementation is faster.

See the table below for the supported SPHINCS+ algorithms.

PQ algorithm string	OID	Signature size in bytes	Public key size in bytes	Private key size in bytes
SPHINCS+-SHA256-128f-simple	1.3.9999.6.4.13	33953	32	64
SPHINCS+-SHA256-128s-simple	1.3.9999.6.4.16	16161	32	64
SPHINCS+-SHA256-192f-simple	1.3.9999.6.5.10	71329	48	96
SPHINCS+-SHA256-192s-simple	1.3.9999.6.5.12	34129	48	96
SPHINCS+-SHA256-256f-simple	1.3.9999.6.6.12	98433	64	128
SPHINCS+-SHA256-256s-simple	1.3.9999.6.6.10	59585	64	128
SPHINCS+-SHAKE-128f-simple	1.3.9999.6.7.13	33953	32	64
SPHINCS+-SHAKE-128s-simple	1.3.9999.6.7.16	16161	32	64
SPHINCS+-SHAKE-192f-simple	1.3.9999.6.8.10	71329	48	96
SPHINCS+-SHAKE-192s-simple	1.3.9999.6.8.12	34129	48	96
SPHINCS+-SHAKE-256f-simple	1.3.9999.6.9.10	98433	64	128
SPHINCS+-SHAKE-256s-simple	1.3.9999.6.9.12	59585	64	128

Composite Signatures

The PKIUtil client supports composite signatures specified by the datatracker.ietf.org/doc/draft-ounsworth-pq-composite-sigs draft.

Composite algorithm string	OID	Signature size in bytes	Public key size in bytes	Private key size in bytes
MLDSA44-RSA2048-PSS-SHA256	2.16.840.1.114027.80.8.1.1	2690	1596	5120
MLDSA44-RSA2048-PKCS15-SHA256	2.16.840.1.114027.80.8.1.2	2690	1596	5120
MLDSA44-ECDSA-P256-SHA256	2.16.840.1.114027.80.8.1.4	2502	1413	3969
MLDSA44-ECDSA-brainpoolP256r1-SHA256	2.16.840.1.114027.80.8.1.5	2502	1413	3969
MLDSA65-RSA3072-PSS-SHA512	2.16.840.1.114027.80.8.1.6	3707	2388	7808
MLDSA65-RSA3072-PKCS15-SHA512	2.16.840.1.114027.80.8.1.7	3707	2388	7808
MLDSA65-ECDSA-P256-SHA512	2.16.840.1.114027.80.8.1.8	3392	2053	6081
MLDSA65-ECDSA-brainpoolP256r1-SHA512	2.16.840.1.114027.80.8.1.9	3392	2053	6081
MLDSA87-ECDSA-P384-SHA512	2.16.840.1.114027.80.8.1.11	4709	2725	7598
MLDSA87-ECDSA-brainpoolP384r1-SHA512	2.16.840.1.114027.80.8.1.12	4709	2725	7598