Support for ML-DSA (FIPS-204) post-quantum signing algorithm

[shiyin-weng]

Context

NIST has finalized FIPS-204 (ML-DSA), the Module-Lattice-Based Digital Signature Algorithm, as the primary post-quantum digital signature standard. The Go team has proposed a public crypto/mldsa API (golang/go#77626) and is expected to ship it in an upcoming Go release.

The IETF is also working on registering ML-DSA algorithm identifiers for JOSE/JWT use (draft-ietf-cose-dilithium).

Request

Are there plans to add an ML-DSA SigningMethod to golang-jwt once crypto/mldsa is available in the Go standard library?

Specifically:

• Is this on the project's roadmap?
• Is there a target timeline?
• Which security levels are you considering? (ML-DSA-44, ML-DSA-65, ML-DSA-87)

Why this matters

Organizations subject to CNSA 2.0 timelines need to migrate to post-quantum signatures by 2030. Since golang-jwt is the most widely used JWT library in Go, many teams are planning their migration path and need to understand whether PQC support will come from this library or if they should implement jwt.SigningMethod themselves.

We understand this depends on both the Go stdlib shipping crypto/mldsa and the IETF finalizing the JOSE algorithm identifier. This issue is primarily to understand intent and planning.

[oxisto]

Sure, I dont see any reason NOT to provide such a signing mechanism, provided the API is public by Go 1.27. We would then need to guard it with build tags as we will definitely NOT bump up the minimum version to 1.27

[salrashid123]

i used the evaluation candidate implementation here

• https://github.com/salrashid123/golang-jwt-pqc

its far better to have this included standard in golang-jwt sonce once support is available, i'll archive the link above.

also worth mentioning the git repo support KMS based keys too so there's a maybe some follow on support for golang-jwt providers for various KMSs (AWS, GCP, Azure, etc)