A tradeoff framework for post-quantum cryptography

The SKiP/SH Model

Classical primitives gave you everything at once. Post-quantum schemes don't. Like CAP for databases, you pick two of the visible triangle and SKiP the third — and two hidden axes decide whether you can trust what's left.

S · Speed
K · Key size
P · Payload size
+ Sturdiness
+ Hardness
Tier 1 · the visible triangle

SKiP — pick two, sacrifice one

Three engineering properties trade off against one another. A scheme can excel at two of them; whichever it can't deliver is the one it SKiPs.

S · Speed

Cycle cost — treated as a vector across keygen / sign / verify (or encaps / decaps), never a scalar. Falcon is fast to sign and verify but slow to keygen; FAEST is the inverse. Where a scheme lands depends on which phase your workload stresses.

K · Key size

Public + private key bytes. The UOV family pays here brutally — public keys from tens of kilobytes to over a megabyte — to buy a tiny signature.

P · Payload size

Signature bytes, or KEM ciphertext bytes. Hash- and MPC-in-the-Head schemes blow up here: SLH-DSA and FAEST run into the tens of kilobytes.

Tier 2 · the two hidden axes

S + H — what it costs you to trust

SKiP describes what a scheme looks like. Two further axes describe what it costs to trust — and they're where the bill comes due when a scheme appears to win all three visible axes at once.

S · was the “†” dagger

Sturdiness

Implementation robustness. Can it be built fast and safely? Constant-time discipline, freedom from floating-point fragility, side-channel resistance. Falcon is low-sturdiness (FP Gaussian sampling); SQIsign carries an open constant-time-signing problem; HAWK is essentially the un-daggered Falcon (integer-only); SLH-DSA is maximally sturdy (hash-only, no secret-dependent branching).

H · was the “‡” mark

Hardness

Cryptographic robustness — strength and maturity of the underlying assumption. SNOVA took the worst hit: Beullens' forgery attacks cut its margin by 2^8–2^39 and pushed some parameter sets below NIST's threshold, forcing a Round 2 rescue — it scores below MAYO, which weathered the same era of multivariate cryptanalysis (NIST IR 8610) without a parameter change. MQOM's ROM/QROM proofs are still maturing; isogeny & young lattice schemes have a thin analyst pool. SDitH, FAEST (AES-hardness), classic hash-based, and code-based schemes anchor the conservative end.

the central lesson

If a scheme seems to win all three SKiP axes, the cost hasn't vanished — it has moved off-triangle. The scheme is borrowing against Sturdiness or Hardness. The framework tells you where to look for the catch.
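The speed-as-a-vector rule and the central lesson, combined in one check. This is an added example, not code from the page: the `Profile` fields, the thresholds `excel` and `trust_floor`, the workload weights and all scores are assumptions, with scores constructed only to match the page's qualitative reads of Falcon and SLH-DSA.

```python
from dataclasses import dataclass

@dataclass
class Profile:
    name: str
    speed: dict    # per-phase score, 1-7 (7 = fastest): keygen / sign / verify
    key: int       # K score, 1-7 (7 = smallest keys)
    payload: int   # P score, 1-7 (7 = smallest signature or ciphertext)
    sturdy: int    # Sturdiness, 1-7 (7 = most robust implementation)
    hard: int      # Hardness, 1-7 (7 = most conservative assumption)

def speed_score(p, workload):
    """Collapse the speed vector with workload weights (phase -> relative frequency)."""
    return sum(p.speed[ph] * w for ph, w in workload.items()) / sum(workload.values())

def skip_sh_read(p, workload, excel=6, trust_floor=4):
    """Return which visible axes excel, which one is SKiPped, and any hidden-axis debt."""
    visible = {"S": speed_score(p, workload), "K": p.key, "P": p.payload}
    excels = [a for a, v in visible.items() if v >= excel]
    debts = [n for n, v in (("Sturdiness", p.sturdy), ("Hardness", p.hard))
             if v < trust_floor]
    # A scheme that excels everywhere has no SKiPped axis; otherwise it is the weakest.
    skipped = None if len(excels) == 3 else min(visible, key=visible.get)
    if skipped is None and debts:
        verdict = "wins all three; cost moved off-triangle to " + " and ".join(debts)
    elif skipped is None:
        verdict = "wins all three with no hidden debt; recheck the scores"
    else:
        verdict = "SKiPs " + skipped
    return {"excels": excels, "skipped": skipped, "debts": debts, "verdict": verdict}

# Constructed scores (not the page's table values), hypothetical thresholds above.
FALCON = Profile("Falcon", {"keygen": 2, "sign": 6, "verify": 7},
                 key=6, payload=7, sturdy=2, hard=5)
SLH_DSA = Profile("SLH-DSA", {"keygen": 5, "sign": 1, "verify": 4},
                  key=7, payload=1, sturdy=7, hard=7)

SIGN_HEAVY = {"sign": 1, "verify": 1}     # long-lived key, many signatures
KEYGEN_HEAVY = {"keygen": 3, "sign": 1}   # fresh keys generated often

if __name__ == "__main__":
    for prof, wl in ((FALCON, SIGN_HEAVY), (FALCON, KEYGEN_HEAVY), (SLH_DSA, SIGN_HEAVY)):
        print(prof.name, wl, "->", skip_sh_read(prof, wl)["verdict"])
```

The same Falcon profile reads as "wins all three" under a sign-heavy workload and as "SKiPs S" once key generation dominates, while the Sturdiness debt is reported in both cases.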

candidate placement · interactive

Where the schemes land

Plotting combined K+P size (log bytes) against relative sign / encaps cost (log, lower-left is better). Dot fill = family. Tap any point for its SKiP/SH read. Covers the standardized FIPS set plus all nine Round 3 additional-signature candidates.

Each point carries its two visible coordinates plus the hidden-axis read — the reason it sits where it does and what it's paying for.

full reference · click headers to sort

The whole field, scored

Sizes are NIST security Level 1 (≈128-bit), representative parameter sets. Each axis is scored 1–7, where 7 is best (smallest / fastest / most conservative / most robust) and 1 is worst. Bars fill and warm from red (1) through amber (4) to green (7). flags a fragile or not-yet-constant-time implementation.

Table columns: Scheme | Family | Status | PK (B) | Sig/CT (B) | K | P | S | Sturdy | Hard | Reads as

Family legend: Lattice, Hash, Multivariate / UOV, MPC-in-the-Head, Isogeny, Code, Pre-quantum

selection shorthand

Picking for a deployment

01 · balanced workhorse

Need all three "okay"?

ML-DSA / ML-KEM. The centroid — nothing tiny, nothing huge, fast, and high on both hidden axes. That dual-high is exactly why they're the FIPS primary picks.

02 · max the hidden axes

Long-lived roots, can't be wrong?

SLH-DSA / Classic McEliece / FAEST. Conservative assumptions, sturdy implementations. You pay in payload or key size — accept it for trust anchors.

03 · byte-minimal, debt accepted

Bandwidth is everything?

UOV / SQIsign / MAYO. Tiny on the wire — but each picks one of small-key or small-signature, never both, and pays a Hardness or Sturdiness debt (big keys, slow signing, thin margins). MAYO's two parameter sets are the same scheme sliding along that K↔P edge. Use where the savings justify the risk.