Washington, DC — The U.S. National Institute of Standards and Technology (NIST) announced it has completed the third round of the Post-Quantum Cryptography (PQC) standardization process, which selects public-key cryptographic algorithms to protect information through the advent of quantum computers. A total of four candidate algorithms have been selected for standardization, and four additional algorithms will continue into the fourth round.
A detailed description of the decision process and selection rationale is included in NIST Internal Report (NIST IR) 8413, Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process, which is also available on the NIST PQC webpage. Questions may be directed to pqc-comments@nist.gov.
This announcement also discusses plans for a Fourth PQC Conference and an upcoming call for additional quantum-resistant digital signature algorithms.
In the third round of the NIST PQC Standardization Process, NIST has identified four candidate algorithms for standardization. NIST will recommend two primary algorithms to be implemented for most use cases: CRYSTALS-KYBER (key-establishment) and CRYSTALS-Dilithium (digital signatures). In addition, the signature schemes FALCON and SPHINCS+ will also be standardized.
CRYSTALS-KYBER (key-establishment) and CRYSTALS-Dilithium (digital signatures) were both selected for their strong security and excellent performance, and NIST expects them to work well in most applications.
FALCON will also be standardized by NIST since there may be use cases for which CRYSTALS-Dilithium signatures are too large.
SPHINCS+ will also be standardized to avoid relying only on the security of lattices for signatures. NIST asks for public feedback on a version of SPHINCS+ with a lower number of maximum signatures.
NIST will create new draft standards for the algorithms to be standardized and will coordinate with the submission teams to ensure that the standards comply with the specifications. As part of the drafting process, NIST will seek input on specific parameter sets to include, particularly for security category 1. When finished, the standards will be posted for public comment. After the close of the comment period, NIST will revise the draft standards as appropriate based on the feedback received. A final review, approval, and promulgation process will then follow.
The following candidate KEM algorithms will advance to the fourth round:
Both BIKE and HQC are based on structured codes, and either would be suitable as a general-purpose KEM that is not based on lattices. NIST expects to select at most one of these two candidates for standardization at the conclusion of the fourth round.
SIKE remains an attractive candidate for standardization because of its small key and ciphertext sizes. NIST will continue to study it in the fourth round.
Classic McEliece was a finalist but is not being standardized by NIST at this time. Although Classic McEliece is widely regarded as secure, NIST does not anticipate it being widely used due to its large public key size. NIST may choose to standardize Classic McEliece at the end of the fourth round.
For the algorithms moving on to the fourth round, NIST will allow the submission teams to provide updated specifications and implementations (“tweaks”). The deadline for these tweaks will be October 1, 2022. Any submission team that feels that they may not meet the deadline should contact NIST as soon as possible. NIST will review the proposed modifications and publish the accepted submissions shortly afterward. As a general guideline, NIST expects any modifications to be relatively minor. The fourth round will proceed similarly to the previous rounds.
NIST will hold a 4th NIST PQC Standardization Conference on November 29 – December 1, 2022. The conference details have not yet been finalized. The preliminary Call for Papers will be announced later, both on the pqc-forum and the NIST PQC webpage.
NIST also plans to issue a new Call for Proposals for public-key (quantum-resistant) digital signature algorithms by the end of summer 2022. NIST is primarily looking to diversify its signature portfolio, so signature schemes that are not based on structured lattices are of greatest interest. NIST would like submissions for signature schemes that have short signatures and fast verification.
Submissions in response to that call will be due by June 1, 2023. Submitters are encouraged to communicate with NIST ahead of time. NIST will decide which (if any) of the submitted signature algorithms to accept and will initiate a new process for evaluation. NIST expects that process to be much smaller in scope than the current PQC process. The signature schemes accepted to that process will need to be thoroughly analyzed, which will similarly take several years.