Post-Quantum Cryptography Standardization


Post-Quantum Cryptography Standardization is a project by NIST to standardize post-quantum cryptography. 23 signature schemes were submitted, 59 encryption/KEM schemes were submitted by the initial submission deadline at the end of 2017, of which 69 total were deemed complete and proper and participated in the first round. 26 of these have advanced to the second round. Seven of the candidates have been named third-round finalists, and 8 have been named third-round alternates.

Background

A NIST published report from April 2016 cites experts that acknowledge the possibility of quantum technology to render the commonly used RSA algorithm insecure by 2030. As a result, a need to standardize quantum-secure cryptographic primitives arose. Since most symmetric primitives are relatively easy to modify in a way that makes them quantum resistant, efforts have focused on public-key cryptography, namely digital signatures and key encapsulation mechanisms. In December 2016 NIST initiated a standardization process by announcing a call for proposals.
The competition is now in its third round out of expected four, where in each round some algorithms are discarded and others are studied more carefully. NIST hopes to publish the standardization documents by 2024, but may speed up the process if major breakthroughs in quantum computing are made.
It is currently undecided whether the future standards be published as FIPS or as NIST Special Publication.

Round One

Under consideration were:
TypePKE/KEMSignatureSignature & PKE/KEM
Lattice
  • CRYSTALS-DILITHIUM
  • DRS
  • FALCON
  • pqNTRUSign
  • qTESLA
    • Code-based
  • BIG QUAKE
  • BIKE
  • Classic McEliece
  • DAGS
  • Edon-K
  • HQC
  • LAKE
  • LEDAkem
  • LEDApkc
  • Lepton
  • LOCKER
  • McNie
  • NTS-KEM
  • ROLLO
  • Ouroboros-R
  • QC-MDPC KEM
  • Ramstake
  • RLCE-KEM
  • RQC
  • pqsigRM
  • RaCoSS
  • RankSign
    • Hash-based
  • Gravity-SPHINCS
  • SPHINCS+
    • Multivariate
  • CFPKM
  • Giophantus
  • DualModeMS
  • GeMSS
  • Gui
  • HiMQ-3
  • LUOV
  • MQDSS
  • Rainbow
  • SRTPI
  • DME
    • Braid group
  • WalnutDSA
    • Supersingular Elliptic Curve Isogeny
  • SIKE
    • Satirical submission
  • pqRSA
    • Other
  • Guess Again
  • HK17
  • Mersenne-756839
  • RVB
  • Picnic

    • Round One submissions published attacks

  • Guess Again by Lorenz Panny
  • RVB by Lorenz Panny
  • RaCoSS by Daniel J. Bernstein, Andreas Hülsing, Tanja Lange and Lorenz Panny
  • HK17 by Daniel J. Bernstein and Tanja Lange
  • SRTPI by Bo-Yin Yang
  • WalnutDSA
  • * by Ward Beullens and Simon R. Blackburn
  • * by Matvei Kotov, Anton Menshov and Alexander Ushakov
  • DRS by Yang Yu and Léo Ducas
  • DAGS by Elise Barelli and Alain Couvreur
  • Edon-K by Matthieu Lequesne and Jean-Pierre Tillich
  • RLCE by Alain Couvreur, Matthieu Lequesne, and Jean-Pierre Tillich
  • Hila5 by Daniel J. Bernstein, Leon Groot Bruinderink, Tanja Lange and Lorenz Panny
  • Giophantus by Ward Beullens, Wouter Castryck and Frederik Vercauteren
  • RankSign by Thomas Debris-Alazard and Jean-Pierre Tillich
  • McNie by Philippe Gaborit ; Terry Shue Chien Lau and Chik How Tan

    Round Two

    • Candidates moving on to the second round were announced on January 30, 2019. They are:
    TypePKE/KEMSignature
    Lattice
    • CRYSTALS-KYBER
    • FrodoKEM
    • LAC
    • NewHope
    • NTRU
    • NTRU Prime
    • Round5
    • SABER
    • Three Bears
  • CRYSTALS-DILITHIUM
  • FALCON
  • qTESLA
    • Code-based
  • BIKE
  • Classic McEliece
  • HQC
  • LEDAcrypt
  • NTS-KEM
  • ROLLO
  • RQC
    • Hash-based
  • SPHINCS+
    • Multivariate
  • GeMSS
  • LUOV
  • MQDSS
  • Rainbow
    • Supersingular Elliptic Curve Isogeny
  • SIKE
    • Zero-knowledge proofs
  • Picnic

    • Round Three

    On July 22, 2020, NIST announced seven finalists, as well as eight alternate algorithms. The first track contains the algorithms which appear to have the most promise, and will be considered for standardization at the end of the third round. Algorithms in the second track could still become part of the standard, after the third round ends. NIST expects some of the alternate candidates to be considered in a fourth round.

    Finalists

    Alternate candidates