Thursday, July 23, 2020

Post-Quantum Cryptography (PQC) Standardization Process:

    It has been almost a year and a half since the second round of the NIST PQC Standardization Process began. After careful consideration, NIST would like to announce the candidates that will be moving on to the third round. The seven third-round Finalists are:

Third Round Finalists 
Public-Key Encryption/KEMs
Classic McEliece

Digital Signatures

In addition, the following eight candidate algorithms will advance to the third round:

Alternate Candidates
Public-Key Encryption/KEMs
NTRU Prime

Digital Signatures

    During the third round, the term “finalist” will refer to the first seven algorithms listed above, and the terms “alternate” or “alternate candidate” will be used for the other eight algorithms also advancing. The finalists will continue to be reviewed for consideration for standardization at the conclusion of the third round. As CRYSTALS-KYBER, NTRU, and SABER are all structured lattice schemes, NIST intends to select, at most, one for the standard. The same is true for the signature schemes CRYSTALS-DILITHIUM and FALCON. In NIST’s current view, these structured lattice schemes appear to be the most promising general-purpose algorithms for public-key encryption/KEM and digital signature schemes.

    For the eight alternate candidate algorithms being advanced into the third round, NIST notes that these algorithms may still potentially be standardized, although that most likely will not occur at the end of the third round. NIST expects to have a fourth round of evaluation for some of the candidates on this track. Several of these alternate candidates have worse performance than the finalists but might be selected for standardization based on a high confidence in their security. Other candidates have acceptable performance but require additional analysis or other work to inspire sufficient confidence in their security or security rationale. In addition, some alternates were selected based on NIST’s desire for a broader range of hardness assumptions in future post-quantum security standards, their suitability for targeted use cases, or their potential for further improvement.

    NIST would like to thank all of the submission teams for their efforts in this standardization process. It was not an easy decision to narrow down the submissions. A detailed description of the decision process and rationale for selection are available in NIST Internal Report (NISTIR) 8309, Status Report on the Second Round of the NIST Post-Quantum Cryptography Standardization Process. It is also available on the NIST post-quantum webpage, Questions may be directed to NIST hopes that the teams whose scheme were not selected to advance will continue to participate by evaluating and analyzing the remaining cryptosystems along with the cryptographic community at large. These combined efforts are crucial to the development of NIST’s future post-quantum public-key standards.

    For the algorithms moving on to the third round, NIST will allow the submission teams the option of providing updated specifications and implementations (i.e., “tweaks”). The deadline for these tweaks will be October 1, 2020. It would be helpful if submission teams provided NIST with a summary of their expected changes by August 10, 2020. If any submission team feels that they may not meet the deadlines, they are strongly encouraged to contact NIST to discuss. NIST will review the proposed modifications and publish the accepted submissions shortly afterwards. As a general guideline, NIST expects that any modifications to the seven finalists will be relatively minor while allowing more latitude to the eight alternate candidate algorithms. Note, however, that larger changes may signal that an algorithm is not mature enough for standardization at this time. More detailed information and guidance will be provided in another message.

    It is estimated that this third phase of evaluation and review will last 12-18 months. NIST is planning to hold a 3rd NIST PQC Standardization Conference in 2021. Obviously, much of the conference details will depend on conditions relating to the pandemic and have not been finalized. The preliminary Call for Papers for this conference can be found at and will also be posted to this pqc-forum in another message. The deadline for submission to the 3rd NIST PQC Conference will likely be sometime around the end of 2020.

    Note: These are NIST’s current plans. If new results emerge during the third round which undermine NIST’s confidence in some of the finalists, NIST may extend the timeline, or make changes to the process.  If NIST has less serious concerns specific to a particular finalist and sees the need to continue evaluating it, NIST may instead defer the decision about standardization for the affected finalist until the fourth round. 

NISTIR 8309:

NIST Post-Quantum Cryptography project: