It has been almost a year and a half since the second round of the NIST PQC
Standardization Process began. After careful consideration, NIST would like to
announce the candidates that will be moving on to the third round. The seven
third-round Finalists are:

Third Round Finalists

Public-Key Encryption/KEMs:
    Classic McEliece
    CRYSTALS-KYBER
    NTRU
    SABER

Digital Signatures:
    CRYSTALS-DILITHIUM
    FALCON
    Rainbow

In addition, the following eight candidate algorithms will advance to the third
round:

Alternate Candidates

Public-Key Encryption/KEMs:
    BIKE
    FrodoKEM
    HQC
    NTRU Prime
    SIKE

Digital Signatures:
    GeMSS
    Picnic
    SPHINCS+

During the third round, the term “finalist” will refer to the first seven algorithms
listed above, and the terms “alternate” or “alternate candidate” will be used
for the other eight algorithms also advancing. The finalists will continue to
be reviewed for consideration for standardization at the conclusion of the
third round. As CRYSTALS-KYBER, NTRU, and SABER are all structured lattice
schemes, NIST intends to select, at most, one for the standard. The same is
true for the signature schemes CRYSTALS-DILITHIUM and FALCON. In NIST’s current
view, these structured lattice schemes appear to be the most promising
general-purpose algorithms for public-key encryption/KEM and digital signature
schemes.

For the eight alternate candidate algorithms being advanced into the third round,
NIST notes that these algorithms may still potentially be standardized,
although that most likely will not occur at the end of the third round. NIST
expects to have a fourth round of evaluation for some of the candidates on this
track. Several of these alternate candidates have worse performance than the
finalists but might be selected for standardization based on a high confidence
in their security. Other candidates have acceptable performance but require
additional analysis or other work to inspire sufficient confidence in their
security or security rationale. In addition, some alternates were selected
based on NIST’s desire for a broader range of hardness assumptions in future
post-quantum security standards, their suitability for targeted use cases, or
their potential for further improvement.

NIST would like to thank all of the submission teams for their efforts in this
standardization process. It was not an easy decision to narrow down the
submissions. A detailed description of the decision process and rationale for
selection are available in NIST Internal Report (NISTIR) 8309, Status Report on
the Second Round of the NIST Post-Quantum Cryptography Standardization Process.
It is also available on the NIST post-quantum webpage, www.nist.gov/pqcrypto.
Questions may be directed to [email protected].
NIST hopes that the teams whose schemes were not selected to advance will
continue to participate by evaluating and analyzing the remaining cryptosystems
along with the cryptographic community at large. These combined efforts are
crucial to the development of NIST’s future post-quantum public-key standards.

For the algorithms moving on to the third round, NIST will allow the submission
teams the option of providing updated specifications and implementations (i.e.,
“tweaks”). The deadline for these tweaks will be October 1, 2020. It would be
helpful if submission teams provided NIST with a summary of their expected
changes by August 10, 2020. If any submission team feels that they may not meet
the deadlines, they are strongly encouraged to contact NIST to discuss. NIST
will review the proposed modifications and publish the accepted submissions
shortly afterwards. As a general guideline, NIST expects that any modifications
to the seven finalists will be relatively minor while allowing more latitude to
the eight alternate candidate algorithms. Note, however, that larger changes
may signal that an algorithm is not mature enough for standardization at this
time. More detailed information and guidance will be provided in another
message.

It is estimated that this third phase of evaluation and review will last 12-18
months. NIST is planning to hold a 3rd NIST PQC Standardization Conference
in 2021. Obviously, much of the conference details will depend on conditions
relating to the pandemic and have not been finalized. The preliminary Call for
Papers for this conference can be found at www.nist.gov/pqcrypto and
will also be posted to this pqc-forum in another message. The deadline for
submission to the 3rd NIST PQC Conference will likely be sometime around the
end of 2020.

Note: These are NIST’s current plans. If new results emerge during the third round
which undermine NIST’s confidence in some of the finalists, NIST may extend the
timeline, or make changes to the process. If NIST has less serious
concerns specific to a particular finalist and sees the need to continue
evaluating it, NIST may instead defer the decision about standardization for
the affected finalist until the fourth round.

NISTIR 8309: https://csrc.nist.gov/publications/detail/nistir/8309/final
NIST Post-Quantum Cryptography project: https://www.nist.gov/pqcrypto