NIST Post-Quantum Cryptography Standardization: Difference between revisions

Post-Quantum Cryptography Standardization is a project by NIST to standardize post-quantum cryptography.^[1] 23 signature schemes were submitted, 59 encryption/KEM schemes were submitted^[2] by the initial submission deadline at the end of 2017, of which 69 total were deemed complete and proper and participated in the first round. 26 of these have advanced to the second round (17 encryption/key-establishment and 9 signature schemes).

Round Two

Candidates moving on the to second round were announced on January 30, 2019. They are:^[3]

Type	PKE/KEM	Signature
Lattice	CRYSTALS-KYBER[4] FrodoKEM[5] LAC NewHope[6] NTRU (merger of NTRUEncrypt and NTRU-HRSS-KEM)[7] NTRU Prime[8] Round5 (merger of Round2 and Hila5, announced 4 August 2018)[9] SABER Three Bears[10]	CRYSTALS-DILITHIUM[4] FALCON[11] qTESLA[12]
Code-based	BIKE[13] Classic McEliece HQC[14] LEDAcrypt (merger of LEDAkem[15] and LEDApkc[16]) NTS-KEM[17] ROLLO (merger of Ouroboros-R, LAKE and LOCKER) [18] RQC[19]
Hash-based		SPHINCS+[20]
Multivariate		GeMSS[21] LUOV MQDSS[22] Rainbow
Supersingular Elliptic Curve Isogeny	SIKE[23]
Zero-knowledge proofs		Picnic[24]

Round One

Under consideration were:^[25]
(strikethrough means it had been withdrawn)

Type	PKE/KEM	Signature	Signature & PKE/KEM
Lattice	Compact LWE CRYSTALS-KYBER Ding Key Exchange EMBLEM and R.EMBLEM FrodoKEM HILA5 (withdrawn and merged into Round5) KCL (pka OKCN/AKCN/CNKE) KINDI LAC LIMA Lizard LOTUS NewHope NTRUEncrypt[7] NTRU-HRSS-KEM NTRU Prime Odd Manhattan Round2 (withdrawn and merged into Round5) Round5 (merger of Round2 and Hila5, announced 4 August 2018)[9] SABER Three Bears Titanium	CRYSTALS-DILITHIUM DRS FALCON pqNTRUSign[7] qTESLA
Code-based	BIG QUAKE BIKE Classic McEliece DAGS Edon-K HQC LAKE (withdrawn and merged into ROLLO) LEDAkem LEDApkc Lepton LOCKER (withdrawn and merged into ROLLO) McNie NTS-KEM ROLLO (merger of Ouroboros-R, LAKE and LOCKER) [18] Ouroboros-R (withdrawn and merged into ROLLO) QC-MDPC KEM Ramstake RLCE-KEM RQC	pqsigRM RaCoSS RankSign
Hash-based		Gravity-SPHINCS SPHINCS+
Multivariate	CFPKM Giophantus	DualModeMS GeMSS Gui HiMQ-3 LUOV MQDSS Rainbow	SRTPI DME
Braid group		WalnutDSA
Supersingular Elliptic Curve Isogeny	SIKE
Satirical submission			pqRSA
Other	Guess Again HK17 Mersenne-756839 RVB	Picnic

Round One submissions published attacks

• Guess Again by Lorenz Panny ^[26]
• RVB by Lorenz Panny^[27]
• RaCoSS by Daniel J. Bernstein, Andreas Hülsing, Tanja Lange and Lorenz Panny^[28]
• HK17 by Daniel J. Bernstein and Tanja Lange^[29]
• SRTPI by Bo-Yin Yang^[30]
• WalnutDSA
  • by Ward Beullens and Simon R. Blackburn^[31]
  • by Matvei Kotov, Anton Menshov and Alexander Ushakov^[32]
• DRS by Yang Yu and Léo Ducas ^[33]
• DAGS by Elise Barelli and Alain Couvreur^[34]
• Edon-K by Matthieu Lequesne and Jean-Pierre Tillich^[35]
• RLCE by Alain Couvreur, Matthieu Lequesne, and Jean-Pierre Tillich^[36]
• Hila5 by Daniel J. Bernstein, Leon Groot Bruinderink, Tania Lange and Lorenz Panny^[37]
• Giophantus by Ward Beullens, Wouter Castryck and Frederik Vercauteren^[38]
• RankSign by Thomas Debris-Alazard and Jean-Pierre Tillich ^[39]
• McNie by Philippe Gaborit ^[40]; Terry Shue Chien Lau and Chik How Tan ^[41]

See also

• Advanced Encryption Standard process
• NIST hash function competition

References

1. "Post-Quantum Cryptography Standardization - Post-Quantum Cryptography". Csrc.nist.gov. 3 January 2017. Retrieved 31 January 2019.
2. "Archived copy". Archived from the original on 2017-12-29. Retrieved 2017-12-29. {{cite web}}: Unknown parameter |dead-url= ignored (|url-status= suggested) (help)
3. Computer Security Division, Information Technology Laboratory (3 January 2017). "Round 2 Submissions - Post-Quantum Cryptography - CSRC". Csrc.nist.gov. Retrieved 31 January 2019.
4. Schwabe, Peter. "CRYSTALS". Pq-crystals.org. Retrieved 31 January 2019.
5. "FrodoKEM". Frodokem.org. Retrieved 31 January 2019.
6. Schwabe, Peter. "NewHope". Newhopecrypto.org. Retrieved 31 January 2019.
7. [1] ^{[dead link]}
8. [2] ^{[dead link]}
9. "Google Groups". Groups.google.com. Retrieved 31 January 2019.
10. "ThreeBears". SourceForge.net. Retrieved 31 January 2019.
11. "Falcon". Falcon-sign.info. Retrieved 31 January 2019.
12. "qTESLA – Efficient and post-quantum secure lattice-based signature scheme". Retrieved 31 January 2019.
13. "BIKE - Bit Flipping Key Encapsulation". Bikesuite.org. Retrieved 31 January 2019.
14. "HQC". Pqc-hqc.org. Retrieved 31 January 2019.
15. "LEDAkem Key Encapsulation Module". Ledacrypt.org. Retrieved 31 January 2019.
16. "LEDApkc Public Key Cryptosystem". Ledacrypt.org. Retrieved 31 January 2019.
17. [3] ^{[dead link]}
18. "ROLLO". Pqc-rollo.org. Retrieved 31 January 2019.
19. "RQC". Pqc-rqc.org. Retrieved 31 January 2019.
20. [4] ^{[dead link]}
21. [5] ^{[dead link]}
22. "MQDSS post-quantum signature". Mqdss.org. Retrieved 31 January 2019.
23. "SIKE – Supersingular Isogeny Key Encapsulation". Sike.org. Retrieved 31 January 2019.
24. [6] ^{[dead link]}
25. Computer Security Division, Information Technology Laboratory (3 January 2017). "Round 1 Submissions - Post-Quantum Cryptography - CSRC". Csrc.nist.gov. Retrieved 31 January 2019.
26. "Dear all, the following Python script quickly recovers the message from a given "Guess Again" ciphertext without knowledge of the private key" (PDF). Csrc.nist.gov. Retrieved 30 January 2019.
27. Panny, Lorenz (25 December 2017). "Fast key recovery attack against the "RVB" submission to #NISTPQC: t …. Computes private from public key". Twitter. Retrieved 31 January 2019. {{cite web}}: no-break space character in |title= at position 69 (help)
28. [7] ^{[dead link]}
29. [8] ^{[dead link]}
30. "Dear all, We have broken SRTPI under CPA and TPSig under KMA" (PDF). Csrc.nist.gov. Retrieved 30 January 2019.
31. Beullens, Ward; Blackburn, Simon R. (2018). "Practical attacks against the Walnut digital signature scheme". Eprint.iacr.org.
32. Kotov, Matvei; Menshov, Anton; Ushakov, Alexander (2018). "AN ATTACK ON THE WALNUT DIGITAL SIGNATURE ALGORITHM". Eprint.iacr.org.
33. Yu, Yang; Ducas, Léo (2018). "Learning strikes again: the case of the DRS signature scheme". Eprint.iacr.org.
34. Barelli, Elise; Couvreur, Alain (2018). "An efficient structural attack on NIST submission DAGS". arXiv:1805.05429 [cs.CR].
35. Lequesne, Matthieu; Tillich, Jean-Pierre (2018). "Attack on the Edon-K Key Encapsulation Mechanism". arXiv:1802.06157 [cs.CR].
36. Couvreur, Alain; Lequesne, Matthieu; Tillich, Jean-Pierre (2018). "Recovering short secret keys of RLCE in polynomial time". arXiv:1805.11489 [cs.CR].
37. Bernstein, Daniel J.; Groot Bruinderink, Leon; Lange, Tanja; Lange, Lorenz (2017). "Hila5 Pindakaas: On the CCA security of lattice-based encryption with error correction". {{cite journal}}: Cite journal requires |journal= (help)
38. "Official Comments" (PDF). Csrc.nist.gov. 13 September 2018.
39. "Two attacks on rank metric code-based schemes: RankSign and an Identity-Based-Encryption scheme" (PDF). Arxiv.org.
40. "I am afraid the parameters in this proposal have at most 4 to 6‐bits security under the Information Set Decoding (ISD) attack" (PDF). Csrc.nist.gov. Retrieved 30 January 2019.
41. Lau, Terry Shue Chien; Tan, Chik How (31 January 2019). Inomata, Atsuo; Yasuda, Kan (eds.). "Key Recovery Attack on McNie Based on Low Rank Parity Check Codes and Its Reparation". Springer International Publishing. pp. 19–34. doi:10.1007/978-3-319-97916-8_2. Retrieved 31 January 2019 – via Springer Link.

External links

• Unofficial website tracking submissions
• First round candidates by field by Ryo Fujita
• First round candidates by field (revised)
• First round candidates by field (revised again)