NIST Post-Quantum Cryptography Standardization

From Wikipedia, the free encyclopedia

Post-Quantum Cryptography Standardization[1] is a program and competition by NIST to update their standards to include post-quantum cryptography.[2] It was announced at PQCrypto 2016.[3] 23 signature schemes and 59 encryption/KEM schemes were submitted by the initial submission deadline at the end of 2017[4] of which 69 total were deemed complete and proper and participated in the first round. Seven of these, of which 3 are signature schemes, have advanced to the third round, which was announced on July 22, 2020.


Academic research on the potential impact of quantum computing dates back to at least 2001.[5] A NIST published report from April 2016 cites experts that acknowledge the possibility of quantum technology to render the commonly used RSA algorithm insecure by 2030.[6] As a result, a need to standardize quantum-secure cryptographic primitives was pursued. Since most symmetric primitives are relatively easy to modify in a way that makes them quantum resistant, efforts have focused on public-key cryptography, namely digital signatures and key encapsulation mechanisms. In December 2016 NIST initiated a standardization process by announcing a call for proposals.[7]

The competition is now in its third round out of expected four, where in each round some algorithms are discarded and others are studied more closely. NIST hopes to publish the standardization documents by 2024, but may speed up the process if major breakthroughs in quantum computing are made.

It is currently undecided whether the future standards be published as FIPS or as NIST Special Publication (SP).

Round one[edit]

Under consideration were:[8]
(strikethrough means it had been withdrawn)

Type PKE/KEM Signature Signature & PKE/KEM
  • Compact LWE
  • CRYSTALS-Kyber
  • Ding Key Exchange
  • FrodoKEM
  • HILA5 (withdrawn and merged into Round5)
  • LAC
  • LIMA
  • Lizard
  • NewHope
  • NTRUEncrypt[9]
  • NTRU Prime
  • Odd Manhattan
  • Round2 (withdrawn and merged into Round5)
  • Round5 (merger of Round2 and Hila5, announced 4 August 2018)[10]
  • Three Bears
  • Titanium
  • BIKE
  • Classic McEliece + NTS-KEM
  • DAGS
  • Edon-K
  • HQC
  • LAKE (withdrawn and merged into ROLLO)
  • LEDAkem
  • LEDApkc
  • Lepton
  • LOCKER (withdrawn and merged into ROLLO)
  • McNie
  • ROLLO (merger of Ouroboros-R, LAKE and LOCKER) [11]
  • Ouroboros-R (withdrawn and merged into ROLLO)
  • Ramstake
  • RQC
  • pqsigRM
  • RaCoSS
  • RankSign
  • Gravity-SPHINCS
  • Giophantus
  • DualModeMS
  • GeMSS
  • Gui
  • HiMQ-3
  • LUOV
  • Rainbow
  • DME
Braid group
  • WalnutDSA
Supersingular elliptic curve isogeny
Satirical submission
  • Guess Again
  • HK17
  • Mersenne-756839
  • RVB
  • Picnic

Round one submissions published attacks[edit]

  • Guess Again by Lorenz Panny [14]
  • RVB by Lorenz Panny[15]
  • RaCoSS by Daniel J. Bernstein, Andreas Hülsing, Tanja Lange and Lorenz Panny[16]
  • HK17 by Daniel J. Bernstein and Tanja Lange[17]
  • SRTPI by Bo-Yin Yang[18]
  • WalnutDSA
    • by Ward Beullens and Simon R. Blackburn[19]
    • by Matvei Kotov, Anton Menshov and Alexander Ushakov[20]
  • DRS by Yang Yu and Léo Ducas [21]
  • DAGS by Elise Barelli and Alain Couvreur[22]
  • Edon-K by Matthieu Lequesne and Jean-Pierre Tillich[23]
  • RLCE by Alain Couvreur, Matthieu Lequesne, and Jean-Pierre Tillich[24]
  • Hila5 by Daniel J. Bernstein, Leon Groot Bruinderink, Tanja Lange and Lorenz Panny[25]
  • Giophantus by Ward Beullens, Wouter Castryck and Frederik Vercauteren[26]
  • RankSign by Thomas Debris-Alazard and Jean-Pierre Tillich [27]
  • McNie by Philippe Gaborit;[28] Terry Shue Chien Lau and Chik How Tan [29]

Round two[edit]

Candidates moving on to the second round were announced on January 30, 2019. They are:[30]

Type PKE/KEM Signature
Supersingular elliptic curve isogeny
Zero-knowledge proofs

Round three[edit]

On July 22, 2020, NIST announced seven finalists ("first track"), as well as eight alternate algorithms ("second track"). The first track contains the algorithms which appear to have the most promise, and will be considered for standardization at the end of the third round. Algorithms in the second track could still become part of the standard, after the third round ends.[51] NIST expects some of the alternate candidates to be considered in a fourth round. NIST also suggests it may re-open the signature category for new schemes proposals in the future.[52]

On June 7–9, 2021, NIST conducted the third PQC standardization conference, virtually.[53] The conference included candidates' updates and discussions on implementations, on performances, and on security issues of the candidates. A small amount of focus was spent on intellectual property concerns.


Type PKE/KEM Signature

Alternate candidates[edit]

Type PKE/KEM Signature
  • FrodoKEM
  • NTRU Prime
  • GeMSS
Supersingular elliptic curve isogeny
Zero-knowledge proofs
  • Picnic

Intellectual property concerns[edit]

After NIST's announcement regarding the finalists and the alternate candidates, various intellectual property concerns were voiced, notably surrounding lattice-based schemes such as Kyber and NewHope. NIST holds signed statements from submitting groups clearing any legal claims, but there is still a concern that third parties could raise claims. NIST claims that they will take such considerations into account while picking the winning algorithms.[54]

Round three submissions published attacks[edit]

  • Rainbow: by Ward Beullens on a classical computer[55]


During this round, some candidates have shown to be vulnerable to some attack vectors. It forces these candidates to adapt accordingly:

may change the nested hashes used in their proposals in order for their security claims to hold.[56]
side channel attack by . A masking may be added in order to resist the attack. This adaptation affects performance and should be considered while standardizing.[57]

Selected Algorithms 2022[edit]

On July 5, 2022, NIST announced the first group of winners from its six-year competition.[58][59]

Type PKE/KEM Signature

Round four[edit]

On July 5, 2022, NIST announced four candidates for PQC Standardization Round 4.[60]

Supersingular elliptic curve isogeny

Round four submissions published attacks[edit]

  • SIKE: by Wouter Castryck and Thomas Decru on a classical computer[61]

See also[edit]


  1. ^ "Post-Quantum Cryptography PQC". 3 January 2017.
  2. ^ "Post-Quantum Cryptography Standardization – Post-Quantum Cryptography". 3 January 2017. Retrieved 31 January 2019.
  3. ^ Moody, Dustin (24 November 2020). "The Future Is Now: Spreading the Word About Post-Quantum Cryptography". Nist.
  4. ^ "Archived copy". Archived from the original on 2017-12-29. Retrieved 2017-12-29.{{cite web}}: CS1 maint: archived copy as title (link)
  5. ^ Hong, Zhu (2001). "Survey of Computational Assumptions Used inCryptography Broken or Not by Shor's Algorithm" (PDF). {{cite journal}}: Cite journal requires |journal= (help)
  6. ^ "NIST Released NISTIR 8105, Report on Post-Quantum Cryptography". 21 December 2016. Retrieved 5 November 2019.
  7. ^ "NIST Asks Public to Help Future-Proof Electronic Information". Nist. 20 December 2016. Retrieved 5 November 2019.
  8. ^ Computer Security Division, Information Technology Laboratory (3 January 2017). "Round 1 Submissions – Post-Quantum Cryptography – CSRC". Retrieved 31 January 2019.
  9. ^ a b c "Archived copy". Archived from the original on 2017-12-29. Retrieved 2017-12-29.{{cite web}}: CS1 maint: archived copy as title (link)
  10. ^ a b "Google Groups". Retrieved 31 January 2019.
  11. ^ a b "ROLLO". Retrieved 31 January 2019.
  12. ^ RSA using 231 4096-bit primes for a total key size of 1 TiB. "Key almost fits on a hard drive" Bernstein, Daniel (2010-05-28). "McBits and Post-Quantum RSA" (PDF). Retrieved 2019-12-10.
  13. ^ Bernstein, Daniel; Heninger, Nadia (2017-04-19). "Post-quantum RSA" (PDF). Retrieved 2019-12-10.
  14. ^ "Dear all, the following Python script quickly recovers the message from a given "Guess Again" ciphertext without knowledge of the private key" (PDF). Retrieved 30 January 2019.
  15. ^ Panny, Lorenz (25 December 2017). "Fast key recovery attack against the "RVB" submission to #NISTPQC: t …. Computes private from public key". Twitter. Retrieved 31 January 2019.
  16. ^ "Comments on RaCoSS". Archived from the original on 2017-12-26. Retrieved 2018-01-04.
  17. ^ "Comments on HK17". Archived from the original on 2018-01-05. Retrieved 2018-01-04.
  18. ^ "Dear all, We have broken SRTPI under CPA and TPSig under KMA" (PDF). Retrieved 30 January 2019.
  19. ^ Beullens, Ward; Blackburn, Simon R. (2018). "Practical attacks against the Walnut digital signature scheme". Cryptology ePrint Archive.
  20. ^ Kotov, Matvei; Menshov, Anton; Ushakov, Alexander (2018). "AN ATTACK ON THE WALNUT DIGITAL SIGNATURE ALGORITHM". Cryptology ePrint Archive.
  21. ^ Yu, Yang; Ducas, Léo (2018). "Learning strikes again: the case of the DRS signature scheme". Cryptology ePrint Archive.
  22. ^ Barelli, Elise; Couvreur, Alain (2018). "An efficient structural attack on NIST submission DAGS". arXiv:1805.05429 [cs.CR].
  23. ^ Lequesne, Matthieu; Tillich, Jean-Pierre (2018). "Attack on the Edon-K Key Encapsulation Mechanism". arXiv:1802.06157 [cs.CR].
  24. ^ Couvreur, Alain; Lequesne, Matthieu; Tillich, Jean-Pierre (2018). "Recovering short secret keys of RLCE in polynomial time". arXiv:1805.11489 [cs.CR].
  25. ^ Bernstein, Daniel J.; Groot Bruinderink, Leon; Lange, Tanja; Lange, Lorenz (2017). "Hila5 Pindakaas: On the CCA security of lattice-based encryption with error correction". Cryptology ePrint Archive.
  26. ^ "Official Comments" (PDF). 13 September 2018.
  27. ^ Debris-Alazard, Thomas; Tillich, Jean-Pierre (2018). "Two attacks on rank metric code-based schemes: RankSign and an Identity-Based-Encryption scheme". arXiv:1804.02556 [cs.CR].
  28. ^ "I am afraid the parameters in this proposal have at most 4 to 6‐bits security under the Information Set Decoding (ISD) attack" (PDF). Retrieved 30 January 2019.
  29. ^ Lau, Terry Shue Chien; Tan, Chik How (31 January 2019). "Key Recovery Attack on McNie Based on Low Rank Parity Check Codes and Its Reparation". In Inomata, Atsuo; Yasuda, Kan (eds.). Advances in Information and Computer Security. Lecture Notes in Computer Science. Vol. 11049. Springer International Publishing. pp. 19–34. doi:10.1007/978-3-319-97916-8_2. ISBN 978-3-319-97915-1.
  30. ^ Computer Security Division, Information Technology Laboratory (3 January 2017). "Round 2 Submissions – Post-Quantum Cryptography – CSRC". Retrieved 31 January 2019.
  31. ^ a b Schwabe, Peter. "CRYSTALS". Retrieved 31 January 2019.
  32. ^ "FrodoKEM". Retrieved 31 January 2019.
  33. ^ Schwabe, Peter. "NewHope". Retrieved 31 January 2019.
  34. ^ "NTRU Prime: Intro". Archived from the original on 2019-09-01. Retrieved 2019-01-30.
  35. ^ "SABER". Retrieved 17 June 2019.
  36. ^ "ThreeBears". Retrieved 31 January 2019.
  37. ^ "Falcon". Falcon. Retrieved 26 June 2019.
  38. ^ "qTESLA – Efficient and post-quantum secure lattice-based signature scheme". Retrieved 31 January 2019.
  39. ^ "BIKE – Bit Flipping Key Encapsulation". Retrieved 31 January 2019.
  40. ^ "HQC". Retrieved 31 January 2019.
  41. ^ "LEDAkem Key Encapsulation Module". Retrieved 31 January 2019.
  42. ^ "LEDApkc Public Key Cryptosystem". Retrieved 31 January 2019.
  43. ^ "NTS-Kem". Archived from the original on 2017-12-29. Retrieved 2017-12-29.
  44. ^ "RQC". Retrieved 31 January 2019.
  45. ^
  46. ^ "GeMSS". Archived from the original on 2019-01-31. Retrieved 2019-01-30.
  47. ^ "LUOV -- An MQ signature scheme". Retrieved 22 January 2020.
  48. ^ "MQDSS post-quantum signature". Retrieved 31 January 2019.
  49. ^ "SIKE – Supersingular Isogeny Key Encapsulation". Retrieved 31 January 2019.
  50. ^ "Picnic. A Family of Post-Quantum Secure Digital Signature Algorithms". Retrieved 26 February 2019.
  51. ^ Moody, Dustin; Alagic, Gorjan; Apon, Daniel C.; Cooper, David A.; Dang, Quynh H.; Kelsey, John M.; Liu, Yi-Kai; Miller, Carl A.; Peralta, Rene C.; Perlner, Ray A.; Robinson, Angela Y.; Smith-Tone, Daniel C.; Alperin-Sheriff, Jacob (2020). "Status Report on the Second Round of the NIST Post-Quantum Cryptography Standardization Process". doi:10.6028/NIST.IR.8309. S2CID 243755462. Retrieved 2020-07-23. {{cite journal}}: Cite journal requires |journal= (help)
  52. ^ Third PQC Standardization Conference - Session I Welcome/Candidate Updates, retrieved 2021-07-06
  53. ^ Computer Security Division, Information Technology Laboratory (2021-02-10). "Third PQC Standardization Conference | CSRC". CSRC | NIST. Retrieved 2021-07-06.
  54. ^ "Submission Requirements and Evaluation Criteria" (PDF).
  55. ^ Beullens, Ward (2022). "Breaking Rainbow Takes a Weekend on a Laptop" (PDF).
  56. ^ Grubbs, Paul; Maram, Varun; Paterson, Kenneth G. (2021). "Anonymous, Robust Post-Quantum Public Key Encryption". Cryptology ePrint Archive.
  57. ^ Karabulut, Emre; Aysu, Aydin (2021). "Falcon Down: Breaking Falcon Post-Quantum Signature Scheme through Side-Channel Attacks". Cryptology ePrint Archive.
  58. ^ "NIST Announces First Four Quantum-Resistant Cryptographic Algorithms". NIST. 2022-07-05. Retrieved 2022-07-09.
  59. ^ "Selected Algorithms 2022". CSRC | NIST. 2022-07-05. Retrieved 2022-07-09.
  60. ^ "Round 4 Submissions". CSRC | NIST. 2022-07-05. Retrieved 2022-07-09.
  61. ^ Goodin, Dan. "Post-quantum encryption contender is taken out by single-core PC and 1 hour". Ars Technica. Retrieved 6 August 2022.

External links[edit]