NIST requests comments on the initial public drafts of three PQC Federal Information Processing Standards (FIPS)


Moody, Dustin (Fed)

Aug 24, 2023, 8:22:37 AM
to pqc-forum

We are very happy to announce that the draft PQC standards are now available!   

 

Dustin Moody 

NIST PQC 

 

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 

 

NIST requests comments on the initial public drafts of three Federal Information Processing Standards (FIPS): 

  1. FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard 
  2. FIPS 204, Module-Lattice-Based Digital Signature Standard 
  3. FIPS 205, Stateless Hash-Based Digital Signature Standard 

These proposed standards specify key establishment and digital signature schemes that are designed to resist future attacks by quantum computers, which threaten the security of current standards. The three algorithms specified in these standards are each derived from different submissions to the NIST Post-Quantum Cryptography Standardization Project.

The public comment period for these three drafts is open through November 22, 2023. See the publication details to download the drafts and for information on submitting comments. 

*** 

Draft FIPS 203 specifies a cryptographic scheme called the Module-Lattice-Based Key-Encapsulation Mechanism Standard which is derived from the CRYSTALS-KYBER submission. A key encapsulation mechanism (KEM) is a particular type of key establishment scheme that can be used to establish a shared secret key between two parties communicating over a public channel. Current NIST-approved key establishment schemes are specified in NIST Special Publication (SP) 800-56A, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm-Based Cryptography, and SP 800-56B, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography.

The drafts of FIPS 204 and 205 each specify digital signature schemes, which are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. FIPS 204 specifies the Module-Lattice-Based Digital Signature Standard, which is derived from the CRYSTALS-Dilithium submission. FIPS 205 specifies the Stateless Hash-Based Digital Signature Standard derived from the SPHINCS+ submission. Current NIST-approved digital signature schemes are specified in FIPS 186-5, Digital Signature Standard, and SP 800-208, Recommendation for Stateful Hash-based Signature Schemes. NIST is also developing a FIPS that specifies a digital signature algorithm derived from FALCON as an additional alternative to these standards.

 
Comments about these drafts may be submitted electronically via the following email addresses: 


   FIPS 203: fips-203...@nist.gov
   FIPS 204: fips-204...@nist.gov
   FIPS 205: fips-205...@nist.gov

 

All relevant comments received by the deadline of November 22, 2023 will be published electronically at https://csrc.nist.gov and www.regulations.gov without change or redaction, so commenters should not include information they do not wish to be posted (e.g., personal or confidential business information). Comments that contain profanity, vulgarity, threats, or other inappropriate language or content will not be posted or considered. 

 

After the comment period closes, NIST will analyze the comments, make changes to the documents as appropriate, and then propose the drafts FIPS 203, FIPS 204, and FIPS 205 to the Secretary of Commerce for approval. 

 

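Additional links:

   * Federal Register Notice: https://www.federalregister.gov/d/2023-18197
   * NIST news item: https://www.nist.gov/news-events/news/2023/08/nist-standardize-encryption-algorithms-can-resist-attack-quantum-computers
   * NIST CSRC news item: https://csrc.nist.gov/News/2023/three-draft-fips-for-post-quantum-cryptography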


Simon Hoerder

Aug 24, 2023, 12:52:36 PM
to pqc-forum
Hi,

Thanks for the draft standards, it is very good to have them. However, I notice that none of them contain a test vector. I believe it would be very useful to have at least a test vector included, maybe even at a suitably high level a worked example. This would help immensely with interoperability concerns.

Please note that I put the FIPS-20x...@nist.gov addresses in BCC to avoid list replies accidentally getting sent there.

Best regards,
Simon



김광조

Aug 24, 2023, 12:57:53 PM
to Simon Hoerder, pqc-forum

I agree with Simon 100%.

Thanks


======================================================
President  Kwangjo Kim
Emeritus Prof.@KAIST,  IACR Fellow

International Research ins. for  Cyber Security(IRCS)
#1202 Sungji Heights-tel, 2 Seohyeon-ro 210 Beon-gil,  Bundang-gu, Seongnam-si, 
Gyeonggi-do, 13591, Rep. of Korea
Tel: +82-703-1386 Mobile: +82-10-9414-1386 E-mail : k...@kaist.ac.kr
=====================================================

Anjan Roy

Aug 24, 2023, 1:40:05 PM
to Moody, Dustin (Fed), pqc-forum
Dear NIST,

Thank you very much - it's really good to see these draft standards finally out. But I totally agree with others that having test vectors will be very useful - at least for me, so that I can be sure that my implementations of PQC schemes are conformant to the draft standards. 

Regards,
Anjan 


Moody, Dustin (Fed)

Aug 24, 2023, 2:04:07 PM
to Simon Hoerder, pqc-forum
Simon (and others),

We agree that having test vectors is very important. However, we don't typically put the test vectors in the FIPS themselves. For example, if you look at the SHA-3 standard FIPS 202, in appendix B we point somewhere else, rather than having them in that document. Specifically, it points to our Computer Security Resources Center page where we prefer to put them. That way they can be more easily updated, while it is much more difficult to update a FIPS. We will update that page for the new PQC algorithms, and we'll be sure to announce when we do that. Thanks,

Dustin


 

Anjan Roy

Aug 24, 2023, 2:47:33 PM
to Moody, Dustin (Fed), Simon Hoerder, pqc-forum
Dustin,

It totally makes sense. Thank you for the clarification.

Cheers,
Anjan 


Erkan USLU

Aug 25, 2023, 6:29:56 AM
to pqc-...@list.nist.gov
Dear NIST PQC team,

According to part 1.3.2, the size of c^{tilde}, which is a part of the
signature, is increased for ML-DSA-65 and ML-DSA-87. However, in table
2 it can be seen that the signature sizes of ML-DSA-65 and
ML-DSA-87 are still the same as Dilithium-3 and Dilithium-5 respectively.


I think the actual signature sizes of these parameter sets should be
3309 (3293 + 16) bytes for ML-DSA-65 and 4627 (4595 + 32) bytes for
ML-DSA-87.

If I am wrong can you please correct me?

By the way, thanks for your effort on this standardization process and
great work.

Best,
Erkan USLU
Middle East Technical University



Simon Hoerder

Aug 28, 2023, 3:57:25 AM
to pqc-forum, Moody, Dustin (Fed)
Hi Dustin, all,

Thanks for the update. That makes sense and I’m looking forward to seeing those test vectors.

Best,
Simon




Anubhab Baksi

Aug 28, 2023, 4:45:49 AM
to pqc-forum, Moody, Dustin (Fed)
Dear Dustin (and others),

We would like to inform you about the erroneous estimation of the quantum attack complexity. This is due to some Q# related bugs in the Eurocrypt'20 paper from which the estimates were taken. The currently best-known results, as far as we know, are from our paper ("Quantum Analysis of AES" by Jang et al.) where we also presented bug-fixed results from the Eurocrypt'20 paper. We have notified the FIPS-203/-204/-205 email channels with more details.

Thanks,
Anubhab Baksi (and other authors)

Perlner, Ray A. (Fed)

Aug 29, 2023, 9:32:17 AM
to Erkan USLU, pqc-forum
Dear Erkan USLU,

3309 (3293 + 16) bytes for ML-DSA-65 and 4627 (4595 + 32) bytes for ML-DSA-87 are indeed the correct lengths. We will fix this in the final FIPS.
Thanks for letting us know,

Ray

Joost Renes

Sep 4, 2023, 5:10:35 AM
to Perlner, Ray A. (Fed), Erkan USLU, pqc-forum
Hi Ray and NIST PQC team,

A similar question for the private key sizes in Table 2, as the length of tr was increased from 32 to 64 bytes.
For Dilithium2 it would be 32 + 32 + 64 + 4 * 96 + 4 * 96 + 4 * 416 = 2560 bytes (as opposed to 2528).
Similarly, Dilithium3 and Dilithium5 private key sizes would be increased by 32 bytes.
Could you confirm whether this is correct or not?

Kind regards,
Joost


Perlner, Ray A. (Fed)

Sep 5, 2023, 1:18:36 PM
to Joost Renes, Erkan USLU, pqc-forum
Hi Joost,

Yes, the correct private key sizes for the three ML-DSA parameter sets are indeed 2560, 4032, and 4896 bytes. We will correct this in the final version of the FIPS.

Thank you for pointing this out,
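The signature and private key sizes confirmed in the two exchanges above can be recomputed from the encoding layout; this is an added example, not part of the original posts and not NIST code. The parameter values (k, l, eta, gamma1, omega, lambda) and all function names are supplied here as assumptions rather than quoted from the thread.

```python
from dataclasses import dataclass

D = 13  # low-order bits dropped from t; t0 coefficients take D bits each


@dataclass(frozen=True)
class ParamSet:
    k: int            # rows of the matrix A
    l: int            # columns of the matrix A
    eta: int          # bound on the secret coefficients of s1, s2
    gamma1_bits: int  # gamma1 = 2**gamma1_bits
    omega: int        # maximum number of 1s in the hint
    lam: int          # collision strength of c~ in bits


# Parameter sets as published for ML-DSA (supplied here, not from the thread).
PARAMS = {
    "ML-DSA-44": ParamSet(4, 4, 2, 17, 80, 128),
    "ML-DSA-65": ParamSet(6, 5, 4, 19, 55, 192),
    "ML-DSA-87": ParamSet(8, 7, 2, 19, 75, 256),
}


def encoded_sizes(p, ctilde_len, tr_len):
    """Byte lengths of the encoded private key and signature.

    A polynomial has 256 coefficients, so b bits per coefficient
    packs into 256 * b / 8 = 32 * b bytes.
    """
    eta_bits = (2 * p.eta).bit_length()
    sk = 32 + 32 + tr_len                  # rho, K, tr
    sk += 32 * p.l * eta_bits              # s1
    sk += 32 * p.k * eta_bits              # s2
    sk += 32 * p.k * D                     # t0
    sig = ctilde_len                       # c~
    sig += 32 * p.l * (1 + p.gamma1_bits)  # z
    sig += p.omega + p.k                   # hint h
    return {"sk": sk, "sig": sig}


def round3_sizes(name):
    # Dilithium layout referred to in the thread: 32-byte c~, 32-byte tr.
    return encoded_sizes(PARAMS[name], 32, 32)


def draft_sizes(name):
    # ML-DSA layout: c~ is lambda/4 bytes, tr is 64 bytes.
    p = PARAMS[name]
    return encoded_sizes(p, p.lam // 4, 64)


def classify_length(name, kind, length):
    """Report which layout(s) a received 'sk' or 'sig' length matches."""
    matches = []
    if length == draft_sizes(name)[kind]:
        matches.append("ml-dsa")
    if length == round3_sizes(name)[kind]:
        matches.append("round3")
    return matches or ["invalid"]


if __name__ == "__main__":
    for name in PARAMS:
        print(name, "round3", round3_sizes(name), "ml-dsa", draft_sizes(name))
```

For ML-DSA-44 the signature length is the same in both layouts, so a length check alone cannot tell an old-format signature from a new one at that parameter set.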

Anubhab Baksi

Mar 1, 2024, 1:36:59 AM
to pqc-forum
Dear community,

 

With regard to the Asiacrypt'23 paper on quantum analysis of AES (available at: https://eprint.iacr.org/2023/1417), we would like to note the following points.

 

Our paper (available at: https://eprint.iacr.org/2022/683) has better results than what is reported in that paper. One may also note that (an earlier version of) our paper was cited by this paper as a major reference/motivation. Moreover, while going through their source code, we seem to notice some bugs, which apparently underestimated the actual cost. We are currently working on fixing the bugs, and will update our paper with the new results.

 

Thanks and best regards,

Anubhab, Kyungbae, Anupam, Hwajeong and other co-authors
