Announcement
After careful consideration during the 3rd Round of the NIST PQC Standardization Process, NIST has identified four candidate algorithms for standardization. The primary algorithms NIST recommends be implemented for most use cases are CRYSTALS-KYBER (key-establishment) and CRYSTALS-Dilithium (digital signatures). In addition, the signature schemes Falcon and SPHINCS+ will also be standardized.
Algorithms to be Standardized
Public-Key Encryption/KEMs
CRYSTALS-KYBER
Digital Signatures
CRYSTALS-Dilithium
Falcon
SPHINCS+
CRYSTALS-KYBER (key-establishment) and CRYSTALS-Dilithium (digital signatures) were both selected for their strong security and excellent performance, and NIST expects them to work well in most applications. Falcon will also be standardized by NIST since there may be use cases for which CRYSTALS-Dilithium signatures are too large. Additionally, SPHINCS+ will be standardized to avoid only relying on the security of lattices for signatures. NIST asks for public feedback on a version of SPHINCS+ with a lower number of maximum signatures.
Additionally, the following candidate KEM algorithms will advance to the fourth round:
4th Round Candidates
Public-Key Encryption/KEMs
BIKE
Classic McEliece
HQC
SIKE
Both BIKE and HQC are based on structured codes, and either would be suitable as a general-purpose KEM that is not based on lattices. NIST expects to select at most one of these two candidates for standardization at the conclusion of the fourth round. SIKE remains an attractive candidate for standardization because of its small key and ciphertext sizes and will continue to study it in the fourth round. Classic McEliece was a finalist but is not being standardized by NIST at this time. Although Classic McEliece is widely regarded as secure, NIST does not anticipate it being widely used due to its large public key size. NIST may choose to standardize Classic McEliece at the end of the fourth round.
For the algorithms moving on to the fourth round, NIST will allow the submission teams to provide updated specifications and implementations (“tweaks”). The deadline for these tweaks will be October 1, 2022. Any submission team that feels that they may not meet the deadline should contact NIST as soon as possible. NIST will review the proposed modifications and publish the accepted submissions shortly afterwards. As a general guideline, NIST expects any modifications to be relatively minor. The fourth round will proceed similarly to the previous rounds. More detailed information and guidance will be provided in another message.
A detailed description of the decision process and rationale for selection will be included in NIST Interagency or Internal Report (NISTIR) 8413, Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process, which will soon be available at https://csrc.nist.gov/publications and on the NIST post-quantum webpage https://nist.gov/pqcrypto. Questions may be directed to pqc-co...@nist.gov.
NIST will create new draft standards for the algorithms to be standardized and will coordinate with the submission teams to ensure that the standards comply with the specifications. As part of the drafting process, NIST will seek input on specific parameter sets to include, particularly for security category 1. When finished, the standards will be posted for public comment. After the close of the comment period, NIST will revise the draft standards as appropriate based on the feedback received. A final review, approval, and promulgation process will then follow.
NIST will hold a 4th NIST PQC Standardization Conference on November 29 – December 1, 2022. The conference details have not yet been finalized. The preliminary Call for Papers will be posted, both on the pqc-forum and the NIST PQC webpage http://nist.gov/pqcrypto.
NIST also plans to issue a new Call for Proposals for public-key (quantum-resistant) digital signature algorithms by the end of summer 2022. NIST is primarily looking to diversify its signature portfolio, so signature schemes that are not based on structured lattices are of greatest interest. NIST would like submissions for signature schemes that have short signatures and fast verification (e.g., UOV). Submissions in response to this call will be due by June 1, 2023. Submitters are encouraged to communicate with NIST ahead of time. NIST will decide which (if any) of the submitted signature algorithms to accept and will initiate a new process for evaluation. NIST expects this process to be much smaller in scope than the current PQC process. The signature schemes accepted to this process will need to be thoroughly analyzed, which will similarly take several years.
NIST would like to thank the community and all of the submission teams for their efforts in this standardization process and hopes that the teams whose schemes were not selected to advance will continue to participate by evaluating and analyzing the remaining cryptosystems alongside the cryptographic community at large. These combined efforts are crucial to the development of NIST’s future post-quantum public-key standards.
The NIST PQC team
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/SA1PR09MB866933A15C3568FC510B4B68E5819%40SA1PR09MB8669.namprd09.prod.outlook.com.
Guidelines for submitting tweaks for Fourth Round Candidates
Deadline: October 1, 2022
Candidate teams must meet the same submission requirements and minimum acceptability criteria stated in the original Call for Proposals. Submissions must be submitted to NIST at pqc-sub...@nist.gov by October 1, 2022. Submissions should include a cover sheet, algorithm specifications (and other supporting documentation), and optical/digital media (e.g., implementations, known-answer test files, etc.) as described in Section 2 of the original Call For Proposals. In addition, NIST requires a short document outlining the modifications introduced in the new submission. This document should be included in the supporting documentation folder of the submission (see Section 2.C.4 of the CFP). NIST will review the proposed changes to determine whether they meet the submission requirements and minimum acceptability requirements, as well as whether they significantly affect the design of the algorithm and require a major reevaluation. As a general guideline, NIST expects any modifications to be relatively minor. It would be helpful if submission teams provided NIST with a summary of their expected changes prior to the deadline. If the deadline will pose a problem for any submission team, they should contact NIST in advance.
NIST does NOT need new signed IP statements unless new submission team members have
been added or the status of intellectual property for the submission has changed. If either of
these cases apply, NIST will need new signed IP statements (see Section 2.D of the CFP). These
statements must be actual hard copies – not digital scans – and must be provided to NIST by the 4th NIST PQC Standardization Conference (December 1, 2022).
NIST is aware that some submission packages may be large in size. The email system for pqc-submi...@nist.gov can only accept files up to 25MB. For larger files, candidate teams may upload submission packages at a location of their choosing and send NIST the download link. If that option is not suitable, NIST has a file transfer system that can be used (please email pqc-co...@nist.gov for more details). NIST will review the submitted packages as quickly as possible and post the candidate submission packages that are complete and proper on www.nist.gov/pqcrypto. Teams are encouraged to submit early. General questions may be asked on the pqc-forum. For more specific questions, please email pqc-co...@nist.gov.
The NIST PQC team
--
During PQC Standardization, the United States Department of Commerce’s National Institute of Standards and Technology (NIST) has worked on selecting a cryptographic key encapsulation algorithm that would protect information from attacks by classical and quantum computers. In furtherance of NIST’s PQC Standardization efforts, NIST and Dr. Jintai Ding announce intentions to enter into a patent license agreement, wherein a patent owned by Dr. Ding’s Ohio-based company, Algo Consulting, would be licensed to NIST. As a result of this patent license agreement, implementers and end users of NIST’s PQC standard, which will be based on the selected cryptographic key encapsulation algorithm, will not need a separate license from Algo Consulting, Inc. This will promote the timely and widespread adoption of NIST’s PQC standard, a shared goal of NIST and Dr. Ding.
NIST appreciates Dr. Ding’s efforts and cooperation and will announce its selection of the cryptographic key encapsulation algorithm as soon as reasonably possible.
The NIST PQC team
Dr. Jintai Ding, owner Algo Consulting, Inc.
From: 'Moody, Dustin (Fed)' via pqc-forum <pqc-...@list.nist.gov>
Sent: Tuesday, July 5, 2022 11:32 AM
To: pqc-forum <pqc-...@list.nist.gov>
Subject: [pqc-forum] Announcement: The End of the 3rd Round - the First PQC Algorithms to be Standardized
Announcement
--
Call for Papers for the 4th NIST PQC Standardization Conference
Location: Virtual
November 29 – December 1, 2022
Submission deadline: September 15, 2022
(Conference without proceedings)
NIST plans to hold the 4th NIST PQC Standardization Conference from November 29 to December 1, 2022. The purpose of the conference is to discuss various aspects of the candidate algorithms and to obtain valuable feedback for informing decisions on standardization. NIST will invite the submission teams for both the selected algorithms, as well as the algorithms advancing to the fourth round, to give an update on their algorithms.
In addition, NIST is soliciting research and discussion papers, surveys, presentations, case
studies, panel proposals, and participation from all interested parties, including researchers,
system architects, implementors, vendors, and users. NIST will post the accepted papers and
presentations on the conference website after the conference; however, no formal proceedings
will be published. NIST encourages the submission of presentations and reports on preliminary
work that participants plan to publish elsewhere.
Topics for submissions should include but are not limited to:
Submissions should be provided electronically, in PDF, for standard US letter-size paper (8.5 x
11 inches). Submitted papers must not exceed 20 pages, excluding references and appendices
(single space, with 1-inch margins using a 10 pt or larger font). Proposals for panels should be
no longer than five pages and should include possible panelists and an indication of which
panelists have confirmed their participation.
Please submit the following information to pqc...@nist.gov:
All submissions will be acknowledged.
General information about the conference, including registration information, will be available at the conference website: http://www.nist.gov/pqcrypto.
From: 'Moody, Dustin (Fed)' via pqc-forum <pqc-...@list.nist.gov>
Sent: Tuesday, July 5, 2022 11:32 AM
To: pqc-forum <pqc-...@list.nist.gov>
Subject: [pqc-forum] Announcement: The End of the 3rd Round - the First PQC Algorithms to be Standardized
Announcement
--
Sorry for so many messages!
Here’s the link to the official NIST announcement. Please share:
Here’s the link to NISTIR 8413: Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process, which explains the rationale behind the decisions.
https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8413.pdf
Dustin
From: 'Moody, Dustin (Fed)' via pqc-forum <pqc-...@list.nist.gov>
Sent: Tuesday, July 5, 2022 11:32 AM
To: pqc-forum <pqc-...@list.nist.gov>
Subject: [pqc-forum] Announcement: The End of the 3rd Round - the First PQC Algorithms to be Standardized
Announcement
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To view this discussion on the web visit
Can we get the text of the actual license agreement between NIST and CNRS/University of Limoges?
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/SA1PR09MB86697183D3615A85EB2FAC3BE5809%40SA1PR09MB8669.namprd09.prod.outlook.com.
Hi,
Do anybody know if we can expect an update of the CNSA suite in a few days or will it take months? That is another very important announcement. The NSA PQC FAQ states:
"The intention is to update CNSA to remove quantum-vulnerable algorithms and replace them with a subset of the quantum-resistant algorithms selected by NIST at the end of the third round of the NIST post-quantum effort"
https://www.nsa.gov/Cybersecurity/Post-Quantum-Cybersecurity-Resources/
Suite B was very influencial. The algorithms, modes, and parameters chosen for CNSA will likely have a big influence on enterprises and various industries.
Cheers,
John Preuß Mattsson
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/HE1PR0701MB3050DE85057A661E22566FB989809%40HE1PR0701MB3050.eurprd07.prod.outlook.com.
I assume that the standards need to be written before they can be adopted into the CNSA Suite?
---
Mike Ounsworth
From: 'John Mattsson' via pqc-forum <pqc-...@list.nist.gov>
Sent: July 6, 2022 1:01 PM
To: pqc-forum <pqc-...@list.nist.gov>
Subject: [EXTERNAL] [pqc-forum] Re: Announcement: The End of the 3rd Round - the First PQC Algorithms to be Standardized
WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/HE1PR0701MB3050DE85057A661E22566FB989809%40HE1PR0701MB3050.eurprd07.prod.outlook.com.
I assume that the standards need to be written before they can be adopted into the CNSA Suite?
This is my assumption as well.
Now we know what algorithms will be standardized – but not the exact parameter sets, format of the bits-on-the-wire, etc. And the upcoming standards will have to undergo public discussion first.
Thanks
From: 'John Mattsson' via pqc-forum <pqc-...@list.nist.gov>
Sent: July 6, 2022 1:01 PM
To: pqc-forum <pqc-...@list.nist.gov>
Subject: [EXTERNAL] [pqc-forum] Re: Announcement: The End of the 3rd Round - the First PQC Algorithms to be Standardized
WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
Hi,
Do anybody know if we can expect an update of the CNSA suite in a few days or will it take months? That is another very important announcement. The NSA PQC FAQ states:
"The intention is to update CNSA to remove quantum-vulnerable algorithms and replace them with a subset of the quantum-resistant algorithms selected by NIST at the end of the third round of the NIST post-quantum effort"
https://www.nsa.gov/Cybersecurity/Post-Quantum-Cybersecurity-Resources/
Suite B was very influencial. The algorithms, modes, and parameters chosen for CNSA will likely have a big influence on enterprises and various industries.
Cheers,
John Preuß Mattsson
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/HE1PR0701MB3050DE85057A661E22566FB989809%40HE1PR0701MB3050.eurprd07.prod.outlook.com.
Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/CH0PR11MB573974BF84D7CD9C0456A06A9F809%40CH0PR11MB5739.namprd11.prod.outlook.com.
NSA does not currently have a set date for release of "CNSA 2.0.” We hope to have an update soon, after we have completed our review of NIST's report and worked through internal reviews. It will probably take longer than days, hopefully less than months.
Cheers,
Adrian
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/B17A6A63-5E58-4206-B3CD-95307DF7607B%40ll.mit.edu.
Forgot to include—
This will be guidance only for now.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/ade2b14f7ccc425f8aef5fdf6fa1fc76%40nsa.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/B17A6A63-5E58-4206-B3CD-95307DF7607B%40ll.mit.edu.
Ideally – no tweaks would be necessary. In practice, however, we can’t know (yet).
And the standard would have to spell out all the details, so that one could (re-)create an interoperable implementation from scratch.
--
V/R,
Uri
From: Dan Brown <dani...@blackberry.com>
Date: Wednesday, July 6, 2022 at 16:09
To: Daniel Apon <dapon....@gmail.com>, Uri Blumenthal <u...@ll.mit.edu>
Cc: Mike Ounsworth <Mike.Ou...@entrust.com>, John Mattsson <john.m...@ericsson.com>, pqc-forum <pqc-...@list.nist.gov>
Subject: RE: [pqc-forum] RE: Announcement: The End of the 3rd Round - the First PQC Algorithms to be Standardized
The submitted specifications already included parameters, and the reference implementation included bits-on-the-wire formats implied by the api.h files.
Small changes in cryptography can mean big changes in security. So, ideally, no more changes will be needed.
Dan
From: pqc-...@list.nist.gov <pqc-...@list.nist.gov> On Behalf Of Daniel Apon
Sent: Wednesday, July 6, 2022 3:43 PM
To: Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu>
Cc: Mike Ounsworth <Mike.Ou...@entrust.com>; John Mattsson <john.m...@ericsson.com>; pqc-forum <pqc-...@list.nist.gov>
Subject: Re: [pqc-forum] RE: Announcement: The End of the 3rd Round - the First PQC Algorithms to be Standardized
CAUTION - This email is from an external source. Please be cautious with links and attachments. (go/taginfo) |
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/CAPxHsSLxUe5MS8hKX1tjr-bPC6M5YOL3AACAjhpEUuhyEkqEpw%40mail.gmail.com.
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.
As stated in our announcement yesterday: "NIST also plans to issue a new Call for Proposals for public-key (quantum-resistant) digital signature algorithms by the end of summer 2022. NIST is primarily looking to diversify its signature portfolio, so signature schemes that are not based on structured lattices are of greatest interest. NIST would like submissions for signature schemes that have short signatures and fast verification. Submissions in response to this call will be due by June 1, 2023. Submitters are encouraged to communicate with NIST ahead of time. NIST will decide which (if any) of the submitted signature algorithms to accept and will initiate a new process for evaluation. NIST expects this process to be much smaller in scope than the current PQC process. The signature schemes accepted to this process will need to be thoroughly analyzed, which will similarly take several years."
We’re willing to look at any (including lattice-based) signature scheme, but we will only move them forward in the “on-ramp” standardization process if they align with the stated priorities above. For lattice-based signatures, they would also need to substantially improve over what we already selected. NIST will consider the submissions on a case by case basis. You can look for more detailed information when the new call for signatures is released.
Dustin Moody
NIST
Let me be more explicit.
I have not talked to the Cisco execs; I cannot imagine that they would approve the use of Kyber without an assessment of the Cisco liability (and associated licensing fees, if any).
I have not talked to the Cisco lawyers; I cannot imagine that they would be willing to give any such assurance without an examination of the licenses (and an examination of the press releases would not be sufficient).
Hence, until we get the text of the licenses (both the one signed with CNRS and the one to be signed with Algo Consulting), Cisco cannot use Kyber. If continues to be true, we will need to seek an alternative solution.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/DM4PR11MB5455A7327EC94163B5E67668C18B9%40DM4PR11MB5455.namprd11.prod.outlook.com.
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/20220716033215.988731.qmail%40cr.yp.to.
6.2 Performance benchmarking of NTRUrobust, Saber, and Kyber
In this subsection, we present the performance results of our NTRUrobust release compared to the FairSaber and Kyber1024 releases of SABER and KYBER post-quantum KEM schemes, which their parameter sets meet the category 5 security Levels.
with parameters {n=1024,
q=65537, p=2}
Table 2: Performance benchmarking between NTRUrobust, FireSaber, and Kyber1024 releases. The result values are given in milliseconds (ms):
|
The reader can see our paper at the link:
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/20220716033215.988731.qmail%40cr.yp.to.