Announcement: The End of the 3rd Round - the First PQC Algorithms to be Standardized


Moody, Dustin (Fed)

Jul 5, 2022, 11:32:17 AM
to pqc-forum

Announcement

 

After careful consideration during the 3rd Round of the NIST PQC Standardization Process, NIST has identified four candidate algorithms for standardization. The primary algorithms NIST recommends be implemented for most use cases are CRYSTALS-KYBER (key-establishment) and CRYSTALS-Dilithium (digital signatures).  In addition, the signature schemes Falcon and SPHINCS+ will also be standardized.

 

Algorithms to be Standardized

Public-Key Encryption/KEMs
  • CRYSTALS-KYBER

Digital Signatures
  • CRYSTALS-Dilithium
  • Falcon
  • SPHINCS+


CRYSTALS-KYBER (key-establishment) and CRYSTALS-Dilithium (digital signatures) were both selected for their strong security and excellent performance, and NIST expects them to work well in most applications. Falcon will also be standardized by NIST since there may be use cases for which CRYSTALS-Dilithium signatures are too large. Additionally, SPHINCS+ will be standardized to avoid only relying on the security of lattices for signatures. NIST asks for public feedback on a version of SPHINCS+ with a lower number of maximum signatures.

 

Additionally, the following candidate KEM algorithms will advance to the fourth round:

 

4th Round Candidates

Public-Key Encryption/KEMs
  • BIKE
  • Classic McEliece
  • HQC
  • SIKE


Both BIKE and HQC are based on structured codes, and either would be suitable as a general-purpose KEM that is not based on lattices. NIST expects to select at most one of these two candidates for standardization at the conclusion of the fourth round. SIKE remains an attractive candidate for standardization because of its small key and ciphertext sizes, and NIST will continue to study it in the fourth round. Classic McEliece was a finalist but is not being standardized by NIST at this time. Although Classic McEliece is widely regarded as secure, NIST does not anticipate it being widely used due to its large public key size. NIST may choose to standardize Classic McEliece at the end of the fourth round.

 

For the algorithms moving on to the fourth round, NIST will allow the submission teams to provide updated specifications and implementations (“tweaks”). The deadline for these tweaks will be October 1, 2022. Any submission team that feels that they may not meet the deadline should contact NIST as soon as possible. NIST will review the proposed modifications and publish the accepted submissions shortly afterwards. As a general guideline, NIST expects any modifications to be relatively minor. The fourth round will proceed similarly to the previous rounds. More detailed information and guidance will be provided in another message.

 

A detailed description of the decision process and rationale for selection will be included in NIST Interagency or Internal Report (NISTIR) 8413, Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process, which will soon be available at https://csrc.nist.gov/publications and on the NIST post-quantum webpage https://nist.gov/pqcrypto. Questions may be directed to pqc-co...@nist.gov.

 

NIST will create new draft standards for the algorithms to be standardized and will coordinate with the submission teams to ensure that the standards comply with the specifications. As part of the drafting process, NIST will seek input on specific parameter sets to include, particularly for security category 1. When finished, the standards will be posted for public comment. After the close of the comment period, NIST will revise the draft standards as appropriate based on the feedback received. A final review, approval, and promulgation process will then follow.

 

NIST will hold a 4th NIST PQC Standardization Conference on November 29 – December 1, 2022. The conference details have not yet been finalized. The preliminary Call for Papers will be posted, both on the pqc-forum and the NIST PQC webpage http://nist.gov/pqcrypto.

NIST also plans to issue a new Call for Proposals for public-key (quantum-resistant) digital signature algorithms by the end of summer 2022. NIST is primarily looking to diversify its signature portfolio, so signature schemes that are not based on structured lattices are of greatest interest. NIST would like submissions for signature schemes that have short signatures and fast verification (e.g., UOV). Submissions in response to this call will be due by June 1, 2023. Submitters are encouraged to communicate with NIST ahead of time. NIST will decide which (if any) of the submitted signature algorithms to accept and will initiate a new process for evaluation. NIST expects this process to be much smaller in scope than the current PQC process. The signature schemes accepted to this process will need to be thoroughly analyzed, which will similarly take several years. 

 

NIST would like to thank the community and all of the submission teams for their efforts in this standardization process and hopes that the teams whose schemes were not selected to advance will continue to participate by evaluating and analyzing the remaining cryptosystems alongside the cryptographic community at large. These combined efforts are crucial to the development of NIST’s future post-quantum public-key standards.

 

 

The NIST PQC team

 

Deirdre Connolly

Jul 5, 2022, 11:45:04 AM
to Moody, Dustin (Fed), pqc-forum
Congratulations and thank you to the NIST team and all the submitters! 🎇

--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/SA1PR09MB866933A15C3568FC510B4B68E5819%40SA1PR09MB8669.namprd09.prod.outlook.com.

Doge Protocol

Jul 5, 2022, 12:27:15 PM
to pqc-forum, dustin...@nist.gov
Thanks NIST team!

>>>NIST would like submissions for signature schemes that have short signatures and fast verification (e.g., UOV).

On this, will having shorter public keys also be a pre-requisite for submissions or only shorter signatures is a pre-req?

Yesterday there was a paper posted that improves on Falcon signature size. Would this and similar improvements in the future also be considered eligible for submission?

Moody, Dustin (Fed)

Jul 5, 2022, 1:34:31 PM
to pqc-forum

Guidelines for submitting tweaks for Fourth Round Candidates

Deadline: October 1, 2022

 

Candidate teams must meet the same submission requirements and minimum acceptability criteria stated in the original Call for Proposals. Submissions must be submitted to NIST at pqc-sub...@nist.gov by October 1, 2022. Submissions should include a cover sheet, algorithm specifications (and other supporting documentation), and optical/digital media (e.g., implementations, known-answer test files, etc.) as described in Section 2 of the original Call For Proposals. In addition, NIST requires a short document outlining the modifications introduced in the new submission. This document should be included in the supporting documentation folder of the submission (see Section 2.C.4 of the CFP). NIST will review the proposed changes to determine whether they meet the submission requirements and minimum acceptability requirements, as well as whether they significantly affect the design of the algorithm and require a major reevaluation. As a general guideline, NIST expects any modifications to be relatively minor. It would be helpful if submission teams provided NIST with a summary of their expected changes prior to the deadline. If the deadline will pose a problem for any submission team, they should contact NIST in advance.

 

NIST does NOT need new signed IP statements unless new submission team members have been added or the status of intellectual property for the submission has changed. If either of these cases apply, NIST will need new signed IP statements (see Section 2.D of the CFP). These statements must be actual hard copies – not digital scans – and must be provided to NIST by the 4th NIST PQC Standardization Conference (December 1, 2022).

 

NIST is aware that some submission packages may be large in size. The email system for pqc-submi...@nist.gov can only accept files up to 25MB. For larger files, candidate teams may upload submission packages at a location of their choosing and send NIST the download link. If that option is not suitable, NIST has a file transfer system that can be used (please email pqc-co...@nist.gov for more details). NIST will review the submitted packages as quickly as possible and post the candidate submission packages that are complete and proper on www.nist.gov/pqcrypto. Teams are encouraged to submit early. General questions may be asked on the pqc-forum. For more specific questions, please email pqc-co...@nist.gov.

 

The NIST PQC team

--

Moody, Dustin (Fed)

Jul 5, 2022, 1:34:56 PM
to pqc-forum

During PQC Standardization, the United States Department of Commerce’s National Institute of Standards and Technology (NIST) has worked on selecting a cryptographic key encapsulation algorithm that would protect information from attacks by classical and quantum computers.  In furtherance of NIST’s PQC Standardization efforts, NIST and Dr. Jintai Ding announce intentions to enter into a patent license agreement, wherein a patent owned by Dr. Ding’s Ohio-based company, Algo Consulting, would be licensed to NIST.  As a result of this patent license agreement, implementers and end users of NIST’s PQC standard, which will be based on the selected cryptographic key encapsulation algorithm, will not need a separate license from Algo Consulting, Inc.  This will promote the timely and widespread adoption of NIST’s PQC standard, a shared goal of NIST and Dr. Ding.

 

NIST appreciates Dr. Ding’s efforts and cooperation and will announce its selection of the cryptographic key encapsulation algorithm as soon as reasonably possible.

 

The NIST PQC team

Dr. Jintai Ding, owner Algo Consulting, Inc.

 

 


Moody, Dustin (Fed)

Jul 5, 2022, 1:35:29 PM
to pqc-forum

Call for Papers for the 4th NIST PQC Standardization Conference

Location: Virtual

November 29 – December 1, 2022

Submission deadline:  September 15, 2022

(Conference without proceedings)

 

NIST plans to hold the 4th NIST PQC Standardization Conference from November 29 to December 1, 2022.  The purpose of the conference is to discuss various aspects of the candidate algorithms and to obtain valuable feedback for informing decisions on standardization. NIST will invite the submission teams for both the selected algorithms, as well as the algorithms advancing to the fourth round, to give an update on their algorithms.

 

In addition, NIST is soliciting research and discussion papers, surveys, presentations, case studies, panel proposals, and participation from all interested parties, including researchers, system architects, implementors, vendors, and users. NIST will post the accepted papers and presentations on the conference website after the conference; however, no formal proceedings will be published. NIST encourages the submission of presentations and reports on preliminary work that participants plan to publish elsewhere.

 

Topics for submissions should include but are not limited to:

 

  • Classical and quantum cryptanalysis of the algorithms, including cryptanalysis of weakened or toy versions
  • Analysis of relative performance or resource requirements for some or all of the algorithms
  • Assessments of classical and quantum security strengths of the algorithms
  • Systemization of knowledge relevant to the NIST PQC standardization process
  • Substantial improvements in the implementation of algorithms
  • Improved analysis or proofs of properties of finalists/candidates, even when this does not lead to any attack
  • Proposed criteria to be used for selecting algorithms for standardization
  • Impacts to existing applications and protocols (e.g., changes needed to accommodate specific algorithms)
  • Steps or strategies for organizations to prepare for the coming transition

 

 

Submissions should be provided electronically, in PDF, for standard US letter-size paper (8.5 x 11 inches). Submitted papers must not exceed 20 pages, excluding references and appendices (single space, with 1-inch margins using a 10 pt or larger font). Proposals for panels should be no longer than five pages and should include possible panelists and an indication of which panelists have confirmed their participation.

 

Please submit the following information to pqc...@nist.gov:

 

  • Name, affiliation, email, phone number (optional), postal address (optional) for the primary submitter
  • First name, last name, and affiliation of each co-submitter
  • Finished paper, presentation, or panel proposal in PDF format as an attachment

 

All submissions will be acknowledged.

 

General information about the conference, including registration information, will be available at the conference website: http://www.nist.gov/pqcrypto.

 

 


Moody, Dustin (Fed)

Jul 5, 2022, 1:36:32 PM
to pqc-forum

Sorry for so many messages! 

 

Here’s the link to the official NIST announcement.  Please share:

 

https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms

 

 

Here’s the link to NISTIR 8413:  Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process, which explains the rationale behind the decisions.

 

https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8413.pdf

 

Dustin

 

 


ToTheMars ABC

Jul 5, 2022, 1:50:26 PM
to pqc-forum, dustin...@nist.gov
Can someone tell me why there is no rainbow signature in the list? Isn't it a 3rd round finalist?

Gustavo Banegas

Jul 5, 2022, 1:54:17 PM
to ToTheMars ABC, pqc-forum, dustin...@nist.gov
Well,
As Dustin pointed in the first email, there is a report that details all the choices. It includes why some of the schemes were not selected. For Rainbow, please read page 51.

All the best,
Gustavo
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

D. J. Bernstein

Jul 5, 2022, 4:04:16 PM
to pqc-...@list.nist.gov
'Moody, Dustin (Fed)' via pqc-forum writes:
> NIST and Dr. Jintai Ding announce intentions to enter into a patent
> license agreement

Great. Is there a specific schedule for the completion of this
agreement?

[ implementors and end users ]
> will not need a separate license

That's good to hear. But will the agreement have limitations and poison
pills similar to the "grant" that NIST previously obtained from ISARA
(https://web.archive.org/web/20201101181903/https://www.isara.com/nist-grant.html)?

In any case, congratulations to Dr. Ding and the rest of the Kyber team
regarding Kyber's selection for standardization!

---D. J. Bernstein

P.S. Also, regarding signatures, congratulations to the Dilithium and
Falcon teams! And, since I'm just one of a huge number of members of the
SPHINCS+ team, maybe I'm allowed to congratulate SPHINCS+ too.

Moody, Dustin (Fed)

Jul 6, 2022, 12:24:45 PM
to pqc-forum

Scott Fluhrer (sfluhrer)

Jul 6, 2022, 1:14:29 PM
to Moody, Dustin (Fed), pqc-forum

Can we get the text of the actual license agreement between NIST and CNRS/University of Limoges?

John Mattsson

Jul 6, 2022, 2:01:26 PM
to pqc-forum

Hi,

 

Does anybody know if we can expect an update of the CNSA suite in a few days, or will it take months? That is another very important announcement. The NSA PQC FAQ states:

 

"The intention is to update CNSA to remove quantum-vulnerable algorithms and replace them with a subset of the quantum-resistant algorithms selected by NIST at the end of the third round of the NIST post-quantum effort"

 

https://www.nsa.gov/Cybersecurity/Post-Quantum-Cybersecurity-Resources/

 

Suite B was very influential. The algorithms, modes, and parameters chosen for CNSA will likely have a big influence on enterprises and various industries.

 

Cheers,

John Preuß Mattsson

EL HASSANE LAAJI

Jul 6, 2022, 2:17:50 PM
to pqc-forum
Hi.
Congratulations to the teams whose schemes were selected.
I ask if the NTRU scheme (Public-Key Encryption/KEMs) will die???
Best regards.


Mike Ounsworth

Jul 6, 2022, 2:24:49 PM
to John Mattsson, pqc-forum

I assume that the standards need to be written before they can be adopted into the CNSA Suite?

 

---

Mike Ounsworth

 


Q R

Jul 6, 2022, 2:37:02 PM
to John Mattsson, pqc-forum
That is an excellent question.

I cannot imagine how anyone can implement these without having the
final standards from NIST.

It does not seem like a good approach to just say - go use the
algorithms as-is because it seems like there is a lot of work yet to
be done with finalizing parameters, making algorithms more human
readable, providing guidance on how to use alg and security levels,
etc.

The current NSA guidance ups key sizes to help protect against Q-Day
and Y2Q and NIST also added support for hybrid shared keys, pre-shared
keys and ITU added hybrid certificates.

As I currently understand it, teams should be
- creating a data inventory with sensitivity
- creating a crypto inventory with details
- determining if a hybrid method is needed to protect against the
store-now / decrypt later attack
- figuring out ways to add crypto agility from internal, open-source
and commercial products
- doing the NIST guidance on preparing for PQC transition
- experimenting with things like Open Quantum Safe and its spinoffs
(TLS, SSH, S/MIME...)
- learning how to do optimizations for lattice based methods
- exploring all their use cases for the different devices and how
these algorithms may impact choosing parameters sets and which algs to
use

Bottom line, I know NSA wants to move fast once the standards are
complete, but it does seem immature that that is now.

However, I cannot speak for anyone so take all my comments with a grain of salt.

-Amzoti

Blumenthal, Uri - 0553 - MITLL

Jul 6, 2022, 3:00:30 PM
to Mike Ounsworth, John Mattsson, pqc-forum

> I assume that the standards need to be written before they can be adopted into the CNSA Suite?

 

This is my assumption as well.

 

Now we know what algorithms will be standardized – but not the exact parameter sets, format of the bits-on-the-wire, etc. And the upcoming standards will have to undergo public discussion first.

 

Thanks

 

 


Stanger, Adrian D

Jul 6, 2022, 3:11:39 PM
to pqc-forum

NSA does not currently have a set date for release of "CNSA 2.0." We hope to have an update soon, after we have completed our review of NIST's report and worked through internal reviews. It will probably take longer than days, hopefully less than months.

 

Cheers,

 

Adrian

Stanger, Adrian D

Jul 6, 2022, 3:14:15 PM
to pqc-forum

Forgot to include—

 

This will be guidance only for now.

Daniel Apon

Jul 6, 2022, 3:43:32 PM
to Blumenthal, Uri - 0553 - MITLL, Mike Ounsworth, John Mattsson, pqc-forum
From my end: Uri appears exactly right

--Daniel

Blumenthal, Uri - 0553 - MITLL

Jul 6, 2022, 4:28:48 PM
to Dan Brown, pqc-forum

Ideally – no tweaks would be necessary. In practice, however, we can’t know (yet).

 

And the standard would have to spell out all the details, so that one could (re-)create an interoperable implementation from scratch.

 

-- 

V/R,

Uri

 

 

From: Dan Brown <dani...@blackberry.com>
Date: Wednesday, July 6, 2022 at 16:09
To: Daniel Apon <dapon....@gmail.com>, Uri Blumenthal <u...@ll.mit.edu>
Cc: Mike Ounsworth <Mike.Ou...@entrust.com>, John Mattsson <john.m...@ericsson.com>, pqc-forum <pqc-...@list.nist.gov>
Subject: RE: [pqc-forum] RE: Announcement: The End of the 3rd Round - the First PQC Algorithms to be Standardized

 

The submitted specifications already included parameters, and the reference implementation included bits-on-the-wire formats implied by the api.h files.

Small changes in cryptography can mean big changes in security. So, ideally, no more changes will be needed.

Dan

 


Moody, Dustin (Fed)

Jul 7, 2022, 1:55:57 PM
to Doge Protocol, pqc-forum

As stated in our announcement yesterday:  "NIST also plans to issue a new Call for Proposals for public-key (quantum-resistant) digital signature algorithms by the end of summer 2022. NIST is primarily looking to diversify its signature portfolio, so signature schemes that are not based on structured lattices are of greatest interest. NIST would like submissions for signature schemes that have short signatures and fast verification. Submissions in response to this call will be due by June 1, 2023. Submitters are encouraged to communicate with NIST ahead of time. NIST will decide which (if any) of the submitted signature algorithms to accept and will initiate a new process for evaluation. NIST expects this process to be much smaller in scope than the current PQC process. The signature schemes accepted to this process will need to be thoroughly analyzed, which will similarly take several years." 

We’re willing to look at any (including lattice-based) signature scheme, but we will only move them forward in the “on-ramp” standardization process if they align with the stated priorities above. For lattice-based signatures, they would also need to substantially improve over what we already selected. NIST will consider the submissions on a case-by-case basis. You can look for more detailed information when the new call for signatures is released.

Dustin Moody

NIST

Scott Fluhrer (sfluhrer)

Jul 15, 2022, 2:55:15 PM
to Moody, Dustin (Fed), pqc-forum, Jonathan Felten (jfelten)

Let me be more explicit.

 

I have not talked to the Cisco execs; I cannot imagine that they would approve the use of Kyber without an assessment of the Cisco liability (and associated licensing fees, if any).

 

I have not talked to the Cisco lawyers; I cannot imagine that they would be willing to give any such assurance without an examination of the licenses (and an examination of the press releases would not be sufficient).

 

Hence, until we get the text of the licenses (both the one signed with CNRS and the one to be signed with Algo Consulting), Cisco cannot use Kyber. If this continues to be true, we will need to seek an alternative solution.

Daniel Apon

Jul 15, 2022, 3:12:51 PM
to Scott Fluhrer (sfluhrer), Moody, Dustin (Fed), pqc-forum, Jonathan Felten (jfelten)
This connects to another pressing issue, for which there is not yet a concrete recommendation from NIST, at least as far as I'm aware:

When does NIST recommend that an interested organization should begin their actual migration to post-quantum cryptography deployment based on the July 5th, 2022 announcement?
(Of course, prior to such a "go" date, many practical, preliminary steps can be completed in preparation for the migration date. But that aside..)

As this issue arises in context: Scott says that Cisco cannot use Kyber until Cisco receives the text of the licenses (CNRS/Algo) -- and presumably has sufficient, interluding time for Cisco lawyers to examine the text of the licenses.

1) At which point in time does NIST intend for (for example) Cisco -- or any other organization -- to begin migration to Kyber (or Dilithium/Falcon/SPHINCS+)?
2) At which point in time will the text of the licenses (CNRS/Algo) be posted publicly?

Speaking in my personal capacity in my role at MITRE (having not spoken with MITRE execs or MITRE lawyers either),
--Daniel

Daniel Apon

Jul 15, 2022, 3:17:10 PM
to Scott Fluhrer (sfluhrer), Moody, Dustin (Fed), pqc-forum, Jonathan Felten (jfelten)
The particularly relevant question I'm also asking about is when NIST will go from algorithm specification selection to parameterization / tweak finalization for the selected algorithms.

The obvious date is the release of the full standards documents in ~2024 (ETA).
Will there be a safe fixed point in parameterization/tweaks for early-adopters/deployers prior to the standards documentation release in ~2024?

Cheers

D. J. Bernstein

Jul 15, 2022, 11:32:49 PM
to pqc-...@list.nist.gov
'Scott Fluhrer (sfluhrer)' via pqc-forum writes:
> If continues to be true, we will need to seek an alternative solution.

NIST's new report already points to a solution (see page 18):

   If the agreements are not executed by the end of 2022, NIST may
   consider selecting NTRU instead of KYBER. NTRU was proposed in 1996,
   and U.S. patents were dedicated to the public in 2007.

(I have no idea how whoever reviewed this could have imagined that
"2007" was correct. If NTRU had been patent-free in 2007 then why didn't
people try rolling it out in response to the Snowden revelations? In
fact, the main NTRU patent expired in 2017, and the company didn't give
up on the patent until earlier in 2017.)

The same report says NIST is confident in NTRU's security:

   One of the difficult choices NIST faced was deciding between KYBER,
   NTRU, and Saber. All three were selected as finalists and were very
   comparable to each other. NIST is confident in the security that each
   provides.

Regarding performance, the report says

   A significant factor in the decision to choose KYBER over NTRU was
   NTRU's performance (particularly key generation), which was not quite
   as efficient as that of KYBER

but also admits how insignificant this "significant factor" is in the
real world:

   Most applications would be able to use any of them without
   significant performance penalties.

So NIST could have simply selected the patent-free option back in 2021.
What happened instead was NIST delaying for half a year working on
patent buyouts for Kyber. Many wheels in the deployment ecosystem were
waiting for NIST, and were slowed down by half a year as a result. This
translates directly into half a year of user data given to attackers.

There's nothing in the report considering the security damage caused by
this delay, let alone explaining how this damage is outweighed by the
small advantages that the report attributes to Kyber.

Maybe the patent-buyout details will be published next week. Maybe we'll
see that the details are adequate, unlike the poison-pill "grant" that
NIST negotiated with ISARA:

https://web.archive.org/web/20201101181903/https://www.isara.com/nist-grant.html

And maybe NIST will release an analysis convincingly explaining why we
shouldn't be worried about the patents that NIST hasn't said anything
about so far, such as CN107566121A.

Or maybe NIST simply doesn't grasp the magnitude of the problem here.
NIST's report briefly says that "an evaluation factor is whether a
patent might hinder adoption", but this is a remarkable retreat from the
call for submissions, which used the word "critical":

NIST believes it is critical that this process leads to cryptographic
standards that can be freely implemented in security technologies and
products.

Figuring out what patents are out there, and what's safe from those
patents given the complications of patent law, takes tons of work and
should have been emphasized from the beginning of NISTPQC. Instead NIST
discouraged public patent analysis, instead deciding to handle patents
behind the scenes as an afterthought. This mistake has already created
half a year of delay.

This looks like a great opportunity for agile tech companies to get
ahead of the game by rolling out NTRU. The business case is clear, with
ample cover provided by NIST's report:

* We can act now to help protect users against quantum computers.
There's broad awareness of the quantum threat, and users will
appreciate hearing that we're taking action.

* NIST selected Kyber and seems to have some patent agreements for
Kyber, but many companies are stalled waiting to see whether those
agreements really deal with the full scale of the patent problem.
Main scenarios to consider are "yes", "no", and "still won't be
sure by 2023".

* Meanwhile NIST's report says NTRU is patent-free, says NIST is
"confident in the security" of NTRU, and says most applications can
use NTRU "without significant performance penalties".

* NIST's report even says "If the agreements are not executed by the
end of 2022, NIST may consider selecting NTRU instead of KYBER."
The report is _not_ saying that there's something wrong with NTRU.

* NIST's report says that some small performance advantages of Kyber
over NTRU were a "significant factor" in NIST's decision to choose
Kyber. Those performance advantages are irrelevant to us, and NIST
calls other Kyber advantages "marginal". We care much more about
issues that are barely covered in NIST's report, such as deployment
timelines and patents.

* We can go ahead with rolling out NTRU right now, while running
experiments with Kyber in parallel to make sure we can easily swap
in Kyber later if that turns out to be the right thing to do.

I'm concerned about various risks here that were downplayed or ignored
in NIST's report. In particular, the NTRU submission is _not_ exactly
the 1996 version of NTRU, so it _could_ be covered by patents that
haven't come to public attention (even if the risks are lower than for
Kyber); also, one should _not_ be confident in the security of any of
these systems. The analysis in https://ntruprime.cr.yp.to/warnings.html
indicates that Streamlined NTRU Prime (as in sntrup761, now used by
default in OpenSSH) has somewhat lower patent risks and somewhat lower
security risks than the NTRU submission. However, from the perspective
of users whose data is being intercepted and recorded by large-scale
attackers right now, it's hard to imagine how any of these risks are
comparable to the damage caused by further delay.

---D. J. Bernstein

Daniel Apon

Jul 16, 2022, 12:28:56 AM
to pqc-forum
"in response to the Snowden revelations"

Thanks, Dad.

Perhaps you could explain to the Public why you're so aggressively targeting, in public, your PhD student's submission with political nonsense?

--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.

EL HASSANE LAAJI

Jul 16, 2022, 6:55:53 PM
to pqc-...@list.nist.gov
Hi
> One of the difficult choices NIST faced was deciding between KYBER,
> NTRU, and Saber. All three were selected as finalists and were very
> comparable to each other. NIST is confident in the security that each
> provides.
>
> Regarding performance, the report says
>
> A significant factor in the decision to choose KYBER over NTRU was
> NTRU's performance (particularly key generation), which was not quite
> as efficient as that of KYBER


I think it is possible to increase NTRU's performance.

I created a release of NTRU-HPS, but defined in a ring of the form "Rq=Zq[X]/(X^n+1)", that uses the NTT algorithm combined with our Fast Modular Multiplication Algorithm (FMMA) (inspired by the NewHope method). We obtained drastic results, as shown in the table:

6.2 Performance benchmarking of NTRUrobust, Saber, and Kyber

In this subsection, we present the performance results of our NTRUrobust release compared to the FireSaber and Kyber1024 releases of the SABER and KYBER post-quantum KEM schemes, whose parameter sets meet the category 5 security level.

with parameters {n=1024, q=65537, p=2}


Table 2: Performance benchmarking between NTRUrobust, FireSaber, and Kyber1024 releases. The result values are given in milliseconds (ms):

                Keys Gen (ms)    Encap (ms)    Decap (ms)
Kyber1024       0.46             0.63          0.63
FireSaber       2.51             3.12          3.43
NTRUrobust      1.25             0.47          0.62

NB: We note that all implementations were run on a PC-TOSHIBA with an Intel(R) Core(TM) i7-2630QM CPU, 2 GHz processor, 8 GB RAM, under Windows 7 32-bit and Dev-C++ 4.9.9.2.

Best regards.

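The ring the post moves NTRU-HPS into, Zq[X]/(X^n+1) with n=1024 and q=65537, is exactly what makes an NTT usable: q-1 = 2^16, so a primitive 2n-th root of unity exists and X^n+1 splits completely. The following Python is an added example, not the poster's NTRUrobust or FMMA code, showing negacyclic NTT multiplication in that ring checked against a schoolbook reference; the function names are my own.

```python
Q = 65537   # modulus from the post: a Fermat prime, so Q - 1 = 2**16
N = 1024    # ring degree from the post: X^N + 1 with N a power of two


def find_psi(n, q):
    """Return a primitive 2n-th root of unity mod q; psi^n == -1 is what makes X^n + 1 NTT-friendly."""
    assert (q - 1) % (2 * n) == 0, "need 2n | q-1 for a negacyclic NTT"
    for g in range(2, q):
        psi = pow(g, (q - 1) // (2 * n), q)
        if pow(psi, n, q) == q - 1:      # exact order 2n, not a proper divisor of it
            return psi
    raise ValueError("no primitive 2n-th root of unity")


def cyclic_ntt(a, omega, q):
    """Recursive radix-2 Cooley-Tukey NTT: evaluates a(X) at omega^0 .. omega^(n-1)."""
    n = len(a)
    if n == 1:
        return list(a)
    even = cyclic_ntt(a[0::2], omega * omega % q, q)
    odd = cyclic_ntt(a[1::2], omega * omega % q, q)
    out, w = [0] * n, 1
    for k in range(n // 2):
        t = w * odd[k] % q
        out[k], out[k + n // 2] = (even[k] + t) % q, (even[k] - t) % q
        w = w * omega % q
    return out


def poly_mul_ntt(a, b, n=N, q=Q):
    """a*b in Z_q[X]/(X^n+1): twist by psi^i, cyclic NTT, pointwise multiply, invert, untwist."""
    psi = find_psi(n, q)
    omega, psi_inv, n_inv = psi * psi % q, pow(psi, -1, q), pow(n, -1, q)
    at = cyclic_ntt([a[i] * pow(psi, i, q) % q for i in range(n)], omega, q)
    bt = cyclic_ntt([b[i] * pow(psi, i, q) % q for i in range(n)], omega, q)
    ct = cyclic_ntt([x * y % q for x, y in zip(at, bt)], pow(omega, -1, q), q)
    return [ct[i] * n_inv % q * pow(psi_inv, i, q) % q for i in range(n)]


def poly_mul_schoolbook(a, b, n=N, q=Q):
    """Reference O(n^2) negacyclic convolution used to check the NTT path."""
    c = [0] * n
    for i in range(n):
        for j in range(n):
            k, s = (i + j) % n, 1 if i + j < n else q - 1   # X^n = -1: sign flips on wrap
            c[k] = (c[k] + s * a[i] * b[j]) % q
    return c
```

The twist-by-psi trick is what turns the cyclic transform into a negacyclic one; a production implementation folds those twiddles into the butterflies and uses a reduction such as the Montgomery or Barrett style the post alludes to, but the arithmetic is the same.
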

Brian Hagen

Jul 16, 2022, 7:29:39 PM
to pqc-...@list.nist.gov
"D. J. Bernstein" <d...@cr.yp.to> writes:
> NIST's new report already points to a solution (see page 18):
>
> If the agreements are not executed by the end of 2022, NIST may
> consider selecting NTRU instead of KYBER. NTRU was proposed in 1996,
> and U.S. patents were dedicated to the public in 2007.
>
> (I have no idea how whoever reviewed this could have imagined that
> "2007" was correct. If NTRU had been patent-free in 2007 then why didn't
> people try rolling it out in response to the Snowden revelations? In
> fact, the main NTRU patent expired in 2017, and the company didn't give
> up on the patent until earlier in 2017.)

What about US7929688B2 and US7773746B2? You've previously said that US7929688B2 is "a potential problem for the 2005 NTRU parameter sets, Streamlined NTRU Prime, the HRSS NTRU KEM, etc."

-b

D. J. Bernstein

Jul 16, 2022, 9:32:08 PM