Guidelines for submitting tweaks for Third Round Finalists and Candidates
Deadline: October 1, 2020
Finalist and Candidate teams must meet the same submission requirements and minimum acceptability criteria as given in the original Call for Proposals. Submissions must be submitted to NIST at pqc-sub...@nist.gov by October 1, 2020. It would be helpful if submission teams provided NIST with a summary of their expected changes by August 10, 2020. If either of these deadlines will pose a problem for any submission team, they should contact NIST in advance. In particular, submissions should include a cover sheet, algorithm specifications (and other supporting documentation), and optical/digital media (e.g., implementations, known-answer test files, etc.) as described in Section 2 of CFP.
NIST does NOT need new signed IP statements unless new submission team members have been added or the status of intellectual property for the submission has changed. If either of these cases apply, NIST will need new signed IP statements (see Section 2.D of the CFP). These statements must be actual hard copies—not digital scans—and must be provided to NIST by the 3rd NIST PQC Standardization Conference. In particular, NIST will need new signed IP statements for new members of the merged Classic McEliece team.
In addition, NIST requires a short document outlining the modifications introduced in the new submission. This document should be included in the Supporting Documentation folder of the submission (see Section 2.C.4 of the CFP). NIST will review the proposed changes to see if they meet the submission requirements and minimum acceptability requirements, as well as if they would significantly affect the design of the algorithm, requiring a major re-evaluation. As a general guideline, NIST expects any modifications to the seven finalists to be relatively minor while allowing more latitude to the eight alternate candidate algorithms. Note, however, that larger changes may signal that an algorithm is not mature enough for standardization for some time.
As performance will continue to play a large role in the third round, NIST offers the following guidance. Submitters must include the reference and optimized implementation (which can be the same) with their submission package. The reference implementation should still be in ANSI C; however, the optimized implementation is not required to be in ANSI C. NIST strongly recommends also providing an AVX2 (Haswell) optimized implementation and would encourage other optimized software implementations (e.g. microcontrollers) and hardware implementations (e.g. FPGAs).
NIST is aware that some submission packages may be large in size. The email system for pqc-submi...@nist.gov is only set to handle files up to 25MB. For files which are larger, you may upload your submission package somewhere of your choosing and send us the download link when you submit. If that option is not suitable, NIST has a file transfer system that can be used. To find out about this option, please send a message to pqc-co...@nist.gov. NIST will review the submitted packages as quickly as possible and post the candidate submission packages which are “complete and proper” on our webpage www.nist.gov/pqcrypto. Teams are encouraged to submit early. General questions may be asked on the pqc-forum. For more specific questions, please contact us at pqc-co...@nist.gov.
The NIST PQC team
Before Rainbow can be ready for standardization, its parameters must be adjusted to ensure that it meets its claimed security targets.
Dan,
In our report we strongly encouraged submitters to provide at least one parameter set that meets category 5. We have previously noted this is NOT a requirement. As we've also already said, the call for proposals specified a set of evaluation criteria, not a set of "rules" or "requirements".
Again, while providing category 5 parameters is not a requirement, the call for proposals did note that "schemes with greater flexibility will meet the needs of more users than less flexible schemes, and therefore, are preferable." It particularly noted that flexibility may include that "It is straightforward to customize the scheme’s parameters to meet a range of security targets and performance goals." Providing category 5 parameters would help to demonstrate that a scheme offers this flexibility.
We are happy to discuss and get feedback from the community on this (and any other) issue. In doing so, we strive to adhere to the principles, processes, and procedures set forth in NISTIR 7977, NIST Cryptographic Standards and Guidelines Development Process. We want the PQC standardization process to be as open and transparent as possible. We encourage discussion on the pqc-forum, but as not everything needs to be on the public forum, we also can be contacted directly at pqc-co...@nist.gov.
Dustin Moody
NIST PQC
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/DM6PR09MB5909D83F420E79B9551E1F1FE5700%40DM6PR09MB5909.namprd09.prod.outlook.com.
In the original Call for Proposals published in 2016, NIST recommended submitters focus on categories 1, 2, and 3. NIST also recommended submitters provide at least one parameter set above category 3. In our latest report published, we encouraged a few teams to include category 5 parameter sets. We don't see this as a "sudden change". These are NOT requirements. Throughout the process we've been in dialogue with various teams as they have adjusted parameter sets. The decisions are always made by the submitters, who can submit what they think best. We gave our current recommendations in our 2nd round report, and don't anticipate making any suggestions for more parameter sets. Submission teams can submit more parameter sets if they choose, although in general, NIST believes that too many parameter sets make evaluation and analysis more difficult.
Dustin
On Aug 2, 2020, at 2:50 AM, D. J. Bernstein <d...@cr.yp.to> wrote:
(I'm reminded of how one submitter, presumably not having looked at the
numbers, tried to downplay this as "fine-tuning". Useful rule of thumb:
whenever someone uses performance-comparison terminology with unclear
boundaries, ask him what the actual performance numbers are. Very often
such a lack of clarity is a cover for not knowing the facts.)
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/ECF9C181-8D96-430A-8DF8-34A4A0BBAFC0%40shiftleft.org.