Announcement of the 3rd Round Onramp Candidates

941 views
Skip to first unread message

dustin...@nist.gov

unread,
May 14, 2026, 3:21:38 PM (4 days ago) May 14
to pqc-forum

Nine Candidates Advance to the Third Round of the Additional Digital Signatures for the PQC Standardization Process

 After 18 months of evaluation, NIST has selected nine candidates for the third round of the Additional Digital Signatures for the Post-Quantum Cryptography (PQC) Standardization Process. The advancing digital signature algorithms are:

  • FAEST
  • HAWK
  • MAYO
  • MQOM
  • QR-UOV
  • SDitH
  • SNOVA
  • SQIsign
  • UOV

NIST Internal Report (IR) 8610 describes the evaluation criteria and selection process. These third-round candidates will have the opportunity to submit updated specifications and implementations (i.e., “tweaks”). NIST will provide more details to the submission teams in a separate message. This third phase of evaluation and review is expected to last approximately two years.

 NIST is also planning to hold the 7th NIST PQC Standardization Conference in the late spring/early summer of 2027. The conference will most likely be held in (or near) Gaithersburg, Maryland.

 Questions may be directed to pqc-co...@nist.gov. NIST thanks all of the candidate submission teams for their efforts in this standardization process as well as the cryptographic community at large, which helped analyze the signature schemes.


The NIST PQC team

Thom Wiggers

unread,
May 14, 2026, 5:39:14 PM (4 days ago) May 14
to dustin...@nist.gov, pqc-forum
Hi all,

Thanks NIST PQC team! I’d honestly thought that this would take a little bit longer still. 

Coincidentally, I have been at work updating our signatures zoo comparison tool. I’ve now added a round-3 page.


I am very pleased to announce that you can now zoom on the graph—Claude is clearly much better at javascript than me.

Cheers,

Thom

(PS. I’d like to invite scheme submitters to open PRs (https://github.com/pqshield/nist-sigs-zoo/) or issues with a link to any and all updated versions as they have them — that’d be a great help to keep track of things and show the latest state of the game.)


--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/5e07130a-10b4-429e-bd6d-44b5b8a48996n%40list.nist.gov.

John Mattsson

unread,
May 15, 2026, 3:59:15 AM (3 days ago) May 15
to dustin...@nist.gov, Thom Wiggers, pqc-forum
Thanks for your hard work!

I think this is a very good selection. It is appropriate to narrow the set of algorithms and focus on a smaller number of candidates, 2035 is only nine years away. I appreciate the clear statement that NIST targets the robust SUF-CMA notion for all general-purpose signatures.

The report states that “NIST anticipates a longer timeline for the potential standardization of any of these multivariate schemes and is unlikely to standardize them without a further round of evaluation.”

Does this imply that NIST may consider standardizing MPC-in-the-Head, lattice-based, or isogeny-based schemes without an additional evaluation round? Given the statement that “a primary challenge for HAWK and SQIsign will be a more complete understanding of their relatively novel security assumptions,” I assume that NIST is primarily considering the potential standardization of MPC-in-the-Head schemes without a further round of evaluation, contingent on receiving sufficient additional analysis of their complex designs and security proofs.

Cheers,
John Preuß Mattsson

Daniel Apon

unread,
May 16, 2026, 6:33:45 PM (2 days ago) May 16
to John Mattsson, dustin...@nist.gov, Thom Wiggers, pqc-forum
Cheers, team

John-- What I read from the statement "A primary challenge for HAWK and SQIsign will be a more complete understanding of their relatively novel security assumptions" is that a more complete understanding of HAWK's and SQIsign's relatively novel security assumptions will be a primary challenge.

That sounds like it's work up to the international research community, not NIST, to perform. And NIST would adjudicate.

Best
--Daniel

To view this discussion visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/AS4PR07MB8825582786AADC06398BEA8589042%40AS4PR07MB8825.eurprd07.prod.outlook.com.
Reply all
Reply to author
Forward
0 new messages