Announcement of the Onramp Round 2 Candidates


Moody, Dustin (Fed)

Oct 24, 2024, 10:02:15 AM
to pqc-forum
NIST Announces 14 Candidates to Advance to the Second Round of the Additional Digital Signatures for the Post-Quantum Cryptography Standardization Process
 
After over a year of evaluation, NIST has selected 14 candidates for the second round of the Additional Digital Signatures for the NIST PQC Standardization Process. The advancing public-key encryption and key-establishment algorithms are:
 
  • CROSS
  • FAEST
  • HAWK
  • LESS
  • MAYO
  • Mirath (merger of MIRA/MiRitH)
  • MQOM
  • PERK
  • QR-UOV
  • RYDE
  • SDitH
  • SNOVA
  • SQIsign
  • UOV
 
NIST Internal Report (IR) 8528 describes the evaluation criteria and selection process, and questions may be directed to pqc-co...@nist.gov. NIST thanks all of the candidate submission teams for their efforts in this standardization process as well as the cryptographic community at large, which helped analyze the signature schemes.
 
Moving forward, the second-round candidates have the option of submitting updated specifications and implementations (i.e., “tweaks”). NIST will provide more details to the submission teams in a separate message. This second phase of evaluation and review is estimated to last 12-18 months.
 
NIST is tentatively planning to hold a 6th NIST PQC Standardization Conference from September 24-26, 2025, in person at NIST in Gaithersburg, Maryland.
 
 
The NIST PQC team
 
Links:

dustin...@nist.gov

Oct 24, 2024, 10:10:46 AM
to pqc-forum, dustin...@nist.gov
Here is the link to NISTIR 8528, Status Report on the First Round of the Additional Digital Signature Schemes for the NIST Post-Quantum Cryptography Standardization Process:

https://csrc.nist.gov/pubs/ir/8528/final

John Mattsson

Oct 3, 2025, 4:20:57 AM
to dustin...@nist.gov, pqc-forum, dustin...@nist.gov

Hi,

“Digital signature schemes needed to enable existentially unforgeable signatures with respect to an adaptive chosen message attack (EUF-CMA security).”

I think NIST should strongly prefer signatures that are believed to provide strong existentially unforgeable signatures with respect to an adaptive chosen message attack (SUF-CMA security) rather than only EUF-CMA security.

EdDSA, ML-DSA, and SLH-DSA are all SUF-CMA. EUF-CMA only signatures can lead to significant vulnerabilities such as replay of messages, double billing, double money transactions, double receipts, double contracts, as well as log and transaction history poisoning. SUF-CMA vs EUF-CMA is not a theoretic consideration; it is very much a real-world problem. NIST signature algorithms are used in a wide variety of use cases.

EUF-CMA only signatures do not align well with the excellent NIST guidelines [1]:

“Cryptographic standards and guidelines should be chosen to minimize the demands on users and implementers as well as the adverse consequences of human mistakes and equipment failures.”

“NIST strives to standardize secure cryptographic algorithms, schemes, and modes of operation whose security properties are …. robust against accidental misuse”

We know that most developers assume that all signatures are SUF-CMA.

My preference would be that NIST do not standardize any new signature algorithms that are believed to only provide EUF-CMA security unless there is a compelling justification. SUF-CMA is best practice for any modern standard.

Cheers,

John Preuß Mattsson

Expert Cryptographic Algorithms and Security Protocols, Ericsson

[1] NIST Cryptographic Standards and Guidelines Development Process

https://nvlpubs.nist.gov/nistpubs/ir/2016/nist.ir.7977.pdf

 

 
