NIST has indicated that on July 5, 2022 it will announce which of the Round 3 Post-Quantum Cryptography algorithms it will select for standardization, and which of the alternatives will proceed to Round 4 for analysis. This will represent a major milestone in a process that was started in late 2016.

NIST Standardization Process Round 3 PQC Candidates. Source: NIST

NIST will be announcing multiple algorithms for standardization for two reasons. First, the algorithms differ in technical characteristics such as key size, encoding and decoding speed, and ciphertext size, which may make different algorithms preferable for certain applications. For example, an IoT device with limited processing power may not want to use the same algorithm as a powerful server, which has much more processing capability. The other reason is security: to provide multiple usable solutions. If, for some reason, one of the algorithms is broken in the future, there will be an alternative that can be used to replace it. The algorithms are classified into lattice-based, code-based, hash-based, multivariate, and supersingular isogeny-based mechanisms, and NIST would prefer to have different classes of algorithms available in case a weakness is found in the future that could impact an entire class. For example, in the chart above Kyber, NTRU, and SABER are all lattice-based algorithms, and we do not think NIST will select more than one of those three.

The chart above shows the algorithms that NIST has been analyzing during Round 3. NIST will select some of the algorithms shown in the Finalist column for standardization. The others will either be dropped or may be moved to Round 4 for additional analysis. Some of the algorithms shown in the Alternates column will be selected for further analysis in Round 4. Those not selected will likely be dropped from further consideration. One recent development is that NIST has indicated it will reopen the submission process for new signature algorithms, as it feels it may not have enough diversity of algorithm types in the current batch of Round 3 candidates.

For more information, you can visit the Post-Quantum Cryptography website maintained by NIST, which contains an archive of the submissions, presentations, workshops, and events that have occurred during this program.

July 1, 2022