In the aftermath of the U.S. National Institute of Standards and Technology (NIST) selection of candidates for Round 3 of the PQC selection process, the NSA has posted comments on which types of algorithms they favor for national security and commercial use cases. The NSA has reviewed the security of many of the algorithms and has concluded that they are confident of the security and performance characteristics of lattice-based schemes that have a strong dependence on well-studied mathematical problems. They also believe that hash-based signatures provide well-understood security for certain niche solutions. In the group of third round finalists for Public Key Encryption/KEM algorithms, three out of the four algorithms are lattice-based: CRYSTALS-KYBER, NTRU, and SABER. Because of their similarities, NIST has stated that they will choose, at most, one of them for the standard.

For digital signatures, NIST has indicated that they intend to standardize the LMS and XMSS algorithms, which are stateful hash-based algorithms. These algorithms limit the number of allowable signatures per public key and require the signer to maintain an internal state. As such, they are not as flexible as other techniques, but NSA also indicated that they will approve these algorithms for certain niche applications where maintaining state is not a problem.

The NSA further expressed appreciation to NIST for all the work they have done during this selection program and stated their confidence that the end result will provide secure PQC solutions for everyone’s use.

For more information, you can read NSA’s PQC guidance statement here as well as NIST’s third round candidate announcement here.

July 29, 2020