Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
NIST Post-Quantum Cryptography Standardization
open-in-new
<h2 id="background">Background</h2> <p>Academic research on the potential impact of quantum computing dates back to at least 2001.<a class="footnote-ref" id="fnref:6" href="#fn:6"><sup>6</sup></a> A NIST published report from April 2016 cites experts that acknowledge the possibility of quantum technology to render the commonly used <a href="/facts/RSA_(algorithm)/XTzyfHuq">RSA</a> algorithm insecure by 2030.<a class="footnote-ref" id="fnref:7" href="#fn:7"><sup>7</sup></a> As a result, a need to standardize <a href="/facts/Post-quantum_cryptography/1qeqUQve">quantum-secure</a> cryptographic primitives was pursued. Since most symmetric primitives are relatively easy to modify in a way that makes them quantum resistant, efforts have focused on public-key cryptography, namely <a href="/facts/Digital_signatures/tY7e2pnW">digital signatures</a> and <a href="/facts/Key_encapsulation/uDR3scKh">key encapsulation mechanisms</a>. In December 2016 NIST initiated a standardization process by announcing a call for proposals.<a class="footnote-ref" id="fnref:8" href="#fn:8"><sup>8</sup></a> </p><p>The competition is now in its third round out of expected four, where in each round some algorithms are discarded and others are studied more closely. NIST hopes to publish the standardization documents by 2024, but may speed up the process if major breakthroughs in <a href="/facts/Quantum_computing/nbbcgmvq">quantum computing</a> are made. </p><p>It is currently undecided whether the future standards will be published as <a href="/facts/Federal_Information_Processing_Standards/n0Ll7hpQ">FIPS</a> or as NIST Special Publication (SP). </p> <h2 id="round-one">Round one</h2> <p>Under consideration were:<a class="footnote-ref" id="fnref:9" href="#fn:9"><sup>9</sup></a> (strikethrough means it had been withdrawn) </p> <table><tbody><tr><th>Type</th><th>PKE/<a href="/facts/Key_encapsulation/uDR3scKh">KEM</a></th><th>Signature</th><th>Signature & PKE/KEM</th></tr><tr><td><a href="/facts/Lattice-based_cryptography/66HyNf1P">Lattice</a></td><td><ul><li>Compact LWE</li><li><a href="/facts/Kyber/FgSGHwCx">CRYSTALS-Kyber</a></li><li>Ding Key Exchange</li><li>EMBLEM and R.EMBLEM</li><li>FrodoKEM</li><li>HILA5 (withdrawn and merged into Round5)</li><li>KCL (pka OKCN/AKCN/CNKE)</li><li>KINDI</li><li>LAC</li><li>LIMA</li><li>Lizard</li><li>LOTUS</li><li>NewHope</li><li><a href="/facts/NTRUEncrypt/B6MR5HkI">NTRUEncrypt</a><a class="footnote-ref" id="fnref:10" href="#fn:10"><sup>10</sup></a></li><li>NTRU-HRSS-KEM</li><li>NTRU Prime</li><li>Odd Manhattan</li><li>Round2 (withdrawn and merged into Round5)</li><li>Round5 (merger of Round2 and Hila5, announced 4 August 2018)<a class="footnote-ref" id="fnref:11" href="#fn:11"><sup>11</sup></a></li><li>SABER</li><li>Three Bears</li><li>Titanium</li></ul></td><td><ul><li>CRYSTALS-Dilithium</li><li>DRS</li><li><a href="/facts/Falcon_(signature_scheme)/CKG5xxaw">FALCON</a></li><li><a href="/facts/NTRUSign/Njl2bmRf">pqNTRUSign</a><a class="footnote-ref" id="fnref:12" href="#fn:12"><sup>12</sup></a></li><li>qTESLA<a class="footnote-ref" id="fnref:13" href="#fn:13"><sup>13</sup></a><a class="footnote-ref" id="fnref:14" href="#fn:14"><sup>14</sup></a></li></ul></td><td></td></tr><tr><td>Code-based</td><td><ul><li>BIG QUAKE</li><li>BIKE</li><li>Classic <a href="/facts/McEliece_cryptosystem/Yb3X3nzs">McEliece</a> + NTS-<a href="/facts/Key_encapsulation/uDR3scKh">KEM</a></li><li>DAGS</li><li>Edon-K</li><li>HQC</li><li>LAKE (withdrawn and merged into ROLLO)</li><li>LEDAkem</li><li>LEDApkc</li><li>Lepton</li><li>LOCKER (withdrawn and merged into ROLLO)</li><li>McNie</li><li>NTS-KEM</li><li>ROLLO (merger of Ouroboros-R, LAKE and LOCKER) <a class="footnote-ref" id="fnref:15" href="#fn:15"><sup>15</sup></a></li><li>Ouroboros-R (withdrawn and merged into ROLLO)</li><li>QC-MDPC <a href="/facts/Key_encapsulation/uDR3scKh">KEM</a></li><li>Ramstake</li><li>RLCE-KEM</li><li>RQC</li></ul></td><td><ul><li>pqsigRM</li><li>RaCoSS</li><li>RankSign</li></ul></td><td></td></tr><tr><td>Hash-based</td><td></td><td><ul><li>Gravity-SPHINCS</li><li>SPHINCS+</li></ul></td><td></td></tr><tr><td>Multivariate</td><td><ul><li>CFPKM</li><li>Giophantus</li></ul></td><td><ul><li>DualModeMS</li><li>GeMSS</li><li>Gui</li><li>HiMQ-3</li><li>LUOV</li><li>MQDSS</li><li>Rainbow</li></ul></td><td><ul><li>SRTPI</li><li>DME</li></ul></td></tr><tr><td>Braid group</td><td></td><td><ul><li>WalnutDSA</li></ul></td><td></td></tr><tr><td>Supersingular elliptic curve isogeny</td><td><ul><li><a href="/facts/Supersingular_isogeny_key_exchange/TsGD1l3T">SIKE</a></li></ul></td><td></td><td></td></tr><tr><td>Satirical submission</td><td></td><td></td><td><ul><li>pq<a href="/facts/RSA_cryptosystem/XTzyfHuq">RSA</a><a class="footnote-ref" id="fnref:16" href="#fn:16"><sup>16</sup></a><a class="footnote-ref" id="fnref:17" href="#fn:17"><sup>17</sup></a></li></ul></td></tr><tr><td>Other</td><td><ul><li>Guess Again</li><li>HK17</li><li>Mersenne-756839</li><li>RVB</li></ul></td><td><ul><li>Picnic</li></ul></td><td></td></tr></tbody></table> <h3>Round one submissions published attacks</h3> <ul><li>Guess Again by Lorenz Panny <a class="footnote-ref" id="fnref:18" href="#fn:18"><sup>18</sup></a></li> <li>RVB by Lorenz Panny<a class="footnote-ref" id="fnref:19" href="#fn:19"><sup>19</sup></a></li> <li>RaCoSS by <a href="/facts/Daniel_J._Bernstein/KQLuMRTx">Daniel J. Bernstein</a>, Andreas Hülsing, <a href="/facts/Tanja_Lange/8bYpR72r">Tanja Lange</a> and Lorenz Panny<a class="footnote-ref" id="fnref:20" href="#fn:20"><sup>20</sup></a></li> <li>HK17 by Daniel J. Bernstein and Tanja Lange<a class="footnote-ref" id="fnref:21" href="#fn:21"><sup>21</sup></a></li> <li>SRTPI by Bo-Yin Yang<a class="footnote-ref" id="fnref:22" href="#fn:22"><sup>22</sup></a></li> <li>WalnutDSA <ul><li>by Ward Beullens and Simon R. Blackburn<a class="footnote-ref" id="fnref:23" href="#fn:23"><sup>23</sup></a></li> <li>by Matvei Kotov, Anton Menshov and Alexander Ushakov<a class="footnote-ref" id="fnref:24" href="#fn:24"><sup>24</sup></a></li></ul></li> <li>DRS by Yang Yu and Léo Ducas <a class="footnote-ref" id="fnref:25" href="#fn:25"><sup>25</sup></a></li> <li>DAGS by Elise Barelli and Alain Couvreur<a class="footnote-ref" id="fnref:26" href="#fn:26"><sup>26</sup></a></li> <li>Edon-K by Matthieu Lequesne and Jean-Pierre Tillich<a class="footnote-ref" id="fnref:27" href="#fn:27"><sup>27</sup></a></li> <li>RLCE by Alain Couvreur, Matthieu Lequesne, and Jean-Pierre Tillich<a class="footnote-ref" id="fnref:28" href="#fn:28"><sup>28</sup></a></li> <li>Hila5 by Daniel J. Bernstein, Leon Groot Bruinderink, Tanja Lange and Lorenz Panny<a class="footnote-ref" id="fnref:29" href="#fn:29"><sup>29</sup></a></li> <li>Giophantus by Ward Beullens, Wouter Castryck and Frederik Vercauteren<a class="footnote-ref" id="fnref:30" href="#fn:30"><sup>30</sup></a></li> <li>RankSign by Thomas Debris-Alazard and Jean-Pierre Tillich <a class="footnote-ref" id="fnref:31" href="#fn:31"><sup>31</sup></a></li> <li>McNie by Philippe Gaborit;<a class="footnote-ref" id="fnref:32" href="#fn:32"><sup>32</sup></a> Terry Shue Chien Lau and Chik How Tan <a class="footnote-ref" id="fnref:33" href="#fn:33"><sup>33</sup></a></li></ul> <h2 id="round-two">Round two</h2> <p>Candidates moving on to the second round were announced on January 30, 2019. They are:<a class="footnote-ref" id="fnref:34" href="#fn:34"><sup>34</sup></a> </p> <table><tbody><tr><th>Type</th><th>PKE/KEM</th><th>Signature</th></tr><tr><td>Lattice</td><td><ul><li>CRYSTALS-Kyber<a class="footnote-ref" id="fnref:35" href="#fn:35"><sup>35</sup></a></li><li>FrodoKEM<a class="footnote-ref" id="fnref:36" href="#fn:36"><sup>36</sup></a></li><li>LAC</li><li><a href="/facts/NewHope/B185hwvB">NewHope</a><a class="footnote-ref" id="fnref:37" href="#fn:37"><sup>37</sup></a></li><li><a href="/facts/NTRU/1dzRzEDz">NTRU</a> (merger of NTRUEncrypt and NTRU-HRSS-KEM)<a class="footnote-ref" id="fnref:38" href="#fn:38"><sup>38</sup></a></li><li>NTRU Prime<a class="footnote-ref" id="fnref:39" href="#fn:39"><sup>39</sup></a></li><li>Round5 (merger of Round2 and Hila5, announced 4 August 2018)<a class="footnote-ref" id="fnref:40" href="#fn:40"><sup>40</sup></a></li><li>SABER<a class="footnote-ref" id="fnref:41" href="#fn:41"><sup>41</sup></a></li><li>Three Bears<a class="footnote-ref" id="fnref:42" href="#fn:42"><sup>42</sup></a></li></ul></td><td><ul><li>CRYSTALS-Dilithium<a class="footnote-ref" id="fnref:43" href="#fn:43"><sup>43</sup></a></li><li><a href="/facts/Falcon_(signature_scheme)/CKG5xxaw">FALCON</a><a class="footnote-ref" id="fnref:44" href="#fn:44"><sup>44</sup></a></li><li>qTESLA</li></ul></td></tr><tr><td>Code-based</td><td><ul><li>BIKE<a class="footnote-ref" id="fnref:45" href="#fn:45"><sup>45</sup></a></li><li>Classic <a href="/facts/McEliece_cryptosystem/Yb3X3nzs">McEliece</a></li><li>HQC<a class="footnote-ref" id="fnref:46" href="#fn:46"><sup>46</sup></a></li><li>LEDAcrypt (merger of LEDAkem<a class="footnote-ref" id="fnref:47" href="#fn:47"><sup>47</sup></a> and LEDApkc<a class="footnote-ref" id="fnref:48" href="#fn:48"><sup>48</sup></a>)</li><li>NTS-KEM<a class="footnote-ref" id="fnref:49" href="#fn:49"><sup>49</sup></a></li><li>ROLLO (merger of Ouroboros-R, LAKE and LOCKER) <a class="footnote-ref" id="fnref:50" href="#fn:50"><sup>50</sup></a></li><li>RQC<a class="footnote-ref" id="fnref:51" href="#fn:51"><sup>51</sup></a></li></ul></td><td></td></tr><tr><td>Hash-based</td><td></td><td><ul><li>SPHINCS+<a class="footnote-ref" id="fnref:52" href="#fn:52"><sup>52</sup></a></li></ul></td></tr><tr><td>Multivariate</td><td></td><td><ul><li>GeMSS<a class="footnote-ref" id="fnref:53" href="#fn:53"><sup>53</sup></a></li><li>LUOV<a class="footnote-ref" id="fnref:54" href="#fn:54"><sup>54</sup></a></li><li>MQDSS<a class="footnote-ref" id="fnref:55" href="#fn:55"><sup>55</sup></a></li><li>Rainbow</li></ul></td></tr><tr><td>Supersingular elliptic curve isogeny</td><td><ul><li><a href="/facts/Supersingular_isogeny_key_exchange/TsGD1l3T">SIKE</a><a class="footnote-ref" id="fnref:56" href="#fn:56"><sup>56</sup></a></li></ul></td><td></td></tr><tr><td><a href="/facts/Zero-knowledge_proofs/38soaPT5">Zero-knowledge proofs</a></td><td></td><td><ul><li>Picnic<a class="footnote-ref" id="fnref:57" href="#fn:57"><sup>57</sup></a></li></ul></td></tr></tbody></table> <h2 id="round-three">Round three</h2> <p>On July 22, 2020, NIST announced seven finalists ("first track"), as well as eight alternate algorithms ("second track"). The first track contains the algorithms which appear to have the most promise, and will be considered for standardization at the end of the third round. Algorithms in the second track could still become part of the standard, after the third round ends.<a class="footnote-ref" id="fnref:58" href="#fn:58"><sup>58</sup></a> NIST expects some of the alternate candidates to be considered in a fourth round. NIST also suggests it may re-open the signature category for new schemes proposals in the future.<a class="footnote-ref" id="fnref:59" href="#fn:59"><sup>59</sup></a> </p><p>On June 7–9, 2021, NIST conducted the third PQC standardization conference, virtually.<a class="footnote-ref" id="fnref:60" href="#fn:60"><sup>60</sup></a> The conference included candidates' updates and discussions on implementations, on performances, and on security issues of the candidates. A small amount of focus was spent on intellectual property concerns. </p> <h3>Finalists</h3> <table><tbody><tr><th>Type</th><th>PKE/KEM</th><th>Signature</th></tr><tr><td>Lattice</td><td><ul><li><a href="/facts/Kyber/FgSGHwCx">CRYSTALS-Kyber</a></li><li><a href="/facts/NTRU/1dzRzEDz">NTRU</a></li><li>SABER</li></ul></td><td><ul><li>CRYSTALS-Dilithium</li><li><a href="/facts/Falcon_(signature_scheme)/CKG5xxaw">FALCON</a></li></ul></td></tr><tr><td>Code-based</td><td><ul><li>Classic <a href="/facts/McEliece_cryptosystem/Yb3X3nzs">McEliece</a></li></ul></td><td></td></tr><tr><td>Multivariate</td><td></td><td><ul><li>Rainbow</li></ul></td></tr></tbody></table> <h3>Alternate candidates</h3> <table><tbody><tr><th>Type</th><th>PKE/KEM</th><th>Signature</th></tr><tr><td>Lattice</td><td><ul><li>FrodoKEM</li><li>NTRU Prime</li></ul></td><td></td></tr><tr><td>Code-based</td><td><ul><li><a href="https://bikesuite.org/">BIKE</a></li><li><a href="https://pqc-hqc.org/">HQC</a></li></ul></td><td></td></tr><tr><td>Hash-based</td><td></td><td><ul><li>SPHINCS+</li></ul></td></tr><tr><td>Multivariate</td><td></td><td><ul><li>GeMSS</li></ul></td></tr><tr><td>Supersingular elliptic curve isogeny</td><td><ul><li><a href="/facts/Supersingular_isogeny_key_exchange/TsGD1l3T">SIKE</a></li></ul></td><td></td></tr><tr><td><a href="/facts/Zero-knowledge_proofs/38soaPT5">Zero-knowledge proofs</a></td><td></td><td><ul><li>Picnic</li></ul></td></tr></tbody></table> <h3>Intellectual property concerns</h3> <p>After <a href="/facts/NIST/gr9Fnh85">NIST</a>'s announcement regarding the finalists and the alternate candidates, various intellectual property concerns were voiced, notably surrounding <a href="/facts/Lattice-based_cryptography/66HyNf1P">lattice-based schemes</a> such as <a href="/facts/Kyber/FgSGHwCx">Kyber</a> and <a href="/facts/NewHope/B185hwvB">NewHope</a>. NIST holds signed statements from submitting groups clearing any legal claims, but there is still a concern that third parties could raise claims. NIST claims that they will take such considerations into account while picking the winning algorithms.<a class="footnote-ref" id="fnref:61" href="#fn:61"><sup>61</sup></a> </p> <h3>Round three submissions published attacks</h3> <ul><li>Rainbow: by Ward Beullens on a classical computer<a class="footnote-ref" id="fnref:62" href="#fn:62"><sup>62</sup></a></li></ul> <h3>Adaptations</h3> <p>During this round, some candidates have shown to be vulnerable to some attack vectors. It forces these candidates to adapt accordingly: </p> CRYSTAL-Kyber and SABER may change the nested hashes used in their proposals in order for their security claims to hold.<a class="footnote-ref" id="fnref:63" href="#fn:63"><sup>63</sup></a> FALCON side channel attack using electromagnetic measurements to extract the secret signing keys. A masking may be added in order to resist the attack. This adaptation affects performance and should be considered whilst standardizing.<a class="footnote-ref" id="fnref:64" href="#fn:64"><sup>64</sup></a> <h3>Selected Algorithms 2022</h3> <p>On July 5, 2022, NIST announced the first group of winners from its six-year competition.<a class="footnote-ref" id="fnref:65" href="#fn:65"><sup>65</sup></a><a class="footnote-ref" id="fnref:66" href="#fn:66"><sup>66</sup></a> </p> <table><tbody><tr><th>Type</th><th>PKE/KEM</th><th>Signature</th></tr><tr><td>Lattice</td><td><ul><li><a href="/facts/Kyber/FgSGHwCx">CRYSTALS-Kyber</a></li></ul></td><td><ul><li><a href="https://pq-crystals.org/dilithium/index.shtml">CRYSTALS-Dilithium</a></li><li><a href="https://falcon-sign.info/">FALCON</a></li></ul></td></tr><tr><td>Hash-based</td><td></td><td><ul><li><a href="https://sphincs.org/">SPHINCS+</a></li></ul></td></tr></tbody></table> <h2 id="round-four">Round four</h2> <p>On July 5, 2022, NIST announced four candidates for PQC Standardization Round 4.<a class="footnote-ref" id="fnref:67" href="#fn:67"><sup>67</sup></a> </p> <table><tbody><tr><th>Type</th><th>PKE/KEM</th></tr><tr><td>Code-based</td><td><ul><li><a href="https://bikesuite.org/">BIKE</a></li><li><a href="https://classic.mceliece.org/">Classic McEliece</a></li><li><a href="https://pqc-hqc.org/">HQC</a></li></ul></td></tr><tr><td>Supersingular elliptic curve isogeny</td><td><ul><li><a href="https://sike.org/">SIKE</a> (Broken August 5, 2022) <a class="footnote-ref" id="fnref:68" href="#fn:68"><sup>68</sup></a></li></ul></td></tr></tbody></table> <h3>Round four submissions published attacks</h3> <ul><li>SIKE: by Wouter Castryck and Thomas Decru on a classical computer<a class="footnote-ref" id="fnref:69" href="#fn:69"><sup>69</sup></a><a class="footnote-ref" id="fnref:70" href="#fn:70"><sup>70</sup></a></li></ul> <h3>Selected Algorithm 2025</h3> <p>On March 11, 2025, NIST announced the selection of a backup algorithm for KEM.<a class="footnote-ref" id="fnref:71" href="#fn:71"><sup>71</sup></a> </p> <table><tbody><tr><th>Type</th><th>PKE/KEM</th></tr><tr><td>Code-based</td><td><ul><li><a href="https://pqc-hqc.org/">HQC</a></li></ul></td></tr></tbody></table> <h2 id="first-release">First release</h2> <p>On August 13, 2024, NIST released final versions of its first three Post Quantum Crypto Standards.<a class="footnote-ref" id="fnref:72" href="#fn:72"><sup>72</sup></a> According to the release announcement: </p> <blockquote> <p>While there have been no substantive changes made to the standards since the draft versions, NIST has changed the algorithms’ names to specify the versions that appear in the three finalized standards, which are: </p> <ul><li>Federal Information Processing Standard (FIPS) 203, intended as the primary standard for general encryption. Among its advantages are comparatively small encryption keys that two parties can exchange easily, as well as its speed of operation. The standard is based on the CRYSTALS-Kyber algorithm, which has been renamed ML-KEM, short for Module-Lattice-Based Key-Encapsulation Mechanism.</li> <li>FIPS 204, intended as the primary standard for protecting digital signatures. The standard uses the CRYSTALS-Dilithium algorithm, which has been renamed ML-DSA, short for Module-Lattice-Based Digital Signature Algorithm.</li> <li>FIPS 205, also designed for digital signatures. The standard employs the Sphincs+ algorithm, which has been renamed SLH-DSA, short for Stateless Hash-Based Digital Signature Algorithm. The standard is based on a different math approach than ML-DSA, and it is intended as a backup method in case ML-DSA proves vulnerable.</li> <li>Similarly, when the draft FIPS 206 standard built around FALCON is released, the algorithm will be dubbed FN-DSA, short for FFT (fast-Fourier transform) over NTRU-Lattice-Based Digital Signature Algorithm.</li></ul> </blockquote> <p>On March 11, 2025 NIST released HQC as the fifth algorithm for post-quantum asymmetric encryption as used for key encapsulation / exchange.<a class="footnote-ref" id="fnref:73" href="#fn:73"><sup>73</sup></a> The new algorithm is as a backup for ML-KEM, the main algorithm for general encryption. HQC is based on different math than ML-KEM, thus mitigating weakness if found.<a class="footnote-ref" id="fnref:74" href="#fn:74"><sup>74</sup></a> The draft standard incorporating the HQC algorithm is expected in early 2026 with the final in 2027. </p> <h2 id="additional-digital-signature-schemes">Additional Digital Signature Schemes</h2> <h3>Round One</h3> <p>NIST received 50 submissions and deemed 40 to be complete and proper according to the submission requirements.<a class="footnote-ref" id="fnref:75" href="#fn:75"><sup>75</sup></a> Under consideration are:<a class="footnote-ref" id="fnref:76" href="#fn:76"><sup>76</sup></a> (strikethrough means it has been withdrawn) </p> <table><tbody><tr><th>Type</th><th>Signature</th></tr><tr><td><a href="/facts/Lattice-based_cryptography/66HyNf1P">Lattice</a></td><td><ul><li>EagleSign</li><li>EHTv3 and EHTv4</li><li>HAETAE<a class="footnote-ref" id="fnref:77" href="#fn:77"><sup>77</sup></a></li><li>HAWK</li><li>HuFu<a class="footnote-ref" id="fnref:78" href="#fn:78"><sup>78</sup></a></li><li>Raccoon<a class="footnote-ref" id="fnref:79" href="#fn:79"><sup>79</sup></a><a class="footnote-ref" id="fnref:80" href="#fn:80"><sup>80</sup></a></li><li>SQUIRRELS<a class="footnote-ref" id="fnref:81" href="#fn:81"><sup>81</sup></a></li></ul></td></tr><tr><td>Code-based</td><td><ul><li>CROSS<a class="footnote-ref" id="fnref:82" href="#fn:82"><sup>82</sup></a></li><li>Enhanced pqsigRM</li><li>FuLeeca<a class="footnote-ref" id="fnref:83" href="#fn:83"><sup>83</sup></a></li><li>LESS<a class="footnote-ref" id="fnref:84" href="#fn:84"><sup>84</sup></a></li><li>MEDS<a class="footnote-ref" id="fnref:85" href="#fn:85"><sup>85</sup></a></li><li>Wave<a class="footnote-ref" id="fnref:86" href="#fn:86"><sup>86</sup></a></li></ul></td></tr><tr><td>MPC-in-the-Head</td><td><ul><li>MIRA<a class="footnote-ref" id="fnref:87" href="#fn:87"><sup>87</sup></a></li><li>MiRitH<a class="footnote-ref" id="fnref:88" href="#fn:88"><sup>88</sup></a></li><li>MQOM<a class="footnote-ref" id="fnref:89" href="#fn:89"><sup>89</sup></a></li><li>PERK<a class="footnote-ref" id="fnref:90" href="#fn:90"><sup>90</sup></a></li><li>RYDE<a class="footnote-ref" id="fnref:91" href="#fn:91"><sup>91</sup></a></li><li>SDitH<a class="footnote-ref" id="fnref:92" href="#fn:92"><sup>92</sup></a></li></ul></td></tr><tr><td>Multivariate</td><td><ul><li>3WISE ("the submitter agrees that the scheme is insecure, but prefers to not withdraw in the hope that studying the scheme will advance cryptanalysis"<a class="footnote-ref" id="fnref:93" href="#fn:93"><sup>93</sup></a>)</li><li>Biscuit<a class="footnote-ref" id="fnref:94" href="#fn:94"><sup>94</sup></a></li><li>DME-Sign ("Our first impression is that the attack works and we are checking the details of the attack .We are implementing a variant of the DME that may resist the attack but we have to verify it."<a class="footnote-ref" id="fnref:95" href="#fn:95"><sup>95</sup></a>)</li><li>HPPC</li><li>MAYO<a class="footnote-ref" id="fnref:96" href="#fn:96"><sup>96</sup></a></li><li>PROV<a class="footnote-ref" id="fnref:97" href="#fn:97"><sup>97</sup></a></li><li>QR-UOV<a class="footnote-ref" id="fnref:98" href="#fn:98"><sup>98</sup></a></li><li>SNOVA<a class="footnote-ref" id="fnref:99" href="#fn:99"><sup>99</sup></a></li><li>TUOV<a class="footnote-ref" id="fnref:100" href="#fn:100"><sup>100</sup></a></li><li>UOV<a class="footnote-ref" id="fnref:101" href="#fn:101"><sup>101</sup></a></li><li>VOX<a class="footnote-ref" id="fnref:102" href="#fn:102"><sup>102</sup></a></li></ul></td></tr><tr><td>Supersingular elliptic curve isogeny</td><td><ul><li><a href="/facts/SQIsign/B5z3QfMX">SQIsign</a><a class="footnote-ref" id="fnref:103" href="#fn:103"><sup>103</sup></a></li></ul></td></tr><tr><td>Symmetric-based</td><td><ul><li>AIMer<a class="footnote-ref" id="fnref:104" href="#fn:104"><sup>104</sup></a></li><li>Ascon-Sign</li><li>FAEST<a class="footnote-ref" id="fnref:105" href="#fn:105"><sup>105</sup></a></li><li>SPHINCS-alpha</li></ul></td></tr><tr><td>Other</td><td><ul><li>ALTEQ<a class="footnote-ref" id="fnref:106" href="#fn:106"><sup>106</sup></a></li><li>eMLE-Sig 2.0</li><li>KAZ-SIGN</li><li>Preon</li><li>Xifrat1-Sign.I</li></ul></td></tr></tbody></table> <h3>Round one submissions published attacks</h3> <ul><li>3WISE by Daniel Smith-Tone<a class="footnote-ref" id="fnref:107" href="#fn:107"><sup>107</sup></a></li> <li>EagleSign by Mehdi Tibouchi<a class="footnote-ref" id="fnref:108" href="#fn:108"><sup>108</sup></a></li> <li>KAZ-SIGN by Daniel J. Bernstein;<a class="footnote-ref" id="fnref:109" href="#fn:109"><sup>109</sup></a> Scott Fluhrer<a class="footnote-ref" id="fnref:110" href="#fn:110"><sup>110</sup></a></li> <li>Xifrat1-Sign.I by Lorenz Panny<a class="footnote-ref" id="fnref:111" href="#fn:111"><sup>111</sup></a></li> <li>eMLE-Sig 2.0 by Mehdi Tibouchi<a class="footnote-ref" id="fnref:112" href="#fn:112"><sup>112</sup></a> (implementation by Lorenz Panny<a class="footnote-ref" id="fnref:113" href="#fn:113"><sup>113</sup></a>)</li> <li>HPPC by Ward Beullens;<a class="footnote-ref" id="fnref:114" href="#fn:114"><sup>114</sup></a> Pierre Briaud, Maxime Bros, and Ray Perlner<a class="footnote-ref" id="fnref:115" href="#fn:115"><sup>115</sup></a></li> <li>ALTEQ by Markku-Juhani O. Saarinen<a class="footnote-ref" id="fnref:116" href="#fn:116"><sup>116</sup></a> (implementation only?)</li> <li>Biscuit by Charles Bouillaguet<a class="footnote-ref" id="fnref:117" href="#fn:117"><sup>117</sup></a></li> <li>MEDS by Markku-Juhani O. Saarinen and Ward Beullens<a class="footnote-ref" id="fnref:118" href="#fn:118"><sup>118</sup></a> (implementation only)</li> <li>FuLeeca by Felicitas Hörmann and Wessel van Woerden<a class="footnote-ref" id="fnref:119" href="#fn:119"><sup>119</sup></a></li> <li>LESS by the LESS team (implementation only)<a class="footnote-ref" id="fnref:120" href="#fn:120"><sup>120</sup></a></li> <li>DME-Sign by Markku-Juhani O. Saarinen<a class="footnote-ref" id="fnref:121" href="#fn:121"><sup>121</sup></a> (implementation only?); Pierre Briaud, Maxime Bros, Ray Perlner, and Daniel Smith-Tone<a class="footnote-ref" id="fnref:122" href="#fn:122"><sup>122</sup></a></li> <li>EHTv3 by Eamonn Postlethwaite and Wessel van Woerden;<a class="footnote-ref" id="fnref:123" href="#fn:123"><sup>123</sup></a> Keegan Ryan and Adam Suhl<a class="footnote-ref" id="fnref:124" href="#fn:124"><sup>124</sup></a></li> <li>Enhanced pqsigRM by Thomas Debris-Alazard, Pierre Loisel and Valentin Vasseur;<a class="footnote-ref" id="fnref:125" href="#fn:125"><sup>125</sup></a> Pierre Briaud, Maxime Bros, Ray Perlner and Daniel Smith-Tone<a class="footnote-ref" id="fnref:126" href="#fn:126"><sup>126</sup></a></li> <li>HAETAE by Markku-Juhani O. Saarinen<a class="footnote-ref" id="fnref:127" href="#fn:127"><sup>127</sup></a> (implementation only?)</li> <li>HuFu by Markku-Juhani O. Saarinen<a class="footnote-ref" id="fnref:128" href="#fn:128"><sup>128</sup></a></li> <li>SDitH by Kevin Carrier and Jean-Pierre Tillich;<a class="footnote-ref" id="fnref:129" href="#fn:129"><sup>129</sup></a> Kevin Carrier, Valérian Hatey, and Jean-Pierre Tillich<a class="footnote-ref" id="fnref:130" href="#fn:130"><sup>130</sup></a></li> <li>VOX by Hiroki Furue and Yasuhiko Ikematsu<a class="footnote-ref" id="fnref:131" href="#fn:131"><sup>131</sup></a></li> <li>AIMer by Fukang Liu, Mohammad Mahzoun, Morten Øygarden, Willi Meier<a class="footnote-ref" id="fnref:132" href="#fn:132"><sup>132</sup></a></li> <li>SNOVA by Yasuhiko Ikematsu and Rika Akiyama<a class="footnote-ref" id="fnref:133" href="#fn:133"><sup>133</sup></a></li> <li>PROV by Ludovic Perret, and River Moreira Ferreira<a class="footnote-ref" id="fnref:134" href="#fn:134"><sup>134</sup></a> (implementation only)</li></ul> <h3>Round Two</h3> <p>NIST deemed 14 submissions to pass to the second round.<a class="footnote-ref" id="fnref:135" href="#fn:135"><sup>135</sup></a> </p> <table><tbody><tr><th>Type</th><th>Signature</th></tr><tr><td><a href="/facts/Lattice-based_cryptography/66HyNf1P">Lattice</a></td><td><ul><li>HAWK</li></ul></td></tr><tr><td>Code-based</td><td><ul><li>CROSS<a class="footnote-ref" id="fnref:136" href="#fn:136"><sup>136</sup></a></li><li>LESS<a class="footnote-ref" id="fnref:137" href="#fn:137"><sup>137</sup></a></li></ul></td></tr><tr><td>MPC-in-the-Head</td><td><ul><li>Mirath<a class="footnote-ref" id="fnref:138" href="#fn:138"><sup>138</sup></a> (merge of MIRA and MiRitH)</li><li>MQOM<a class="footnote-ref" id="fnref:139" href="#fn:139"><sup>139</sup></a></li><li>PERK<a class="footnote-ref" id="fnref:140" href="#fn:140"><sup>140</sup></a></li><li>RYDE<a class="footnote-ref" id="fnref:141" href="#fn:141"><sup>141</sup></a></li><li>SDitH<a class="footnote-ref" id="fnref:142" href="#fn:142"><sup>142</sup></a></li></ul></td></tr><tr><td>Multivariate</td><td><ul><li>MAYO<a class="footnote-ref" id="fnref:143" href="#fn:143"><sup>143</sup></a></li><li>QR-UOV<a class="footnote-ref" id="fnref:144" href="#fn:144"><sup>144</sup></a></li><li>SNOVA<a class="footnote-ref" id="fnref:145" href="#fn:145"><sup>145</sup></a></li><li>UOV<a class="footnote-ref" id="fnref:146" href="#fn:146"><sup>146</sup></a></li></ul></td></tr><tr><td>Supersingular elliptic curve isogeny</td><td><ul><li><a href="/facts/SQIsign/B5z3QfMX">SQIsign</a><a class="footnote-ref" id="fnref:147" href="#fn:147"><sup>147</sup></a></li></ul></td></tr><tr><td>Symmetric-based</td><td><ul><li>FAEST<a class="footnote-ref" id="fnref:148" href="#fn:148"><sup>148</sup></a></li></ul></td></tr></tbody></table> <h2 id="see-also">See also</h2> <ul><li><a href="/facts/Advanced_Encryption_Standard_process/UkHpAuEj">Advanced Encryption Standard process</a></li> <li><a href="/facts/CAESAR_Competition/L7oFqMqo">CAESAR Competition</a> – Competition to design authenticated encryption schemes</li> <li><a href="/facts/Lattice-based_cryptography/66HyNf1P">Lattice-based cryptography</a></li> <li><a href="/facts/NIST_hash_function_competition/DFxbPNbx">NIST hash function competition</a></li></ul> <h2 id="external-links">External links</h2> <ul><li><a href="https://csrc.nist.gov/Projects/Post-Quantum-Cryptography">NIST's official Website on the standardization process</a></li> <li><a href="https://pqcrypto.org/">Post-quantum cryptography website</a> by <a href="/facts/Daniel_J._Bernstein/KQLuMRTx">djb</a></li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>"Post-Quantum Cryptography PQC". 3 January 2017. <a href="https://csrc.nist.gov/projects/post-quantum-cryptography" target="_blank">https://csrc.nist.gov/projects/post-quantum-cryptography</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>"Post-Quantum Cryptography Standardization – Post-Quantum Cryptography". Csrc.nist.gov. 3 January 2017. Retrieved 31 January 2019. <a href="https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization" target="_blank">https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>Moody, Dustin (24 November 2020). "The Future Is Now: Spreading the Word About Post-Quantum Cryptography". NIST. <a href="https://www.nist.gov/blogs/taking-measure/future-now-spreading-word-about-post-quantum-cryptography" target="_blank">https://www.nist.gov/blogs/taking-measure/future-now-spreading-word-about-post-quantum-cryptography</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>"Final Submission received". Archived from the original on 29 December 2017. Retrieved 29 December 2017. <a href="https://web.archive.org/web/20171229232437/https://post-quantum.ch/" target="_blank">https://web.archive.org/web/20171229232437/https://post-quantum.ch/</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>NIST Releases First 3 Finalized Post-Quantum Encryption Standards, NIST, August 13, 2024 <a href="https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards" target="_blank">https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>Hong, Zhu (2001). "Survey of Computational Assumptions Used in Cryptography Broken or Not by Shor's Algorithm" (PDF). <a href="http://crypto.cs.mcgill.ca/~crepeau/PDF/memoire-hong.pdf" target="_blank">http://crypto.cs.mcgill.ca/~crepeau/PDF/memoire-hong.pdf</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>"NIST Released NISTIR 8105, Report on Post-Quantum Cryptography". 21 December 2016. Retrieved 5 November 2019. <a href="https://csrc.nist.gov/News/2016/NIST-Released-NISTIR-8105,-Report-on-Post-Quantum" target="_blank">https://csrc.nist.gov/News/2016/NIST-Released-NISTIR-8105,-Report-on-Post-Quantum</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> <li id="fn:8"><p>"NIST Asks Public to Help Future-Proof Electronic Information". NIST. 20 December 2016. Retrieved 5 November 2019. <a href="https://www.nist.gov/news-events/news/2016/12/nist-asks-public-help-future-proof-electronic-information" target="_blank">https://www.nist.gov/news-events/news/2016/12/nist-asks-public-help-future-proof-electronic-information</a> <a href="#fnref:8" class="footnote-back-ref">↩</a></p></li> <li id="fn:9"><p>Computer Security Division, Information Technology Laboratory (3 January 2017). "Round 1 Submissions – Post-Quantum Cryptography – CSRC". Csrc.nist.gov. Retrieved 31 January 2019. <a href="https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-1-Submissions" target="_blank">https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-1-Submissions</a> <a href="#fnref:9" class="footnote-back-ref">↩</a></p></li> <li id="fn:10"><p>"NIST Post Quantum Crypto Submission". Archived from the original on 29 December 2017. Retrieved 29 December 2017. <a href="https://web.archive.org/web/20171229114632/https://www.onboardsecurity.com/nist-post-quantum-crypto-submission" target="_blank">https://web.archive.org/web/20171229114632/https://www.onboardsecurity.com/nist-post-quantum-crypto-submission</a> <a href="#fnref:10" class="footnote-back-ref">↩</a></p></li> <li id="fn:11"><p>"Google Groups". Groups.google.com. Retrieved 31 January 2019. <a href="https://groups.google.com/a/list.nist.gov/forum/#!topic/pqc-forum/YsGkKEJTt5c" target="_blank">https://groups.google.com/a/list.nist.gov/forum/#!topic/pqc-forum/YsGkKEJTt5c</a> <a href="#fnref:11" class="footnote-back-ref">↩</a></p></li> <li id="fn:12"><p>"NIST Post Quantum Crypto Submission". Archived from the original on 29 December 2017. Retrieved 29 December 2017. <a href="https://web.archive.org/web/20171229114632/https://www.onboardsecurity.com/nist-post-quantum-crypto-submission" target="_blank">https://web.archive.org/web/20171229114632/https://www.onboardsecurity.com/nist-post-quantum-crypto-submission</a> <a href="#fnref:12" class="footnote-back-ref">↩</a></p></li> <li id="fn:13"><p>qTESLA team. "Efficient and post-quantum secure lattice-based signature scheme". qTESLA.org. Archived from the original on 9 December 2023. Retrieved 4 March 2024. <a href="https://web.archive.org/web/20231209220840/https://qtesla.org/" target="_blank">https://web.archive.org/web/20231209220840/https://qtesla.org/</a> <a href="#fnref:13" class="footnote-back-ref">↩</a></p></li> <li id="fn:14"><p>"qTESLA". Microsoft Research. Archived from the original on 31 December 2022. Retrieved 4 March 2024. <a href="https://www.microsoft.com/en-us/research/project/qtesla/" target="_blank">https://www.microsoft.com/en-us/research/project/qtesla/</a> <a href="#fnref:14" class="footnote-back-ref">↩</a></p></li> <li id="fn:15"><p>"ROLLO". Pqc-rollo.org. Retrieved 31 January 2019. <a href="http://www.pqc-rollo.org/" target="_blank">http://www.pqc-rollo.org/</a> <a href="#fnref:15" class="footnote-back-ref">↩</a></p></li> <li id="fn:16"><p>RSA using 231 4096-bit primes for a total key size of 1 TiB. "Key almost fits on a hard drive" Bernstein, Daniel (28 May 2010). "McBits and Post-Quantum RSA" (PDF). Retrieved 10 December 2019. <a href="/wiki/Daniel_J._Bernstein" target="_blank">/wiki/Daniel_J._Bernstein</a> <a href="#fnref:16" class="footnote-back-ref">↩</a></p></li> <li id="fn:17"><p>Bernstein, Daniel; Heninger, Nadia (19 April 2017). "Post-quantum RSA" (PDF). Retrieved 10 December 2019. <a href="/wiki/Daniel_J._Bernstein" target="_blank">/wiki/Daniel_J._Bernstein</a> <a href="#fnref:17" class="footnote-back-ref">↩</a></p></li> <li id="fn:18"><p>"Dear all, the following Python script quickly recovers the message from a given "Guess Again" ciphertext without knowledge of the private key" (PDF). Csrc.nist.gov. Retrieved 30 January 2019. <a href="https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/official-comments/guess-again-official-comment.pdf" target="_blank">https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/official-comments/guess-again-official-comment.pdf</a> <a href="#fnref:18" class="footnote-back-ref">↩</a></p></li> <li id="fn:19"><p>Panny, Lorenz (25 December 2017). "Fast key recovery attack against the "RVB" submission to #NISTPQC: t .... Computes private from public key". Twitter. Retrieved 31 January 2019. <a href="https://twitter.com/yx7__/status/945283780851400704" target="_blank">https://twitter.com/yx7__/status/945283780851400704</a> <a href="#fnref:19" class="footnote-back-ref">↩</a></p></li> <li id="fn:20"><p>"Comments on RaCoSS". Archived from the original on 26 December 2017. Retrieved 4 January 2018. <a href="https://web.archive.org/web/20171226100156/https://helaas.org/racoss/" target="_blank">https://web.archive.org/web/20171226100156/https://helaas.org/racoss/</a> <a href="#fnref:20" class="footnote-back-ref">↩</a></p></li> <li id="fn:21"><p>"Comments on HK17". Archived from the original on 5 January 2018. Retrieved 4 January 2018. <a href="https://web.archive.org/web/20180105070112/https://helaas.org/hk17/" target="_blank">https://web.archive.org/web/20180105070112/https://helaas.org/hk17/</a> <a href="#fnref:21" class="footnote-back-ref">↩</a></p></li> <li id="fn:22"><p>"Dear all, We have broken SRTPI under CPA and TPSig under KMA" (PDF). Csrc.nist.gov. Retrieved 30 January 2019. <a href="https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/official-comments/SRTPI-official-comment.pdf" target="_blank">https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/official-comments/SRTPI-official-comment.pdf</a> <a href="#fnref:22" class="footnote-back-ref">↩</a></p></li> <li id="fn:23"><p>Beullens, Ward; Blackburn, Simon R. (2018). "Practical attacks against the Walnut digital signature scheme". Cryptology ePrint Archive. <a href="https://eprint.iacr.org/2018/318" target="_blank">https://eprint.iacr.org/2018/318</a> <a href="#fnref:23" class="footnote-back-ref">↩</a></p></li> <li id="fn:24"><p>Kotov, Matvei; Menshov, Anton; Ushakov, Alexander (2018). "An attack on the walnut digital signature algorithm". Cryptology ePrint Archive. <a href="https://eprint.iacr.org/2018/393" target="_blank">https://eprint.iacr.org/2018/393</a> <a href="#fnref:24" class="footnote-back-ref">↩</a></p></li> <li id="fn:25"><p>Yu, Yang; Ducas, Léo (2018). "Learning strikes again: the case of the DRS signature scheme". Cryptology ePrint Archive. <a href="https://eprint.iacr.org/2018/294" target="_blank">https://eprint.iacr.org/2018/294</a> <a href="#fnref:25" class="footnote-back-ref">↩</a></p></li> <li id="fn:26"><p>Barelli, Elise; Couvreur, Alain (2018). "An efficient structural attack on NIST submission DAGS". arXiv:1805.05429 [cs.CR]. <a href="/wiki/ArXiv_(identifier)" target="_blank">/wiki/ArXiv_(identifier)</a> <a href="#fnref:26" class="footnote-back-ref">↩</a></p></li> <li id="fn:27"><p>Lequesne, Matthieu; Tillich, Jean-Pierre (2018). "Attack on the Edon-K Key Encapsulation Mechanism". arXiv:1802.06157 [cs.CR]. <a href="/wiki/ArXiv_(identifier)" target="_blank">/wiki/ArXiv_(identifier)</a> <a href="#fnref:27" class="footnote-back-ref">↩</a></p></li> <li id="fn:28"><p>Couvreur, Alain; Lequesne, Matthieu; Tillich, Jean-Pierre (2018). "Recovering short secret keys of RLCE in polynomial time". arXiv:1805.11489 [cs.CR]. <a href="/wiki/ArXiv_(identifier)" target="_blank">/wiki/ArXiv_(identifier)</a> <a href="#fnref:28" class="footnote-back-ref">↩</a></p></li> <li id="fn:29"><p>Bernstein, Daniel J.; Groot Bruinderink, Leon; Lange, Tanja; Lange, Lorenz (2017). "Hila5 Pindakaas: On the CCA security of lattice-based encryption with error correction". Cryptology ePrint Archive. <a href="https://eprint.iacr.org/2017/1214" target="_blank">https://eprint.iacr.org/2017/1214</a> <a href="#fnref:29" class="footnote-back-ref">↩</a></p></li> <li id="fn:30"><p>"Official Comments" (PDF). Csrc.nist.gov. 13 September 2018. <a href="https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/official-comments/Giophantus-official-comment.pdf" target="_blank">https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/official-comments/Giophantus-official-comment.pdf</a> <a href="#fnref:30" class="footnote-back-ref">↩</a></p></li> <li id="fn:31"><p>Debris-Alazard, Thomas; Tillich, Jean-Pierre (2018). "Two attacks on rank metric code-based schemes: RankSign and an Identity-Based-Encryption scheme". arXiv:1804.02556 [cs.CR]. <a href="/wiki/ArXiv_(identifier)" target="_blank">/wiki/ArXiv_(identifier)</a> <a href="#fnref:31" class="footnote-back-ref">↩</a></p></li> <li id="fn:32"><p>"I am afraid the parameters in this proposal have at most 4 to 6-bits security under the Information Set Decoding (ISD) attack" (PDF). Csrc.nist.gov. Retrieved 30 January 2019. <a href="https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/official-comments/McNie-official-comment.pdf" target="_blank">https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/official-comments/McNie-official-comment.pdf</a> <a href="#fnref:32" class="footnote-back-ref">↩</a></p></li> <li id="fn:33"><p>Lau, Terry Shue Chien; Tan, Chik How (31 January 2019). "Key Recovery Attack on McNie Based on Low Rank Parity Check Codes and Its Reparation". In Inomata, Atsuo; Yasuda, Kan (eds.). Advances in Information and Computer Security. Lecture Notes in Computer Science. Vol. 11049. Springer International Publishing. pp. 19–34. doi:10.1007/978-3-319-97916-8_2. ISBN 978-3-319-97915-1. <a href="978-3-319-97915-1" target="_blank">978-3-319-97915-1</a> <a href="#fnref:33" class="footnote-back-ref">↩</a></p></li> <li id="fn:34"><p>Computer Security Division, Information Technology Laboratory (3 January 2017). "Round 2 Submissions – Post-Quantum Cryptography – CSRC". Csrc.nist.gov. Retrieved 31 January 2019. <a href="https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions" target="_blank">https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions</a> <a href="#fnref:34" class="footnote-back-ref">↩</a></p></li> <li id="fn:35"><p>Schwabe, Peter. "CRYSTALS". Pq-crystals.org. Retrieved 31 January 2019. <a href="https://pq-crystals.org/" target="_blank">https://pq-crystals.org/</a> <a href="#fnref:35" class="footnote-back-ref">↩</a></p></li> <li id="fn:36"><p>"FrodoKEM". Frodokem.org. Retrieved 31 January 2019. <a href="https://frodokem.org/" target="_blank">https://frodokem.org/</a> <a href="#fnref:36" class="footnote-back-ref">↩</a></p></li> <li id="fn:37"><p>Schwabe, Peter. "NewHope". Newhopecrypto.org. Retrieved 31 January 2019. <a href="https://newhopecrypto.org/" target="_blank">https://newhopecrypto.org/</a> <a href="#fnref:37" class="footnote-back-ref">↩</a></p></li> <li id="fn:38"><p>"NIST Post Quantum Crypto Submission". Archived from the original on 29 December 2017. Retrieved 29 December 2017. <a href="https://web.archive.org/web/20171229114632/https://www.onboardsecurity.com/nist-post-quantum-crypto-submission" target="_blank">https://web.archive.org/web/20171229114632/https://www.onboardsecurity.com/nist-post-quantum-crypto-submission</a> <a href="#fnref:38" class="footnote-back-ref">↩</a></p></li> <li id="fn:39"><p>"NTRU Prime: Intro". Archived from the original on 1 September 2019. Retrieved 30 January 2019. <a href="https://web.archive.org/web/20190901185114/https://ntruprime.cr.yp.to/" target="_blank">https://web.archive.org/web/20190901185114/https://ntruprime.cr.yp.to/</a> <a href="#fnref:39" class="footnote-back-ref">↩</a></p></li> <li id="fn:40"><p>"Google Groups". Groups.google.com. Retrieved 31 January 2019. <a href="https://groups.google.com/a/list.nist.gov/forum/#!topic/pqc-forum/YsGkKEJTt5c" target="_blank">https://groups.google.com/a/list.nist.gov/forum/#!topic/pqc-forum/YsGkKEJTt5c</a> <a href="#fnref:40" class="footnote-back-ref">↩</a></p></li> <li id="fn:41"><p>"SABER". Retrieved 17 June 2019. <a href="https://www.esat.kuleuven.be/cosic/pqcrypto/saber/index.html" target="_blank">https://www.esat.kuleuven.be/cosic/pqcrypto/saber/index.html</a> <a href="#fnref:41" class="footnote-back-ref">↩</a></p></li> <li id="fn:42"><p>"ThreeBears". SourceForge.net. Retrieved 31 January 2019. <a href="https://sourceforge.net/projects/threebears/" target="_blank">https://sourceforge.net/projects/threebears/</a> <a href="#fnref:42" class="footnote-back-ref">↩</a></p></li> <li id="fn:43"><p>Schwabe, Peter. "CRYSTALS". Pq-crystals.org. Retrieved 31 January 2019. <a href="https://pq-crystals.org/" target="_blank">https://pq-crystals.org/</a> <a href="#fnref:43" class="footnote-back-ref">↩</a></p></li> <li id="fn:44"><p>"Falcon". Falcon. Retrieved 26 June 2019. <a href="https://falcon-sign.info/" target="_blank">https://falcon-sign.info/</a> <a href="#fnref:44" class="footnote-back-ref">↩</a></p></li> <li id="fn:45"><p>"BIKE – Bit Flipping Key Encapsulation". Bikesuite.org. Retrieved 31 January 2019. <a href="https://bikesuite.org/" target="_blank">https://bikesuite.org/</a> <a href="#fnref:45" class="footnote-back-ref">↩</a></p></li> <li id="fn:46"><p>"HQC". Pqc-hqc.org. Retrieved 31 January 2019. <a href="https://pqc-hqc.org/" target="_blank">https://pqc-hqc.org/</a> <a href="#fnref:46" class="footnote-back-ref">↩</a></p></li> <li id="fn:47"><p>"LEDAkem Key Encapsulation Module". Ledacrypt.org. Retrieved 31 January 2019. <a href="https://www.ledacrypt.org/LEDAkem/" target="_blank">https://www.ledacrypt.org/LEDAkem/</a> <a href="#fnref:47" class="footnote-back-ref">↩</a></p></li> <li id="fn:48"><p>"LEDApkc Public Key Cryptosystem". Ledacrypt.org. Retrieved 31 January 2019. <a href="https://www.ledacrypt.org/LEDApkc/" target="_blank">https://www.ledacrypt.org/LEDApkc/</a> <a href="#fnref:48" class="footnote-back-ref">↩</a></p></li> <li id="fn:49"><p>"NTS-Kem". Archived from the original on 29 December 2017. Retrieved 29 December 2017. <a href="https://web.archive.org/web/20171229103229/https://nts-kem.io/" target="_blank">https://web.archive.org/web/20171229103229/https://nts-kem.io/</a> <a href="#fnref:49" class="footnote-back-ref">↩</a></p></li> <li id="fn:50"><p>"ROLLO". Pqc-rollo.org. Retrieved 31 January 2019. <a href="http://www.pqc-rollo.org/" target="_blank">http://www.pqc-rollo.org/</a> <a href="#fnref:50" class="footnote-back-ref">↩</a></p></li> <li id="fn:51"><p>"RQC". Pqc-rqc.org. Retrieved 31 January 2019. <a href="http://pqc-rqc.org/" target="_blank">http://pqc-rqc.org/</a> <a href="#fnref:51" class="footnote-back-ref">↩</a></p></li> <li id="fn:52"><p>"Sphincs". Sphincs.org. Retrieved 19 June 2023. <a href="https://sphincs.org/" target="_blank">https://sphincs.org/</a> <a href="#fnref:52" class="footnote-back-ref">↩</a></p></li> <li id="fn:53"><p>"GeMSS". Archived from the original on 31 January 2019. Retrieved 30 January 2019. <a href="https://web.archive.org/web/20190131040055/https://www-polsys.lip6.fr/Links/NIST/GeMSS.html" target="_blank">https://web.archive.org/web/20190131040055/https://www-polsys.lip6.fr/Links/NIST/GeMSS.html</a> <a href="#fnref:53" class="footnote-back-ref">↩</a></p></li> <li id="fn:54"><p>"LUOV -- An MQ signature scheme". Retrieved 22 January 2020. <a href="https://www.esat.kuleuven.be/cosic/pqcrypto/luov/" target="_blank">https://www.esat.kuleuven.be/cosic/pqcrypto/luov/</a> <a href="#fnref:54" class="footnote-back-ref">↩</a></p></li> <li id="fn:55"><p>"MQDSS post-quantum signature". Mqdss.org. Retrieved 31 January 2019. <a href="http://mqdss.org/" target="_blank">http://mqdss.org/</a> <a href="#fnref:55" class="footnote-back-ref">↩</a></p></li> <li id="fn:56"><p>"SIKE – Supersingular Isogeny Key Encapsulation". Sike.org. Retrieved 31 January 2019. <a href="https://sike.org/" target="_blank">https://sike.org/</a> <a href="#fnref:56" class="footnote-back-ref">↩</a></p></li> <li id="fn:57"><p>"Picnic. A Family of Post-Quantum Secure Digital Signature Algorithms". microsoft.github.io. Retrieved 26 February 2019. <a href="https://microsoft.github.io/Picnic/" target="_blank">https://microsoft.github.io/Picnic/</a> <a href="#fnref:57" class="footnote-back-ref">↩</a></p></li> <li id="fn:58"><p>Moody, Dustin; Alagic, Gorjan; Apon, Daniel C.; Cooper, David A.; Dang, Quynh H.; Kelsey, John M.; Liu, Yi-Kai; Miller, Carl A.; Peralta, Rene C.; Perlner, Ray A.; Robinson, Angela Y.; Smith-Tone, Daniel C.; Alperin-Sheriff, Jacob (2020). "Status Report on the Second Round of the NIST Post-Quantum Cryptography Standardization Process". doi:10.6028/NIST.IR.8309. S2CID 243755462. Retrieved 23 July 2020. <a href="https://csrc.nist.gov/publications/detail/nistir/8309/final" target="_blank">https://csrc.nist.gov/publications/detail/nistir/8309/final</a> <a href="#fnref:58" class="footnote-back-ref">↩</a></p></li> <li id="fn:59"><p>Third PQC Standardization Conference - Session I Welcome/Candidate Updates, 10 June 2021, retrieved 6 July 2021 <a href="https://www.nist.gov/video/third-pqc-standardization-conference-session-i-welcomecandidate-updates" target="_blank">https://www.nist.gov/video/third-pqc-standardization-conference-session-i-welcomecandidate-updates</a> <a href="#fnref:59" class="footnote-back-ref">↩</a></p></li> <li id="fn:60"><p>Computer Security Division, Information Technology Laboratory (10 February 2021). "Third PQC Standardization Conference | CSRC". CSRC | NIST. Retrieved 6 July 2021. <a href="https://csrc.nist.gov/Events/2021/third-pqc-standardization-conference" target="_blank">https://csrc.nist.gov/Events/2021/third-pqc-standardization-conference</a> <a href="#fnref:60" class="footnote-back-ref">↩</a></p></li> <li id="fn:61"><p>"Submission Requirements and Evaluation Criteria" (PDF). <a href="https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf" target="_blank">https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf</a> <a href="#fnref:61" class="footnote-back-ref">↩</a></p></li> <li id="fn:62"><p>Beullens, Ward (2022). "Breaking Rainbow Takes a Weekend on a Laptop" (PDF). Eprint.iacr.org. <a href="https://eprint.iacr.org/2022/214.pdf" target="_blank">https://eprint.iacr.org/2022/214.pdf</a> <a href="#fnref:62" class="footnote-back-ref">↩</a></p></li> <li id="fn:63"><p>Grubbs, Paul; Maram, Varun; Paterson, Kenneth G. (2021). "Anonymous, Robust Post-Quantum Public Key Encryption". Cryptology ePrint Archive. <a href="https://eprint.iacr.org/2021/708" target="_blank">https://eprint.iacr.org/2021/708</a> <a href="#fnref:63" class="footnote-back-ref">↩</a></p></li> <li id="fn:64"><p>Karabulut, Emre; Aysu, Aydin (2021). "Falcon Down: Breaking Falcon Post-Quantum Signature Scheme through Side-Channel Attacks". Cryptology ePrint Archive. <a href="https://eprint.iacr.org/2021/772" target="_blank">https://eprint.iacr.org/2021/772</a> <a href="#fnref:64" class="footnote-back-ref">↩</a></p></li> <li id="fn:65"><p>"NIST Announces First Four Quantum-Resistant Cryptographic Algorithms". NIST. 5 July 2022. Retrieved 9 July 2022. <a href="https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms" target="_blank">https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms</a> <a href="#fnref:65" class="footnote-back-ref">↩</a></p></li> <li id="fn:66"><p>"Selected Algorithms 2022". CSRC | NIST. 5 July 2022. Retrieved 9 July 2022. <a href="https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022" target="_blank">https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022</a> <a href="#fnref:66" class="footnote-back-ref">↩</a></p></li> <li id="fn:67"><p>"Round 4 Submissions". CSRC | NIST. 5 July 2022. Retrieved 9 July 2022. <a href="https://csrc.nist.gov/Projects/post-quantum-cryptography/round-4-submissions" target="_blank">https://csrc.nist.gov/Projects/post-quantum-cryptography/round-4-submissions</a> <a href="#fnref:67" class="footnote-back-ref">↩</a></p></li> <li id="fn:68"><p>"SIKE Team - Foreword and postscript" (PDF). <a href="https://csrc.nist.gov/csrc/media/Projects/post-quantum-cryptography/documents/round-4/submissions/sike-team-note-insecure.pdf" target="_blank">https://csrc.nist.gov/csrc/media/Projects/post-quantum-cryptography/documents/round-4/submissions/sike-team-note-insecure.pdf</a> <a href="#fnref:68" class="footnote-back-ref">↩</a></p></li> <li id="fn:69"><p>Goodin, Dan (2 August 2022). "Post-quantum encryption contender is taken out by single-core PC and 1 hour". Ars Technica. Retrieved 6 August 2022. <a href="https://arstechnica.com/information-technology/2022/08/sike-once-a-post-quantum-encryption-contender-is-koed-in-nist-smackdown/" target="_blank">https://arstechnica.com/information-technology/2022/08/sike-once-a-post-quantum-encryption-contender-is-koed-in-nist-smackdown/</a> <a href="#fnref:69" class="footnote-back-ref">↩</a></p></li> <li id="fn:70"><p>https://nvlpubs.nist.gov/nistpubs/ir/2025/NIST.IR.8545.pdf <a href="https://nvlpubs.nist.gov/nistpubs/ir/2025/NIST.IR.8545.pdf" target="_blank">https://nvlpubs.nist.gov/nistpubs/ir/2025/NIST.IR.8545.pdf</a> <a href="#fnref:70" class="footnote-back-ref">↩</a></p></li> <li id="fn:71"><p>"NIST Selects HQC as Fifth Algorithm for Post-Quantum Encryption". NIST. 11 March 2025. Retrieved 20 May 2025. <a href="https://www.nist.gov/news-events/news/2025/03/nist-selects-hqc-fifth-algorithm-post-quantum-encryption" target="_blank">https://www.nist.gov/news-events/news/2025/03/nist-selects-hqc-fifth-algorithm-post-quantum-encryption</a> <a href="#fnref:71" class="footnote-back-ref">↩</a></p></li> <li id="fn:72"><p>NIST Releases First 3 Finalized Post-Quantum Encryption Standards, NIST, August 13, 2024 <a href="https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards" target="_blank">https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards</a> <a href="#fnref:72" class="footnote-back-ref">↩</a></p></li> <li id="fn:73"><p>"NIST Selects HQC as Fifth Algorithm for Post-Quantum Encryption". NIST. 11 March 2025. Retrieved 20 May 2025. <a href="https://www.nist.gov/news-events/news/2025/03/nist-selects-hqc-fifth-algorithm-post-quantum-encryption" target="_blank">https://www.nist.gov/news-events/news/2025/03/nist-selects-hqc-fifth-algorithm-post-quantum-encryption</a> <a href="#fnref:73" class="footnote-back-ref">↩</a></p></li> <li id="fn:74"><p>https://nvlpubs.nist.gov/nistpubs/ir/2025/NIST.IR.8545.pdf <a href="https://nvlpubs.nist.gov/nistpubs/ir/2025/NIST.IR.8545.pdf" target="_blank">https://nvlpubs.nist.gov/nistpubs/ir/2025/NIST.IR.8545.pdf</a> <a href="#fnref:74" class="footnote-back-ref">↩</a></p></li> <li id="fn:75"><p>Moody, Dustin (17 July 2023). "Onramp submissions are posted!". <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/4zNPlO_NHas" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/4zNPlO_NHas</a> <a href="#fnref:75" class="footnote-back-ref">↩</a></p></li> <li id="fn:76"><p>"Digital Signature Schemes". csrc.nist.gov. 29 August 2022. Retrieved 17 July 2023. <a href="https://csrc.nist.gov/Projects/pqc-dig-sig/round-1-additional-signatures" target="_blank">https://csrc.nist.gov/Projects/pqc-dig-sig/round-1-additional-signatures</a> <a href="#fnref:76" class="footnote-back-ref">↩</a></p></li> <li id="fn:77"><p>"SMAUG & HAETAE - HAETAE". <a href="https://kpqc.cryptolab.co.kr/haetae" target="_blank">https://kpqc.cryptolab.co.kr/haetae</a> <a href="#fnref:77" class="footnote-back-ref">↩</a></p></li> <li id="fn:78"><p>"Hufu". <a href="http://123.56.244.4/" target="_blank">http://123.56.244.4/</a> <a href="#fnref:78" class="footnote-back-ref">↩</a></p></li> <li id="fn:79"><p>"RACCOON – Not just a signature, a whole family of it !". <a href="https://raccoonfamily.org/" target="_blank">https://raccoonfamily.org/</a> <a href="#fnref:79" class="footnote-back-ref">↩</a></p></li> <li id="fn:80"><p>"masksign/raccoon: Raccoon Signature Scheme -- Reference Code". GitHub. <a href="https://github.com/masksign/raccoon/" target="_blank">https://github.com/masksign/raccoon/</a> <a href="#fnref:80" class="footnote-back-ref">↩</a></p></li> <li id="fn:81"><p>"Squirrels - Introduction". <a href="https://www.squirrels-pqc.org/" target="_blank">https://www.squirrels-pqc.org/</a> <a href="#fnref:81" class="footnote-back-ref">↩</a></p></li> <li id="fn:82"><p>"CROSS crypto". <a href="https://cross-crypto.com/" target="_blank">https://cross-crypto.com/</a> <a href="#fnref:82" class="footnote-back-ref">↩</a></p></li> <li id="fn:83"><p>"FuLeeca: A Lee-based Signature Scheme - Lehrstuhl für Nachrichtentechnik". <a href="https://www.ce.cit.tum.de/lnt/forschung/professur-fuer-coding-and-cryptography/fuleeca/" target="_blank">https://www.ce.cit.tum.de/lnt/forschung/professur-fuer-coding-and-cryptography/fuleeca/</a> <a href="#fnref:83" class="footnote-back-ref">↩</a></p></li> <li id="fn:84"><p>"LESS project". <a href="https://www.less-project.com/" target="_blank">https://www.less-project.com/</a> <a href="#fnref:84" class="footnote-back-ref">↩</a></p></li> <li id="fn:85"><p>"MEDS". <a href="https://www.meds-pqc.org/" target="_blank">https://www.meds-pqc.org/</a> <a href="#fnref:85" class="footnote-back-ref">↩</a></p></li> <li id="fn:86"><p>"WAVE". <a href="https://wave-sign.org/" target="_blank">https://wave-sign.org/</a> <a href="#fnref:86" class="footnote-back-ref">↩</a></p></li> <li id="fn:87"><p>"MIRA". <a href="https://pqc-mira.org/" target="_blank">https://pqc-mira.org/</a> <a href="#fnref:87" class="footnote-back-ref">↩</a></p></li> <li id="fn:88"><p>"MiRitH". <a href="https://pqc-mirith.org/" target="_blank">https://pqc-mirith.org/</a> <a href="#fnref:88" class="footnote-back-ref">↩</a></p></li> <li id="fn:89"><p>"MQOM". <a href="https://www.mqom.org/" target="_blank">https://www.mqom.org/</a> <a href="#fnref:89" class="footnote-back-ref">↩</a></p></li> <li id="fn:90"><p>"PERK". <a href="https://pqc-perk.org/" target="_blank">https://pqc-perk.org/</a> <a href="#fnref:90" class="footnote-back-ref">↩</a></p></li> <li id="fn:91"><p>"RYDE". <a href="https://pqc-ryde.org/" target="_blank">https://pqc-ryde.org/</a> <a href="#fnref:91" class="footnote-back-ref">↩</a></p></li> <li id="fn:92"><p>"SD-in-the-Head". <a href="https://sdith.org/" target="_blank">https://sdith.org/</a> <a href="#fnref:92" class="footnote-back-ref">↩</a></p></li> <li id="fn:93"><p>Smith-Tone, Daniel (17 July 2023). "OFFICIAL COMMENT: 3WISE". <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/fsfGqHCgGvY" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/fsfGqHCgGvY</a> <a href="#fnref:93" class="footnote-back-ref">↩</a></p></li> <li id="fn:94"><p>"Home". <a href="https://www.biscuit-pqc.org/" target="_blank">https://www.biscuit-pqc.org/</a> <a href="#fnref:94" class="footnote-back-ref">↩</a></p></li> <li id="fn:95"><p>"OFFICIAL COMMENT: DME Key Recovery Attack". groups.google.com. Retrieved 10 September 2023. <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/aoXpl4TlNh4" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/aoXpl4TlNh4</a> <a href="#fnref:95" class="footnote-back-ref">↩</a></p></li> <li id="fn:96"><p>"MAYO". <a href="https://pqmayo.org/" target="_blank">https://pqmayo.org/</a> <a href="#fnref:96" class="footnote-back-ref">↩</a></p></li> <li id="fn:97"><p>"PROV". <a href="https://prov-sign.github.io/" target="_blank">https://prov-sign.github.io/</a> <a href="#fnref:97" class="footnote-back-ref">↩</a></p></li> <li id="fn:98"><p>"QR-UOV". <a href="https://info.isl.ntt.co.jp/crypt/qruov/" target="_blank">https://info.isl.ntt.co.jp/crypt/qruov/</a> <a href="#fnref:98" class="footnote-back-ref">↩</a></p></li> <li id="fn:99"><p>"SNOVA". snova.pqclab.org. Retrieved 23 September 2023. <a href="https://snova.pqclab.org/" target="_blank">https://snova.pqclab.org/</a> <a href="#fnref:99" class="footnote-back-ref">↩</a></p></li> <li id="fn:100"><p>"TUOV". <a href="https://www.tuovsig.org/" target="_blank">https://www.tuovsig.org/</a> <a href="#fnref:100" class="footnote-back-ref">↩</a></p></li> <li id="fn:101"><p>"UOV". <a href="https://www.uovsig.org/" target="_blank">https://www.uovsig.org/</a> <a href="#fnref:101" class="footnote-back-ref">↩</a></p></li> <li id="fn:102"><p>"VOX". <a href="https://vox-sign.com/" target="_blank">https://vox-sign.com/</a> <a href="#fnref:102" class="footnote-back-ref">↩</a></p></li> <li id="fn:103"><p>"SQIsign". <a href="https://sqisign.org/" target="_blank">https://sqisign.org/</a> <a href="#fnref:103" class="footnote-back-ref">↩</a></p></li> <li id="fn:104"><p>"AIMer Signature". <a href="https://aimer-signature.org/" target="_blank">https://aimer-signature.org/</a> <a href="#fnref:104" class="footnote-back-ref">↩</a></p></li> <li id="fn:105"><p>"Come and join the FAEST | FAEST Signature Algorithm". <a href="https://faest.info/" target="_blank">https://faest.info/</a> <a href="#fnref:105" class="footnote-back-ref">↩</a></p></li> <li id="fn:106"><p>"ALTEQ". <a href="https://pqcalteq.github.io/" target="_blank">https://pqcalteq.github.io/</a> <a href="#fnref:106" class="footnote-back-ref">↩</a></p></li> <li id="fn:107"><p>Smith-Tone, Daniel (17 July 2023). "OFFICIAL COMMENT: 3WISE". <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/fsfGqHCgGvY" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/fsfGqHCgGvY</a> <a href="#fnref:107" class="footnote-back-ref">↩</a></p></li> <li id="fn:108"><p>Tibouchi, Mehdi (17 July 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: EagleSign". <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/zas5PLiBe6A" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/zas5PLiBe6A</a> <a href="#fnref:108" class="footnote-back-ref">↩</a></p></li> <li id="fn:109"><p>Bernstein, D.J. (17 July 2023). "OFFICIAL COMMENT: KAZ-SIGN". <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/2ljDcgtawFw" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/2ljDcgtawFw</a> <a href="#fnref:109" class="footnote-back-ref">↩</a></p></li> <li id="fn:110"><p>Fluhrer, Scott (17 July 2023). "KAZ-SIGN". <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/aCbi4BMDeUs" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/aCbi4BMDeUs</a> <a href="#fnref:110" class="footnote-back-ref">↩</a></p></li> <li id="fn:111"><p>Panny, Lorenz (17 July 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: Xifrat1-Sign.I". <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/9FXtBZKWueA" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/9FXtBZKWueA</a> <a href="#fnref:111" class="footnote-back-ref">↩</a></p></li> <li id="fn:112"><p>Tibouchi, Mehdi (18 July 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: EagleSign". <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/zas5PLiBe6A/m/EVmNzzglBQAJ" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/zas5PLiBe6A/m/EVmNzzglBQAJ</a> <a href="#fnref:112" class="footnote-back-ref">↩</a></p></li> <li id="fn:113"><p>Panny, Lorenz. "Round 1 (Additional Signatures) OFFICIAL COMMENT: EagleSign". groups.google.com. Retrieved 13 May 2025. <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/zas5PLiBe6A/m/AKIzf2q8BgAJ" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/zas5PLiBe6A/m/AKIzf2q8BgAJ</a> <a href="#fnref:113" class="footnote-back-ref">↩</a></p></li> <li id="fn:114"><p>Beullens, Ward (18 July 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: HPPC". <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/KRh8w03PW4E" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/KRh8w03PW4E</a> <a href="#fnref:114" class="footnote-back-ref">↩</a></p></li> <li id="fn:115"><p>Perlner, Ray (21 July 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: HPPC". <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/KRh8w03PW4E/m/IYGDdEJEBgAJ" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/KRh8w03PW4E/m/IYGDdEJEBgAJ</a> <a href="#fnref:115" class="footnote-back-ref">↩</a></p></li> <li id="fn:116"><p>Saarinen, Markku-Juhani O. (18 July 2023). "OFFICIAL COMMENT: ALTEQ". <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/-LCPCJCyLlc" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/-LCPCJCyLlc</a> <a href="#fnref:116" class="footnote-back-ref">↩</a></p></li> <li id="fn:117"><p>Bouillaguet, Charles (19 July 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: Biscuit". <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/sw8NueiNek0" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/sw8NueiNek0</a> <a href="#fnref:117" class="footnote-back-ref">↩</a></p></li> <li id="fn:118"><p>Niederhagen, Ruben (19 July 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: MEDS". <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/CtCe8WXUoXI/m/jgWQ0ia7BQAJ" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/CtCe8WXUoXI/m/jgWQ0ia7BQAJ</a> <a href="#fnref:118" class="footnote-back-ref">↩</a></p></li> <li id="fn:119"><p>van Woerden, Wessel (20 July 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: FuLeeca". <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/KvIege2EbuM" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/KvIege2EbuM</a> <a href="#fnref:119" class="footnote-back-ref">↩</a></p></li> <li id="fn:120"><p>Persichetti, Edoardo (21 July 2023). "OFFICIAL COMMENT: LESS". <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Z36SPZJI8Ok" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Z36SPZJI8Ok</a> <a href="#fnref:120" class="footnote-back-ref">↩</a></p></li> <li id="fn:121"><p>Saarinen, Markku-Juhani O. "Round 1 (Additional Signatures) OFFICIAL COMMENT: DME-Sign". <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/E0mMMGI5eWE" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/E0mMMGI5eWE</a> <a href="#fnref:121" class="footnote-back-ref">↩</a></p></li> <li id="fn:122"><p>"OFFICIAL COMMENT: DME Key Recovery Attack". groups.google.com. Retrieved 10 September 2023. <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/aoXpl4TlNh4" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/aoXpl4TlNh4</a> <a href="#fnref:122" class="footnote-back-ref">↩</a></p></li> <li id="fn:123"><p>van Woerden, Wessel (25 July 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: EHTv3". <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/mFl_5Rq6-RU" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/mFl_5Rq6-RU</a> <a href="#fnref:123" class="footnote-back-ref">↩</a></p></li> <li id="fn:124"><p>Suhl, Adam (29 July 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: EHT". <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/bkJKBFq3TDY" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/bkJKBFq3TDY</a> <a href="#fnref:124" class="footnote-back-ref">↩</a></p></li> <li id="fn:125"><p>VASSEUR, Valentin (29 July 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: Enhanced pqsigRM". <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/yQ1CKOLbGng" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/yQ1CKOLbGng</a> <a href="#fnref:125" class="footnote-back-ref">↩</a></p></li> <li id="fn:126"><p>"Round 1 (Additional Signatures) OFFICIAL COMMENT: Enhanced pqsigRM". groups.google.com. Retrieved 30 September 2023. <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/4_nUCDvDqqs" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/4_nUCDvDqqs</a> <a href="#fnref:126" class="footnote-back-ref">↩</a></p></li> <li id="fn:127"><p>Saarinen, Markku-Juhani O. (27 July 2023). "Buffer overflows in HAETAE / On crypto vs implementation errors". <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/ImcSqGLFdoo" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/ImcSqGLFdoo</a> <a href="#fnref:127" class="footnote-back-ref">↩</a></p></li> <li id="fn:128"><p>Saarinen, Markku-Juhani O. (29 July 2023). "HuFu: Big-flipping forgeries and buffer overflows". <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Hq-wRFDbIaU" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Hq-wRFDbIaU</a> <a href="#fnref:128" class="footnote-back-ref">↩</a></p></li> <li id="fn:129"><p>Carrier, Kevin (3 August 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: SDitH". <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/d_BcUfFGl5o" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/d_BcUfFGl5o</a> <a href="#fnref:129" class="footnote-back-ref">↩</a></p></li> <li id="fn:130"><p>Carrier, Kevin; Hatey, Valérian; Tillich, Jean-Pierre (5 December 2023). "Projective Space Stern Decoding and Application to SDitH". arXiv:2312.02607 [cs.IT]. <a href="/wiki/ArXiv_(identifier)" target="_blank">/wiki/ArXiv_(identifier)</a> <a href="#fnref:130" class="footnote-back-ref">↩</a></p></li> <li id="fn:131"><p>Furue, Hiroki (28 August 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: VOX". <a href="https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/icHfTrzkfw4" target="_blank">https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/icHfTrzkfw4</a> <a href="#fnref:131" class="footnote-back-ref">↩</a></p></li> <li id="fn:132"><p>Liu, Fukang; Mahzoun, Mohammad; Øygarden, Morten; Meier, Willi (10 November 2023). "Algebraic Attacks on RAIN and AIM Using Equivalent Representations". IACR ePrint (2023/1133). <a href="https://eprint.iacr.org/2023/1133" target="_blank">https://eprint.iacr.org/2023/1133</a> <a href="#fnref:132" class="footnote-back-ref">↩</a></p></li> <li id="fn:133"><p>Ikematsu, Yasuhiko; Akiyama, Rika (2024), Revisiting the security analysis of SNOVA, retrieved 28 January 2024 <a href="https://eprint.iacr.org/2024/096" target="_blank">https://eprint.iacr.org/2024/096</a> <a href="#fnref:133" class="footnote-back-ref">↩</a></p></li> <li id="fn:134"><p>Ferreira, River Moreira; Perret, Ludovic (2024), Polynomial-Time Key-Recovery Attack on the ${\tt NIST}$ Specification of ${\tt PROV}$, retrieved 4 April 2024 <a href="https://eprint.iacr.org/2024/279" target="_blank">https://eprint.iacr.org/2024/279</a> <a href="#fnref:134" class="footnote-back-ref">↩</a></p></li> <li id="fn:135"><p>Moody, Dustin (24 October 2024). "Status Report on the First Round of the Additional Digital Signature Schemes for the NIST Post-Quantum Cryptography Standardization Process". <a href="https://csrc.nist.gov/pubs/ir/8528/final" target="_blank">https://csrc.nist.gov/pubs/ir/8528/final</a> <a href="#fnref:135" class="footnote-back-ref">↩</a></p></li> <li id="fn:136"><p>"CROSS crypto". <a href="https://cross-crypto.com/" target="_blank">https://cross-crypto.com/</a> <a href="#fnref:136" class="footnote-back-ref">↩</a></p></li> <li id="fn:137"><p>"LESS project". <a href="https://www.less-project.com/" target="_blank">https://www.less-project.com/</a> <a href="#fnref:137" class="footnote-back-ref">↩</a></p></li> <li id="fn:138"><p>"Mirath". <a href="https://pqc-mirath.org/" target="_blank">https://pqc-mirath.org/</a> <a href="#fnref:138" class="footnote-back-ref">↩</a></p></li> <li id="fn:139"><p>"MQOM". <a href="https://www.mqom.org/" target="_blank">https://www.mqom.org/</a> <a href="#fnref:139" class="footnote-back-ref">↩</a></p></li> <li id="fn:140"><p>"PERK". <a href="https://pqc-perk.org/" target="_blank">https://pqc-perk.org/</a> <a href="#fnref:140" class="footnote-back-ref">↩</a></p></li> <li id="fn:141"><p>"RYDE". <a href="https://pqc-ryde.org/" target="_blank">https://pqc-ryde.org/</a> <a href="#fnref:141" class="footnote-back-ref">↩</a></p></li> <li id="fn:142"><p>"SD-in-the-Head". <a href="https://sdith.org/" target="_blank">https://sdith.org/</a> <a href="#fnref:142" class="footnote-back-ref">↩</a></p></li> <li id="fn:143"><p>"MAYO". <a href="https://pqmayo.org/" target="_blank">https://pqmayo.org/</a> <a href="#fnref:143" class="footnote-back-ref">↩</a></p></li> <li id="fn:144"><p>"QR-UOV". <a href="https://info.isl.ntt.co.jp/crypt/qruov/" target="_blank">https://info.isl.ntt.co.jp/crypt/qruov/</a> <a href="#fnref:144" class="footnote-back-ref">↩</a></p></li> <li id="fn:145"><p>"SNOVA". snova.pqclab.org. Retrieved 23 September 2023. <a href="https://snova.pqclab.org/" target="_blank">https://snova.pqclab.org/</a> <a href="#fnref:145" class="footnote-back-ref">↩</a></p></li> <li id="fn:146"><p>"UOV". <a href="https://www.uovsig.org/" target="_blank">https://www.uovsig.org/</a> <a href="#fnref:146" class="footnote-back-ref">↩</a></p></li> <li id="fn:147"><p>"SQIsign". <a href="https://sqisign.org/" target="_blank">https://sqisign.org/</a> <a href="#fnref:147" class="footnote-back-ref">↩</a></p></li> <li id="fn:148"><p>"Come and join the FAEST | FAEST Signature Algorithm". <a href="https://faest.info/" target="_blank">https://faest.info/</a> <a href="#fnref:148" class="footnote-back-ref">↩</a></p></li> </ol>