NIST Post-Quantum Cryptography Standardization

Post-Quantum Cryptography Standardization [1] is a program and competition run by NIST to update its standards to include post-quantum cryptography. [2] It was announced at PQCrypto 2016. [3] 23 signature schemes and 59 encryption/KEM schemes were submitted by the initial submission deadline at the end of 2017, [4] of which 69 in total were deemed complete and proper and participated in the first round. Seven of these, three of them signature schemes, advanced to the third round, which was announced on July 22, 2020.

Background

Academic research on the potential impact of quantum computing on cryptography dates back to at least 2001. [5] A report published by NIST in April 2016 cites experts who acknowledge that quantum technology could render the commonly used RSA algorithm insecure by 2030. [6] As a result, NIST pursued the standardization of quantum-secure cryptographic primitives. Since most symmetric primitives are relatively easy to modify in a way that makes them quantum resistant, efforts have focused on public-key cryptography, namely digital signatures and key encapsulation mechanisms. In December 2016 NIST initiated a standardization process by announcing a call for proposals. [7]

The competition is now in its third round out of an expected four; in each round some algorithms are discarded and others are studied more closely. NIST hopes to publish the standardization documents by 2024, but may speed up the process if major breakthroughs in quantum computing are made.

It is currently undecided whether the future standards will be published as FIPS or as NIST Special Publication (SP).

Round one

Under consideration were: [8]
(strikethrough means it had been withdrawn)

Type | PKE/KEM | Signature | Signature & PKE/KEM
Lattice
  • Compact LWE
  • CRYSTALS-Kyber
  • Ding Key Exchange
  • EMBLEM and R.EMBLEM
  • FrodoKEM
  • HILA5 (withdrawn and merged into Round5)
  • KCL (pka OKCN/AKCN/CNKE)
  • KINDI
  • LAC
  • LIMA
  • Lizard
  • LOTUS
  • NewHope
  • NTRUEncrypt [9]
  • NTRU-HRSS-KEM
  • NTRU Prime
  • Odd Manhattan
  • Round2 (withdrawn and merged into Round5)
  • Round5 (merger of Round2 and Hila5, announced 4 August 2018) [10]
  • SABER
  • Three Bears
  • Titanium
Code-based
  • BIG QUAKE
  • BIKE
  • Classic McEliece + NTS-KEM
  • DAGS
  • Edon-K
  • HQC
  • LAKE (withdrawn and merged into ROLLO)
  • LEDAkem
  • LEDApkc
  • Lepton
  • LOCKER (withdrawn and merged into ROLLO)
  • McNie
  • NTS-KEM
  • ROLLO (merger of Ouroboros-R, LAKE and LOCKER) [13]
  • Ouroboros-R (withdrawn and merged into ROLLO)
  • QC-MDPC KEM
  • Ramstake
  • RLCE-KEM
  • RQC
  • pqsigRM
  • RaCoSS
  • RankSign
Hash-based
  • Gravity-SPHINCS
  • SPHINCS+
Multivariate
  • CFPKM
  • Giophantus
  • DualModeMS
  • GeMSS
  • Gui
  • HiMQ-3
  • LUOV
  • MQDSS
  • Rainbow
  • SRTPI
  • DME
Braid group
  • WalnutDSA
Supersingular elliptic curve isogeny
Satirical submission
Other
  • Guess Again
  • HK17
  • Mersenne-756839
  • RVB
  • Picnic

Round one submissions published attacks

Round two

Candidates moving on to the second round were announced on January 30, 2019. They are: [32]

Type | PKE/KEM | Signature
Lattice
  • CRYSTALS-Kyber [33]
  • FrodoKEM [34]
  • LAC
  • NewHope [35]
  • NTRU (merger of NTRUEncrypt and NTRU-HRSS-KEM) [9]
  • NTRU Prime [36]
  • Round5 (merger of Round2 and Hila5, announced 4 August 2018) [10]
  • SABER [37]
  • Three Bears [38]
Code-based
Hash-based
Multivariate
Supersingular elliptic curve isogeny
Zero-knowledge proofs

Round three

On July 22, 2020, NIST announced seven finalists ("first track"), as well as eight alternate algorithms ("second track"). The first track contains the algorithms which appear to have the most promise, and they will be considered for standardization at the end of the third round. Algorithms in the second track could still become part of the standard after the third round ends. [52] NIST expects some of the alternate candidates to be considered in a fourth round. NIST also suggests it may re-open the signature category for new scheme proposals in the future. [53]

On June 7–9, 2021, NIST conducted the third PQC standardization conference, virtually. [54] The conference included candidate updates and discussions on implementations, performance, and security issues of the candidates. A small amount of attention was given to intellectual property concerns.

Finalists

Type | PKE/KEM | Signature
Lattice
Code-based
Multivariate

Alternate candidates

Type | PKE/KEM | Signature
Lattice
  • FrodoKEM
  • NTRU Prime
Code-based
Hash-based
  • SPHINCS+
Multivariate
  • GeMSS
Supersingular elliptic curve isogeny
Zero-knowledge proofs
  • Picnic

Intellectual property concerns

After NIST's announcement regarding the finalists and the alternate candidates, various intellectual property concerns were voiced, notably surrounding lattice-based schemes such as Kyber and NewHope. NIST holds signed statements from submitting groups clearing any legal claims, but there is still a concern that third parties could raise claims. NIST claims that they will take such considerations into account while picking the winning algorithms. [55]

Round three submissions published attacks

Adaptations

During this round, some candidates have been shown to be vulnerable to certain attack vectors, forcing them to adapt accordingly:

CRYSTALS-Kyber and SABER
may change the nested hashes used in their proposals in order for their security claims to hold. [57]
FALCON
side channel attack by . A masking may be added in order to resist the attack. This adaptation affects performance and should be considered while standardizing. [58]

Selected Algorithms 2022

On July 5, 2022, NIST announced the first group of winners from its six-year competition. [59] [60]

Type | PKE/KEM | Signature
Lattice
Hash-based

Round four

On July 5, 2022, NIST announced four candidates for PQC Standardization Round 4. [61]

Type | PKE/KEM
Code-based
Supersingular elliptic curve isogeny

Round four submissions published attacks

Additional Digital Signature Schemes Round One

NIST received 50 submissions and deemed 40 to be complete and proper according to the submission requirements. [64] Under consideration are: [65]
(strikethrough means it has been withdrawn)

Type | Signature
Lattice
Code-based
MPC-in-the-Head
Multivariate
  • 3WISE ("the submitter agrees that the scheme is insecure, but prefers to not withdraw in the hope that studying the scheme will advance cryptanalysis" [82] )
  • Biscuit [83]
  • DME-Sign ("Our first impression is that the attack works and we are checking the details of the attack. We are implementing a variant of the DME that may resist the attack but we have to verify it." [84] )
  • HPPC
  • MAYO [85]
  • PROV [86]
  • QR-UOV [87]
  • SNOVA [88]
  • TUOV [89]
  • UOV [90]
  • VOX [91]
Supersingular elliptic curve isogeny
Symmetric-based
  • AIMer [93]
  • Ascon-Sign
  • FAEST [94]
  • SPHINCS-alpha
Other
  • ALTEQ [95]
  • eMLE-Sig 2.0
  • KAZ-SIGN
  • Preon
  • Xifrat1-Sign.I

Additional signature round one submissions published attacks


References

  1. "Post-Quantum Cryptography PQC". 3 January 2017.
  2. "Post-Quantum Cryptography Standardization – Post-Quantum Cryptography". Csrc.nist.gov. 3 January 2017. Retrieved 31 January 2019.
  3. Moody, Dustin (24 November 2020). "The Future Is Now: Spreading the Word About Post-Quantum Cryptography". NIST.
  4. "Final Submission received". Archived from the original on 29 December 2017. Retrieved 29 December 2017.
  5. Hong, Zhu (2001). "Survey of Computational Assumptions Used in Cryptography Broken or Not by Shor's Algorithm" (PDF).
  6. "NIST Released NISTIR 8105, Report on Post-Quantum Cryptography". 21 December 2016. Retrieved 5 November 2019.
  7. "NIST Asks Public to Help Future-Proof Electronic Information". NIST. 20 December 2016. Retrieved 5 November 2019.
  8. Computer Security Division, Information Technology Laboratory (3 January 2017). "Round 1 Submissions – Post-Quantum Cryptography – CSRC". Csrc.nist.gov. Retrieved 31 January 2019.
  9. "NIST Post Quantum Crypto Submission". Archived from the original on 29 December 2017. Retrieved 29 December 2017.
  10. "Google Groups". Groups.google.com. Retrieved 31 January 2019.
  11. qTESLA team. "Efficient and post-quantum secure lattice-based signature scheme". qTESLA.org. Archived from the original on 9 December 2023. Retrieved 4 March 2024.
  12. "qTESLA". Microsoft Research. Archived from the original on 31 December 2022. Retrieved 4 March 2024.
  13. "ROLLO". Pqc-rollo.org. Retrieved 31 January 2019.
  14. RSA using 2^31 4096-bit primes for a total key size of 1 TiB. "Key almost fits on a hard drive." Bernstein, Daniel (28 May 2010). "McBits and Post-Quantum RSA" (PDF). Retrieved 10 December 2019.
  15. Bernstein, Daniel; Heninger, Nadia (19 April 2017). "Post-quantum RSA" (PDF). Retrieved 10 December 2019.
  16. "Dear all, the following Python script quickly recovers the message from a given "Guess Again" ciphertext without knowledge of the private key" (PDF). Csrc.nist.gov. Retrieved 30 January 2019.
  17. Panny, Lorenz (25 December 2017). "Fast key recovery attack against the "RVB" submission to #NISTPQC: t .... Computes private from public key". Twitter. Retrieved 31 January 2019.
  18. "Comments on RaCoSS". Archived from the original on 26 December 2017. Retrieved 4 January 2018.
  19. "Comments on HK17". Archived from the original on 5 January 2018. Retrieved 4 January 2018.
  20. "Dear all, We have broken SRTPI under CPA and TPSig under KMA" (PDF). Csrc.nist.gov. Retrieved 30 January 2019.
  21. Beullens, Ward; Blackburn, Simon R. (2018). "Practical attacks against the Walnut digital signature scheme". Cryptology ePrint Archive.
  22. Kotov, Matvei; Menshov, Anton; Ushakov, Alexander (2018). "An attack on the walnut digital signature algorithm". Cryptology ePrint Archive.
  23. Yu, Yang; Ducas, Léo (2018). "Learning strikes again: the case of the DRS signature scheme". Cryptology ePrint Archive.
  24. Barelli, Elise; Couvreur, Alain (2018). "An efficient structural attack on NIST submission DAGS". arXiv: 1805.05429 [cs.CR].
  25. Lequesne, Matthieu; Tillich, Jean-Pierre (2018). "Attack on the Edon-K Key Encapsulation Mechanism". arXiv: 1802.06157 [cs.CR].
  26. Couvreur, Alain; Lequesne, Matthieu; Tillich, Jean-Pierre (2018). "Recovering short secret keys of RLCE in polynomial time". arXiv: 1805.11489 [cs.CR].
  27. Bernstein, Daniel J.; Groot Bruinderink, Leon; Lange, Tanja; Lange, Lorenz (2017). "Hila5 Pindakaas: On the CCA security of lattice-based encryption with error correction". Cryptology ePrint Archive.
  28. "Official Comments" (PDF). Csrc.nist.gov. 13 September 2018.
  29. Debris-Alazard, Thomas; Tillich, Jean-Pierre (2018). "Two attacks on rank metric code-based schemes: RankSign and an Identity-Based-Encryption scheme". arXiv: 1804.02556 [cs.CR].
  30. "I am afraid the parameters in this proposal have at most 4 to 6-bits security under the Information Set Decoding (ISD) attack" (PDF). Csrc.nist.gov. Retrieved 30 January 2019.
  31. Lau, Terry Shue Chien; Tan, Chik How (31 January 2019). "Key Recovery Attack on McNie Based on Low Rank Parity Check Codes and Its Reparation". In Inomata, Atsuo; Yasuda, Kan (eds.). Advances in Information and Computer Security. Lecture Notes in Computer Science. Vol. 11049. Springer International Publishing. pp. 19–34. doi:10.1007/978-3-319-97916-8_2. ISBN 978-3-319-97915-1.
  32. Computer Security Division, Information Technology Laboratory (3 January 2017). "Round 2 Submissions – Post-Quantum Cryptography – CSRC". Csrc.nist.gov. Retrieved 31 January 2019.
  33. Schwabe, Peter. "CRYSTALS". Pq-crystals.org. Retrieved 31 January 2019.
  34. "FrodoKEM". Frodokem.org. Retrieved 31 January 2019.
  35. Schwabe, Peter. "NewHope". Newhopecrypto.org. Retrieved 31 January 2019.
  36. "NTRU Prime: Intro". Archived from the original on 1 September 2019. Retrieved 30 January 2019.
  37. "SABER". Retrieved 17 June 2019.
  38. "ThreeBears". SourceForge.net. Retrieved 31 January 2019.
  39. "Falcon". Falcon. Retrieved 26 June 2019.
  40. "BIKE – Bit Flipping Key Encapsulation". Bikesuite.org. Retrieved 31 January 2019.
  41. "HQC". Pqc-hqc.org. Retrieved 31 January 2019.
  42. "LEDAkem Key Encapsulation Module". Ledacrypt.org. Retrieved 31 January 2019.
  43. "LEDApkc Public Key Cryptosystem". Ledacrypt.org. Retrieved 31 January 2019.
  44. "NTS-Kem". Archived from the original on 29 December 2017. Retrieved 29 December 2017.
  45. "RQC". Pqc-rqc.org. Retrieved 31 January 2019.
  46. "Sphincs". Sphincs.org. Retrieved 19 June 2023.
  47. "GeMSS". Archived from the original on 31 January 2019. Retrieved 30 January 2019.
  48. "LUOV – An MQ signature scheme". Retrieved 22 January 2020.
  49. "MQDSS post-quantum signature". Mqdss.org. Retrieved 31 January 2019.
  50. "SIKE – Supersingular Isogeny Key Encapsulation". Sike.org. Retrieved 31 January 2019.
  51. "Picnic. A Family of Post-Quantum Secure Digital Signature Algorithms". microsoft.github.io. Retrieved 26 February 2019.
  52. Moody, Dustin; Alagic, Gorjan; Apon, Daniel C.; Cooper, David A.; Dang, Quynh H.; Kelsey, John M.; Liu, Yi-Kai; Miller, Carl A.; Peralta, Rene C.; Perlner, Ray A.; Robinson, Angela Y.; Smith-Tone, Daniel C.; Alperin-Sheriff, Jacob (2020). "Status Report on the Second Round of the NIST Post-Quantum Cryptography Standardization Process". doi:10.6028/NIST.IR.8309. S2CID 243755462. Retrieved 23 July 2020.
  53. Third PQC Standardization Conference - Session I Welcome/Candidate Updates, 10 June 2021, retrieved 6 July 2021
  54. Computer Security Division, Information Technology Laboratory (10 February 2021). "Third PQC Standardization Conference | CSRC". CSRC | NIST. Retrieved 6 July 2021.
  55. "Submission Requirements and Evaluation Criteria" (PDF).
  56. Beullens, Ward (2022). "Breaking Rainbow Takes a Weekend on a Laptop" (PDF). Eprint.iacr.org.
  57. Grubbs, Paul; Maram, Varun; Paterson, Kenneth G. (2021). "Anonymous, Robust Post-Quantum Public Key Encryption". Cryptology ePrint Archive.
  58. Karabulut, Emre; Aysu, Aydin (2021). "Falcon Down: Breaking Falcon Post-Quantum Signature Scheme through Side-Channel Attacks". Cryptology ePrint Archive.
  59. "NIST Announces First Four Quantum-Resistant Cryptographic Algorithms". NIST. 5 July 2022. Retrieved 9 July 2022.
  60. "Selected Algorithms 2022". CSRC | NIST. 5 July 2022. Retrieved 9 July 2022.
  61. "Round 4 Submissions". CSRC | NIST. 5 July 2022. Retrieved 9 July 2022.
  62. "SIKE Team - Foreword and postscript" (PDF).
  63. Goodin, Dan (2 August 2022). "Post-quantum encryption contender is taken out by single-core PC and 1 hour". Ars Technica. Retrieved 6 August 2022.
  64. Moody, Dustin (17 July 2023). "Onramp submissions are posted!".
  65. "Digital Signature Schemes". csrc.nist.gov. 29 August 2022. Retrieved 17 July 2023.
  66. "SMAUG & HAETAE - HAETAE".
  67. "Hufu".
  68. "RACCOON – Not just a signature, a whole family of it !".
  69. "masksign/raccoon: Raccoon Signature Scheme – Reference Code". GitHub.
  70. "Squirrels - Introduction".
  71. "CROSS crypto".
  72. "FuLeeca: A Lee-based Signature Scheme - Lehrstuhl für Nachrichtentechnik".
  73. "LESS project".
  74. "MEDS".
  75. "WAVE".
  76. "MIRA".
  77. "MiRitH".
  78. "MQOM".
  79. "PERK".
  80. "RYDE".
  81. "SD-in-the-Head".
  82. Smith-Tone, Daniel (17 July 2023). "OFFICIAL COMMENT: 3WISE".
  83. "Home".
  84. "OFFICIAL COMMENT: DME Key Recovery Attack". groups.google.com. Retrieved 10 September 2023.
  85. "MAYO".
  86. "PROV".
  87. "QR-UOV".
  88. "SNOVA". snova.pqclab.org. Retrieved 23 September 2023.
  89. "TUOV".
  90. "UOV".
  91. "VOX".
  92. "SQIsign".
  93. "AIMer Signature".
  94. "Come and join the FAEST | FAEST Signature Algorithm".
  95. "ALTEQ".
  96. Tibouchi, Mehdi (17 July 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: EagleSign".
  97. Bernstein, D.J. (17 July 2023). "OFFICIAL COMMENT: KAZ-SIGN".
  98. Fluhrer, Scott (17 July 2023). "KAZ-SIGN".
  99. Panny, Lorenz (17 July 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: Xifrat1-Sign.I".
  100. Tibouchi, Mehdi (18 July 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: EagleSign".
  101. Beullens, Ward (18 July 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: HPPC".
  102. Perlner, Ray (21 July 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: HPPC".
  103. Saarinen, Markku-Juhani O. (18 July 2023). "OFFICIAL COMMENT: ALTEQ".
  104. Bouillaguet, Charles (19 July 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: Biscuit".
  105. Niederhagen, Ruben (19 July 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: MEDS".
  106. van Woerden, Wessel (20 July 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: FuLeeca".
  107. Persichetti, Edoardo (21 July 2023). "OFFICIAL COMMENT: LESS".
  108. Saarinen, Markku-Juhani O. "Round 1 (Additional Signatures) OFFICIAL COMMENT: DME-Sign".
  109. "OFFICIAL COMMENT: DME Key Recovery Attack". groups.google.com. Retrieved 10 September 2023.
  110. van Woerden, Wessel (25 July 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: EHTv3".
  111. Suhl, Adam (29 July 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: EHT".
  112. VASSEUR, Valentin (29 July 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: Enhanced pqsigRM".
  113. "Round 1 (Additional Signatures) OFFICIAL COMMENT: Enhanced pqsigRM". groups.google.com. Retrieved 30 September 2023.
  114. Saarinen, Markku-Juhani O. (27 July 2023). "Buffer overflows in HAETAE / On crypto vs implementation errors".
  115. Saarinen, Markku-Juhani O. (29 July 2023). "HuFu: Big-flipping forgeries and buffer overflows".
  116. Carrier, Kevin (3 August 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: SDitH".
  117. Carrier, Kevin; Hatey, Valérian; Tillich, Jean-Pierre (5 December 2023). "Projective Space Stern Decoding and Application to SDitH". arXiv: 2312.02607 [cs.IT].
  118. Furue, Hiroki (28 August 2023). "Round 1 (Additional Signatures) OFFICIAL COMMENT: VOX".
  119. Liu, Fukang; Mahzoun, Mohammad; Øygarden, Morten; Meier, Willi (10 November 2023). "Algebraic Attacks on RAIN and AIM Using Equivalent Representations". IACR ePrint (2023/1133).
  120. Ikematsu, Yasuhiko; Akiyama, Rika (2024). "Revisiting the security analysis of SNOVA". Retrieved 28 January 2024.
  121. Ferreira, River Moreira; Perret, Ludovic (2024). "Polynomial-Time Key-Recovery Attack on the NIST Specification of PROV". Retrieved 4 April 2024.