The National Institute of Standards and Technology (NIST) has announced the final choices for Round 3 of their post-quantum competition. Like all good thrillers, the Round 3 chapter has ended with a bit of a twist.
As a refresher, in December 2016, NIST announced a competition to select new quantum-resistant public key encryption algorithms that will eventually replace the standard public key cryptography algorithms (think RSA), which are becoming increasingly vulnerable to advances in technology. If you’re interested in learning more about this, my colleague Ted Shorter recently covered the history of the competition and why it is important in his Forbes column.
The algorithms on the standardization list are CRYSTALS-KYBER, CRYSTALS-Dilithium, Falcon, and SPHINCS+. The first is an encryption algorithm, or more precisely a Key-Encapsulation Mechanism (KEM), and the last three are signature algorithms. This is a bit of a surprise, as the original stated intention was to select two algorithms in each category and only one lattice-based algorithm in each class. Instead, we have one KEM and three signatures, and two of the three signature algorithms are lattice-based!
A Round 4 has also been announced, with the following algorithms selected: BIKE, Classic McEliece, HQC, and SIKE. These are all KEMs as well. This is not to say the search for signature algorithms is over: a new call for signature algorithms will be issued later this year, and we may see some of the previous Round 3 candidates or alternate candidates revived for submission there.
Where does this leave us now? If you want to restrict yourself to the Round 3 finalists, the simplest answer is to look at the CRYSTALS framework. If bandwidth usage and verification speed are important to you, you may want to look at Falcon as well. On the other hand, if you are looking for a conservative signature scheme that relies on a (relatively) simple primitive, SPHINCS+, while a bit slower and a bit bigger, is a good option as well.
If KEMs are your thing, keep Round 4 in mind. While CRYSTALS-KYBER has established itself as the first choice, the characteristics of some of the Round 4 algorithms are quite different from those of CRYSTALS-KYBER. Hence, there is still room for trade-offs between bandwidth needs and the speed of the different operations.
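To make the "simple primitive" and "a bit bigger" remarks about SPHINCS+ concrete, here is an added teaching example (not code from the original post and not Bouncy Castle's implementation): a Lamport one-time signature built from nothing but SHA-256 and a random number generator. SPHINCS+ is a far more elaborate hash-based construction (it combines Winternitz one-time signatures, a few-time scheme and hash trees so that one key can sign many messages statelessly), but it rests on the same idea that a signature is the selective disclosure of hashed secrets. The block reports the key and signature sizes, and the `secrets_revealed` helper shows why a bare one-time key must never sign twice, which is the problem the many-time machinery in SPHINCS+ exists to solve. All sizes and the sample messages are constructed for this example.

```python
"""Lamport one-time signature over SHA-256 (constructed teaching example)."""
import hashlib
import hmac
import secrets

N = 32          # bytes per SHA-256 digest, also the size of each secret value
BITS = 8 * N    # message-digest bits; one pair of secrets per bit


def _hash(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bit(digest: bytes, i: int) -> int:
    """Return bit i of the digest, most significant bit first."""
    return (digest[i // 8] >> (7 - (i % 8))) & 1


def keygen():
    """Secret key: 256 pairs of random 32-byte values.
    Public key: the SHA-256 hash of every secret value."""
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(BITS)]
    pk = [(_hash(a), _hash(b)) for a, b in sk]
    return sk, pk


def sign(sk, message: bytes) -> list:
    """For each digest bit, disclose the secret of the matching pair member."""
    digest = _hash(message)
    return [sk[i][_bit(digest, i)] for i in range(BITS)]


def verify(pk, message: bytes, sig) -> bool:
    """Hash each disclosed secret and compare it with the published value
    selected by the corresponding digest bit."""
    if len(sig) != BITS:
        return False
    digest = _hash(message)
    ok = True
    for i in range(BITS):
        # constant-time comparison, accumulated so every element is checked
        ok &= hmac.compare_digest(_hash(sig[i]), pk[i][_bit(digest, i)])
    return ok


def sizes() -> dict:
    """Bandwidth cost of this scheme: 16 KiB public key, 8 KiB signature."""
    return {"public_key_bytes": 2 * BITS * N, "signature_bytes": BITS * N}


def secrets_revealed(messages) -> int:
    """Distinct secret values exposed by signing these messages with ONE key.
    A single message reveals 256 of the 512 secrets; any second, different
    message reveals more, letting an observer forge signatures on messages
    whose digest bits are covered by the leaked secrets."""
    exposed = set()
    for m in messages:
        d = _hash(m)
        exposed.update((i, _bit(d, i)) for i in range(BITS))
    return len(exposed)


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed sample message"
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig))
    print("sizes:", sizes())
    print("secrets revealed after one signature:", secrets_revealed([msg]))
    print("after a second message:",
          secrets_revealed([msg, b"second constructed message"]))
```

Compare the 8 KiB signature here with a few dozen bytes for a classical scheme: the size overhead of hash-based signatures is structural, and the SPHINCS+ parameter sets trade size against signing speed within that constraint.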
If you are interested in further reading, the status report for Round 3 is available here. The document, especially Section 4, is well worth a read. Possibly the most important point is that, of the Round 3 candidates, it appears only Rainbow and GeMSS, as presented in Round 3, were ultimately rejected for security reasons. FrodoKEM, for example, was even rated laudable for its conservative design; it was set aside for its performance, not its security. It is likely we will hear more about some of the other Round 3 candidates in the future.
Finally, from the Bouncy Castle perspective, we now have the latest version of SPHINCS+ available, as well as the Round 4 candidates SIKE and Classic McEliece. We hope to be publishing the others soon. You can find these on Bouncy Castle’s GitHub repository here, with implementations in both Java and C#. Bouncy Castle has also allocated some unofficial identifiers to make certificate generation possible, and SPHINCS+ is now also in the latest release of SignServer Community, with others to follow.
Keep in mind that even the agreed finalists may change slightly before NIST publishes the final standards. So, these are not implementations you want to rush into production, particularly if anything long-term is involved, but if you want to find out how crypto-agile your systems really are, the new algorithms are well worth trying, and the tools to make that possible are now available.