NIST’s Post-Quantum Cryptography
Standardization Project: Round 3.5
Daniel Apon
[email protected]
Crypto Technology Group
Computer Security Division
Information Technology Lab
The Quantum Threat
• NIST public-key crypto standards are vulnerable to attacks from a (large-scale) quantum computer:
 • SP 800-56A: Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography
 • SP 800-56B: Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography
 • FIPS 186: The Digital Signature Standard
• Shor’s algorithm would break RSA, ECDSA, (EC)DH, DSA
• Symmetric-key crypto standards would also be affected, but less dramatically
Post-Quantum Cryptography
• Post-Quantum Cryptography (PQC)
• Cryptosystems which run on classical computers, and are believed to be
resistant to attacks from both classical and quantum computers
• How soon do we need to worry?
• Theorem (Mosca): If x + y > z, then worry
 • x – time of maintaining data security
 • y – time for PQC standardization and adoption
 • z – time for quantum computer to be developed
[Figure: timeline with x and y laid end to end against z; where x + y runs past z, secret keys are revealed. Caption: “What do we do here??”]
When will a Quantum Computer be Built?
Source: M. Mosca, M. Piani, Quantum Threat Timeline Report, Oct 2019
available at: https://globalriskinstitute.org/publications/quantum-threat-timeline/
NIST PQC Milestones and Timelines
2016
Determined criteria and requirements, published NISTIR 8105
Announced call for proposals
2017
Received 82 submissions
Announced 69 1st round candidates
2018
Held the 1st NIST PQC standardization Conference
2019
Announced 26 2nd round candidates, NISTIR 8240
Held the 2nd NIST PQC Standardization Conference
2020
Announced 3rd round 7 finalists and 8 alternate candidates. NISTIR 8309
2021 (June 7-9!)
Hold the 3rd NIST PQC Standardization Conference
2022-2023
Release draft standards and call for public comments
Evaluation Criteria
Security – against both classical and quantum attacks
Level Security Description
I At least as hard to break as AES128 (exhaustive key search)
II At least as hard to break as SHA256 (collision search)
III At least as hard to break as AES192 (exhaustive key search)
IV At least as hard to break as SHA384 (collision search)
V At least as hard to break as AES256 (exhaustive key search)
NIST asked submitters to focus on levels 1, 2, and 3. (Levels 4 and 5 are for very high security)
Performance – measured on various classical platforms
Other properties: Drop-in replacements, Perfect forward secrecy, Resistance to side-channel attacks, Simplicity and flexibility, Misuse resistance, etc.
The 1st Round
• A lot of schemes quickly attacked!
• Many similar schemes (esp. lattice KEMs)
• 1st NIST PQC Standardization workshop
• Over 300 “official comments” and 900 posts on the pqc-forum
• Research and performance numbers
• After a year: 26 schemes move on

1st round candidates by family:
                                    Signatures   KEM/Encryption   Overall
Lattice-based                            5             21            26
Code-based                               2             17            19
Multi-variate                            7              2             9
Stateless Hash or Symmetric based        3              –             3
Other                                    2              5             7
Total                                   19             45            64
The 2nd Round
• 4 merged submissions
• Maintained diversity of algorithms
• Cryptanalysis continued
 • 7 of the 26 round 2 schemes were broken
• 2nd NIST PQC Standardization workshop
• More benchmarking and real world experiments
• After 18 months: 15 submissions move on

2nd round candidates by family:
                                    Signatures   KEM/Encryption   Overall
Lattice-based                            3              9            12
Code-based                               –              7             7
Multi-variate                            4              –             4
Stateless Hash or Symmetric based        2              –             2
Isogeny                                  –              1             1
Total                                   10             16            26
The 1st Round Candidates
BIG QUAKE, BIKE, CFPKM, Classic McEliece, Compact LWE, CRYSTALS-DILITHIUM, CRYSTALS-KYBER, DAGS, Ding Key Exchange, DME, DRS, DualModeMS, Edon-K, EMBLEM/R.EMBLEM, FALCON,
FrodoKEM, GeMSS, Giophantus, Gravity-SPHINCS, Guess Again, Gui, HILA5, HiMQ-3, HK-17, HQC, KCL, KINDI, LAC, LAKE, LEDAkem,
LEDApkc, Lepton, LIMA, Lizard, LOCKER, LOTUS, LUOV, McNie, Mersenne-756839, MQDSS, NewHope, NTRUEncrypt, NTRU-HRSS-KEM, NTRU Prime, NTS-KEM,
Odd Manhattan, Ouroboros-R, Picnic, Post-quantum RSA Encryption, Post-quantum RSA Signature, pqNTRUSign, pqsigRM, QC-MDPC-KEM, qTESLA, RaCoSS, Rainbow, Ramstake, RankSign,
RLCE-KEM, Round2, RQC, RVB, SABER, SIKE, SPHINCS+, SRTPI, Three Bears, Titanium, WalnutDSA
The 2nd Round Candidates
[Slide shows the same 69 names as the 1st round candidates slide, with the merged submissions added: LEDAcrypt, NTRU, Rollo, Round5]
Challenges and Considerations in Selecting Algorithms
Security
• Security levels offered
• (confidence in) security proof
• Any attacks
• Classical/quantum complexity
Performance
• Size of parameters
• Speed of KeyGen, Enc/Dec, Sign/Verify
• Decryption failures
Algorithm and implementation characteristics
• IP issues
• Side channel resistance
• Simplicity and clarity of documentation
• Flexible
Other
• Round 2 changes
• Official comments/pqc-forum discussion
• Papers published/presented
[Figure: funnel narrowing from the 1st round to the 2nd round to the 3rd round]
Two Tracks
• Finalists
• Algorithms that could be ready to be
standardized at the end of the 3rd round
• Most promising to fit the majority of use cases
• The 2nd track: Alternates
• Crucial point – had to have potential for
standardization
• not just be of interest for future research
The 3rd Round Finalists and Alternates
• NIST selected 7 Finalists and 8 Alternates
 • KEM finalists: Kyber, NTRU, SABER, Classic McEliece
 • Signature finalists: Dilithium, Falcon, Rainbow
 • KEM alternates: Bike, FrodoKEM, HQC, NTRUprime, SIKE
 • Signature alternates: GeMSS, Picnic, Sphincs+

3rd round candidates by family (Finalists / Alternates):
                                    Signatures   KEM/Encryption   Overall
Lattice-based                          2 / –          3 / 2         5 / 2
Code-based                             – / –          1 / 2         1 / 2
Multi-variate                          1 / 1          – / –         1 / 1
Stateless Hash or Symmetric based      – / 2          – / –         – / 2
Isogeny                                – / –          – / 1         – / 1
Total                                  3 / 3          4 / 5         7 / 8
Lattice-based KEMs
• Crystals-Kyber
• Great all-around → Finalist
• Saber
• Great all-around → Finalist
• NTRU
• Older, clear IP situation → Finalist
• NTRUprime
• Different design choices → Alternate
• FrodoKEM
• Conservative/Backup → Alternate
Isogeny- and Code-based KEMs
• Classic McEliece
 • Oldest submission, large public keys but small ciphertexts → Finalist
• BIKE
 • Good performance, CCA security?, more time to be stable → Alternate
• HQC
 • Better security analysis/larger keys (than BIKE) → Alternate
• SIKE
 • Newer security problem, an order slower → Alternate
The Signatures
• Dilithium and Falcon
 • Both balanced, efficient lattice-based signatures → Finalist
• SPHINCS+ and Picnic
 • SPHINCS+ is stable, conservative security, larger/slower → Alternate (well, it’s a pseudo-Finalist…)
 • Picnic not stable yet, but has lots of potential → Alternate
• Rainbow and GeMSS
 • Both have large public keys, small signatures. Rainbow a bit better → Finalist, GeMSS → Alternate
Round 3 Cryptanalysis
■ Multivariate signature schemes Rainbow and GeMSS
■ Both substantially attacked by new MinRank-style attacks [Beullens and Tao/Petzoldt/Ding]
■ (Was not part of end-of-2nd-Round decision-making)
■ Rainbow loses ~16 bits of security at Level 1, and ~55 bits of security at Level 5
■ (Rainbow team proposes new security analysis accounting for memory costs – correct?)
■ GeMSS loses up to 71 bits of security at Level 1, and up to 196 bits of security at Level 5
■ Notably, there seems to be very little security gain between their Level 1 and Level 5 parameter sets now
State of the signature schemes
• Dilithium – lattice-based
• Falcon – lattice-based
• SPHINCS+ – hash-based
• Picnic – ZKP/MPC-in-the-head
• Rainbow – multivariate
• GeMSS – multivariate
• From our 2nd Round Report (NISTIR 8309):
 • “NIST sees SPHINCS+ as an extremely conservative choice for standardization. If NIST’s confidence in better performing signature algorithms is shaken by new analysis, SPHINCS+ could provide an immediately available algorithm for standardization at the end of the third round.”
 • “NIST is pleased with the progress of the PQC standardization effort but recognizes that current and future research may lead to promising schemes which were not part of the NIST PQC Standardization Project. NIST may adopt a mechanism to accept such proposals at a later date. In particular, NIST would be interested in a general-purpose digital signature scheme which is not based on structured lattices.”
Timeline
• The 3rd round will last 12-18 months
• NIST will then select which finalist algorithms to standardize
• NIST will also select which alternates to keep studying in a 4th round (*)
• The 4th round will similarly be 12-18 months
• NIST may decide to consider new schemes at some point
• NIST will hold a virtual 3rd PQC Standardization Conference
• June 7-9, 2021
• We expect to release draft standards for public comment in 2022-2023
• The finalized standard will hopefully be ready by 2024
Research Challenges
• Many important topics to be studied:
• Security proofs in both the ROM and QROM
• Does the specific ring/module/field choice matter for security?
• Or choice of noise distribution?
• Does “product” or “quotient” style LWE matter?
• Finer-grained metrics for security of lattice-based crypto (coreSVP vs. real-world security)
• Are there any important attack avenues that have gone unnoticed?
• Side-channel attacks/resistant implementations for finalists and alternates
• More hardware implementations
• Ease of implementations – decryption failures, floating point arithmetic, noise sampling, etc.
• Specific algorithm questions
• Decoding analysis for BIKE, category 1 security levels for Kyber/Saber/Dilithium, algebraic
cryptanalysis of cyclotomics for lattices, etc…
A Recent, Major Research Question
• Specific algorithm questions
• Analysis of the distribution of Dimensions For Free (d4f) in canonical
lattice cryptanalysis (e.g., G6K); does it converge? When?
Other Challenges
• Many other challenges to work on
• IP issues
• Continued performance benchmarking in different platforms and environments
• For hardware – NIST suggested Artix-7 and Cortex M4 (with all options) for easier comparison
• Real world experiments
• How do these algorithms work in actual protocols and applications?
• Are some key sizes too large?
• Transition
• Hybrid solutions – combining classical and PQC algorithms. Allowed in SP 800-56C, Rev. 2 (Aug 2020)
• NIST will issue more guidance in the coming years
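The hybrid construction mentioned above, as an added example written for this page (not NIST’s code and not taken from SP 800-56C): SP 800-56C Rev. 2 permits forming a hybrid shared secret Z' = Z || T from a classical shared secret Z and an auxiliary shared secret T (for instance from a PQC KEM) and passing Z' to an approved KDF. The block uses HKDF (RFC 5869, an extract-then-expand two-step KDF) with HMAC-SHA-256. The 32-byte lengths for Z and T, the salt, the info label and the sample secret values are constructed assumptions for illustration, not the output of any real key exchange.

```python
import hashlib
import hmac

# Lengths below are this example's assumptions: a 32-byte classical secret Z
# (the size of a P-256 ECDH x-coordinate) and a 32-byte KEM shared secret T.
Z_LEN = 32
T_LEN = 32
HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC(salt, IKM); an empty salt means HashLen zero bytes."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated and truncated."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested key material too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_shared_secret(z_classical: bytes, t_pqc: bytes) -> bytes:
    """Z' = Z || T as SP 800-56C Rev. 2 describes. Both parts have a fixed length and a
    fixed order, so both sides parse the concatenation the same way."""
    if len(z_classical) != Z_LEN:
        raise ValueError("classical shared secret Z has the wrong length")
    if len(t_pqc) != T_LEN:
        raise ValueError("auxiliary shared secret T has the wrong length")
    return z_classical + t_pqc


def derive_hybrid_key(z_classical: bytes, t_pqc: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Feed Z' to HKDF. Someone who recovers only Z (e.g. by running Shor's algorithm
    against the classical exchange) still lacks T and cannot recompute this key."""
    return hkdf_expand(hkdf_extract(salt, hybrid_shared_secret(z_classical, t_pqc)), info, length)


# Constructed sample inputs (not real key-exchange outputs).
Z_SAMPLE = bytes(range(Z_LEN))
T_SAMPLE = bytes(range(T_LEN, 2 * T_LEN))
SALT_SAMPLE = b"constructed-salt"
INFO_SAMPLE = b"example hybrid session key, context label"

if __name__ == "__main__":
    key = derive_hybrid_key(Z_SAMPLE, T_SAMPLE, SALT_SAMPLE, INFO_SAMPLE)
    print("hybrid key:", key.hex())
    print("changing T changes the key:",
          key != derive_hybrid_key(Z_SAMPLE, bytes(T_LEN), SALT_SAMPLE, INFO_SAMPLE))
```

The fixed lengths and fixed order are the practical point: without them, two implementations could split Z' differently and derive different keys, or an attacker-controlled length could shift bytes between Z and T. The HKDF functions reproduce RFC 5869 Test Case 1, so they can be checked against that published vector.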
NIST Transition Guideline for PQC?
NIST has published transition guidelines for algorithms and key lengths
• NIST SP 800-131A Revision 2 “Transitioning the Use of Cryptographic Algorithms and Key Lengths”
• Examples
 • Three-key Triple DES
  Encryption – Deprecated through 2023; Disallowed after 2023
  Decryption – Legacy use
 • SHA-1
  Digital signature generation – Disallowed, except where specifically allowed by NIST protocol-specific guidance
  Digital signature verification – Legacy use
  Non-digital signature applications – Acceptable
 • Key establishment methods with strength < 112 bits (e.g. DH mod p, |p| < 2048) – Disallowed
NIST will provide transition guidelines to PQC standards
• The timeframe will be based on a risk assessment of quantum attacks
• NCCoE hosted a workshop on Considerations in Migrating to Post-Quantum Cryptographic Algorithms on October 7
Stateful Hash Based Signatures for Early Adoption
Stateful hash-based signatures were proposed in 1970s
• Rely on assumptions on hash functions, that is, not on number theory complexity assumptions
• It is essentially limited-time signatures, which require state management
NIST specification on stateful hash-based signatures
• NIST SP 800-208 “Recommendation for Stateful Hash-Based Signature Schemes”
Internet Engineering Task Force (IETF) has released two RFCs on hash-based signatures
• RFC 8391 “XMSS: eXtended Merkle Signature Scheme” (By Internet Research Task Force (IRTF))
• RFC 8554 “Leighton-Micali Hash-Based Signatures” (By Internet Research Task Force (IRTF))
ISO/IEC JTC 1 SC27 WG2 Project on hash-based signatures
• Stateful hash-based signatures will be specified in ISO/IEC 14888 Part 4
• It is in the 1st Working Draft stage
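To show what “limited-time signatures, which require state management” means in practice, here is an added example written for this page; it is not NIST’s, the IETF’s or ISO’s code and is not XMSS or LMS, only a toy scheme in the same family: Lamport one-time signatures (OTS) as the leaves of a Merkle tree, a signer that tracks the next unused leaf index and refuses to sign once the leaves are exhausted, and a verifier-side check that flags two different signatures sharing one index, which is exactly what a state rollback (say, a signing key restored from backup) produces. SHA-256, 256 secret-value pairs per OTS key, `secrets.token_bytes` for key material and the tree height are this example’s own choices.

```python
import hashlib
import secrets

# Toy stateful hash-based signature: Lamport one-time signatures (OTS) as
# Merkle-tree leaves. The construction choices (SHA-256, 256-bit digests,
# secrets.token_bytes for key material) are this example's own assumptions.
N = 32            # bytes per hash output and per OTS secret value
MSG_BITS = 8 * N  # one secret-value pair per digest bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """sk[i][b] is the secret for digest bit i having value b; pk holds their hashes."""
    sk = [[secrets.token_bytes(N), secrets.token_bytes(N)] for _ in range(MSG_BITS)]
    pk = [[H(s0), H(s1)] for s0, s1 in sk]
    return sk, pk


def _digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(MSG_BITS)]


def lamport_sign(sk, msg: bytes):
    # Reveals exactly one of the two secrets per bit. A second message under the
    # same key would reveal more of them, which is why each OTS key is used once.
    return [sk[i][b] for i, b in enumerate(_digest_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != MSG_BITS:
        return False
    return all(H(s) == pk[i][b] for i, (b, s) in enumerate(zip(_digest_bits(msg), sig)))


def leaf_hash(pk) -> bytes:
    return H(b"".join(p0 + p1 for p0, p1 in pk))


def _next_level(level):
    return [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def auth_path(leaves, index: int):
    """Sibling hashes from the leaf up to the root, so a verifier can recompute the root."""
    path, level = [], list(leaves)
    while len(level) > 1:
        path.append(level[index ^ 1])
        level, index = _next_level(level), index // 2
    return path


def root_from_path(leaf: bytes, index: int, path) -> bytes:
    node = leaf
    for sibling in path:
        node = H(node + sibling) if index % 2 == 0 else H(sibling + node)
        index //= 2
    return node


class StatefulSigner:
    """Holds 2**height OTS keys; next_index is the state that must never move backwards."""

    def __init__(self, height: int):
        self.count = 1 << height
        keys = [lamport_keygen() for _ in range(self.count)]
        self.sks = [sk for sk, _ in keys]
        self.pks = [pk for _, pk in keys]
        self.leaves = [leaf_hash(pk) for pk in self.pks]
        self.root = merkle_root(self.leaves)  # the long-term public key
        self.next_index = 0

    def sign(self, msg: bytes):
        if self.next_index >= self.count:
            raise RuntimeError("all one-time keys used; this key pair is exhausted")
        idx = self.next_index
        self.next_index += 1  # commit the state change before the signature is released
        return idx, lamport_sign(self.sks[idx], msg), self.pks[idx], auth_path(self.leaves, idx)


def verify(root: bytes, msg: bytes, signature) -> bool:
    idx, ots_sig, ots_pk, path = signature
    return lamport_verify(ots_pk, msg, ots_sig) and root_from_path(leaf_hash(ots_pk), idx, path) == root


def index_reused(sig_a, sig_b) -> bool:
    """Verifier-side detection: two distinct signatures on one leaf index mean state was reused."""
    return sig_a[0] == sig_b[0] and sig_a[1] != sig_b[1]
```

The order inside `sign` is the operational lesson: the index is advanced and would, in a real deployment, be written to durable storage before the signature leaves the signer, so a crash or restore cannot hand out the same leaf twice. A relying party that keeps the indices it has seen can run `index_reused` as a monitoring check; XMSS and LMS carry the leaf index in the signature for the same reason.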
What can organizations do now?
• Perform a quantum risk assessment within your organization
• Identify information assets and their current crypto protection
• Identify what ‘x’, ‘y’, and ‘z’ might be for you – determine your quantum risk
• Prioritize activities required to maintain awareness, and to migrate technology to quantum-safe solutions
• Evaluate vendor products with quantum safe features
• Know which products are not quantum safe
• Ask vendors for quantum safe features in procurement templates
• Develop an internal knowledge base amongst IT staff
• Track developments in quantum computing and quantum safe solutions, and establish a roadmap to quantum readiness for your organization
• Act now – it will be less expensive, less disruptive, and less likely to have mistakes caused by rushing and scrambling
Conclusion
• We can start to see the end?
• NIST is grateful for everybody’s efforts
• Check out www.nist.gov/pqcrypto
• Sign up for the pqc-forum for
announcements & discussion
• send e-mail to [email protected]
Taking all questions (technical or not): [email protected]