Multi-Party Threshold Cryptography MPTC

Prospective teams (interested in an upcoming future submission, and not having submitted a Preview Writeup within the 1st round) are encouraged to submit to NIST-MPTC a Preview Writeup by 2026-apr-20, for consideration within the 2nd round of previews.

Before an actual package submission, each prospective team needs to submit a "Preview Writeup" (plan of upcoming package submission) and (if accepted) present a "Preview Talk". For consideration within the 3rd round of previews, teams should submit their preview writeup by 2026-jun-22.

[To appear: Each package will include Technical Specification, Open-Source Reference Implementation, Report on Experimental Evaluation, Notes in Patent Claims]

The submission of packages will be handled after the phase of previews.

The latex template for Technical Specification, Report on Experimental Evaluation, and Notes in Patent Claims is expected to be made available in February 2026, following the structure outlined in the NIST Threshold Call.

The NIST-MPTC project collects reference materials on advanced cryptography (including threshold schemes, FHE and ZKP). In particular, the NIST Threshold Call (NIST IR 8214C) motivates the community of cryptography experts to submit threshold schemes and other primitives in scope, to form a public body of reference material. The analysis of submitted crypto-systems will support future recommendations for subsequent processes, which may include development of technical recommendations.

IR 8214C publication (Final, Drafts, Public Feedback)

• 2026-Jan-20: NISTIR 8214C — NIST First Call for Multi-Party Threshold Schemes (final version). See the publication page.
• 2025-Mar-27: NISTIR 8214C 2pd — NIST First Call for Multi-Party Threshold Schemes (Second Public Draft). See the publication page.
• 2023-Sep-26–28: NIST workshop on Multi-Party Threshold Schemes (MPTS 2023), focused on the topics of the Threshold Call. All presentations are available online.
• 2023-Jan-25: NISTIR 8214C ipd — NIST First Call for multi-party threshold schemes (initial public draft). The publication page shows the period of public comments (open until 2023-April-10). There is a compilation of public comments (see PDF file)
• 2021-Jul-02: Call 2021a for Feedback on Criteria for Threshold Schemes (see PDF file). There is a compilation of public comments (see PDF file).
• Other related publications: NIST IR 8214, NIST IR 8214A, NIST IR 8214B ipd

Selected notes of updates in the final version (as compared to the second public draft):

• Indexed list of requirements
• Refinement of the preview phases (increasing from 2 to 3) and timelines
• Refined description of the structure of expected components (Technical Specification, Reference Implementation, Report on Experimental Evaluation, Notes of Patent Claims)
• Expansion of the allowed set of open-source licenses
• Overall editorial improvement across the document

Selected notes of updates in the Second Public Draft (as compared to the initial public draft):

• New indexation of categories: N1...N4 (instead of old C1.1...C1.5); S1...S7 (instead of old C2.1...C2.8).
• Categories N1 (old C1.1) and N2 (old C.1.2) include primitives from the recent NIST-PQC standards.
• Category N3 (old C1.4) includes primitives from the upcoming NIST Lightweight Cryptography (Ascon-based) standard.
• Category S5 (old C2.6) narrowed the scope, becoming focused on FHE.
• The KeyGen categories (N4, S4) now also include the scope of the old subcategories about key-establishment (C1.3, C2.3).

The Threshold Call organizes its technical scope into categories.

The primitives in scope are organized into multiple categories, across two classes:

• Class N: NIST-specified primitives
• Class S: Special primitives not specified by NIST

Class N (related to NIST Standardized schemes/primitives)

Table 1. Categories of interest in Class N

Category: Type	Families of specifications	Sections (in the call)
N1: Signing	[PreQ] EdDSA sign; ECDSA sign; RSADSA sign [QR stateless] ML-DSA sign; SLH-DSA sign [QR stateful]: XMSS sign; LMS sign	10.1, A.1
N2: PKE	[PreQ] RSA encryp & decrypt [QR] K-PKE (from ML-KEM) encrypt & decrypt	10.2, A.2
N3: Symmetric	Ciphers: AES encipher/decipher, ASCON-AEAD encrypt/decrypt Hash and XOF: functions from SHA2, SHA3, SHAKE, ASCON MAC: C/H/K-MAC	10.3, A.3
N4: Keygen (aka DKG)	ECC keygen; ECC-CDH & ECC-MQV primitives RSA keygen; bitstring keygen QR keygen for ML, SLH, and stateful-HBS	10.4, A.4

Legend: 2KA = pair-wise key-agreement; AES = Advanced Encryption Standard; CDH = Cofactor Diffie-Hellman; DKG = Distributed key-generation. ECC = Elliptic-curve cryptography; ECDSA = Elliptic-curve Digital Signature Algorithm; EdDSA = Edwards-Curve Digital Signature Algorithm; KC = Key confirmation; KDM = Key derivation mechanism; Keygen = Key-generation; ML = Module Lattice (based). MQV = Menezes-Qu-Vanstone; PKE = Public-key encryption; PQC = Post-Quantum Cryptography. PreQ = pre-quantum; QR = quantum resistant; RSA = Rivest-Shamir-Adleman; RSADSA = RSA digital signature algorithm; stfl-HBS = stateful hash-based signatures.

Note: This table reflects the categories in NISTIR 8214C 2pd (mar-2025). The initial public draft (jan-2023) had a different organization.

Class S (related to other "Special" primitives/schemes)

Table 2. Subcategories and examples of primitives in Class S

TF-PQ is a desired combination for any type of scheme; some examples show just TF to emphasize that it is welcome even if not PQ.

Legend:  Keygen = key-generation; PKE = Public-key encryption; PRF = pseudorandom function (family); PRP = pseudorandom permutation (family); PQ = post-quantum (i.e., quantum resistant); TagGen = Tag generation. TF = threshold friendly; XOF = eXtendable output function. ZKPoK = Zero-knowledge proof of knowledge.

Note: This table reflects the categories in NISTIR 8214C 2pd (mar-2025). The initial public draft (jan-2023) had a different organization: class S was category 2; categories N1...N7 were subcategories C2.1...C2.8. Category S5 is now focused on FHE (whereas the previous C2.6 was more open-ended to special types of encryption).

The NIST Threshold Call establishes a phase of "Previews" (for presentation of plans of upcoming submissions) before the actual deadline for submitting "Packages". Each future package will include a Technical Specification, an open-source Reference Implementation, a Report on Experimental Evaluation. Additionally, each package submission requires disclosure of known applicable patent claims associated with the team members.

Previews (Plans of Upcoming Package Submissions)

As a condition for an upcoming package submission, teams have to participate in at least one of three (3) expected "Preview" subphases (a.k.a. rounds or opportunities). In each preview opportunity, teams can submit "Preview Writeups". After a brief process of review by NIST-MPTC, which may include request for editorial revision, accepted preview writeups will be posted online, and then be followed by corresponding "Preview Talks" in a public session. After each session of Preview Talks, NIST-MPTC will also set a period for teams to revise their Preview Writeups, taking into account possible received feedback. In any case, teams can also participate in subsequent preview opportunities for further update of their plans.

Packages with Crypto-Systems

The submission of packages will be handled after the phase of previews. Each package will include Technical Specification, Reference Implementation, Report on Experimental Evaluation, and Notes in Patent Claims.