Post-Quantum Cryptography Standardization
Post-Quantum Cryptography PQC
Minimum Acceptability Requirements
Post-quantum candidate algorithm nominations are due November 30, 2017.
Call for Proposals
Those submission packages that are deemed by NIST to be “complete” will be evaluated for the inclusion of a “proper” post-quantum public-key cryptosystem. To be considered as a “proper” post-quantum public-key cryptosystem (and continue further in the standardization process), the scheme shall meet the following minimum acceptability requirements:
- The algorithms shall be publicly disclosed and made available for public review and the evaluation process, and for standardization if selected, freely (i.e., shall be dedicated to the public), or shall be made available in accordance with Sections 2.D.1, 2.D.2 and 2.D.3, as applicable.
- The algorithms shall not incorporate major components that are believed to be insecure against quantum computers. (For example, hybrid schemes that include encryption or signatures based on factoring or discrete logs will not be considered for standardization by NIST in this context.)
- The algorithms shall provide at least one of the following functionalities: public-key encryption, key exchange, or digital signature:
- Public-key encryption schemes shall include algorithms for key generation, encryption, and decryption. The key generation algorithm shall generate public and private keys, such that messages or symmetric keys encrypted with the public key are recoverable with high probability by decryption with the corresponding private key. If decryption failure is a possibility, it shall occur at a rate consistent with claims made by the submitter. At a minimum, the scheme shall support the encryption and decryption of messages that contain symmetric keys of length at least 256 bits.
- KEM schemes shall include algorithms for key generation, encapsulation and decapsulation. The key generation algorithm shall generate public and private key pairs, such that encapsulation with the public key and decapsulation with the private key produce the same shared secret, when the encapsulated ciphertext is given as an input to the decapsulate function. If decapsulation failure is a possibility, it shall occur at a rate consistent with claims made by the submitter. At a minimum, the KEM functionality shall support the establishment of shared keys of length at least 256 bits.
- Digital-signature schemes shall include algorithms for key generation, signature, and verification. The key generation algorithm shall generate public and private keys, such that a message signed with the private key will be successfully verified with the corresponding public key. The scheme shall be capable of supporting a message size up to 263 bits.
- The submission package shall provide concrete values for any parameters and settings required to achieve the claimed security properties (to the best of the submitter’s knowledge.)
A submission package that is complete (as defined in Section 2) and meets the minimum acceptability requirements (as defined immediately above) will be deemed to be a “complete and proper” submission. A submission that NIST deems otherwise at the close of the submission period will receive no further consideration. Submissions that are “complete and proper” will be posted at http://www.nist.gov/pqcrypto for public review.
Created January 03, 2017, Updated April 06, 2021