On Thursday August 24, the U.S. National Institute of Standards and Technology, NIST, published the long-awaited drafts of the future standards for post-quantum cryptography (PQC). The algorithms that are the basis for these standards have been known already since summer 2022 when NIST announced CRYSTALS-Kyber, CRYSTALS-Dilithium, Falcon, and SPHINCS+ as the winners of Round 3 of the NIST PQC competition. Specifically, NIST now released three documents and requests comments for them:
- FIPS 203 (Draft): Module-Lattice-Based Key Encapsulation Mechanism Standard
- FIPS 204 (Draft): Module-Lattice-Based Digital Signature Standard
- FIPS 205 (Draft): Stateless Hash-Based Digital Signature Standard
FIPS 203 describes three algorithms ML-KEM-512, ML-KEM-768, and ML-KEM-1024 targeting three different security levels. They are based on the Kyber variants Kyber-512, Kyber-768, and Kyber-1024, respectively.
FIPS 204 similarly describes three algorithms ML-DSA-44, ML-DSA-65, and ML-DSA-87 based on Dilithium-2, Dilithium-3, and Dilithium-5.
FIPS 205 includes in total 12 algorithms for three different security levels, two options for the underlying hash standards (SHA-2 or SHAKE-256), and either relatively small signatures or fast signing.
The announced winners of Round 3 included also a fourth algorithm called FALCON, which is another digital signature algorithm. A draft for a standard based on FALCON was not released in this batch, but NIST says that it intends to develop a standard for FALCON later.
The drafts of FIPS 203, 204, and 205 are now open for commenting until November 22, 2023. NIST then takes the received comments into account and proposes the standards for approval to the U.S. Secretary of Commerce. It is likely that the final standards will be available during 2024.
The algorithms to be standardised include a few changes compared to the submission versions of CRYSTALS-Kyber, CRYSTALS-Dilithium, and SPHINCS+. The changes are relatively small and include changes in the lengths of certain hash values, slightly modified Fujisaki-Okamoto transform for Kyber, removal of certain hash computations that were safeguarding against flawed random number generators, changes on the way how specific seed values are to be generated, small modifications of which hash functions are used inside the algorithms, etc.
Xiphera will soon release modified versions of the xQlave® family of post-quantum cryptography so that they comply with these changes. “We anticipate that the changes will not have major impacts on the resource requirements or performance of the products”, says Kimmo Järvinen, co-founder and CTO of Xiphera.