It has been almost a year and a half since the second round of the NIST PQC Standardization Process began. After careful consideration, NIST would like to announce the candidates that will be moving on to the third round. The seven third-round Finalists are:
Third Round Finalists
Public-Key Encryption/KEMs
Classic McEliece
CRYSTALS-KYBER
NTRU
SABER
Digital Signatures
CRYSTALS-DILITHIUM
FALCON
Rainbow
In addition, the following eight candidate algorithms will advance to the third round:
Alternate Candidates
Public-Key Encryption/KEMs
BIKE;
FrodoKEM
HQC
NTRU Prime
SIKE
Digital Signatures
GeMSS
Picnic
SPHINCS+
During the third round, the term "finalist" will refer to the first seven algorithms listed above, and the terms "alternate" or "alternate candidate" will be used for the other eight algorithms also advancing. The finalists will continue to be reviewed for consideration for standardization at the conclusion of the third round. As CRYSTALS-KYBER, NTRU, and SABER are all structured lattice schemes, NIST intends to select, at most, one for the standard. The same is true for the signature schemes CRYSTALS-DILITHIUM and FALCON. In NIST's current view, these structured lattice schemes appear to be the most promising general-purpose algorithms for public-key encryption/KEM and digital signature schemes.
For the eight alternate candidate algorithms being advanced into the third round, NIST notes that these algorithms may still potentially be standardized, although that most likely will not occur at the end of the third round. NIST expects to have a fourth round of evaluation for some of the candidates on this track. Several of these alternate candidates have worse performance than the finalists but might be selected for standardization based on a high confidence in their security. Other candidates have acceptable performance but require additional analysis or other work to inspire sufficient confidence in their security or security rationale. In addition, some alternates were selected based on NIST's desire for a broader range of hardness assumptions in future post-quantum security standards, their suitability for targeted use cases, or their potential for further improvement.
NIST would like to thank all of the submission teams for their efforts in this standardization process. It was not an easy decision to narrow down the submissions. A detailed description of the decision process and rationale for selection are available in NIST Internal Report (NISTIR) 8309, Status Report on the Second Round of the NIST Post-Quantum Cryptography Standardization Process. It is also available on the NIST post-quantum webpage, www.nist.gov/pqcrypto
