Cyber Centre welcomes round 2 of NIST’s additional digital signature scheme standardization process

In October 2024, the National Institute of Standards and Technology (NIST) in the United States launched round 2 in its ongoing process to standardize additional post-quantum digital signature schemes. Digital signature schemes are used to authenticate data and remote systems to protect against unauthorized access and are an essential part of cyber security solutions. Post-quantum cryptography (PQC), including post-quantum digital signatures, is designed to remain secure even against the emerging threat posed by quantum computers.

The first round of NIST's additional digital signature scheme standardization process began in 2022, with the publication of 40 candidates. For this second round, NIST has reduced the number of candidates to 14. This allows researchers worldwide, including those within the Cyber Centre, to dedicate more time to examining the remaining schemes.

How this initiative contributes to the post-quantum cryptography migration

NIST has already published standards for 2 post-quantum digital signature schemes, the Module-Lattice-Based Digital Signature Algorithm (ML-DSA) and the Stateless Hash-Based Digital Signature Algorithm (SLH-DSA). Read our announcement of these new NIST post-quantum standards to learn more.

We expect NIST to release a draft standard for a third digital signature scheme, the Fast-Fourier Transform over NTRU-Lattice-Based Digital Signature Algorithm (FN-DSA), soon.

With so many options already chosen for standardization, practitioners may wonder why NIST is considering the standardization of additional schemes. Both ML-DSA and FN-DSA are based on hard problems over structured lattices. The nearly 30-year history of lattice-based cryptography has given rise to a robust understanding of the security of lattice-based cryptographic schemes. Nonetheless, in order to diversify cryptographic primitives, NIST has indicated that they are primarily interested in additional schemes based on hard problems other than structured lattices.

While ML-DSA is intended to replace non-post-quantum digital signing algorithms in nearly all applications, there may be niche cases requiring schemes with alternative performance characteristics. Although SLH-DSA and FN-DSA are expected to cover most of these situations, NIST is particularly interested in finding schemes with small signature sizes and fast verification to support the migration to PQC in all situations.

Signature schemes under consideration for standardization

Of the 14 remaining schemes:

  • 5 are built using multi-party computation (MPC) in-the-head techniques
  • 4 are multivariate signatures
  • 2 are code-based
  • 1 is isogeny-based
  • 1 is symmetric-based
  • 1 is lattice-based

For a review of these categories, see the "Mathematical Families" section of the Cyber Centre's summary review of final candidates for NIST Post‑Quantum Cryptography standards. Most of the approaches for building signature schemes have been previously considered in NIST's standardization process.

A notable development in the signature on-ramp has been the proliferation of signature schemes using MPC-in-the-head techniques. These signature schemes borrow ideas from multiparty computation to “prove” knowledge of some secret value.

How to prepare for the post-quantum transition

To ensure Canadian organizations are ready to make the transition to PQC once standardized algorithms are available, practitioners should review the Cyber Centre's advice in the following publications:

Our guidance on securely configuring network protocols will be updated once these protocols support standardized PQC algorithms.

The Cyber Centre advises consumers to procure and use cryptographic modules that are tested and validated under the Cryptographic Module Validation Program (CMVP) with algorithm certificates from the Cryptographic Algorithm Validation Program (CAVP). The Cyber Centre partners with NIST to manage both programs and we work jointly to update them to support the testing of new digital signature schemes that get standardized.

The Cyber Centre also recommends that cyber security products be evaluated and certified to meet the Common Criteria standard with a Security Target and Certification Report that includes the desired protocol security requirements. Once protocol standards are updated, Common Criteria Testing Laboratories will need to support testing and evaluation methods for protocols utilizing the new PQC algorithms.

The Cyber Centre is working within the Government of Canada and with critical infrastructure to ensure a smooth and timely transition to PQC. Contact the Cyber Centre by email at cryptography-cryptographie@cyber.gc.ca or by phone at 1-888-CYBER-88 if you have further questions.