In October 2024, the National Institute of Standards and Technology (NIST) in the United States launched round 2 in its ongoing process to standardize additional post-quantum digital signature schemes. Digital signature schemes are used to authenticate data and remote systems to protect against unauthorized access and are an essential part of cyber security solutions. Post-quantum cryptography (PQC), including post-quantum digital signatures, is designed to remain secure even against the emerging threat posed by quantum computers.
The first round of NIST's additional digital signature scheme standardization process began in 2022, with the publication of 40 candidates. For this second round, NIST has reduced the number of candidates to 14. This allows researchers worldwide, including those within the Cyber Centre, to dedicate more time to examining the remaining schemes.
How this initiative contributes to the post-quantum cryptography migration
NIST has already published standards for 2 post-quantum digital signature schemes, the Module-Lattice-Based Digital Signature Algorithm (ML-DSA) and the Stateless Hash-Based Digital Signature Algorithm (SLH-DSA). Read our announcement of these new NIST post-quantum standards to learn more.
We expect NIST to release a draft standard for a third digital signature scheme, the Fast-Fourier Transform over NTRU-Lattice-Based Digital Signature Algorithm (FN-DSA), soon.
With so many options already chosen for standardization, practitioners may wonder why NIST is considering the standardization of additional schemes. Both ML-DSA and FN-DSA are based on hard problems over structured lattices. The nearly 30-year history of lattice-based cryptography has given rise to a robust understanding of the security of lattice-based cryptographic schemes. Nonetheless, in order to diversify cryptographic primitives, NIST has indicated that it is primarily interested in additional schemes based on hard problems other than structured lattices.
While ML-DSA is intended to replace non-post-quantum digital signing algorithms in nearly all applications, there may be niche cases requiring schemes with alternative performance characteristics. Although SLH-DSA or FN-DSA are expected to cover most of these situations, NIST is particularly interested in finding schemes with small signature sizes and fast verification to support the migration to PQC in all situations.
Signature schemes under consideration for standardization
Of the 14 remaining schemes:
- 5 are built using multi-party computation in-the-head (MPC-in-the-head) techniques
- 4 are multivariate signatures
- 2 are code-based
- 1 is isogeny-based
- 1 is symmetric-based
- 1 is lattice-based
For a review of these categories, see the "Mathematical Families" section of the Cyber Centre's summary review of final candidates for NIST Post-Quantum Cryptography standards. Most of the approaches for building signature schemes have been previously considered in NIST's standardization process.
A notable development in the signature on-ramp has been the proliferation of signature schemes using MPC-in-the-head techniques. These signature schemes borrow ideas from multi-party computation to "prove" knowledge of some secret value.
How to prepare for the post-quantum transition
To ensure Canadian organizations are ready to make the transition to PQC once standardized algorithms are available, practitioners should review the Cyber Centre's advice in the following publications:
- Preparing your organization for the quantum threat to cryptography (ITSAP.00.017)
- Guidance on becoming cryptographically agile (ITSAP.40.018)
- Guidance on securely configuring network protocols (ITSP.40.062)
- Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information (ITSP.40.111)
Our guidance on securely configuring network protocols will be updated once these protocols support standardized PQC algorithms.
The Cyber Centre advises consumers to procure and use cryptographic modules that are tested and validated under the Cryptographic Module Validation Program (CMVP) with algorithm certificates from the Cryptographic Algorithm Validation Program (CAVP). The Cyber Centre partners with NIST to manage both programs, and the two organizations work jointly to update them to support the testing of new digital signature schemes as they are standardized.
The Cyber Centre also recommends that cyber security products be evaluated and certified to meet the Common Criteria standard with a Security Target and Certification Report that includes the desired protocol security requirements. Once protocol standards are updated, Common Criteria Testing Laboratories will need to support testing and evaluation methods for protocols utilizing the new PQC algorithms.
The Cyber Centre is working within the Government of Canada and with critical infrastructure to ensure a smooth and timely transition to PQC. Contact the Cyber Centre by email at cryptography-cryptographie@cyber.gc.ca or by phone at 1-888-CYBER-88 if you have further questions.