support for more post-quantum-cryptography (pqc) algorithms in NIST round 3 submission

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

support for more post-quantum-cryptography (pqc) algorithms in NIST round 3 submission

javacrypto
Dear all,

I'm missing Bouncy Castle (Java) support for most of the candidates in
the actual NIST round 3 submission in finding the new PQC-standards.

The webpage with all candidates can be found here:
https://csrc.nist.gov/Projects/post-quantum-cryptography/round-3-submissions

and here are the round 3 finalists and my findings in actual version
1.66 of BC:

Public-key Encryption and Key-establishment Algorithms
- Classic McEliece: seems to be available
- CRYSTALS-KYBER: n.a.
- NTRU: seems to be available
- SABER: n.a.

Digital Signature Algorithms
- CRYSTALS-DILITHIUM: n.a.
- FALCON: n.a.
- Rainbow: seems to be available

Alternate Candidates: Public-key Encryption and Key-establishment Algorithms
- BIKE: n.a.
- FrodoKEM: n.a.
- HQC: n.a.
- NTRU Prime: n.a.
- SIKE: n.a.

Alternate Candidates: Digital Signature Algorithms
- GeMSS: seems to be available
- Picnic:n.a.
- SPHINCS+: seems to be available

Are there any plans to expand the list of available algorithms so we can
test the candidates ? If "yes" what is the timeline to implement them?

Kind regards
Michael



Reply | Threaded
Open this post in threaded view
|

Re: support for more post-quantum-cryptography (pqc) algorithms in NIST round 3 submission

David Hook-3

Okay, so the official line from NIST at the moment is that it's quite
risky to try implementing anything right now, people are still changing
security parameters, analytical techniques are changing also, and both
algorithms and parameters are still being tweaked as a result. As we're
still trying to finish TLS 1.3, dealing with the newly introduced ACVP,
and trying to understand the FIPS 140-3 implementation guidance,
implementing the PQC finalists is on the back burner as there's still a
strong chance that we may end up doing them twice, or more, if we start
now. We are paying attention to what's going on though.

I note we were following qTesla closely, but we had help from
TU-Darmstadt to do so (and unfortunately qTesla has been eliminated,
which if anything does prove the risks are real).

NIST have also made it clear that only one lattice-based candidate will
get through in each category, and of the list of finalists I believe no
more than 2 from each category will end up being chosen. At any rate
baring breakthroughs in analysis, not every entry on the current list is
equal.

Concerning what we have implementations for now, XMSS/XMSS^MT (RFC 8391)
and LMS/HSS (RFC 8554) are the only two which can really claim to be
standards. I should point out that SP 800-208 does seem to have room in
it for further parameters for XMSS, but it does also seem to cover the
current IETF standard.

It is not safe to assume that any of the algorithms we currently
implement are in line with any of the algorithms that have the same or
similar names in the post-quantum competition, although what we
currently have will give you a feel for what is going on if you would
like to try them. For example, SPHINCS-256 is related to SPHINCS+, but
they are not the same.

Round 3 is due to close in May 2021. I'd expect we'll have something
more representative in place around then.

Regards,

David

On 17/10/20 9:30 am, javacrypto wrote:

> Dear all,
>
> I'm missing Bouncy Castle (Java) support for most of the candidates in
> the actual NIST round 3 submission in finding the new PQC-standards.
>
> The webpage with all candidates can be found here:
> https://csrc.nist.gov/Projects/post-quantum-cryptography/round-3-submissions
>
>
> and here are the round 3 finalists and my findings in actual version
> 1.66 of BC:
>
> Public-key Encryption and Key-establishment Algorithms
> - Classic McEliece: seems to be available
> - CRYSTALS-KYBER: n.a.
> - NTRU: seems to be available
> - SABER: n.a.
>
> Digital Signature Algorithms
> - CRYSTALS-DILITHIUM: n.a.
> - FALCON: n.a.
> - Rainbow: seems to be available
>
> Alternate Candidates: Public-key Encryption and Key-establishment
> Algorithms
> - BIKE: n.a.
> - FrodoKEM: n.a.
> - HQC: n.a.
> - NTRU Prime: n.a.
> - SIKE: n.a.
>
> Alternate Candidates: Digital Signature Algorithms
> - GeMSS: seems to be available
> - Picnic:n.a.
> - SPHINCS+: seems to be available
>
> Are there any plans to expand the list of available algorithms so we can
> test the candidates ? If "yes" what is the timeline to implement them?
>
> Kind regards
> Michael
>
>
>