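Gaithersburg, Maryland: The U.S. Department of Commerce's National Institute of Standards and Technology (NIST) has issued a request for information (RFI) seeking public input on how best to implement the U.S. Government National Standards Strategy for Critical and Emerging Technology (USG NSSCET).
"It is critical to our economy and our national security that we develop high-quality standards for critical and emerging technologies, which will transform the way we live and work," said Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio. "We are asking experts and stakeholders to share their best ideas for implementing a national strategy that will strengthen U.S. leadership and competitiveness in each of these sectors."
The strategy promotes technically sound standards that help American industry compete internationally on a level playing field, and it is intended to support and complement existing private sector-led activities. The strategy focuses on critical and emerging technologies, including: communication and networking technologies; semiconductors and microelectronics; artificial intelligence and machine learning; biotechnologies; positioning, navigation and timing services; digital identity infrastructure and distributed ledger technologies; clean energy generation and storage; and quantum information technologies.
NIST is seeking information to support the development of the most effective implementation plan for the USG NSSCET, which was released in May. The agency is asking for public input on the best ways to work with relevant stakeholders, remove barriers to participation in international standards development, and strengthen U.S. government support for an international standards system that is open, consensus-based and led by the private sector.
The RFI poses several questions in each of four broad categories: investment, participation, workforce, and integrity and inclusivity. While specifically seeking input on these topics, NIST welcomes all responses that stakeholders believe will support a robust and successful implementation of the strategy.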
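Last year, the National Institute of Standards and Technology (NIST) selected four algorithms designed to withstand attack by quantum computers. Now the agency has begun the process of standardizing these algorithms, the final step before making these mathematical tools available so that organizations around the world can integrate them into their encryption infrastructure.
Today NIST released draft standards for three of the four algorithms it selected in 2022. A draft standard for FALCON, the fourth algorithm, will be released in about a year.
NIST is calling on the worldwide cryptographic community to provide feedback on the draft standards until Nov. 22, 2023.
"We're getting close to the light at the end of the tunnel, where people will have standards they can use in practice," said Dustin Moody, a NIST mathematician and leader of the project. "For the moment, we are requesting feedback on the drafts. Do we need to change anything, and have we missed anything?"
Sensitive electronic information, such as email and bank transfers, is currently protected using public-key encryption techniques, which are based on math problems that a conventional computer cannot readily solve. Quantum computers are still in their infancy, but a sufficiently powerful one could solve these problems, defeating the encryption. The new standards, once completed, will provide the world with its first tools to protect sensitive information from this new kind of threat.
A Multiyear Process of Evaluation
NIST's effort to develop quantum-resistant algorithms began in 2016, when the agency called on the world's cryptographic experts to submit candidate algorithms to NIST's Post-Quantum Cryptography Standardization Project. Experts from dozens of countries submitted 69 eligible algorithms by the November 2017 deadline.
NIST then released the 69 candidate algorithms for experts to analyze, and to crack if they could. This process was open and transparent, and many of the world's best cryptographers participated in multiple rounds of evaluation, which reduced the number of candidates.
Though quantum computers powerful enough to defeat current encryption algorithms do not yet exist, security experts say that it is important to plan ahead, in part because it takes years to integrate new algorithms across all computer systems.
Each new publication is a draft Federal Information Processing Standard (FIPS) concerning one of the four algorithms NIST selected in July 2022:
CRYSTALS-Kyber, designed for general encryption purposes such as creating secure websites, is covered in FIPS 203.
CRYSTALS-Dilithium, designed to protect the digital signatures we use when signing documents remotely, is covered in FIPS 204.
SPHINCS+, also designed for digital signatures, is covered in FIPS 205.
FALCON, also designed for digital signatures, is slated to receive its own draft FIPS in 2024.
The publications provide details that will help users implement the algorithms in their own systems, such as a full technical specification of the algorithms and notes for effective implementation. Additional guidance will be forthcoming in companion publications, Moody said.
Additional Algorithm Standards
While these three will constitute the first group of post-quantum encryption standards NIST creates, they will not be the last.
In addition to the four algorithms NIST selected last year, the project team also selected a second set of algorithms for ongoing evaluation, intended to augment the first set. NIST will publish draft standards next year for the algorithms from this set that are selected for standardization. These additional algorithms (likely one or two), Moody said, are designed for general encryption, but they are based on different math problems than CRYSTALS-Kyber, and they will offer alternative defense methods should one of the selected algorithms show a weakness in the future.
This need for backups was underscored last year when an algorithm that initially was a member of the second set proved vulnerable: Experts outside NIST cracked SIKE with a conventional computer. Moody said that the break was unusual only in that it came relatively late in the evaluation process. "It was mostly an indication that our process is working as it should," he said.
Team members also want to make sure they have considered all the latest ideas for post-quantum cryptography, particularly for digital signatures. Two of the three post-quantum methods for digital signatures selected thus far are based on a single mathematical idea called structured lattices. Should any weaknesses in structured lattices emerge, it would be helpful to develop additional approaches that are based on other ideas. The NIST team recently requested submissions of additional signature algorithms that cryptographers have designed since the initial 2017 submission deadline, and the team plans to evaluate these submissions through a multiround public program in coming years. The 40 submissions that met the acceptance criteria are posted here.
Eventually, the completed post-quantum encryption standards will replace three NIST cryptographic standards and guidelines that are the most vulnerable to quantum computers: FIPS 186-5, NIST SP 800-56A and NIST SP 800-56B.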
The National Institute of Standards and Technology is in the process of selecting public-key cryptographic algorithms through a public, competition-like process. The new public-key cryptography standards will specify additional digital signature, public-key encryption, and key-establishment algorithms to augment Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), as well as NIST Special Publication (SP) 800-56A Revision 3, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography, and SP 800-56B Revision 2, Recommendation for Pair-Wise Key Establishment Using Integer Factorization Cryptography. It is intended that these algorithms will be capable of protecting sensitive information well into the foreseeable future, including after the advent of quantum computers. This report describes the evaluation and selection process of the NIST Post-Quantum Cryptography Standardization process third-round candidates based on public feedback and internal review. The report summarizes each of the 15 third-round candidate algorithms and identifies those selected for standardization, as well as those that will continue to be evaluated in a fourth round of analysis. The public-key encryption and key-establishment algorithm that will be standardized is CRYSTALS–KYBER. The digital signatures that will be standardized are CRYSTALS–Dilithium, FALCON, and SPHINCS+. While there are multiple signature algorithms selected, NIST recommends CRYSTALS–Dilithium as the primary algorithm to be implemented. In addition, four of the alternate key-establishment candidate algorithms will advance to a fourth round of evaluation: BIKE, Classic McEliece, HQC, and SIKE. These candidates are still being considered for future standardization. NIST will also issue a new Call for Proposals for public-key digital signature algorithms to augment and diversify its signature portfolio.
Cryptographic technologies are used throughout government and industry to authenticate the source and protect the confidentiality and integrity of information that we communicate and store. The paper describes the impact of quantum computing technology on classical cryptography, particularly on public-key cryptographic systems. This paper also introduces adoption challenges associated with post-quantum cryptography after the standardization process is completed. Planning requirements for migration to post-quantum cryptography are discussed. The paper concludes with NIST’s next steps for helping with the migration to post-quantum cryptography.
The National Institute of Standards and Technology is in the process of selecting one or more public-key cryptographic algorithms through a public, competition-like process. The new public-key cryptography standards will specify one or more additional digital signatures, public-key encryption, and key-establishment algorithms to augment Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), as well as NIST Special Publication (SP) 800-56A Revision 3, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography, and SP 800-56B Revision 2, Recommendation for Pair-Wise Key Establishment Using Integer Factorization Cryptography. It is intended that these algorithms will be capable of protecting sensitive information well into the foreseeable future, including after the advent of quantum computers. The NIST Post-Quantum Cryptography Standardization Process began in 2017 with 69 candidate algorithms that met both the minimum acceptance criteria and submission requirements. The first round lasted until January 2019, during which candidate algorithms were evaluated based on their security, performance, and other characteristics. NIST selected 26 algorithms to advance to the second round for more analysis. This report describes the evaluation and selection process, based on public feedback and internal review, of the second-round candidates. The report summarizes the 26 second-round candidate algorithms and identifies those selected to move forward to the third round of the competition. The third-round finalist public-key encryption and key-establishment algorithms are Classic McEliece, CRYSTALS-KYBER, NTRU, and SABER. The third-round finalists for digital signatures are CRYSTALS-DILITHIUM, FALCON, and Rainbow. These finalists will be considered for standardization at the end of the third round.
In addition, eight alternate candidate algorithms will also advance to the third round: BIKE, FrodoKEM, HQC, NTRU Prime, SIKE, GeMSS, Picnic, and SPHINCS+. These additional candidates are still being considered for standardization, although this is unlikely to occur at the end of the third round. NIST hopes that the announcement of these finalists and additional candidates will serve to focus the cryptographic community’s attention during the next round.
The National Institute of Standards and Technology is in the process of selecting one or more public-key cryptographic algorithms through a public competition-like process. The new public-key cryptography standards will specify one or more additional digital signature, public-key encryption, and key-establishment algorithms to augment FIPS 186-4, Digital Signature Standard (DSS), as well as special publications SP 800-56A Revision 2, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, and SP 800-56B, Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization. It is intended that these algorithms will be capable of protecting sensitive information well into the foreseeable future, including after the advent of quantum computers. In November 2017, 82 candidate algorithms were submitted to NIST for consideration. Among these, 69 met both the minimum acceptance criteria and our submission requirements, and were accepted as First-Round Candidates on Dec. 20, 2017, marking the beginning of the First Round of the NIST Post-Quantum Cryptography Standardization Process. This report describes the evaluation criteria and selection process, based on public feedback and internal review of the first-round candidates, and summarizes the 26 candidate algorithms announced on January 30, 2019 for moving forward to the second round of the competition. The 17 Second-Round Candidate public-key encryption and key-establishment algorithms are BIKE, Classic McEliece, CRYSTALS-KYBER, FrodoKEM, HQC, LAC, LEDAcrypt (merger of LEDAkem/LEDApkc), NewHope, NTRU (merger of NTRUEncrypt/NTRU-HRSS-KEM), NTRU Prime, NTS-KEM, ROLLO (merger of LAKE/LOCKER/Ouroboros-R), Round5 (merger of Hila5/Round2), RQC, SABER, SIKE, and Three Bears. The 9 Second-Round Candidates for digital signatures are CRYSTALS-DILITHIUM, FALCON, GeMSS, LUOV, MQDSS, Picnic, qTESLA, Rainbow, and SPHINCS+.
In recent years, there has been a substantial amount of research on quantum computers – machines that exploit quantum mechanical phenomena to solve mathematical problems that are difficult or intractable for conventional computers. If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere. The goal of post-quantum cryptography (also called quantum-resistant cryptography) is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks. This Internal Report shares the National Institute of Standards and Technology (NIST)’s current understanding about the status of quantum computing and post-quantum cryptography, and outlines NIST’s initial plan to move forward in this space. The report also recognizes the challenge of moving to new cryptographic infrastructures and therefore emphasizes the need for agencies to focus on crypto agility.