#NIST chose #HQC as their backup KEM and elected not to standardize #ClassicMcEliece for now, among other reasons pointing to the standardization with #ISO.

The argument to choose HQC over BIKE is a higher confidence in IND-CCA-security of HQC. I cannot comment on whether that is a reasonable assessment, though I have no reason to doubt it, but I can say that in terms of reasons to make a choice this is of course a pretty good one.

I’m not sure how I think about the decision regarding McEliece, but I can to an extent see where they are coming from.

This means there are now 9 post-quantum algorithms approved, standardized or chosen for standardization by generally respected organizations:

Key Encapsulation Mechanisms (“KEMs”):

* ML-KEM (“Kyber”), based on Lattices, standardized by NIST

* HQC, based on Codes, chosen for standardization by NIST

* Classic McEliece, based on codes, approved by BSI (de), ANSSI (fr), and NCSC (nl)

* Frodo, based on lattices, approved by BSI (de), ANSSI (fr), and NCSC (nl)

Signatures:

* ML-DSA (“Dilithium”), based on Lattices, standardized by NIST

* SLH-DSA (“SPHINCS+”), based on hashes, standardized by NIST

* FN-DSA (“Falcon”), based on lattices, chosen for standardization by NIST

Stateful Signatures:

* XMSS, based on hashes, standardized by IEEE

* LMS, based on hashes, standardized by IEEE

Overall, this looks like a decent portfolio. Future standardization might add schemes based on multivariate equations and isogenies, but for now this should do and give us a basis from which we can design more efficient schemes without being too concerned about the entire ground suddenly giving in because one random guy/gal finds a new attack-vector.

#postquantumcryptography #PQC #PQCrypto