| OP | ID | Validity | Proposal | Variant | Round | Owner | Type | Description | Assumption | Functionality | Public Key<br>(bytes) | Private Key<br>(bytes) | Data Size <br>(bytes) | Comments | Security Type | Challenge | Notes | Date | Cmt_link | Website |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| R1_01 | 1 | BIG QUAKE | 1 | R1_01 | code | QC Binary Goppa | QC-SDP | KEM | level 1: 25482,level 3: 84132,level 5: 149800 | level 1: 14772,level 3: 30860,level 5: 41804 | level 1: 201,level 3: 406,level 5: 492 | IND-CCA (HHK) Not detailed | ||||||||
| R1_02 | 1 | BIKE | 1 | R1_02 | code | QC-MDPC | Comment on parity of ciphertexts (not a security issue). | |||||||||||||
| R1_03 | 1 | CFPKM | 1 | R1_03 | multivariate | Noisy Polynomials | PoSSo with Noise | KEM | level 1: 696, level 2: 928 | level 1: 128, level 2: 182 | level 1: 81, level 2: 116 | IND-CPA | Attacked by Ron Steinfeld: link | |||||||
| R1_04 | 1 | Classic McEliece | 1 | R1_04 | code | Conservative Binary Goppa | SDP | KEM | level 5: 1047319,level 5: 1044992 | level 5: 13908,level 5: 13892 | level 5: 226,level 5: 240 | Comment on Classic vs NTS document. | IND-CCA (BP) | |||||||
| R1_05 | 1 | Compact LWE | 1 | R1_05 | lattice | LWE | Compact-LWE | PKE | level 3: 2064 | level 3: 232 | level 3: 2376 | Original proposal broken! | IND-CCA | |||||||
| R1_06 | 1 | CRYSTALS-DILITHIUM | 1 | R1_06 | lattice | LWE/SIS on Module Lattices | MLWE, MSIS | Signature | level 1: 1184,level 2: 1472,level 3: 1760 | level 1: 2800,level 2: 3504,level 3: 3856 | level 1: 2044,level 2: 2701,level 3: 3366 | SUF-CMA | ||||||||
| R1_07 | 1 | CRYSTALS-KYBER | 1 | R1_07 | lattice | LWE on Module Lattices | MLWE | KEM | level 1: 736,level 3: 1088,level 5: 1440 | level 1: 1632,level 3: 2400,level 5: 3168 | level 1: 800, level 3: 1152, level 5: 1504 | IND-CCA | ||||||||
| R1_08 | 1 | DAGS | 1 | R1_08 | code | QD Generalized Srivastava | QD-SDP | KEM | level 1: 8112,level 3: 11264,level 5: 19712 | level 1: 2496,level 3: 4864,level 5: 6400 | level 1: 656,level 3: 1248,level 5: 1632 | Attack from Barelli-Couvreur (fixed) | IND-CCA (HHK) | |||||||
| R1_09 | 1 | Ding Key Exchange | 1 | R1_09 | lattice | RLWE on DH | RLWE | KEM | level 1: 848,level 3: 1680,level 5: 1680 | - | level 1: 896,level 3: 1792,level 5: 1792 | Private key sizes not specified in original document. | ||||||||
| R1_10 | 1 | DME | 1 | R1_10 | multivariate | Double Exponentiation with Matrix Exponents | DME | KEM | level 5: 2304 | Level 5: 288 | Level 5: 36 | Attack from Ward Beullens (fixed). | IND-CCA2 | |||||||
| R1_11 | 1 | DRS | 1 | R1_11 | lattice | GGH | uSVP | Signature | level 1: 5081123, level 3: 8278638, level 5: 14288842 | level 1: 51274, level 3: 83769, level 5: 144527 | level 1: 8531, level 3: 10901, level 5: 14339 | Statistical attack! Increase parameters. | ||||||||
| R1_12 | 1 | DualModeMS | 1 | R1_12 | multivariate | SBP | HFEv- | Signature | level 1: 528, level 3: 1560, level 5: 2112 | level 1: 18038184, level 3: -, level 5: - | level 1: 32640, level 3: 79415, level 5: 149029 | EUF-CMA | ||||||||
| R1_13 | 1 | Edon-K | 1 | R1_13 | code | McEliece with Quasi-binary, Quasi-orthogonal Matrices | SDP | KEM | level 1: 2576,level 3: 2192 | level 1: 32,level 3: 32 | level 1: 2336,level 3: 2736 | Attack from Lequesne, Sendrier, Tillich (fatal). | IND-CCA (Ad Hoc) | Withdrawn. | ||||||
| R1_14 | 1 | EMBLEM and R.EMBLEM | 1 | R1_14 | lattice | LWE/RLWE | ||||||||||||||
| R1_15 | 1 | FALCON | 1 | R1_15 | lattice | NTRU | NTRU | Signature | level 1: 897,level 3: 1441,level 5: 1793 | level 1: -, level 3: -, level 5: - | level 1: 618,level 3: 994,level 5: 1234 | EUF-CMA | ||||||||
| R1_16 | 1 | FrodoKEM | 1 | R1_16 | lattice | LWE | LWE | KEM | level 1: 9616,level 3: 15632 | level 1: 19872,level 3: 31272 | level 1: 9736,level 3: 15768 | IND-CCA | ||||||||
| R1_17 | 1 | GeMSS | 1 | R1_17 | multivariate | Hidden Field Equations | HFEv- | Signature | level 1: 417408, level 3: 1304192 , level 5: 3603792 | level 1: 14208, level 3: 39440, level 5: 82056 | level 1: 48, level 3: 88, level 5: 104 | EUF-CMA | All sizes taken from reference implementation. | |||||||
| R1_18 | 1 | Giophantus | 1 | R1_18 | multivariate | ASC | Solving Indeterminate Equations | PKE | level 1: 14412,level 3: 20796,level 5: 27204 | level 1: 601,level 3: 867,level 5: 1134 | level 1: 28824,level 3: 41592,level 5: 54408 | Attack on IND-CPA. | IND-CPA | |||||||
| R1_19 | 1 | Gravity-SPHINCS | 1 | R1_19 | hash | SPHINCS | PRF | Signature | level 2: 32768, level 2: 1048576, level 2: 524288 | level 2: 65536 ,level 2: 2097152 ,level 2: 1048576 | level 2: 12640 ,level 2: 28929 ,level 2: 35168 | Fault injection attack. | Parameter sets Small, Medium and Large (signature size). | |||||||
| R1_20 | 1 | Guess Again | 1 | R1_20 | other | Simple symmetric random walks | Asymptotic conditional probability assumptions. | PKE | level 1: 2250 | level 1: 2000 | level 1: 2250 | Official comment by Lorenz Panny (no response by the designers): a python script is provided claiming a ciphertext-only attack. | Unconditional security | The probabilities are computed as a function of the system parameters and variables. For more details in the assumptions, see Sections 9.1 and 9.2 in the “guess again.pdf†in the supporitng documents folder of the submission. For single bit encryption with decryption failure of (1-0.999996) | ||||||
| R1_21 | 1 | Gui | 1 | R1_21 | multivariate | Hidden Field Equations | HFEv | Signature | level 1: 416300,level 3: 1955100,level 5: 5789200 | level 1: 19100,level 3: 59300,level 5: 155900 | level 1: 45,level 3: 63,level 5: 83 | Comment by Ward Beullens, (confirmed by the designers): for the level 1 security, k should be changed from 2 to 3, resulting an increase in the signature size from 360 to 392 bits (45 to 49 bytes). It is reported that PK/SK sizes do not change. | EUF-CMA | Level 1 signature size should change from 45 to 49 after revising k from 2 to 3. | ||||||
| R1_22 | 1 | HILA5 | 1 | R1_22 | lattice | RLWE | RLWE | PKE/KEM | level 5: 1824 | level 5: 1792 | level 5: 2012 | Attack from Bernstein, Groot Bruinderink, Lange and Panny on incorrect IND-CCA claim. | IND-CPA | |||||||
| R1_23 | 1 | HiMQ-3 | 1 | R1_23 | multivariate | High-Speed MQ | MQ | Signature | level 1 : 128744,level 1 : 100878 | level 1 : 12074,level 1 : 14878 | level 1 : 75,level 1 : 67 | Originally submitted parameters at the 128-bit security level have been revised by the designers after an improved key recovery attack discussed in the comments by Ward Beullens and the designers: (GF(256), 31,15,15,14) → (GF(256), 36,15,15,15) and (GF(256),24,11,17,15) → (GF(256),36,13,17,15) for HiMQ-3 and HiMQ-3F, respectively. | EUF-CMA | The submission does not seem to be revised to reflect how the recommended changes in the parameter choices will affect the protocol size. (Signature sizes should probably change from 75 and 67 to 81). Signature sizes of 131 and 182 are just a guess. Protocol size for level 3 and 5 do not seem to be explicitly reported on the proposal. Note 4: There seems to be some conflict between the protocol size numbers in “Limitations†paragraph and the tables. | ||||||
| R1_24 | 1 | HK17 | 1 | R1_24 | other | Octonions on DH | GSDP/DP | PKE/KEM | - | - | - | Several attacks have been discussed in the comments, attacks have been confirmed by the designers. | IND-CCA | Withdrawn. Parameters and sizes not specified. | ||||||
| R1_25 | 1 | HQC | 1 | R1_25 | code | QC Random Codes - No Decoding | Decision QC-SDP | KEM | level 1: 2819,level 3: 5115,level 5: 7417 | level 1: 40,level 3: 40,level 5: 40 | level 1: 5622,level 3: 10214,level 5: 14818 | Comment on parity of ciphertexts (not a security issue) | IND-CCA (HHK) | Many parameters: we have chosen the best of each set, calculating only the ones using seed expander (most efficient). | ||||||
| R1_26 | 1 | KCL (pka OKCN/AKCN/CNKE) | 1 | R1_26 | lattice | LWE and Variants | ||||||||||||||
| R1_27 | 1 | KINDI | 1 | R1_27 | lattice | LWE | ||||||||||||||
| R1_28 | 1 | LAC | 1 | R1_28 | lattice | poly-LWE | poly-LWE | KEM | level 1:544,level 3:1056,level 5:1056 | level 1:1056,level 3:2080,level 5:2080 | level 1:1024,level 3:1536,level 5:2048 | IND-CCA | ||||||||
| R1_29 | 1 | LAKE | 1 | R1_29 | code | Ideal LRPC Codes | Ideal Rank-SDP | KEM | level 1: 394,level 3: 590,level 5: 790 | level 1: 788,level 3: 1180,level 5: 1580 | level 1: 394,level 3: 590,level 5: 790 | IND-CPA | The private key and ciphertext sizes are not provided in the original document and had to be calculated. | |||||||
| R1_30 | 1 | LEDAkem | 1 | R1_30 | code | QC-LDPC | QC-SDP | KEM | level 1: 6408,level 3: 13152,level 5: 22704 | level 1: 24,level 3: 32,level 5: 40 | level 1: 2136,level 3: 4384,level 5: 7568 | IND-CPA | Many parameter sets. We reported only those corresponding to n_0=2. | |||||||
| R1_31 | 1 | LEDApkc | 1 | R1_31 | code | QC-LDPC | QC-SDP | PKE | level 1: 6408,level 3: 13152,level 5: 22704 | level 1: 24,level 3: 32,level 5: 40 | level 1: 8544,level 3: 17536,level 5: 30272 | OW-CPA | Many parameter sets. We reported only those corresponding to n_0=2. | |||||||
| R1_32 | 1 | Lepton | 1 | R1_32 | code | LPN-based | Ring-CLPN | KEM | level 1: 1045,level 3: 2052,level 5: 4128 | level 1: 1085,level 3: 2108,level 5: 4198 | level 1: 1998,level 3: 3005,level 5: 5335 | Comment on security and citation (Gaborit) Official comment by authors: parameters outdated (and not replaced until Round 2?) | IND-CCA (HHK) | |||||||
| R1_33 | 1 | LIMA | 1 | R1_33 | lattice | RLWE | ||||||||||||||
| R1_34 | 1 | Lizard | 1 | R1_34 | lattice | RLWE/RLWR | RLWE, RLWR | PKE/KEM | level 1: 4096,level 3: 4096,level 3: 8192,level 5: 8192 | level 1: 385,level 3 : 641,level 3 : 625,level 5: 769 | level 1: 2080,level 3 : 4144,level 3 : 8240,level 5: 8256 | IND-CCA | ||||||||
| R1_35 | 1 | LOCKER | 1 | R1_35 | code | Ideal LRPC Codes | Ideal Rank-SDP | PKE | level 1: 1546,level 3: 1882,level 5: 2140 | level 1: 3092,level 3: 3764,level 5: 4280 | level 1: 1610,level 3: 1946,level 5: 2204 | IND-CCA (HHK) | The private key and ciphertext sizes are not provided in the original document and had to be calculated. | |||||||
| R1_36 | 1 | LOTUS | 1 | R1_36 | lattice | LWE | ||||||||||||||
| R1_37 | 1 | LUOV | 1 | R1_37 | multivariate | UOV | ||||||||||||||
| R1_38 | 1 | McNie | 1 | R1_38 | code | Rank Metric | Rank-SDP | PKE | level 1: 795,level 3: 1156,level 5: 1384 | level 1: 330,level 3: 463,level 5: 547 | level 1: 1060,level 3: 1541,level 5: 1846 | Attack by Gaborit (security reduced by number of bits). | IND-CCA | IND-CCA with decoding failures? The private key and ciphertext sizes are not provided in the original document and had to be calculated. | ||||||
| R1_39 | 1 | Mersenne-756839 | 1 | R1_39 | other | Number Theory | Mersenne Low Hamming Weight Combination | KEM | level 5: 189210 | level 5: 32 | level 5:160141 | IND-CCA | Protocol size is not explicitly stated in the submission and we used the following formula based on the protocol description: PK size = (2*756839) bits = 189210 bytes. SK size = 256 bits = 32 bytes. Cipher size = (756839 + 2048*256) = (756839+524288) bits = 160141 bytes | |||||||
| R1_40 | 1 | MQDSS | 1 | R1_40 | multivariate | MQ Fiat-Shamir | MQ | Signature | level 1-2: 46, level 3-4: 64 | level 1-2: 16, level 3-4: 24 | level 1-2: 16534, level 3-4: 34032 | EUF-CMA | ||||||||
| R1_41 | 1 | NewHope | 1 | R1_41 | lattice | RLWE | RLWE | KEM | level 1: 928,level 5: 1824 | level 1: 1888,level 5: 3680 | level 1: 1120,level 5: 2208 | IND-CCA | ||||||||
| R1_42 | 1 | NTRUEncrypt | 1 | R1_42 | lattice | NTRU | NTRU | KEM | level 1: 611,level 4: 1023,level 5: 4097 | level 1: 701,level 4: 1173,level 5: 8194 | level 1: 611,level 4: 1023,level 5: 4097 | IND-CCA | ||||||||
| R1_43 | 1 | PqNTRUSign | 1 | R1_43 | lattice | NTRU Signatures | NTRU | Signature | level 5: 2604 | level 5: 2065 | level 5: 2065 | CMA attack and then a fix. | EUF-CMA | |||||||
| R1_44 | 1 | NTRU-HRSS-KEM | 1 | R1_44 | lattice | NTRU | NTRU | KEM | level 1: 1138 | level 1: 1418 | level 1: 1278 | IND-CCA | ||||||||
| R1_45 | 1 | NTRU Prime | 1 | R1_45 | lattice | NTRU prime | NTRU prime | KEM | level 5: 1218,level 5: 1047 | level 5: 1600,level 5: 1238 | level 5: 1047,level 5: 1175 | IND-CCA (Dent) | NTRU over prime-degree number field with a large Galois group and with inert modulus. | |||||||
| R1_46 | 1 | NTS-KEM | 1 | R1_46 | code | Conservative Binary Goppa | SDP | KEM | level 1: 319488,level 3: 929760,level 5: 1419704 | level 1: 9216,level 3: 17524,level 5: 19890 | level 1: 1024,level 3: 1296,level 5: 2024 | Comment replying to Classic vs NTS document. | IND-CCA (Ad Hoc) | |||||||
| R1_47 | 1 | Odd Manhattan | 1 | R1_47 | lattice | SVP | SVP, BDD | KEM | level 1: 1626240,level 3: 1627648,level 5: 180224 | level 1: 2563260,level 3: 2565055,level 5: 344640 | level 1: 4454241,level 3: 4456650,level 5: 616704 | It is shown that Odd Manhattan fails to achieve CCA security. The claim is confirmed by the designers and the proposal is revised. It is claimed by the designers that previously proposed attack does not apply anymore. | IND-CCA | |||||||
| R1_48 | 1 | Ouroboros-R | 1 | R1_48 | code | QC Random Codes - No Decoding | QC Rank-SDP | KEM | level 1: 676,level 3: 807,level 5: 1112 | level 1: 40,level 3: 40,level 5: 40 | level 1: 1272,level 3: 1534,level 5: 2144 | IND-CPA | The private key and ciphertext sizes are not provided in the original document and had to be calculated. | |||||||
| R1_49 | 1 | Picnic | 1 | R1_49 | hash | Non-interactive Proof of Knowledge | ||||||||||||||
| R1_50 | 1 | Post-quantum RSA-Encryption | 1 | R1_50 | other | RSA | Factoring | PKE/KEM | level 2: 1073741824 | level 2: 1073741824 | level 2: 1073741824 | IND-CCA | ||||||||
| R1_51 | 1 | Post-quantum RSA-Signature | 1 | R1_51 | other | RSA | Factoring | Signature | level 2: 1073741824 | level 2: 1073741824 | level 2: 32 | EUF-CMA | ||||||||
| R1_52 | 1 | PqsigRM | 1 | R1_52 | code | Hash-and-Sign with Reed-Muller Codes | SDP | Signature | level 1: 262144,level 3: 1285120,level 5: 4194304 | level 1: 137732,level 3: 328518,level 5: 2123972 | level 1: 256,level 3: 512,level 5: 1024 | Comment on wrong number of cycles. Attack by Perlner and Alperin-Sheriff (many iterations). Scheme broken? | EUF-CMA | Signature size not given in spec (and therefore calculated as length of error vector e). | ||||||
| R1_53 | 1 | QC-MDPC KEM | 1 | R1_53 | code | QC-MDPC | QC-SDP | KEM | level 1: 4097 | level 1: 548 | level 1: 8226 | IND-CPA | Submission erroneously claimed category 3 security. | |||||||
| R1_54 | 1 | qTESLA | 1 | R1_54 | lattice | RLWE | RLWE | Signature | level 1: 2976,level 3: 6176,level 5: 6432 | level 1: 1856,level 3: 4160,level 5: 4128 | level 1: 2720,level 3: 5664,level 5: 5920 | EUF-CMA | ||||||||
| R1_55 | 1 | RaCoSS | 1 | R1_55 | code | Fiat-Shamir with Hamming metric | SDP | Signature | level 1: 99600 | level 1: 703000 | level 1: 586 | Comment on insecure hash function, attack from Huelsing et al. | SUF-CMA | Broken beyond repair? | ||||||
| R1_56 | 1 | Rainbow | 1 | R1_56 | multivariate | UOV | MQ | Signature | level 1: 148500, level 3: 512100, level 4: 552200, level 5: 1319700 | level 1: 97900, level 3: 371400, level 4: 367300, level 5: 871200 | level 1: 64, level 3: 112, level 4: 92, level 5: 118 | EUF-CMA | ||||||||
| R1_57 | 1 | Ramstake | 1 | R1_57 | code | Mersenne Primes and GRS Codes | LHDHS | KEM | level 1: 27044,level 5: 94637 | level 1: 54056,level 5: 189242 | level 1: 28064,level 5: 96111 | Comment on implementation. | IND-CCA (Ad Hoc) | |||||||
| R1_58 | 1 | RankSign | 1 | R1_58 | code | Rank Metric | Rank-SDP | Signature | level 1: 10080,level 3: 19440,level 5: 28560 | - | level 1: 1376,level 3: 2160,level 5: 2928 | Attack by Debris-Alazard and Tillich (fatal). | EUF-CMA | Withdrawn. Private key size was not specified. | ||||||
| R1_59 | 1 | RLCE-KEM | 1 | R1_59 | code | GRS Codes | SDP | KEM | level 1: 188001,level 3: 450761,level 5: 1232001 | level 1: 310116,level 3: 747393,level 5: 1773271 | level 1: 988,level 3: 1545,level 5: 2640 | Comment on improper connection to NP-Hardness,Attack by Couvreur, Lequesne, Tillich breaking IND-CCA (OAEP) | ||||||||
| R1_60 | 1 | Round2 | 1 | R1_60 | lattice | LWR | GLWR | PKE/KEM | - | - | - | Doubts about IND-CPA and IND-CCA security. | IND-CCA | Over 30 different parameter sets proposed, none are reported here. | ||||||
| R1_61 | 1 | RQC | 1 | R1_61 | code | Rank Metric | Rank-SDP | KEM | level 1: 786,level 3: 1411,level 5: 1795 | level 1: 40,level 3: 40,level 5: 40 | level 1: 1555,level 3: 2805,level 5: 3574 | IND-CCA (HHK) | ||||||||
| R1_62 | 1 | RVB | 1 | R1_62 | other | Chebyshev Polynomials | Chebyshev Polynomials | KEM | - | - | - | Attack by Lorenz Panny (fatal). | Withdrawn. Parameters were not clearly specified. | |||||||
| R1_63 | 1 | SABER | 1 | R1_63 | lattice | LWR | MLWR | KEM | level 1: 672,level 3: 992,level 5: 1312 | level 1: 992,level 3: 1344,level 5: 1760 | level 1: 736,level 3: 1088,level 5: 1472 | IND-CCA | ||||||||
| R1_64 | 1 | SIKE | 1 | R1_64 | other | Isogenies | SIDH | KEM | level 1: 378,level 3: 564 434,level 5: 726 | level 1: 434,level 3: 644,level 5: 826 | level 1: 402,level 3: 596,level 5: 766 | IND-CCA (HHK) | ||||||||
| R1_65 | 1 | SPHINCS+ | 1 | R1_65 | hash | Stateless XMSS | ||||||||||||||
| R1_66 | 1 | SRTPI | 1 | R1_66 | multivariate | UOV | MQ | PKE/Signature | - | - | - | Attack by Bo-Yin Yang (fatal). | IND-CCA/EUF-CMA | Withdrawn. Parameters were not clearly specified. | ||||||
| R1_67 | 1 | Three Bears | 1 | R1_67 | lattice | IMLWE | IMLWE | KEM | level 2: 804, level 4: 1194, level 5: 1584 | level 2: 40, level 4: 40, level 5: 40 | level 2: 917, level 4: 1307, level 5: 1697 | IND-CCA (Ad Hoc) | ||||||||
| R1_68 | 1 | Titanium | 1 | R1_68 | lattice | LWE | MP-LWE | PKE/KEM | level 1: 16352,level 3: 20512,level 5: 26912 | level 1: 32,level 3: 32,level 5: 32 | level 1: 3552,level 3: 6048,level 5: 8352 | IND-CCA | We have reported only IND-CCA parameters due to the minimal overhead with IND-CPA parameters. | |||||||
| R1_69 | 1 | WalnutDSA | 1 | R1_69 | other | Braid Groups | Braid Groups | Signature | level 1: 83, level 5: 128 | level 1: 132, level 5: 287 | level 1: 647, level 5: 1248 | Various attacks by several authors. | EUF-CMA | For signature size we have reported the average value indicated in specification document. | ||||||
| R1_70 | 0 | BIKE 1 | 1 | R1_02 | code | QC-CF, QC-SDP | KEM | level 1: 2541,level 3: 4974,level 5: 8188 | level 1: 267,level 3: 387,level 5: 548 | level 1: 2541,level 3: 4974,level 5: 8188 | IND-CPA | |||||||||
| R1_71 | 0 | BIKE 2 | 1 | R1_02 | code | QC-CF, QC-SDP | KEM | level 1: 1271,level 3: 2482,level 5: 4094 | level 1: 267,level 3: 387,level 5: 548 | level 1: 1271,level 3: 2482,level 5: 4094 | IND-CPA | |||||||||
| R1_72 | 0 | BIKE 3 | 1 | R1_02 | code | QC-SDP | KEM | level 1: 2757,level 3: 5421,level 5: 9033 | level 1: 252,level 3: 372,level 5: 532 | level 1: 2757,level 3: 5421,level 5: 9033 | IND-CPA | |||||||||
| R1_73 | 0 | Picnic-FS | 1 | R1_49 | other | ZKB++ | Signature | level 1: 32,level 3: 16,level 5: 34000 | level 1: 48,level 3: 24,level 5: 76740 | level 1: 64,level 3: 32,level 5: 132824 | SUF-CMA | |||||||||
| R1_74 | 0 | Picnic-UR | 1 | R1_49 | other | ZKB++ | Signature | level 1: 32,level 3: 16,level 5: 34000 | level 1: 48,level 3: 24,level 5: 76740 | level 1: 53929,level 3: 121813,level 5: 209474 | SUF-CMA | |||||||||
| R1_75 | 0 | KINDI Kem | 1 | R1_27 | lattice | MLWE | KEM | level 2 : 1184,level 4 : 1456,level 4 : 1728,level 5 : 1984,level 5: 2368 | level 2: 1472,level 4 : 1712,level 4 : 2112,level 5 : 2304,level 5 : 2752 | level 2 : 1792,level 4 : 2496,level 4 : 2688,level 5 : 2688,level 5 : 3328 | IND-CPA | |||||||||
| R1_76 | 0 | KINDI-Encryption | 1 | R1_27 | lattice | MLWE | PKE | level 2 : 1184,level 4 : 1456,level 4 : 1728,level 5 : 1984,level 5: 2368 | level 2: 1472,level 4 : 1712,level 4 : 2112,level 5 : 2304,level 5 : 2752 | level 2 : 1792,level 4 : 2496,level 4 : 2688,level 5 : 2688,level 5 : 3328 | IND-CPA | |||||||||
| R1_77 | 0 | LOTUS-KEM | 1 | R1_36 | lattice | LWE | KEM | level 1: 658950,level 3: 1025000,level 5: 1471000 | level 1: 700420,level 3: 1101000,level 5: 1590800 | level 1: 1144,level 3: 1456,level 5: 1768 | It is shown that KEM LOTUS 128 fails to achieve CCA security. The claim is confirmed by the designers and the proposal is revised. It is claimed by the designers that previously proposed attack does not apply anymore. | IND-CCA | ||||||||
| R1_78 | 0 | LOTUS-PKE | 1 | R1_36 | lattice | LWE | PKE | level 1: 658950,level 3: 1025000,level 5: 1471000 | level 1: 700420,level 3: 1101000,level 5: 1590800 | level 1: 1144,level 3: 1456,level 5: 1768 | IND-CCA | |||||||||
| R1_79 | 0 | LUOV (small signatures) | 1 | R1_37 | multivariate | MQ | Signature | level 2: 15500, level 4: 45000, level 5: 98600 | level 2: 32, level 4: 32, level 5: 32 | level 2: 319, level 4: 441, level 5: 521 | EUF-CMA | |||||||||
| R1_80 | 0 | LUOV (small public keys) | 1 | R1_37 | multivariate | MQ | Signature | level 2: 7300, level 4: 19500, level 5: 39300 | level 2: 32, level 4: 32, level 5: 32 | level 2: 1700, level 4: 3100, level 5: 4700 | EUF-CMA | |||||||||
| R1_81 | 0 | EMBLEM | 1 | R1_14 | lattice | LWE | Binary LWE | KEM | level 1: 3041, level 1: 2528, level 1: 96320, level 1: 79904 | level 1: 32, level 1: 32, level 1: 32, level 1: 32 | level 1: 74048, level 1: 58784, level 1: 2438, level 1: 1961 | IND-CPA | Several parameter sets offer tradeoff. We reported only maximised choices (sets I.A, II.A, I.F and II.F). | |||||||
| R1_82 | 0 | R.EMBLEM | 1 | R1_14 | lattice | RLWE | Binary RLWE | KEM | level 1: 958, level 1: 672, level 1: 914, level 1: 797 | level 1: 32, level 1: 32, level 1: 32, level 1: 32 | level 1: 1470, level 1: 1184, level 1: 1362, level 1: 1245 | IND-CPA | ||||||||
| R1_83 | 0 | [KCL] AKCN-SEC | 1 | R1_26 | lattice | RLWE | KEM | - | - | - | IND-CPA | Parameters not specified clearly in document. | ||||||||
| R1_84 | 0 | [KCL] OKCN-SEC | 1 | R1_26 | lattice | RLWE | KEM | - | - | - | IND-CPA | Parameters not specified clearly in document. | ||||||||
| R1_85 | 0 | [KCL] OKCN-MLWE | 1 | R1_26 | lattice | MLWE | KEM | level 4: 992 | level 4: 288 | level 4: 1120 | IND-CPA | |||||||||
| R1_86 | 0 | [KCL] AKCN-MLWE | 1 | R1_26 | lattice | MLWE | KEM | level 4: 991 | level 4: 288 | level 4: 1120 | IND-CPA | |||||||||
| R1_87 | 0 | [KCL] AKCN-MLWE-CCA | 1 | R1_26 | lattice | MLWE | PKE | level 4: 992 | level 4: 1312 | level 4: 1168 | IND-CCA | |||||||||
| R1_88 | 0 | LIMA–2p | 1 | R1_33 | lattice | RLWE | PKE/KEM | level 1: 1792, level 4: 3840 | level 1: 2688, level 4: 5760 | level 1: 1539, level 4: 2563 | IND-CCA | For short, we reported only parameters for KEM, at IND-CCA security level (compressed). | ||||||||
| R1_89 | 0 | LIMA-sp | 1 | R1_33 | lattice | RLWE | PKE/KEM | level 1: 6108, level 2: 8489, level 3: 11843 | level 1: 9162, level 2: 12734, level 3: 17765 | level 1: 3825, level 2: 6251, level 3: 8315 | IND-CCA | For short, we reported only parameters for KEM, at IND-CCA security level (compressed). | ||||||||
| R1_90 | 0 | SPHINCS+ Small | 1 | R1_65 | hash | Stateless XMSS | PRF | Signature | level 1: 32, level 3: 48, level 5: 64 | level 1: 64, level 3: 96, level 5: 128 | level 1: 8080, level 3: 17064, level 5: 29792 | EUF-CMA | ||||||||
| R1_91 | 0 | SPHINCS+ Fast | 1 | R1_65 | hash | Stateless XMSS | PRF | Signature | level 1: 32, level 3: 48, level 5: 64 | level 1: 64, level 3: 96, level 5: 128 | level 1: 16976, level 3: 35664, level 5: 49216 | EUF-CMA |
| OP | ID | Validity | Proposal | Variant | Round | Owner | Type | Description | Assumption | Functionality | Public Key<br>(bytes) | Private Key<br>(bytes) | Data Size <br>(bytes) | Comments | Security Type | Challenge | Notes | Date | Cmt_link | Website |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| R2_01 | 1 | BIKE | 2 | R2_01 | code | QC-MDPC | Comment on parity of ciphertexts (not a security issue). | Code-based challenges | ||||||||||||
| R2_02 | 1 | Classic McEliece | 2 | R2_02 | code | Conservative Binary Goppa | SDP | KEM | level 1: 261120, level 3: 524160, level 5: 1044992,level 5: 1047319, level 5: 1357824 | level 1: 6452, level 3: 13568, level 5: 13892, level 5: 13908, level 5: 14080 | level 1: 128, level 3: 188, level 5: 240, level 5: 226, level 5: 240 | IND-CCA (BP) | Goppa-McEliece Challenge | |||||||
| R2_03 | 1 | CRYSTALS-DILITHIUM | 2 | R2_03 | lattice | LWE on Module Lattices | MLWE, MSIS | Signature | level 1: 1184, level 2: 1472, level 3: 1760 | level 1: 2800, level 2: 3504, level 3: 3856 | level 1: 2044, level 2: 2701, level 3: 3366 | SUF-CMA | ||||||||
| R2_04 | 1 | CRYSTALS-KYBER | 2 | R2_04 | lattice | LWE on Module Lattices | MLWE | KEM | level 1: 800, level 3: 1184, level 5: 1568 | level 1: 1632, level 3: 2400, level 5: 3168 | level 1: 736, level 3: 1088, level 5: 1568 | IND-CCA 2 | ||||||||
| R2_05 | 1 | FALCON | 2 | R2_05 | lattice | NTRU | NTRU | Signature | level 1: 897, level 3: 1441, level 5: 1793 | level 1: -, level 3: -, level 5: - | level 1: 618, level 3: 994, level 5: 1234 | EUF-CMA | ||||||||
| R2_06 | 1 | FrodoKEM | 2 | R2_06 | lattice | LWE | LWE | KEM | level 1: 9616, level 3: 15632, level 5: 21520 | level 1: 19888, level 3: 31296, level 5: 43088 | level 1: 9720, level 3: 15744, level 5: 21632 | IND-CCA | ||||||||
| R2_07 | 1 | GeMSS | 2 | R2_07 | multivariate | Hidden Field Equations | HFEv- | Signature | level 1: 417408, level 3: 1304192, level 5: 3046848 | level 1: 14520, level 3: 40280, level 5: 83688 | level 1: 33, level 3: 52, level 5: 72 | EUF-CMA | All sizes taken from reference implementation. | |||||||
| R2_08 | 1 | HQC | 2 | R2_08 | code | QC random codes - no decoding | Decision QC-SDP | KEM | level 1: 6170, level 3: 10918, level 5: 15898 | level 1: 252, level 3: 404, level 5: 532 | level 1: 6234, level 3: 10981, level 5: 15960 | Comment on parity of ciphertexts (not a security issue). | IND-CCA (HHK) | |||||||
| R2_09 | 1 | LAC | 2 | R2_09 | lattice | poly-LWE | poly-LWE | KEM | level 1: 544, level 3: 1056, level 5: 1056 | level 1: 512, level 3: 1024, level 5: 1024 | level 1: 712, level 3: 1188, level 5: 1424 | IND-CCA | ||||||||
| R2_10 | 1 | LEDAcrypt | 2 | R2_10 | code | QC-LDPC | ,, | ,, | Merger of LEDAkem and LEDApkc. | Code-based challenges | ||||||||||
| R2_11 | 1 | LUOV | 2 | R2_11 | multivariate | UOV | ,, | ,, | ||||||||||||
| R2_13 | 1 | NewHope | 2 | R2_13 | lattice | RLWE | ||||||||||||||
| R2_14 | 1 | NTRU | 2 | R2_14 | lattice | NTRU | ,, | Merger of NTRUEncrypt and NTRU-HRSS-KEM. | ||||||||||||
| R2_15 | 1 | NTRU Prime | 2 | R2_15 | lattice | NTRU Prime | ||||||||||||||
| R2_16 | 1 | NTS-KEM | 2 | R2_16 | code | Conservative Binary Goppa | SDP | KEM | level 1: 319488, level 3: 92976, level 5: 1419704 | level 1: 9248, level 3: 17556, level 5: 19922 | level 1: 1024, level 3: 1296, level 5: 2024 | Comment replying to Classic vs NTS document. | IND-CCA (HHK) | Goppa-McEliece Challenge | ||||||
| R2_17 | 1 | Picnic | 2 | R2_17 | hash | Non-interactive Proof of Knowledge | ||||||||||||||
| R2_18 | 1 | qTESLA | 2 | R2_18 | lattice | RLWE | EUF-CMA | |||||||||||||
| R2_19 | 1 | Rainbow | 2 | R2_19 | multivariate | UOV | ||||||||||||||
| R2_20 | 1 | ROLLO | 2 | R2_20 | code | Rank Metric | ,, | ,, | ,, | Merger of LAKE, LOCKER and Ouroboros-R. | ||||||||||
| R2_21 | 1 | Round5 | 2 | R2_21 | lattice | LWR | Merger of HILA5 and Round2. | A Note on Parameter Choices of Round5 | ||||||||||||
| R2_22 | 1 | RQC | 2 | R2_22 | code | Rank QC random codes - no decoding | Decisional Ideal RSD | KEM | level 1: 853, level 3: 1391, level 5: 2284 | level 1: 40, level 3: 40, level 5: 40 | level 1: 1690, level 3: 2766, level 5: 4552 | IND-CCA (HHK) | ||||||||
| R2_23 | 1 | SABER | 2 | R2_23 | lattice | LWR | MLWR | KEM | level 1: 672, level 3: 992, level 5: 1312 | level 1: 832, level 3: 1248, level 5: 1664 | level 1: 736, level 3: 1088, level 5: 1472 | IND-CCA | ||||||||
| R2_24 | 1 | SIKE | 2 | R2_24 | other | Isogenies | ,, | ,, | ,, | |||||||||||
| R2_25 | 1 | SPHINCS+ | 2 | R2_25 | hash | Stateless XMSS | ,, | ,, | ,, | |||||||||||
| R2_26 | 1 | Three Bears | 2 | R2_26 | lattice | IMLWE | IMLWE | KEM | level 2: 804, level 4: 1194, level 5: 1584 | level 2: 40, level 4: 40, level 5: 40 | level 2: 917, level 4: 1307, level 5: 1697 | IND-CCA (Ad Hoc) | Mike challenges | |||||||
| R2_27 | 0 | BIKE-1 | 2 | R2_01 | code | QC-CF, QC-SDP | KEM | level 1: 2541, level 3: 4963, level 5: 8187 | level 1: 249, level 3: 386, level 5: 513 | level 1: 2541, level 3: 4963, level 5: 8187 | IND-CPA | |||||||||
| R2_28 | 0 | BIKE-2 | 2 | R2_01 | code | QC-CF, QC-SDP | KEM | level 1: 1270, level 3: 2482, level 5: 4094 | level 1: 249, level 3: 386, level 5: 513 | level 1: 1270, level 3: 2482, level 5: 4094 | IND-CPA | |||||||||
| R2_29 | 0 | BIKE-3 | 2 | R2_01 | code | QC-SDP | KEM | level 1: 2757, level 3: 5421, level 5: 9033 | level 1: 234, level 3: 371, level 5: 532 | level 1: 2757, level 3: 5421, level 5: 9033 | IND-CPA | |||||||||
| R2_30 | 0 | BIKE-1-CCA | 2 | R2_01 | code | QC-CF, QC-SDP | KEM | level 1: 2945, level 3: 6206, level 5: 10150 | level 1: 3194, level 3: 6592, level 5: 10698 | level 1: 2945, level 3: 6206, level 5: 10150 | IND-CCA (HHK) | |||||||||
| R2_31 | 0 | BIKE-2-CCA | 2 | R2_01 | code | QC-CF, QC-SDP | KEM | level 1: 1473, level 3: 3103, level 5: 5075 | level 1: 3194, level 3: 6592, level 5: 10698 | level 1: 1505, level 3: 3135, level 5: 5107 | IND-CCA (HHK) | |||||||||
| R2_32 | 0 | BIKE-3-CCA | 2 | R2_01 | code | QC-SDP | KEM | level 1: 3068, level 3: 6761, level 5: 11217 | level 1: 3302, level 3: 7132, level 5: 11749 | level 1: 3100, level 3: 6793, level 5: 11249 | IND-CCA (HHK) | |||||||||
| R2_33 | 0 | LEDAcrypt KEM | 2 | R2_10 | code | QC-SDP | KEM | level 1: 1872, level 3: 3216, level 5: 4616 | level 1: 24, level 3: 32, level 5: 40 | level 1: 1872, level 3: 3216, level 5: 4616 | IND-CPA | |||||||||
| R2_34 | 0 | LEDAcrypt KEM-LT | 2 | R2_10 | code | QC-SDP | KEM | level 1: 6520, level 3: 12032, level 5: 19040 | level 1: 25, level 3: 33, level 5: 41 | level 1: 6520, level 3: 12032, level 5: 19040 | IND-CCA (HHK) | |||||||||
| R2_35 | 0 | LEDAcrypt PKC | 2 | R2_10 | code | QC-SDP | PKE | level 1: 6520, level 3: 12032, level 5: 19040 | level 1: 25, level 3: 33, level 5:41 | level 1: 6554, level 3: 12077, level 5: 19095 | IND-CCA (Kobara-Imai) | |||||||||
| R2_36 | 0 | LUOV (small signatures) | 2 | R2_11 | multivariate | MQ | Signature | level 2: 12100, level 4: 34100, level 5: 75500 | level 2: 32, level 4: 32, level 5: 32 | level 2: 311, level 4: 421, level 5: 494 | EUF-CMA | |||||||||
| R2_37 | 0 | LUOV (small public keys) | 2 | R2_11 | multivariate | MQ | Signature | level 2: 5000, level 4: 14100, level 5: 27100 | level 2: 32, level 4: 32, level 5: 32 | level 2: 1606, level 4: 2904, level 5: 4390 | EUF-CMA | |||||||||
| R2_38 | 0 | NewHope-CPA-KEM | 2 | R2_13 | lattice | RLWE | KEM | level 1: 928, level 5: 1824 | level 1: 869, level 5: 1792 | level 1: 1088, level 5: 2176 | IND-CPA | |||||||||
| R2_39 | 0 | NewHope-CCA-KEM | 2 | R2_13 | lattice | RLWE | KEM | level 1: 928, level 5: 1824 | level 1: 1888, level 5: 3680 | level 1: 1120, level 5: 2208 | IND-CCA | |||||||||
| R2_40 | 0 | NTRU-HPS | 2 | R2_14 | lattice | NTRU | KEM | level 1: 699, level 3: 931, level 5: 1230 | level 1: 935, level 3: 1235, level 5: 1592 | level 1: 699, level 3: 931, level 5: 1230 | IND-CCA (SXY) | |||||||||
| R2_41 | 0 | NTRU-HRSS | 2 | R2_14 | lattice | NTRU | KEM | level 3: 1138 | level 3: 1452 | level 3: 1138 | IND-CCA (SXY) | |||||||||
| R2_42 | 0 | Streamlined NTRUPrime | 2 | R2_15 | lattice | NTRU Prime | KEM | level 2: 994, level 3: 1158, level 4: 1322 | level 2: 1518, level 3: 1763, level 4: 1999 | level 2: 897, level 3: 1039, level 4: 1184 | IND-CCA (Dent) | |||||||||
| R2_43 | 0 | NTRU LPRime | 2 | R2_15 | lattice | NTRU Prime | KEM | level 2: 897, level 3: 1039, level 4: 1184 | level 2: 1125, level 3: 1294, level 4: 1463 | level 2: 1025, level 3: 1167, level 4: 1312 | IND-CCA (Dent) | |||||||||
| R2_44 | 0 | Picnic-FS | 2 | R2_17 | other | ZKB++ | Signature | level 1: 32, level 3: 48, level 5: 64 | level 1: 16, level 3: 24, level 5: 32 | level 1: 34032, level 3: 76772, level 5: 132856 | SUF-CMA | |||||||||
| R2_45 | 0 | Picnic-UR | 2 | R2_17 | other | ZKB++ | Signature | level 1: 32, level 3: 48, level 5: 65 | level 1: 16, level 3: 24, level 5: 33 | level 1: 53961, level 3: 121845, level 5: 209506 | SUF-CMA | |||||||||
| R2_46 | 0 | Picnic2-FS | 2 | R2_17 | other | ZKB++ | Signature | level 1: 32, level 3: 48, level 5: 66 | level 1: 16, level 3: 24, level 5: 34 | level 1: 13802, level 3: 29750, level 5: 54732 | SUF-CMA | |||||||||
| R2_47 | 0 | qTESLA-Heuristic | 2 | R2_18 | lattice | RLWE | Signature | level 1: 1504, level 2: 2336, level 3: 3104, level 5: 6432,level 5: 5024 | level 1: 1216, level 2: 1600, level 3: 2368, level 5: 4672, level 5: 3520 | level 1: 1376, level 2: 2144, level 3: 2848, level 5: 5920, level 5: 4640 | EUF-CMA | Withdrawn. | ||||||||
| R2_48 | 0 | qTESLA-Provably Secure | 2 | R2_18 | lattice | RLWE | Signature | level 1: 14880, level 3: 38432 | level 1: 5184, level 3: 12352 | level 1: 2592, level 3: 5664 | EUF-CMA | |||||||||
| R2_49 | 0 | Rainbow | 2 | R2_19 | multivariate | MQ | Signature | level 1: 149000, level 3: 710600, level 5: 1705500 | level 1: 93000, level 3: 511400, level 5: 1227100 | level 1: 64, level 3: 156, level 5: 204 | EUF-CMA | |||||||||
| R2_50 | 0 | Compressed Rainbow | 2 | R2_19 | multivariate | MQ | Signature | level 1: 58100, level 3: 206700, level 5: 491900 | level 1: 93000, level 3: 511400, level 5: 1227100 | level 1: 64, level 3: 156, level 5: 205 | EUF-CMA | |||||||||
| R2_51 | 0 | ROLLO-I | 2 | R2_20 | code | Ideal LRPC | KEM | level 1: 465, level 3: 590, level 5: 947 | level 1: 40, level 3: 40, level 5: 40 | level 1: 465, level 3: 590, level 5: 947 | IND-CPA | |||||||||
| R2_52 | 0 | ROLLO-II | 2 | R2_20 | code | Ideal LRPC | PKE | level 1: 1546, level 3: 2020, level 5: 2493 | level 1: 40, level 3: 40, level 5: 40 | level 1: 1674, level 3: 2148, level 5: 2621 | IND-CCA (HHK) | |||||||||
| R2_53 | 0 | ROLLO-III | 2 | R2_20 | code | Decisional Ideal RSD | KEM | level 1: 634, level 3: 830, level 5: 1138 | level 1: 40, level 3: 40, level 5: 40 | level 1: 1188, level 3: 1580, level 5: 2196 | IND-CPA | |||||||||
| R2_54 | 0 | R5ND_KEM_5d | 2 | R2_21 | lattice | RLWR | KEM | level 1: 445, level 3: 780, level 5: 972 | level 1: 16, level 3: 24, level 5: 32 | level 1: 549, level 3: 859, level 5: 1063 | IND-CPA | |||||||||
| R2_55 | 0 | R5ND_PKE_5d | 2 | R2_21 | lattice | RLWR | PKE | level 1: 461, level 3: 780, level 5: 978 | level 1: 493, level 3: 828, level 5: 1042 | level 1: 636, level 3: 950, level 5: 1301 | IND-CCA | |||||||||
| R2_56 | 0 | R5ND_KEM_0d | 2 | R2_21 | lattice | RLWR | KEM | level 1: 634, level 3: 909, level 5: 1178 | level 1: 16, level 3: 24, level 5: 32 | level 1: 682, level 3: 981, level 5: 1274 | IND-CPA | |||||||||
| R2_57 | 0 | R5ND_PKE_0d | 2 | R2_21 | lattice | RLWR | PKE | level 1: 676, level 3: 983, level 5: 1349 | level 1: 708, level 3: 1031, level 5: 1413 | level 1: 756, level 3: 1119, level 5: 1525 | IND-CCA | |||||||||
| R2_58 | 0 | R5N1_KEM_0d | 2 | R2_21 | lattice | LWR | KEM | level 1: 5214, level 3: 8834, level 5: 14264 | level 1: 16, level 3: 24, level 5: 32 | level 1: 5236, level 3: 8866, level 5: 14288 | IND-CPA | |||||||||
| R2_59 | 0 | R5N1_PKE_0d | 2 | R2_21 | lattice | LWR | PKE | level 1: 5740, level 3: 9660, level 5: 14636 | level 1: 5772, level 3: 9708, level 5: 14700 | level 1: 5804, level 3: 9732, level 5: 14724 | IND-CCA | |||||||||
| R2_60 | 0 | SIKE | 2 | R2_24 | other | SIDH | KEM | level 1: 330, level 2: 378, level 3: 462, level 5: 564 | level 1: 374, level 2: 434, level 3: 524, level 5: 644 | level 1: 346, level 2: 402, level 3: 486, level 5: 596 | IND-CCA (HHK) | |||||||||
| R2_61 | 0 | SIKE_compressed | 2 | R2_24 | other | SIDH | KEM | level 1: 196, level 2: 224, level 3:273, level 5: 331 | level 1: 239, level 2: 280, level 3:336, level 5: 413 | level 1: 209, level 2: 248, level 3:297, level 5: 363 | IND-CCA (HHK) | |||||||||
| R2_62 | 0 | SPHINCS+ Small | 2 | R2_25 | hash | PRF | Signature | level 1: 32, level 3: 48, level 5: 64 | level 1: 64, level 3: 96, level 5: 128 | level 1: 8080, level 3: 17064, level 5: 29792 | EUF-CMA | |||||||||
| R2_63 | 0 | SPHINCS+ Fast | 2 | R2_25 | hash | PRF | Signature | level 1: 32, level 3: 48, level 5: 64 | level 1: 64, level 3: 96, level 5: 128 | level 1: 16976, level 3: 35664, level 5: 49216 | EUF-CMA |
FINALISTS
A. Public-key Encryption and Key-establishment Algorithms
| OP | ID | Validity | Proposal | Variant | Round | Owner | Type | Description | Assumption | Functionality | Public Key (bytes) |
Private Key (bytes) |
Data Size (bytes) |
Comments | Security Type | Challenge | Notes | Date | Cmt_link | Website |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| R3_02 | 1 | Classic McEliece | 2 | R3_02 | code | Conservative Binary Goppa | SDP | KEM | level 1: 261120, level 3: 524160, level 5: 1044992,level 5: 1047319, level 5: 1357824 | level 1: 6492, level 3: 13608, level 5: 13932, level 5: 13948, level 5: 14120 | level 1: 128, level 3: 188, level 5: 240, level 5: 226, level 5: 240 | Merger of Classic McEliece and NTS-KEM | IND-CCA2 | Goppa-McEliece Challenge | https://groups.google.com/a/list.nist.gov/forum/#!searchin/pqc-forum/$20Classic$20McEliece$20%09%7Csort:date/pqc-forum/PvkX7Ne_9qI/6C3iwP9zAAAJ | https://classic.mceliece.org | ||||
| R3_04 | 1 | CRYSTALS-KYBER | 2 | R3_04 | lattice | Module-LWE | MLWE | KEM | level 1: 800, level 3: 1184, level 5: 1568 | level 1: 1632, level 3: 2400, level 5: 3168 | level 1: 768, level 3: 1088, level 5: 1568 | IND-CCA | LWE, RLWE | https://pq-crystals.org/ | ||||||
| R3_14 | 1 | NTRU | 2 | R3_14 | lattice | NTRU | ,, | Merger of NTRUEncrypt and NTRU-HRSS-KEM. | https://ntru.org/ | |||||||||||
| R3_40 | 0 | NTRU-HPS | 2 | R3_14 | lattice | NTRU | KEM | level 1: 931, level 3: 1230 | level 1: 1235, level 3: 1592 | level 1: 931, level 3: 1230 | IND-CCA (SXY) | The evaluations are on non-local models. For local models, the evaluation increse from level 1 to 3, 3 to 5 | h | |||||||
| R3_41 | 0 | NTRU-HRSS | 2 | R3_14 | lattice | NTRU | KEM | level 3: 1138 | level 3: 1452 | level 3: 1138 | IND-CCA (SXY) | The evaluations are on non-local models. For local models, the evaluation increse from level 1 to 3, 3 to 5 | ||||||||
| R3_23 | 1 | SABER | 2 | R3_23 | lattice | LWR | MLWR | KEM | level 1: 672, level 3: 992, level 5: 1312 | level 1: 1568 (992), level 3: 2304 (1344), level 5: 3040 (1760) | level 1: 736, level 3: 1088, level 5: 1472 | IND-CCA | https://groups.google.com/a/list.nist.gov/forum/#!searchin/pqc-forum/official$20comment$20round$202%7Csort:date | https://www.esat.kuleuven.be/cosic/pqcrypto/saber/ |
B. Digital Signature Algorithms
| OP | ID | Validity | Proposal | Variant | Round | Owner | Type | Description | Assumption | Functionality | Public Key (bytes) |
Private Key (bytes) |
Signature Size (bytes) |
Comments | Security Type | Challenge | Notes | Date | Cmt_link | Website |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| R3_03 | 1 | CRYSTALS-DILITHIUM | 2 | R3_03 | lattice | Module-LWE | MLWE, MSIS | Signature | level 2: 1312, level 3: 1952, level 5: 2592 | level 2: 2420, level 3: 3293, level 5: 4595 | SUF-CMA | LWE, RLWE | https://pq-crystals.org/dilithium/ | |||||||
| R3_05 | 1 | FALCON | 2 | R3_05 | lattice | NTRU | NTRU | Signature | level 1: 897, level 3: -, level 5: 1793 | level 1: 666, level 3: -, level 5: 280 | EUF-CMA | https://falcon-sign.info/ | ||||||||
| R3_19 | 1 | Rainbow | 2 | R3_19 | multivariate | UOV | ||||||||||||||
| R3_49 | 0 | Standard Rainbow | 2 | R3_19 | multivariate | MQ | Signature | level 1: 157800, level 3: 861400, level 5: 1885400 | level 1: 101200, level 3: 611300, level 5: 1375700 | level 1: 66, level 3: 164, level 5: 212 | EUF-CMA | |||||||||
| R3_49 | 0 | CZ-Rainbow | 2 | R3_19 | multivariate | MQ | Signature | level 1: 58800, level 3: 258400, level 5: 523600 | level 1: 101200, level 3: 611300, level 5: 1375700 | level 1: 64, level 3: 156, level 5: 204 | EUF-CMA | |||||||||
| R3_50 | 0 | Compressed Rainbow | 2 | R3_19 | multivariate | MQ | Signature | level 1: 58800, level 3: 258400, level 5: 523600 | level 1: 60, level 3: 60, level 5: 60 | level 1: 64, level 3: 156, level 5: 204 | EUF-CMA |
ALTERNATE CANDIDATES
A. Public-key Encryption and Key-establishment Algorithms
| OP | ID | Validity | Proposal | Variant | Round | Owner | Type | Description | Assumption | Functionality | Public Key (bytes) |
Private Key (bytes) |
Data Size (bytes) |
Comments | Security Type | Challenge | Notes | Date | Cmt_link | Website |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| R3_01 | 1 | BIKE | 3a | R3_01 | code | QC-MDPC | QC-SD,QC-CF | KEM | level 1: 1540, level 3: 3082, level 5: 5099 | level 1: 280, level 3: 418, level 5: 580 | level 1: 1572, level 3: 3114, level 5: 5153 | IND-CPA (BGF decoder),IND-CCA (low DFR) | SD Challenge | http://bikesuite.org/ | ||||||
| R3_06 | 1 | FrodoKEM | 3a | R3_06 | lattice | LWE | LWE | KEM | level 1: 9616, level 3: 15632, level 5: 21520 | level 1: 19888, level 3: 31296, level 5: 43088 | level 1: 9720, level 3: 15744, level 5: 21632 | IND-CCA | LWE | https://groups.google.com/a/list.nist.gov/forum/#!searchin/pqc-forum/official$20comment$20round$202|sort:date/pqc-forum/_kBMTq3RM28/Zj2CpnEzBgAJ | https://frodokem.org/ | |||||
| R3_08 | 1 | HQC | 3a | R3_08 | code | QC random codes - no decoding | Decision QC-SDP | KEM | level 1: 2249, level 3: 4522, level 5: 7245 | level 1: 40, level 3: 40, level 5: 40 | level 1: 4481, level 3: 9026, level 5: 14469 | IND-CCA (HHK) | SD Challenge | https://pqc-hqc.org/ | ||||||
| R3_15 | 1 | NTRU Prime | 3a | R3_15 | lattice | NTRU Prime | https://groups.google.com/a/list.nist.gov/forum/#!searchin/pqc-forum/official$20comment$20round$202|sort:date/pqc-forum/V1RNjpio5Ng/uzEDmsogAgAJ | https://ntruprime.cr.yp.to | ||||||||||||
| R3_42 | 0 | Streamlined NTRUPrime | 3a | R3_15 | lattice | NTRU Prime | KEM | level 1: 994, level 2: 1158, level 3: 1322, level 4: 1349 , level 5: 2067 | level 1: 1518, level 2: 1763, level 3: 1999, level 4: 1652, level 5: 3059 | level 1: 897, level 2: 1039, level 3: 1184, level 4: 1477, level 5: 1847 | IND-CCA2 | https://groups.google.com/a/list.nist.gov/forum/#!searchin/pqc-forum/official$20comment$20round$202|sort:date/pqc-forum/V1RNjpio5Ng/uzEDmsogAgAJ | https://ntruprime.cr.yp.to | |||||||
| R3_43 | 0 | NTRU LPRime | 3a | R3_15 | lattice | NTRU Prime | KEM | level 1: 897, level 2: 1039, level 3: 1184, level 4: 1455 , level 5: 1847 | level 1: 1125, level 2: 1294, level 3: 1463, level 4: 1773, level 5: 2231 | level 1: 1025, level 2: 1167, level 3: 1312, level 4: 1583, level 5: 1975 | IND-CCA2 | https://groups.google.com/a/list.nist.gov/forum/#!searchin/pqc-forum/official$20comment$20round$202|sort:date/pqc-forum/V1RNjpio5Ng/uzEDmsogAgAJ | https://ntruprime.cr.yp.to | |||||||
| R3_24 | 1 | SIKE | 3a | R3_24 | other | Isogenies | ,, | ,, | ,, | https://groups.google.com/a/list.nist.gov/forum/#!searchin/pqc-forum/$20ROUND$202$20OFFICIAL$20COMMENT$3A$20SIKE%7Csort:date/pqc-forum/q4mEDtl6kt4/PF6P6XUpBwAJ | http://sike.org/ | |||||||||
| R3_60 | 0 | SIKE | 3a | R3_24 | other | SIDH | KEM | level 1: 330, level 2: 378, level 3: 462, level 5: 564 | level 1: 374, level 2: 434, level 3: 524, level 5: 644 | level 1: 346, level 2: 402, level 3: 486, level 5: 596 | IND-CCA (HHK) | |||||||||
| R3_61 | 0 | SIKE_compressed | 3a | R3_24 | other | SIDH | KEM | level 1: 197, level 2: 225, level 3:274, level 5: 335 | level 1: 350, level 2: 407, level 3:491, level 5: 602 | level 1: 236, level 2: 280, level 3:336, level 5: 410 | IND-CCA (HHK) |
B. Digital Signature Algorithms
| OP | ID | Validity | Proposal | Variant | Round | Owner | Type | Description | Assumption | Functionality | Public Key (bytes) |
Private Key (bytes) |
Data Size (bytes) |
Comments | Security Type | Challenge | Notes | Date | Cmt_link | Website |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| R3_07 | 1 | GeMSS | 2 | R3_07 | multivariate | Hidden Field Equations | HFEv- | Signature | level 1: 352188, level 3: 1237963, level 5: 3040700 | level 1: 16, level 3: 24, level 5: 32 | level 1: 33, level 3: 52, level 5: 72 | EUF-CMA | All sizes taken from reference implementation. | https://www-polsys.lip6.fr/Links/NIST/GeMSS.html | ||||||
| R3_17 | 1 | Picnic | 2 | R3_17 | hash | Non-interactive Proof of Knowledge | https://microsoft.github.io/Picnic/ | |||||||||||||
| R3_44 | 0 | Picnic-FS | 2 | R3_17 | other | ZKB++ | Signature | level 1: 32, level 3: 48, level 5: 64 | level 1: 16, level 3: 24, level 5: 32 | level 1: 34032, level 3: 76772, level 5: 132856 | SUF-CMA | |||||||||
| R3_45 | 0 | Picnic-UR | 2 | R3_17 | other | ZKB++ | Signature | level 1: 32, level 3: 48, level 5: 64 | level 1: 16, level 3: 24, level 5: 32 | level 1: 53961, level 3: 121845, level 5: 209506 | SUF-CMA | |||||||||
| R3_46 | 0 | Picnic-full | 2 | R3_17 | other | ZKB++ | Signature | level 1: 34, level 3: 48, level 5: 66 | level 1: 17, level 3: 24, level 5: 32 | level 1: 320161, level 3: 71179, level 5: 126286 | SUF-CMA | |||||||||
| R3_46 | 0 | Picnic3 | 2 | R3_17 | other | ZKB++ | Signature | level 1: 34, level 3: 48, level 5: 66 | level 1: 17, level 3: 24, level 5: 32 | level 1: 13802, level 3: 29750, level 5: 54732 | SUF-CMA | |||||||||
| R3_25 | 1 | SPHINCS+ | 2 | R3_25 | hash | Stateless XMSS | ,, | ,, | ,, | https://sphincs.org/ | ||||||||||
| R3_62 | 0 | SPHINCS+ Small | 2 | R3_25 | hash | PRF | Signature | level 1: 32, level 3: 48, level 5: 64 | level 1: 64, level 3: 96, level 5: 128 | level 1: 7856, level 3: 16224, level 5: 29792 | EUF-CMA | https://sphincs.org/ | ||||||||
| R3_63 | 0 | SPHINCS+ Fast | 2 | R3_25 | hash | PRF | Signature | level 1: 32, level 3: 48, level 5: 64 | level 1: 64, level 3: 96, level 5: 128 | level 1: 17088, level 3: 35664, level 5: 49856 | EUF-CMA | https://sphincs.org/ |
Retrieved from "http://pqc-wiki.fau.edu/w/Special:DatabaseHome"
