OP | Proposal | Variant | Type | Assumption | Functionality | Public Key (bytes) | Private Key (bytes) | Data Size (bytes) | Comments | Security Type | Challenge | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|
BIG QUAKE | [QC Binary Goppa] | QC-SDP | KEM | level 1: 25482 level 3: 84132 level 5: 149800 | level 1: 14772 level 3: 30860 level 5: 41804 | level 1: 201 level 3: 406 level 5: 492 | IND-CCA (HHK) Not detailed | |||||
BIKE | [QC-MDPC] | Comment on parity of ciphertexts (not a security issue). | ||||||||||
BIKE 1 | QC-CF QC-SDP | KEM | level 1: 2541 level 3: 4974 level 5: 8188 | level 1: 267 level 3: 387 level 5: 548 | level 1: 2541 level 3: 4974 level 5: 8188 | IND-CPA | ||||||
BIKE 2 | QC-CF QC-SDP | KEM | level 1: 1271 level 3: 2482 level 5: 4094 | level 1: 267 level 3: 387 level 5: 548 | level 1: 1271 level 3: 2482 level 5: 4094 | IND-CPA | ||||||
BIKE 3 | QC-SDP | KEM | level 1: 2757 level 3: 5421 level 5: 9033 | level 1: 252 level 3: 372 level 5: 532 | level 1: 2757 level 3: 5421 level 5: 9033 | IND-CPA | ||||||
CFPKM | [Noisy Polynomials] | PoSSo with Noise | KEM | level 1: 696 level 2: 928 | level 1: 128 level 2: 182 | level 1: 81 level 2: 116 | IND-CPA | Attacked by Ron Steinfeld: link | ||||
Classic McEliece | [Conservative Binary Goppa] | SDP | KEM | level 5: 1047319 level 5: 1044992 | level 5: 13908 level 5: 13892 | level 5: 226 level 5: 240 | Comment on Classic vs NTS document. | IND-CCA (BP) | ||||
Compact LWE | [LWE] | Compact-LWE | PKE | level 3: 2064 | level 3: 232 | level 3: 2376 | Original proposal broken! | IND-CCA | ||||
CRYSTALS-DILITHIUM | [LWE/SIS on Module Lattices] | MLWE MSIS | Signature | level 1: 1184 level 2: 1472 level 3: 1760 | level 1: 2800 level 2: 3504 level 3: 3856 | level 1: 2044 level 2: 2701 level 3: 3366 | SUF-CMA | |||||
CRYSTALS-KYBER | [LWE on Module Lattices] | MLWE | KEM | level 1: 736 level 3: 1088 level 5: 1440 | level 1: 1632 level 3: 2400 level 5: 3168 | level 1: 800 level 3: 1152 level 5: 1504 | IND-CCA | |||||
DAGS | [QD Generalized Srivastava] | QD-SDP | KEM | level 1: 8112 level 3: 11264 level 5: 19712 | level 1: 2496 level 3: 4864 level 5: 6400 | level 1: 656 level 3: 1248 level 5: 1632 | Attack from Barelli-Couvreur (fixed) | IND-CCA (HHK) | ||||
Ding Key Exchange | [RLWE on DH] | RLWE | KEM | level 1: 848 level 3: 1680 level 5: 1680 | - | level 1: 896 level 3: 1792 level 5: 1792 | Private key sizes not specified in original document. | |||||
DME | [Double Exponentiation with Matrix Exponents] | DME | KEM | level 5: 2304 | Level 5: 288 | Level 5: 36 | Attack from Ward Beullens (fixed). | IND-CCA2 | ||||
DRS | [GGH] | uSVP | Signature | level 1: 5081123 level 3: 8278638 level 5: 14288842 | level 1: 51274 level 3: 83769 level 5: 144527 | level 1: 8531 level 3: 10901 level 5: 14339 | Statistical attack! Increase parameters. | |||||
DualModeMS | [SBP] | HFEv- | Signature | level 1: 528 level 3: 1560 level 5: 2112 | level 1: 18038184 level 3: - level 5: - | level 1: 32640 level 3: 79415 level 5: 149029 | EUF-CMA | |||||
Edon-K | [McEliece with Quasi-binary, Quasi-orthogonal Matrices] | SDP | KEM | level 1: 2576 level 3: 2192 | level 1: 32 level 3: 32 | level 1: 2336 level 3: 2736 | Attack from Lequesne, Sendrier, Tillich (fatal). | IND-CCA (Ad Hoc) | Withdrawn. | |||
EMBLEM and R.EMBLEM | [LWE/RLWE] | |||||||||||
EMBLEM | Binary LWE | KEM | level 1: 3041 level 1: 2528 level 1: 96320 level 1: 79904 | level 1: 32 level 1: 32 level 1: 32 level 1: 32 | level 1: 74048 level 1: 58784 level 1: 2438 level 1: 1961 | IND-CPA | Several parameter sets offer tradeoff. We reported only maximised choices (sets I.A, II.A, I.F and II.F). | |||||
R.EMBLEM | Binary RLWE | KEM | level 1: 958 level 1: 672 level 1: 914 level 1: 797 | level 1: 32 level 1: 32 level 1: 32 level 1: 32 | level 1: 1470 level 1: 1184 level 1: 1362 level 1: 1245 | IND-CPA | ||||||
FALCON | [NTRU] | NTRU | Signature | level 1: 897 level 3: 1441 level 5: 1793 | level 1: - level 3: - level 5: - | level 1: 618 level 3: 994 level 5: 1234 | EUF-CMA | |||||
FrodoKEM | [LWE] | LWE | KEM | level 1: 9616 level 3: 15632 | level 1: 19872 level 3: 31272 | level 1: 9736 level 3: 15768 | IND-CCA | |||||
GeMSS | [Hidden Field Equations] | HFEv- | Signature | level 1: 417408 level 3: 1304192 level 5: 3603792 | level 1: 14208 level 3: 39440 level 5: 82056 | level 1: 48 level 3: 88 level 5: 104 | EUF-CMA | All sizes taken from reference implementation. | ||||
Giophantus | [ASC] | Solving Indeterminate Equations | PKE | level 1: 14412 level 3: 20796 level 5: 27204 | level 1: 601 level 3: 867 level 5: 1134 | level 1: 28824 level 3: 41592 level 5: 54408 | Attack on IND-CPA. | IND-CPA | ||||
Gravity-SPHINCS | [SPHINCS] | PRF | Signature | level 2: 32768 level 2: 1048576 level 2: 524288 | level 2: 65536 level 2: 2097152 level 2: 1048576 | level 2: 12640 level 2: 28929 level 2: 35168 | Fault injection attack. | Parameter sets Small, Medium and Large (signature size). | ||||
Guess Again | [Simple symmetric random walks] | Asymptotic conditional probability assumptions. | PKE | level 1: 2250 | level 1: 2000 | level 1: 2250 | Official comment by Lorenz Panny (no response by the designers): a python script is provided claiming a ciphertext-only attack. | Unconditional security | ||||
Gui | [Hidden Field Equations] | HFEv | Signature | level 1: 416300 level 3: 1955100 level 5: 5789200 | level 1: 19100 level 3: 59300 level 5: 155900 | level 1: 45 level 3: 63 level 5: 83 | EUF-CMA | Level 1 signature size should change from 45 to 49 after revising k from 2 to 3. | ||||
HILA5 | [RLWE] | RLWE | KEM PKE | level 5: 1824 | level 5: 1792 | level 5: 2012 | Attack from Bernstein, Groot Bruinderink, Lange and Panny on incorrect IND-CCA claim. | IND-CPA | ||||
HiMQ-3 | [High-Speed MQ] | MQ | Signature | level 1 : 128744 level 1 : 100878 | level 1 : 12074 level 1 : 14878 | level 1 : 75 level 1 : 67 | EUF-CMA | |||||
HK17 | [Octonions on DH] | GSDP/DP | KEM PKE | - | - | - | Several attacks have been discussed in the comments, attacks have been confirmed by the designers. | IND-CCA | Withdrawn. Parameters and sizes not specified. | |||
HQC | [QC Random Codes - No Decoding] | Decision QC-SDP | KEM | level 1: 2819 level 3: 5115 level 5: 7417 | level 1: 40 level 3: 40 level 5: 40 | level 1: 5622 level 3: 10214 level 5: 14818 | Comment on parity of ciphertexts (not a security issue) | IND-CCA (HHK) | Many parameters: we have chosen the best of each set, calculating only the ones using seed expander (most efficient). | |||
KCL (pka OKCN/AKCN/CNKE) | [LWE and Variants] | |||||||||||
[KCL] AKCN-SEC | RLWE | KEM | - | - | - | IND-CPA | Parameters not specified clearly in document. | |||||
[KCL] OKCN-SEC | RLWE | KEM | - | - | - | IND-CPA | Parameters not specified clearly in document. | |||||
[KCL] OKCN-MLWE | MLWE | KEM | level 4: 992 | level 4: 288 | level 4: 1120 | IND-CPA | ||||||
[KCL] AKCN-MLWE | MLWE | KEM | level 4: 991 | level 4: 288 | level 4: 1120 | IND-CPA | ||||||
[KCL] AKCN-MLWE-CCA | MLWE | PKE | level 4: 992 | level 4: 1312 | level 4: 1168 | IND-CCA | ||||||
KINDI | [LWE] | |||||||||||
KINDI Kem | MLWE | KEM | level 2 : 1184 level 4 : 1456 level 4 : 1728 level 5 : 1984 level 5: 2368 | level 2: 1472 level 4 : 1712 level 4 : 2112 level 5 : 2304 level 5 : 2752 | level 2 : 1792 level 4 : 2496 level 4 : 2688 level 5 : 2688 level 5 : 3328 | IND-CPA | ||||||
KINDI-Encryption | MLWE | PKE | level 2 : 1184 level 4 : 1456 level 4 : 1728 level 5 : 1984 level 5: 2368 | level 2: 1472 level 4 : 1712 level 4 : 2112 level 5 : 2304 level 5 : 2752 | level 2 : 1792 level 4 : 2496 level 4 : 2688 level 5 : 2688 level 5 : 3328 | IND-CPA | ||||||
LAC | [poly-LWE] | poly-LWE | KEM | level 1: 544 level 3: 1056 level 5: 1056 | level 1: 1056 level 3: 2080 level 5: 2080 | level 1: 1024 level 3: 1536 level 5: 2048 | IND-CCA | |||||
LAKE | [Ideal LRPC Codes] | Ideal Rank-SDP | KEM | level 1: 394 level 3: 590 level 5: 790 | level 1: 788 level 3: 1180 level 5: 1580 | level 1: 394 level 3: 590 level 5: 790 | IND-CPA | The private key and ciphertext sizes are not provided in the original document and had to be calculated. | ||||
LEDAkem | [QC-LDPC] | QC-SDP | KEM | level 1: 6408 level 3: 13152 level 5: 22704 | level 1: 24 level 3: 32 level 5: 40 | level 1: 2136 level 3: 4384 level 5: 7568 | IND-CPA | Many parameter sets. We reported only those corresponding to n_0=2. | ||||
LEDApkc | [QC-LDPC] | QC-SDP | PKE | level 1: 6408 level 3: 13152 level 5: 22704 | level 1: 24 level 3: 32 level 5: 40 | level 1: 8544 level 3: 17536 level 5: 30272 | OW-CPA | Many parameter sets. We reported only those corresponding to n_0=2. | ||||
Lepton | [LPN-based] | Ring-CLPN | KEM | level 1: 1045 level 3: 2052 level 5: 4128 | level 1: 1085 level 3: 2108 level 5: 4198 | level 1: 1998 level 3: 3005 level 5: 5335 | Comment on security and citation (Gaborit) Official comment by authors: parameters outdated (and not replaced until Round 2?) | IND-CCA (HHK) | ||||
LIMA | [RLWE] | |||||||||||
LIMA–2p | RLWE | KEM PKE | level 1: 1792 level 4: 3840 | level 1: 2688 level 4: 5760 | level 1: 1539 level 4: 2563 | IND-CCA | For short, we reported only parameters for KEM, at IND-CCA security level (compressed). | |||||
LIMA-sp | RLWE | KEM PKE | level 1: 6108 level 2: 8489 level 3: 11843 | level 1: 9162 level 2: 12734 level 3: 17765 | level 1: 3825 level 2: 6251 level 3: 8315 | IND-CCA | For short, we reported only parameters for KEM, at IND-CCA security level (compressed). | |||||
Lizard | [RLWE/RLWR] | RLWE RLWR | KEM PKE | level 1: 4096 level 3: 4096 level 3: 8192 level 5: 8192 | level 1: 385 level 3 : 641 level 3 : 625 level 5: 769 | level 1: 2080 level 3 : 4144 level 3 : 8240 level 5: 8256 | IND-CCA | |||||
LOCKER | [Ideal LRPC Codes] | Ideal Rank-SDP | PKE | level 1: 1546 level 3: 1882 level 5: 2140 | level 1: 3092 level 3: 3764 level 5: 4280 | level 1: 1610 level 3: 1946 level 5: 2204 | IND-CCA (HHK) | The private key and ciphertext sizes are not provided in the original document and had to be calculated. | ||||
LOTUS | [LWE] | |||||||||||
LOTUS-KEM | LWE | KEM | level 1: 658950 level 3: 1025000 level 5: 1471000 | level 1: 700420 level 3: 1101000 level 5: 1590800 | level 1: 1144 level 3: 1456 level 5: 1768 | IND-CCA | ||||||
LOTUS-PKE | LWE | PKE | level 1: 658950 level 3: 1025000 level 5: 1471000 | level 1: 700420 level 3: 1101000 level 5: 1590800 | level 1: 1144 level 3: 1456 level 5: 1768 | IND-CCA | ||||||
LUOV | [UOV] | |||||||||||
LUOV (small signatures) | MQ | Signature | level 2: 15500 level 4: 45000 level 5: 98600 | level 2: 32 level 4: 32 level 5: 32 | level 2: 319 level 4: 441 level 5: 521 | EUF-CMA | ||||||
LUOV (small public keys) | MQ | Signature | level 2: 7300 level 4: 19500 level 5: 39300 | level 2: 32 level 4: 32 level 5: 32 | level 2: 1700 level 4: 3100 level 5: 4700 | EUF-CMA | ||||||
McNie | [Rank Metric] | Rank-SDP | PKE | level 1: 795 level 3: 1156 level 5: 1384 | level 1: 330 level 3: 463 level 5: 547 | level 1: 1060 level 3: 1541 level 5: 1846 | Attack by Gaborit (security reduced by number of bits). | IND-CCA | IND-CCA with decoding failures? The private key and ciphertext sizes are not provided in the original document and had to be calculated. | |||
Mersenne-756839 | [Number Theory] | Mersenne Low Hamming Weight Combination | KEM | level 5: 189210 | level 5: 32 | level 5:160141 | IND-CCA | |||||
MQDSS | [MQ Fiat-Shamir] | MQ | Signature | level 1-2: 46 level 3-4: 64 | level 1-2: 16 level 3-4: 24 | level 1-2: 16534 level 3-4: 34032 | EUF-CMA | |||||
NewHope | [RLWE] | RLWE | KEM | level 1: 928 level 5: 1824 | level 1: 1888 level 5: 3680 | level 1: 1120 level 5: 2208 | IND-CCA | |||||
NTRUEncrypt | [NTRU] | NTRU | KEM | level 1: 611 level 4: 1023 level 5: 4097 | level 1: 701 level 4: 1173 level 5: 8194 | level 1: 611 level 4: 1023 level 5: 4097 | IND-CCA | |||||
PqNTRUSign | [NTRU Signatures] | NTRU | Signature | level 5: 2604 | level 5: 2065 | level 5: 2065 | CMA attack and then a fix. | EUF-CMA | ||||
NTRU-HRSS-KEM | [NTRU] | NTRU | KEM | level 1: 1138 | level 1: 1418 | level 1: 1278 | IND-CCA | |||||
NTRU Prime | [NTRU prime] | NTRU prime | KEM | level 5: 1218 level 5: 1047 | level 5: 1600 level 5: 1238 | level 5: 1047 level 5: 1175 | IND-CCA (Dent) | NTRU over prime-degree number field with a large Galois group and with inert modulus. | ||||
NTS-KEM | [Conservative Binary Goppa] | SDP | KEM | level 1: 319488 level 3: 929760 level 5: 1419704 | level 1: 9216 level 3: 17524 level 5: 19890 | level 1: 1024 level 3: 1296 level 5: 2024 | Comment replying to Classic vs NTS document. | IND-CCA (Ad Hoc) | ||||
Odd Manhattan | [SVP] | SVP BDD | KEM | level 1: 1626240 level 3: 1627648 level 5: 180224 | level 1: 2563260 level 3: 2565055 level 5: 344640 | level 1: 4454241 level 3: 4456650 level 5: 616704 | IND-CCA | |||||
Ouroboros-R | [QC Random Codes - No Decoding] | QC Rank-SDP | KEM | level 1: 676 level 3: 807 level 5: 1112 | level 1: 40 level 3: 40 level 5: 40 | level 1: 1272 level 3: 1534 level 5: 2144 | IND-CPA | The private key and ciphertext sizes are not provided in the original document and had to be calculated. | ||||
Picnic | [Non-interactive Proof of Knowledge] | |||||||||||
Picnic-FS | ZKB++ | Signature | level 1: 32 level 3: 16 level 5: 34000 | level 1: 48 level 3: 24 level 5: 76740 | level 1: 64 level 3: 32 level 5: 132824 | SUF-CMA | ||||||
Picnic-UR | ZKB++ | Signature | level 1: 32 level 3: 16 level 5: 34000 | level 1: 48 level 3: 24 level 5: 76740 | level 1: 53929 level 3: 121813 level 5: 209474 | SUF-CMA | ||||||
Post-quantum RSA-Encryption | [RSA] | Factoring | KEM PKE | level 2: 1073741824 | level 2: 1073741824 | level 2: 1073741824 | IND-CCA | |||||
Post-quantum RSA-Signature | [RSA] | Factoring | Signature | level 2: 1073741824 | level 2: 1073741824 | level 2: 32 | EUF-CMA | |||||
PqsigRM | [Hash-and-Sign with Reed-Muller Codes] | SDP | Signature | level 1: 262144 level 3: 1285120 level 5: 4194304 | level 1: 137732 level 3: 328518 level 5: 2123972 | level 1: 256 level 3: 512 level 5: 1024 | Comment on wrong number of cycles. Attack by Perlner and Alperin-Sheriff (many iterations). Scheme broken? | EUF-CMA | Signature size not given in spec (and therefore calculated as length of error vector e). | |||
QC-MDPC KEM | [QC-MDPC] | QC-SDP | KEM | level 1: 4097 | level 1: 548 | level 1: 8226 | IND-CPA | Submission erroneously claimed category 3 security. | ||||
qTESLA | [RLWE] | RLWE | Signature | level 1: 2976 level 3: 6176 level 5: 6432 | level 1: 1856 level 3: 4160 level 5: 4128 | level 1: 2720 level 3: 5664 level 5: 5920 | EUF-CMA | |||||
RaCoSS | [Fiat-Shamir with Hamming metric] | SDP | Signature | level 1: 99600 | level 1: 703000 | level 1: 586 | Comment on insecure hash function, attack from Huelsing et al. | SUF-CMA | Broken beyond repair? | |||
Rainbow | [UOV] | MQ | Signature | level 1: 148500 level 3: 512100 level 4: 552200 level 5: 1319700 | level 1: 97900 level 3: 371400 level 4: 367300 level 5: 871200 | level 1: 64 level 3: 112 level 4: 92 level 5: 118 | EUF-CMA | |||||
Ramstake | [Mersenne Primes and GRS Codes] | LHDHS | KEM | level 1: 27044 level 5: 94637 | level 1: 54056 level 5: 189242 | level 1: 28064 level 5: 96111 | Comment on implementation. | IND-CCA (Ad Hoc) | ||||
RankSign | [Rank Metric] | Rank-SDP | Signature | level 1: 10080 level 3: 19440 level 5: 28560 | - | level 1: 1376 level 3: 2160 level 5: 2928 | Attack by Debris-Alazard and Tillich (fatal). | EUF-CMA | Withdrawn. Private key size was not specified. | |||
RLCE-KEM | [GRS Codes] | SDP | KEM | level 1: 188001 level 3: 450761 level 5: 1232001 | level 1: 310116 level 3: 747393 level 5: 1773271 | level 1: 988 level 3: 1545 level 5: 2640 | Comment on improper connection to NP-Hardness. Attack by Couvreur, Lequesne, Tillich breaking IND-CCA (OAEP) | |||||
Round2 | [LWR] | GLWR | KEM PKE | - | - | - | Doubts about IND-CPA and IND-CCA security. | IND-CCA | Over 30 different parameter sets proposed, none are reported here. | |||
RQC | [Rank Metric] | Rank-SDP | KEM | level 1: 786 level 3: 1411 level 5: 1795 | level 1: 40 level 3: 40 level 5: 40 | level 1: 1555 level 3: 2805 level 5: 3574 | IND-CCA (HHK) | |||||
RVB | [Chebyshev Polynomials] | Chebyshev Polynomials | KEM | - | - | - | Attack by Lorenz Panny (fatal). | Withdrawn. Parameters were not clearly specified. | ||||
SABER | [LWR] | MLWR | KEM | level 1: 672 level 3: 992 level 5: 1312 | level 1: 992 level 3: 1344 level 5: 1760 | level 1: 736 level 3: 1088 level 5: 1472 | IND-CCA | |||||
SIKE | [Isogenies] | SIDH | KEM | level 1: 378 level 3: 564 434 level 5: 726 | level 1: 434 level 3: 644 level 5: 826 | level 1: 402 level 3: 596 level 5: 766 | IND-CCA (HHK) | |||||
SPHINCS+ | [Stateless XMSS] | |||||||||||
SPHINCS+ Small | PRF | Signature | level 1: 32 level 3: 48 level 5: 64 | level 1: 64 level 3: 96 level 5: 128 | level 1: 8080 level 3: 17064 level 5: 29792 | EUF-CMA | ||||||
SPHINCS+ Fast | PRF | Signature | level 1: 32 level 3: 48 level 5: 64 | level 1: 64 level 3: 96 level 5: 128 | level 1: 16976 level 3: 35664 level 5: 49216 | EUF-CMA | ||||||
SRTPI | [UOV] | MQ | Signature PKE | - | - | - | Attack by Bo-Yin Yang (fatal). | IND-CCA/EUF-CMA | Withdrawn. Parameters were not clearly specified. | |||
Three Bears | [IMLWE] | IMLWE | KEM | level 2: 804 level 4: 1194 level 5: 1584 | level 2: 40 level 4: 40 level 5: 40 | level 2: 917 level 4: 1307 level 5: 1697 | IND-CCA (Ad Hoc) | |||||
Titanium | [LWE] | MP-LWE | KEM PKE | level 1: 16352 level 3: 20512 level 5: 26912 | level 1: 32 level 3: 32 level 5: 32 | level 1: 3552 level 3: 6048 level 5: 8352 | IND-CCA | We have reported only IND-CCA parameters due to the minimal overhead with IND-CPA parameters. | ||||
WalnutDSA | [Braid Groups] | Braid Groups | Signature | level 1: 83 level 5: 128 | level 1: 132 level 5: 287 | level 1: 647 level 5: 1248 | Various attacks by several authors. | EUF-CMA | For signature size we have reported the average value indicated in specification document. |

OP | Proposal | Variant | Type | Assumption | Functionality | Public Key (bytes) | Private Key (bytes) | Data Size (bytes) | Comments | Security Type | Challenge | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|
BIKE | [QC-MDPC] | Comment on parity of ciphertexts (not a security issue). | Code-based challenges | |||||||||
BIKE-1 | QC-CF QC-SDP | KEM | level 1: 2541 level 3: 4963 level 5: 8187 | level 1: 249 level 3: 386 level 5: 513 | level 1: 2541 level 3: 4963 level 5: 8187 | IND-CPA | ||||||
BIKE-2 | QC-CF QC-SDP | KEM | level 1: 1270 level 3: 2482 level 5: 4094 | level 1: 249 level 3: 386 level 5: 513 | level 1: 1270 level 3: 2482 level 5: 4094 | IND-CPA | ||||||
BIKE-3 | QC-SDP | KEM | level 1: 2757 level 3: 5421 level 5: 9033 | level 1: 234 level 3: 371 level 5: 532 | level 1: 2757 level 3: 5421 level 5: 9033 | IND-CPA | ||||||
BIKE-1-CCA | QC-CF QC-SDP | KEM | level 1: 2945 level 3: 6206 level 5: 10150 | level 1: 3194 level 3: 6592 level 5: 10698 | level 1: 2945 level 3: 6206 level 5: 10150 | IND-CCA (HHK) | ||||||
BIKE-2-CCA | QC-CF QC-SDP | KEM | level 1: 1473 level 3: 3103 level 5: 5075 | level 1: 3194 level 3: 6592 level 5: 10698 | level 1: 1505 level 3: 3135 level 5: 5107 | IND-CCA (HHK) | ||||||
BIKE-3-CCA | QC-SDP | KEM | level 1: 3068 level 3: 6761 level 5: 11217 | level 1: 3302 level 3: 7132 level 5: 11749 | level 1: 3100 level 3: 6793 level 5: 11249 | IND-CCA (HHK) | ||||||
Classic McEliece | [Conservative Binary Goppa] | SDP | KEM | level 1: 261120 level 3: 524160 level 5: 1044992 level 5: 1047319 level 5: 1357824 | level 1: 6452 level 3: 13568 level 5: 13892 level 5: 13908 level 5: 14080 | level 1: 128 level 3: 188 level 5: 240 level 5: 226 level 5: 240 | IND-CCA (BP) | Goppa-McEliece Challenge | ||||
CRYSTALS-DILITHIUM | [LWE on Module Lattices] | MLWE MSIS | Signature | level 1: 1184 level 2: 1472 level 3: 1760 | level 1: 2800 level 2: 3504 level 3: 3856 | level 1: 2044 level 2: 2701 level 3: 3366 | SUF-CMA | |||||
CRYSTALS-KYBER | [LWE on Module Lattices] | MLWE | KEM | level 1: 800 level 3: 1184 level 5: 1568 | level 1: 1632 level 3: 2400 level 5: 3168 | level 1: 736 level 3: 1088 level 5: 1568 | IND-CCA 2 | |||||
FALCON | [NTRU] | NTRU | Signature | level 1: 897 level 3: 1441 level 5: 1793 | level 1: - level 3: - level 5: - | level 1: 618 level 3: 994 level 5: 1234 | EUF-CMA | |||||
FrodoKEM | [LWE] | LWE | KEM | level 1: 9616 level 3: 15632 level 5: 21520 | level 1: 19888 level 3: 31296 level 5: 43088 | level 1: 9720 level 3: 15744 level 5: 21632 | IND-CCA | |||||
GeMSS | [Hidden Field Equations] | HFEv- | Signature | level 1: 417408 level 3: 1304192 level 5: 3046848 | level 1: 14520 level 3: 40280 level 5: 83688 | level 1: 33 level 3: 52 level 5: 72 | EUF-CMA | All sizes taken from reference implementation. | ||||
HQC | [QC random codes - no decoding] | Decision QC-SDP | KEM | level 1: 6170 level 3: 10918 level 5: 15898 | level 1: 252 level 3: 404 level 5: 532 | level 1: 6234 level 3: 10981 level 5: 15960 | Comment on parity of ciphertexts (not a security issue). | IND-CCA (HHK) | ||||
LAC | [poly-LWE] | poly-LWE | KEM | level 1: 544 level 3: 1056 level 5: 1056 | level 1: 512 level 3: 1024 level 5: 1024 | level 1: 712 level 3: 1188 level 5: 1424 | IND-CCA | |||||
LEDAcrypt | [QC-LDPC] | Merger of LEDAkem and LEDApkc. | Code-based challenges | |||||||||
LEDAcrypt KEM | QC-SDP | KEM | level 1: 1872 level 3: 3216 level 5: 4616 | level 1: 24 level 3: 32 level 5: 40 | level 1: 1872 level 3: 3216 level 5: 4616 | IND-CPA | ||||||
LEDAcrypt KEM-LT | QC-SDP | KEM | level 1: 6520 level 3: 12032 level 5: 19040 | level 1: 25 level 3: 33 level 5: 41 | level 1: 6520 level 3: 12032 level 5: 19040 | IND-CCA (HHK) | ||||||
LEDAcrypt PKC | QC-SDP | PKE | level 1: 6520 level 3: 12032 level 5: 19040 | level 1: 25 level 3: 33 level 5:41 | level 1: 6554 level 3: 12077 level 5: 19095 | IND-CCA (Kobara-Imai) | ||||||
LUOV | [UOV] | |||||||||||
LUOV (small signatures) | MQ | Signature | level 2: 12100 level 4: 34100 level 5: 75500 | level 2: 32 level 4: 32 level 5: 32 | level 2: 311 level 4: 421 level 5: 494 | EUF-CMA | ||||||
LUOV (small public keys) | MQ | Signature | level 2: 5000 level 4: 14100 level 5: 27100 | level 2: 32 level 4: 32 level 5: 32 | level 2: 1606 level 4: 2904 level 5: 4390 | EUF-CMA | ||||||
NewHope | [RLWE] | |||||||||||
NewHope-CPA-KEM | RLWE | KEM | level 1: 928 level 5: 1824 | level 1: 869 level 5: 1792 | level 1: 1088 level 5: 2176 | IND-CPA | ||||||
NewHope-CCA-KEM | RLWE | KEM | level 1: 928 level 5: 1824 | level 1: 1888 level 5: 3680 | level 1: 1120 level 5: 2208 | IND-CCA | ||||||
NTRU | [NTRU] | Merger of NTRUEncrypt and NTRU-HRSS-KEM. | ||||||||||
NTRU-HPS | NTRU | KEM | level 1: 699 level 3: 931 level 5: 1230 | level 1: 935 level 3: 1235 level 5: 1592 | level 1: 699 level 3: 931 level 5: 1230 | IND-CCA (SXY) | ||||||
NTRU-HRSS | NTRU | KEM | level 3: 1138 | level 3: 1452 | level 3: 1138 | IND-CCA (SXY) | ||||||
NTRU Prime | [NTRU Prime] | |||||||||||
Streamlined NTRUPrime | NTRU Prime | KEM | level 2: 994 level 3: 1158 level 4: 1322 | level 2: 1518 level 3: 1763 level 4: 1999 | level 2: 897 level 3: 1039 level 4: 1184 | IND-CCA (Dent) | ||||||
NTRU LPRime | NTRU Prime | KEM | level 2: 897 level 3: 1039 level 4: 1184 | level 2: 1125 level 3: 1294 level 4: 1463 | level 2: 1025 level 3: 1167 level 4: 1312 | IND-CCA (Dent) | ||||||
NTS-KEM | [Conservative Binary Goppa] | SDP | KEM | level 1: 319488 level 3: 92976 level 5: 1419704 | level 1: 9248 level 3: 17556 level 5: 19922 | level 1: 1024 level 3: 1296 level 5: 2024 | Comment replying to Classic vs NTS document. | IND-CCA (HHK) | Goppa-McEliece Challenge | |||
Picnic | [Non-interactive Proof of Knowledge] | |||||||||||
Picnic-FS | ZKB++ | Signature | level 1: 32 level 3: 48 level 5: 64 | level 1: 16 level 3: 24 level 5: 32 | level 1: 34032 level 3: 76772 level 5: 132856 | SUF-CMA | ||||||
Picnic-UR | ZKB++ | Signature | level 1: 32 level 3: 48 level 5: 65 | level 1: 16 level 3: 24 level 5: 33 | level 1: 53961 level 3: 121845 level 5: 209506 | SUF-CMA | ||||||
Picnic2-FS | ZKB++ | Signature | level 1: 32 level 3: 48 level 5: 66 | level 1: 16 level 3: 24 level 5: 34 | level 1: 13802 level 3: 29750 level 5: 54732 | SUF-CMA | ||||||
qTESLA | [RLWE] | EUF-CMA | ||||||||||
qTESLA-Heuristic | RLWE | Signature | level 1: 1504 level 2: 2336 level 3: 3104 level 5: 6432 level 5: 5024 | level 1: 1216 level 2: 1600 level 3: 2368 level 5: 4672 level 5: 3520 | level 1: 1376 level 2: 2144 level 3: 2848 level 5: 5920 level 5: 4640 | EUF-CMA | Withdrawn. | |||||
qTESLA-Provably Secure | RLWE | Signature | level 1: 14880 level 3: 38432 | level 1: 5184 level 3: 12352 | level 1: 2592 level 3: 5664 | EUF-CMA | ||||||
Rainbow | [UOV] | |||||||||||
Rainbow | MQ | Signature | level 1: 149000 level 3: 710600 level 5: 1705500 | level 1: 93000 level 3: 511400 level 5: 1227100 | level 1: 64 level 3: 156 level 5: 204 | EUF-CMA | ||||||
Compressed Rainbow | MQ | Signature | level 1: 58100 level 3: 206700 level 5: 491900 | level 1: 93000 level 3: 511400 level 5: 1227100 | level 1: 64 level 3: 156 level 5: 205 | EUF-CMA | ||||||
ROLLO | [Rank Metric] | Merger of LAKE, LOCKER and Ouroboros-R. | ||||||||||
ROLLO-I | Ideal LRPC | KEM | level 1: 465 level 3: 590 level 5: 947 | level 1: 40 level 3: 40 level 5: 40 | level 1: 465 level 3: 590 level 5: 947 | IND-CPA | ||||||
ROLLO-II | Ideal LRPC | PKE | level 1: 1546 level 3: 2020 level 5: 2493 | level 1: 40 level 3: 40 level 5: 40 | level 1: 1674 level 3: 2148 level 5: 2621 | IND-CCA (HHK) | ||||||
ROLLO-III | Decisional Ideal RSD | KEM | level 1: 634 level 3: 830 level 5: 1138 | level 1: 40 level 3: 40 level 5: 40 | level 1: 1188 level 3: 1580 level 5: 2196 | IND-CPA | ||||||
Round5 | [LWR] | Merger of HILA5 and Round2. | A Note on Parameter Choices of Round5 | |||||||||
R5ND_KEM_5d | RLWR | KEM | level 1: 445 level 3: 780 level 5: 972 | level 1: 16 level 3: 24 level 5: 32 | level 1: 549 level 3: 859 level 5: 1063 | IND-CPA | ||||||
R5ND_PKE_5d | RLWR | PKE | level 1: 461 level 3: 780 level 5: 978 | level 1: 493 level 3: 828 level 5: 1042 | level 1: 636 level 3: 950 level 5: 1301 | IND-CCA | ||||||
R5ND_KEM_0d | RLWR | KEM | level 1: 634 level 3: 909 level 5: 1178 | level 1: 16 level 3: 24 level 5: 32 | level 1: 682 level 3: 981 level 5: 1274 | IND-CPA | ||||||
R5ND_PKE_0d | RLWR | PKE | level 1: 676 level 3: 983 level 5: 1349 | level 1: 708 level 3: 1031 level 5: 1413 | level 1: 756 level 3: 1119 level 5: 1525 | IND-CCA | ||||||
R5N1_KEM_0d | LWR | KEM | level 1: 5214 level 3: 8834 level 5: 14264 | level 1: 16 level 3: 24 level 5: 32 | level 1: 5236 level 3: 8866 level 5: 14288 | IND-CPA | ||||||
R5N1_PKE_0d | LWR | PKE | level 1: 5740 level 3: 9660 level 5: 14636 | level 1: 5772 level 3: 9708 level 5: 14700 | level 1: 5804 level 3: 9732 level 5: 14724 | IND-CCA | ||||||
RQC | [Rank QC random codes - no decoding] | Decisional Ideal RSD | KEM | level 1: 853 level 3: 1391 level 5: 2284 | level 1: 40 level 3: 40 level 5: 40 | level 1: 1690 level 3: 2766 level 5: 4552 | IND-CCA (HHK) | |||||
SABER | [LWR] | MLWR | KEM | level 1: 672 level 3: 992 level 5: 1312 | level 1: 832 level 3: 1248 level 5: 1664 | level 1: 736 level 3: 1088 level 5: 1472 | IND-CCA | |||||
SIKE | [Isogenies] | |||||||||||
SIKE | SIDH | KEM | level 1: 330 level 2: 378 level 3: 462 level 5: 564 | level 1: 374 level 2: 434 level 3: 524 level 5: 644 | level 1: 346 level 2: 402 level 3: 486 level 5: 596 | IND-CCA (HHK) | ||||||
SIKE_compressed | SIDH | KEM | level 1: 196 level 2: 224 level 3:273 level 5: 331 | level 1: 239 level 2: 280 level 3:336 level 5: 413 | level 1: 209 level 2: 248 level 3:297 level 5: 363 | IND-CCA (HHK) | ||||||
SPHINCS+ | [Stateless XMSS] | |||||||||||
SPHINCS+ Small | PRF | Signature | level 1: 32 level 3: 48 level 5: 64 | level 1: 64 level 3: 96 level 5: 128 | level 1: 8080 level 3: 17064 level 5: 29792 | EUF-CMA | ||||||
SPHINCS+ Fast | PRF | Signature | level 1: 32 level 3: 48 level 5: 64 | level 1: 64 level 3: 96 level 5: 128 | level 1: 16976 level 3: 35664 level 5: 49216 | EUF-CMA | ||||||
Three Bears | [IMLWE] | IMLWE | KEM | level 2: 804 level 4: 1194 level 5: 1584 | level 2: 40 level 4: 40 level 5: 40 | level 2: 917 level 4: 1307 level 5: 1697 | IND-CCA (Ad Hoc) | Mike challenges |
FINALISTS
A. Public-key Encryption and Key-establishment Algorithms
Proposal | Variant | Type | Assumption | Functionality | Public Key (bytes) | Private Key (bytes) | Data Size (bytes) | Comments | Security Type | Challenge | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|
Classic McEliece | [Conservative Binary Goppa] | SDP | KEM | level 1: 261120 level 3: 524160 level 5: 1044992 level 5: 1047319 level 5: 1357824 | level 1: 6492 level 3: 13608 level 5: 13932 level 5: 13948 level 5: 14120 | level 1: 128 level 3: 188 level 5: 240 level 5: 226 level 5: 240 | Official Comments Merger of Classic McEliece and NTS-KEM | IND-CCA2 | Goppa-McEliece Challenge | ||
CRYSTALS-KYBER | [Module-LWE] | MLWE | KEM | level 1: 800 level 3: 1184 level 5: 1568 | level 1: 1632 level 3: 2400 level 5: 3168 | level 1: 768 level 3: 1088 level 5: 1568 | IND-CCA | LWE, RLWE | |||
NTRU | [NTRU] | Merger of NTRUEncrypt and NTRU-HRSS-KEM. | |||||||||
NTRU-HPS | NTRU | KEM | level 1: 931 level 3: 1230 | level 1: 1235 level 3: 1592 | level 1: 931 level 3: 1230 | IND-CCA (SXY) | The evaluations are on non-local models. For local models, the evaluation increases from level 1 to 3, 3 to 5 | ||||
NTRU-HRSS | NTRU | KEM | level 3: 1138 | level 3: 1452 | level 3: 1138 | IND-CCA (SXY) | The evaluations are on non-local models. For local models, the evaluation increases from level 1 to 3, 3 to 5 | ||||
SABER | [LWR] | MLWR | KEM | level 1: 672 level 3: 992 level 5: 1312 | level 1: 1568 (992) level 3: 2304 (1344) level 5: 3040 (1760) | level 1: 736 level 3: 1088 level 5: 1472 | Official Comments | IND-CCA |
B. Digital Signature Algorithms
Proposal | Variant | Type | Assumption | Functionality | Public Key (bytes) | Private Key (bytes) | Data Size (bytes) | Comments | Security Type | Challenge | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|
CRYSTALS-DILITHIUM | [Module-LWE] | MLWE MSIS | Signature | level 2: 1312 level 3: 1952 level 5: 2592 | level 2: 2420 level 3: 3293 level 5: 4595 | SUF-CMA | LWE, RLWE | ||||
FALCON | [NTRU] | NTRU | Signature | level 1: 897 level 3: - level 5: 1793 | level 1: 666 level 3: - level 5: 280 | EUF-CMA | |||||
Rainbow | [UOV] | ||||||||||
Standard Rainbow | MQ | Signature | level 1: 157800 level 3: 861400 level 5: 1885400 | level 1: 101200 level 3: 611300 level 5: 1375700 | level 1: 66 level 3: 164 level 5: 212 | EUF-CMA | |||||
CZ-Rainbow | MQ | Signature | level 1: 58800 level 3: 258400 level 5: 523600 | level 1: 101200 level 3: 611300 level 5: 1375700 | level 1: 64 level 3: 156 level 5: 204 | EUF-CMA | |||||
Compressed Rainbow | MQ | Signature | level 1: 58800 level 3: 258400 level 5: 523600 | level 1: 60 level 3: 60 level 5: 60 | level 1: 64 level 3: 156 level 5: 204 | EUF-CMA |
ALTERNATE CANDIDATES
A. Public-key Encryption and Key-establishment Algorithms
Proposal | Variant | Type | Assumption | Functionality | Public Key (bytes) | Private Key (bytes) | Data Size (bytes) | Comments | Security Type | Challenge | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|
BIKE | [QC-MDPC] | QC-SD QC-CF | KEM | level 1: 1540 level 3: 3082 level 5: 5099 | level 1: 280 level 3: 418 level 5: 580 | level 1: 1572 level 3: 3114 level 5: 5153 | IND-CPA (BGF decoder) IND-CCA (low DFR) | SD Challenge | |||
FrodoKEM | [LWE] | LWE | KEM | level 1: 9616 level 3: 15632 level 5: 21520 | level 1: 19888 level 3: 31296 level 5: 43088 | level 1: 9720 level 3: 15744 level 5: 21632 | Official Comments | IND-CCA | LWE | ||
HQC | [QC random codes - no decoding] | Decision QC-SDP | KEM | level 1: 2249 level 3: 4522 level 5: 7245 | level 1: 40 level 3: 40 level 5: 40 | level 1: 4481 level 3: 9026 level 5: 14469 | IND-CCA (HHK) | SD Challenge | |||
NTRU Prime | [NTRU Prime] | Official Comments | |||||||||
Streamlined NTRUPrime | NTRU Prime | KEM | level 1: 994 level 2: 1158 level 3: 1322 level 4: 1349 level 5: 2067 | level 1: 1518 level 2: 1763 level 3: 1999 level 4: 1652 level 5: 3059 | level 1: 897 level 2: 1039 level 3: 1184 level 4: 1477 level 5: 1847 | IND-CCA2 | |||||
NTRU LPRime | NTRU Prime | KEM | level 1: 897 level 2: 1039 level 3: 1184 level 4: 1455 level 5: 1847 | level 1: 1125 level 2: 1294 level 3: 1463 level 4: 1773 level 5: 2231 | level 1: 1025 level 2: 1167 level 3: 1312 level 4: 1583 level 5: 1975 | IND-CCA2 | |||||
SIKE | [Isogenies] | Official Comments | |||||||||
SIKE | SIDH | KEM | level 1: 330 level 2: 378 level 3: 462 level 5: 564 | level 1: 374 level 2: 434 level 3: 524 level 5: 644 | level 1: 346 level 2: 402 level 3: 486 level 5: 596 | IND-CCA (HHK) | |||||
SIKE_compressed | SIDH | KEM | level 1: 197 level 2: 225 level 3: 274 level 5: 335 | level 1: 350 level 2: 407 level 3: 491 level 5: 602 | level 1: 236 level 2: 280 level 3: 336 level 5: 410 | IND-CCA (HHK) |
B. Digital Signature Algorithms
Proposal | Variant | Type | Assumption | Functionality | Public Key (bytes) | Private Key (bytes) | Data Size (bytes) | Comments | Security Type | Challenge | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|
GeMSS | [Hidden Field Equations] | HFEv- | Signature | level 1: 352188 level 3: 1237963 level 5: 3040700 | level 1: 16 level 3: 24 level 5: 32 | level 1: 33 level 3: 52 level 5: 72 | EUF-CMA | All sizes taken from reference implementation. | |||
Picnic | [Non-interactive Proof of Knowledge] | ||||||||||
Picnic-FS | ZKB++ | Signature | level 1: 32 level 3: 48 level 5: 64 | level 1: 16 level 3: 24 level 5: 32 | level 1: 34032 level 3: 76772 level 5: 132856 | SUF-CMA | |||||
Picnic-UR | ZKB++ | Signature | level 1: 32 level 3: 48 level 5: 64 | level 1: 16 level 3: 24 level 5: 32 | level 1: 53961 level 3: 121845 level 5: 209506 | SUF-CMA | |||||
Picnic-full | ZKB++ | Signature | level 1: 34 level 3: 48 level 5: 66 | level 1: 17 level 3: 24 level 5: 32 | level 1: 320161 level 3: 71179 level 5: 126286 | SUF-CMA | |||||
Picnic3 | ZKB++ | Signature | level 1: 34 level 3: 48 level 5: 66 | level 1: 17 level 3: 24 level 5: 32 | level 1: 13802 level 3: 29750 level 5: 54732 | SUF-CMA | |||||
SPHINCS+ | [Stateless XMSS] | ||||||||||
SPHINCS+ Small | PRF | Signature | level 1: 32 level 3: 48 level 5: 64 | level 1: 64 level 3: 96 level 5: 128 | level 1: 7856 level 3: 16224 level 5: 29792 | EUF-CMA | |||||
SPHINCS+ Fast | PRF | Signature | level 1: 32 level 3: 48 level 5: 64 | level 1: 64 level 3: 96 level 5: 128 | level 1: 17088 level 3: 35664 level 5: 49856 | EUF-CMA |
Retrieved from "http://pqc-wiki.fau.edu/w/Special:DatabaseHome"