NIST Round 1 Candidates
Candidate | Submitters | Type | Sub-type | Class | Round | Status | Claimed Security | Notes |
---|---|---|---|---|---|---|---|---|
BIKE | Nicolas Aragon / Paulo S.L.M. Barreto / Slim Bettaieb / Loic Bidoux / Olivier Blazy / Jean-Christophe Deneuville / Philippe Gaborit / Shay Gueron / Tim Guneysu / Carlos Aguilar Melchor / Rafael Misoczki / Edoardo Persichetti / Nicolas Sendrier / Jean-Pierre Tillich / Gilles Zemor | Code | Quasi-Cyclic Moderate Density Parity-Check (QC-MDPC) codes | KEM | Round 1 | Patented | CPA | Clarification added on KAT files |
Classic McEliece | Daniel J. Bernstein / Tung Chou / Tanja Lange / Ingo von Maurich / Rafael Misoczki / Ruben Niederhagen / Edoardo Persichetti / Christiane Peters / Peter Schwabe / Nicolas Sendrier / Jakub Szefer / Wen Wang | Code | Binary Goppa codes | KEM | Round 1 | | CCA2 | |
Ramstake | Alan Szepieniec | Other | | KEM | Round 1 | | CCA | |
HQC | Carlos Aguilar Melchor / Nicolas Aragon / Slim Bettaieb / Loïc Bidoux / Olivier Blazy / Jean-Christophe Deneuville / Philippe Gaborit / Edoardo Persichetti / Gilles Zémor | Code | Quasi-cyclic codes, BCH codes | KEM | Round 1 | MERGED with LAKE and LOCKER to become ROLLO | CCA2 | |
Ouroboros-R | Carlos Aguilar Melchor / Nicolas Aragon / Slim Bettaieb / Loic Bidoux / Olivier Blazy / Jean-Christophe Deneuville / Philippe Gaborit / Adrien Hauteville / Gilles Zemor | Code | Rank metric codes | KEM | Round 1 | Patented | CPA | |
RQC | Carlos Aguilar Melchor / Nicolas Aragon / Slim Bettaieb / Loic Bidoux / Olivier Blazy / Jean-Christophe Deneuville / Philippe Gaborit / Gilles Zemor | Code | Rank Quasi-Cyclic codes | KEM | Round 1 | Patented | CCA2 | |
RLCE-KEM | Yongge Wang | Code | Random Linear Code Based Public Key Encryption (RLCE) | KEM | Round 1 | ATTACKED; Patented | CCA2 | Group 1 parameters insecure |
RaCoSS | Kazuhide Fukushima / Partha Sarathi Roy / Rui Xu / Shinsaku Kiyomoto / Kirill Morozov / Tsuyoshi Takagi | Code | Random code based signature scheme | Signature | Round 1 | ATTACKED | sEUF-CMA | The low-weight hash function used in RaCoSS is not secure: with the specified RaCoSS parameters, any message can be quickly signed for any public key without knowing the secret key. |
QC-MDPC KEM | Atsushi Yamada / Edward Eaton / Kassem Kalach / Philip Lafrance / Alex Parent | Code | Quasi-Cyclic Moderate Density Parity-Check (QC-MDPC) codes | KEM | Round 1 | Patented | CCA2 | |
LEDAkem | Marco Baldi / Alessandro Barenghi / Franco Chiaraluce / Gerardo Pelosi / Paolo Santini | Code | Quasi-Cyclic Low Density Parity-Check (QC-LDPC) codes | KEM | Round 1 | MERGED with LEDApkc | CCA | |
LEDApkc | Marco Baldi / Alessandro Barenghi / Franco Chiaraluce / Gerardo Pelosi / Paolo Santini | Code | Quasi-Cyclic Low Density Parity-Check (QC-LDPC) codes | Encryption | Round 1 | MERGED with LEDAkem | CCA2 | |
DAGS | Gustavo Banegas / Paulo S.L.M. Barreto / Brice Odilon Boidje / Pierre-Louis Cayrel / Gilbert Ndollane Dione / Kris Gaj / Cheikh Thiecoumba Gueye / Richard Haeussler / Jean Belo Klamti / Ousmane N'diaye / Duc Tri Nguyen / Edoardo Persichetti / Jefferson E. Ricardini | Code | Quasi-Dyadic Generalized Srivastava codes | KEM | Round 1 | | CCA | Structural attacks on parameter sets 1, 3 and 5; *patched with parameter modification* |
RankSign | Nicolas Aragon / Philippe Gaborit / Adrien Hauteville / Olivier Ruatta / Gilles Zemor | Code | LRPC codes | Signature | Round 1 | WITHDRAWN | CCA2 | |
McNie | Lucky Galvez / Jon-Lark Kim / Myeong Jae Kim / Young-Sik Kim / Nari Lee | Code | McEliece/Niederreiter cryptosystems | Encryption | Round 1 | ATTACKED | CCA2 | Known attack: security can be reduced by a factor of 2; revised parameter set given by the authors. |
LOCKER | Nicolas Aragon / Olivier Blazy / Jean-Christophe Deneuville / Philippe Gaborit / Adrien Hauteville / Olivier Ruatta / Jean-Pierre Tillich / Gilles Zemor | Code | Ideal-LRPC codes | KEM | Round 1 | MERGED with LAKE and Ouroboros-R to become ROLLO | CCA2 | Minor implementation problem (fixed); key recovery attack stronger than originally anticipated |
LAKE | Nicolas Aragon / Olivier Blazy / Jean-Christophe Deneuville / Philippe Gaborit / Adrien Hauteville / Olivier Ruatta / Jean-Pierre Tillich / Gilles Zemor | Code | Ideal-LRPC codes | KEM | Round 1 | MERGED with Ouroboros-R and LOCKER to become ROLLO | CPA | Minor implementation problem (fixed); key recovery attack stronger than originally anticipated |
Edon-K | Danilo Gligoroski / Kristian Gjosteen | Code | McEliece public key scheme variant | KEM | Round 1 | WITHDRAWN | CCA2 | Attack recovers secret key from ciphertext |
pqsigRM | Wijik Lee / Young-Sik Kim / Yong-Woo Lee / Jong-Seon No | Code | Punctured Reed-Muller (RM) codes | Signature | Round 1 | | EUF-CMA | Private key can be recovered for the 128- and 192-bit parameter sets; *patched* |
NTS-KEM | Martin Albrecht / Carlos Cid / Kenneth G. Paterson / Cen Jung Tjhai / Martin Tomlinson | Code | McEliece, Niederreiter variant | KEM | Round 1 | Patented | CCA | |
BIG QUAKE | Alain Couvreur / Magali Bardet / Elise Barelli / Olivier Blazy / Rodolfo Canto-Torres / Philippe Gaborit / Ayoub Otmani / Nicolas Sendrier / Jean-Pierre Tillich | Code | Quasi-cyclic Goppa codes | KEM | Round 1 | | CCA2 | |
Picnic | Greg Zaverucha / Melissa Chase / David Derler / Steven Goldfeder / Claudio Orlandi / Sebastian Ramacher / Christian Rechberger / Daniel Slamanig | Other | | Signature | Round 1 | | sEUF-CMA | |
Gravity-SPHINCS | Jean-Philippe Aumasson / Guillaume Endignoux | Hash | | Signature | Round 1 | | EUF-CMA | Fault injection attack |
SPHINCS+ | Andreas Hulsing / Daniel J. Bernstein / Christoph Dobraunig / Maria Eichlseder / Scott Fluhrer / Stefan-Lukas Gazdag / Panos Kampanakis / Stefan Kolbl / Tanja Lange / Martin M. Lauridsen / Florian Mendel / Ruben Niederhagen / Christian Rechberger / Joost Rijneveld / Peter Schwabe | Hash | | Signature | Round 1 | | EUF-CMA | Fault injection attack; concerns over security proof |
Odd Manhattan | Thomas Plantard | Lattice | Standard | Encryption | Round 1 | | CPA | Not CCA secure; *patched* |
NTRU Prime | Daniel J. Bernstein / Chitchanok Chuengsatiansup / Tanja Lange / Christine van Vredendaal | Lattice | Ring | KEM | Round 1 | | CCA2 | |
Three Bears | Mike Hamburg | Lattice | Module | KEM | Round 1 | | CCA | |
CRYSTALS-KYBER | Peter Schwabe / Roberto Avanzi / Joppe Bos / Leo Ducas / Eike Kiltz / Tancrede Lepoint / Vadim Lyubashevsky / John M. Schanck / Gregor Seiler / Damien Stehle | Lattice | Module | KEM | Round 1 | | CCA2 | Concerns surrounding proof of IND-CPA security |
LOTUS | Le Trieu Phong / Takuya Hayashi / Yoshinori Aono / Shiho Moriai | Lattice | Standard | KEM, Encryption | Round 1 | | CCA2 | CCA attack; *patched* |
NTRUEncrypt | Zhenfei Zhang / Cong Chen / Jeffrey Hoffstein / William Whyte | Lattice | Ring | KEM, Encryption | Round 1 | MERGED with NTRU-HRSS-KEM | CCA2 | |
pqNTRUsign | Zhenfei Zhang / Cong Chen / Jeffrey Hoffstein / William Whyte | Lattice | Ring, Module | Signature | Round 1 | Patented | EUF-CMA | Vulnerable to CMA attack; *patched* |
SABER | Jan-Pieter D'Anvers / Angshuman Karmakar / Sujoy Sinha Roy / Frederik Vercauteren | Lattice | Module | KEM | Round 1 | | CCA | |
Compact LWE | Dongxi Liu / Nan Li / Jongkil Kim / Surya Nepal | Lattice | Standard | Encryption | Round 1 | ATTACKED | CCA2 | Secret key can be recovered from ciphertext |
Ding Key Exchange | Jintai Ding / Tsuyoshi Takagi / Xinwei Gao / Yuntao Wang | Lattice | Ring | KEM | Round 1 | | CPA | |
KINDI | Rachid El Bansarkhani | Lattice | Ring | KEM, Encryption | Round 1 | | CCA | |
Lizard | Jung Hee Cheon / Sangjoon Park / Joohee Lee / Duhyeong Kim / Yongsoo Song / Seungwan Hong / Dongwoo Kim / Jinsu Kim / Seong-Min Hong / Aaram Yun / Jeongsu Kim / Haeryong Park / Eunyoung Choi / Kimoon Kim / Jun-Sub Kim / Jieun Lee | Lattice | Standard, Ring | KEM, Encryption | Round 1 | Patented | CCA2 | |
Round2 | Oscar Garcia-Morchon / Zhenfei Zhang / Sauvik Bhattacharya / Ronald Rietman / Ludo Tolhuizen / Jose-Luis Torre-Arce | Lattice | Standard, Ring | KEM, Encryption | Round 1 | MERGED with HILA5 to become Round5; Patented | CCA | Concerns surrounding proof of IND-CPA security; potential CCA attack |
LIMA | Nigel P. Smart / Martin R. Albrecht / Yehuda Lindell / Emmanuela Orsini / Valery Osheter / Kenny Paterson / Guy Peer | Lattice | Ring | KEM, Encryption | Round 1 | | CCA | Concerns surrounding rejection sampling analysis; patch proposed |
EMBLEM and R.EMBLEM | Minhye Seo / Jong Hwan Park / Dong Hoon Lee / Suhri Kim / Seung-Joon Lee | Lattice | Standard, Ring | Encryption | Round 1 | | CPA | |
NewHope | Thomas Poppelmann / Erdem Alkim / Roberto Avanzi / Joppe Bos / Leo Ducas / Antonio de la Piedra / Peter Schwabe / Douglas Stebila | Lattice | Ring | KEM | Round 1 | | CCA | |
Titanium | Ron Steinfeld / Amin Sakzad / Raymond K. Zhao | Lattice | Poly | KEM, Encryption | Round 1 | | CCA, CPA | |
HILA5 | Markku-Juhani O. Saarinen | Lattice | Ring | KEM | Round 1 | MERGED with Round2 to become Round5 | CPA | |
qTESLA | Nina Bindel / Sedat Akleylek / Erdem Alkim / Paulo S.L.M. Barreto / Johannes Buchmann / Edward Eaton / Gus Gutoski / Juliane Kramer / Patrick Longa / Harun Polat / Jefferson E. Ricardini / Gustavo Zanon | Lattice | Ring | Signature | Round 1 | | EUF-CMA | |
CRYSTALS-DILITHIUM | Vadim Lyubashevsky / Leo Ducas / Eike Kiltz / Tancrede Lepoint / Peter Schwabe / Gregor Seiler / Damien Stehle | Lattice | Module | Signature | Round 1 | | SUF-CMA | |
KCL (OKCN/AKCN/CNKE) | Yunlei Zhao / Zhengzhong Jin / Boru Gong / Guangye Sui | Lattice | Standard, Ring | KEM, Encryption | Round 1 | | CCA | |
LAC | Xianhui Lu / Yamin Liu / Dingding Jia / Haiyang Xue / Jingnan He / Zhenfei Zhang | Lattice | Poly | KEM, Encryption | Round 1 | | CCA | Failure rate potentially worse than expected; timing attack on the underlying ECC (error-correcting code) to break IND-CCA security |
DRS | Thomas Plantard / Arnaud Sipasseuth / Cedric Dumondelle / Willy Susilo | Lattice | Standard | Signature | Round 1 | ATTACKED | EUF-CMA | Statistical attack recovers partial information on the secret key |
FrodoKEM | Michael Naehrig / Erdem Alkim / Joppe Bos / Leo Ducas / Karen Easterbrook / Brian LaMacchia / Patrick Longa / Ilya Mironov / Valeria Nikolaenko / Christopher Peikert / Ananth Raghunathan / Douglas Stebila | Lattice | Standard | KEM | Round 1 | | CCA | |
Giophantus | Koichiro Akiyama / Yasuhiro Goto / Shinya Okumura / Tsuyoshi Takagi / Koji Nuida / Goichiro Hanaoka / Hideo Shimizu / Yasuhiko Ikematsu | Lattice | Standard | Encryption | Round 1 | ATTACKED | CPA | Distinguishing attack breaks the claimed IND-CPA security; addressed in revised paper, claimed security levels revised |
NTRU-HRSS-KEM | John M. Schanck / Andreas Hulsing / Joost Rijneveld / Peter Schwabe | Lattice | Ring | KEM | Round 1 | MERGED with NTRUEncrypt | CCA2 | |
FALCON | Thomas Prest / Pierre-Alain Fouque / Jeffrey Hoffstein / Paul Kirchner / Vadim Lyubashevsky / Thomas Pornin / Thomas Ricosset / Gregor Seiler / William Whyte / Zhenfei Zhang | Lattice | Ring | Signature | Round 1 | | EUF-CMA | |
Lepton | Yu Yu / Jiang Zhang | LPN (Lattice/Code) | | KEM | Round 1 | | CCA | |
DME | Ignacio Luengo / Martin Avendano / Michael Marco | Multivariate | PK | KEM | Round 1 | | CPA | Attacked; patch proposed |
SRTPI | Joseph Peretz / Nerya Granot | Multivariate Quadratic | | Encryption | Round 1 | WITHDRAWN | CCA2 | Broken under CPA: decryption operations are affine |
DualModeMS | J.-C. Faugère / L. Perret / J. Ryckeghem | Multivariate Quadratic | HFE | Signature | Round 1 | | EUF-CMA | |
LUOV | Ward Beullens / Bart Preneel / Alan Szepieniec / Frederik Vercauteren | Multivariate Quadratic | | Signature | Round 1 | | EUF-CMA | |
GeMSS | A. Casanova / J.-C. Faugère / G. Macario-Rat / J. Patarin / L. Perret / J. Ryckeghem | Multivariate Quadratic | HFE | Signature | Round 1 | | EUF-CMA | |
MQDSS | Simona Samardjiska / Ming-Shing Chen / Andreas Hulsing / Joost Rijneveld / Peter Schwabe | Multivariate Quadratic | | Signature | Round 1 | Patented | EUF-CMA | |
DME | Ignacio Luengo / Martin Avendano / Michael Marco | Multivariate Quadratic | PK | Signature | Round 1 | | EUF-CMA | Attacked; patch proposed |
HiMQ-3 | Kyung-Ah Shim / Cheol-Min Park / Aeyoung Kim | Multivariate Quadratic | HFE | Signature | Round 1 | | EUF-CMA | Flaw in EUF-CMA security proof |
Gui | Jintai Ding / Ming-Shing Chen / Albrecht Petzoldt / Dieter Schmidt / Bo-Yin Yang | Multivariate Quadratic | HFE | Signature | Round 1 | | EUF-CMA | Parameter set 1 vulnerability |
Rainbow | Jintai Ding / Ming-Shing Chen / Albrecht Petzoldt / Dieter Schmidt / Bo-Yin Yang | Multivariate Quadratic | | Signature | Round 1 | Patented | EUF-CMA | |
SRTPI | Joseph Peretz | Multivariate Quadratic (or MQE) | | Signature | Round 1 | WITHDRAWN | sEUF-CMA | Broken under KMA: signature secret key operation is linear |
CFPKM | O. Chakraborty / J.-C. Faugère / L. Perret | Multivariate Quadratic | | KEM | Round 1 | ATTACKED | CPA | Known attack breaks IND-CPA security for the CFPKM128 and CFPKM182 parameter sets; the shared secret can be recovered from the public values within the scheme |
WalnutDSA | Derek Atkins / Iris Anshel / Dorian Goldfeld / Paul E. Gunnells | Other | Braids (group theoretic OWF) | Signature | Round 1 | Patented | EUF-CMA | Multiple patched attacks; scheme may also be vulnerable to 'square root' attacks |
RVB | C. B. Roellgen / G. Brands | Other | Chebyshev polynomials | KEM | Round 1 | WITHDRAWN | CCA2 | ATTACKED: secret key can be quickly computed from a public key (uses LLL) |
HK17 | Juan Pedro Hecht / Jorge Alejandro Kamlofsky | Other | Hypercomplex numbers | Key Agreement Protocol | Round 1 | WITHDRAWN | CCA2 | ATTACKED: uses the invertibility property of the public key. Doesn't fall into a particular category. Issue with protocol: no secret randomness. |
Mersenne-756839 | Divesh Aggarwal / Antoine Joux / Anupam Prakash / Miklos Santha | Lattices/Other | | KEM | Round 1 | | CCA | |
Guess Again | Vladimir Shpilrain / Mariya Bessonov / Alexey Gribov / Dima Grigoriev | Other | Random Walk | Encryption | Round 1 | ATTACKED | CCA2 | ATTACKED: for the KATs, the message can be recovered from the ciphertext without the private key |
Post-Quantum RSA Encryption | Daniel J. Bernstein / Josh Fried / Nadia Heninger / Paul Lou / Luke Valenta | Other | RSA | Encryption | Round 1 | MERGED with Post-Quantum RSA Signature to become Post-Quantum RSA | CCA2 | |
Post-Quantum RSA Signature | Daniel J. Bernstein / Josh Fried / Nadia Heninger / Paul Lou / Luke Valenta | Other | RSA | Signature | Round 1 | MERGED with Post-Quantum RSA Encryption to become Post-Quantum RSA | EUF-CMA | |
SIKE | David Jao / Reza Azarderakhsh / Matthew Campagna / Craig Costello / Luca De Feo / Basil Hess / Amir Jalali / Brian Koziel / Brian LaMacchia / Patrick Longa / Michael Naehrig / Joost Renes / Vladimir Soukharev / David Urbanik | SIDH | | KEM, Encryption | Round 1 | | CCA, CPA | Quantum attacks overestimated; potential lower-running-cost attack |