#NIST chose #HQC as their backup KEM and elected not to standardize #ClassicMcEliece for now, among other reasons pointing to the standardization with #ISO.
The argument to choose HQC over BIKE is a higher confidence in the IND-CCA security of HQC. I cannot comment on whether that is a reasonable assessment, though I have no reason to doubt it, but I can say that in terms of reasons to make a choice this is of course a pretty good one.
I’m not sure how I think about the decision regarding McEliece, but I can to an extent see where they are coming from.
This means there are now 9 post quantum algorithms approved, standardized or chosen for standardization by generally respected organizations:
Key Encapsulation Mechanisms (“KEMs”):
* ML-KEM (“Kyber”), based on Lattices, standardized by NIST
* HQC, based on Codes, chosen for standardization by NIST
* Classic McEliece, based on codes, approved by BSI (de), ANSSI (fr), and NCSC (nl)
* Frodo, based on lattices, approved by BSI (de), ANSSI (fr), and NCSC (nl)
Signatures:
* ML-DSA (“Dilithium”), based on Lattices, standardized by NIST
* SLH-DSA (“SPHINCS+”), based on hashes, standardized by NIST
* FN-DSA (“Falcon”), based on lattices, chosen for standardization by NIST
Stateful Signatures:
* XMSS, based on hashes, standardized by IEEE
* LMS, based on hashes, standardized by IEEE
Overall, this looks like a decent portfolio. Future standardization might add schemes based on multivariate equations and isogenies, but for now this should do and give us a basis from which we can design more efficient schemes without being too concerned about the entire ground suddenly giving in because one random guy/gal finds a new attack vector.
#postquantumcryptography #PQC #PQCrypto