NIST Advances Nine Candidates to the Third Round of Additional Post-Quantum Digital Signatures
The U.S. National Institute of Standards and Technology (NIST) announced on May 14, 2026, nine digital signature algorithms advancing to the third round of its Additional Digital Signatures for the Post-Quantum Cryptography (PQC) Standardization Process. These nine algorithms were selected after 18 months of intensive scrutiny and evaluation. The goal brings NIST closer to expanding its portfolio of quantum-resistant signatures.
Why Additional Signatures Matter
NIST has already standardized several core PQC algorithms, including lattice-based schemes (for example, CRYSTALS-Dilithium (FIPS 204)) and hash-based options. However, the agency recognized the need for greater algorithmic diversity. Different applications demand trade-offs in signature size, verification speed, key generation performance, and implementation simplicity. Bandwidth-constrained environments such as IoT devices or certificate chains may favor compact signatures, while high-volume software signing benefits from fast verification.
The “on-ramp” or additional signatures track seeks algorithms complementing existing standards, offering better performance in specific use cases or relying on alternative hard mathematical problems. The algorithmic diversity strengthens overall cybersecurity-ecosystem resilience against future cryptanalytic advances and quantum threats.
The Nine Advancing Candidates
The selected algorithms represent a thoughtful mix of cryptographic families:
Isogeny-based: SQIsign stands out for its exceptionally compact signatures, making it attractive for bandwidth-limited scenarios. For example, at NIST security Level I, SQIsign achieves a combined public key + signature size of roughly 212 bytes (64-byte public key + 148-byte signature), significantly smaller than many lattice-based alternatives like ML-DSA, which can exceed several kilobytes.
Lattice-based: HAWK offers strong performance with integer-only arithmetic, potentially easing hardware and software implementations. For instance, HAWK-512 signs in under 0.1 ms on a standard desktop and requires no floating-point unit, allowing efficient deployment on low-end embedded devices like ARM Cortex-M0 processors with as little as 6–14 kiB of RAM.
MPC-in-the-Head (MPCitH): FAEST, MQOM, and SDitH advanced from a highly competitive category. NIST praised their solid security foundations rooted in symmetric primitives or coding problems, along with promising deployment characteristics. FAEST, for example, leverages AES hardness for security comparable to SLH-DSA while delivering better overall performance metrics; MQOM stands out with competitive small public-key and signature sizes; and SDitH benefits from conservative hardness assumptions that support efficient threshold variants.
Multivariate: All remaining candidates — MAYO, QR-UOV, SNOVA, and UOV — moved forward. Despite recent cryptanalytic attention on certain multivariate parameter sets, NIST valued their performance advantages and decided to retain them for further scrutiny. UOV, for example, offers extremely small signatures around 96 bytes with fast verification, ideal for scenarios where the large public key (~67 kB) can be pre-distributed; MAYO and SNOVA further improve this by dramatically shrinking public keys (e.g., to a few kB) while retaining signing/verification speeds far faster than many lattice schemes.
These nine will now submit updated specifications and implementations — known as “tweaks” — to address feedback from earlier rounds. The third-round evaluation, expected to last approximately two years, will involve deeper security analysis, performance benchmarking, and public comments. NIST plans to host the 7th PQC Standardization Conference in late spring or early summer 2027, likely near NIST’s headquarters in Gaithersburg, Maryland.
The third-round evaluation, expected to last approximately two years, will involve deeper security analysis, performance benchmarking, and public comments. NIST plans to host the 7th PQC Standardization Conference in late spring or early summer 2027, likely near NIST’s headquarters in Gaithersburg, Maryland.
Evaluation and Next Steps
Detailed rationale appears in NIST Internal Report (IR) 8610, Status Report on the Second Round of the Additional Digital Signature Schemes. Selection criteria emphasized security, cost-performance, and unique implementation traits relative to already-standardized schemes.
Public participation remains a key component. Comments on the third-round candidates can be submitted via the project website for each algorithm, found here.
Broader Context and Implications
Quantum computers running Shor’s algorithm could eventually break widely used classical signatures such as RSA and ECDSA. Organizations worldwide are racing to migrate to PQC to protect long-lived data and systems. By advancing a broad set of algorithm candidates, NIST aims to provide flexible, high-assurance tools for everything from TLS certificates and code signing to embedded systems.
The full list of candidates, submission details, and comment portals are available on NIST’s PQC Digital Signature project page. As evaluations continue, expect further refinements and potential new standards likely to shape secure communications for decades to come.
Related Articles
Juliang Guangqi Raises $28M+ USD Angel Round to Industrialize Superconducting Quantum in China
Juliang Guangqi has closed a $28M+ USD angel round, one of the largest early-stage quantum hardware financings in China. The Shanghai startup is forging silicon-substrate
Quantum Computing Weekly Round-Up: Week Ending May 16, 2026
This quantum computing weekly roundup for the week ending May 16, 2026 showcases impressive hardware progress including silicon spin qubits that teleport states across a
Quantum Computing Weekly Round-Up: Week Ending May 9, 2026
This quantum computing weekly round-up captures a week full of tangible progress. New 180-qubit hardware, massive funding, and practical applications signal the sector moving from