The U.S. National Institute of Standards and Technology advanced nine digital signature algorithms to the third round of its additional post-quantum cryptography standardization effort, as the agency continues preparing encryption systems capable of resisting future attacks from quantum computers. In a newly released report detailing the second-round evaluation process, NIST selected FAEST, HAWK, MAYO, MQOM, QR-UOV, SDitH, SNOVA, SQIsign, and UOV for further review after assessing public feedback, security analysis, implementation performance, and deployment considerations. The algorithms are being evaluated as potential additions to the agency’s growing portfolio of post-quantum cryptographic standards designed to protect sensitive information well beyond the arrival of practical quantum computing.
The latest round reflects increasing urgency across governments and industry to prepare critical infrastructure, communications systems, cloud services, and digital identity frameworks for a post-quantum transition that could take years to fully implement. NIST received 50 submissions in response to its 2022 call, accepted 40 first-round candidates, and narrowed the field to 14 second-round finalists before selecting the remaining nine candidates this month.
The agency said the selected algorithms underwent extensive analysis from NIST researchers and the broader cryptographic community, including theoretical security reviews, performance testing, and implementation studies aimed at assessing long-term viability for real-world deployment.
NIST launched its broader Post-Quantum Cryptography Standardization Process in 2016 amid growing concern that advances in quantum computing could eventually break widely used public-key cryptographic systems. Since then, the agency has conducted a multi-round, competition-style review process to identify quantum-resistant key encapsulation mechanisms and digital signature schemes suitable for federal and commercial deployment.
The agency previously standardized several algorithms through earlier rounds, including lattice-based and hash-based signature standards, but issued a separate call for additional digital signature proposals in 2022 to diversify its cryptographic portfolio beyond lattice-based approaches and identify schemes optimized for shorter signatures and faster verification performance.
NIST said its evaluation of second-round post-quantum digital signature candidates focused on three primary areas: security, cost and performance, and overall algorithm and implementation characteristics. NIST also emphasized the need to diversify beyond previously standardized cryptographic approaches, requiring lattice-based submissions to demonstrate major performance gains over CRYSTALS-Dilithium and Falcon, while non-lattice schemes needed to significantly outperform SPHINCS+ in at least one area.
Security remained the agency’s highest priority because the future algorithms are intended for widespread deployment across internet protocols, firmware updates, document signing, certificate systems, and critical digital infrastructure. NIST highlighted the importance of strong unforgeability protections, resistance to side-channel and multi-key attacks, and transparent disclosure of known cryptanalytic weaknesses.
Several second-round candidates, particularly multivariate schemes based on Unbalanced Oil and Vinegar (UOV), faced major attacks during the review process, affecting parameter sets in UOV, MAYO, and SNOVA. However, NIST noted that unbroken parameter sets still exist for those algorithms, including all proposed parameters for QR-UOV.
The agency also evaluated practical deployment considerations such as key and signature sizes, computational efficiency, memory requirements, and hardware performance. NIST said several candidates achieved substantial performance gains during the second round through architectural redesigns and newer techniques such as Threshold Computation in the Head and Vector Oblivious Linear Evaluation in the Head, which improved signing and verification speed while reducing signature sizes.
At the same time, NIST continued monitoring implementation simplicity, side-channel resilience, and intellectual property concerns, stating that no side-channel findings during the second round were severe enough to eliminate any candidate from advancing to the third round.
NIST detailed that CROSS, a code-based signature scheme built on the Restricted Syndrome Decoding problem, underwent additional security analysis and parameter updates during the second round. However, the agency said the scheme’s performance profile remained too similar to SPHINCS+, with only modest signing improvements and very large signatures, leading NIST to eliminate it from further consideration.
The agency said LESS, which is based on the Linear Code Equivalence problem, achieved notable reductions in signature sizes during the second round through canonical-form optimizations. Even so, the agency concluded that its large public keys, slower signing and verification performance, and newly published attacks against parameter security margins outweighed its signature-size advantages, resulting in its removal from the competition.
NIST described SQIsign as one of the most distinctive candidates because of its exceptionally small combined public-key and signature sizes, making it attractive for certificates and firmware updates. The agency said architectural refinements improved signing performance by roughly 20 times while maintaining resistance against attacks that compromised the earlier SIKE scheme. Despite concerns around implementation complexity and side-channel resistance, SQIsign advanced to the third round due to its compactness and growing maturity.
The agency said HAWK stood out as a lattice-based scheme that eliminates Falcon’s reliance on floating-point arithmetic by using only integer operations. NIST highlighted its compact signatures, efficient implementation profile, and suitability for constrained devices, while noting that recent cryptanalysis did not produce practical attacks. HAWK advanced to the third round, although the agency encouraged additional analysis of its underlying security assumptions.
NIST described FAEST as a VOLE-in-the-Head signature scheme that relies heavily on well-established symmetric cryptographic primitives such as AES. The agency said second-round refinements improved both efficiency and quantum-era security proofs while maintaining a conservative overall design. Although researchers demonstrated new side-channel and fault-injection attacks against certain implementations, NIST concluded those risks were manageable and selected FAEST for the third round.
The agency said Mirath, an MPC-in-the-Head scheme based on the MinRank problem, benefited from major performance improvements and stronger quantum security proofs during the second round. However, NIST determined that competing MPCitH candidates offered either more mature security assumptions or stronger performance characteristics, leading the agency to eliminate Mirath despite its progress.
NIST said MQOM emerged as one of the strongest MPCitH candidates because of its highly competitive performance profile and relatively small public-key and signature sizes. Built on the hardness of solving multivariate quadratic equations, MQOM advanced to the third round despite the agency noting that its quantum security proofs still require further refinement and broader analysis.
The agency said PERK, which is based on proving knowledge of secret permutations through MPC-in-the-Head techniques, significantly reduced signature sizes during the second round. However, NIST found that PERK remained substantially slower than competing schemes such as FAEST, and concluded that its modest signature-size benefits did not justify the computational trade-offs, resulting in its elimination.
NIST described RYDE as an MPC-in-the-Head signature algorithm built on a variant of the Rank Syndrome Decoding problem. The agency said second-round updates greatly improved implementation efficiency and reduced signature sizes by roughly half. Still, NIST concluded that RYDE’s overall profile overlapped too closely with stronger-performing MPCitH candidates such as MQOM and decided not to advance it.
The agency said SDitH distinguished itself through conservative security assumptions based on the long-studied syndrome decoding problem for random linear codes. Although NIST acknowledged the scheme’s relatively high computational costs and complex design evolution, the agency selected SDitH for the third round because of confidence in its mathematical foundations and long-term security potential.
NIST described UOV as a foundational multivariate signature design valued for its extremely small signatures and fast verification speeds, despite its very large public keys. The agency acknowledged that recent wedge attacks weakened confidence in several parameter sets but maintained that the broader UOV framework remains resilient and important for algorithmic diversity. UOV advanced to the third round with recommendations for revised parameter selections and further exploration of odd-characteristic implementations.
The agency said MAYO remained attractive because it balances reduced public-key sizes with efficient signing and verification performance through a structured “whipping” transformation of the UOV framework. Although wedge attacks significantly impacted one of MAYO’s category-1 parameter sets, NIST concluded the issues were linked more to parameter choices than to the core architecture and selected MAYO to continue into the third round.
NIST highlighted QR-UOV as one of the more stable multivariate candidates after it largely avoided the wedge attacks that affected many characteristic-2 schemes. By using odd-characteristic fields and quotient ring techniques, QR-UOV achieved substantial public-key reductions while preserving strong security margins and delivering major performance improvements during the second round. These factors led NIST to advance QR-UOV to the third round.
The agency said SNOVA continues to show promise despite suffering repeated cryptanalytic attacks across both evaluation rounds. Designed to aggressively shrink public-key sizes while maintaining fast verification performance, SNOVA introduced revised odd-characteristic parameter sets that demonstrated highly competitive efficiency, including public keys and signatures smaller than Falcon in some configurations. NIST said the scheme has not yet reached a stable form but retained it in the third round because of its long-term potential as a compact, high-performance signature scheme.
NIST selected nine digital signature algorithms to advance to the third round of its additional post-quantum cryptography standardization effort after evaluating 14 second-round candidates across security, performance, and implementation criteria.
The agency said the overall quality of submissions made selection decisions particularly difficult, with evaluations considering cryptographic maturity, resistance to attacks, key and signature sizes, computational efficiency, and differences from already standardized post-quantum schemes. NIST ultimately advanced HAWK and SQIsign for their compact signatures and algorithmic diversity, while selecting FAEST, MQOM, and SDitH from the competitive MPC-in-the-Head category because of their stronger security foundations, performance profiles, and broader potential for deployment.
NIST also chose to retain all four remaining multivariate candidates, including UOV, MAYO, QR-UOV, and SNOVA, despite recent cryptanalytic attacks affecting several parameter sets. The agency said the schemes continue to offer distinct advantages, including very small signatures, reduced public-key sizes, and algorithmic diversity, while unbroken parameter sets remain available for each. NIST indicated that recent attacks against multivariate cryptography will likely extend the timeline for any future standardization decisions in this category.
Meanwhile, CROSS and LESS were eliminated after NIST concluded their security uncertainties and performance trade-offs did not compare favorably with competing candidates or existing post-quantum standards.
In conclusion, NIST said the selection of nine third-round candidates marks the next phase of its effort to standardize additional post-quantum digital signature algorithms capable of protecting sensitive systems against future quantum-enabled attacks. NIST said the remaining candidates will undergo deeper analysis focused on security, implementation maturity, and real-world deployment performance as the agency works to expand and diversify its post-quantum cryptography portfolio.
NIST said submitters will be allowed to make limited refinements to address weaknesses, inconsistencies, or implementation concerns before updated submission packages are due on Aug. 14, 2026. The agency cautioned that major redesigns could indicate a lack of standardization readiness, although some schemes, particularly newer multivariate candidates, may require broader adjustments.
Over the coming months, NIST is calling on the global cryptographic community to further test the remaining algorithms, including evaluating optimized implementations, constrained-device performance, hardware acceleration, and resistance to emerging attacks, ahead of another planned PQC standardization conference in 2027.
In January, the Cybersecurity and Infrastructure Security Agency (CISA) released an initial list of hardware and software categories that currently support, or are expected to support, post-quantum cryptography standards. The list helps organizations plan PQC migration strategies and evaluate future technology investments in an evolving cybersecurity landscape. It includes examples of widely available products within these categories that use PQC standards to protect sensitive information.


