Michal Pietrus · 3 min read
NIST Additional Digital Signature Schemes: Third Round of PQC Selection
PQC cryptography, for now, doesn't bring simple answers and requires integrators to have broad knowledge of specific cryptographic schemes — and there will be quite a few in the coming decade.

With the publication of NIST IR 8610, nine candidates in the “Additional Digital Signature Schemes” process advance to the third round as post-quantum cryptography (PQC) digital signature schemes.
Although this is not yet a final decision, it is a reminder that NIST is actively evaluating new schemes that may strengthen the existing ML-DSA, SLH-DSA and FN-DSA families. At the same time, if we reduce the candidate list to 2–4, we still end up with 5–7 schemes for digital signatures alone. Each of them has different properties, and none of them comes close to the characteristics of pre-quantum variants such as ECC or RSA. One notable exception is SQIsign, an isogeny-based scheme that offers very compact public keys and signatures. The caveat, however, is the known compromise history of isogeny-based cryptography, most notably the SIKE KEM scheme.
The chart below illustrates the problem quite well:
Source: NIST Signatures Zoo
Another chart worth looking at is the signing/verification cycles comparison, which gives perspective on the computational resources needed when considering a particular scheme, and this is where SQIsign no longer looks quite as attractive.
The Call for Proposals stated that submissions should meet at least one of the following criteria:
- Lattice-based schemes should offer at least one significant performance advantage over ML-DSA and FN-DSA.
- Non-lattice-based schemes should provide at least one significant performance advantage over SLH-DSA.
The important algorithm families analyzed in this round are: isogenies, multivariate schemes and MPC-in-the-Head (MPCitH). The latter group is particularly interesting because it builds signature schemes on a relatively new conceptual model: locally simulated multi-party computation (MPC) with virtual parties and zero-knowledge proofs (ZKP).
You can think of MPCitH as splitting a secret, the private key, among virtual parties, each of which maintains its own local execution state and generates commitments to that state. The list of all interactions between a given party and the others is called a view, effectively a log of interactions. The signer then aggregates commitments to these views and selectively reveals fragments of them to the verifier in the form of a ZKP.
The role of the verifier is, by analogy, somewhat similar to a replica (or node) in a practical Byzantine Fault Tolerance (pBFT)-style distributed system, looking for inconsistencies in the supplied proofs. The MPCitH signature verifier does exactly that: it looks for inconsistencies.
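The commit, selectively reveal, and check-for-inconsistencies flow described above, as an added toy sketch in Python; it is not code from the original post or from any scheme named on this page. It assumes a made-up linear relation y = a·x mod P, which is trivially invertible and therefore has no security value, and because a linear relation needs no interaction between parties, each party's view is only its own share.

```python
import hashlib, secrets

P, N, TAU = 2**61 - 1, 8, 16  # toy field, virtual parties, repetitions (assumed)

def H(*parts):
    """Length-prefixed SHA3-256 over bytes/ints; used for commitments and challenges."""
    h = hashlib.sha3_256()
    for p in parts:
        b = p if isinstance(p, bytes) else str(p).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return h.digest()

def hidden_parties(msg, a, y, rounds):
    # Fiat-Shamir: which party stays hidden in each repetition is derived
    # from the message and every commitment, so the signer cannot choose it.
    seed = H(msg, a, y, *[v for coms, outs in rounds for v in coms + outs])
    return [H(seed, r)[0] % N for r in range(TAU)]

def sign(msg, a, x):
    rounds, states = [], []
    for _ in range(TAU):
        shares = [secrets.randbelow(P) for _ in range(N - 1)]
        shares.append((x - sum(shares)) % P)          # shares sum to secret x
        salts = [secrets.token_bytes(16) for _ in range(N)]
        coms = [H(i, salts[i], shares[i]) for i in range(N)]  # commit to state
        outs = [a * s % P for s in shares]            # each party's output share
        rounds.append((coms, outs))
        states.append(list(zip(salts, shares)))
    hide = hidden_parties(msg, a, a * x % P, rounds)
    opened = [{i: st[i] for i in range(N) if i != h}
              for st, h in zip(states, hide)]
    return rounds, opened                             # N-1 of N states revealed

def verify(msg, a, y, sig):
    rounds, opened = sig
    if len(rounds) != TAU or len(opened) != TAU:
        return False
    hide = hidden_parties(msg, a, y, rounds)
    for (coms, outs), views, h in zip(rounds, opened, hide):
        if len(coms) != N or len(outs) != N or sum(outs) % P != y:
            return False                              # outputs must recombine to y
        if set(views) != set(range(N)) - {h}:
            return False                              # wrong parties opened
        for i, (salt, share) in views.items():
            if H(i, salt, share) != coms[i] or a * share % P != outs[i]:
                return False                          # inconsistent party state
    return True
```

A signer who fakes one party's state in a repetition escapes detection only if that party is the hidden one, a 1/N chance, which is why the check is repeated TAU times.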
AIMer, one of the MPCitH variants, has already been standardized by the South Korean Quantum-Resistant Cryptography Research Group.
I covered South Korea’s approach to cryptographic sovereignty here.
Compared to SLH-DSA, MPCitH variants offer smaller signatures and better verification performance:
| Scheme | Family | Parameter Set | pk (B) | sig (B) | Sign (cycles) | Verify (cycles) |
|---|---|---|---|---|---|---|
| FAEST | MPCitH | 128f | 32 | 5,924 | 1.7M | 1.4M |
| FAEST | MPCitH | EM-128f | 32 | 5,060 | 1.4M | 1.1M |
| MQOM | MPCitH | L1-gf2-fast-3r | 52 | 3,212 | 6.8M | 6.3M |
| MQOM | MPCitH | L1-gf16-fast-3r | 60 | 3,484 | 2.8M | 2.4M |
| MQOM | MPCitH | L1-gf256-fast-3r | 80 | 4,164 | 3.5M | 3.0M |
| SDitH | MPCitH | SDitH2-L1-gf2-fast | 70 | 4,484 | 5.0M | 4.5M |
| SLH-DSA | hash-based | SHAKE-128f | 32 | 17,088 | 239.8M | 12.9M |
Source: NIST Signatures Zoo
Compare, for example, SLH-DSA 128f with FAEST 128f. The paradox of SLH-DSA is that it often fits infrastructure use cases very well because of its relatively simple construction (more here), but that same simplicity is also its Achilles’ heel in terms of performance and computational requirements. MPCitH, on the other hand, is a relatively new concept, coming at the cost of significantly more complex proof systems, not to mention potential side-channel vectors that stem precisely from the complexity of the concept and its non-trivial implementation.
Trade-offs. Good morning.

