NIST Advances Nine Candidates to the Third Round of Additional Post-Quantum Digital Signatures

The U.S. National Institute of Standards and Technology (NIST) announced on May 14, 2026, nine digital signature algorithms advancing to the third round of its Additional Digital Signatures for the Post-Quantum Cryptography (PQC) Standardization Process. These nine algorithms were selected after 18 months of intensive scrutiny and evaluation. The goal brings NIST closer to expanding its portfolio of quantum-resistant signatures.NIST has already standardized several core PQC algorithms, including lattice-based schemes (for example, CRYSTALS-Dilithium (FIPS 204)) and hash-based options. However, the agency recognized the need for greater algorithmic diversity. Different applications demand trade-offs in signature size, verification speed, key generation performance, and implementation simplicity. Bandwidth-constrained environments such as IoT devices or certificate chains may favor compact signatures, while high-volume software signing benefits from fast verification.The “on-ramp” or additional signatures track seeks algorithms complementing existing standards, offering better performance in specific use cases or relying on alternative hard mathematical problems. The algorithmic diversity strengthens overall cybersecurity-ecosystem resilience against future cryptanalytic advances and quantum threats.The selected algorithms represent a thoughtful mix of cryptographic families:Isogeny-based: SQIsign stands out for its exceptionally compact signatures, making it attractive for bandwidth-limited scenarios. For example, at NIST security Level I, SQIsign achieves a combined public key + signature size of roughly 212 bytes (64-byte public key + 148-byte signature), significantly smaller than many lattice-based alternatives like ML-DSA, which can exceed several kilobytes.Lattice-based: HAWK offers strong performance with integer-only arithmetic, potentially easing hardware and software implementations. For instance, HAWK-512 signs in under 0.1 ms on a standard desktop and requires no floating-point unit, allowing efficient deployment on low-end embedded devices like ARM Cortex-M0 processors with as little as 6–14 kiB of RAM.MPC-in-the-Head (MPCitH): FAEST, MQOM, and SDitH advanced from a highly competitive category. NIST praised their solid security foundations rooted in symmetric primitives or coding problems, along with promising deployment characteristics. FAEST, for example, leverages AES hardness for security comparable to SLH-DSA while delivering better overall performance metrics; MQOM stands out with competitive small public-key and signature sizes; and SDitH benefits from conservative hardness assumptions that support efficient threshold variants.Multivariate: All remaining candidates — MAYO, QR-UOV, SNOVA, and UOV — moved forward. Despite recent cryptanalytic attention on certain multivariate parameter sets, NIST valued their performance advantages and decided to retain them for further scrutiny. UOV, for example, offers extremely small signatures around 96 bytes with fast verification, ideal for scenarios where the large public key (~67 kB) can be pre-distributed; MAYO and SNOVA further improve this by dramatically shrinking public keys (e.g., to a few kB) while retaining signing/verification speeds far faster than many lattice schemes.These nine will now submit updated specifications and implementations — known as “tweaks” — to address feedback from earlier rounds. The third-round evaluation, expected to last approximately two years, will involve deeper security analysis, performance benchmarking, and public comments. NIST plans to host the 7th PQC Standardization Conference in late spring or early summer 2027, likely near NIST’s headquarters in Gaithersburg, Maryland. The third-round evaluation, expected to last approximately two years, will involve deeper security analysis, performance benchmarking, and public comments. NIST plans to host the 7th PQC Standardization Conference in late spring or early summer 2027, likely near NIST’s headquarters in Gaithersburg, Maryland. Detailed rationale appears in NIST Internal Report (IR) 8610, Status Report on the Second Round of the Additional Digital Signature Schemes. Selection criteria emphasized security, cost-performance, and unique implementation traits relative to already-standardized schemes.Public participation remains a key component. Comments on the third-round candidates can be submitted via the project website for each algorithm, found here.Quantum computers running Shor’s algorithm could eventually break widely used classical signatures such as RSA and ECDSA. Organizations worldwide are racing to migrate to PQC to protect long-lived data and systems. By advancing a broad set of algorithm candidates, NIST aims to provide flexible, high-assurance tools for everything from TLS certificates and code signing to embedded systems.The full list of candidates, submission details, and comment portals are available on NIST’s PQC Digital Signature project page. As evaluations continue, expect further refinements and potential new standards likely to shape secure communications for decades to come.SourceThis quantum computing weekly roundup for the week ending May 16, 2026 showcases impressive hardware progress including silicon spin qubits that teleport states across a This quantum computing weekly round-up captures a week full of tangible progress. New 180-qubit hardware, massive funding, and practical applications signal the sector moving from Origin Quantum has introduced its fourth-generation superconducting quantum computer, the Origin Wukong-180, featuring 180 computational qubits. Built on a complete domestic stack, the system offers Sign up to receive our newsletter and other reports.We keep your data private and share your data only with third parties that make this service possible. Read our privacy policy for more info.Check your inbox or spam folder to confirm your subscription.