Try the new CSRC.nist.gov and let us know what you think!
(Note: Beta site content may not be complete.)
Each submission must include:
Further details are described below.
2.B.1
A complete written specification of the algorithms shall be included, consisting of all necessary mathematical operations, equations, tables, and diagrams that are needed to implement the algorithms. The document shall also include a design rationale, and an explanation for all the important design decisions that have been made.
Each submission package shall describe a collection of algorithms, also called a cryptosystem or cryptographic scheme, that implements one or more of the following functionalities: public-key encryption, key encapsulation mechanism1 (KEM), and digital signature. Public-key encryption schemes shall include algorithms for key generation, encryption, and decryption. KEM schemes shall include algorithms for key generation, encapsulation, and decapsulation. Digital-signature schemes shall include algorithms for key generation, signature generation and signature verification.
If a submission includes more than one type of scheme, NIST will evaluate the schemes of each type separately. Submitters may choose to combine different types of schemes into a single submission. They may also instead prepare and submit a complete submission package for each algorithm, making sure to include all supporting documents and intellectual property statements in each individual package.
As the KEM and public-key encryption functionalities can generally be interconverted, unless the submitter specifies otherwise, NIST will apply standard conversion techniques to convert between schemes if necessary.
For algorithms that have tunable parameters (such as the dimension of some underlying vector space, or the number of equations and variables), the submission document shall specify concrete values for these parameters. If possible, the submission should specify several parameter sets that allow the selection of a range of possible security/performance tradeoffs. In addition, the submitter should provide an analysis of how the security and performance of the algorithms depend on these parameters. To facilitate the analysis of these algorithms by the cryptographic community, submitters are encouraged to also specify parameter sets that provide lower security levels, and to provide concrete examples that demonstrate how certain parameter settings affect the feasibility of known cryptanalytic attacks.
Specific parameter sets may permit NIST to select a different performance/security tradeoff than originally specified by the submitter, in light of discovered attacks or other analysis, and in light of the alternative algorithms that are available. NIST will consult with the submitter of the algorithm, as well as the cryptographic community, if it plans to select that algorithm for development as a NIST standard, but with a different parameter set than originally specified by the submitter.
A complete submission shall specify any padding mechanisms and any uses of NIST-approved cryptographic primitives that are needed in order to achieve security. If the scheme uses a cryptographic primitive that has not been approved by NIST, the submitter shall provide an explanation for why a NIST-approved primitive would not be suitable.
To help rule out the existence of possible back-doors in an algorithm, the submitter shall explain the provenance of any constants or tables used in the algorithm.
Back to Top
2.B.3 In addition, each submission package is required to include Known Answer Test (KAT) values that can be used to determine the correctness of an implementation of the submitted algorithms. The KATs are individual input tuples that produce single output values, e.g., an input tuple of a key and plaintext resulting in an output of the corresponding ciphertext. If an algorithm uses random values, the KAT should specify a fixed value for the random bits used by the algorithm, in order to force the algorithm to produce a fixed output value. Separate KATs should be provided to test different aspects of the algorithm, e.g., key generation, encryption, decryption, sign, verify, etc.
The KATs shall be included as specified below. All of these KAT values shall be submitted electronically, in separate files, on a CD–ROM, DVD, USB flash drive, or included in a zip file as described in Section 2.C.
Each file must be clearly labeled with header information listing:
The list must be followed by a set of tuples where all values within the tuple are clearly labeled (e.g., Plaintext, PublicKey, RandomBits, Ciphertext, etc.). Sample files for these KAT values will be posted at http://www.nist.gov/pqcrypto.
All applicable KATs that can be used to verify various features of the algorithm shall be included. A set of KATs shall be included for each security strength specified in Section 4.A. Required KATs include:
Note: The submitter is encouraged to include any other KATs that test different features of the algorithm (e.g., for permutation tables, padding scheme, etc.). The purposes of these tests shall be clearly described in the file containing the test values.
Back to Top2.B.4 The submission package shall include a statement of the expected security strength of the cryptosystem, along with a supporting rationale. For each parameter set the submitter wishes NIST to consider for standardization, the submitter shall specify a security definition from sections 4.A.2, 4.A.3, or 4.A.4, as well as an estimated security strength according to the categories given in section 4.A.5. All submitters are advised to be somewhat conservative in assigning parameters to a given category, but submitters of algorithms where the complexity of the best known attack has recently decreased significantly, or is otherwise poorly understood, should be especially conservative. Submitters should give quantitative estimates for any additional security provided by their settings above and beyond the minimum security strength provided by the relevant security strength category. Such estimates should include, at a minimum, a claimed classical security strength. Furthermore, the statement should address the additional attack scenarios identified in Section 4.A.6.
2.B.5 The submission package shall include a statement that summarizes the known cryptanalytic attacks on the scheme, and provides estimates of the complexity of these attacks.
The submitter shall provide a list of references to any published materials describing or analyzing the security of the submitted algorithm or cryptosystem. When possible, the submission of copies of these materials (accompanied by a waiver of copyright or permission from the copyright holder for public evaluation purposes) is encouraged.
2.B.6 The submission package shall include a statement that lists and describes the advantages and limitations of the cryptosystem. Such advantages and limitations may involve the assessment of the cryptosystem’s security against classical and quantum attacks, as well as any unusual characteristics of the scheme, such as extra functionalities, performance tradeoffs, and unusual vulnerabilities. This statement may also discuss the ease of implementing and deploying the algorithms, and their compatibility with existing protocols, networks and applications. This could include, for example, the suitability of the algorithm for use in hybrid schemes, which may be part of the transition to post-quantum cryptosystems.
In addition, this statement may address the ability to implement the algorithms in various environments, including, but not limited to 8-bit processors (e.g., smartcards), voice applications, satellite applications, or other environments where low power, constrained memory, or limited real-estate are consideration factors. To demonstrate the efficiency of a hardware implementation of the algorithm, the submitter may include a specification of the algorithm in a nonproprietary hardware description language (HDL).
1While the terms public-key encryption and KEM are widely used in academic literature, previous NIST publications have tended to describe KEMs using the term “key agreement” (also known as key exchange), and have tended to describe public key encryption schemes using the term “key transport.”
Return to Submission Requirements