Date Published: March 27, 2025
Comments Due:
Email Comments to:
Author(s)
Luís T. A. N. Brandão (NIST, Strativia), Rene Peralta (NIST)
Announcement
This is a second public draft. Threshold schemes should NOT be submitted until the final version of this report is published. However, the present draft can be used as a baseline to prepare for future submissions.
The scope of the call is organized into categories related to signing (Sign), public-key encryption (PKE), symmetric-key cryptography and hashing (Symm), key generation (KeyGen), fully homomorphic encryption (FHE), zero-knowledge proofs of knowledge (ZKP), and auxiliary gadgets. The categories are organized into two classes:
- Class N (old Cat1): NIST-specified primitives (i.e., in Sign, PKE, Symmetric, KeyGen)
- Class S (old Cat2): Special others (i.e., in Sign, PKE, Symmetric, KeyGen, FHE, ZKPoK, Gadgets)
The scope of some categories (old subcategories) has been updated:
- The Class N categories (see Sections 2.1 and 9, and Appendix A) now also include primitives that have been selected by the NIST Post-Quantum Cryptography and Lightweight Cryptography standardization processes.
- The old subcategory of primitives for ECC pair-wise key exchange is now considered within the KeyGen category N1.
- In Class S (see Section 10.5 and Appendix B.1), the old “advanced” subcategory has been adapted to a category (S5) focused only on FHE.
The submission logistics and explanation of requirements have also been updated. For example:
- Section 4.1 specifies an initial “Previews” phase, which encourages the submission of a “planning summary” of the future package submission.
- Section 4.4 discusses implied agreements, licensing and patents disclosure.
- Section 5 refines the specification requirements, now allowing multiple crypto-systems.
- Section 6 clarifies the open-source implementation requirements, now allowing external dependencies.
- All requirements (“shall” statements) are now included in the main matter (including in the new Sections 8, 9 and 10), whereas the appendices contain informative material.
- Appendix D provides a detailed list of changes made since the initial public draft.
The public comment period is open through April 30, 2025. Public comments should be submitted by email to nistir-8214C-comments@nist.gov. Comments will be compiled and made publicly available.
For announcements and discussions related to the NIST Multi-Party Threshold Cryptography project, please join the MPTC-forum.
NOTE: A call for patent claims is included in front matter of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.
This document calls for public submissions of multi-party threshold schemes, and other related crypto-systems, to support the United States National Institute of Standards and Technology (NIST) in gathering a public body of reference material on advanced cryptography. In a threshold scheme, an underlying cryptographic primitive (e.g., signature, encryption, decryption, key generation) is computed in a distributed manner, while a private/secret key is or becomes secret shared across various parties. Threshold schemes submitted in reply to this “NIST Threshold Call” should produce outputs that are “interchangeable” with a reference conventional (non-threshold) primitive of interest, from various categories organized into two classes: Class N, for selected NIST-specified primitives; and Class S, for special primitives that are not specified by NIST but are threshold-friendlier or have useful functional features. The scope of Class S also includes fully-homomorphic encryption, zero-knowledge proofs, and auxiliary gadgets. This document specifies the requirements for submission (including specification, implementation, and evaluation), along with phases and deadlines. The ensuing public analysis will support the elaboration of a characterization report, which may help assess new interests beyond the cryptographic techniques currently standardized by NIST, and may include recommendations for subsequent processes.
This document calls for public submissions of multi-party threshold schemes, and other related crypto-systems, to support the United States National Institute of Standards and Technology (NIST) in gathering a public body of reference material on advanced cryptography. In a threshold scheme, an...
See full abstract
This document calls for public submissions of multi-party threshold schemes, and other related crypto-systems, to support the United States National Institute of Standards and Technology (NIST) in gathering a public body of reference material on advanced cryptography. In a threshold scheme, an underlying cryptographic primitive (e.g., signature, encryption, decryption, key generation) is computed in a distributed manner, while a private/secret key is or becomes secret shared across various parties. Threshold schemes submitted in reply to this “NIST Threshold Call” should produce outputs that are “interchangeable” with a reference conventional (non-threshold) primitive of interest, from various categories organized into two classes: Class N, for selected NIST-specified primitives; and Class S, for special primitives that are not specified by NIST but are threshold-friendlier or have useful functional features. The scope of Class S also includes fully-homomorphic encryption, zero-knowledge proofs, and auxiliary gadgets. This document specifies the requirements for submission (including specification, implementation, and evaluation), along with phases and deadlines. The ensuing public analysis will support the elaboration of a characterization report, which may help assess new interests beyond the cryptographic techniques currently standardized by NIST, and may include recommendations for subsequent processes.
Hide full abstract
Keywords
Crypto-systems; distributed systems; fully-homomorphic encryption (FHE); post-quantum cryptography (PQC); secure multi-party computation (MPC); threshold cryptography; threshold encryption; threshold schemes; threshold signatures; zero-knowledge proofs (ZKP)
Control Families
None selected
