The original Post Quantum 2016 competition yielded the core trio we all know already: ML-KEM (Kyber) for key encapsulation, plus ML-DSA (Dilithium), SLH-DSA (SPHINCS+), and FN-DSA (Falcon) for signatures. But three of those four signatures, ML-DSA and FN-DSA, are lattice-based. That’s a known concentration risk. If someone finds a serious break in structured lattices, you lose your KEM and most of your signatures at once. SLH-DSA is the only hash-based hedge, and it’s large and slow.

So, six years later in 2022, NIST opened a separate “on-ramp” call specifically for signatures, with two stated goals: schemes built on different math (code-based, multivariate, MPC-in-the-head, isogeny). It was to expand beyond one assumption, and find schemes with better performance profiles for cases where lattice signatures are awkward, like small signatures or fast verification.

NIST has announced they have selected nine candidates for the third round of the Additional Digital Signatures process, which reflect the deliberate mathematical spread: SQIsign is isogeny-based (very small signatures), MAYO/QR-UOV/SNOVA/UOV are multivariate, FAEST/SDitH/MQOM are MPC-in-the-head, HAWK is lattice but a different construction.

After 18 months of evaluation, NIST has selected nine candidates for the third round of the Additional Digital Signatures for the Post-Quantum Cryptography (PQC) Standardization Process.