NIST Announces Third Round Post Quantum Signatures

The original 2016 post-quantum competition yielded the core we all know already: ML-KEM (Kyber) for key encapsulation, plus ML-DSA (Dilithium), SLH-DSA (SPHINCS+), and FN-DSA (Falcon) for signatures. But ML-DSA and FN-DSA are lattice-based, as is ML-KEM, which means a known concentration risk. If someone finds a serious break in structured lattices, you lose your KEM and most of your signatures at once. SLH-DSA is the only hash-based hedge, and it’s large and slow.

So, six years later in 2022, NIST opened a separate “on-ramp” call specifically for signatures, with a stated goal of schemes built on different math (code-based, multivariate, MPC-in-the-head, isogeny). The aim was to expand beyond the one assumption and to find schemes with better performance profiles for cases where lattice signatures are awkward, such as those needing small signatures or fast verification (e.g. medical devices).

NIST has announced that it has selected nine candidates for the third round of this Additional Digital Signatures process, with a deliberate mathematical spread: SQIsign is isogeny-based (very small signatures); MAYO, QR-UOV, SNOVA and UOV are multivariate; FAEST, SDitH and MQOM are MPC-in-the-head; and HAWK is lattice-based but a different construction.

After 18 months of evaluation, NIST has selected nine candidates for the third round of the Additional Digital Signatures for the Post-Quantum Cryptography (PQC) Standardization Process.
