NIST Additional Digital Signature Schemes
The NIST additional digital signature schemes effort, often called the signature “on-ramp,” is an ongoing NIST competition, started in 2022, to standardize more post-quantum digital signature algorithms beyond the ones already finalized, with a deliberate preference for designs built on math other than structured lattices so the world’s signing infrastructure doesn’t rest on a single hard problem. It’s a multi-round evaluation, not a finished standard, and as of 2026 it’s in its third round.
The short version:
- NIST already standardized its primary post-quantum signatures (ML-DSA and FN-DSA on lattices, SLH-DSA on hashes). The on-ramp is a separate, later call to add more.
- NIST issued the call in September 2022 and is primarily looking for general-purpose signatures that are not based on structured lattices, plus schemes with short signatures and fast verification.
- 40 submissions entered Round 1 in 2023, 14 advanced to Round 2 in October 2024, and 9 advanced to Round 3 in May 2026.
- The 9 still standing span several math families: isogenies (SQIsign), a different lattice problem (HAWK), symmetric AES-based design (FAEST), MPC-in-the-head (MQOM and SDitH), and the multivariate oil-and-vinegar family (UOV, MAYO, QR-UOV, SNOVA).
- Nothing from the on-ramp is a finished standard yet, so treat these as research candidates, not algorithms to deploy.
Why did NIST run a second signature competition?
Think of it the way a manufacturer thinks about sourcing a critical component. If every part comes from one supplier, a single failure at that supplier stops the whole line. NIST’s finished signature standards mostly rest on one kind of math: ML-DSA and FN-DSA are both lattice-based, and the one exception, SLH-DSA, is hash-based but produces large, slow signatures that are impractical for many high-volume uses. So the standardized signing world leans heavily on lattices.
That’s a concentration risk. If a serious cryptanalytic result ever weakened lattice signatures, the standardized alternatives would be thin. The on-ramp exists to widen the field: to bring signature schemes built on genuinely different mathematical assumptions through the same rigorous public evaluation, so that a break in one area doesn’t leave the ecosystem without a working option. It’s the same logic that led NIST to add the code-based KEM HQC as a backup to the lattice-based ML-KEM, applied now to signatures.
The lesson underneath it is fresh. Isogeny-based SIDH/SIKE looked healthy for roughly a decade and then fell to an ordinary classical computer in 2022. A whole math family can look solid and then collapse, which is exactly why NIST wants more than one basket to hold its signature eggs.
What kind of signatures is NIST looking for?
NIST spelled out its priorities in the call, and they’re specific:
- General-purpose signatures not based on structured lattices. This is the headline goal. NIST said it’s “primarily interested in additional general-purpose signature schemes that are not based on structured lattices.”
- Short signatures and fast verification. For applications like certificate transparency, where signatures are verified constantly and stored at scale, small size and quick checking matter more than anything.
- Lattice schemes only if they clearly win. NIST left the door open to new lattice designs, but only ones that “significantly outperform” the already-standardized CRYSTALS-Dilithium and FALCON in real applications.
The through-line is that this competition is graded differently from the original one. The first NIST process was hunting for anything that worked and was efficient. This one is hunting for what’s missing from the shelf: different math, and different size-and-speed trade-offs.
Source: NIST, “Request for Additional PQC Digital Signature Schemes,” September 6, 2022, csrc.nist.gov.
How does the on-ramp process work, and what round is it in?
It runs as a multi-round elimination, the same public-cryptanalysis model as the original NIST post-quantum process. Each round, submission teams publish their designs, the global cryptography community attacks them, NIST reviews the results, and a narrowed set advances.
| Date | Milestone |
|---|---|
| September 6, 2022 | Call for additional signatures issued |
| June 1, 2023 | Submission deadline; 40 complete-and-proper submissions enter Round 1 |
| October 25, 2024 | IR 8528 published; 14 candidates advance to Round 2 |
| May 14, 2026 | IR 8610 published; 9 candidates advance to Round 3 |
| August 14, 2026 | Deadline for Round 3 teams to submit updated specifications |
Sources: NIST IR 8528, “Status Report on the First Round of the Additional Digital Signature Schemes,” October 2024, csrc.nist.gov; NIST IR 8610, “Status Report on the Second Round of the Additional Digital Signature Schemes,” May 14, 2026, csrc.nist.gov.
The important framing for anyone planning a migration: this is deliberately slow. A third round in 2026 means real standards, if any, are still years out. These are candidates under active study, not options you build on today.
Which candidates are still in the running?
Nine schemes advanced to Round 3 in May 2026, and together they cover a wide spread of mathematical approaches, which is the whole point of the exercise:
| Candidate | Family / approach |
|---|---|
| SQIsign | Isogeny-based (compact signatures, mathematical diversity from lattices) |
| HAWK | Lattice-based (built on the lattice isomorphism problem, a different lattice assumption than ML-DSA) |
| FAEST | Symmetric-key (built on AES, using the VOLE-in-the-head technique) |
| MQOM | MPC-in-the-head (over the multivariate quadratic problem) |
| SDitH | MPC-in-the-head (over code-based syndrome decoding) |
| UOV | Multivariate (Unbalanced Oil and Vinegar, the family baseline) |
| MAYO | Multivariate (a UOV variant) |
| QR-UOV | Multivariate (a UOV variant) |
| SNOVA | Multivariate (a UOV variant) |
Source: NIST, “Round 3 Additional Signatures,” csrc.nist.gov; NIST IR 8610, csrc.nist.gov.
Two things stand out:
- SQIsign survived, valued for its very small signatures and for offering math unlike anything else in the standardized lineup, even though the isogeny family’s flagship key-exchange scheme was the one that famously broke in 2022.
- The multivariate “oil and vinegar” family is heavily represented, with four of the nine candidates being UOV or a close variant, which reflects how much recent research has clustered on that approach.
What happened to the candidates that were cut?
Five schemes were dropped after Round 2: CROSS, LESS, Mirath, PERK, and RYDE. Some were eliminated on performance and maturity grounds, and the second round was also an unusually rough one for cryptanalysis.
The heaviest damage landed on the multivariate side. A series of attacks during Round 2 hit oil-and-vinegar designs hard, forcing parameter-set changes on UOV, MAYO, and SNOVA to restore their claimed security. That’s the on-ramp working as intended: sustained public attack is how a scheme earns trust, and better to find the weakness in Round 2 than after standardization. It’s also a reminder that a scheme surviving a round is not the same as a scheme being proven safe.
Source: NIST IR 8610, “Status Report on the Second Round of the Additional Digital Signature Schemes,” May 14, 2026, csrc.nist.gov.
Is any of this a finished standard yet?
No. As of 2026, the additional signatures effort is in Round 3, which is an active evaluation phase, and no on-ramp algorithm has been published as a Federal Information Processing Standard. This matters because it’s easy to see a name like SQIsign or MAYO in a product roadmap and assume it’s ready. It isn’t. The only finalized post-quantum signature standards are FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA), with FIPS 206 (FN-DSA) still in draft. Everything in the on-ramp is a candidate that may or may not become a standard, on a timeline measured in years.
For a migration happening now, the guidance is unchanged: deploy the finalized standards, and build for crypto-agility so that whatever the on-ramp eventually produces can be adopted as a configuration change rather than a rebuild.
How does this relate to ML-DSA and SLH-DSA?
The on-ramp doesn’t replace or compete with the finalized signatures; it supplements them. ML-DSA stays the general-purpose default, SLH-DSA stays the conservative hash-based hedge, and FN-DSA is the compact lattice option once its standard finalizes. The additional schemes are meant to fill gaps those three leave: a well-studied signature on non-lattice math, and options that are smaller or faster for specialized uses. If one graduates to a standard, it becomes another tool on the shelf, chosen when its particular trade-off fits, not a wholesale swap for what’s already there.
Common misconceptions
- “These are new NIST-approved algorithms you can use.” They’re candidates in an ongoing competition rather than finished standards. Nothing from the on-ramp is finalized, and deploying one today would mean building on something that could still be cut or changed.
- “NIST is running out of confidence in ML-DSA.” The opposite. ML-DSA remains the recommended default. The on-ramp is about adding diversity as insurance, not about doubting the primary standard.
- “SQIsign proves isogeny cryptography is fine after SIKE broke.” SQIsign is a distinct construction from the broken SIDH/SIKE line, and its survival in the process reflects promise, not a clean bill of health. It’s still under active cryptanalysis like every other candidate.
- “The signature on-ramp fixes the harvest-now-decrypt-later problem.” It doesn’t touch it. Harvest-now-decrypt-later is a key-establishment risk, solved by ML-KEM. Signatures only fail once a quantum computer is real, which is why this track can move more slowly.
- “More candidates means more secure.” A larger field means more diversity to choose from, but each scheme still has to survive the cryptanalysis. Several candidates were weakened or cut precisely because the scrutiny is doing its job.
Questions people ask
What does “on-ramp” mean here? It’s the informal name for this second, later call for signature submissions, opened after the original NIST post-quantum competition had already selected its winners. The metaphor is a highway on-ramp: new schemes merging into the standardization process after it was already moving.
Why does NIST want signatures that aren’t lattice-based? Because its finalized signature standards lean heavily on lattices, and concentrating on one math family is a risk. If lattice cryptanalysis ever advanced significantly, NIST wants proven alternatives on entirely different assumptions already in hand.
Which of the candidates is most likely to be standardized? NIST hasn’t committed to standardizing any of them, and predicting a winner would be guessing. The nine Round 3 candidates each have different strengths, and the process is designed so that cryptanalysis over the coming rounds decides, not early favorites.
Can I deploy SQIsign, MAYO, or FAEST now? No. They’re research candidates without a finalized standard, reference-grade FIPS validation, or the long track record that production signing demands. Use the finalized standards and stay agile.
How long until one becomes a standard? There’s no published finalization date, and a third round in 2026 means any resulting standard is still years away. Treat the timeline as open and track NIST’s status reports rather than planning around a specific date.
Is this the same as the original NIST post-quantum competition? It’s a continuation of the same overall standardization program but a separate track with its own call, its own submissions, and its own rounds, focused specifically on adding signature diversity that the first process didn’t produce.
What are MPC-in-the-head and multivariate schemes? They’re two of the non-lattice families in the running. MPC-in-the-head builds a signature from a simulated secure computation, and multivariate schemes (the oil-and-vinegar family) base security on the difficulty of solving systems of quadratic equations. Both give NIST math that’s independent of lattices.
Everything here is the map, given freely. When your team needs help telling a finalized standard you can deploy from a research candidate you can’t, that’s what an alignment briefing is for.
Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.