Lattice-based cryptography
Lattice-based cryptography derives its security from the related problems of finding a short vector in a lattice or finding a lattice vector that is close to a target vector not in the lattice. These systems are fairly well-studied in cryptologic literature, and analysis suggests that these systems can be secure when well-parameterized. We agree with the NIST assessment, documented in NISTIR 8309: Status Report on the Second Round of the NIST Post-Quantum Cryptography Standardization Process, that these are among the most efficient post-quantum designs. Based on their history of analysis and implementation efforts, NSA CSD expects that a NIST-candidate lattice-based signature and a NIST-candidate lattice-based key encapsulation mechanism will be approved for NSS.
Hash-based signatures
Hash-based signatures are based on the well-understood security of inverting a hash function. These systems are also fairly well-studied in cryptologic literature, and analysis suggests that these systems can be secure when well-parameterized. However, the stateful versions have a limited number of allowable signatures per public key and require the signer to maintain an internal state. Because of this, they are not suitable for all applications. NSA CSD expects that the stateful signatures LMS and XMSS will be standardized by NIST in NIST SP 800-208 and approved for NSS solutions for certain niche applications where maintaining state is not a problem.
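The state requirement and signature limit described above can be seen in a toy Python construction, added here as an illustration (it is not NSA or NIST code, and it is not LMS or XMSS): a Merkle tree over Lamport one-time keys. The class name, the parameters and the in-memory counter are assumptions; a real signer would write the counter to durable storage before releasing each signature.

```python
import hashlib

def H(b):
    return hashlib.sha256(b).digest()

def bits(msg):
    d = H(msg)  # sign the 256-bit digest, one Lamport secret per bit
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def ots_keygen(seed, idx):
    # Lamport one-time key for leaf idx: 256 secret pairs derived from the seed
    sk = [[H(seed + bytes([idx, i, b])) for b in (0, 1)] for i in range(256)]
    return sk, H(b"".join(H(s) for pair in sk for s in pair))

def merkle_levels(leaves):
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([H(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

class ToyStatefulSigner:  # hypothetical name; toy construction, not LMS/XMSS
    def __init__(self, seed, height=2):
        self.seed, self.capacity, self.next_idx = seed, 1 << height, 0
        leaves = [ots_keygen(seed, i)[1] for i in range(self.capacity)]
        self.levels = merkle_levels(leaves)
        self.public_key = self.levels[-1][0]  # Merkle root

    def sign(self, msg):
        if self.next_idx >= self.capacity:
            raise RuntimeError("key exhausted: every one-time leaf has been used")
        idx = self.next_idx
        self.next_idx += 1  # advance state first; a real signer persists it here
        sk, _ = ots_keygen(self.seed, idx)
        m = bits(msg)
        reveal = [sk[i][b] for i, b in enumerate(m)]        # one secret per bit
        other = [H(sk[i][1 - b]) for i, b in enumerate(m)]  # hashes of the rest
        path = [lvl[(idx >> d) ^ 1] for d, lvl in enumerate(self.levels[:-1])]
        return idx, reveal, other, path

def verify(public_key, msg, signature):
    idx, reveal, other, path = signature
    parts = []
    for s, o, b in zip(reveal, other, bits(msg)):
        parts += [o, H(s)] if b else [H(s), o]
    node = H(b"".join(parts))  # recomputed leaf (one-time public key)
    for d, sib in enumerate(path):
        node = H(sib + node) if (idx >> d) & 1 else H(node + sib)
    return node == public_key
```

With `height=2` the public key covers exactly four signatures. If the counter were restored from a backup or cloned to a second machine, the same leaf would sign two different messages, which is the failure that state management has to prevent.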
At the present time, NSA CSD does not anticipate the need to approve other post-quantum cryptographic technologies for NSS usage, but recognizes circumstances could change going forward. A variety of factors—including confidence in security and performance, interoperability, systems engineering, budgeting, procurement, and other requirements—could affect such decisions.