`5656`

`8803`

`8803`

`8803`

`8803`

`52080`

`5656`

- Managing a smooth transition from early adoption algorithm versions to production versions where there is no compatibility.
- Supporting different algorithm versions from different NIST rounds
- Identifying different key serialization strategies
- Identifying compressed and uncompressed keys

- T: mt x k matrix

- delta: nonce
- C : column selections
- g : monic irreducible polynomial
- alpha: field orderings
- s : uniform random n-bit string

- mceliece{n}{t}[f]-r3 in the algorithm field of AlgorithmIdentifier
- McEliecePrivateKey in the privateKey field, which is an OCTET STRING.

- t: encoded vector A*s+e, where A is a public matrix over a constant-sized polynomial ring, s and e are vectors over the same ring.
- rho: public seed (32 bytes)

- s: encoded sample from a centered binomial distribution B_{eta_1} (12*k*n/8 bytes)
- H(pk): hashed public key (32 bytes). Kyber uses SHA3-256 as H by default. The '90s' variants use SHA256 instead.
- z: a nonce (32 bytes)

- kyber-(n*k)-r3 in the algorithm field of AlgorithmIdentifier
- KyberPrivateKey in the privateKey field, which is an OCTET STRING.

- a polynomial h that satisfies h*f=3*g in the ring Rq=Z[x]/(q, Phi_1*Phi_n).

- a polynomial f that is a ternary (coefficients fi are in {-1, 0, 1}) polynomial of degree n - 2, with the additional property that ∑_(i=0)^{n-3} f_i*f_{i+1}≥0,
- a polynomial f_p that satisfies f*f_p=1 in the ring Rq=Z[x]/(3, Phi_n),
- a polynomial h_q that satisfies h*h_q=1 in the ring Rq=Z[x]/(q, Phi_n), and
- a seed=fg_bits || prf_key=f_bits || g_bits || prf_key containing the randomness for the key sampling and the implicit rejection mechanism. Optionally implementers may expand this from a 32-byte seed.

- >f_bits having n - 1 bytes,
- >g_bits having n - 1 bytes for ntruhrss701, ceiling(30/8*(n-1)) bytes for the other parameter sets,
- prf_key having 32 bytes.

- ntruhps-(size)-r3 / ntruhrss701-r3 in the algorithm field of AlgorithmIdentifier
- NTRUPrivateKey in the privateKey field, which is an OCTET STRING.

- >seed_A: public seed (32 bytes)
- polynomials of degree 256 with 10-bit integer coefficients denoted by vector b.

- a 256-bit uniform random value z
- l polynomials of degree 256 with 13-bit integer coefficients denoted by s
- H(pk): hashed public key (32 bytes)

- one of the three algorithm alternatives {LightSaber-r3, Saber-r3, FireSaber-r3} in the algorithm field of AlgorithmIdentifier
- SABERPrivateKey in the privateKey field, which is an OCTET STRING.

- rho: nonce
- t1: a vector encoded in 320*k bytes

- rho: nonce
- K: a key/seed/D
- tr: PRF bytes
- s1: vector (L)
- s2: vector (K)
- t0: k polynomials

- dilithium-(kxl)-r3 in the algorithm field of AlgorithmIdentifier
- DilithiumPrivateKey in the privateKey field, which is an OCTET STRING.

- falcon-(degree)-r3 in the algorithm field of AlgorithmIdentifier
- FALCONPrivateKey in the privateKey field, which is an OCTET STRING.

- P: a mapping from F^{n} to F^{m}
- ell: length of the used salt. Needs to be included to reach EUF- CMA security.

- S: affine map from F^{m} to F^{m}
- T: affine map from F^{n} to F^{n}
- F: quadratic central map of F^{n} to F^{n}
- ell: length of the used salt. Needs to be included to reach EUF- CMA security.

- 256-bit seed spub
- P: a partially stored mapping from Fn to Fm
- ell: length of the used salt. Needs to be included to reach EUF- CMA security

- rainbow-{eclvl}-r3 in the algorithm field of AlgorithmIdentifier
- RainbowPrivateKey in the privateKey field, which is an OCTET STRING.