On May 21, 2026, NIST announced that nine digital signature algorithms had advanced to the third round of its Additional Digital Signatures for the Post-Quantum Cryptography Standardization Process. The nine candidates are FAEST, HAWK, MAYO, MQOM, QR-UOV, SDitH, SNOVA, SQIsign, and UOV. Their eventual standardization will extend the world's post-quantum cryptographic toolkit — and close one of the more significant remaining gaps in the transition away from encryption that quantum computers could break.
Why digital signatures are different from encryption
When most people think about the quantum threat to cryptography, they think about encryption — the scrambling of data in transit. But digital signatures are equally critical and often overlooked. Every software update you install was verified by a digital signature. Every TLS connection you make relies on one. Every certificate authority that your browser trusts is anchored by one. Digital signatures authenticate identity and verify integrity across virtually all of modern digital infrastructure.
The problem is that the most widely used signature schemes — RSA and ECDSA — are vulnerable to Shor's algorithm running on a sufficiently large quantum computer. NIST's first wave of post-quantum standards, finalized in 2024, addressed this partially: ML-DSA (based on CRYSTALS-Dilithium) and FN-DSA (FALCON) are quantum-resistant signature schemes. SLH-DSA (SPHINCS+) added a hash-based backup. But all three rely on a narrow set of mathematical foundations — primarily structured lattice problems. The nine new candidates are designed to diversify that base.
The nine algorithms and what makes them different
The diversity is deliberate. FAEST uses zero-knowledge proofs built on AES — meaning its security reduces to the hardness of AES, which is widely trusted. SQIsign uses isogeny-based mathematics, a family entirely distinct from lattices. SDitH is based on the hardness of syndrome decoding, a coding-theory problem studied for decades. MAYO, QR-UOV, SNOVA, and UOV are all multivariate polynomial schemes — a different mathematical family again. This spread ensures that a breakthrough against one mathematical class does not simultaneously compromise all post-quantum standards.
What the third round means
NIST's post-quantum standardization process is exhaustive by design. The first round, launched in 2017, received 82 candidates. That pool was reduced to 26 in round two, then to seven finalists and eight alternates in round three. The current nine candidates are part of a separate track — the Additional Digital Signatures process — launched in 2022 specifically to expand the pool of standardized signature schemes beyond the lattice-heavy first cohort.
Third-round evaluation is expected to last approximately two years. During this period, submission teams update their technical specifications and software implementations, and the broader cryptographic community subjects each candidate to intensive public scrutiny. Not all nine will be standardized — some may be eliminated for performance, implementation complexity, or newly discovered weaknesses. But the most promising candidates will emerge as formal NIST standards, likely around 2028 — just ahead of the Q-Day risk window identified by Google and major security agencies.
Cryptographic agility: the real goal
The underlying strategic objective is not simply to have more algorithms — it is to build cryptographic agility into global infrastructure. Cryptographic agility means the ability to swap one algorithm for another quickly, without requiring a full system redesign, if a vulnerability is discovered. The collapse of SIKE — an isogeny-based candidate that was broken in 2022 by a classical algorithm running on a laptop — demonstrated exactly why agility matters: a scheme that passed years of expert review can fail unexpectedly. Multiple standardized algorithms from multiple mathematical families reduce the risk that any single failure cascades into a systemic compromise.
For organizations planning their post-quantum migration, this has a practical implication: the systems you design today should be architecture-agnostic where possible, supporting algorithm updates without requiring replacement of entire cryptographic stacks. The NIST process will take until approximately 2028 to produce finalized additional standards — but the migration planning needs to happen now. Q-Day does not wait for a standards body's publication schedule.
Where this fits in the Q-Day timeline
NIST's first post-quantum standards (ML-KEM for key exchange, ML-DSA and FN-DSA for signatures) are already final and available for deployment. The nine new candidates represent the next layer — additional options for specific use cases where shorter signatures, faster verification, or different mathematical foundations are required. Together, they complete a picture of a cryptographic ecosystem intentionally designed to survive the arrival of a quantum computer powerful enough to break today's defaults. That arrival, on current hardware trajectories, is now estimated by Google's security team at 2029 and by the NSA's CNSA 2.0 roadmap as a critical planning horizon of 2030. The timeline is not theoretical.