Published: 2025-06-17
Impacted Documents
Included from Documents
References
FCS_COP.1.1/SigGen
FCS_COP.1.1/SigVer
FCS_CKM.1/AKG
FCS_COP.1.1/KeyEncap
Issue Description
To meet NIAP requirements regarding CNSA 2.0, the addition of PQC algorithms to the cPP has been requested.
Resolution
ML-DSA, HashML-DSA and ML-KEM are added to the signature algorithm lists where appropriate in the cPP, and corresponding changes are made to the SD to support algorithm testing for these new algorithms.
cPP_DSC_V2.0
The cPP is updated as follows (yellow highlights for additions, strikethrough for deletions) per section that is being updated:
FCS_COP.1.1/SigGen
Table 6. Allowed choices for FCS_COP.1/SigGen is updated to add the following two rows at the bottom:
Identifier | Cryptographic Algorithm | Cryptographic Algorithm Parameters | List of Standards |
---|---|---|---|
ML-DSA | ML-DSA.Sign | Parameter set = [selection: ML-DSA-44, ML-DSA-65, ML-DSA-87] | NIST FIPS 204 (Section 5.2) |
HashML-DSA | HashML-DSA.Sign | Parameter set = [selection: ML-DSA-44, ML-DSA-65, ML-DSA-87] and hash function [selection: SHA-256, SHA-512/256, SHA3-256, SHAKE128, SHA-384, SHA3-384, SHA-512, SHA3-512, SHAKE256] | NIST FIPS 204 (Section 5.4) |
Application Note 7 adds the following text at the end:
Per Section 5.4 of NIST FIPS 204, the collision strength of the hash function selected for the pre-hash of HashML-DSA must be at least the strength of the signature algorithm.
FCS_COP.1.1/SigVer
Table 7. Allowed choices for FCS_COP.1/SigVer is updated to add the following two rows at the bottom:
Identifier | Cryptographic Algorithm | Cryptographic Algorithm Parameters | List of Standards |
---|---|---|---|
ML-DSA | ML-DSA.Verify | Parameter set = [selection: ML-DSA-44, ML-DSA-65, ML-DSA-87] | NIST FIPS 204 (Section 5.2) |
HashML-DSA | HashML-DSA.Verify | Parameter set = [selection: ML-DSA-44, ML-DSA-65, ML-DSA-87] and hash function [selection: SHA-256, SHA-512/256, SHA3-256, SHAKE128, SHA-384, SHA3-384, SHA-512, SHA3-512, SHAKE256] | NIST FIPS 204 (Section 5.4) |
Application Note 8 adds the following text at the end:
Per Section 5.4 of NIST FIPS 204, the collision strength of the hash function selected for the pre-hash of HashML-DSA must be at least the strength of the signature algorithm.
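The text added to Application Notes 7 and 8 can be checked mechanically against a HashML-DSA parameters cell. The following is an added example, not part of the cPP or SD: the function names and the sample claim are hypothetical, and the strength values come from FIPS 204 Table 1 and the FIPS 180-4/FIPS 202 hash definitions rather than from this page.

```python
import re

# Collision strength lambda in bits per parameter set (FIPS 204, Table 1).
MLDSA_STRENGTH = {"ML-DSA-44": 128, "ML-DSA-65": 192, "ML-DSA-87": 256}

# Collision strength in bits of each pre-hash in the selection list.
# SHAKE values assume the 256-bit (SHAKE128) and 512-bit (SHAKE256)
# outputs that FIPS 204 uses for pre-hashing.
HASH_STRENGTH = {
    "SHA-256": 128, "SHA-512/256": 128, "SHA3-256": 128, "SHAKE128": 128,
    "SHA-384": 192, "SHA3-384": 192,
    "SHA-512": 256, "SHA3-512": 256, "SHAKE256": 256,
}

SELECTION = re.compile(r"\[selection:\s*([^\]]*)\]")


def parse_claim(text):
    """Return (parameter_sets, hashes) from a HashML-DSA parameters cell."""
    groups = [[item.strip() for item in g.split(",") if item.strip()]
              for g in SELECTION.findall(text)]
    if len(groups) != 2:
        raise ValueError("expected one parameter-set and one hash selection")
    params, hashes = groups
    unknown = ([p for p in params if p not in MLDSA_STRENGTH]
               + [h for h in hashes if h not in HASH_STRENGTH])
    if unknown:
        raise ValueError(f"not in the allowed selections: {unknown}")
    return params, hashes


def weak_pairs(text):
    """Pairs whose pre-hash collision strength is below the signature's.

    Assumption: every claimed hash may be paired with every claimed
    parameter set; an ST that restricts pairings needs them listed.
    """
    params, hashes = parse_claim(text)
    return [(p, h) for p in params for h in hashes
            if HASH_STRENGTH[h] < MLDSA_STRENGTH[p]]


# Constructed sample claim, not taken from any real Security Target.
SAMPLE_CLAIM = ("Parameter set = [selection: ML-DSA-65, ML-DSA-87] and "
                "hash function [selection: SHA-384, SHA-512]")

if __name__ == "__main__":
    for pset, digest in weak_pairs(SAMPLE_CLAIM):
        print(f"{pset} with {digest}: pre-hash too weak")
```

Run over the full selection list in the table rows above, the check flags 10 of the 27 possible pairs, all of them involving ML-DSA-65 or ML-DSA-87.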
FCS_CKM.1/AKG
Table 15. Allowed choices for FCS_CKM.1/AKG is updated to add the following two rows at the bottom:
Cryptographic Key Generation Algorithm | Cryptographic Algorithm Parameters | List of Standards |
---|---|---|
ML-KEM | Parameter set = [selection: ML-KEM-512, ML-KEM-768, ML-KEM-1024] | NIST FIPS 203 (Section 7.1) |
ML-DSA | Parameter set = [selection: ML-DSA-44, ML-DSA-65, ML-DSA-87] | NIST FIPS 204 (Section 5.1) |
FCS_COP.1.1/KeyEncap
Table 21. Allowed choices for FCS_COP.1/KeyEncap is updated to add the following row at the bottom:
Cryptographic Key Generation Algorithm | Cryptographic Algorithm Parameters | List of Standards |
---|---|---|
ML-KEM | Parameters set [selection: ML-KEM-512, ML-KEM-768, ML-KEM-1024] | NIST FIPS 203 (Section 7.2) |
SD_DSC_V2.0
The SD is updated as follows (yellow highlights for additions, strikethrough for deletions) per section that is being updated (only the surrounding text is included, not the entire section being updated):
2.1.2.3.3. Test
- Modulus size (RSA)
- Curve (ECDSA, EC-KCDSA, EdDSA)
- Group size (DSA, KCDSA)
- Private key size (LMS, HSS, XMSS, XMSSMT)
- Parameter set (ML-DSA, HashML-DSA)
- Padding scheme (RSA)
- Hash or XOF algorithm
2.1.2.4.3. Test
- Modulus size (RSA)
- Curve (ECDSA, EC-KCDSA, EdDSA)
- Group size (DSA, KCDSA)
- Private key size (LMS, HSS, XMSS, XMSSMT)
- Parameter set (ML-DSA, HashML-DSA)
- Padding scheme (RSA)
- Hash or XOF algorithm
4.1.1.1.3. Test
- Modulus size (RSA)
- Curve (ECC, EdDSA, EC-KCDSA)
- Domain parameters (FFC)
- Group size (KCDSA)
- Private key size (LMS, HSS, XMSS, XMSSMT)
- Parameter set (ML-KEM, ML-DSA)
Each test group shall consist of at least 10 test cases meeting the following requirements:
4.1.2.3.3. Test
The developer shall provide sufficient information to the evaluator to properly define the implementation of the algorithm. The evaluator shall define at least one test group (a configuration of algorithm properties and associated test cases) for each combination of the following parameters, according to the implementation of the algorithm:
- Modulus size (RSA)
- Parameter set (ML-KEM)
- Key agreement role (initiator or responder) or operation (encapsulation or decapsulation)
- Hash algorithm (if applicable)
- Associated data pattern (if applicable)
- KDF configuration (if applicable)