DSCA0006 - Post-Quantum Algorithm Support

Published: 2025-06-17

Impacted Documents

cPP_DSC_V2.0 PDF | cPP_DSC_V2.0 HTML

SD_DSC_V2.0 PDF | SD_DSC_V2.0 HTML

Included from Documents

cPP_DSC_V2.0.1 PDF | cPP_DSC_V2.0.1 HTML

SD_DSC_V2.0.1 PDF | SD_DSC_V2.0.1 HTML

References

FCS_COP.1.1/SigGen

FCS_COP.1.1/SigVer

FCS_CKM.1/AKG

FCS_COP.1.1/KeyEncap

Issue Description

To meet NIAP requirements regarding CNSA 2.0, PQC algorithms have been requested to be added to the cPP.

Resolution

ML-DSA, HashML-DSA and ML-KEM are added to the signature algorithm lists where appropriate in the cPP and corresponding changes to the SD are made to support algorithm testing for these new algorithms.

cPP_DSC_V2.0

The cPP is updated as follows (yellow highlights for additions, strikethrough for deletions) per section that is being updated:

FCS_COP.1.1/SigGen

Table 6. Allowed choices for FCS_COP.1/SigGen is updated to add the following two rows at the bottom:

Identifier	Cryptographic Algorithm	Cryptographic Algorithm Parameters	List of Standards
ML-DSA	ML-DSA.Sign	Parameter set = [selection: ML-DSA-44, ML-DSA-65, ML-DSA-87]	NIST FIPS 204 (Section 5.2)
HashML-DSA	HashML-DSA.Sign	Parameter set = [selection: ML-DSA-44, ML-DSA-65, ML-DSA-87] and hash function [selection: SHA-256, SHA-512/256, SHA3-256, SHAKE128, SHA-384, SHA3-384, SHA-512, SHA3-512, SHAKE256]	NIST FIPS 204 (Section 5.4)

Identifier

Cryptographic Algorithm

Cryptographic Algorithm Parameters

List of Standards

ML-DSA

ML-DSA.Sign

Parameter set = [selection: ML-DSA-44, ML-DSA-65, ML-DSA-87]

NIST FIPS 204 (Section 5.2)

HashML-DSA

HashML-DSA.Sign

Parameter set = [selection: ML-DSA-44, ML-DSA-65, ML-DSA-87] and hash function [selection: SHA-256, SHA-512/256, SHA3-256, SHAKE128, SHA-384, SHA3-384, SHA-512, SHA3-512, SHAKE256]

NIST FIPS 204 (Section 5.4)

Application Note 7 adds the following text at the end:

Per Section 5.4 of NIST FIPS 204, the collision strength of the hash function selected for the pre-hash of HashML-DSA must be at least the strength of the signature algorithm.

FCS_COP.1.1/SigVer

Table 7. Allowed choices for FCS_COP.1/SigVer is updated to add the following two rows at the bottom:

Identifier	Cryptographic Algorithm	Cryptographic Algorithm Parameters	List of Standards
ML-DSA	ML-DSA.Verify	Parameter set = [selection: ML-DSA-44, ML-DSA-65, ML-DSA-87]	NIST FIPS 204 (Section 5.2)
HashML-DSA	HashML-DSA.Verify	Parameter set = [selection: ML-DSA-44, ML-DSA-65, ML-DSA-87] and hash function [selection: SHA-256, SHA-512/256, SHA3-256, SHAKE128, SHA-384, SHA3-384, SHA-512, SHA3-512, SHAKE256]	NIST FIPS 204 (Section 5.4)

Identifier

Cryptographic Algorithm

Cryptographic Algorithm Parameters

List of Standards

ML-DSA

ML-DSA.Verify

Parameter set = [selection: ML-DSA-44, ML-DSA-65, ML-DSA-87]

NIST FIPS 204 (Section 5.2)

HashML-DSA

HashML-DSA.Verify

Parameter set = [selection: ML-DSA-44, ML-DSA-65, ML-DSA-87] and hash function [selection: SHA-256, SHA-512/256, SHA3-256, SHAKE128, SHA-384, SHA3-384, SHA-512, SHA3-512, SHAKE256]

NIST FIPS 204 (Section 5.4)

Application Note 8 adds the following text at the end:

Per Section 5.4 of NIST FIPS 204, the collision strength of the hash function selected for the pre-hash of HashML-DSA must be at least the strength of the signature algorithm.

FCS_CKM.1/AKG

Table 15. Allowed choices for FCS_CKM.1/AKG is updated to add the following two rows at the bottom:

Cryptographic Key Generation Algorithm	Cryptographic Algorithm Parameters	List of Standards
ML-KEM	Parameter set = [selection: ML-KEM-512, ML-KEM-768, ML-KEM-1024]	NIST FIPS 203 (Section 7.1)
ML-DSA	Parameter set = [selection: ML-DSA-44, ML-DSA-65, ML-DSA-87]	NIST FIPS 204 (Section 5.1)

Cryptographic Key Generation Algorithm

Cryptographic Algorithm Parameters

List of Standards

ML-KEM

Parameter set = [selection: ML-KEM-512, ML-KEM-768, ML-KEM-1024]

NIST FIPS 203 (Section 7.1)

ML-DSA

Parameter set = [selection: ML-DSA-44, ML-DSA-65, ML-DSA-87]

NIST FIPS 204 (Section 5.1)

FCS_COP.1.1/KeyEncap

Table 21. Allowed choices for FCS_COP.1/KeyEncap is updated to add the following row at the bottom:

Cryptographic Key Generation Algorithm	Cryptographic Algorithm Parameters	List of Standards
ML-KEM	Parameters set [selection: ML-KEM-512, ML-KEM-768, ML-KEM-1024]	NIST FIPS 203 (Section 7.2)

Cryptographic Key Generation Algorithm

Cryptographic Algorithm Parameters

List of Standards

ML-KEM

Parameters set [selection: ML-KEM-512, ML-KEM-768, ML-KEM-1024]

NIST FIPS 203 (Section 7.2)

SD_DSC_V2.0

The SD is updated as follows (yellow highlights for additions, strikethrough for deletions) per section that is being updated (only the surrounding text is included, not the entire section being updated):

2.1.2.3.3. Test

Modulus size (RSA)
Curve (ECDSA, EC-KCDSA, EdDSA)
Group size (DSA, KCDSA)
Private key size (LMS, HSS, XMSS, XMSS^MT)
Parameter set (ML-DSA, HashML-DSA)
Padding scheme (RSA)
Hash or XOF algorithm

2.1.2.4.3. Test

Modulus size (RSA)
Curve (ECDSA, EC-KCDSA, EdDSA)
Group size (DSA, KCDSA)
Private key size (LMS, HSS, XMSS, XMSS^MT)
Parameter set (ML-DSA, HashML-DSA)
Padding scheme (RSA)
Hash or XOF algorithm

4.1.1.1.3. Test

Modulus size (RSA)
Curve (ECC, EdDSA, EC-KCDSA)
Domain parameters (FFC)
Group size (KCDSA)
Private key size (LMS, HSS, XMSS, XMSS^MT)
Parameter set (ML-KEM, ML-DSA)

Each test group shall consist of at least 10 test cases meeting the following requirements:

4.1.2.3.3. Test

The developer shall provide sufficient information to the evaluator to properly define the implementation of the algorithm. The evaluator shall define at least one test group (a configuration of algorithm properties and associated test cases) for each combination of the following parameters, according to the implementation of the algorithm:

Modulus size (RSA)
Parameter set (ML-KEM)
Key agreement role (initiator or responder) or operation (encapsulation or decapsulation)
Hash algorithm (if applicable)
Associated data pattern (if applicable)
KDF configuration (if applicable)

Tracking

Issue #441

Pull Reqeust #427