FIPS or SP800
35 views
Skip to first unread message
Robert Moskowitz
Jun 23, 2023, 11:25:47 AM6/23/23
to lwc-forum
At first blush I like going the SP800 route.
But the devil is always in the details.
I deal regularly with pushback of "Not FIPS certifiable". SP800-185 is
built on FIPS-202 so we can wave a flag that it is just a function call
to your FIPS module.
FINALLY got FIPS 186-5 for EdDSA.
Without a path for equivalent certification, I would see a barrier for
NIST-ASCON adoption.
Are there alternative pathways that don't add 6 years to the process?
thanks
Bob
But the devil is always in the details.
I deal regularly with pushback of "Not FIPS certifiable". SP800-185 is
built on FIPS-202 so we can wave a flag that it is just a function call
to your FIPS module.
FINALLY got FIPS 186-5 for EdDSA.
Without a path for equivalent certification, I would see a barrier for
NIST-ASCON adoption.
Are there alternative pathways that don't add 6 years to the process?
thanks
Bob
McKay, Kerry A. (Fed)
Jun 30, 2023, 11:48:38 AM6/30/23
to Robert Moskowitz, lwc-forum
Dear forum members,
During the Sixth Lightweight Cryptography Workshop last week, NIST stated that the Ascon family could be specified in a Special Publication (SP) format rather than a Federal Information Processing Standards (FIPS) to shorten the standardization process.
On June 23, Robert Moskowitz raised some concerns on using the SP format. Thank you Robert for sharing your concerns.
To avoid confusion, we would like to clarify that when an implementation is FIPS-validated, it means that it has successfully completed the FIPS 140-3 validation process. NIST standards can be validated regardless of whether an algorithm is described in a FIPS or an SP. Therefore, specifying Ascon in a special publication will not prevent its inclusion in the FIPS 140-3 validation process.
Regarding SP 800-185, it is part of the FIPS 140-3 validation program. Programmatic guidance on cryptographic module validation can always be found in the latest FIPS 140-3 Implementation Guidance (IG) (https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-ig-announcements) and other resources on the cryptographic module validation program page (https://csrc.nist.gov/projects/cryptographic-module-validation-program). In addition, SP 800-140Cr1 (https://doi.org/10.6028/NIST.SP.800-140Cr1) and SP 800-140Dr1 (https://doi.org/10.6028/NIST.SP.800-140Dr1) list the algorithms that are part of the validation program, along with the relevant publications.
Kind regards,
Kerry
--
To unsubscribe from this group, send email to lwc-forum+...@list.nist.gov <mailto:lwc-forum+...@list.nist.gov>
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/lwc-forum <https://groups.google.com/a/list.nist.gov/d/forum/lwc-forum>
During the Sixth Lightweight Cryptography Workshop last week, NIST stated that the Ascon family could be specified in a Special Publication (SP) format rather than a Federal Information Processing Standards (FIPS) to shorten the standardization process.
On June 23, Robert Moskowitz raised some concerns on using the SP format. Thank you Robert for sharing your concerns.
To avoid confusion, we would like to clarify that when an implementation is FIPS-validated, it means that it has successfully completed the FIPS 140-3 validation process. NIST standards can be validated regardless of whether an algorithm is described in a FIPS or an SP. Therefore, specifying Ascon in a special publication will not prevent its inclusion in the FIPS 140-3 validation process.
Regarding SP 800-185, it is part of the FIPS 140-3 validation program. Programmatic guidance on cryptographic module validation can always be found in the latest FIPS 140-3 Implementation Guidance (IG) (https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-ig-announcements) and other resources on the cryptographic module validation program page (https://csrc.nist.gov/projects/cryptographic-module-validation-program). In addition, SP 800-140Cr1 (https://doi.org/10.6028/NIST.SP.800-140Cr1) and SP 800-140Dr1 (https://doi.org/10.6028/NIST.SP.800-140Dr1) list the algorithms that are part of the validation program, along with the relevant publications.
Kind regards,
Kerry
To unsubscribe from this group, send email to lwc-forum+...@list.nist.gov <mailto:lwc-forum+...@list.nist.gov>
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/lwc-forum <https://groups.google.com/a/list.nist.gov/d/forum/lwc-forum>
Reply all
Reply to author
Forward
0 new messages