Hello all,
We received comments from 23 different commenters on FIPS 205 IPD during the 90-day official comment period. (These comments are available at https://csrc.nist.gov/pubs/fips/205/ipd.) As was described at the 5th PQC Standardization Conference (https://csrc.nist.gov/Presentations/2024/fips-205), most of the comments that were received were editorial. We appreciate these comments and have made changes to FIPS 205 to improve its readability in response.
A few technical changes are planned for FIPS 205; however, it is unlikely that these changes will require changes to cryptographic modules that were developed based on FIPS 205 IPD.
We received a few comments requesting that the number of parameter sets specified in FIPS 205 be reduced. We also received comments requesting additional, smaller parameter sets (i.e., parameter sets that only remain secure if the number of signatures generated is smaller than 2^64). Given a lack of consensus among commenters about whether or which parameter sets should be removed, all 12 parameter sets in FIPS 205 IPD will remain in FIPS 205. No additional parameter sets will be added, but a Special Publication will be developed that specifies some smaller parameter sets.
As will be described in a separate message, FIPS 205 will specify the use of domain separation in order to support both "pure" and "pre-hash" versions of SLH-DSA signature generation and signature verification. However, since the message M' may be constructed outside of the cryptographic module, implementation of this may require changes to libraries that support SLH-DSA, but are unlikely to require changes within the boundary of the cryptographic module.
Also, as will be described in a separate message, FIPS 205 will specify separate internal and API functions for key generation, signature generation, and signature verification, with the internal functions being deterministic. The internal functions are essentially the same as the key generation, signature generation, and signature verification functions in FIPS 205 IPD, except that any required random values are passed as inputs in order to support known-answer testing. Cryptographic modules will need to support these deterministic internal functions for testing purposes, as these are the interfaces that will be tested by the Cryptographic Algorithm Validation Program (CAVP).
Finally, while Appendix B of FIPS 205 IPD notes that implementations should not use floating-point arithmetic, FIPS 205 will prohibit the use of floating-point arithmetic in the implementation of SLH-DSA.
Please let us know if you have any feedback or questions about the planned changes to FIPS 205.
Thanks,
David Cooper
NIST PQC
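
An added example, not part of this message or of NIST's text: building the domain-separated message M' for "pure" and "pre-hash" SLH-DSA outside the module, which is where the message says library changes may be needed. The byte layout (mode byte, context length, context, and for pre-hash the DER-encoded hash OID plus digest) is an assumption taken from the published FIPS 205 rather than from this message, and the function names are hypothetical.

```python
import hashlib

# DER-encoded hash OIDs (2.16.840.1.101.3.4.2.x) paired with the digest function.
# Assumption: values as given for pre-hash signing in the published FIPS 205.
PREHASH = {
    "SHA-256": (bytes.fromhex("0609608648016503040201"),
                lambda m: hashlib.sha256(m).digest()),
    "SHA-512": (bytes.fromhex("0609608648016503040203"),
                lambda m: hashlib.sha512(m).digest()),
    "SHAKE128": (bytes.fromhex("060960864801650304020b"),
                 lambda m: hashlib.shake_128(m).digest(32)),
    "SHAKE256": (bytes.fromhex("060960864801650304020c"),
                 lambda m: hashlib.shake_256(m).digest(64)),
}


def separator_prefix(mode: int, ctx: bytes) -> bytes:
    """One mode byte (0 = pure, 1 = pre-hash), one length byte, then ctx."""
    if len(ctx) > 255:
        raise ValueError("context string must be at most 255 bytes")
    return bytes([mode, len(ctx)]) + ctx


def encode_pure(message: bytes, ctx: bytes = b"") -> bytes:
    """M' for pure signing: the full message follows the prefix."""
    return separator_prefix(0, ctx) + message


def encode_prehash(message: bytes, ctx: bytes = b"", ph: str = "SHA-256") -> bytes:
    """M' for pre-hash signing: hash OID and digest follow the prefix."""
    oid, digest = PREHASH[ph]
    return separator_prefix(1, ctx) + oid + digest(message)


def differs_only_in_mode_byte(message: bytes, ctx: bytes = b"") -> bool:
    """A pure-mode message crafted to equal OID || digest still encodes
    differently from the pre-hash M', and only because of the mode byte."""
    oid, digest = PREHASH["SHA-256"]
    pure = encode_pure(oid + digest(message), ctx)
    pre = encode_prehash(message, ctx, "SHA-256")
    return pure != pre and pure[1:] == pre[1:]


if __name__ == "__main__":
    print(encode_pure(b"abc", b"app").hex())
    print(encode_prehash(b"abc", b"app").hex())
    print(differs_only_in_mode_byte(b"abc", b"app"))
```

The resulting M' is what a library would pass, together with the secret key and any randomness, to the module's deterministic internal signing function.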