Algorithms in 3.5.0 vs 3.5.4 FIPS providers


Ladd, Watson

Apr 15, 2026, 1:54:14 PM
to 'Michael Wojcik' via openssl-users
Dear all,

I'm a bit confused about which modules are in process when. Right now 3.5.0 supports X25519MLKEM for TLS. I'm not sure what algorithms it is that are only in 3.5.4, and the in process list has just one entry without the version number.

What is the state of play/what has been approved so far under FIPS 140-3?

Sincerely,
Watson

Viktor Dukhovni

Apr 22, 2026, 1:45:22 AM
to openss...@openssl.org
On Wed, Apr 15, 2026 at 05:54:00PM +0000, 'Ladd, Watson' via openssl-users wrote:

> I'm a bit confused about which modules are in process when. Right now
> 3.5.0 supports X25519MLKEM[768] for TLS. I'm not sure what algorithms it is
> that are only in 3.5.4, and the in process list has just one entry
> without the version number.
>
> What is the state of play/what has been approved so far under FIPS 140-3?

I don't know that anything has been approved, the FIPS validation
process takes time. As for 3.5.0 vs. 3.5.4, no new algorithms were
implemented in the later version, but if you're asking about which
PQC algorithms are in the validation pipeline, I expect that includes:

- X25519MLKEM768, SecP256r1MLKEM768 and SecP384r1MLKEM1024
- ML-DSA-44, ML-DSA-65, ML-DSA-87
- All the SLH-DSA variants.

The ML-DSA code in 3.5 supports one-shot signing only (IUF was added in
3.6), but 3.5 does support external-μ, so it is possible to sign larger
messages without instantiating the entire message in memory. Prior to
the addition of the "ML-DSA-MU" pseudo-digest in OpenSSL 4.0,
computation of external-μ is an exercise for the reader.

--
Viktor. 🇺🇦 Glory to Ukraine!
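Added example, not part of the thread and not OpenSSL code: a streaming computation of the external-μ value mentioned in the reply above, following the FIPS 204 definition for pure ML-DSA (μ = SHAKE256(tr ‖ M′, 64), tr = SHAKE256(pk, 64), M′ = 0x00 ‖ len(ctx) ‖ ctx ‖ M). The function names and the sample key and message bytes are assumptions constructed for illustration.

```python
import hashlib
import io

TR_LEN = 64  # bytes of tr, the SHAKE256 hash of the encoded public key
MU_LEN = 64  # bytes of mu, the message representative that gets signed


def mldsa_external_mu(pk: bytes, msg_stream, ctx: bytes = b"", chunk: int = 1 << 16) -> bytes:
    """Compute mu for pure ML-DSA while reading the message in chunks.

    mu binds the signer's public key (through tr) and the context string,
    so it must be computed with the exact key that will sign.
    """
    if len(ctx) > 255:
        raise ValueError("ML-DSA context string is limited to 255 bytes")
    tr = hashlib.shake_256(pk).digest(TR_LEN)
    h = hashlib.shake_256()
    h.update(tr)
    # Domain separator 0x00 marks pure (non-pre-hash) ML-DSA, then len(ctx), ctx.
    h.update(bytes([0, len(ctx)]) + ctx)
    while True:
        block = msg_stream.read(chunk)
        if not block:
            break
        h.update(block)  # the full message is never held in memory
    return h.digest(MU_LEN)


def mldsa_mu_oneshot(pk: bytes, msg: bytes, ctx: bytes = b"") -> bytes:
    """Reference computation with the whole message in memory, for comparison."""
    tr = hashlib.shake_256(pk).digest(TR_LEN)
    return hashlib.shake_256(tr + bytes([0, len(ctx)]) + ctx + msg).digest(MU_LEN)


# Constructed sample input: placeholder bytes with the ML-DSA-65 public key
# length (1952 bytes). This is not a real key.
SAMPLE_PK = bytes(range(256)) * 7 + bytes(160)
SAMPLE_MSG = b"constructed sample message\n" * 10000

if __name__ == "__main__":
    mu = mldsa_external_mu(SAMPLE_PK, io.BytesIO(SAMPLE_MSG), chunk=4096)
    print(mu.hex())
```
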