Releases: usnistgov/ACVP-Server
v1.1.0.40
Demo: 2025-6-11
Prod: 2025-6-23
IMPORTANT: PLEASE NOTE THE IMPACT OF THIS RELEASE'S DEPLOYMENT TO THE ACVTS DEMO ENVIRONMENT FOR ML-KEM / encapDecap / FIPS203 TEST VECTORS THAT WERE GENERATED BY RELEASES PRIOR TO RELEASE V1.1.0.40 WITH "isSample": false. SEE THE ML-KEM / encapDecap / FIPS203 BULLET BELOW FOR THIS INFORMATION.
- New Algorithms (Demo only):
- Adds HMAC revision 2.0 testing, e.g., HMAC-SHA-1 / 2.0, HMAC-SHA2-224 / 2.0, HMAC-SHA2-256 / 2.0, etc. (Algo / Revision) - Adds a new revision 2.0 to HMAC that adds msgLen as a registration property and moves the msgLen, keyLen and macLen properties into the test case instead of the test group for the prompt. This reduces the number of test groups and test cases.
- ACVP-AES-XTS / "2.0" (Algo / Revision) - Updates the testing to reverse the assumption that "all lengths listed by the payloadLen property are also valid data unit lengths." The updated assumption is that "all lengths listed by the dataUnitLen property are also valid payload lengths. As such, the values for the payloadLen property MUST include all dataUnitLen values."
- KMAC-128 and KMAC-256 - Updates testing to ensure both block-aligned and non-block-aligned key sizes are tested.
- ML-KEM / encapDecap / FIPS203 (Algo / Mode / Revision)
- Adds "encapsulationKeyCheck" and "decapsulationKeyCheck" as functions for ML-KEM Encap/Decap FIPS203 to exercise an implementation's capability to perform the Encapsulation Key Check in FIPS 203 Section 7.2 and the Decapsulation Key Check in FIPS 203 Section 7.3. These tests are only included if the appropriate function is present in the registration. They operate by providing a valid or invalid key and expecting the IUT to return true for a valid key or false for an invalid key.
- The test group and test case formats for decapsulation test groups and test cases are updated so that dk is provided at the test case level rather than at the test group level.
- IMPLICATIONS FOR ACVTS DEMO RELEASE: test vectors that were generated by releases prior to v1.1.0.40 with "isSample": false will fail on validation as a result of this update and will need to be regenerated using ACVTS release v1.1.0.40 or higher. CAVP will implement a workaround as part of the v1.1.0.40 release's deployment to Prod so that test vectors will not need to be regenerated on Prod.
- Ascon / AEAD128 / SP800-232, Ascon / Hash256 / SP800-232, Ascon / XOF128 / SP800-232, and Ascon / CXOF128 / SP800-232 (Algo / Mode / Revision)
- Updates property names to more closely match those of other algorithms supported by ACVTS.
- Fixes issues with domains not being respected by increment.
- Adds decryption failure test cases to check the authentication element of the AEAD128 mode.
- Updates the minimum tag length for Ascon / AEAD128 / SP800-232 from 64 bits to 32 bits.
- Fixes a bug in the Ascon / AEAD128 / SP800-232 nonceMasking encrypt tests.
- Addresses: #1568, usnistgov/ACVP#1570, usnistgov/ACVP#1571, usnistgov/ACVP#1572, usnistgov/ACVP#1573, usnistgov/ACVP#1574, usnistgov/ACVP#1575, usnistgov/ACVP#1576, and usnistgov/ACVP#1577
- Updates ACVTS to provide a meaningful error message when an ACVTS Prod registration contains "isSample": true. NOTE: the only valid value for "isSample" for an ACVTS Prod registration is false.
- Addresses #393
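The two key checks named in the ML-KEM / encapDecap / FIPS203 bullet above, written out as an added example (this is not ACVP-Server code): the Encapsulation Key Check of FIPS 203 Section 7.2 (length check, then the modulus check ByteEncode12(ByteDecode12(ek)) == ek) and the Decapsulation Key Check of Section 7.3 (length check, then H(ek) compared against the hash stored inside dk). The sample keys are constructed to have the right layout only; they are not real ML-KEM key pairs.

```python
import hashlib

Q = 3329                                   # ML-KEM modulus q
MLKEM_K = {"ML-KEM-512": 2, "ML-KEM-768": 3, "ML-KEM-1024": 4}

def byte_decode_12(data):
    """ByteDecode_12 (FIPS 203 Alg. 6, d = 12): every 3 bytes give two
    12-bit coefficients; for d = 12 the algorithm reduces each one mod q."""
    coeffs = []
    for i in range(0, len(data), 3):
        b0, b1, b2 = data[i], data[i + 1], data[i + 2]
        coeffs.append((b0 | ((b1 & 0x0F) << 8)) % Q)
        coeffs.append(((b1 >> 4) | (b2 << 4)) % Q)
    return coeffs

def byte_encode_12(coeffs):
    """ByteEncode_12 (FIPS 203 Alg. 5): two 12-bit coefficients -> 3 bytes."""
    out = bytearray()
    for i in range(0, len(coeffs), 2):
        c0, c1 = coeffs[i], coeffs[i + 1]
        out += bytes([c0 & 0xFF, (c0 >> 8) | ((c1 & 0x0F) << 4), c1 >> 4])
    return bytes(out)

def encapsulation_key_check(param_set, ek):
    """FIPS 203 Section 7.2: type (length) check, then modulus check."""
    k = MLKEM_K[param_set]
    if len(ek) != 384 * k + 32:
        return False
    t_hat = ek[:384 * k]                   # encoded t-hat; rho is the last 32 bytes
    # A coefficient >= q is reduced by ByteDecode_12, so re-encoding no
    # longer reproduces the original bytes and the key is rejected.
    return byte_encode_12(byte_decode_12(t_hat)) == t_hat

def decapsulation_key_check(param_set, dk):
    """FIPS 203 Section 7.3: length check, then hash check H(ek) == dk[768k+32 : 768k+64]."""
    k = MLKEM_K[param_set]
    if len(dk) != 768 * k + 96:
        return False
    ek = dk[384 * k: 768 * k + 32]         # dk = dk_PKE || ek || H(ek) || z
    return hashlib.sha3_256(ek).digest() == dk[768 * k + 32: 768 * k + 64]

def make_constructed_keys(param_set):
    """Constructed sample ek/dk with the FIPS 203 layout (not real keys)."""
    k = MLKEM_K[param_set]
    t_hat = byte_encode_12([i % Q for i in range(256 * k)])   # all coefficients < q
    ek = t_hat + bytes([0xAA]) * 32                           # constructed rho
    dk = bytes([0x11]) * (384 * k) + ek + hashlib.sha3_256(ek).digest() + bytes(32)
    return ek, dk

if __name__ == "__main__":
    ek, dk = make_constructed_keys("ML-KEM-768")
    print(encapsulation_key_check("ML-KEM-768", ek), decapsulation_key_check("ML-KEM-768", dk))
```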
v1.1.0.39
Demo: 2025-4-23
Prod: 2025-5-9
- New Algorithms (Demo only):
- Ascon / AEAD128 / SP800-232, Ascon / Hash256 / SP800-232, Ascon / XOF128 / SP800-232, and Ascon / CXOF128 / SP800-232 - (Algo / Mode / Revision) - testing for the Ascon-based family of algorithms, based on the SP 800-232 Initial Public Draft.
- ML-DSA sigGen FIPS204 - Adds two ML-DSA Signature Generation corner cases. The first corner case assumes an implementation strictly adheres to the pseudocode in FIPS 204 and tests the four defined rejection paths. The second corner case tests whether an IUT is able to compute a signature when a significant number of rejections, specifically, 64, have occurred. See https://pages.nist.gov/ACVP/draft-celi-acvp-ml-dsa.html#name-ml-dsa-siggen-test-types for more information. These corner case tests are only available for IUTs that advertise support for: 1) testing the internal signature interface; 2) computing mu internal to the algorithm implementation (some implementations may not be able to compute mu internally; they may require mu to be pre-computed and passed as an argument to the implementation); 3) deterministic signature generation; and 4) computing signatures of messages that are 256 bits in length.
- Sample JSON files
- Updates the LMS keyGen 1.0, LMS sigGen 1.0, and LMS sigVer 1.0 sample JSON files to include test cases for all LMS modes instead of for a representative subset of the modes.
- DetECDSA sigGen FIPS186-5
- addresses an issue where the signature values recorded in the sample JSON files were incorrect. The per-message secret numbers used to create the signatures were being generated incorrectly.
- adds extra tests to the sample JSON files that purposefully use small values for the private key. The use of small values for the private keys forces implementations to demonstrate that the private keys are being converted to octet strings and padded to the correct lengths as part of computing the per-message secret number.
- #377
- ECDSA sigGen 1.0, ECDSA sigGen FIPS186-5, and DetECDSA sigGen FIPS186-5 - Addresses issue where values used for k were not included in the InternalProjection JSON files
- Adds two new implementation/module types: softwarehybrid and firmwarehybrid. See https://pages.nist.gov/ACVP/draft-fussell-acvp-spec.html#name-modules.
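The padding point in the DetECDSA sigGen FIPS186-5 bullet above, as an added example that is not ACVP-Server code: RFC 6979 per-message secret generation for P-256 with SHA-256, with a pad flag that models an implementation encoding the private key at minimal length instead of the fixed rlen octets that int2octets requires. A full-length private key hides that defect (both encodings agree), while a small private key exposes it, which is what the new small-key sample cases force an implementation to demonstrate. The curve order and the check value come from FIPS 186-5 and RFC 6979 Appendix A.2.5; the small key is constructed.

```python
import hashlib
import hmac

# P-256 group order n (FIPS 186-5), used as q in RFC 6979
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

def int2octets(x, qlen, pad=True):
    """RFC 6979 2.3.3: x as a big-endian string of exactly rlen = 8*ceil(qlen/8) bits.
    pad=False models the defect: a minimal-length encoding, which only differs
    from the correct one when x has leading zero octets (i.e., a small key)."""
    rlen = (qlen + 7) // 8
    size = rlen if pad else max(1, (x.bit_length() + 7) // 8)
    return x.to_bytes(size, "big")

def bits2int(b, qlen):
    """RFC 6979 2.3.2: the leftmost qlen bits of b as an integer."""
    x = int.from_bytes(b, "big")
    blen = len(b) * 8
    return x >> (blen - qlen) if blen > qlen else x

def bits2octets(b, q, qlen):
    """RFC 6979 2.3.4: bits2int, reduce once by q if needed, then int2octets."""
    z1 = bits2int(b, qlen)
    z2 = z1 - q if z1 >= q else z1
    return int2octets(z2, qlen)

def deterministic_k(q, x, msg, hashfunc=hashlib.sha256, pad=True):
    """RFC 6979 3.2: HMAC_DRBG-style derivation of k from private key x and msg."""
    qlen = q.bit_length()
    h1 = hashfunc(msg).digest()
    hlen = len(h1)
    V, K = b"\x01" * hlen, b"\x00" * hlen
    seed = int2octets(x, qlen, pad) + bits2octets(h1, q, qlen)   # steps d and f
    K = hmac.new(K, V + b"\x00" + seed, hashfunc).digest()
    V = hmac.new(K, V, hashfunc).digest()
    K = hmac.new(K, V + b"\x01" + seed, hashfunc).digest()
    V = hmac.new(K, V, hashfunc).digest()
    while True:                                                   # step h
        T = b""
        while len(T) * 8 < qlen:
            V = hmac.new(K, V, hashfunc).digest()
            T += V
        k = bits2int(T, qlen)
        if 1 <= k < q:
            return k
        K = hmac.new(K, V + b"\x00", hashfunc).digest()
        V = hmac.new(K, V, hashfunc).digest()

def padding_matters(q, x, msg):
    """True when the minimal-encoding defect would change k for this private key."""
    return deterministic_k(q, x, msg) != deterministic_k(q, x, msg, pad=False)
```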
v1.1.0.38
Demo: 2025-01-14
Prod: 2025-01-31
ATTENTION: THIS RELEASE INTRODUCES SEVERAL IMPORTANT CHANGES AND INCOMPATIBILITIES RELATED TO THE EDDSA sigGen 1.0, SLH-DSA, ML-DSA, AND ML-KEM ALGORITHM TESTING. PLEASE READ THE RELEASE NOTES THAT FOLLOW CAREFULLY. IF YOU HAVE ANY QUESTIONS, FEEL FREE TO OPEN A NEW ISSUE AT https://github.com/usnistgov/ACVP/issues OR https://github.com/usnistgov/ACVP-Server/issues.
- EDDSA sigGen 1.0
- Testing is updated to make the contextLength registration property mandatory, when applicable, i.e., when curve contains ED-448 or preHash == true. contextLength is now also disallowed when not applicable, i.e., when curve == ED-25519 and preHash == false.
- Addresses #359
- Fixes an issue where test cases could include contexts with lengths that are unsupported as per the supplied registration.
- ML-DSA sigGen FIPS204, ML-DSA sigVer FIPS204, SLH-DSA sigGen FIPS205, and SLH-DSA sigVer FIPS205 - Updates ML-DSA and SLH-DSA sign and verify testing to include tests for the external interfaces defined in FIPS 204 Section 5 and FIPS 205 Section 10. Also updates the ML-DSA sign and verify testing to support externally computed mu as allowed in the FIPS 204 comments for Algorithm 7 Line 6 and Algorithm 8 Line 7.
- Please note that adding support for ML-DSA and SLH-DSA external interface testing changes the format of ML-DSA and SLH-DSA sigGen and sigVer registrations significantly. Please consult the ML-DSA and SLH-DSA algorithm specifications at https://pages.nist.gov/ACVP/#supported and the sample test vectors at https://github.com/usnistgov/ACVP-Server/tree/master/gen-val/json-files for the updated formats for ML-DSA and SLH-DSA sigGen and sigVer registrations.
- Please also note that any ML-DSA and SLH-DSA sigGen and sigVer test vectors that were generated on an ACVTS release prior to v1.1.0.38 cannot have their responses submitted for validation using an ACVTS release >= v1.1.0.38. Any such test vectors will need to be abandoned and new test vectors created.
- ML-KEM encapDecap FIPS203 - ML-KEM encapDecap FIPS203 decapsulation test vectors that were generated on an ACVTS release prior to v1.1.0.38 cannot have their responses submitted for validation using an ACVTS release >= v1.1.0.38. Any such test vectors will need to be abandoned and new test vectors created.
- SHAKE-128 1.0 and SHAKE-256 1.0 - Corrects issue where message digest values were computed incorrectly for non-byte-aligned outputLens. (Note that the completeness of this fix is still being investigated relative to some recent feedback.)
v1.1.0.37
Demo: 2024-11-5
Prod: 2024-11-16
- KDA HKDF SP800-56Cr1 and KDA HKDF SP800-56Cr2 - Updates testing to provide an error message when a registration is missing the required macSaltMethods property.
- TupleHash-128 and TupleHash-256 - Updates testing to include the hexCustomization property in the prompt
- sample JSON files:
- Removes sample SHA3-224-1.0 JSON files as the SHA3 1.0 testing is deprecated.
- Updates the SLH-DSA keyGen FIPS205, SLH-DSA sigGen FIPS205, and SLH-DSA sigVer FIPS205 sample JSON files to include test cases for all SLH-DSA parameter sets instead of for a representative subset of the parameter sets.
v1.1.0.36
Demo: 2024-10-7
Prod: 2024-10-11
- ECDSA sigGen FIPS186-5 and ECDSA sigVer FIPS186-5 - updates testing to use the correct output lengths when SHAKE128 and SHAKE256 are used.
- ECDSA sigGen 1.0 and ECDSA sigGen FIPS186-5 - improves error handling to provide error messages that are more descriptive.
- ECDSA sigVer 1.0 and ECDSA sigVer FIPS186-5 - removes support for the componentTest registration property.
- EDDSA sigGen FIPS186-5 - fixes an issue where test cases with non-zero length contexts were provided for IUTs that indicated support for "contextLength": [0].
- sample JSON files - corrects an issue where the SHA2-384, SHA2-512, SHA2-512-224, and SHA2-512-256 sample JSON files were computed using the SHA2-256 algorithm.
- KDA HKDF Sp800-56Cr2 and KDA TwoStep Sp800-56Cr2 - updates error messages to use the correct casing when referring to the usesSharedHybridSecret and auxSharedSecretLen registration properties.
- ACVP-AES-CCM - updates testing to allow 96-bit nonce lengths.
- ACVP-AES-XTS 2.0 - Addresses issue where test cases sometimes used an invalid Data Unit Sequence Number or sequenceNumber.
- RSA sigGen FIPS186-5 and RSA sigVer FIPS186-5 - updates testing to reject registrations that include maskFunction or saltLen for pkcs1v1.5.
- RSA sigGen FIPS186-5 - updates testing to no longer include the maskFunction and saltLen properties for the pkcs1v1.5 tests.
v1.1.0.35
Demo: 2024-6-14
Prod: 2024-7-23
- New Algorithms:
- SLH-DSA keyGen FIPS205, SLH-DSA sigGen FIPS205 and SLH-DSA sigVer FIPS205 - adds testing for Stateless Hash-Based Digital Signature Standard algorithms.
- ML-KEM keyGen FIPS 203 - updates testing to include domain separation. Domain separation for key generation did not appear in the FIPS 203 Initial Public Draft, but was added in the final published version of FIPS 203. See FIPS 203 Appendix C.2. (https://csrc.nist.gov/pubs/fips/203/final)
- ML-DSA keyGen FIPS 204 - updates testing to include domain separation. Domain separation for key generation did not appear in the FIPS 204 Initial Public Draft, but was added in the final published version of FIPS 204. See FIPS 204 Appendix D.3. (https://csrc.nist.gov/pubs/fips/204/final)
- ECDSA sigVer FIPS186-5 - addresses issue where test groups using SHAKE were incorrectly identified as being component tests.
- EDDSA sigGen FIPS186-5 - Adds a check to enforce the requirement that at least one of the "pure" or "preHash" registration properties must be set to "true."
- RSA keyGen FIPS186-5
- addresses an issue where submitting the response resulted in "General exception. Contact service provider."
- updates testing to indicate which hash algorithm is used for probableWithProvableAux
- GenValAppRunner sample application - changes the flag used to specify the "answer" file from "-a" to "-n" as .NET now uses "-a" to specify architecture.
2024-8-13 Prod Update
On 2024-8-13 the following algorithms were enabled on ACVTS Prod:
- SLH-DSA keyGen FIPS205, SLH-DSA sigGen FIPS205 and SLH-DSA sigVer FIPS205
- ML-DSA keyGen FIPS204, ML-DSA sigGen FIPS204 and ML-DSA sigVer FIPS204
- ML-KEM keyGen FIPS203 and ML-KEM encapDecap FIPS203
v1.1.0.34
Demo: 2024-4-1
Prod: 2024-6-6
- New Algorithms (Demo only):
- ML-DSA keyGen FIPS204, ML-DSA sigGen FIPS204 and ML-DSA sigVer FIPS204 - testing for Module-Lattice-Based Digital Signature Standard based on the FIPS 204 Initial Public Draft.
- NOTE: The ML-DSA testing was updated on 5/23/24 to incorporate updates to the FIPS 204 draft and to add the messageLength registration property to ML-DSA sigGen FIPS204. For more information, refer to the comments included in the following discussion: #332.
- ML-KEM encapDecap FIPS203 and ML-KEM keyGen FIPS203 - testing for Module-Lattice-Based Key-Encapsulation Mechanism based on the FIPS 203 Initial Public Draft
- AES-GCM-SIV - addresses an issue where, when an IUT reports that a decryption operation which should fail has failed, the server marks the IUT's result as being incorrect. Fix provided by jvdsn at #308.
- ECDSA keyGen FIPS186-5, ECDSA keyVer FIPS186-5, ECDSA sigGen FIPS186-5, ECDSA sigVer FIPS186-5, DetECDSA sigGen FIPS186-5 - adds testing for the B and K curves
- ECDSA sigGen FIPS186-5 and ECDSA sigVer FIPS186-5 - updates testing to use the correct output lengths for SHAKE-128 and SHAKE-256
- EDDSA sigGen 1.0 - Adds support for custom contextLength based on support outlined in sections 7.6 and 7.8 of FIPS 186-5
- RSA keyGen FIPS186-5 - removes support for testing the 15360 modulus. The runtimes involved in testing this modulus are too high.
v1.1.0.33
Demo: 2024-1-31
Prod: 2024-2-9
- EDDSA keyGen 1.0 - Adds check to ensure that user-supplied private key D values conform to FIPS 186-5 requirements
- RSA keyGen FIPS186-5 - updates testing to no longer require auxiliary values for deferred test cases
- RSA sigVer FIPS186-5 - removes SHA1 as a valid hash function
- hashDRBG, hmacDRBG, ctrDRBG - Updates testing to check that entropy input length + nonce length is >= 3/2 of the security strength, in place of requiring that the nonce length be >= 1/2 of the security strength in bits.
- ACVP-AES-XTS 2.0 - Addresses an issue where the tweak value was sometimes incremented incorrectly
- GenValAppRunner sample application - Adds a feature whereby the correctness of algorithm capabilities can be verified without starting the Orleans server.
v1.1.0.32
Demo: 2023-11-21
Prod: 2023-12-14
- Purchase endpoint - The /purchase endpoint is updated to allow a purchaseOrderNumber to be supplied as part of the request. An optional purchase order number can be included in the request and will be included on the invoice from NIST for the purchase. See https://github.com/usnistgov/ACVP-Server/wiki/ACVTS-Purchasing-Endpoints#2-purchase for additional information.
- ConditioningComponent AES-CBC-MAC SP800-90B - Adds support for the IUT to be able to supply the key used for testing
- KDA HKDF Sp800-56Cr2
- Fixes an issue where, when a required registration property was omitted from the registration, an error was logged to the prompt file instead of the registration being rejected with an error citing the missing property.
- Adds the saltLens registration property to support IUTs that are constrained by the salt lengths that they support.
- LMS sigVer 1.0 - Addresses an issue related to parsing unusual public keys
- RSA decryptionPrimitive Sp800-56Br2 - Adds support for testing IUTs that require a fixed public exponent
- SHA1, SHA2-, and SHA3- - Corrects an issue where the server computed incorrect results for the "MCT" testType when mctVersion was set to "alternate".
Prod Update: 2024-01-18
- RSA signaturePrimitive 2.0 algorithm enabled on Prod
v1.1.0.31
Demo: 2023-9-21
Prod: 2023-10-6
CLIENT BREAKING CHANGE: SEE THE RSA decryptionPrimitive Sp800-56Br2 and RSA signaturePrimitive 2.0 SECTIONS OF THE RELEASE NOTES BELOW
- RSA decryptionPrimitive Sp800-56Br2 - renames the "modulus" registration property to "modulo" to be consistent with other RSA testing.
- RSA signaturePrimitive 2.0 - renames the "modulus" registration property to "modulo" to be consistent with other RSA testing.
- RSA sigGen FIPS186-5 - Updates the MGF1 mask function to account for the proper output lengths for SHAKE128 and SHAKE256 as defined by FIPS 186-5, i.e., to use 256 and 512 bits (instead of 128 and 256 bits).
- hashDRBG and hmacDRBG - adds SHA3-224, SHA3-256, SHA3-384, and SHA3-512 as newly supported modes.
- RSA keyGen FIPS186-5 - corrects an issue where test cases using the "standard" keyFormat were being marked as "failed" with the error "Internal key is unexpected type".
- RSA keyGen FIPS186-4 and RSA sigVer FIPS186-4 - resolves an issue where the supplied values for e were, in some cases, invalid.
- LMS keyGen 1.0 - Addresses truncation issue with M=24. Note: this issue only presented when generating test vectors using the GenValAppRunner as opposed to obtaining test vectors via ACVTS.
- Corrects issue where the timestamps returned by GET /testSessions/{testSessionId} were not in RFC3339 format with no local timezone adjustment, e.g., 2018-06-01T20:10:33Z.