
Releases: usnistgov/ACVP-Server

v1.1.0.35

15 Aug 17:06

Demo: 2024-6-14
Prod: 2024-7-23

  • New Algorithms:
    • SLH-DSA keyGen FIPS205, SLH-DSA sigGen FIPS205 and SLH-DSA sigVer FIPS205 - adds testing for Stateless Hash-Based Digital Signature Standard algorithms.
  • ML-KEM keyGen FIPS 203 - updates testing to include domain separation. Domain separation for key generation did not appear in the FIPS 203 Initial Public Draft, but was added in the final published version of FIPS 203. See FIPS 203 Appendix C.2. (https://csrc.nist.gov/pubs/fips/203/final)
  • ML-DSA keyGen FIPS 204 - updates testing to include domain separation. Domain separation for key generation did not appear in the FIPS 204 Initial Public Draft, but was added in the final published version of FIPS 204. See FIPS 204 Appendix D.3. (https://csrc.nist.gov/pubs/fips/204/final)
  • ECDSA sigVer FIPS186-5 - addresses issue where test groups using SHAKE were incorrectly identified as being component tests.
  • EDDSA sigGen FIPS186-5 - Adds a check to enforce the requirement that at least one of the "pure" or "preHash" registration properties must be set to "true".
  • RSA keyGen FIPS186-5
    • addresses an issue where submitting the response resulted in "General exception. Contact service provider."
    • updates testing to indicate which hash algorithm is used for probableWithProvableAux
  • GenValAppRunner sample application - changes the flag used to specify the "answer" file from "-a" to "-n" as .NET now uses "-a" to specify architecture.
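The key-generation domain separation described in the ML-KEM and ML-DSA bullets above, as an added example that is not code from the ACVP-Server project or from this page: it shows the seed-expansion step as read from the final FIPS 203 (K-PKE.KeyGen, G(d || k)) and FIPS 204 (ML-DSA.KeyGen_internal, H(xi || k || l)) texts next to the Initial Public Draft form, so an implementer can see why vectors generated against the draft no longer match. The parameter-set tables, the seed values and the helper names are assumptions constructed for this example.

```python
import hashlib

# Constructed 32-byte seeds for demonstration only (not official ACVTS test vectors).
D_SEED = bytes(range(32))        # ML-KEM seed d
XI_SEED = bytes(range(32, 64))   # ML-DSA seed xi

# Assumed parameter tables: ML-KEM k per parameter set, ML-DSA (k, l) per parameter set.
MLKEM_K = {"ML-KEM-512": 2, "ML-KEM-768": 3, "ML-KEM-1024": 4}
MLDSA_KL = {"ML-DSA-44": (4, 4), "ML-DSA-65": (6, 5), "ML-DSA-87": (8, 7)}


def mlkem_seed_expand(d: bytes, param_set: str, final: bool = True) -> tuple:
    """Step 1 of K-PKE.KeyGen: derive (rho, sigma) from d with G = SHA3-512.
    IPD form: G(d). Final FIPS 203 form: G(d || k) with k as one byte (Appendix C.2)."""
    if len(d) != 32:
        raise ValueError("d must be 32 bytes")
    k = MLKEM_K[param_set]
    g_in = d + bytes([k]) if final else d
    out = hashlib.sha3_512(g_in).digest()
    return out[:32], out[32:]


def mldsa_seed_expand(xi: bytes, param_set: str, final: bool = True) -> tuple:
    """Step 1 of ML-DSA.KeyGen_internal: derive (rho, rho', K) with H = SHAKE256, 128 bytes out.
    IPD form: H(xi). Final FIPS 204 form: H(xi || IntegerToBytes(k,1) || IntegerToBytes(l,1)) (Appendix D.3)."""
    if len(xi) != 32:
        raise ValueError("xi must be 32 bytes")
    k, l = MLDSA_KL[param_set]
    h_in = xi + bytes([k, l]) if final else xi
    out = hashlib.shake_256(h_in).digest(128)
    return out[:32], out[32:96], out[96:]


def domain_separation_effective(d: bytes) -> bool:
    """With domain separation the same d gives distinct seeds for each ML-KEM parameter set;
    without it (IPD behaviour) all three parameter sets collide on the same (rho, sigma)."""
    final_seeds = {mlkem_seed_expand(d, p, final=True) for p in MLKEM_K}
    ipd_seeds = {mlkem_seed_expand(d, p, final=False) for p in MLKEM_K}
    return len(final_seeds) == len(MLKEM_K) and len(ipd_seeds) == 1


if __name__ == "__main__":
    for name in MLKEM_K:
        rho, _ = mlkem_seed_expand(D_SEED, name)
        print(name, "rho(final) =", rho.hex()[:16], "...")
    print("domain separation effective:", domain_separation_effective(D_SEED))
```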

2024-8-13 Prod Update
On 2024-8-13 the following algorithms were enabled on ACVTS Prod:

  • SLH-DSA keyGen FIPS205, SLH-DSA sigGen FIPS205 and SLH-DSA sigVer FIPS205
  • ML-DSA keyGen FIPS204, ML-DSA sigGen FIPS204 and ML-DSA sigVer FIPS204
  • ML-KEM keyGen FIPS203 and ML-KEM encapDecap FIPS203

v1.1.0.34

23 May 19:22

Demo: 2024-4-1
Prod: 2024-6-6

  • New Algorithms (Demo only):
    • ML-DSA keyGen FIPS204, ML-DSA sigGen FIPS204 and ML-DSA sigVer FIPS204 - testing for Module-Lattice-Based Digital Signature Standard based on the FIPS 204 Initial Public Draft.
      • NOTE: The ML-DSA testing was updated on 5/23/24 to incorporate updates to the FIPS 204 draft and to add the messageLength registration property to ML-DSA sigGen FIPS204. For more information, refer to the comments included in the following discussion: #332.
    • ML-KEM encapDecap FIPS203 and ML-KEM keyGen FIPS203 - testing for Module-Lattice-Based Key-Encapsulation Mechanism based on the FIPS 203 Initial Public Draft
  • AES-GCM-SIV - addresses an issue where, when an IUT reports that a decryption operation which should fail has failed, the server marks the IUT's result as being incorrect. Fix provided by jvdsn at #308.
  • ECDSA keyGen FIPS186-5, ECDSA keyVer FIPS186-5, ECDSA sigGen FIPS186-5, ECDSA sigVer FIPS186-5, DetECDSA sigGen FIPS186-5 - adds testing for the B and K curves
  • ECDSA sigGen FIPS186-5 and ECDSA sigVer FIPS186-5 - updates testing to use the correct output lengths for SHAKE-128 and SHAKE-256
  • EDDSA sigGen 1.0 - Adds support for custom contextLength based on support outlined in sections 7.6 and 7.8 of FIPS 186-5
  • RSA keyGen FIPS186-5 - removes support for testing the 15360 modulus. The runtimes involved in testing this modulus are too high.

v1.1.0.33

31 Jan 21:26

Demo: 2024-1-31
Prod: 2024-2-9

  • EDDSA keyGen 1.0 - Adds check to ensure that user-supplied private key D values conform to FIPS 186-5 requirements
  • RSA keyGen FIPS186-5 - updates testing to no longer require auxiliary values for deferred test cases
  • RSA sigVer FIPS186-5 - removes SHA1 as a valid hash function
  • hashDRBG, hmacDRBG, ctrDRBG - Updates testing to check that entropy input length + nonce length is >= 3/2 × security strength, in place of requiring the nonce length alone to be >= 1/2 × security strength bits.
  • ACVP-AES-XTS 2.0 - Addresses an issue where the tweak value was sometimes incremented incorrectly
  • GenValAppRunner sample application - Adds a feature whereby the correctness of algorithm capabilities can be verified without starting the Orleans server.

v1.1.0.32

15 Dec 18:47

Demo: 2023-11-21
Prod: 2023-12-14

  • Purchase endpoint - The /purchase endpoint is updated to allow an optional purchaseOrderNumber to be supplied as part of the request; when supplied, it is included on the invoice from NIST for the purchase. See https://github.com/usnistgov/ACVP-Server/wiki/ACVTS-Purchasing-Endpoints#2-purchase for additional information.
  • ConditioningComponent AES-CBC-MAC SP800-90B - Adds support for the IUT to be able to supply the key used for testing
  • KDA HKDF Sp800-56Cr2
    • Fixes an issue where, when a required registration property was omitted from the registration, an error was logged to the prompt file instead of the registration being rejected with an error citing the omission.
    • Adds the saltLens registration property to support IUTs that are constrained by the salt lengths that they support.
  • LMS sigVer 1.0 - Addresses an issue related to parsing unusual public keys
  • RSA decryptionPrimitive Sp800-56Br2 - Adds support for testing IUTs that require a fixed public exponent
  • SHA1, SHA2-*, and SHA3-* - Corrects an issue where the server computed incorrect results for the "MCT" testType when mctVersion was set to "alternate".

Prod Update: 2024-01-18

  • RSA signaturePrimitive 2.0 algorithm enabled on Prod

v1.1.0.31

22 Sep 14:05

Demo: 2023-9-21
Prod: 2023-10-6

CLIENT BREAKING CHANGE: SEE THE RSA decryptionPrimitive Sp800-56Br2 and RSA signaturePrimitive 2.0 SECTIONS OF THE RELEASE NOTES BELOW

  • RSA decryptionPrimitive Sp800-56Br2 - renames the "modulus" registration property to "modulo" to be consistent with other RSA testing.
  • RSA signaturePrimitive 2.0 - renames the "modulus" registration property to "modulo" to be consistent with other RSA testing.
  • RSA sigGen FIPS186-5 - Updates the MGF1 mask function to account for the proper output lengths for SHAKE128 and SHAKE256 as defined by FIPS 186-5, i.e., to use 256 and 512 bits (instead of 128 and 256 bits).
  • hashDRBG and hmacDRBG - adds SHA3-224, SHA3-256, SHA3-384, and SHA3-512 as newly supported modes.
  • RSA keyGen FIPS186-5 - corrects an issue where test cases using the "standard" keyFormat were being marked as "failed" with the error "Internal key is unexpected type".
  • RSA keyGen FIPS186-4 and RSA sigVer FIPS186-4 - resolves an issue where the supplied values for e were, in some cases, invalid.
  • LMS keyGen 1.0 - Addresses truncation issue with M=24. Note: this issue only presented when generating test vectors using the GenValAppRunner as opposed to obtaining test vectors via ACVTS.
  • Corrects an issue where the timestamps returned by GET /testSessions/{testSessionId} were not in RFC 3339 UTC format with no local timezone adjustment, e.g., 2018-06-01T20:10:33Z.

v1.1.0.30

17 Jul 16:20

Demo: 2023-7-13
Prod: 2023-7-26

CLIENT BREAKING CHANGE: SEE THE SHA1, SHA2-* and SHA3-* SECTIONS OF THE RELEASE NOTES BELOW

  • SHA1 and SHA2-* - The MCT update that was introduced in release v1.1.0.28-hotfix-1 is reworked to account for what is expected of test harnesses. This is a client breaking change. The pseudocode that must be implemented in a test harness has changed. In the new version of the MCT pseudocode the test harness is no longer required to have knowledge of the contents of the algorithm registration. See the updated SHA1/SHA2 MCT pseudocode in the SHA ACVP algorithm specification.
  • SHA3-* - The MCT update that was introduced in release v1.1.0.29 is reworked to account for what is expected of test harnesses. This is a client breaking change. The pseudocode that must be implemented in a test harness has changed. In the new version of the MCT pseudocode the test harness is no longer required to have knowledge of the contents of the algorithm registration. See the updated SHA3 MCT pseudocode in the SHA3 ACVP algorithm specification.
  • EdDSA sigVer 1.0 - Updates testing to honor "preHash": true
  • KDF KMAC Sp800-108r1 - Fixes issue where ACVTS would sometimes generate incorrect answers.
  • AES-XTS 2.0 - Corrects how AES XTS tweak is incremented for Multi-data unit payloads

v1.1.0.29-hotfix-1

09 Jun 20:00

Demo: 2023-6-9
Prod: 2023-6-23

CLIENT BREAKING CHANGE: SEE THE ConditioningComponent BlockCipher_DF SP800-90B SECTION OF THE RELEASE NOTES BELOW

  • ConditioningComponent BlockCipher_DF SP800-90B - Adds outputLen as a required registration property. This is a CLIENT BREAKING CHANGE. Clients must provide outputLen for ConditioningComponent BlockCipher_DF SP800-90B registrations.
  • RSA sigGen FIPS186-5 and RSA sigVer FIPS186-5
    • Further updates to testing so that correct OIDs for the SHA3 algorithms are used
  • kdf-components tls 1.0 - adds keyBlockLength as an optional registration property.
  • SHA3-* 2.0 - updates MCT so that IUTs that do not support digestSize as a supported messageLength can be tested. This completes the update begun in the v1.1.0.29 release; part of it was missing from that release.

v1.1.0.29

01 Jun 18:07

Demo: 2023-06-01

  • New Algorithm (Demo Only):
    • RSA signaturePrimitive 2.0 - Tests RSASP1 from RFC 3447. Whereas RSA signaturePrimitive 1.0 only supports testing a 2048 bit modulus, RSA signaturePrimitive 2.0 supports testing the 2048, 3072 and 4096 moduli.
  • RSA sigGen FIPS186-5 and RSA sigVer FIPS186-5
    • updates testing to use the correct OIDs for the SHA3 algorithms
    • Updates PSS to support the correct max salt lengths for SHAKE-128 and SHAKE-256. Corrects the output lengths used when SHAKE-128 or SHAKE-256 are used for the PSS "Hash".
  • EDDSA keyGen 1.0 - removes secretGenerationMode as a valid registration property
  • SHA3-* 2.0 - updates MCT so that IUTs that do not support digestSize as a supported messageLength can be tested
  • TLS-v1.2 KDF RFC7627 - Adds keyBlockLength as a registration property. If keyBlockLength is omitted, a 1024-bit key block length is assumed
  • ACVP-AES-FF1 1.0 - Adds corner cases for AES-FF1 testing on particular radix-payloadLength pairs to catch rounding errors
  • LMS sigGen 1.0 - Fixes issue where test cases were not generated when "isSample": false

v1.1.0.28-hotfix-2

01 May 18:30

Demo: 2023-4-28
Prod: 2023-4-28

  • LMS sigVer 1.0 - Fixes an issue where signature verification tests that should not fail are marked as failing.
  • RSA decryptionPrimitive Sp800-56Br2 - Includes additional test case information in the prompt file, i.e., values for e, p, q, n & d. Updates the testing to check for the failure conditions identified in section 7.1.2 of SP 800-56Br2, i.e., "c: the ciphertext; an integer such that 1 < c < (n – 1)".

Prod Update: 2023-05-12

  • RSA decryptionPrimitive Sp800-56Br2 algorithm enabled on Prod.

v1.1.0.28-hotfix-1

27 Mar 17:59

Demo: 2023-3-24
Prod: 2023-4-12

  • LMS keyGen 1.0 - Decreases the number of test cases.
  • SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 - The MCTs are updated to support the case where !SupportedMessageLengths.Contains(3*digestSize), a limitation of the original MCT design. This change is backwards compatible.

Prod Update: 2023-04-19

  • LMS keyGen 1.0, LMS sigGen 1.0 and LMS sigVer 1.0 algorithms enabled on Prod.