FoxCryptoNL / xmss-library

Production ready C library for XMSS.
https://github.com/FoxCryptoNL/xmss
MIT License

Common Criteria / FIPS? #2

Open deknos opened 9 months ago

deknos commented 9 months ago

Hello, on https://github.com/FoxCryptoNL/xmss you mention you want to have it on the quality so it can be used for Software and Services which fulfill Common Criteria standards. Do you also consider having it FIPS-certified?

Kind regards

dorssel commented 9 months ago

XMSS is not part of any FIPS standard. It is also not part of the NIST Cryptographic Algorithm Validation Program. NIST does have a recommendation for XMSS in NIST SP 800-208, which this library follows. Note that the recommendation includes requirements for the hardware platform running the XMSS library, which is beyond the scope of this software library (but the library is compatible with those requirements). All-in-all, a generic NIST validation is not possible; only a complete product (including the hardware platform) evaluation would be possible.

Common Criteria (and possibly other evaluation standards) do provide component evaluation, which allows for certification of the library itself. That certainly is in scope of this project and, in fact, planned for the near future.

deknos commented 9 months ago

You are right, that XMSS is not part of FIPS, but SHA algorithms are. And if you want to run in FIPS mode, which is a requirement for some operational modes of systems running in some protection profiles, then your hash algorithms have to be certified as well regarding 180-4 / 202. And from a glance, I only see OpenSSL embedded in the tests but you seem to have your own implementation of SHA and SHAKE algorithms in your src/, no? I mean you even seem to do zeroisation which is a requirement for proper FIPS modes?

Do I mix up things or misunderstand something here?

dorssel commented 9 months ago

We do include both SHA-2 and SHA-3 default implementations. However, we do not expect users of our library to use our library just to get a FIPS-certified hash implementation. In fact, one use of the library is to easily plug in your own (possibly already certified) existing hash implementation. In that case, the default implementation will in fact not be part of the binary image.

In short: we will not do a FIPS certification ourselves just for the sake of getting the hash functions certified. There are plenty of certified hash implementations available. And in most cases we expect users with certified hardware to plug in a hardware-accelerated platform implementation. The XMSS library we provide is all about implementing the XMSS algorithm in a robust, production-ready manner, with regard for fault tolerance and secure backup (partitioning, in our case of statefulness). We use any hash implementation; we only provide a default implementation in case an existing platform implementation is not available (neither in the existing code base, nor in hardware).

That said, the hash implementations we provide are part of the same development security as the rest of the library, and they will withstand the scrutiny of evaluation. But a FIPS certification for just the hashing part, without an evaluation of the XMSS implementation itself, does not make much sense to us. Unless you require it, for legal reasons or so. In that case you have the option to either plug in an already certified implementation, or sponsor the certification of our implementation, which we are willing to cooperate with.