fndsa comments

README.md

@@ -120,7 +120,6 @@ The prod server (acvts.nist.gov) also supports ACVP version 1.0, with the same e
 * [AES-XTS 2.0](https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.txt) - [HTML](https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.html)
 * [AES-FF1](https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.txt) - [HTML](https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.html)
 * [AES-FF3-1](https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.txt) - [HTML](https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.html) - DEMO only
-* [Ascon-AEAD128](https://pages.nist.gov/ACVP/draft-ross-acvp-ascon.txt) - [HTML](https://pages.nist.gov/ACVP/draft-ross-acvp-ascon.html)
 * [TDES-CBC](https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.txt) - [HTML](https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.html)
 * [TDES-CBCI](https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.txt) - [HTML](https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.html)
 * [TDES-CFB1](https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.txt) - [HTML](https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.html)
@@ -136,7 +135,6 @@ The prod server (acvts.nist.gov) also supports ACVP version 1.0, with the same e
 * [TDES-OFBI](https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.txt) - [HTML](https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.html)
 
 ### Secure Hash
-* [Ascon-Hash256](https://pages.nist.gov/ACVP/draft-ross-acvp-ascon.txt) - [HTML](https://pages.nist.gov/ACVP/draft-ross-acvp-ascon.html)
 * [SHA-1](https://pages.nist.gov/ACVP/draft-celi-acvp-sha.txt) - [HTML](https://pages.nist.gov/ACVP/draft-celi-acvp-sha.html)
 * [SHA-224](https://pages.nist.gov/ACVP/draft-celi-acvp-sha.txt) - [HTML](https://pages.nist.gov/ACVP/draft-celi-acvp-sha.html)
 * [SHA-256](https://pages.nist.gov/ACVP/draft-celi-acvp-sha.txt) - [HTML](https://pages.nist.gov/ACVP/draft-celi-acvp-sha.html)
@@ -154,8 +152,6 @@ The prod server (acvts.nist.gov) also supports ACVP version 1.0, with the same e
 * [SHA3-512 2.0](https://pages.nist.gov/ACVP/draft-celi-acvp-sha3.txt) - [HTML](https://pages.nist.gov/ACVP/draft-celi-acvp-sha3.html)
 
 ### XOFs
-* [Ascon-XOF128](https://pages.nist.gov/ACVP/draft-ross-acvp-ascon.txt) - [HTML](https://pages.nist.gov/ACVP/draft-ross-acvp-ascon.html)
-* [Ascon-CXOF128](https://pages.nist.gov/ACVP/draft-ross-acvp-ascon.txt) - [HTML](https://pages.nist.gov/ACVP/draft-ross-acvp-ascon.html)
 * [SHAKE-128](https://pages.nist.gov/ACVP/draft-celi-acvp-sha3.txt) - [HTML](https://pages.nist.gov/ACVP/draft-celi-acvp-sha3.html)
 * [SHAKE-256](https://pages.nist.gov/ACVP/draft-celi-acvp-sha3.txt) - [HTML](https://pages.nist.gov/ACVP/draft-celi-acvp-sha3.html)
 * [cSHAKE-128](https://pages.nist.gov/ACVP/draft-celi-acvp-xof.txt) - [HTML](https://pages.nist.gov/ACVP/draft-celi-acvp-xof.html)
@@ -371,6 +367,11 @@ Standalone KDA testing from SP800-56Cr1 or SP800-56Cr2. Can be used in conjuncti
 * [ML-KEM keyGen](https://pages.nist.gov/ACVP/draft-celi-acvp-ml-kem.txt) - [HTML](https://pages.nist.gov/ACVP/draft-celi-acvp-ml-kem.html)
 * [ML-KEM encapDecap](https://pages.nist.gov/ACVP/draft-celi-acvp-ml-kem.txt) - [HTML](https://pages.nist.gov/ACVP/draft-celi-acvp-ml-kem.html)
 
+### NTRU Lattice-Based Signatures
+* [FN-DSA keyGen](https://pages.nist.gov/ACVP/draft-ciadoux-acvp-fn-dsa.txt) - [HTML](https://pages.nist.gov/ACVP/draft-ciadoux-acvp-fn-dsa.html)
+* [FN-DSA sigGen](https://pages.nist.gov/ACVP/draft-ciadoux-acvp-fn-dsa.txt) - [HTML](https://pages.nist.gov/ACVP/draft-ciadoux-acvp-fn-dsa.html)
+* [FN-DSA sigVer](https://pages.nist.gov/ACVP/draft-ciadoux-acvp-fn-dsa.txt) - [HTML](https://pages.nist.gov/ACVP/draft-ciadoux-acvp-fn-dsa.html)
+
 See [the algorithm endpoint](https://pages.nist.gov/ACVP/draft-fussell-acvp-spec.html#name-algorithms) to learn which algorithms are available on a given ACVP server.
 
 # Accessing the Demo Server

index.html

@@ -176,7 +176,6 @@ <h2 id="ciphers">Block Cipher Modes</h2>
 					<li><a href="https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.txt">AES-XTS 2.0</a> - <a href="https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.html">HTML</a></li>
 					<li><a href="https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.txt">AES-FF1</a> - <a href="https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.html">HTML</a></li>
 					<li><a href="https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.txt">AES-FF3-1</a> - <a href="https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.html">HTML</a> - DEMO only</li>
-					<li><a href="https://pages.nist.gov/ACVP/draft-ross-acvp-ascon.txt">Ascon-AEAD128</a> - <a href="https://pages.nist.gov/ACVP/draft-ross-acvp-ascon.html">HTML</a></li>
 					<li><a href="https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.txt">TDES-CBC</a> - <a href="https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.html">HTML</a></li>
 					<li><a href="https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.txt">TDES-CBCI</a> - <a href="https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.html">HTML</a></li>
 					<li><a href="https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.txt">TDES-CFB1</a> - <a href="https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.html">HTML</a></li>
@@ -194,7 +193,6 @@ <h2 id="ciphers">Block Cipher Modes</h2>
 
 				<h2 id="hashes">Secure Hash</h2>
 				<ul>
-					<li><a href="https://pages.nist.gov/ACVP/draft-ross-acvp-ascon.txt">Ascon-Hash256</a> - <a href="https://pages.nist.gov/ACVP/draft-ross-acvp-ascon.html">HTML</a></li>
 					<li><a href="https://pages.nist.gov/ACVP/draft-celi-acvp-sha.txt">SHA-1</a> - <a href="https://pages.nist.gov/ACVP/draft-celi-acvp-sha.html">HTML</a></li>
 					<li><a href="https://pages.nist.gov/ACVP/draft-celi-acvp-sha.txt">SHA-224</a> - <a href="https://pages.nist.gov/ACVP/draft-celi-acvp-sha.html">HTML</a></li>
 					<li><a href="https://pages.nist.gov/ACVP/draft-celi-acvp-sha.txt">SHA-256</a> - <a href="https://pages.nist.gov/ACVP/draft-celi-acvp-sha.html">HTML</a></li>
@@ -214,8 +212,6 @@ <h2 id="hashes">Secure Hash</h2>
 
 				<h2 id="xofs">XOFs</h2>
 				<ul>
-					<li><a href="https://pages.nist.gov/ACVP/draft-ross-acvp-ascon.txt">Ascon-XOF128</a> - <a href="https://pages.nist.gov/ACVP/draft-ross-acvp-ascon.html">HTML</a></li>
-					<li><a href="https://pages.nist.gov/ACVP/draft-ross-acvp-ascon.txt">Ascon-CXOF128</a> - <a href="https://pages.nist.gov/ACVP/draft-ross-acvp-ascon.html">HTML</a></li>
 					<li><a href="https://pages.nist.gov/ACVP/draft-celi-acvp-sha3.txt">SHAKE-128</a> - <a href="https://pages.nist.gov/ACVP/draft-celi-acvp-sha3.html">HTML</a></li>
 					<li><a href="https://pages.nist.gov/ACVP/draft-celi-acvp-sha3.txt">SHAKE-256</a> - <a href="https://pages.nist.gov/ACVP/draft-celi-acvp-sha3.html">HTML</a></li>
 					<li><a href="https://pages.nist.gov/ACVP/draft-celi-acvp-xof.txt">cSHAKE-128</a> - <a href="https://pages.nist.gov/ACVP/draft-celi-acvp-xof.html">HTML</a></li>
@@ -458,6 +454,13 @@ <h2 id="module-lattice-algorithms">Module-Lattice Algorithms</h2>
 					<li><a href="https://pages.nist.gov/ACVP/draft-celi-acvp-ml-kem.txt">ML-KEM encapsulation and decapsulation</a> - <a href="https://pages.nist.gov/ACVP/draft-celi-acvp-ml-kem.html">HTML</a></li>
 				</ul>
 
+				<h2 id="NTRU lattice-based-signatures">NTRU Lattice-Based Signatures</h2>
+				<ul>
+					<li><a href="https://pages.nist.gov/ACVP/draft-ciadoux-acvp-fn-dsa.txt">FN-DSA keyGen</a> - <a href="https://pages.nist.gov/ACVP/draft-ciadoux-acvp-fn-dsa.html">HTML</a></li>
+					<li><a href="https://pages.nist.gov/ACVP/draft-ciadoux-acvp-fn-dsa.txt">FN-DSA sigGen</a> - <a href="https://pages.nist.gov/ACVP/draft-ciadoux-acvp-fn-dsa.html">HTML</a></li>
+					<li><a href="https://pages.nist.gov/ACVP/draft-ciadoux-acvp-fn-dsa.txt">FN-DSA sigVer</a> - <a href="https://pages.nist.gov/ACVP/draft-ciadoux-acvp-fn-dsa.html">HTML</a></li>
+				</ul>
+
 				<p>See <a href="https://pages.nist.gov/ACVP/draft-fussell-acvp-spec.html#name-algorithms">the algorithm endpoint</a> to learn which algorithms are available on a given ACVP server.</p>
 
 				<h1 id="access">Accessing the Demo Server</h1>

src/draft-ciadoux-acvp-fn-dsa.adoc

@@ -0,0 +1,76 @@
+= ACVP FN-DSA JSON Specification
+:doctype: internet-draft
+:docname: acvp-fn
+:docnumber: draft-ciadoux-acvp-fn-dsa-01
+:abbrev: ACVP FN-DSA
+:ipr: trust200902
+:submission-type: independent
+:area: Internet
+:intended-series: informational
+:revdate: 2025-04-01
+:forename_initials: P.C.
+:lastname: Ciadoux
+:fullname: Pierre Ciadoux
+:organization: National Institute of Standards and Technology
+:street: 100 Bureau Drive
+:city: Gaithersburg
+:code: 20899
+:country: United States of America
+:email: pierre.ciadoux@nist.gov
+:role: editor
+:docfile: draft-ciadoux-acvp-fn-dsa.adoc
+:mn-document-class: ietf
+:mn-output-extensions: xml,rfc,txt,html
+:area: General
+:keyword: acvp, crypto
+
+// Singular name of the algorithm
+:spec-algorithm: FFT-Over-NTRU-Lattice-Based Digital Signature Algorithm (FN-DSA)
+:algo-short-name: FN-DSA
+
+include::common/common-sections/00-abstract.adoc[]
+
+include::common/common-sections/01-intro.adoc[]
+
+include::common/common-sections/02-conventions.adoc[]
+
+include::fn-dsa/sections/03-supported.adoc[]
+
+include::fn-dsa/sections/04-testtypes.adoc[]
+
+include::common/common-sections/05-capabilities-description.adoc[]
+
+include::common/common-sections/051-prerequisites.adoc[]
+
+include::fn-dsa/sections/05-capabilities.adoc[]
+
+include::fn-dsa/sections/05-fn-dsa-keygen-capabilities.adoc[]
+
+include::fn-dsa/sections/05-fn-dsa-siggen-capabilities.adoc[]
+
+include::fn-dsa/sections/05-fn-dsa-sigver-capabilities.adoc[]
+
+include::fn-dsa/sections/06-test-vectors.adoc[]
+
+include::fn-dsa/sections/06-fn-dsa-keygen-test-vectors.adoc[]
+
+include::fn-dsa/sections/06-fn-dsa-siggen-test-vectors.adoc[]
+
+include::fn-dsa/sections/06-fn-dsa-sigver-test-vectors.adoc[]
+
+include::fn-dsa/sections/07-responses.adoc[]
+
+include::fn-dsa/sections/07-fn-dsa-keygen-responses.adoc[]
+
+include::fn-dsa/sections/07-fn-dsa-siggen-responses.adoc[]
+
+include::fn-dsa/sections/07-fn-dsa-sigver-responses.adoc[]
+
+include::common/common-sections/10-security.adoc[]
+
+include::common/common-sections/11-iana.adoc[]
+
+include::common/common-sections/99-acknowledgements.adoc[]
+
+// References must be given before appendixes
+include::fn-dsa/sections/98-references.adoc[]

src/fn-dsa/sections/03-supported.adoc

@@ -0,0 +1,9 @@
+
+[#supported]
+== Supported FN-DSA Algorithms
+
+The following FN-DSA algorithms *MAY* be advertised by the ACVP compliant cryptographic module. The list is in the form "algorithm / mode / revision".
+
+* FN-DSA / keyGen / FIPS206
+* FN-DSA / sigGen / FIPS206
+* FN-DSA / sigVer / FIPS206

src/fn-dsa/sections/04-testtypes.adoc

@@ -0,0 +1,55 @@
+
+[#testtypes]
+== Test Types and Test Coverage
+
+[#ttypes]
+=== Test Types
+
+The ACVP server performs a set of tests on the specified FN-DSA algorithm in order to assess the correctness and robustness of the implementation. A typical ACVP validation session *SHALL* require multiple tests to be performed for every supported permutation of FN-DSA capabilities. This section describes the design of the tests used to validate implementations of the FN-DSA algorithms. The number of tests *MAY* vary but the minimum number required by each test type *SHALL* be included by the server. The test type describes the format of the test rather than the intention of the test. Multiple tests of the same test type *MAY* cover different assurances regarding the implementation. 
+
+==== FN-DSA KeyGen Test Types
+
+* FN-DSA / keyGen / * "AFT" - Algorithm Functional Test.
+
+For each test case provided, the IUT *SHALL* generate a key pair from a provided seed. The key pair is communicated to the ACVP server and compared against the key pair generated by the server. This tests the implementation of Algorithm 6 `FN-DSA.KeyGen_internal()` from <<FIPS206>>. The server *SHALL* provide at least 1000 tests for each combination of capabilities. Since the use of floating points or fixed points can induce differences in the key generation algorithm, a more comprehensive validation is performed.
+// TBD for more on that
+
+==== FN-DSA SigGen Test Types
+
+* FN-DSA / sigGen / * "AFT" - Algorithm Functional Test. 
+
+
+The IUT *SHALL* generate valid signatures based on the ACVP-provided message, mu (for external mu testing), private key, context (for external interface testing), hashAlg (for preHash testing), and randomness (for non-deterministic signature testing). The signature is then compared to the known signature by the ACVP server. This tests the implementation of Algorithm 2 `FN-DSA.Sign()`, Algorithm 4 `HashFN-DSA.Sign()`, and Algorithm 7 `FN-DSA.Sign_internal()` from <<FIPS206>>. 
+
+There are several assurances to obtain from AFTs. First is correctness of the algorithm implementation. The server *SHALL* include at least 15 tests for each combination of capabilities to meet this assurance. The `"hashAlg"` capability *MAY* be excluded from the combination of capabilities due to the number of supported hash functions. Each `"hashAlg"` provided by the IUT *SHALL* be covered within the at least 15 tests generated for each combination of capabilities. 
+
+// The second assurance is correctness under all rejection paths. Within FN-DSA sigGen, the algorithm enters a loop until a valid signature is found. The loop contains two potential reasons to reject a candidate signature: if the L2 norm of (s1, s2) is too large or if the infinity norm of (s1, s2) is too large. These two conditions occur with a rather low probability that can make it difficult to test each error condition with randomized testing. If an implementation adheres strictly to the pseudocode in <<FIPS206>>, the following table provides helpful known answer tests that trigger each rejection case exactly once. If the implementation varies from the pseudocode, it would be prudent to use a debugger or other tooling to ensure that all rejection cases are triggered by testing. TBD
+
+
+==== FN-DSA SigVer Test Types
+
+* FN-DSA / sigVer / * "AFT" - Algorithm Functional Test. 
+
+The IUT *SHALL* determine the validity of the signature based on the ACVP-provided message, mu (for external mu testing), context (for external interface testing), hashAlg (for preHash testing), public key, and signature. This tests the implementation of Algorithm 3 `FN-DSA.Verify()`, Algorithm 5 `HashFN-DSA.Verify()`, and Algorithm 8 `FN-DSA.Verify_internal()` from <<FIPS206>>. Tests for signature verification are performed by the server modifying a valid signature to obtain specific assurances from the implementation. The server *SHALL* include at least 3 tests for each modification type (including "valid signature") for all combinations of capabilities. The `"hashAlg"` capability *MAY* be excluded from the combination of capabilities due to the number of supported hash functions. Each `"hashAlg"` provided by the IUT *SHALL* be covered within the at least 15 tests generated for each combination of capabilities.
+
+The signature modifications are:
+
+* "valid signature and message - signature should verify successfully" - No modification is made and the signature is valid.
+* "modified message" - The message that was signed has been changed. The signature is not valid.
+* "modified signature" - The signature has been changed. The signature is not valid.
+* "modified signature - encoding minus 0" - A component of the signature, the positive sign bit for an encoded coefficient of 0 in s2, has been changed. The signature is not valid.
+
+[[test_coverage]]
+=== Test Coverage
+
+The tests described in this document have the intention of ensuring an implementation is conformant to <<FIPS206>>.
+
+[[requirements_covered]]
+==== Requirements Covered
+
+* The tests will ensure conformity and correctness of an implementation of the algorithms supported. 
+
+[[requirements_not_covered]]
+==== Requirements Not Covered
+
+* FIPS 206 Section 3.5. Additional Requirements. Requirements outlined in this section are not testable by an ACVP server. An ACVP server will not test the zeroization of intermediate values, security strength of the deterministic random bit generators (DRBGs), or incorrect length signatures or public keys.

src/fn-dsa/sections/05-capabilities.adoc

@@ -0,0 +1,15 @@
+
+[[prereq_algs]]
+=== Required Prerequisite Algorithms for FN-DSA Validations
+
+Each FN-DSA implementation relies on other cryptographic primitives. For example, FN-DSA keyGen uses an underlying SHA algorithm. Each of these underlying algorithm primitives must be validated, either separately or as part of the same submission. ACVP provides a mechanism for specifying the required prerequisites:
+
+[[rereqs_table]]
+.Required FN-DSA Prerequisite Algorithms JSON Values
+|===
+| JSON Value | Description | JSON Type | Valid Values
+
+| algorithm | a prerequisite algorithm | string | SHA, or DRBG
+| valValue | algorithm validation number| string | Actual number or "same"
+| prereqAlgVal | prerequisite algorithm validation | object with algorithm and valValue properties | See above
+|===

src/fn-dsa/sections/05-fn-dsa-keygen-capabilities.adoc

@@ -0,0 +1,37 @@
+
+[[FN-DSA_keyGen_capabilities]]
+=== FN-DSA keyGen Registration Properties
+
+Each FN-DSA keyGen algorithm capability advertised is a self-contained JSON object using the following values.
+
+[[FN-DSA_keygen_caps_table]]
+.FN-DSA keyGen Algorithm Capabilities JSON Values
+|===
+| JSON Value | Description | JSON Type | Valid Values
+
+| algorithm | The FN-DSA algorithm to be validated | string | "FN-DSA"
+| mode | The FN-DSA mode to be validated | string | "keyGen"
+| revision | The algorithm testing revision to use | string | "FIPS206"
+| prereqVals | Prerequisite algorithm validations | array of prereqAlgVal objects | See <<prereq_algs>>
+| parameterSets | The FN-DSA parameter sets supported | array of strings | "FN-DSA-512", "FN-DSA-1024"
+|===
+
+==== FN-DSA keyGen Mode Capabilities Example
+
+Below is an example of the registration for FN-DSA / keyGen / FIPS206
+
+[source, json]
+----
+{
+    "algorithm": "FN-DSA",
+    "mode": "keyGen",
+    "revision": "FIPS206",
+    "prereqVals": [
+        {
+            "algorithm": "SHAKE256",
+            "valValue": "123456"
+        }
+    ],
+    "parameterSets": ["FN-DSA-512", "FN-DSA-1024"]
+}
+----