Geomys Go FIPS 140-3

February 21, 2026

Go and FIPS 140 February update

v1.0.0 is In Review, v1.26.0 CAVP certificate issued, SP text draft ready for review, and new ML-DSA API

The v1.0.0 module is In Review!

The status of the v1.0.0 module is now In Review (12/4/2025), so we might get to the final Coordination step soon! This will also be the last opportunity to make changes to Vendor Affirmed OEs, if you need any.

Here’s what the lab had to say about this stage:

We have not yet been contacted about the module, though I would expect that we have feedback on the submission fairly soon. It’s not odd for modules to be “In-Review” for a little while before receiving any comments. If we haven’t heard in a few weeks, I can see if we can submit a status request on it to understand when we could expect comments.

v1.26.0 progress update

The Go Cryptographic Module v1.26.0 has shipped with Go 1.26.0, and can be selected using GOFIPS140=v1.26.0. It includes (unexposed, for now) ML-DSA, more GCM nonce modes (including HPKE and QUIC, also unexposed for now), and faster ML-KEM.

We completed all algorithm and functional testing, and are working on finalizing the submission of the CMVP validation report, to enter the Modules In Process list, but we are blocked on the issuance of the ESV certificate.

See below for a couple of action items.

CAVP certificate A8028 issued!

The CAVP certificate for our v1.26.0 module has been issued, and can be viewed on NIST’s website. (Warning: the page takes a while to load, because we have a lot of algorithms and a lot of OEs, for a total of 3366 rows!)

Please check that the OE descriptions match your expectations.

Note that according to updated CAVP guidance, OE names now follow the structure "{OS} on {PROCESSOR} [with/without PAA/PAI]." The hardware platform name will be listed on the Security Policy, while CMVP module pages on NIST's website don't list the OEs at all anymore.

Security Policy text draft

We uploaded the draft of the v1.26.0 Security Policy text to the shared folder. Note that this is the custom text which will later be joined with the tabular data, not the complete Security Policy.

Please review the text and let us know of any comments within the next two weeks.

The main changes are the descriptions of the new GCM nonce modes, and the updated entropy section.

ESV

We just received comments from NIST on our ESV submission, which is a blocker for the v1.26.0 CMVP submission.

Unfortunately, it looks like the lab did not request data from us that might be required to justify the over-sampling rate (OSR) under the new CPU Jitter heuristic test procedures. These procedures don't appear to be publicly documented, so we're relying on the lab's guidance.

We are working with the lab to find a solution that does not require collecting that data from every Operating Environment.

ML-DSA API

FYI, we have proposed introducing an ML-DSA package in the Go standard library in Go 1.27, exposing the implementation in the v1.26.0 FIPS 140-3 module.

Let us know if you have any comments by responding here or on the issue.

FIPS 140-3 validations for other non-C libraries

In the latest excellent episode of Security Cryptography Whatever about the issues that pyca/cryptography is having with OpenSSL, there was a nice brief conversation on how our work on obtaining a FIPS 140-3 validation for Go might serve as a model for other non-C (and non-JVM [Ed.]) cryptography libraries.

Geomys is focused on the Go ecosystem, but we’d be happy to help get such an effort set up. If you’re interested in specific libraries or ecosystems, let us know and we will try to pass it on to the right maintainer teams.

