--- title: "FIPS Crypto Algorithms FAQ (AES, SHA, Signatures, PQC)" canonical_url: "https://www.sorena.io/artifacts/global/fips-crypto-algorithms/faq" source_url: "https://www.sorena.io/artifacts/global/fips-crypto-algorithms/faq" author: "Sorena AI" description: "FAQ for FIPS crypto adoption: AES, SHA-2 and SHA-3, digital signatures, post-quantum standards." published_at: "2026-03-04" updated_at: "2026-03-04" keywords: - "FIPS crypto algorithms FAQ" - "FIPS approved algorithms FAQ" - "AES FIPS 197 FAQ" - "SHA-2 FIPS 180-4 FAQ" - "SHA-3 FIPS 202 FAQ" - "FIPS 186-5 FAQ" - "FIPS 203 204 205 FAQ" - "post-quantum cryptography FIPS FAQ" - "FIPS 140-3 evidence" - "GLOBAL compliance" - "FIPS crypto" - "FAQ" - "AES" - "SHA" - "PQC" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # FIPS Crypto Algorithms FAQ (AES, SHA, Signatures, PQC) FAQ for FIPS crypto adoption: AES, SHA-2 and SHA-3, digital signatures, post-quantum standards. *FAQ* *GLOBAL* ## FIPS Crypto Algorithms FAQ Common questions about adopting FIPS crypto standards in real products and protocols. Focused on practical selection, interoperability, and evidence, not generic crypto summaries. This FAQ is implementation guidance, not legal advice. Validate final decisions against NIST primary sources and the assurance scheme you are targeting. ## Do FIPS publications validate my implementation automatically? No. FIPS publications define standards and algorithms. They do not automatically validate a product implementation. In assurance contexts, the real question is whether you implement the algorithm correctly, constrain it safely, and can prove that with documentation, tests, and operational evidence. ## Does FIPS 197 tell me which AES mode to use? No. FIPS 197 defines AES itself. The standard says AES shall be used with a FIPS-approved or NIST-recommended mode of operation. That means the secure design choice is the whole bundle: AES plus mode plus IV or nonce rules plus key management plus error handling. ## What is the difference between FIPS 180-4 and FIPS 202? FIPS 180-4 specifies the Secure Hash Standard and includes SHA-1 and the SHA-2 family. FIPS 202 specifies SHA-3 and the XOFs SHAKE128 and SHAKE256. FIPS 202 explicitly says SHA-3 supplements FIPS 180-4 and that the two standards together provide resilience because they use fundamentally different design principles. ## Are SHAKE128 and SHAKE256 just hash functions? No. In FIPS 202 they are approved XOFs, not approved hash functions in the general sense. Their approved uses are specified in NIST Special Publications. That distinction matters because XOF output length is variable, which creates parameter and interoperability obligations that fixed-output hashes do not have. ## What changed in FIPS 186-5 compared with older DSS guidance? FIPS 186-5 is broader and more modern. It covers RSA signatures through RFC 8017, specifies ECDSA, approves deterministic ECDSA, and approves EdDSA with additional requirements. It also no longer approves DSA for new signature generation, although DSA may still be used to verify signatures generated before the new standard took effect. ## What do FIPS 203, 204, and 205 do? FIPS 203 specifies ML-KEM for post-quantum key establishment. FIPS 204 specifies ML-DSA for post-quantum digital signatures. FIPS 205 specifies SLH-DSA for stateless hash-based digital signatures. All three were published on 13 August 2024 and should be treated as part of a crypto-agility and migration program, not as isolated algorithm swaps. ## Do we need FIPS 140-3 to use FIPS algorithms? No. You can implement FIPS algorithms without pursuing FIPS 140-3 module validation. But if you do pursue FIPS 140-3, the algorithm choices have to line up with the module boundary, services mapping, approved mode behavior, self-tests, and documentation. ## What evidence should we retain as a minimum useful pack? Keep enough evidence to answer four questions quickly: where crypto is used, which algorithms and parameters are allowed, how misuse is prevented, and how changes are controlled. In practice that means a crypto inventory, configuration manifests, verification artifacts, key-management evidence, and change-control history. *Recommended next step* *Placement: after the FAQ section* ## Use FIPS Crypto Algorithms FAQ as a cited research workflow Research Copilot can take FIPS Crypto Algorithms FAQ from cited answers to recurring questions on this topic to a reusable workflow inside Sorena. Teams working on FIPS Crypto Algorithms can keep owners, evidence, and next steps aligned without copying this guide into separate documents. - [Open Research Copilot for FIPS Crypto Algorithms FAQ](/solutions/research-copilot.md): Start from FIPS Crypto Algorithms FAQ and answer scope, timing, and interpretation questions with cited outputs. - [Talk through FIPS Crypto Algorithms](/contact.md): Review your current process, evidence gaps, and next steps for FIPS Crypto Algorithms FAQ. ## Primary sources - [FIPS 197 upd1: Advanced Encryption Standard (AES)](https://doi.org/10.6028/NIST.FIPS.197-upd1?ref=sorena.io) - Primary AES reference. - [FIPS 180-4 (Secure Hash Standard)](https://doi.org/10.6028/NIST.FIPS.180-4?ref=sorena.io) - Primary SHA-2 family reference. - [FIPS 202 (SHA-3 Standard)](https://doi.org/10.6028/NIST.FIPS.202?ref=sorena.io) - Primary SHA-3 and SHAKE reference. - [FIPS 186-5 (Digital Signature Standard)](https://doi.org/10.6028/NIST.FIPS.186-5?ref=sorena.io) - Primary signature-standard reference. - [FIPS 203 (ML-KEM)](https://doi.org/10.6028/NIST.FIPS.203?ref=sorena.io) - Primary post-quantum key-establishment reference. - [FIPS 140-3 (Security Requirements for Cryptographic Modules)](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf?ref=sorena.io) - Context for algorithm use inside validated modules. ## Related Topic Guides - [AES (FIPS 197) - How to Use AES Safely](/artifacts/global/fips-crypto-algorithms/aes-fips-197.md): Advanced implementation guide for AES under FIPS 197 upd1: AES-128, AES-192, AES-256, approved modes. - [Digital Signatures (FIPS 186-5 DSS and FIPS 204 ML-DSA)](/artifacts/global/fips-crypto-algorithms/digital-signatures-fips-186-5-and-fips-204.md): Advanced guide to FIPS digital signatures: RSA, ECDSA, deterministic ECDSA, EdDSA, and post-quantum ML-DSA. - [Post-Quantum Cryptography (FIPS 203, 204, 205) - Migration Guide](/artifacts/global/fips-crypto-algorithms/post-quantum-fips-203-204-205.md): Practical post-quantum cryptography migration guidance grounded in FIPS 203, FIPS 204, and FIPS 205. - [Secure Hash (FIPS 180-4 SHA-2, FIPS 202 SHA-3, SHAKE)](/artifacts/global/fips-crypto-algorithms/secure-hash-fips-180-4-and-fips-202.md): Deep guide to FIPS secure hash standards: SHA-2 under FIPS 180-4 and SHA-3 plus SHAKE under FIPS 202. Learn digest selection, XOF rules, and evidence strategy. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/global/fips-crypto-algorithms/faq