Request for recommendation of the advertisement JSON for ECDH key agreement test

[RoyHSYoo]

Protocol Section Is your question regarding a specific section of the protocol? You can link it here.

Just click on the table of contents in the question area of the protocol to get a URL directly to that section.

Examples: https://pages.nist.gov/ACVP/#how-to-use-metanorma https://pages.nist.gov/ACVP/draft-celi-acvp-symmetric.html#name-aes-requirements-covered

Protocol Question What is your question?

Hello,

I'm preparing to test ECDH key agreement through ACVP. Currently I am studying on the documents on this github page to follow up the guide. Because there are so many supported algorithms & modes, thus I struggled to find the fit to our purpose. Can you suggest the proper advertisement JSON example for the below scenario?

• Scenario
  1. The target "T" will perform ECDH key agreement. The curve is P-256.
  2. The tester generates EC key pair "ECK_1" on the other side of "T".
  3. "T" generates EC key pair "ECK_2" in itself as black-box. The private key of "ECK_2" is not exposure to the out side.
  4. The tester provides the public key of "ECK_1" to "T".
  5. "T" performs ECDH key agreement using those keys. Zab is generated as the result of.
  6. The tester performs ECDH key agreement using its own private key and the public key of "ECK_2". There is also Zab generated.
  7. Compare 2 Zab

[Kritner]

KAS-ECC-SSC testing against the "ephemeral unified" scheme sounds like what you're describing. This tests when two parties generate keys upon request to compute a shared secret of z.

[RoyHSYoo]

Thank you. I will try. By the way, i have more questions.

1. Can you explain the detail of each ECC Scheme?

   • ephemeralUnified - keyConfirmation not supported
   • fullMqv
   • fullUnified
   • onePassDh - Can only provide unilateral key confirmation party V to party U.
   • onePassMqv
   • onePassUnified
   • staticUnified

2. In case of "noKdfNoKc" parameter, "hashAlg" is required. But in my understanding, hash algorithm is used for KDF. What is the purpose of "hashAlg" in "noKdfNoKc"? -> [Edited] Never mind this one. I confused to "KCC-ECC" instead of "KCC-ECC-SSC".

3. Even though there are two members in "kasRole", the expected behavior of IUT looks the same for those. Is there any difference in terms of IUT?

[Kritner]

The details of each scheme are describe in the SP, the gist is each scheme uses:

• different requirements for keypairs from each party (static/ephemeral) or ephemeral data (like nonces)
• a different shared secret primitive (DH or MQP)

Even though there are two members in "kasRole", the expected behavior of IUT looks the same for those. Is there any difference in terms of IUT?

There may be no difference in initiator/responder in some cases, for some schemes, for SSC.