New algorithm specification - KAS-ECC-SSC SP800-56Ar3

usnistgov / ACVP

Industry Working Group on Automated Cryptographic Algorithm Validation

https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program

170 stars 66 forks source link

New algorithm specification - KAS-ECC-SSC SP800-56Ar3 #890

Closed Kritner closed 4 years ago

Kritner commented 4 years ago

KAS-ECC-SSC will be introduced on demo in the coming weeks; SSC being "shared secret computation".

This new algorithm will encompass testing of the DH/MQV primitives against the defined KAS-ECC schemes from SP800-56Ar3.

The registrations will look very similar to the full KAS registrations albeit smaller. The registration will be made up of:

Schemes to test
Roles to test per scheme
Domain parameter generation methods (ECC curves)
an optional hashFunctionZ to accommodate clients with the inability to return z in the clear.

An example registration:

{
  "algorithm": "KAS-ECC-SSC",
  "revision": "Sp800-56Ar3",
  "scheme": {
    "fullMqv": {
      "kasRole": [
        "initiator",
        "responder"
      ]
    },
    "staticUnified": {
      "kasRole": [
        "initiator",
        "responder"
      ]
    }
  },
  "domainParameterGenerationMethods": [
    "K-233"
  ],
  "hashFunctionZ": "SHA3-512"
}

smuellerDD commented 4 years ago

testvectors obtained successfully

smuellerDD commented 4 years ago

Test successfully performed with OpenSSL and P-256, P-384, P521, with and without hashing. Just like with FFC, the VAL testing contains only two expected errors, but many more passes.

smuellerDD commented 4 years ago

I have successful tests with the Linux kernel, NSS, GnuTLS and OpenSSL.

gx2955 commented 3 years ago

Hi, my registration is {"algorithms":[ { "algorithm":"KAS-ECC-SSC", "revision":"Sp800-56Ar3", "scheme":{ "ephemeralUnified":{ "kasRole":[ "initiator", "responder" ] } }, "domainParameterGenerationMethods":[ "P-256", "P-384", "P-521" ]}]}

where I do not include "hashFunctionZ" since I can have z return. However, it seems I always get a 256 bytes shared secret(z) in return from ACVP. Same thing in KAS-FFC-SSC. Is this size fixed? I do not find the SP800 56Ar3 talks about the size of z, and I am not able to conclude this from the mathematical expression.

Kritner commented 3 years ago

Do you have a vector set ID and environment you can share so I can take a look?

gx2955 commented 3 years ago

Hi, @Kritner

One example VSID is 413355.

smuellerDD commented 3 years ago

Am Donnerstag, dem 17.12.2020 um 14:15 -0800 schrieb GX-Joe:

where I do not include "hashFunctionZ" since I can have z return. However, it seems I always get a 256 bytes shared secret(z) in return from ACVP. Same thing in KAS-FFC-SSC. Is this size fixed? I do not find the SP800 56Ar3 talks about the size of z, and I am not able to conclude this from the mathematical expression.

The size is defined by P-256: the scalar multiplication returns a 256 bit value.

Kritner commented 3 years ago

As @smuellerDD pointed out, the length of z is based on the security strength of the domain parameters being used.

gx2955 commented 3 years ago

Hi, @smuellerDD and @Kritner

Sorry for late reply, thank you very much! After some checking, it is caused by P-256.