ACVP-Server icon indicating copy to clipboard operation
ACVP-Server copied to clipboard
verified publisher icon usnistgov

KAS-ECC-SSC AFT sample vectors missing information

Open jms111111 opened this issue 7 months ago • 5 comments

environment Demo

testSessionId 615055

vsId 3126459

Expected behavior Sample test expected results which allow for verification of AFT tests.

Additional context I want to generate expected results for a sample test vector of KAS ECC SSC ephemeralUnified Sp800-56Ar3. For the AFT tests, the server provides the server public key and expects to receive the IUT public and z. The sample expected results provide a precalculated IUT public and the expected z, but without a corresponding IUT private, there is no way to generate a corresponding z. 

In order for sample expected results to be viable, it seems it would have to include the IUT private, which would deviate from the specified response structure, so I guessed that was why it wasn't included, but I wanted to check if there was a way around this / a way to get sample AFT vectors, or if this was just a limitation we would have to work around. Any insight would be appreciated!

Josh

jms111111 avatar May 15 '25 15:05 jms111111

Hi was hoping to get some eyes on this, if anyone has any ideas

jms111111 avatar Jun 03 '25 15:06 jms111111

Sorry we haven't gotten back to you before now. @jbrock24 should have a chance to take a look at this sometime in the next week.

Best,

Ben

livebe01 avatar Jun 03 '25 18:06 livebe01

Hi @jms111111, I believe the answers lie within SP800-56Ar3's section 6, Key Agreement Schemes. Within the sample json files, test group 2 is AFT and is using the fullMQV scheme with the role of responder (PartyV). In Table 8 we see that FullMQV is a Catetory/SubCat C(2e)/C(2e, 2s) scheme.

Section 6.1.1 defines the category for this test group:

For these schemes, each party (U and
V) contributes a static key pair and generates an ephemeral key pair during the key-
agreement process. All key pairs shall be generated using the same domain parameters. Party
U and party V obtain each other’s static public keys, which have been generated prior to the
key-establishment process. Both parties generate ephemeral private/public key pairs and
exchange the ephemeral public keys. Using the static and ephemeral keys, both parties
generate a shared secret. The secret keying material is derived from the shared secret.

Json example test case:

{
          "staticPublicServerX": "009E129CF7A8F1A469124550FFC4C9EB871B049419EE41DDF378A5A4DA2C",
          "staticPublicServerY": "00274703DB60AC682C479135FA28CFA9C8F38F8E6B05543805675F3B1AA3",
          "ephemeralPublicServerX": "0128424840393DB6DBF44C71857E3E67E60A6D88B4355580F09A4BF45E3C",
          "ephemeralPublicServerY": "018387ADFB390569BAF0DA898054806460E431C9A6DB9FC6C107958B7E90",
          "tcId": 6
        },

You can see the response file from the IUT should be the same, but providing the Z. We then calculate the Z from the provided data.

     "tests": [
        {
          "staticPublicIutX": "014DC09001AB9C8C10FD847BDB4BD56D4F6A9A38F28F3C2BB7726A76CEBD",
          "staticPublicIutY": "000F4DE4C4AEF8D56BE1453E8D29FF905913C60344CE8B34D53D25F4D68B",
          "ephemeralPublicIutX": "00445C65A2B16CD40092265C0CE22AE8EA44BB1C0F858CE3FB59239D24F6",
          "ephemeralPublicIutY": "01EE251DEDC7B9613D541566BCE7F8A5D56E6A236E770106FF81616C04D5",
          "tcId": 6,
          "z": "01156CA0A23E7D095A7BFB37AAB7E005C10AEE91E78EF0B6AB8B4DA02753"
        },

For Test Group 3, it's now the initiator (PartyU) and using the staticUnified scheme. Based on the Table 8, that is a Catetory/SubCat C(0e)/C(0e, 2s).

As stated in section 6.3:

In this category, the parties use only static key pairs. Each party obtains the other party’s
static public key.

Json example test case:

      "tests": [
        {
          "staticPublicServerX": "0034F4912B8C45267CFE65342863CB00891FB9FDB28BEB4A4DD68F5BBA3731804218F183",
          "staticPublicServerY": "00CF8D441CCDC76CD0D2736AF84A1717C022E87BCEFBB47E5F6C92407918DE026C6E4E4D",
          "tcId": 11
        },

The Results for test group 3 are also providing just the static as expected, but the Z for Validation.

      "tests": [
        {
          "staticPublicIutX": "00C9EBCE9D3A8EAC9A19E9D5DFDA825C70503E2F5F23827AA509824B2CA92CDBE99E8BC3",
          "staticPublicIutY": "038C600451DAA3E6E8A3CF7B7F1939C56B5B6EBA31AC74AE150327D5E6569DEAD728FB35",
          "tcId": 11,
          "z": "025D51B786F0BB63CAA5598E05EDF1C0CAB4594CA05D2687DD06CA28C3A349AA6F1FD55C"
        },

Basically, what you need to compute the value of Z is provided, all the calculations for generating Z are provided within the different schemes listed in the documentation.

If you have any questions or concerns please let me know.

Thanks!

jbrock24 avatar Aug 19 '25 14:08 jbrock24

@jbrock24 Thanks for getting back to me, I think I'm still missing something in my understanding. I'm using C(2e, 0s) with the ephemeral unified model, but I believe the concepts should translate.

In the vectors you are posting, the demo server is generating z from the received public and its own private. The z can't exist until both parts of the pair are available, which means in the case of a sample test, the whole key pair must be provided in order for the z to be calculated from the start. The IUT key pair isn't known at the time of sample answer generation, so there isn't a way for the IUT to reach the calculated z unless its given both its own private and the server public as constants within the sample answers.

jms111111 avatar Aug 19 '25 23:08 jms111111

Hi @jms111111 - So for this situation, we can send you the InternalProjection.json files which include everything for specific runs, but if something is required long-term for this, or more than on rare occasions, we can figure something else out. Thanks for the reply, apologies for the response time. If you have any other questions, please let me know, otherwise, close at your convenience. Thanks!

jbrock24 avatar Aug 29 '25 19:08 jbrock24