idnits 2.17.00 (12 Aug 2021)

/tmp/idnits44658/draft-irtf-cfrg-cpace-05.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  -- The document date (14 January 2022) is 120 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Missing Reference: 'CI' is mentioned on line 436, but not defined

  == Missing Reference: 'ADa' is mentioned on line 440, but not defined

  == Missing Reference: 'ADb' is mentioned on line 442, but not defined

  == Missing Reference: '-1' is mentioned on line 1320, but not defined

  == Outdated reference: A later version (-03) exists of
     draft-irtf-cfrg-ristretto255-decaf448-01

  == Outdated reference: A later version (-14) exists of
     draft-irtf-cfrg-hash-to-curve-13

  -- Obsolete informational reference (is this intentional?): RFC 5246
     (Obsoleted by RFC 8446)

     Summary: 0 errors (**), 0 flaws (~~), 6 warnings (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                         M. Abdalla
Internet-Draft                                         DFINITY - Zurich
Intended status: Informational                                 B. Haase
Expires: 18 July 2022       Endress + Hauser Liquid Analysis - Gerlingen
                                                               J. Hesse
                                             IBM Research Europe - Zurich
                                                         14 January 2022


                    CPace, a balanced composable PAKE
                        draft-irtf-cfrg-cpace-05

Abstract

   This document describes CPace, a protocol for two parties that share
   a low-entropy secret (password) to derive a strong shared key without
   disclosing the secret to offline dictionary attacks.  This method was
   tailored for constrained devices, is compatible with any group of
   both prime and non-prime order, and comes with a security proof
   providing composability guarantees.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Crypto Forum Research
   Group mailing list (cfrg@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/search/?email_list=cfrg.

   Source for this draft and an issue tracker can be found at
   https://github.com/cfrg/draft-irtf-cfrg-cpace.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 18 July 2022.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Notation
   3.  Definition CPace
     3.1.  Setup
       3.1.1.  Hash function H
       3.1.2.  Group environment G
     3.2.  Inputs
     3.3.  Notation
       3.3.1.  Notation for group operations
   4.  The CPace protocol
     4.1.  Session identifier establishment
     4.2.  Protocol flow
     4.3.  CPace protocol instructions
   5.  CPace cipher suites
   6.  Implementation of recommended CPace cipher suites
     6.1.  Common function for computing generators
     6.2.  CPace group objects G_X25519 and G_X448 for single-coordinate
           Ladders on Montgomery curves
       6.2.1.  Verification tests
     6.3.  CPace group objects G_Ristretto255 and G_Decaf448 for
           prime-order group abstractions
       6.3.1.  Verification tests
     6.4.  CPace group objects for curves in Short-Weierstrass
           representation
       6.4.1.  Curves and associated functions
       6.4.2.  Suitable encode_to_curve methods
       6.4.3.  Definition of the group environment G for
               Short-Weierstrass curves
       6.4.4.  Verification tests
   7.  Implementation verification
   8.  Security Considerations
     8.1.  Party identifiers and relay attacks
     8.2.  Hashing and key derivation
     8.3.  Key confirmation
     8.4.  Sampling of scalars
     8.5.  Single-coordinate CPace on Montgomery curves
     8.6.  Nonce values
     8.7.  Side channel attacks
     8.8.  Quantum computers
   9.  IANA Considerations
   10. Acknowledgements
   11. References
     11.1.  Normative References
     11.2.  Informative References
   Appendix A.  CPace function definitions
     A.1.  Definition and test vectors for string utility functions
       A.1.1.  prepend_len function
       A.1.2.  prepend_len test vectors
       A.1.3.  prefix_free_cat function
       A.1.4.  Test vector for prefix_free_cat()
       A.1.5.  Examples for invalid encoded messages
     A.2.  Definition of generator_string function
     A.3.  Definitions and test vector ordered concatenation
       A.3.1.  Definitions for lexicographical ordering
       A.3.2.  Definitions for ordered concatenation
       A.3.3.  Test vectors ordered concatenation
     A.4.  Decoding and Encoding functions according to RFC7748
     A.5.  Elligator 2 reference implementation
   Appendix B.  Test vectors
     B.1.  Test vector for CPace using group X25519 and hash SHA-512
       B.1.1.  Test vectors for calculate_generator with group X25519
       B.1.2.  Test vector for MSGa
       B.1.3.  Test vector for MSGb
       B.1.4.  Test vector for secret points K
       B.1.5.  Test vector for ISK calculation initiator/responder
       B.1.6.  Test vector for ISK calculation parallel execution
       B.1.7.  Corresponding ANSI-C initializers
       B.1.8.  Test vectors for G_X25519.scalar_mult_vfy: low order
               points
     B.2.  Test vector for CPace using group X448 and hash SHAKE-256
       B.2.1.  Test vectors for calculate_generator with group X448
       B.2.2.  Test vector for MSGa
       B.2.3.  Test vector for MSGb
       B.2.4.  Test vector for secret points K
       B.2.5.  Test vector for ISK calculation initiator/responder
       B.2.6.  Test vector for ISK calculation parallel execution
       B.2.7.  Corresponding ANSI-C initializers
       B.2.8.  Test vectors for G_X448.scalar_mult_vfy: low order points
     B.3.  Test vector for CPace using group ristretto255 and hash
           SHA-512
       B.3.1.  Test vectors for calculate_generator with group
               ristretto255
       B.3.2.  Test vector for MSGa
       B.3.3.  Test vector for MSGb
       B.3.4.  Test vector for secret points K
       B.3.5.  Test vector for ISK calculation initiator/responder
       B.3.6.  Test vector for ISK calculation parallel execution
       B.3.7.  Corresponding ANSI-C initializers
       B.3.8.  Test case for scalar_mult with valid inputs
       B.3.9.  Invalid inputs for scalar_mult_vfy
     B.4.  Test vector for CPace using group decaf448 and hash SHAKE-256
       B.4.1.  Test vectors for calculate_generator with group decaf448
       B.4.2.  Test vector for MSGa
       B.4.3.  Test vector for MSGb
       B.4.4.  Test vector for secret points K
       B.4.5.  Test vector for ISK calculation initiator/responder
       B.4.6.  Test vector for ISK calculation parallel execution
       B.4.7.  Corresponding ANSI-C initializers
       B.4.8.  Test case for scalar_mult with valid inputs
       B.4.9.  Invalid inputs for scalar_mult_vfy
     B.5.  Test vector for CPace using group NIST P-256 and hash SHA-256
       B.5.1.  Test vectors for calculate_generator with group NIST
               P-256
       B.5.2.  Test vector for MSGa
       B.5.3.  Test vector for MSGb
       B.5.4.  Test vector for secret points K
       B.5.5.  Test vector for ISK calculation initiator/responder
       B.5.6.  Test vector for ISK calculation parallel execution
       B.5.7.  Corresponding ANSI-C initializers
       B.5.8.  Test case for scalar_mult_vfy with correct inputs
       B.5.9.  Invalid inputs for scalar_mult_vfy
     B.6.  Test vector for CPace using group NIST P-384 and hash SHA-384
       B.6.1.  Test vectors for calculate_generator with group NIST
               P-384
       B.6.2.  Test vector for MSGa
       B.6.3.  Test vector for MSGb
       B.6.4.  Test vector for secret points K
       B.6.5.  Test vector for ISK calculation initiator/responder
       B.6.6.  Test vector for ISK calculation parallel execution
       B.6.7.  Corresponding ANSI-C initializers
       B.6.8.  Test case for scalar_mult_vfy with correct inputs
       B.6.9.  Invalid inputs for scalar_mult_vfy
     B.7.  Test vector for CPace using group NIST P-521 and hash SHA-512
       B.7.1.  Test vectors for calculate_generator with group NIST
               P-521
       B.7.2.  Test vector for MSGa
       B.7.3.  Test vector for MSGb
       B.7.4.  Test vector for secret points K
       B.7.5.  Test vector for ISK calculation initiator/responder
       B.7.6.  Test vector for ISK calculation parallel execution
       B.7.7.  Corresponding ANSI-C initializers
       B.7.8.  Test case for scalar_mult_vfy with correct inputs
       B.7.9.  Invalid inputs for scalar_mult_vfy
   Authors' Addresses

1.  Introduction

   This document describes CPace, a protocol for two parties to derive a
   strong shared secret from a shared low-entropy secret (password)
   without exposing the secret to offline dictionary attacks.  The CPace
   design was tailored for efficiency on constrained devices such as
   secure-element chipsets and considers mitigations with respect to
   adversaries that might become capable of breaking the discrete
   logarithm problem on elliptic curves by means of quantum computers.
   CPace comes with both game-based and simulation-based proofs, where
   the latter provide composability guarantees that let CPace run
   securely in concurrent settings.

2.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Definition CPace

3.1.  Setup

   For CPace both communication partners need to agree on a common
   cipher suite.  Cipher suites consist of a combination of a hash
   function H and an elliptic curve environment G.  We assume both G and
   H to come with associated constants and functions as detailed below.
   To access these we use an object-style notation such as, e.g.,
   H.b_in_bytes and G.sample_scalar().

3.1.1.  Hash function H

   With H we denote a hash function.  Common choices for H are SHA-512
   [RFC6234] or SHAKE-256 [FIPS202].  (I.e. the hash function outputs
   octet strings, and not group elements.)  To cover both variable-
   output-length hashes and fixed-length-output hashes, we use the
   following convention.  In case the hash function is specified for a
   fixed-size output, we define H.hash(m,l) such that it returns the
   first l octets of the output.

   We use the following notation for referring to the specific
   properties of a hash function H:

   *  H.hash(m,l) is a function that operates on an input octet string m
      and returns a hashing result of l octets.

   *  H.b_in_bytes denotes the default output size in bytes
      corresponding to the symmetric security level of the hash
      function.  E.g. H.b_in_bytes = 64 for SHA-512 and SHAKE-256 and
      H.b_in_bytes = 32 for SHA-256 and SHAKE-128.  We use the notation
      H.hash(m) = H.hash(m, H.b_in_bytes) and let the hash operation
      output the default length if no explicit length parameter is
      given.

   *  H.bmax_in_bytes denotes the _maximum_ output size in octets
      supported by the hash function.  In case of fixed-size hashes such
      as SHA-256, this is the same as H.b_in_bytes, while there is no
      such limit for hash functions such as SHAKE-256.

   *  H.s_in_bytes denotes the _input block size_ used by H.  For
      instance, for SHA-512 the input block size s_in_bytes is 128,
      while for SHAKE-256 the input block size amounts to 136 bytes.

3.1.2.  Group environment G

   The group environment G specifies an elliptic curve group (also
   denoted G for convenience) and associated constants and functions as
   detailed below.  In this document we use multiplicative notation for
   the group operation.

   *  G.calculate_generator(H,PRS,CI,sid) denotes a function that
      outputs a representation of a generator (referred to as
      "generator" from now on) of the group which is derived from input
      octet strings PRS, CI, and sid with the help of the hash
      function H.

   *  G.sample_scalar() is a function returning a representation of a
      scalar (referred to as "scalar" from now on) appropriate as a
      private Diffie-Hellman key for the group.

   *  G.scalar_mult(y,g) is a function operating on a scalar y and a
      group element g.  It returns an octet string representation of the
      group element Y = g^y.

   *  G.I denotes a unique octet string representation of the neutral
      element of the group.  G.I is used for detecting and signaling
      certain error conditions.

   *  G.scalar_mult_vfy(y,g) is a function operating on a scalar y and a
      group element g.  It returns an octet string representation of the
      group element g^y.  Additionally, scalar_mult_vfy specifies
      validity conditions for y, g and g^y and outputs G.I in case they
      are not met.

   *  G.DSI denotes a domain-separation identifier string which SHALL
      uniquely identify the group environment G.

3.2.  Inputs

   *  PRS denotes a password-related octet string which is a MANDATORY
      input for all CPace instantiations and needs to be available to
      both parties.  Typically PRS is derived from a low-entropy secret
      such as a user-supplied password (pw) or a personal identification
      number, e.g. by use of a password-based key derivation function
      PRS = PBKDF(pw).

   *  CI denotes an OPTIONAL octet string identifying a communication
      channel that needs to be available to both parties.  CI can be
      used for binding a CPace execution to one specific channel.
      Typically CI is obtained by concatenating strings that uniquely
      identify the protocol partners' identities, such as their
      networking addresses.
   *  sid denotes an OPTIONAL octet string serving as session identifier
      that needs to be available to both parties.  In application
      scenarios where a higher-level protocol has established a unique
      sid value, this parameter can be used to ensure strong
      composability guarantees of CPace, and to bind a CPace execution
      to the application.

   *  ADa and ADb denote OPTIONAL octet strings containing arbitrary
      associated data, each available to one of the parties.  They are
      not required to be equal, and are publicly transmitted as part of
      the protocol flow.  ADa and ADb can for instance include party
      identifiers or protocol version information (to avoid, e.g.,
      downgrade attacks).  In a setting with initiator and responder
      roles, the information ADa sent by the initiator can be used by
      the responder for identifying which among possibly several
      different PRS to use for the CPace session.

3.3.  Notation

   *  bytes1 || bytes2 denotes concatenation of octet strings.

   *  oCat(bytes1,bytes2) denotes ordered concatenation of octet
      strings, which places the lexicographically larger octet string
      first.  (Explicit code for this function is given in the
      appendix.)

   *  concat(MSGa,MSGb) denotes a concatenation method that allows both
      parties to concatenate CPace's protocol messages in the same way.
      In applications where CPace is used without clear initiator and
      responder roles, i.e. where the ordering of messages is not
      enforced by the protocol flow, concat(MSGa,MSGb) = oCat(MSGa,MSGb)
      SHALL be used.  In settings where the protocol flow enforces
      ordering, concat(MSGa,MSGb) SHOULD be implemented such that the
      later message is appended to the earlier message, i.e.,
      concat(MSGa,MSGb) = MSGa||MSGb if MSGa is sent first.

   *  len(S) denotes the number of octets in a string S.

   *  nil denotes an empty octet string, i.e., len(nil) = 0.

   *  prepend_len(octet_string) denotes the octet sequence that is
      obtained from prepending the length of the octet string to the
      string itself.  The length shall be prepended using an LEB128
      encoding of the length.  This results in a single-byte encoding
      for values below 128.  (Test vectors and reference
      implementations are given in the appendix.)

   *  prefix_free_cat(a0,a1, ...) denotes a function that outputs the
      prefix-free encoding of all input octet strings as the
      concatenation of the individual strings with their respective
      length prepended: prepend_len(a0) || prepend_len(a1) || ... .  Such
      prefix-free encoding of multiple substrings allows for parsing
      individual subcomponents of a network message.  (Test vectors and
      reference implementations are given in the appendix.)

   *  sample_random_bytes(n) denotes a function that returns n octets
      uniformly distributed between 0 and 255.

   *  zero_bytes(n) denotes a function that returns n octets with value
      0.

3.3.1.  Notation for group operations

   We use multiplicative notation for the group, i.e., X^2 denotes the
   element that is obtained by computing X*X, for group element X and
   group operation *.

4.  The CPace protocol

   CPace is a one-round protocol between two parties, A and B.  At
   invocation, A and B are provisioned with PRS,G,H and OPTIONAL public
   CI,sid,ADa (for A) and CI,sid,ADb (for B).  A sends a message MSGa to
   B.  MSGa contains the public share Ya and OPTIONAL associated data
   ADa (i.e. an ADa field that MAY have a length of 0 bytes).  Likewise,
   B sends a message MSGb to A.  MSGb contains the public share Yb and
   OPTIONAL associated data ADb (i.e. an ADb field that MAY have a
   length of 0 bytes).  Both A and B use the received messages for
   deriving a shared intermediate session key, ISK.
   Naming this key an "intermediate" session key highlights the fact
   that it is RECOMMENDED to process ISK by use of a suitable strong key
   derivation function KDF (such as defined in [RFC5869]) first, before
   using the key in a higher-level protocol.

4.1.  Session identifier establishment

   It is RECOMMENDED to establish a unique session identifier sid in the
   course of the higher-level protocol that invokes CPace, by
   concatenating random bytes produced by A with random bytes produced
   by B.  In settings where such establishment is not an option, we can
   let initiator A choose a fresh random sid and send it to B together
   with the first message.  This method works whenever the message
   produced by party A comes first.

   The sid string SHOULD have a length of at least 8 bytes and it MAY
   also be the empty string, nil.  I.e., use of the sid string is
   OPTIONAL.

4.2.  Protocol flow

   Optional parameters and messages are denoted with [].

   public:          G, H, [CI], [sid]

     A: PRS,[ADa]                      B: PRS,[ADb]
     ---------------------------------------
     compute Ya  |    Ya, [ADa]      |  compute Yb
                 |------------------>|
                 |    Yb, [ADb]      |
                 |<------------------|
     verify data |                   |  verify data
     derive ISK  |                   |  derive ISK
     ---------------------------------------
     output ISK                          output ISK

4.3.  CPace protocol instructions

   A computes a generator g = G.calculate_generator(H,PRS,CI,sid),
   scalar ya = G.sample_scalar() and group element Ya =
   G.scalar_mult(ya,g).  A then transmits MSGa = prefix_free_cat(Ya,
   ADa) with optional associated data ADa to B.  ADa MAY have length
   zero.

   B computes a generator g = G.calculate_generator(H,PRS,CI,sid),
   scalar yb = G.sample_scalar() and group element Yb =
   G.scalar_mult(yb,g).  B sends MSGb = prefix_free_cat(Yb, ADb) to A.

   Note that as prefix_free_cat prepends the respective lengths of the
   input fields, the receivers can parse MSGa and MSGb for
   subcomponents.

   Upon reception of MSGa, B checks that MSGa was properly generated by
   prefix_free_cat.  I.e. it checks that the actual length of MSGa
   matches the sum of the decoded prepended lengths for Ya and ADa.  If
   this parsing fails, then B MUST abort.  (Test vectors of examples for
   invalid messages are given in the appendix.)  B then computes K =
   G.scalar_mult_vfy(yb,Ya).  B MUST abort if K=G.I.  Otherwise B
   computes ISK = H.hash(prefix_free_cat(G.DSI || "_ISK", sid, K) ||
   concat(MSGa, MSGb)).  B returns ISK and terminates.

   Upon reception of MSGb, A parses MSGb for Yb and ADb.  I.e. it checks
   that the actual length of MSGb matches the sum of the decoded
   prepended lengths for Yb and ADb.  If this parsing fails, then A MUST
   abort.  A then computes K = G.scalar_mult_vfy(ya,Yb).  A MUST abort
   if K=G.I.  Otherwise A computes ISK = H.hash(prefix_free_cat(G.DSI ||
   "_ISK", sid, K) || concat(MSGa, MSGb)).  A returns ISK and
   terminates.

   The session key ISK returned by A and B is identical if and only if
   the supplied input parameters PRS, CI and sid match on both sides and
   the transcript views (consisting of MSGa and MSGb) of both parties
   match.

   We note that the above protocol instructions implement a parallel
   setting with no specific initiator/responder and no assumptions about
   the order in which messages arrive.  If implemented as an initiator-
   responder protocol, the responder, say B, starts with computation of
   the generator only upon reception of MSGa.

5.  CPace cipher suites

   This section documents RECOMMENDED CPace cipher suite configurations.
   Any cipher suite configuration for CPace is REQUIRED to specify

   *  A group environment G specified by

      -  Functions G.sample_scalar(), G.scalar_mult(),
         G.scalar_mult_vfy() and G.calculate_generator()

      -  A neutral element G.I

      -  A domain separation identifier string G.DSI unique for this
         cipher suite.
   *  A hash function H specified by

      -  Function H.hash()

      -  Constants H.b_in_bytes, H.bmax_in_bytes and H.s_in_bytes

   For naming cipher suites we use the convention "CPACE-G-H".
   Currently, test vectors are available for the following RECOMMENDED
   cipher suites:

   *  CPACE-X25519-SHA512.  This suite uses curve G_X25519 defined in
      Section 6.2 and SHA-512 as hash function.

   *  CPACE-X448-SHAKE256.  This suite uses curve G_X448 defined in
      Section 6.2 and SHAKE-256 as hash function.

   *  CPACE-P256_XMD:SHA-256_SSWU_NU_-SHA256.  This suite instantiates G
      as specified in Section 6.4 using the encode_to_curve function
      P256_XMD:SHA-256_SSWU_NU_ from [I-D.irtf-cfrg-hash-to-curve] on
      curve NIST-P256, and hash function SHA-256.

   *  CPACE-P384_XMD:SHA-384_SSWU_NU_-SHA384.  This suite instantiates G
      as specified in Section 6.4 using the encode_to_curve function
      P384_XMD:SHA-384_SSWU_NU_ from [I-D.irtf-cfrg-hash-to-curve] on
      curve NIST-P384 with H = SHA-384.

   *  CPACE-P521_XMD:SHA-512_SSWU_NU_-SHA512.  This suite instantiates G
      as specified in Section 6.4 using the encode_to_curve function
      P521_XMD:SHA-512_SSWU_NU_ from [I-D.irtf-cfrg-hash-to-curve] on
      curve NIST-P521 with H = SHA-512.

   *  CPACE-RISTR255-SHA512.  This suite uses G_ristretto255 defined in
      Section 6.3 and H = SHA-512.

   *  CPACE-DECAF448-SHAKE256.  This suite uses G_decaf448 defined in
      Section 6.3 and H = SHAKE-256.

   CPace can securely be implemented on further elliptic curves when
   following the guidance given in Section 8.

6.  Implementation of recommended CPace cipher suites

6.1.  Common function for computing generators

   The different cipher suites for CPace defined in the upcoming
   sections share the same method for deterministically combining the
   individual strings PRS, CI, sid and the domain-separation identifier
   DSI into a generator string, which we describe here.  Let CPACE-G-H
   denote the cipher suite.

   *  generator_string(G.DSI, PRS, CI, sid, s_in_bytes) denotes a
      function that returns the string prefix_free_cat(G.DSI, PRS,
      zero_bytes(len_zpad), CI, sid).

   *  len_zpad = MAX(0, s_in_bytes - len(prepend_len(PRS)) -
      len(prepend_len(G.DSI)) - 1)

   The zero padding of length len_zpad is designed such that the
   encoding of G.DSI and PRS together with the zero padding field
   completely fills the first input block (of length s_in_bytes) of the
   hash.  As a result the number of bytes to hash becomes independent of
   the actual length of the password (PRS).  (A reference implementation
   and test vectors are provided in the appendix.)

   The introduction of a zero-padding within the generator string also
   helps mitigate attacks by a side-channel adversary who analyzes
   correlations between publicly known variable information and the
   low-entropy PRS string.  Note that the hash of the first block is
   intentionally made independent of session-specific inputs, such as
   sid or CI.

6.2.  CPace group objects G_X25519 and G_X448 for single-coordinate
      Ladders on Montgomery curves

   In this section we consider the case of CPace when using the X25519
   and X448 Diffie-Hellman functions from [RFC7748] operating on the
   Montgomery curves Curve25519 and Curve448 [RFC7748].  CPace
   implementations using single-coordinate ladders on further Montgomery
   curves SHALL use definitions in line with the specifications for
   X25519 and X448 and review the guidance given in Section 8.
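Before turning to the concrete group objects, the string-level building blocks of Sections 3.3, 4.3 and 6.1 as an added Python example (not the draft's own reference code): prepend_len and prefix_free_cat, the receiver's length check that decides whether to abort, oCat and the ISK derivation with H = SHA-512 (the CPACE-X25519-SHA512 choice), and the zero-padded generator string. oCat assumes plain byte-wise lexicographic order, since the appendix definition is not reproduced here.

```python
import hashlib


def prepend_len(s: bytes) -> bytes:
    """prepend_len: unsigned LEB128 encoding of len(s) followed by s (one byte below 128)."""
    n = len(s)
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)          # continuation bit: more length bytes follow
        else:
            out.append(byte)
            return bytes(out) + s


def prefix_free_cat(*parts: bytes) -> bytes:
    """prefix_free_cat(a0, a1, ...) = prepend_len(a0) || prepend_len(a1) || ..."""
    return b"".join(prepend_len(p) for p in parts)


def _read_len(buf: bytes, pos: int):
    """Decode one LEB128 length starting at buf[pos]; return (length, position after it)."""
    n, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated length field")
        b = buf[pos]
        pos += 1
        n |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return n, pos


def parse_message(msg: bytes, n_fields: int = 2) -> list:
    """Split MSGa/MSGb (= prefix_free_cat(Y, AD)) into its fields.  Section 4.3: the
    receiver MUST abort when the decoded lengths do not add up to the message length."""
    pos, fields = 0, []
    for _ in range(n_fields):
        n, pos = _read_len(msg, pos)
        if pos + n > len(msg):
            raise ValueError("field length exceeds message length")
        fields.append(msg[pos:pos + n])
        pos += n
    if pos != len(msg):
        raise ValueError("trailing bytes after last field")
    return fields


def is_valid_message(msg: bytes, n_fields: int = 2) -> bool:
    """True if msg parses cleanly; False means the receiver MUST abort."""
    try:
        parse_message(msg, n_fields)
        return True
    except ValueError:
        return False


def oCat(bytes1: bytes, bytes2: bytes) -> bytes:
    """Ordered concatenation: the lexicographically larger string goes first
    (assumption: byte-wise order, a proper prefix counting as the smaller string)."""
    return bytes1 + bytes2 if bytes1 > bytes2 else bytes2 + bytes1


def len_zpad(dsi: bytes, prs: bytes, s_in_bytes: int) -> int:
    """Section 6.1.  The -1 reserves the single length byte of the padding itself
    (which holds as long as len_zpad < 128)."""
    return max(0, s_in_bytes - len(prepend_len(prs)) - len(prepend_len(dsi)) - 1)


def generator_string(dsi: bytes, prs: bytes, ci: bytes, sid: bytes, s_in_bytes: int) -> bytes:
    """generator_string(G.DSI, PRS, CI, sid, s_in_bytes): DSI, PRS and padding fill
    exactly the first hash input block; CI and sid start the second."""
    return prefix_free_cat(dsi, prs, bytes(len_zpad(dsi, prs, s_in_bytes)), ci, sid)


def derive_isk(dsi: bytes, sid: bytes, K: bytes, msg_a: bytes, msg_b: bytes,
               ordered: bool = False) -> bytes:
    """ISK = H.hash(prefix_free_cat(G.DSI || "_ISK", sid, K) || concat(MSGa, MSGb)).
    ordered=False is the parallel flow (concat = oCat), ordered=True the
    initiator/responder flow (concat = MSGa || MSGb)."""
    transcript = msg_a + msg_b if ordered else oCat(msg_a, msg_b)
    return hashlib.sha512(prefix_free_cat(dsi + b"_ISK", sid, K) + transcript).digest()
```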
   For the group environment G_X25519 the following definitions apply:

   *  G_X25519.field_size_bytes = 32

   *  G_X25519.field_size_bits = 255

   *  G_X25519.sample_scalar() = sample_random_bytes(G.field_size_bytes)

   *  G_X25519.scalar_mult(y,g) = G.scalar_mult_vfy(y,g) = X25519(y,g)

   *  G_X25519.I = zero_bytes(G.field_size_bytes)

   *  G_X25519.DSI = "CPace255"

   CPace cipher suites using G_X25519 MUST use a hash function producing
   at least H.bmax_in_bytes >= 32 bytes of output.  It is RECOMMENDED to
   use G_X25519 in combination with SHA-512.

   For X448 the following definitions apply:

   *  G_X448.field_size_bytes = 56

   *  G_X448.field_size_bits = 448

   *  G_X448.sample_scalar() = sample_random_bytes(G.field_size_bytes)

   *  G_X448.scalar_mult(y,g) = G.scalar_mult_vfy(y,g) = X448(y,g)

   *  G_X448.I = zero_bytes(G.field_size_bytes)

   *  G_X448.DSI = "CPace448"

   CPace cipher suites using G_X448 MUST use a hash function producing
   at least H.bmax_in_bytes >= 56 bytes of output.  It is RECOMMENDED to
   use G_X448 in combination with SHAKE-256.

   For both G_X448 and G_X25519 the G.calculate_generator(H,PRS,CI,sid)
   function shall be implemented as follows.

   *  First gen_str = generator_string(G.DSI,PRS,CI,sid, H.s_in_bytes)
      SHALL be calculated using the input block size of the chosen hash
      function.

   *  This string SHALL then be hashed to the required length
      gen_str_hash = H.hash(gen_str, G.field_size_bytes).  Note that
      this implies that the permissible output length H.bmax_in_bytes
      MUST be larger than or equal to the field size of the group G for
      a hash function to be suitable.

   *  This result is then considered as a field coordinate using the u =
      decodeUCoordinate(gen_str_hash, G.field_size_bits) function from
      [RFC7748], which we repeat in the appendix for convenience.

   *  The result point g is then calculated as (g,v) =
      map_to_curve_elligator2(u) using the function from
      [I-D.irtf-cfrg-hash-to-curve].  Note that the v coordinate
      produced by the map_to_curve_elligator2 function is not required
      for CPace and is discarded.  The appendix repeats the definitions
      from [I-D.irtf-cfrg-hash-to-curve] for convenience.

   In the appendix we show sage code that can be used as reference
   implementation.

6.2.1.  Verification tests

   For single-coordinate Montgomery ladders on Montgomery curves,
   verification tests according to Section 7 SHALL consider the u
   coordinate values that encode a low-order point on either the curve
   or its quadratic twist.

   In addition to that, in case of G_X25519 the tests SHALL also verify
   that the implementation of G.scalar_mult_vfy(y,g) produces the
   expected results for non-canonical u coordinate values with bit #255
   set, which also encode low-order points.

   Corresponding test vectors are provided in the appendix.

6.3.  CPace group objects G_Ristretto255 and G_Decaf448 for prime-order
      group abstractions

   In this section we consider the case of CPace using the Ristretto255
   and Decaf448 group abstractions
   [I-D.draft-irtf-cfrg-ristretto255-decaf448].  These abstractions
   define an encode and a decode function, group operations using an
   internal encoding, and a one-way map.  With the group abstractions
   there is a distinction between an internal representation of group
   elements and an external encoding of the same group element.  In
   order to distinguish between these different representations, we
   prepend an underscore before values using the internal representation
   within this section.
   For Ristretto255 the following definitions apply:

   *  G_Ristretto255.DSI = "CPaceRistretto255"

   *  G_Ristretto255.field_size_bytes = 32

   *  G_Ristretto255.group_size_bits = 252

   *  G_Ristretto255.group_order = 2^252 +
      27742317777372353535851937790883648493

   CPace cipher suites using G_Ristretto255 MUST use a hash function
   producing at least H.b_max_in_bytes >= 64 bytes of output.  It is
   RECOMMENDED to use G_Ristretto255 in combination with SHA-512.

   For Decaf448 the following definitions apply:

   *  G_Decaf448.DSI = "CPaceDecaf448"

   *  G_Decaf448.field_size_bytes = 56

   *  G_Decaf448.group_size_bits = 445

   *  G_Decaf448.group_order = l = 2^446 -
      13818066809895115352007386748515426880336692474882178609894547503885

   CPace cipher suites using G_Decaf448 MUST use a hash function
   producing at least H.b_max_in_bytes >= 112 bytes of output.  It is
   RECOMMENDED to use G_Decaf448 in combination with SHAKE-256.

   For both abstractions the following definitions apply:

   *  It is RECOMMENDED to implement G.sample_scalar() as follows.

      -  Set scalar = sample_random_bytes(G.group_size_bytes).

      -  Then clear the most significant bits larger than
         G.group_size_bits.

      -  Interpret the result as the little-endian encoding of an
         integer value and return the result.

   *  Alternatively, if G.sample_scalar() is not implemented according
      to the above recommendation, it SHALL be implemented using uniform
      sampling between 1 and (G.group_order - 1).  Note that the more
      complex uniform sampling process can provide a larger side-channel
      attack surface for embedded systems in hostile environments.

   *  G.scalar_mult(y,_g) SHALL operate on a scalar y and a group
      element _g in the internal representation of the group abstraction
      environment.  It returns the value Y = encode((_g)^y), i.e. it
      returns a value using the public encoding.
   *  G.I is the public encoding representation of the identity
      element.

   *  G.scalar_mult_vfy(y,X) operates on a value using the public
      encoding and a scalar and is implemented as follows.  If the
      decode(X) function fails, it returns G.I.  Otherwise it returns
      encode( decode(X)^y ).

   *  The G.calculate_generator(H, PRS,sid,CI) function SHALL return a
      decoded point and SHALL BE implemented as follows.

      -  First gen_str = generator_string(G.DSI,PRS,CI,sid,
         H.s_in_bytes) is calculated using the input block size of the
         chosen hash function.

      -  This string is then hashed to the required length gen_str_hash
         = H.hash(gen_str, 2 * G.field_size_bytes).  Note that this
         implies that the permissible output length H.b_max_in_bytes
         MUST BE larger than or equal to twice the field size of the
         group G for a hash function to be suitable.

      -  Finally the internal representation of the generator _g is
         calculated as _g = one_way_map(gen_str_hash) using the one-way
         map function from the abstraction.

   Note that with these definitions the scalar_mult function operates on
   a decoded point _g and returns an encoded point, while the
   scalar_mult_vfy(y,X) function operates on an encoded point X (and
   also returns an encoded point).

6.3.1.  Verification tests

   For group abstractions verification tests according to Section 7
   SHALL consider encodings of the neutral element and an octet string
   that does not decode to a valid group element.

6.4.  CPace group objects for curves in Short-Weierstrass representation

   The group environment objects G defined in this section for use with
   Short-Weierstrass curves are parametrized by the choice of an
   elliptic curve and by the choice of a suitable encode_to_curve(str)
   function.  encode_to_curve(str) must map an octet string str to a
   point on the curve.

6.4.1.  Curves and associated functions

   Elliptic curves in Short-Weierstrass form are considered in
   [IEEE1363].  [IEEE1363] allows for both curves of prime and non-
   prime order.  However, for the procedures described in this section
   any suitable group MUST BE of prime order.

   The specifications for the group environment objects specified in
   this section closely follow the ECKAS-DH1 method from [IEEE1363].
   I.e. we use the same methods and encodings and protocol substeps as
   employed in the TLS [RFC5246] [RFC8446] protocol family.

   For C
Pace only the uncompressed full-coordinate encodings from [SEC1]
   (x and y coordinate) SHOULD be used.  Commonly used curve groups are
   specified in [SEC2] and [RFC5639].  A typical representative of such
   a Short-Weierstrass curve is NIST-P256.  Point verification as used
   in ECKAS-DH1 is described in Annex A.16.10. of [IEEE1363].

   For deriving Diffie-Hellman shared secrets ECKAS-DH1 from [IEEE1363]
   specifies the use of an ECSVDP-DH method.  We use ECSVDP-DH in
   combination with the identity map such that it either returns "error"
   or the x-coordinate of the Diffie-Hellman result point as shared
   secret in big endian format (fixed length output by FE2OSP without
   truncating leading zeros).

6.4.2.  Suitable encode_to_curve methods

   All the encode_to_curve methods specified in
   [I-D.irtf-cfrg-hash-to-curve] are suitable for CPace.  For Short-
   Weierstrass curves it is RECOMMENDED to use the non-uniform variant
   of the SSWU mapping primitive from [I-D.irtf-cfrg-hash-to-curve] if a
   SSWU mapping is available for the chosen curve.  (We recommend non-
   uniform maps in order to give implementations the flexibility to opt
   for x-coordinate-only scalar multiplication algorithms.)

6.4.3.  Definition of the group environment G for Short-Weierstrass
        curves

   In this paragraph we use the following notation for defining the
   group object G for a selected curve and encode_to_curve method:

   *  With group_order we denote the order of the elliptic curve which
      MUST BE a prime.

   *  With is_valid(X) we denote a method which operates on an octet
      stream according to [SEC1] of a point on the group and returns
      true if the point is valid or false otherwise.  This is_valid(X)
      method SHALL be implemented according to Annex A.16.10. of
      [IEEE1363].  I.e. it shall return false if X encodes either the
      neutral element on the group or does not form a valid encoding of
      a point on the group.

   *  With encode_to_curve(str) we denote a selected mapping function
      from [I-D.irtf-cfrg-hash-to-curve].  I.e. a function that maps
      octet string str to a point on the group.
      [I-D.irtf-cfrg-hash-to-curve] considers both uniform and non-
      uniform mappings based on several different strategies.  It is
      RECOMMENDED to use the nonuniform variant of the SSWU mapping
      primitive within [I-D.irtf-cfrg-hash-to-curve].

   *  G.DSI denotes a domain-separation identifier string, which
      SHALL BE obtained by the concatenation of "CPace" and the
      associated name of the cipher suite used for the encode_to_curve
      function as specified in [I-D.irtf-cfrg-hash-to-curve].  E.g. when
      using the map with the name "P384_XMD:SHA-384_SSWU_NU_" on curve
      NIST-P384 the resulting value SHALL BE G.DSI = "CPaceP384_XMD:SHA-
      384_SSWU_NU_".

   Using the above definitions, the CPace functions required for the
   group object G are defined as follows.

   *  G.sample_scalar() SHALL return a value between 1 and
      (G.group_order - 1).  The value sampling MUST BE uniformly random.
      It is RECOMMENDED to use rejection sampling for converting a
      uniform bitstring to a uniform value between 1 and (G.group_order
      - 1).

   *  G.calculate_generator(H, PRS,sid,CI) function SHALL be implemented
      as follows.

      -  First gen_str = generator_string(G.DSI,PRS,CI,sid,
         H.s_in_bytes) is calculated.

      -  Then the output of a call to encode_to_curve(gen_str) is
         returned, using the selected function from
         [I-D.irtf-cfrg-hash-to-curve].

   *  G.scalar_mult(s,X) is a function that operates on a scalar s and
      an input point X.  The input X shall use the same encoding as
      produced by the G.calculate_generator method above.
      G.scalar_mult(s,X) SHALL return an encoding of either the point
      X^s or the point X^(-s) according to [SEC1].  Implementations
      SHOULD use the full-coordinate format without compression, as
      important protocols such as TLS 1.3 removed support for
      compression.  Implementations of scalar_mult(s,X) MAY output
      either X^s or X^(-s) as both points X^s and X^(-s) have the same
      x-coordinate and result in the same Diffie-Hellman shared secrets
      K.  (This allows implementations to opt for x-coordinate-only
      scalar multiplication algorithms.)

   *  G.scalar_mult_vfy(s,X) merges verification of point X according to
      [IEEE1363] A.16.10. and the ECSVDP-DH procedure from
      [IEEE1363].  It SHALL BE implemented as follows:

      -  If is_valid(X) = False then G.scalar_mult_vfy(s,X) SHALL return
         "error" as specified in [IEEE1363] A.16.10 and 7.2.1.

      -  Otherwise G.scalar_mult_vfy(s,X) SHALL return the result of the
         ECSVDP-DH procedure from [IEEE1363] (section 7.2.1).  I.e. it
         shall either return "error" (in case that X^s is the neutral
         element) or the secret shared value "z" (otherwise).  "z" SHALL
         be encoded by using the big-endian encoding of the x-coordinate
         of the result point X^s according to [SEC1].

   *  We represent the neutral element G.I by using the representation
      of the "error" result case from [IEEE1363] as used in the
      G.scalar_mult_vfy method above.

6.4.4.  Verification tests

   For Short-Weierstrass curves verification tests according to
   Section 7 SHALL consider encodings of the point at infinity and an
   encoding of a point not on the group.

7.  Implementation verification

   Any CPace implementation MUST be tested against invalid or weak point
   attacks.  Implementations MUST be verified to abort upon conditions
   where the G.scalar_mult_vfy function outputs G.I.  For testing an
   implementation it is RECOMMENDED to include weak or invalid points in
   MSGa and MSGb and introduce these in a protocol run.  It SHALL be
   verified that the abort condition is properly handled.

   Moreover any implementation MUST be tested with respect to invalid
   encodings of MSGa and MSGb where the length of the message does not
   match the specified encoding (i.e. where the sum of the prepended
   length information does not match the actual length of the message).

   Corresponding test vectors are given in the appendix for all
   recommended cipher suites.

8.  Security Considerations

   A security proof of CPace is found in [AHH21].  This proof covers all
   recommended cipher suites included in this document.  In the
   following sections we describe how to protect CPace against several
   attack families, such as relay, length extension or side channel
   attacks.  We also describe aspects to consider when deviating from
   recommended cipher suites.

8.1.  Party identifiers and relay attacks

   If unique strings identifying the protocol partners are included
   either as part of the channel identifier CI, the session id sid or
   the associated data fields ADa, ADb, the ISK will provide implicit
   authentication also regarding the party identities.  Incorporating
   party identifier strings is important for fending off relay attacks.
   Such attacks become relevant in a setting where several parties, say,
   A, B and C, share the same password PRS.
   An adversary might relay messages from an honest user A, who aims at
   interacting with user B, to a party C instead.  If no party identifier
   strings are used, and B and C use the same PRS value, A might be
   establishing a common ISK key with C while assuming to interact with
   party B.  Including and checking party identifiers can fend off such
   relay attacks.

8.2.  Hashing and key derivation

   In order to prevent length extension attacks on hash functions, all
   hash input strings in CPace are designed to be prefix-free strings
   which have the length of individual substrings prepended, enforced by
   the prefix_free_cat() function.  This choice was made in order to
   make CPace suitable also for hash function instantiations using
   Merkle-Damgard constructions such as SHA-256 or SHA-512 along the
   lines of [CDMP05].  In case that an application wishes to use another
   form of encoding, the guidance given in [CDMP05] SHOULD BE
   considered.

   Although K is already a shared value, it MUST NOT itself be used as
   an application key.  Instead, ISK MUST BE used.  Leakage of K to an
   adversary can lead to offline dictionary attacks.

   As noted already in Section 4 it is RECOMMENDED to process ISK by use
   of a suitable strong key derivation function KDF (such as defined in
   [RFC5869]) first, before using the key in a higher-level protocol.

8.3.  Key confirmation

   In many applications it is advisable to add an explicit key
   confirmation round after the CPace protocol flow.  However, as some
   applications might only require implicit authentication and as
   explicit authentication messages are already a built-in feature in
   many higher-level protocols (e.g. TLS 1.3) the CPace protocol
   described here does not mandate use of a key confirmation on the
   level of the CPace sub-protocol.
   Already without explicit key confirmation, CPace enjoys weak forward
   security under the sCDH and sSDH assumptions [AHH21].  With added
   explicit confirmation, CPace enjoys perfect forward security also
   under the strong sCDH and sSDH assumptions [AHH21].

   Note that in [ABKLX21] it was shown that an idealized variant of
   CPace also enjoys perfect forward security without explicit key
   confirmation.  However this proof does not explicitly cover the
   recommended cipher suites in this document and requires the stronger
   assumption of an algebraic adversary model.  For this reason, we
   recommend adding explicit key confirmation if perfect forward
   security is required.

   When implementing explicit key confirmation, it is recommended to use
   an appropriate message-authentication code (MAC) such as HMAC
   [RFC2104] or CMAC [RFC4493] using a key mac_key derived from ISK.

   One suitable option that works also in the parallel setting without
   message ordering is to proceed as follows.

   *  First calculate mac_key as mac_key = H.hash(b"CPaceMac" ||
      ISK).

   *  Then let each party send an authenticator tag Ta, Tb that is
      calculated over the protocol message that it has sent previously.
      I.e. let party A calculate its transmitted authentication code Ta
      as Ta = MAC(mac_key, MSGa) and let party B calculate its
      transmitted authentication code Tb as Tb = MAC(mac_key, MSGb).

   *  Let the receiving party check the remote authentication tag for
      the correct value and abort in case that it's incorrect.

8.4.  Sampling of scalars

   For curves over fields F_p where p is a prime close to a power of
   two, we recommend sampling scalars as a uniform bit string of length
   field_size_bits.  We do so in order to reduce both the complexity of
   the implementation and the attack surface with respect to side-
   channels for embedded systems in hostile environments.
   The effect of non-uniform sampling on security was demonstrated to be
   benign in [AHH21] for the case of Curve25519 and Curve448.  This
   analysis however does not transfer to most curves in Short-Weierstrass
   form.  As a result, we recommend rejection sampling if G is as in
   Section 6.4.

8.5.  Single-coordinate CPace on Montgomery curves

   The recommended cipher suites for the Montgomery curves Curve25519
   and Curve448 in Section 6.2 rely on the following properties [AHH21]:

   *  The curve has order (p * c) with p prime and c a small cofactor.
      Also the curve's quadratic twist must be of order (p' * c') with
      p' prime and c' a cofactor.

   *  The cofactor c' of the twist MUST BE EQUAL to or an integer
      multiple of the cofactor c of the curve.

   *  Both field order q and group order p MUST BE close to a power of
      two along the lines of [AHH21], Appendix E.

   *  The representation of the neutral element G.I MUST BE the same for
      both the curve and its twist.

   *  The implementation of G.scalar_mult_vfy(y,X) MUST map all c low-
      order points on the curve and all c' low-order points on the twist
      to G.I.

   Montgomery curves other than the ones recommended here can use the
   specifications given in Section 6.2, given that the above properties
   hold.

8.6.  Nonce values

   Secret scalars ya and yb MUST NOT be reused.  Values for sid SHOULD
   NOT be reused since the composability guarantees established by the
   simulation-based proof rely on the uniqueness of session ids [AHH21].

   If CPace is used in a concurrent system, it is RECOMMENDED that a
   unique sid is generated by the higher-level protocol and passed to
   CPace.  One suitable option is that sid is generated by concatenating
   ephemeral random strings contributed by both parties.

8.7.  Side channel attacks

   All state-of-the-art methods for realizing constant-time execution
   SHOULD be used.
   In case that side channel attacks are to be considered practical for
   a given application, it is RECOMMENDED to pay special attention to
   computing the secret generator G.calculate_generator(PRS,CI,sid).
   The most critical substep to consider might be the processing of the
   first block of the hash that includes the PRS string.  The zero-
   padding introduced when hashing the sensitive PRS string can be
   expected to make the task for a side-channel attack somewhat more
   complex.  Still this feature alone is not sufficient for ruling out
   power analysis attacks.

8.8.  Quantum computers

   CPace is proven secure under the hardness of the strong computational
   Simultaneous Diffie-Hellman (sSDH) and strong computational Diffie-
   Hellman (sCDH) assumptions in the group G (as defined in [AHH21]).
   These assumptions are not expected to hold any longer when large-
   scale quantum computers (LSQC) are available.  Still, even in case
   that LSQC emerge, it is reasonable to assume that discrete-logarithm
   computations will remain costly.  CPace with ephemeral session id
   values sid forces the adversary to solve one computational Diffie-
   Hellman problem per password guess [ES21].  In this sense, using the
   wording suggested by Steve Thomas on the CFRG mailing list, CPace is
   "quantum-annoying".

9.  IANA Considerations

   No IANA action is required.

10.  Acknowledgements

   Thanks to the members of the CFRG for comments and advice.  Any
   comment and advice is appreciated.

11.  References

11.1.  Normative References

   [I-D.draft-irtf-cfrg-ristretto255-decaf448]
              Valence, H. D., Grigg, J., Tankersley, G., Valsorda, F.,
              Lovecruft, I., and M. Hamburg, "The ristretto255 and
              decaf448 Groups", Work in Progress, Internet-Draft,
              draft-irtf-cfrg-ristretto255-decaf448-01, 4 August 2021.
   [I-D.irtf-cfrg-hash-to-curve]
              Faz-Hernandez, A., Scott, S., Sullivan, N., Wahby, R. S.,
              and C. A. Wood, "Hashing to Elliptic Curves", Work in
              Progress, Internet-Draft, draft-irtf-cfrg-hash-to-curve-13,
              10 November 2021.

   [IEEE1363] "Standard Specifications for Public Key Cryptography, IEEE
              1363", 2000.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC7748]  Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
              for Security", RFC 7748, DOI 10.17487/RFC7748, January
              2016.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [SEC1]     Standards for Efficient Cryptography Group (SECG), "SEC 1:
              Elliptic Curve Cryptography", May 2009.

11.2.  Informative References

   [ABKLX21]  Abdalla, M., Barbosa, M., Katz, J., Loss, J., and J. Xu,
              "Algebraic Adversaries in the Universal Composability
              Framework.", n.d.

   [AHH21]    Abdalla, M., Haase, B., and J. Hesse, "Security analysis
              of CPace", n.d.

   [CDMP05]   Coron, J-S., Dodis, Y., Malinaud, C., and P. Puniya,
              "Merkle-Damgaard Revisited: How to Construct a Hash
              Function", In Advances in Cryptology - CRYPTO 2005,
              pages 430-448, DOI 10.1007/11535218_26, 2005.

   [ES21]     Eaton, E. and D. Stebila, "The 'quantum annoying' property
              of password-authenticated key exchange protocols.", n.d.

   [FIPS202]  National Institute of Standards and Technology (NIST),
              "SHA-3 Standard: Permutation-Based Hash and
              Extendable-Output Functions", August 2015.

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
              Hashing for Message Authentication", RFC 2104,
              DOI 10.17487/RFC2104, February 1997.

   [RFC4493]  Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The
              AES-CMAC Algorithm", RFC 4493, DOI 10.17487/RFC4493, June
              2006.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008.

   [RFC5639]  Lochter, M. and J. Merkle, "Elliptic Curve Cryptography
              (ECC) Brainpool Standard Curves and Curve Generation",
              RFC 5639, DOI 10.17487/RFC5639, March 2010.

   [RFC5869]  Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
              Key Derivation Function (HKDF)", RFC 5869,
              DOI 10.17487/RFC5869, May 2010.

   [RFC6234]  Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
              (SHA and SHA-based HMAC and HKDF)", RFC 6234,
              DOI 10.17487/RFC6234, May 2011.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

   [SEC2]     Standards for Efficient Cryptography Group (SECG), "SEC 2:
              Recommended Elliptic Curve Domain Parameters", January
              2010.

Appendix A.  CPace function definitions

A.1.  Definition and test vectors for string utility functions

A.1.1.  prepend_len function

   def prepend_len(data):
       "prepend LEB128 encoding of length"
       length = len(data)
       length_encoded = b""
       while True:
           if length < 128:
               length_encoded += bytes([length])
           else:
               length_encoded += bytes([(length & 0x7f) + 0x80])
           length = int(length >> 7)
           if length == 0:
               break
       return length_encoded + data

A.1.2.  prepend_len test vectors
   prepend_len(b""): (length: 1 bytes)
     00
   prepend_len(b"1234"): (length: 5 bytes)
     0431323334
   prepend_len(bytes(range(127))): (length: 128 bytes)
     7f000102030405060708090a0b0c0d0e0f101112131415161718191a1b
     1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738
     393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455
     565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172
     737475767778797a7b7c7d7e
   prepend_len(bytes(range(128))): (length: 130 bytes)
     8001000102030405060708090a0b0c0d0e0f101112131415161718191a
     1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637
     38393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f5051525354
     55565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f7071
     72737475767778797a7b7c7d7e7f

A.1.3.  prefix_free_cat function

   def prefix_free_cat(*args):
       result = b""
       for arg in args:
           result += prepend_len(arg)
       return result

A.1.4.  Test vector for prefix_free_cat()

   prefix_free_cat(b"1234",b"5",b"",b"6789"):
     (length: 13 bytes)
     04313233340135000436373839

A.1.5.  Examples for invalid encoded messages

   The following messages are examples which have invalid encoded length
   fields.  I.e. they are examples where parsing for the sum of the
   length of subfields as expected for a message generated for the
   prefix free concatenation does not give the correct length of the
   message.  Parties MUST abort upon reception of such invalid messages
   as MSGa or MSGb.

   Inv_MSG1 with invalid encoded length: (length: 3 bytes)
     ffffff
   Inv_MSG2 with invalid encoded length: (length: 3 bytes)
     ffff03
   Inv_MSG3 with invalid encoded length: (length: 4 bytes)
     00ffff03
   Inv_MSG4 with invalid encoded length: (length: 4 bytes)
     00ffffff

A.2.  Definition of generator_string function
   def generator_string(DSI,PRS,CI,sid,s_in_bytes):
       # Concat all input fields with prepended length information.
       # Add zero padding in the first hash block after DSI and PRS.
       # zero_bytes(n) denotes a string of n zero octets.
       len_zpad = max(0,s_in_bytes - 1 - len(prepend_len(PRS))
                        - len(prepend_len(DSI)))
       return prefix_free_cat(DSI, PRS, zero_bytes(len_zpad),
                              CI, sid)

A.3.  Definitions and test vector ordered concatenation

A.3.1.  Definitions for lexicographical ordering

   For ordered concatenation lexicographical ordering of byte sequences
   is used:

   def lexiographically_larger(bytes1,bytes2):
       "Returns True if bytes1 > bytes2 using lexicographical ordering."
       min_len = min(len(bytes1), len(bytes2))
       for m in range(min_len):
           if bytes1[m] > bytes2[m]:
               return True
           elif bytes1[m] < bytes2[m]:
               return False
       return len(bytes1) > len(bytes2)

A.3.2.  Definitions for ordered concatenation

   With the above definition of lexicographical ordering, ordered
   concatenation is specified as follows.

   def oCAT(bytes1,bytes2):
       if lexiographically_larger(bytes1,bytes2):
           return bytes1 + bytes2
       else:
           return bytes2 + bytes1

A.3.3.  Test vectors ordered concatenation

   string comparison for oCAT:
     lexiographically_larger(b"\0", b"\0\0") == False
     lexiographically_larger(b"\1", b"\0\0") == True
     lexiographically_larger(b"\0\0", b"\0") == True
     lexiographically_larger(b"\0\0", b"\1") == False
     lexiographically_larger(b"\0\1", b"\1") == False
     lexiographically_larger(b"ABCD", b"BCD") == False

   oCAT(b"ABCD",b"BCD"): (length: 7 bytes)
     42434441424344
   oCAT(b"BCD",b"ABCDE"): (length: 8 bytes)
     4243444142434445

A.4.  Decoding and Encoding functions according to RFC7748

   def decodeLittleEndian(b, bits):
       # b is a sequence of octet values, least significant octet first
       return sum([b[i] << 8*i for i in range((bits+7)//8)])

   def decodeUCoordinate(u, bits):
       # u is a byte string; iterating over it yields the octet values
       u_list = [b for b in u]
       # Ignore any unused bits.
       if bits % 8:
           u_list[-1] &= (1<<(bits%8))-1
       return decodeLittleEndian(u_list, bits)

   def encodeUCoordinate(u, bits):
       # p denotes the prime order of the underlying field
       u = u % p
       return bytes([(u >> 8*i) & 0xff
                     for i in range((bits+7)//8)])

A.5.  Elligator 2 reference implementation

   The Elligator 2 map requires a non-square field element Z which shall
   be calculated as follows.

   def find_z_ell2(F):
       # Find nonsquare for Elligator2
       # Argument: F, a field object, e.g., F = GF(2^255 - 19)
       ctr = F.gen()
       while True:
           for Z_cand in (F(ctr), F(-ctr)):
               # Z must be a non-square in F.
               if is_square(Z_cand):
                   continue
               return Z_cand
           ctr += 1

   The values of the non-square Z only depend on the curve.  The
   algorithm above results in a value of Z = 2 for Curve25519 and Z = -1
   for Ed448.

   The following code maps a field element r to an encoded field element
   which is a valid u-coordinate of a Montgomery curve with curve
   parameter A.

   def elligator2(r, q, A, field_size_bits):
       # Inputs: field element r, field order q,
       # curve parameter A and field size in bits
       Fq = GF(q); A = Fq(A); B = Fq(1);

       # get non-square z as specified in the hash2curve draft.
       z = Fq(find_z_ell2(Fq))
       powerForLegendreSymbol = floor((q-1)/2)

       v = - A / (1 + z * r^2)
       epsilon = (v^3 + A * v^2 + B * v)^powerForLegendreSymbol
       x = epsilon * v - (1 - epsilon) * A/2
       return encodeUCoordinate(Integer(x), field_size_bits)

Appendix B.  Test vectors

B.1.  Test vector for CPace using group X25519 and hash SHA-512

B.1.1.  Test vectors for calculate_generator with group X25519

   Inputs
     H = SHA-512 with input block size 128 bytes.
     PRS = b'Password' ; ZPAD length: 109 ; DSI = b'CPace255'
     CI = b'\nAinitiator\nBresponder'
     CI = 0a41696e69746961746f720a42726573706f6e646572
     sid = 7e4b4791d6a8ef019b936c79fb7f2c57
   Outputs
     generator_string(G.DSI,PRS,CI,sid,H.s_in_bytes):
     (length: 168 bytes)
       0843506163653235350850617373776f72646d000000000000000000
       00000000000000000000000000000000000000000000000000000000
       00000000000000000000000000000000000000000000000000000000
       00000000000000000000000000000000000000000000000000000000
       00000000000000000000000000000000160a41696e69746961746f72
       0a42726573706f6e646572107e4b4791d6a8ef019b936c79fb7f2c57
     hash generator string: (length: 32 bytes)
       10047198e8c4cacf0ab8a6d0ac337b8ae497209d042f7f3a50945863
       94e821fc
     decoded field element of 255 bits: (length: 32 bytes)
       10047198e8c4cacf0ab8a6d0ac337b8ae497209d042f7f3a50945863
       94e8217c
     generator g: (length: 32 bytes)
       4e6098733061c0e8486611a904fe5edb049804d26130a44131a6229e
       55c5c321

B.1.2.  Test vector for MSGa

   Inputs
     ADa = b'ADa'
     ya (little endian): (length: 32 bytes)
       45acf93116ae5d3dae995a7c627df2924321a8e857d9a200807131e3
       8839b0c2
   Outputs
     Ya: (length: 32 bytes)
       6f7fd31863b18b0cc9830fc842c60dea80120ccf2fd375498225e45a
       52065361
     MSGa: (length: 37 bytes)
       206f7fd31863b18b0cc9830fc842c60dea80120ccf2fd375498225e4
       5a5206536103414461

B.1.3.  Test vector for MSGb

   Inputs
     ADb = b'ADb'
     yb (little endian): (length: 32 bytes)
       a145e914b347002d298ce2051394f0ed68cf3623dfe5db082c78ffa5
       a667acdc
   Outputs
     Yb: (length: 32 bytes)
       e1b730a4956c0f853d96c5d125cebeeea46952c07c6f66da65bd9ffd
       2f71a462
     MSGb: (length: 37 bytes)
       20e1b730a4956c0f853d96c5d125cebeeea46952c07c6f66da65bd9f
       fd2f71a46203414462

B.1.4.  Test vector for secret points K

     scalar_mult_vfy(ya,Yb): (length: 32 bytes)
       2a905bc5f0b93ee72ac4b6ea8723520941adfc892935bf6f86d9e199
       befa6024
     scalar_mult_vfy(yb,Ya): (length: 32 bytes)
       2a905bc5f0b93ee72ac4b6ea8723520941adfc892935bf6f86d9e199
       befa6024

B.1.5.  Test vector for ISK calculation initiator/responder

     unordered cat of transcript : (length: 74 bytes)
       206f7fd31863b18b0cc9830fc842c60dea80120ccf2fd375498225e4
       5a520653610341446120e1b730a4956c0f853d96c5d125cebeeea469
       52c07c6f66da65bd9ffd2f71a46203414462
     DSI = G.DSI_ISK, b'CPace255_ISK': (length: 12 bytes)
       43506163653235355f49534b
     prefix_free_cat(DSI,sid,K)||MSGa||MSGb: (length: 137 bytes)
       0c43506163653235355f49534b107e4b4791d6a8ef019b936c79fb7f
       2c57202a905bc5f0b93ee72ac4b6ea8723520941adfc892935bf6f86
       d9e199befa6024206f7fd31863b18b0cc9830fc842c60dea80120ccf
       2fd375498225e45a520653610341446120e1b730a4956c0f853d96c5
       d125cebeeea46952c07c6f66da65bd9ffd2f71a46203414462
     ISK result: (length: 64 bytes)
       99a9e0ff35acb94ad8af1cd6b32ac409dc7d00557ccd9a7d19d3b462
       9e5f1f084f9332096162438c7ecc78331b4eda17e1a229a47182eccc
       9ea58cd9cdcd8e9a

B.1.6.  Test vector for ISK calculation parallel execution

     ordered cat of transcript : (length: 74 bytes)
       20e1b730a4956c0f853d96c5d125cebeeea46952c07c6f66da65bd9f
       fd2f71a46203414462206f7fd31863b18b0cc9830fc842c60dea8012
       0ccf2fd375498225e45a5206536103414461
     DSI = G.DSI_ISK, b'CPace255_ISK': (length: 12 bytes)
       43506163653235355f49534b
     prefix_free_cat(DSI,sid,K)||oCAT(MSGa,MSGb):
     (length: 137 bytes)
       0c43506163653235355f49534b107e4b4791d6a8ef019b936c79fb7f
       2c57202a905bc5f0b93ee72ac4b6ea8723520941adfc892935bf6f86
       d9e199befa602420e1b730a4956c0f853d96c5d125cebeeea46952c0
       7c6f66da65bd9ffd2f71a46203414462206f7fd31863b18b0cc9830f
       c842c60dea80120ccf2fd375498225e45a5206536103414461
     ISK result: (length: 64 bytes)
       3cd6a9670fa3ff211d829b845baa0f5ba9ad580c3ba0ee790bd0e9cd
       556290a8ffce44419fbf94e4cb8e7fe9f454fd25dc13e689e4d6ab0a
       c2211c70a8ac0062

B.1.7.  Corresponding ANSI-C initializers

   const uint8_t tc_PRS[] = {
    0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64,
   };
   const uint8_t tc_CI[] = {
    0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a,
    0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72,
   };
   const uint8_t tc_sid[] = {
    0x7e,0x4b,0x47,0x91,0xd6,0xa8,0xef,0x01,0x9b,0x93,0x6c,0x79,
    0xfb,0x7f,0x2c,0x57,
   };
   const uint8_t tc_g[] = {
    0x4e,0x60,0x98,0x73,0x30,0x61,0xc0,0xe8,0x48,0x66,0x11,0xa9,
    0x04,0xfe,0x5e,0xdb,0x04,0x98,0x04,0xd2,0x61,0x30,0xa4,0x41,
    0x31,0xa6,0x22,0x9e,0x55,0xc5,0xc3,0x21,
   };
   const uint8_t tc_ya[] = {
    0x45,0xac,0xf9,0x31,0x16,0xae,0x5d,0x3d,0xae,0x99,0x5a,0x7c,
    0x62,0x7d,0xf2,0x92,0x43,0x21,0xa8,0xe8,0x57,0xd9,0xa2,0x00,
    0x80,0x71,0x31,0xe3,0x88,0x39,0xb0,0xc2,
   };
   const uint8_t tc_ADa[] = {
    0x41,0x44,0x61,
   };
   const uint8_t tc_Ya[] = {
    0x6f,0x7f,0xd3,0x18,0x63,0xb1,0x8b,0x0c,0xc9,0x83,0x0f,0xc8,
    0x42,0xc6,0x0d,0xea,0x80,0x12,0x0c,0xcf,0x2f,0xd3,0x75,0x49,
1502 0x82,0x25,0xe4,0x5a,0x52,0x06,0x53,0x61, 1504 }; 1505 const uint8_t tc_yb[] = { 1506 0xa1,0x45,0xe9,0x14,0xb3,0x47,0x00,0x2d,0x29,0x8c,0xe2,0x05, 1507 0x13,0x94,0xf0,0xed,0x68,0xcf,0x36,0x23,0xdf,0xe5,0xdb,0x08, 1508 0x2c,0x78,0xff,0xa5,0xa6,0x67,0xac,0xdc, 1509 }; 1510 const uint8_t tc_ADb[] = { 1511 0x41,0x44,0x62, 1512 }; 1513 const uint8_t tc_Yb[] = { 1514 0xe1,0xb7,0x30,0xa4,0x95,0x6c,0x0f,0x85,0x3d,0x96,0xc5,0xd1, 1515 0x25,0xce,0xbe,0xee,0xa4,0x69,0x52,0xc0,0x7c,0x6f,0x66,0xda, 1516 0x65,0xbd,0x9f,0xfd,0x2f,0x71,0xa4,0x62, 1517 }; 1518 const uint8_t tc_K[] = { 1519 0x2a,0x90,0x5b,0xc5,0xf0,0xb9,0x3e,0xe7,0x2a,0xc4,0xb6,0xea, 1520 0x87,0x23,0x52,0x09,0x41,0xad,0xfc,0x89,0x29,0x35,0xbf,0x6f, 1521 0x86,0xd9,0xe1,0x99,0xbe,0xfa,0x60,0x24, 1522 }; 1523 const uint8_t tc_ISK_IR[] = { 1524 0x99,0xa9,0xe0,0xff,0x35,0xac,0xb9,0x4a,0xd8,0xaf,0x1c,0xd6, 1525 0xb3,0x2a,0xc4,0x09,0xdc,0x7d,0x00,0x55,0x7c,0xcd,0x9a,0x7d, 1526 0x19,0xd3,0xb4,0x62,0x9e,0x5f,0x1f,0x08,0x4f,0x93,0x32,0x09, 1527 0x61,0x62,0x43,0x8c,0x7e,0xcc,0x78,0x33,0x1b,0x4e,0xda,0x17, 1528 0xe1,0xa2,0x29,0xa4,0x71,0x82,0xec,0xcc,0x9e,0xa5,0x8c,0xd9, 1529 0xcd,0xcd,0x8e,0x9a, 1530 }; 1531 const uint8_t tc_ISK_SY[] = { 1532 0x3c,0xd6,0xa9,0x67,0x0f,0xa3,0xff,0x21,0x1d,0x82,0x9b,0x84, 1533 0x5b,0xaa,0x0f,0x5b,0xa9,0xad,0x58,0x0c,0x3b,0xa0,0xee,0x79, 1534 0x0b,0xd0,0xe9,0xcd,0x55,0x62,0x90,0xa8,0xff,0xce,0x44,0x41, 1535 0x9f,0xbf,0x94,0xe4,0xcb,0x8e,0x7f,0xe9,0xf4,0x54,0xfd,0x25, 1536 0xdc,0x13,0xe6,0x89,0xe4,0xd6,0xab,0x0a,0xc2,0x21,0x1c,0x70, 1537 0xa8,0xac,0x00,0x62, 1538 }; 1540 B.1.8. Test vectors for G_X25519.scalar_mult_vfy: low order points 1542 Test vectors for which G_X25519.scalar_mult_vfy(s_in,ux) must return 1543 the neutral element or would return the neutral element if bit #255 1544 of field element representation was not correctly cleared. (The 1545 decodeUCoordinate function from RFC7748 mandates clearing bit #255 1546 for field element representations for use in the X25519 function.). 
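   The following Python 3 script is an added example and not part of
   the draft or its reference code.  It re-derives the X25519/SHA-512
   vectors of B.1.1 to B.1.6 from the inputs above using only the
   standard library, and exercises the neutral-element check that this
   section requires: Elligator 2 from appendix A.5 with Z = 2, the
   X25519 ladder of RFC 7748 (including the scalar clamping and the
   clearing of bit #255 of the u-coordinate), and CPace's
   generator_string, prefix_free_cat and ordered concatenation.  Three
   details are assumptions of this example rather than statements of
   this page: H.hash truncates SHA-512 to its first 32 bytes when
   deriving the generator (matching the 32-byte "hash generator string"
   above), prefix_free_cat prepends a single length byte (every field in
   these vectors is shorter than 128 bytes), and oCAT places the
   lexicographically larger message first (as the ordered transcript of
   B.1.6 shows).  The helper names lv, run_b1, derive_isk and o_cat are
   this example's own.

```python
import hashlib

P = 2**255 - 19            # Curve25519 field prime
A = 486662                 # Montgomery parameter A of Curve25519 (B = 1)
Z = 2                      # Elligator 2 non-square; find_z_ell2 gives 2 for this field
DSI = b"CPace255"          # G.DSI for X25519
DSI_ISK = b"CPace255_ISK"  # G.DSI_ISK for X25519
S_IN_BYTES = 128           # SHA-512 input block size (H.s_in_bytes)
NEUTRAL = bytes(32)        # encoding of the neutral element G.I returned by X25519

def decode_u(b):
    """RFC 7748 decodeUCoordinate for X25519: little-endian, bit 255 cleared."""
    b = bytearray(b)
    b[31] &= 0x7f
    return int.from_bytes(b, "little")

def encode_u(u):
    """RFC 7748 encodeUCoordinate: reduce mod p, 32 bytes little-endian."""
    return (u % P).to_bytes(32, "little")

def elligator2(r):
    """Elligator 2 map of appendix A.5 for Curve25519; returns an integer u."""
    v = (-A * pow(1 + Z * r * r, P - 2, P)) % P              # 1 + Z*r^2 != 0
    eps = pow((v**3 + A * v * v + v) % P, (P - 1) // 2, P)   # Legendre symbol
    eps = -1 if eps == P - 1 else eps                        # p-1 means -1
    return (eps * v - (1 - eps) * A * pow(2, P - 2, P)) % P  # v or -v-A

def x25519(k, u):
    """RFC 7748 X25519: clamped scalar, Montgomery ladder, u masked by decode_u."""
    k = bytearray(k)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    k = int.from_bytes(k, "little")
    x1 = decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e, da, cb = (aa - bb) % P, d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return encode_u(x2 * pow(z2, P - 2, P))   # z2 == 0 yields NEUTRAL (all zero)

def scalar_mult_vfy(y, X):
    """G.scalar_mult_vfy for X25519: an all-zero result signals a low-order X."""
    return x25519(y, X)

def lv(*parts):
    """prefix_free_cat for fields shorter than 128 bytes: one length byte each."""
    assert all(len(p) < 128 for p in parts)
    return b"".join(bytes([len(p)]) + p for p in parts)

def calculate_generator(prs, ci, sid):
    """generator_string -> SHA-512, first 32 bytes -> decode -> Elligator 2."""
    zpad = bytes(max(0, S_IN_BYTES - len(lv(DSI, prs)) - 1))   # 109 zero bytes here
    gen_str = lv(DSI, prs, zpad, ci, sid)                        # 168 bytes here
    r = decode_u(hashlib.sha512(gen_str).digest()[:32])          # assumption: first 32 bytes
    return encode_u(elligator2(r))

def o_cat(m1, m2):
    """Ordered concatenation for the parallel setting: larger string first."""
    return m1 + m2 if m1 > m2 else m2 + m1

def derive_isk(sid, K, transcript):
    return hashlib.sha512(lv(DSI_ISK, sid, K) + transcript).digest()

# Inputs copied from B.1.1 to B.1.3 above.
PRS, CI = b"Password", b"\nAinitiator\nBresponder"
SID = bytes.fromhex("7e4b4791d6a8ef019b936c79fb7f2c57")
YA = bytes.fromhex("45acf93116ae5d3dae995a7c627df2924321a8e857d9a200807131e38839b0c2")
YB = bytes.fromhex("a145e914b347002d298ce2051394f0ed68cf3623dfe5db082c78ffa5a667acdc")

def run_b1(ya=YA, yb=YB, ada=b"ADa", adb=b"ADb"):
    """Both sides of one CPace run; returns the intermediates of B.1.1 to B.1.6."""
    g = calculate_generator(PRS, CI, SID)
    Ya, Yb = x25519(ya, g), x25519(yb, g)
    msga, msgb = lv(Ya, ada), lv(Yb, adb)
    K = scalar_mult_vfy(ya, Yb)
    if K == NEUTRAL or scalar_mult_vfy(yb, Ya) == NEUTRAL:
        raise ValueError("peer sent a low-order point: abort")   # the B.1.8 abort case
    return {"g": g, "Ya": Ya, "Yb": Yb, "MSGa": msga, "MSGb": msgb, "K": K,
            "ISK_IR": derive_isk(SID, K, msga + msgb),
            "ISK_SY": derive_isk(SID, K, o_cat(msga, msgb))}

if __name__ == "__main__":
    for name, value in run_b1().items():
        print(f"{name}: {value.hex()}")
```

   Running the script prints every intermediate in hex; comparing them
   with B.1.1 to B.1.6 checks the Elligator 2 map, the ladder and the
   transcript encoding in one pass.  The abort in run_b1 is the check
   this section mandates: X25519 returns the all-zero encoding for every
   low-order u, so a peer's point is rejected exactly when
   scalar_mult_vfy returns NEUTRAL, and the same all-zero comparison
   covers the vectors u0 ... ub that follow.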
1548 u0: 0000000000000000000000000000000000000000000000000000000000000000 1549 u1: 0100000000000000000000000000000000000000000000000000000000000000 1550 u2: ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f 1551 u3: e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b800 1552 u4: 5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f1157 1553 u5: edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f 1554 u6: daffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 1555 u7: eeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f 1556 u8: dbffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 1557 u9: d9ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 1558 ua: cdeb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b880 1559 ub: 4c9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f11d7 1561 u0 ... ub MUST be verified to produce the correct results q0 ... qb: 1563 Additionally, u0,u1,u2,u3,u4,u5 and u7 MUST trigger the abort case 1564 when included in MSGa or MSGb. 
1566 s = af46e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449aff 1567 qN = G_X25519.scalar_mult_vfy(s, uX) 1568 q0: 0000000000000000000000000000000000000000000000000000000000000000 1569 q1: 0000000000000000000000000000000000000000000000000000000000000000 1570 q2: 0000000000000000000000000000000000000000000000000000000000000000 1571 q3: 0000000000000000000000000000000000000000000000000000000000000000 1572 q4: 0000000000000000000000000000000000000000000000000000000000000000 1573 q5: 0000000000000000000000000000000000000000000000000000000000000000 1574 q6: d8e2c776bbacd510d09fd9278b7edcd25fc5ae9adfba3b6e040e8d3b71b21806 1575 q7: 0000000000000000000000000000000000000000000000000000000000000000 1576 q8: c85c655ebe8be44ba9c0ffde69f2fe10194458d137f09bbff725ce58803cdb38 1577 q9: db64dafa9b8fdd136914e61461935fe92aa372cb056314e1231bc4ec12417456 1578 qa: e062dcd5376d58297be2618c7498f55baa07d7e03184e8aada20bca28888bf7a 1579 qb: 993c6ad11c4c29da9a56f7691fd0ff8d732e49de6250b6c2e80003ff4629a175 1581 B.2. Test vector for CPace using group X448 and hash SHAKE-256 1583 B.2.1. Test vectors for calculate_generator with group X448 1584 Inputs 1585 H = SHAKE-256 with input block size 136 bytes. 
1586 PRS = b'Password' ; ZPAD length: 117 ; DSI = b'CPace448' 1587 CI = b'\nAinitiator\nBresponder' 1588 CI = 0a41696e69746961746f720a42726573706f6e646572 1589 sid = 5223e0cdc45d6575668d64c552004124 1590 Outputs 1591 generator_string(G.DSI,PRS,CI,sid,H.s_in_bytes): 1592 (length: 176 bytes) 1593 0843506163653434380850617373776f726475000000000000000000 1594 00000000000000000000000000000000000000000000000000000000 1595 00000000000000000000000000000000000000000000000000000000 1596 00000000000000000000000000000000000000000000000000000000 1597 000000000000000000000000000000000000000000000000160a4169 1598 6e69746961746f720a42726573706f6e646572105223e0cdc45d6575 1599 668d64c552004124 1600 hash generator string: (length: 56 bytes) 1601 769e06d6c41c8cf1c87aa3df8e687167f6d0a2e41821e856276a0221 1602 d88272359d0b43204b546174c9179c83c107b707f296eafaa1c5a293 1603 decoded field element of 448 bits: (length: 56 bytes) 1604 769e06d6c41c8cf1c87aa3df8e687167f6d0a2e41821e856276a0221 1605 d88272359d0b43204b546174c9179c83c107b707f296eafaa1c5a293 1606 generator g: (length: 56 bytes) 1607 6fdae14718eb7506dd96e3f7797896efdb8db9ec0797485c9c48a192 1608 2e44961da097f2908b084a5de33ab671630660d27d79ffd6ee8ec846 1610 B.2.2. Test vector for MSGa 1612 Inputs 1613 ADa = b'ADa' 1614 ya (little endian): (length: 56 bytes) 1615 21b4f4bd9e64ed355c3eb676a28ebedaf6d8f17bdc365995b3190971 1616 53044080516bd083bfcce66121a3072646994c8430cc382b8dc543e8 1617 Outputs 1618 Ya: (length: 56 bytes) 1619 396bd11daf223711e575cac6021e3fa31558012048a1cec7876292b9 1620 6c61eda353fe04f33028d2352779668a934084da776c1c51a58ce4b5 1621 MSGa: (length: 61 bytes) 1622 38396bd11daf223711e575cac6021e3fa31558012048a1cec7876292 1623 b96c61eda353fe04f33028d2352779668a934084da776c1c51a58ce4 1624 b503414461 1626 B.2.3. 
Test vector for MSGb 1627 Inputs 1628 ADb = b'ADb' 1629 yb (little endian): (length: 56 bytes) 1630 848b0779ff415f0af4ea14df9dd1d3c29ac41d836c7808896c4eba19 1631 c51ac40a439caf5e61ec88c307c7d619195229412eaa73fb2a5ea20d 1632 Outputs 1633 Yb: (length: 56 bytes) 1634 53c519fb490fde5a04bda8c18b327d0fc1a9391d19e0ac00c59df9c6 1635 0422284e593d6b092eac94f5aa644ed883f39bd4f04e4beb6af86d58 1636 MSGb: (length: 61 bytes) 1637 3853c519fb490fde5a04bda8c18b327d0fc1a9391d19e0ac00c59df9 1638 c60422284e593d6b092eac94f5aa644ed883f39bd4f04e4beb6af86d 1639 5803414462 1641 B.2.4. Test vector for secret points K 1643 scalar_mult_vfy(ya,Yb): (length: 56 bytes) 1644 e00af217556a40ccbc9822cc27a43542e45166a653aa4df746d5f8e1 1645 e8df483e9baff71c9eb03ee20a688ad4e4d359f70ac9ec3f6a659997 1646 scalar_mult_vfy(yb,Ya): (length: 56 bytes) 1647 e00af217556a40ccbc9822cc27a43542e45166a653aa4df746d5f8e1 1648 e8df483e9baff71c9eb03ee20a688ad4e4d359f70ac9ec3f6a659997 1650 B.2.5. Test vector for ISK calculation initiator/responder 1652 unordered cat of transcript : (length: 122 bytes) 1653 38396bd11daf223711e575cac6021e3fa31558012048a1cec7876292 1654 b96c61eda353fe04f33028d2352779668a934084da776c1c51a58ce4 1655 b5034144613853c519fb490fde5a04bda8c18b327d0fc1a9391d19e0 1656 ac00c59df9c60422284e593d6b092eac94f5aa644ed883f39bd4f04e 1657 4beb6af86d5803414462 1658 DSI = G.DSI_ISK, b'CPace448_ISK': (length: 12 bytes) 1659 43506163653434385f49534b 1660 prefix_free_cat(DSI,sid,K)||MSGa||MSGb: (length: 209 bytes) 1661 0c43506163653434385f49534b105223e0cdc45d6575668d64c55200 1662 412438e00af217556a40ccbc9822cc27a43542e45166a653aa4df746 1663 d5f8e1e8df483e9baff71c9eb03ee20a688ad4e4d359f70ac9ec3f6a 1664 65999738396bd11daf223711e575cac6021e3fa31558012048a1cec7 1665 876292b96c61eda353fe04f33028d2352779668a934084da776c1c51 1666 a58ce4b5034144613853c519fb490fde5a04bda8c18b327d0fc1a939 1667 1d19e0ac00c59df9c60422284e593d6b092eac94f5aa644ed883f39b 1668 d4f04e4beb6af86d5803414462 1669 ISK result: (length: 64 bytes) 1670 
4030297722c1914711da6b2a224a44b53b30c05ab02c2a3d3ccc7272 1671 a3333ce3a4564c17031b634e89f65681f52d5c3d1df7baeb88523d2e 1672 481b3858aed86315 1674 B.2.6. Test vector for ISK calculation parallel execution 1676 ordered cat of transcript : (length: 122 bytes) 1677 3853c519fb490fde5a04bda8c18b327d0fc1a9391d19e0ac00c59df9 1678 c60422284e593d6b092eac94f5aa644ed883f39bd4f04e4beb6af86d 1679 580341446238396bd11daf223711e575cac6021e3fa31558012048a1 1680 cec7876292b96c61eda353fe04f33028d2352779668a934084da776c 1681 1c51a58ce4b503414461 1682 DSI = G.DSI_ISK, b'CPace448_ISK': (length: 12 bytes) 1683 43506163653434385f49534b 1684 prefix_free_cat(DSI,sid,K)||oCAT(MSGa,MSGb): 1685 (length: 209 bytes) 1686 0c43506163653434385f49534b105223e0cdc45d6575668d64c55200 1687 412438e00af217556a40ccbc9822cc27a43542e45166a653aa4df746 1688 d5f8e1e8df483e9baff71c9eb03ee20a688ad4e4d359f70ac9ec3f6a 1689 6599973853c519fb490fde5a04bda8c18b327d0fc1a9391d19e0ac00 1690 c59df9c60422284e593d6b092eac94f5aa644ed883f39bd4f04e4beb 1691 6af86d580341446238396bd11daf223711e575cac6021e3fa3155801 1692 2048a1cec7876292b96c61eda353fe04f33028d2352779668a934084 1693 da776c1c51a58ce4b503414461 1694 ISK result: (length: 64 bytes) 1695 925e95d1095dad1af6378d5ef8b9a998bd3855bfc7d36cb5ca05b0a7 1696 a93346abcb8cef04bceb28c38fdaf0cc608fd1dcd462ab523f3b7f75 1697 2c77c411be3ac8fb 1699 B.2.7. 
Corresponding ANSI-C initializers 1701 const uint8_t tc_PRS[] = { 1702 0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, 1703 }; 1704 const uint8_t tc_CI[] = { 1705 0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a, 1706 0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72, 1707 }; 1708 const uint8_t tc_sid[] = { 1709 0x52,0x23,0xe0,0xcd,0xc4,0x5d,0x65,0x75,0x66,0x8d,0x64,0xc5, 1710 0x52,0x00,0x41,0x24, 1711 }; 1712 const uint8_t tc_g[] = { 1713 0x6f,0xda,0xe1,0x47,0x18,0xeb,0x75,0x06,0xdd,0x96,0xe3,0xf7, 1714 0x79,0x78,0x96,0xef,0xdb,0x8d,0xb9,0xec,0x07,0x97,0x48,0x5c, 1715 0x9c,0x48,0xa1,0x92,0x2e,0x44,0x96,0x1d,0xa0,0x97,0xf2,0x90, 1716 0x8b,0x08,0x4a,0x5d,0xe3,0x3a,0xb6,0x71,0x63,0x06,0x60,0xd2, 1717 0x7d,0x79,0xff,0xd6,0xee,0x8e,0xc8,0x46, 1718 }; 1719 const uint8_t tc_ya[] = { 1720 0x21,0xb4,0xf4,0xbd,0x9e,0x64,0xed,0x35,0x5c,0x3e,0xb6,0x76, 1721 0xa2,0x8e,0xbe,0xda,0xf6,0xd8,0xf1,0x7b,0xdc,0x36,0x59,0x95, 1722 0xb3,0x19,0x09,0x71,0x53,0x04,0x40,0x80,0x51,0x6b,0xd0,0x83, 1723 0xbf,0xcc,0xe6,0x61,0x21,0xa3,0x07,0x26,0x46,0x99,0x4c,0x84, 1724 0x30,0xcc,0x38,0x2b,0x8d,0xc5,0x43,0xe8, 1725 }; 1726 const uint8_t tc_ADa[] = { 1727 0x41,0x44,0x61, 1728 }; 1729 const uint8_t tc_Ya[] = { 1730 0x39,0x6b,0xd1,0x1d,0xaf,0x22,0x37,0x11,0xe5,0x75,0xca,0xc6, 1731 0x02,0x1e,0x3f,0xa3,0x15,0x58,0x01,0x20,0x48,0xa1,0xce,0xc7, 1732 0x87,0x62,0x92,0xb9,0x6c,0x61,0xed,0xa3,0x53,0xfe,0x04,0xf3, 1733 0x30,0x28,0xd2,0x35,0x27,0x79,0x66,0x8a,0x93,0x40,0x84,0xda, 1734 0x77,0x6c,0x1c,0x51,0xa5,0x8c,0xe4,0xb5, 1735 }; 1736 const uint8_t tc_yb[] = { 1737 0x84,0x8b,0x07,0x79,0xff,0x41,0x5f,0x0a,0xf4,0xea,0x14,0xdf, 1738 0x9d,0xd1,0xd3,0xc2,0x9a,0xc4,0x1d,0x83,0x6c,0x78,0x08,0x89, 1739 0x6c,0x4e,0xba,0x19,0xc5,0x1a,0xc4,0x0a,0x43,0x9c,0xaf,0x5e, 1740 0x61,0xec,0x88,0xc3,0x07,0xc7,0xd6,0x19,0x19,0x52,0x29,0x41, 1741 0x2e,0xaa,0x73,0xfb,0x2a,0x5e,0xa2,0x0d, 1742 }; 1743 const uint8_t tc_ADb[] = { 1744 0x41,0x44,0x62, 1745 }; 1746 const uint8_t tc_Yb[] = { 1747 
       0x53,0xc5,0x19,0xfb,0x49,0x0f,0xde,0x5a,0x04,0xbd,0xa8,0xc1,
       0x8b,0x32,0x7d,0x0f,0xc1,0xa9,0x39,0x1d,0x19,0xe0,0xac,0x00,
       0xc5,0x9d,0xf9,0xc6,0x04,0x22,0x28,0x4e,0x59,0x3d,0x6b,0x09,
       0x2e,0xac,0x94,0xf5,0xaa,0x64,0x4e,0xd8,0x83,0xf3,0x9b,0xd4,
       0xf0,0x4e,0x4b,0xeb,0x6a,0xf8,0x6d,0x58,
   };
   const uint8_t tc_K[] = {
       0xe0,0x0a,0xf2,0x17,0x55,0x6a,0x40,0xcc,0xbc,0x98,0x22,0xcc,
       0x27,0xa4,0x35,0x42,0xe4,0x51,0x66,0xa6,0x53,0xaa,0x4d,0xf7,
       0x46,0xd5,0xf8,0xe1,0xe8,0xdf,0x48,0x3e,0x9b,0xaf,0xf7,0x1c,
       0x9e,0xb0,0x3e,0xe2,0x0a,0x68,0x8a,0xd4,0xe4,0xd3,0x59,0xf7,
       0x0a,0xc9,0xec,0x3f,0x6a,0x65,0x99,0x97,
   };
   const uint8_t tc_ISK_IR[] = {
       0x40,0x30,0x29,0x77,0x22,0xc1,0x91,0x47,0x11,0xda,0x6b,0x2a,
       0x22,0x4a,0x44,0xb5,0x3b,0x30,0xc0,0x5a,0xb0,0x2c,0x2a,0x3d,
       0x3c,0xcc,0x72,0x72,0xa3,0x33,0x3c,0xe3,0xa4,0x56,0x4c,0x17,
       0x03,0x1b,0x63,0x4e,0x89,0xf6,0x56,0x81,0xf5,0x2d,0x5c,0x3d,
       0x1d,0xf7,0xba,0xeb,0x88,0x52,0x3d,0x2e,0x48,0x1b,0x38,0x58,
       0xae,0xd8,0x63,0x15,
   };
   const uint8_t tc_ISK_SY[] = {
       0x92,0x5e,0x95,0xd1,0x09,0x5d,0xad,0x1a,0xf6,0x37,0x8d,0x5e,
       0xf8,0xb9,0xa9,0x98,0xbd,0x38,0x55,0xbf,0xc7,0xd3,0x6c,0xb5,
       0xca,0x05,0xb0,0xa7,0xa9,0x33,0x46,0xab,0xcb,0x8c,0xef,0x04,
       0xbc,0xeb,0x28,0xc3,0x8f,0xda,0xf0,0xcc,0x60,0x8f,0xd1,0xdc,
       0xd4,0x62,0xab,0x52,0x3f,0x3b,0x7f,0x75,0x2c,0x77,0xc4,0x11,
       0xbe,0x3a,0xc8,0xfb,
   };

B.2.8.  Test vectors for G_X448.scalar_mult_vfy: low order points

   Test vectors for which G_X448.scalar_mult_vfy(s_in,ux) must return
   the neutral element.  This includes points that are non-canonically
   encoded, i.e. whose coordinate value is larger than or equal to the
   field prime.  Unlike X25519, where decodeUCoordinate clears bit #255,
   the 56-byte X448 encoding has no bit to mask, and RFC 7748 requires
   implementations to accept such non-canonical values and to process
   them as if they had been reduced modulo the field prime; after that
   reduction u3 and u4 below are the low-order points u0 and u1.
1783 Weak points for X448 smaller than the field prime (canonical) 1785 u0: (length: 56 bytes) 1786 0000000000000000000000000000000000000000000000000000000000 1787 000000000000000000000000000000000000000000000000000000 1788 u1: (length: 56 bytes) 1789 0100000000000000000000000000000000000000000000000000000000 1790 000000000000000000000000000000000000000000000000000000 1791 u2: (length: 56 bytes) 1792 fefffffffffffffffffffffffffffffffffffffffffffffffffffffffe 1793 ffffffffffffffffffffffffffffffffffffffffffffffffffffff 1795 Weak points for X448 larger or equal to the field prime (non- 1796 canonical) 1798 u3: (length: 56 bytes) 1799 fffffffffffffffffffffffffffffffffffffffffffffffffffffffffe 1800 ffffffffffffffffffffffffffffffffffffffffffffffffffffff 1801 u4: (length: 56 bytes) 1802 00000000000000000000000000000000000000000000000000000000ff 1803 ffffffffffffffffffffffffffffffffffffffffffffffffffffff 1805 All of the above points u0 ... u4 MUST trigger the abort case 1806 when included in the protocol messages MSGa or MSGb. 1808 Expected results for X448 resp. 
G_X448.scalar_mult_vfy 1809 scalar s: (length: 56 bytes) 1810 af8a14218bf2a2062926d2ea9b8fe4e8b6817349b6ed2feb1e5d64d7a4 1811 523f15fceec70fb111e870dc58d191e66a14d3e9d482d04432cadd 1812 G_X448.scalar_mult_vfy(s,u0): (length: 56 bytes) 1813 0000000000000000000000000000000000000000000000000000000000 1814 000000000000000000000000000000000000000000000000000000 1815 G_X448.scalar_mult_vfy(s,u1): (length: 56 bytes) 1816 0000000000000000000000000000000000000000000000000000000000 1817 000000000000000000000000000000000000000000000000000000 1818 G_X448.scalar_mult_vfy(s,u2): (length: 56 bytes) 1819 0000000000000000000000000000000000000000000000000000000000 1820 000000000000000000000000000000000000000000000000000000 1821 G_X448.scalar_mult_vfy(s,u3): (length: 56 bytes) 1822 0000000000000000000000000000000000000000000000000000000000 1823 000000000000000000000000000000000000000000000000000000 1824 G_X448.scalar_mult_vfy(s,u4): (length: 56 bytes) 1825 0000000000000000000000000000000000000000000000000000000000 1826 000000000000000000000000000000000000000000000000000000 1828 Test vectors for scalar_mult with nonzero outputs 1830 scalar s: (length: 56 bytes) 1831 af8a14218bf2a2062926d2ea9b8fe4e8b6817349b6ed2feb1e5d64d7a4 1832 523f15fceec70fb111e870dc58d191e66a14d3e9d482d04432cadd 1833 point coordinate u_curve on the curve: (length: 56 bytes) 1834 ab0c68d772ec2eb9de25c49700e46d6325e66d6aa39d7b65eb84a68c55 1835 69d47bd71b41f3e0d210f44e146dec8926b174acb3f940a0b82cab 1836 G_X448.scalar_mult_vfy(s,u_curve): (length: 56 bytes) 1837 3b0fa9bc40a6fdc78c9e06ff7a54c143c5d52f365607053bf0656f5142 1838 0496295f910a101b38edc1acd3bd240fd55dcb7a360553b8a7627e 1840 point coordinate u_twist on the twist: (length: 56 bytes) 1841 c981cd1e1f72d9c35c7d7cf6be426757c0dc8206a2fcfa564a8e7618c0 1842 3c0e61f9a2eb1c3e0dd97d6e9b1010f5edd03397a83f5a914cb3ff 1843 G_X448.scalar_mult_vfy(s,u_twist): (length: 56 bytes) 1844 d0a2bb7e9c5c2c627793d8342f23b759fe7d9e3320a85ca4fd61376331 1845 
50ffd9a9148a9b75c349fac43d64bec49a6e126cc92cbfbf353961 1847 B.3. Test vector for CPace using group ristretto255 and hash SHA-512 1849 B.3.1. Test vectors for calculate_generator with group ristretto255 1850 Inputs 1851 H = SHA-512 with input block size 128 bytes. 1852 PRS = b'Password' ; ZPAD length: 100 ; 1853 DSI = b'CPaceRistretto255' 1854 CI = b'\nAinitiator\nBresponder' 1855 CI = 0a41696e69746961746f720a42726573706f6e646572 1856 sid = 7e4b4791d6a8ef019b936c79fb7f2c57 1857 Outputs 1858 generator_string(G.DSI,PRS,CI,sid,H.s_in_bytes): 1859 (length: 168 bytes) 1860 11435061636552697374726574746f3235350850617373776f726464 1861 00000000000000000000000000000000000000000000000000000000 1862 00000000000000000000000000000000000000000000000000000000 1863 00000000000000000000000000000000000000000000000000000000 1864 00000000000000000000000000000000160a41696e69746961746f72 1865 0a42726573706f6e646572107e4b4791d6a8ef019b936c79fb7f2c57 1866 hash result: (length: 64 bytes) 1867 a5ce446f63a1ae6d1fee80fa67d0b4004a4b1283ec5549a462bf33a6 1868 c1ae06a0871f9bf48545f49b2a792eed255ac04f52758c9c60448306 1869 810b44e986e3dcbb 1870 encoded generator g: (length: 32 bytes) 1871 9c5712178570957204d89ac11acbef789dd076992ba361429acb2bc3 1872 8c71d14c 1874 B.3.2. Test vector for MSGa 1876 Inputs 1877 ADa = b'ADa' 1878 ya (little endian): (length: 32 bytes) 1879 1433dd19359992d4e06d740d3993d429af6338ffb4531ce175d22449 1880 853a790b 1881 Outputs 1882 Ya: (length: 32 bytes) 1883 a8fc42c4d57b3c7346661011122a00563d0995fd72b62123ae244400 1884 e86d7b1a 1885 MSGa: (length: 37 bytes) 1886 20a8fc42c4d57b3c7346661011122a00563d0995fd72b62123ae2444 1887 00e86d7b1a03414461 1889 B.3.3. 
Test vector for MSGb 1890 Inputs 1891 ADb = b'ADb' 1892 yb (little endian): (length: 32 bytes) 1893 0e6566d32d80a5a1135f99c27f2d637aa24da23027c3fa76b9d1cfd9 1894 742fdc00 1895 Outputs 1896 Yb: (length: 32 bytes) 1897 fc8e84ae4ab725909af05a56ef9714db6930e4a5589b3fee6cdd2662 1898 36676d63 1899 MSGb: (length: 37 bytes) 1900 20fc8e84ae4ab725909af05a56ef9714db6930e4a5589b3fee6cdd26 1901 6236676d6303414462 1903 B.3.4. Test vector for secret points K 1905 scalar_mult_vfy(ya,Yb): (length: 32 bytes) 1906 3efef1706f42efa354020b087b37fbd9f81cf72a16f4947e4a042a7f 1907 1aaa2b6f 1908 scalar_mult_vfy(yb,Ya): (length: 32 bytes) 1909 3efef1706f42efa354020b087b37fbd9f81cf72a16f4947e4a042a7f 1910 1aaa2b6f 1912 B.3.5. Test vector for ISK calculation initiator/responder 1914 unordered cat of transcript : (length: 74 bytes) 1915 20a8fc42c4d57b3c7346661011122a00563d0995fd72b62123ae2444 1916 00e86d7b1a0341446120fc8e84ae4ab725909af05a56ef9714db6930 1917 e4a5589b3fee6cdd266236676d6303414462 1918 DSI = G.DSI_ISK, b'CPaceRistretto255_ISK': 1919 (length: 21 bytes) 1920 435061636552697374726574746f3235355f49534b 1921 prefix_free_cat(DSI,sid,K)||MSGa||MSGb: (length: 146 bytes) 1922 15435061636552697374726574746f3235355f49534b107e4b4791d6 1923 a8ef019b936c79fb7f2c57203efef1706f42efa354020b087b37fbd9 1924 f81cf72a16f4947e4a042a7f1aaa2b6f20a8fc42c4d57b3c73466610 1925 11122a00563d0995fd72b62123ae244400e86d7b1a0341446120fc8e 1926 84ae4ab725909af05a56ef9714db6930e4a5589b3fee6cdd26623667 1927 6d6303414462 1928 ISK result: (length: 64 bytes) 1929 0e33c5822bd495dea94ba7af161501f1b2d6a16d464b5d6e1a53dcbf 1930 b9244b9ba66c09c430fffdfe4fb4e99b4ea46f991a272de0431c132c 1931 2c79fd6de1a7e5e4 1933 B.3.6. 
Test vector for ISK calculation parallel execution 1934 ordered cat of transcript : (length: 74 bytes) 1935 20fc8e84ae4ab725909af05a56ef9714db6930e4a5589b3fee6cdd26 1936 6236676d630341446220a8fc42c4d57b3c7346661011122a00563d09 1937 95fd72b62123ae244400e86d7b1a03414461 1938 DSI = G.DSI_ISK, b'CPaceRistretto255_ISK': 1939 (length: 21 bytes) 1940 435061636552697374726574746f3235355f49534b 1941 prefix_free_cat(DSI,sid,K)||oCAT(MSGa,MSGb): 1942 (length: 146 bytes) 1943 15435061636552697374726574746f3235355f49534b107e4b4791d6 1944 a8ef019b936c79fb7f2c57203efef1706f42efa354020b087b37fbd9 1945 f81cf72a16f4947e4a042a7f1aaa2b6f20fc8e84ae4ab725909af05a 1946 56ef9714db6930e4a5589b3fee6cdd266236676d630341446220a8fc 1947 42c4d57b3c7346661011122a00563d0995fd72b62123ae244400e86d 1948 7b1a03414461 1949 ISK result: (length: 64 bytes) 1950 ca36335be682a480a9fc63977d044a10ff7adfcda0f2978fbcf8713d 1951 2a4e23e25c05a9a02edcfbff2ede65b752f8ea1f4454d764ad8ed860 1952 7c158ef662614567 1954 B.3.7. Corresponding ANSI-C initializers 1956 const uint8_t tc_PRS[] = { 1957 0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, 1958 }; 1959 const uint8_t tc_CI[] = { 1960 0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a, 1961 0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72, 1962 }; 1963 const uint8_t tc_sid[] = { 1964 0x7e,0x4b,0x47,0x91,0xd6,0xa8,0xef,0x01,0x9b,0x93,0x6c,0x79, 1965 0xfb,0x7f,0x2c,0x57, 1966 }; 1967 const uint8_t tc_g[] = { 1968 0x9c,0x57,0x12,0x17,0x85,0x70,0x95,0x72,0x04,0xd8,0x9a,0xc1, 1969 0x1a,0xcb,0xef,0x78,0x9d,0xd0,0x76,0x99,0x2b,0xa3,0x61,0x42, 1970 0x9a,0xcb,0x2b,0xc3,0x8c,0x71,0xd1,0x4c, 1971 }; 1972 const uint8_t tc_ya[] = { 1973 0x14,0x33,0xdd,0x19,0x35,0x99,0x92,0xd4,0xe0,0x6d,0x74,0x0d, 1974 0x39,0x93,0xd4,0x29,0xaf,0x63,0x38,0xff,0xb4,0x53,0x1c,0xe1, 1975 0x75,0xd2,0x24,0x49,0x85,0x3a,0x79,0x0b, 1976 }; 1977 const uint8_t tc_ADa[] = { 1978 0x41,0x44,0x61, 1979 }; 1980 const uint8_t tc_Ya[] = { 1981 0xa8,0xfc,0x42,0xc4,0xd5,0x7b,0x3c,0x73,0x46,0x66,0x10,0x11, 1982 
0x12,0x2a,0x00,0x56,0x3d,0x09,0x95,0xfd,0x72,0xb6,0x21,0x23, 1983 0xae,0x24,0x44,0x00,0xe8,0x6d,0x7b,0x1a, 1984 }; 1985 const uint8_t tc_yb[] = { 1986 0x0e,0x65,0x66,0xd3,0x2d,0x80,0xa5,0xa1,0x13,0x5f,0x99,0xc2, 1987 0x7f,0x2d,0x63,0x7a,0xa2,0x4d,0xa2,0x30,0x27,0xc3,0xfa,0x76, 1988 0xb9,0xd1,0xcf,0xd9,0x74,0x2f,0xdc,0x00, 1989 }; 1990 const uint8_t tc_ADb[] = { 1991 0x41,0x44,0x62, 1992 }; 1993 const uint8_t tc_Yb[] = { 1994 0xfc,0x8e,0x84,0xae,0x4a,0xb7,0x25,0x90,0x9a,0xf0,0x5a,0x56, 1995 0xef,0x97,0x14,0xdb,0x69,0x30,0xe4,0xa5,0x58,0x9b,0x3f,0xee, 1996 0x6c,0xdd,0x26,0x62,0x36,0x67,0x6d,0x63, 1997 }; 1998 const uint8_t tc_K[] = { 1999 0x3e,0xfe,0xf1,0x70,0x6f,0x42,0xef,0xa3,0x54,0x02,0x0b,0x08, 2000 0x7b,0x37,0xfb,0xd9,0xf8,0x1c,0xf7,0x2a,0x16,0xf4,0x94,0x7e, 2001 0x4a,0x04,0x2a,0x7f,0x1a,0xaa,0x2b,0x6f, 2002 }; 2003 const uint8_t tc_ISK_IR[] = { 2004 0x0e,0x33,0xc5,0x82,0x2b,0xd4,0x95,0xde,0xa9,0x4b,0xa7,0xaf, 2005 0x16,0x15,0x01,0xf1,0xb2,0xd6,0xa1,0x6d,0x46,0x4b,0x5d,0x6e, 2006 0x1a,0x53,0xdc,0xbf,0xb9,0x24,0x4b,0x9b,0xa6,0x6c,0x09,0xc4, 2007 0x30,0xff,0xfd,0xfe,0x4f,0xb4,0xe9,0x9b,0x4e,0xa4,0x6f,0x99, 2008 0x1a,0x27,0x2d,0xe0,0x43,0x1c,0x13,0x2c,0x2c,0x79,0xfd,0x6d, 2009 0xe1,0xa7,0xe5,0xe4, 2010 }; 2011 const uint8_t tc_ISK_SY[] = { 2012 0xca,0x36,0x33,0x5b,0xe6,0x82,0xa4,0x80,0xa9,0xfc,0x63,0x97, 2013 0x7d,0x04,0x4a,0x10,0xff,0x7a,0xdf,0xcd,0xa0,0xf2,0x97,0x8f, 2014 0xbc,0xf8,0x71,0x3d,0x2a,0x4e,0x23,0xe2,0x5c,0x05,0xa9,0xa0, 2015 0x2e,0xdc,0xfb,0xff,0x2e,0xde,0x65,0xb7,0x52,0xf8,0xea,0x1f, 2016 0x44,0x54,0xd7,0x64,0xad,0x8e,0xd8,0x60,0x7c,0x15,0x8e,0xf6, 2017 0x62,0x61,0x45,0x67, 2018 }; 2020 B.3.8. 
Test case for scalar_mult with valid inputs 2021 s: (length: 32 bytes) 2022 7cd0e075fa7955ba52c02759a6c90dbbfc10e6d40aea8d283e407d88 2023 cf538a05 2024 X: (length: 32 bytes) 2025 021ca069484e890c9e494d8ed6bb0f66cbd9a8f0ef67168f36c51e0e 2026 feb8f347 2027 G.scalar_mult(s,decode(X)): (length: 32 bytes) 2028 62aaa018755dc881902097c2a993c0b7c0a4fe33bce2c0182b46a44c 2029 40b95119 2030 G.scalar_mult_vfy(s,X): (length: 32 bytes) 2031 62aaa018755dc881902097c2a993c0b7c0a4fe33bce2c0182b46a44c 2032 40b95119 2034 B.3.9. Invalid inputs for scalar_mult_vfy 2036 For these test cases scalar_mult_vfy(y,.) MUST return the 2037 representation of the neutral element G.I. When points Y_i1 or Y_i2 2038 are included in MSGa or MSGb the protocol MUST abort. 2040 s: (length: 32 bytes) 2041 7cd0e075fa7955ba52c02759a6c90dbbfc10e6d40aea8d283e407d88 2042 cf538a05 2043 Y_i1: (length: 32 bytes) 2044 011ca069484e890c9e494d8ed6bb0f66cbd9a8f0ef67168f36c51e0e 2045 feb8f347 2046 Y_i2 == G.I: (length: 32 bytes) 2047 00000000000000000000000000000000000000000000000000000000 2048 00000000 2049 G.scalar_mult_vfy(s,Y_i1) = G.scalar_mult_vfy(s,Y_i2) = G.I 2051 B.4. Test vector for CPace using group decaf448 and hash SHAKE-256 2053 B.4.1. Test vectors for calculate_generator with group decaf448 2054 Inputs 2055 H = SHAKE-256 with input block size 136 bytes. 
2056 PRS = b'Password' ; ZPAD length: 112 ; 2057 DSI = b'CPaceDecaf448' 2058 CI = b'\nAinitiator\nBresponder' 2059 CI = 0a41696e69746961746f720a42726573706f6e646572 2060 sid = 5223e0cdc45d6575668d64c552004124 2061 Outputs 2062 generator_string(G.DSI,PRS,CI,sid,H.s_in_bytes): 2063 (length: 176 bytes) 2064 0d435061636544656361663434380850617373776f72647000000000 2065 00000000000000000000000000000000000000000000000000000000 2066 00000000000000000000000000000000000000000000000000000000 2067 00000000000000000000000000000000000000000000000000000000 2068 000000000000000000000000000000000000000000000000160a4169 2069 6e69746961746f720a42726573706f6e646572105223e0cdc45d6575 2070 668d64c552004124 2071 hash result: (length: 112 bytes) 2072 8955b426ff1d3a22032d21c013cf94134cee9a4235e93261a4911edb 2073 f68f2945f0267c983954262c7f59badb9caf468ebe21b7e9885657af 2074 b8f1a3b783c2047ba519e113ecf81b2b580dd481f499beabd401cc77 2075 1d28915fb750011209040f5f03b2ceb5e5eb259c96b478382d5a5c57 2076 encoded generator g: (length: 56 bytes) 2077 c811b3f6b0d27b58a74d8274bf5f9ca6b7ada15b0bf57b79a6b45c13 2078 2eb0c28bdcc3abf4e5932cea97a80997ead1c146b98b1a1f1def30f3 2080 B.4.2. Test vector for MSGa 2082 Inputs 2083 ADa = b'ADa' 2084 ya (little endian): (length: 56 bytes) 2085 d8d2e26c821a12d7f59a8dee023d3f6155976152e16c73cbf68c303d 2086 f0404399f0a7b614a65df50a9788f00b410586b443f738ad7ff03930 2087 Outputs 2088 Ya: (length: 56 bytes) 2089 223f95a5430a2f2a499431696d23ea2d0a90f432e5491e45e4005f3d 2090 d785e7be1235b79252670099bc993c2df5c261dfb7a8989f091e2be3 2091 MSGa: (length: 61 bytes) 2092 38223f95a5430a2f2a499431696d23ea2d0a90f432e5491e45e4005f 2093 3dd785e7be1235b79252670099bc993c2df5c261dfb7a8989f091e2b 2094 e303414461 2096 B.4.3. 
Test vector for MSGb 2097 Inputs 2098 ADb = b'ADb' 2099 yb (little endian): (length: 56 bytes) 2100 91bae9793f4a8aceb1b5c54375a7ed1858a79a6e72dab959c8bdf3a7 2101 5ac9bb4de2a25af4d4a9a5c5bc5441d19b8e3f6fcce7196c6afc2236 2102 Outputs 2103 Yb: (length: 56 bytes) 2104 b6ba0a336c103c6c92019ae4cfbcb88d8f6bfc361e979c9e0d3a0967 2105 e630094ba3d1555821ac1f979996ef5ce79f012ffe279ac89b287bee 2106 MSGb: (length: 61 bytes) 2107 38b6ba0a336c103c6c92019ae4cfbcb88d8f6bfc361e979c9e0d3a09 2108 67e630094ba3d1555821ac1f979996ef5ce79f012ffe279ac89b287b 2109 ee03414462 2111 B.4.4. Test vector for secret points K 2113 scalar_mult_vfy(ya,Yb): (length: 56 bytes) 2114 dc504938fb70eb13916697aa3e076e82537c171aa326121399c896fe 2115 ea0e198b41b6bae300bb86f8c61d4b170eee4717b5497016f34364a9 2116 scalar_mult_vfy(yb,Ya): (length: 56 bytes) 2117 dc504938fb70eb13916697aa3e076e82537c171aa326121399c896fe 2118 ea0e198b41b6bae300bb86f8c61d4b170eee4717b5497016f34364a9 2120 B.4.5. Test vector for ISK calculation initiator/responder 2122 unordered cat of transcript : (length: 122 bytes) 2123 38223f95a5430a2f2a499431696d23ea2d0a90f432e5491e45e4005f 2124 3dd785e7be1235b79252670099bc993c2df5c261dfb7a8989f091e2b 2125 e30341446138b6ba0a336c103c6c92019ae4cfbcb88d8f6bfc361e97 2126 9c9e0d3a0967e630094ba3d1555821ac1f979996ef5ce79f012ffe27 2127 9ac89b287bee03414462 2128 DSI = G.DSI_ISK, b'CPaceDecaf448_ISK': (length: 17 bytes) 2129 435061636544656361663434385f49534b 2130 prefix_free_cat(DSI,sid,K)||MSGa||MSGb: (length: 214 bytes) 2131 11435061636544656361663434385f49534b105223e0cdc45d657566 2132 8d64c55200412438dc504938fb70eb13916697aa3e076e82537c171a 2133 a326121399c896feea0e198b41b6bae300bb86f8c61d4b170eee4717 2134 b5497016f34364a938223f95a5430a2f2a499431696d23ea2d0a90f4 2135 32e5491e45e4005f3dd785e7be1235b79252670099bc993c2df5c261 2136 dfb7a8989f091e2be30341446138b6ba0a336c103c6c92019ae4cfbc 2137 b88d8f6bfc361e979c9e0d3a0967e630094ba3d1555821ac1f979996 2138 ef5ce79f012ffe279ac89b287bee03414462 2139 ISK result: 
   (length: 64 bytes)
     ebe28369491f8899a5af3b339d4993881b69d22607c58719da6eaab3
     8f0d9025eae413ca2b072b156ce4a0d4778ff471a63c4d908cab70bc
     2081951d504cbb03

B.4.6.  Test vector for ISK calculation parallel execution

   ordered cat of transcript : (length: 122 bytes)
     38b6ba0a336c103c6c92019ae4cfbcb88d8f6bfc361e979c9e0d3a09
     67e630094ba3d1555821ac1f979996ef5ce79f012ffe279ac89b287b
     ee0341446238223f95a5430a2f2a499431696d23ea2d0a90f432e549
     1e45e4005f3dd785e7be1235b79252670099bc993c2df5c261dfb7a8
     989f091e2be303414461
   DSI = G.DSI_ISK, b'CPaceDecaf448_ISK': (length: 17 bytes)
     435061636544656361663434385f49534b
   prefix_free_cat(DSI,sid,K)||oCAT(MSGa,MSGb):
   (length: 214 bytes)
     11435061636544656361663434385f49534b105223e0cdc45d657566
     8d64c55200412438dc504938fb70eb13916697aa3e076e82537c171a
     a326121399c896feea0e198b41b6bae300bb86f8c61d4b170eee4717
     b5497016f34364a938b6ba0a336c103c6c92019ae4cfbcb88d8f6bfc
     361e979c9e0d3a0967e630094ba3d1555821ac1f979996ef5ce79f01
     2ffe279ac89b287bee0341446238223f95a5430a2f2a499431696d23
     ea2d0a90f432e5491e45e4005f3dd785e7be1235b79252670099bc99
     3c2df5c261dfb7a8989f091e2be303414461
   ISK result: (length: 64 bytes)
     2996d1953320581b587f473cfd5c974c5a8597b22b37fefe49bdb7b8
     4073424f7f7a6e456498665a69530741398c6010bdb346f79944acc9
     0c5c537fa35cd29a

B.4.7.  Corresponding ANSI-C initializers

   const uint8_t tc_PRS[] = {
     0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64,
   };
   const uint8_t tc_CI[] = {
     0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a,
     0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72,
   };
   const uint8_t tc_sid[] = {
     0x52,0x23,0xe0,0xcd,0xc4,0x5d,0x65,0x75,0x66,0x8d,0x64,0xc5,
     0x52,0x00,0x41,0x24,
   };
   const uint8_t tc_g[] = {
     0xc8,0x11,0xb3,0xf6,0xb0,0xd2,0x7b,0x58,0xa7,0x4d,0x82,0x74,
     0xbf,0x5f,0x9c,0xa6,0xb7,0xad,0xa1,0x5b,0x0b,0xf5,0x7b,0x79,
     0xa6,0xb4,0x5c,0x13,0x2e,0xb0,0xc2,0x8b,0xdc,0xc3,0xab,0xf4,
     0xe5,0x93,0x2c,0xea,0x97,0xa8,0x09,0x97,0xea,0xd1,0xc1,0x46,
     0xb9,0x8b,0x1a,0x1f,0x1d,0xef,0x30,0xf3,
   };
   const uint8_t tc_ya[] = {
     0xd8,0xd2,0xe2,0x6c,0x82,0x1a,0x12,0xd7,0xf5,0x9a,0x8d,0xee,
     0x02,0x3d,0x3f,0x61,0x55,0x97,0x61,0x52,0xe1,0x6c,0x73,0xcb,
     0xf6,0x8c,0x30,0x3d,0xf0,0x40,0x43,0x99,0xf0,0xa7,0xb6,0x14,
     0xa6,0x5d,0xf5,0x0a,0x97,0x88,0xf0,0x0b,0x41,0x05,0x86,0xb4,
     0x43,0xf7,0x38,0xad,0x7f,0xf0,0x39,0x30,
   };
   const uint8_t tc_ADa[] = {
     0x41,0x44,0x61,
   };
   const uint8_t tc_Ya[] = {
     0x22,0x3f,0x95,0xa5,0x43,0x0a,0x2f,0x2a,0x49,0x94,0x31,0x69,
     0x6d,0x23,0xea,0x2d,0x0a,0x90,0xf4,0x32,0xe5,0x49,0x1e,0x45,
     0xe4,0x00,0x5f,0x3d,0xd7,0x85,0xe7,0xbe,0x12,0x35,0xb7,0x92,
     0x52,0x67,0x00,0x99,0xbc,0x99,0x3c,0x2d,0xf5,0xc2,0x61,0xdf,
     0xb7,0xa8,0x98,0x9f,0x09,0x1e,0x2b,0xe3,
   };
   const uint8_t tc_yb[] = {
     0x91,0xba,0xe9,0x79,0x3f,0x4a,0x8a,0xce,0xb1,0xb5,0xc5,0x43,
     0x75,0xa7,0xed,0x18,0x58,0xa7,0x9a,0x6e,0x72,0xda,0xb9,0x59,
     0xc8,0xbd,0xf3,0xa7,0x5a,0xc9,0xbb,0x4d,0xe2,0xa2,0x5a,0xf4,
     0xd4,0xa9,0xa5,0xc5,0xbc,0x54,0x41,0xd1,0x9b,0x8e,0x3f,0x6f,
     0xcc,0xe7,0x19,0x6c,0x6a,0xfc,0x22,0x36,
   };
   const uint8_t tc_ADb[] = {
     0x41,0x44,0x62,
   };
   const uint8_t tc_Yb[] = {
     0xb6,0xba,0x0a,0x33,0x6c,0x10,0x3c,0x6c,0x92,0x01,0x9a,0xe4,
     0xcf,0xbc,0xb8,0x8d,0x8f,0x6b,0xfc,0x36,0x1e,0x97,0x9c,0x9e,
     0x0d,0x3a,0x09,0x67,0xe6,0x30,0x09,0x4b,0xa3,0xd1,0x55,0x58,
     0x21,0xac,0x1f,0x97,0x99,0x96,0xef,0x5c,0xe7,0x9f,0x01,0x2f,
     0xfe,0x27,0x9a,0xc8,0x9b,0x28,0x7b,0xee,
   };
   const uint8_t tc_K[] = {
     0xdc,0x50,0x49,0x38,0xfb,0x70,0xeb,0x13,0x91,0x66,0x97,0xaa,
     0x3e,0x07,0x6e,0x82,0x53,0x7c,0x17,0x1a,0xa3,0x26,0x12,0x13,
     0x99,0xc8,0x96,0xfe,0xea,0x0e,0x19,0x8b,0x41,0xb6,0xba,0xe3,
     0x00,0xbb,0x86,0xf8,0xc6,0x1d,0x4b,0x17,0x0e,0xee,0x47,0x17,
     0xb5,0x49,0x70,0x16,0xf3,0x43,0x64,0xa9,
   };
   const uint8_t tc_ISK_IR[] = {
     0xeb,0xe2,0x83,0x69,0x49,0x1f,0x88,0x99,0xa5,0xaf,0x3b,0x33,
     0x9d,0x49,0x93,0x88,0x1b,0x69,0xd2,0x26,0x07,0xc5,0x87,0x19,
     0xda,0x6e,0xaa,0xb3,0x8f,0x0d,0x90,0x25,0xea,0xe4,0x13,0xca,
     0x2b,0x07,0x2b,0x15,0x6c,0xe4,0xa0,0xd4,0x77,0x8f,0xf4,0x71,
     0xa6,0x3c,0x4d,0x90,0x8c,0xab,0x70,0xbc,0x20,0x81,0x95,0x1d,
     0x50,0x4c,0xbb,0x03,
   };
   const uint8_t tc_ISK_SY[] = {
     0x29,0x96,0xd1,0x95,0x33,0x20,0x58,0x1b,0x58,0x7f,0x47,0x3c,
     0xfd,0x5c,0x97,0x4c,0x5a,0x85,0x97,0xb2,0x2b,0x37,0xfe,0xfe,
     0x49,0xbd,0xb7,0xb8,0x40,0x73,0x42,0x4f,0x7f,0x7a,0x6e,0x45,
     0x64,0x98,0x66,0x5a,0x69,0x53,0x07,0x41,0x39,0x8c,0x60,0x10,
     0xbd,0xb3,0x46,0xf7,0x99,0x44,0xac,0xc9,0x0c,0x5c,0x53,0x7f,
     0xa3,0x5c,0xd2,0x9a,
   };

B.4.8.  Test case for scalar_mult with valid inputs

   s: (length: 56 bytes)
     dd1bc7015daabb7672129cc35a3ba815486b139deff9bdeca7a4fc61
     34323d34658761e90ff079972a7ca8aa5606498f4f4f0ebc0933a819
   X: (length: 56 bytes)
     c803a6c8171ac38b66c5306553f45a487a24eb8581414444715bd2e5
     cf4c749a3b56a550f3c9a6ea3efa6e11ae6a6da12b98ef2f51174b9a
   G.scalar_mult(s,decode(X)): (length: 56 bytes)
     b831a1f804fd3c902ae82f731d298aebf9152ea855f5b5da5ee88584
     84c55a7f65cc3ccf5f678496dc4cb1c8d6bc7ed17d2fe535fdc8f60e
   G.scalar_mult_vfy(s,X): (length: 56 bytes)
     b831a1f804fd3c902ae82f731d298aebf9152ea855f5b5da5ee88584
     84c55a7f65cc3ccf5f678496dc4cb1c8d6bc7ed17d2fe535fdc8f60e

B.4.9.  Invalid inputs for scalar_mult_vfy

   For these test cases scalar_mult_vfy(y,.) MUST return the
   representation of the neutral element G.I.  When points Y_i1 or Y_i2
   are included in MSGa or MSGb the protocol MUST abort.

   s: (length: 56 bytes)
     dd1bc7015daabb7672129cc35a3ba815486b139deff9bdeca7a4fc61
     34323d34658761e90ff079972a7ca8aa5606498f4f4f0ebc0933a819
   Y_i1: (length: 56 bytes)
     c703a6c8171ac38b66c5306553f45a487a24eb8581414444715bd2e5
     cf4c749a3b56a550f3c9a6ea3efa6e11ae6a6da12b98ef2f51174b9a
   Y_i2 == G.I: (length: 56 bytes)
     00000000000000000000000000000000000000000000000000000000
     00000000000000000000000000000000000000000000000000000000
   G.scalar_mult_vfy(s,Y_i1) = G.scalar_mult_vfy(s,Y_i2) = G.I

B.5.  Test vector for CPace using group NIST P-256 and hash SHA-256

B.5.1.  Test vectors for calculate_generator with group NIST P-256

   Inputs
   H = SHA-256 with input block size 64 bytes.
   PRS = b'Password' ; ZPAD length: 23 ;
   DSI = b'CPaceP256_XMD:SHA-256_SSWU_NU_'
   CI = b'\nAinitiator\nBresponder'
   CI = 0a41696e69746961746f720a42726573706f6e646572
   sid = 34b36454cab2e7842c389f7d88ecb7df
   Outputs
   generator_string(PRS,G.DSI,CI,sid,H.s_in_bytes):
   (length: 104 bytes)
     1e4350616365503235365f584d443a5348412d3235365f535357555f
     4e555f0850617373776f726417000000000000000000000000000000
     0000000000000000160a41696e69746961746f720a42726573706f6e
     6465721034b36454cab2e7842c389f7d88ecb7df
   generator g: (length: 65 bytes)
     04993b46e30ba9cfc3dc2d3ae2cf9733cf03994e74383c4e1b4a92e8
     d6d466b321c4a642979162fbde9e1c9a6180bd27a0594491e4c231f5
     1006d0bf7992d07127

B.5.2.  Test vector for MSGa

   Inputs
   ADa = b'ADa'
   ya (big endian): (length: 32 bytes)
     c9e47ca5debd2285727af47e55f5b7763fa79719da428f800190cc66
     59b4eafb
   Outputs
   Ya: (length: 65 bytes)
     0478ac925a6e3447a537627a2163be005a422f55c08385c1ef7d051c
     a94593df5946314120faa87165cba131c1da3aac429dc3d99a9bac7d
     4c4cbb8570b4d5ea10
   Alternative correct value for Ya: g^(-ya):
   (length: 65 bytes)
     0478ac925a6e3447a537627a2163be005a422f55c08385c1ef7d051c
     a94593df59b9cebede05578e9b345ece3e25c553bd623c2666645382
     b3b3447a8f4b2a15ef
   MSGa: (length: 70 bytes)
     410478ac925a6e3447a537627a2163be005a422f55c08385c1ef7d05
     1ca94593df5946314120faa87165cba131c1da3aac429dc3d99a9bac
     7d4c4cbb8570b4d5ea1003414461

B.5.3.  Test vector for MSGb

   Inputs
   ADb = b'ADb'
   yb (big endian): (length: 32 bytes)
     a0b768ba7555621d133012d1dee27a0013c1bcfddd675811df12771e
     44d77b10
   Outputs
   Yb: (length: 65 bytes)
     04df13ffa89b0ce3cc553b1495ff027886564d94b8d9165cd50e5f65
     4247959951bfac90839fca218bf8e2d1258eb7d7d9f733fe4cd558e6
     fa57bf1f801aae7d3a
   Alternative correct value for Yb: g^(-yb):
   (length: 65 bytes)
     04df13ffa89b0ce3cc553b1495ff027886564d94b8d9165cd50e5f65
     424795995140536f7b6035de75071d2eda7148282608cc01b42aa719
     05a840e07fe55182c5
   MSGb: (length: 70 bytes)
     4104df13ffa89b0ce3cc553b1495ff027886564d94b8d9165cd50e5f
     654247959951bfac90839fca218bf8e2d1258eb7d7d9f733fe4cd558
     e6fa57bf1f801aae7d3a03414462

B.5.4.  Test vector for secret points K

   scalar_mult_vfy(ya,Yb): (length: 32 bytes)
     27f7059d88f02007dc18c911c9b4034d3c0f13f8f7ed9603b0927f23
     fbab1037
   scalar_mult_vfy(yb,Ya): (length: 32 bytes)
     27f7059d88f02007dc18c911c9b4034d3c0f13f8f7ed9603b0927f23
     fbab1037

B.5.5.  Test vector for ISK calculation initiator/responder

   unordered cat of transcript : (length: 140 bytes)
     410478ac925a6e3447a537627a2163be005a422f55c08385c1ef7d05
     1ca94593df5946314120faa87165cba131c1da3aac429dc3d99a9bac
     7d4c4cbb8570b4d5ea10034144614104df13ffa89b0ce3cc553b1495
     ff027886564d94b8d9165cd50e5f654247959951bfac90839fca218b
     f8e2d1258eb7d7d9f733fe4cd558e6fa57bf1f801aae7d3a03414462
   DSI = G.DSI_ISK, b'CPaceP256_XMD:SHA-256_SSWU_NU__ISK':
   (length: 34 bytes)
     4350616365503235365f584d443a5348412d3235365f535357555f4e
     555f5f49534b
   prefix_free_cat(DSI,sid,K)||MSGa||MSGb: (length: 225 bytes)
     224350616365503235365f584d443a5348412d3235365f535357555f
     4e555f5f49534b1034b36454cab2e7842c389f7d88ecb7df2027f705
     9d88f02007dc18c911c9b4034d3c0f13f8f7ed9603b0927f23fbab10
     37410478ac925a6e3447a537627a2163be005a422f55c08385c1ef7d
     051ca94593df5946314120faa87165cba131c1da3aac429dc3d99a9b
     ac7d4c4cbb8570b4d5ea10034144614104df13ffa89b0ce3cc553b14
     95ff027886564d94b8d9165cd50e5f654247959951bfac90839fca21
     8bf8e2d1258eb7d7d9f733fe4cd558e6fa57bf1f801aae7d3a034144
     62
   ISK result: (length: 32 bytes)
     ddc1b133c387ecf344c0b496bc1223656cd6e7d99a5def8b3b026796
     50811fc9

B.5.6.  Test vector for ISK calculation parallel execution

   ordered cat of transcript : (length: 140 bytes)
     4104df13ffa89b0ce3cc553b1495ff027886564d94b8d9165cd50e5f
     654247959951bfac90839fca218bf8e2d1258eb7d7d9f733fe4cd558
     e6fa57bf1f801aae7d3a03414462410478ac925a6e3447a537627a21
     63be005a422f55c08385c1ef7d051ca94593df5946314120faa87165
     cba131c1da3aac429dc3d99a9bac7d4c4cbb8570b4d5ea1003414461
   DSI = G.DSI_ISK, b'CPaceP256_XMD:SHA-256_SSWU_NU__ISK':
   (length: 34 bytes)
     4350616365503235365f584d443a5348412d3235365f535357555f4e
     555f5f49534b
   prefix_free_cat(DSI,sid,K)||oCAT(MSGa,MSGb):
   (length: 225 bytes)
     224350616365503235365f584d443a5348412d3235365f535357555f
     4e555f5f49534b1034b36454cab2e7842c389f7d88ecb7df2027f705
     9d88f02007dc18c911c9b4034d3c0f13f8f7ed9603b0927f23fbab10
     374104df13ffa89b0ce3cc553b1495ff027886564d94b8d9165cd50e
     5f654247959951bfac90839fca218bf8e2d1258eb7d7d9f733fe4cd5
     58e6fa57bf1f801aae7d3a03414462410478ac925a6e3447a537627a
     2163be005a422f55c08385c1ef7d051ca94593df5946314120faa871
     65cba131c1da3aac429dc3d99a9bac7d4c4cbb8570b4d5ea10034144
     61
   ISK result: (length: 32 bytes)
     6ea775b0fb3c31502687565a52150fc595c63fe901a11d5fc1995cd5
     089a17ae

B.5.7.  Corresponding ANSI-C initializers

   const uint8_t tc_PRS[] = {
     0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64,
   };
   const uint8_t tc_CI[] = {
     0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a,
     0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72,
   };
   const uint8_t tc_sid[] = {
     0x34,0xb3,0x64,0x54,0xca,0xb2,0xe7,0x84,0x2c,0x38,0x9f,0x7d,
     0x88,0xec,0xb7,0xdf,
   };
   const uint8_t tc_g[] = {
     0x04,0x99,0x3b,0x46,0xe3,0x0b,0xa9,0xcf,0xc3,0xdc,0x2d,0x3a,
     0xe2,0xcf,0x97,0x33,0xcf,0x03,0x99,0x4e,0x74,0x38,0x3c,0x4e,
     0x1b,0x4a,0x92,0xe8,0xd6,0xd4,0x66,0xb3,0x21,0xc4,0xa6,0x42,
     0x97,0x91,0x62,0xfb,0xde,0x9e,0x1c,0x9a,0x61,0x80,0xbd,0x27,
     0xa0,0x59,0x44,0x91,0xe4,0xc2,0x31,0xf5,0x10,0x06,0xd0,0xbf,
     0x79,0x92,0xd0,0x71,0x27,
   };
   const uint8_t tc_ya[] = {
     0xc9,0xe4,0x7c,0xa5,0xde,0xbd,0x22,0x85,0x72,0x7a,0xf4,0x7e,
     0x55,0xf5,0xb7,0x76,0x3f,0xa7,0x97,0x19,0xda,0x42,0x8f,0x80,
     0x01,0x90,0xcc,0x66,0x59,0xb4,0xea,0xfb,
   };
   const uint8_t tc_ADa[] = {
     0x41,0x44,0x61,
   };
   const uint8_t tc_Ya[] = {
     0x04,0x78,0xac,0x92,0x5a,0x6e,0x34,0x47,0xa5,0x37,0x62,0x7a,
     0x21,0x63,0xbe,0x00,0x5a,0x42,0x2f,0x55,0xc0,0x83,0x85,0xc1,
     0xef,0x7d,0x05,0x1c,0xa9,0x45,0x93,0xdf,0x59,0x46,0x31,0x41,
     0x20,0xfa,0xa8,0x71,0x65,0xcb,0xa1,0x31,0xc1,0xda,0x3a,0xac,
     0x42,0x9d,0xc3,0xd9,0x9a,0x9b,0xac,0x7d,0x4c,0x4c,0xbb,0x85,
     0x70,0xb4,0xd5,0xea,0x10,
   };
   const uint8_t tc_yb[] = {
     0xa0,0xb7,0x68,0xba,0x75,0x55,0x62,0x1d,0x13,0x30,0x12,0xd1,
     0xde,0xe2,0x7a,0x00,0x13,0xc1,0xbc,0xfd,0xdd,0x67,0x58,0x11,
     0xdf,0x12,0x77,0x1e,0x44,0xd7,0x7b,0x10,
   };
   const uint8_t tc_ADb[] = {
     0x41,0x44,0x62,
   };
   const uint8_t tc_Yb[] = {
     0x04,0xdf,0x13,0xff,0xa8,0x9b,0x0c,0xe3,0xcc,0x55,0x3b,0x14,
     0x95,0xff,0x02,0x78,0x86,0x56,0x4d,0x94,0xb8,0xd9,0x16,0x5c,
     0xd5,0x0e,0x5f,0x65,0x42,0x47,0x95,0x99,0x51,0xbf,0xac,0x90,
     0x83,0x9f,0xca,0x21,0x8b,0xf8,0xe2,0xd1,0x25,0x8e,0xb7,0xd7,
     0xd9,0xf7,0x33,0xfe,0x4c,0xd5,0x58,0xe6,0xfa,0x57,0xbf,0x1f,
     0x80,0x1a,0xae,0x7d,0x3a,
   };
   const uint8_t tc_K[] = {
     0x27,0xf7,0x05,0x9d,0x88,0xf0,0x20,0x07,0xdc,0x18,0xc9,0x11,
     0xc9,0xb4,0x03,0x4d,0x3c,0x0f,0x13,0xf8,0xf7,0xed,0x96,0x03,
     0xb0,0x92,0x7f,0x23,0xfb,0xab,0x10,0x37,
   };
   const uint8_t tc_ISK_IR[] = {
     0xdd,0xc1,0xb1,0x33,0xc3,0x87,0xec,0xf3,0x44,0xc0,0xb4,0x96,
     0xbc,0x12,0x23,0x65,0x6c,0xd6,0xe7,0xd9,0x9a,0x5d,0xef,0x8b,
     0x3b,0x02,0x67,0x96,0x50,0x81,0x1f,0xc9,
   };
   const uint8_t tc_ISK_SY[] = {
     0x6e,0xa7,0x75,0xb0,0xfb,0x3c,0x31,0x50,0x26,0x87,0x56,0x5a,
     0x52,0x15,0x0f,0xc5,0x95,0xc6,0x3f,0xe9,0x01,0xa1,0x1d,0x5f,
     0xc1,0x99,0x5c,0xd5,0x08,0x9a,0x17,0xae,
   };

B.5.8.  Test case for scalar_mult_vfy with correct inputs

   s: (length: 32 bytes)
     f012501c091ff9b99a123fffe571d8bc01e8077ee581362e1bd21399
     0835643b
   X: (length: 65 bytes)
     0476ab88669dc640ca098b3d19ed87084d22d7e7c86b3b87451554d6
     93a7d98fb6bf0a6938fe0cec7be7563499ba3792909c8b9f4c936ef5
     2828b78a8d6254f49c
   G.scalar_mult(s,X) (full coordinates): (length: 65 bytes)
     0492b0eb1fe6a988797a85e6de8ec5de7ec685c83164570d79f0d568
     b918bfe7718b049dac20ea4631d8c4f321ddb48d70416f4929eb9a85
     2528114d3a560537c7
   G.scalar_mult_vfy(s,X) (only X-coordinate):
   (length: 32 bytes)
     92b0eb1fe6a988797a85e6de8ec5de7ec685c83164570d79f0d568b9
     18bfe771

B.5.9.  Invalid inputs for scalar_mult_vfy

   For these test cases scalar_mult_vfy(y,.) MUST return the
   representation of the neutral element G.I.  When Y_i1 or Y_i2 is
   included in MSGa or MSGb the protocol MUST abort.
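The byte strings listed in B.5.1 (generator_string), B.5.2/B.5.3 (MSGa and MSGb) and B.5.5/B.5.6 (the two ISK hash inputs) are pure encoding work, which is where interoperability bugs usually hide. The following Python is an added example, not code from the draft or from its reference implementation; it rebuilds those strings from the B.5 inputs and hashes them. The length prefix (one byte below 128, 7-bit continuation bytes above, low group first), the oCAT ordering (lexicographically larger message first) and the ZPAD length (DSI, PRS and ZPAD together fill the hash's first input block) are taken from what the vectors on this page show; that H.hash for the P-256 suite is plain SHA-256 is an assumption of this example. hash_to_curve for the generator point itself is not implemented here.

```python
import hashlib


def prepend_len(data: bytes) -> bytes:
    """Prefix `data` with its length: 7 bits per byte, low group first,
    high bit set on every byte but the last (e.g. 133 -> 0x85 0x01)."""
    n, enc = len(data), bytearray()
    while n >= 128:
        enc.append((n & 0x7F) | 0x80)
        n >>= 7
    enc.append(n)
    return bytes(enc) + data


def prefix_free_cat(*parts: bytes) -> bytes:
    """Concatenation of length-prefixed parts, so no two inputs collide."""
    return b"".join(prepend_len(p) for p in parts)


def o_cat(m1: bytes, m2: bytes) -> bytes:
    """Ordered concatenation (oCAT): the lexicographically larger message
    first, so both sides of a parallel run hash the same transcript."""
    return m1 + m2 if m1 > m2 else m2 + m1


def zpad_len(prs: bytes, dsi: bytes, s_in_bytes: int) -> int:
    """Zero padding so prepend_len(DSI)||prepend_len(PRS)||prepend_len(ZPAD)
    fills the first hash input block exactly (the -1 is ZPAD's own length
    byte); B.5.1 lists 23 for P-256/SHA-256 (64-byte blocks)."""
    return max(0, s_in_bytes - len(prepend_len(prs)) - len(prepend_len(dsi)) - 1)


def generator_string(prs, dsi, ci, sid, s_in_bytes) -> bytes:
    zpad = b"\x00" * zpad_len(prs, dsi, s_in_bytes)
    return prefix_free_cat(dsi, prs, zpad, ci, sid)


def encode_msg(y: bytes, ad: bytes) -> bytes:
    """MSGa / MSGb = prepend_len(Y) || prepend_len(AD)."""
    return prepend_len(y) + prepend_len(ad)


def isk_inputs(dsi_isk, sid, k, msga, msgb):
    """Hash inputs for the initiator/responder and the parallel setting;
    ISK is H.hash of each (assumed: plain SHA-256 for the P-256 suite)."""
    head = prefix_free_cat(dsi_isk, sid, k)
    return head + msga + msgb, head + o_cat(msga, msgb)


# Inputs and expected ISKs copied from Appendix B.5 (P-256, H = SHA-256).
PRS, CI = b"Password", b"\nAinitiator\nBresponder"
DSI = b"CPaceP256_XMD:SHA-256_SSWU_NU_"
DSI_ISK = DSI + b"_ISK"
SID = bytes.fromhex("34b36454cab2e7842c389f7d88ecb7df")
YA = bytes.fromhex("0478ac925a6e3447a537627a2163be005a422f55c08385c1ef7d051c"
                   "a94593df5946314120faa87165cba131c1da3aac429dc3d99a9bac7d"
                   "4c4cbb8570b4d5ea10")
YB = bytes.fromhex("04df13ffa89b0ce3cc553b1495ff027886564d94b8d9165cd50e5f65"
                   "4247959951bfac90839fca218bf8e2d1258eb7d7d9f733fe4cd558e6"
                   "fa57bf1f801aae7d3a")
K = bytes.fromhex("27f7059d88f02007dc18c911c9b4034d3c0f13f8f7ed9603b0927f23fbab1037")
ISK_IR = bytes.fromhex("ddc1b133c387ecf344c0b496bc1223656cd6e7d99a5def8b3b02679650811fc9")
ISK_SY = bytes.fromhex("6ea775b0fb3c31502687565a52150fc595c63fe901a11d5fc1995cd5089a17ae")


def p256_vectors() -> dict:
    """Recompute every B.5 byte string that depends only on encoding and
    hashing (generator_string, MSGa, MSGb, both ISK inputs, both ISKs)."""
    msga, msgb = encode_msg(YA, b"ADa"), encode_msg(YB, b"ADb")
    in_ir, in_sy = isk_inputs(DSI_ISK, SID, K, msga, msgb)
    return {
        "zpad_len": zpad_len(PRS, DSI, 64),
        "generator_string": generator_string(PRS, DSI, CI, SID, 64),
        "msga": msga, "msgb": msgb, "in_ir": in_ir, "in_sy": in_sy,
        "isk_ir": hashlib.sha256(in_ir).digest(),
        "isk_sy": hashlib.sha256(in_sy).digest(),
    }


def isk_matches_draft() -> tuple:
    """(ISK_IR matches B.5.5, ISK_SY matches B.5.6)."""
    v = p256_vectors()
    return v["isk_ir"] == ISK_IR, v["isk_sy"] == ISK_SY


if __name__ == "__main__":
    for name, val in p256_vectors().items():
        print(name, val.hex() if isinstance(val, bytes) else val)
    print("ISK matches draft:", isk_matches_draft())
```

Note that both ISK inputs share the same prefix_free_cat(DSI_ISK, sid, K) head; only the transcript part differs, which is why the B.5.5 and B.5.6 hex strings agree for the first 85 bytes. The unordered form is only safe when the roles are fixed (initiator always sends first); oCAT makes the parallel form independent of who sent first.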
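The abort rule stated for B.5.9 is the check that keeps a peer from forcing the shared point into a tiny subgroup or an off-curve value. The following Python is an added example, not the draft's reference code: a minimal affine P-256 that reproduces scalar_mult_vfy on the B.5.4 secret points, the B.5.8 valid pair and the two B.5.9 invalid inputs (Y_i1 is the B.5.8 point with its last byte altered, so it fails the curve equation; Y_i2 is the single 0x00 byte, the SEC1 encoding of the point at infinity). Representing the neutral element G.I as Python None and treating 0x00 as its encoding are this example's own conventions; the curve constants are the standard P-256 parameters.

```python
# P-256 domain parameters (FIPS 186-4 / SEC 2).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
INF = None  # this example's stand-in for the neutral element G.I (assumed)


def _add(p1, p2):
    """Affine addition; also covers doubling and p1 + (-p1) = INF."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k: int, pt):
    """Double-and-add; variable time, fine for checking vectors only."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = _add(acc, addend)
        addend = _add(addend, addend)
        k >>= 1
    return acc


def decode(enc: bytes):
    """SEC1 uncompressed decoding with an on-curve check; 0x00 is INF."""
    if enc == b"\x00":
        return INF
    if len(enc) != 65 or enc[0] != 0x04:
        raise ValueError("bad point encoding")
    x, y = int.from_bytes(enc[1:33], "big"), int.from_bytes(enc[33:], "big")
    if x >= P or y >= P or (y * y - (x * x * x + A * x + B)) % P:
        raise ValueError("point not on curve")
    return x, y


def scalar_mult(s: bytes, enc: bytes) -> bytes:
    """G.scalar_mult: s*X with full uncompressed output (as in B.5.8)."""
    r = _mul(int.from_bytes(s, "big"), decode(enc))
    if r is INF:
        return b"\x00"
    return b"\x04" + r[0].to_bytes(32, "big") + r[1].to_bytes(32, "big")


def scalar_mult_vfy(s: bytes, enc: bytes):
    """G.scalar_mult_vfy: x-coordinate of s*X, or INF when X does not
    decode, is neutral, or the product is neutral."""
    try:
        pt = decode(enc)
    except ValueError:
        return INF
    if pt is INF:
        return INF
    r = _mul(int.from_bytes(s, "big"), pt)
    return INF if r is INF else r[0].to_bytes(32, "big")


def shared_secret_or_abort(y: bytes, peer_point: bytes) -> bytes:
    """Protocol rule from B.5.9: a neutral result means the run MUST abort."""
    k = scalar_mult_vfy(y, peer_point)
    if k is INF:
        raise RuntimeError("CPace abort: invalid or neutral peer point")
    return k


# Vectors copied from B.5.2-B.5.4, B.5.8 and B.5.9 (scalars big endian).
YA_SCALAR = bytes.fromhex("c9e47ca5debd2285727af47e55f5b7763fa79719da428f800190cc6659b4eafb")
YB_SCALAR = bytes.fromhex("a0b768ba7555621d133012d1dee27a0013c1bcfddd675811df12771e44d77b10")
YA = bytes.fromhex("0478ac925a6e3447a537627a2163be005a422f55c08385c1ef7d051c"
                   "a94593df5946314120faa87165cba131c1da3aac429dc3d99a9bac7d"
                   "4c4cbb8570b4d5ea10")
YB = bytes.fromhex("04df13ffa89b0ce3cc553b1495ff027886564d94b8d9165cd50e5f65"
                   "4247959951bfac90839fca218bf8e2d1258eb7d7d9f733fe4cd558e6"
                   "fa57bf1f801aae7d3a")
K = bytes.fromhex("27f7059d88f02007dc18c911c9b4034d3c0f13f8f7ed9603b0927f23fbab1037")
S = bytes.fromhex("f012501c091ff9b99a123fffe571d8bc01e8077ee581362e1bd213990835643b")
X = bytes.fromhex("0476ab88669dc640ca098b3d19ed87084d22d7e7c86b3b87451554d6"
                  "93a7d98fb6bf0a6938fe0cec7be7563499ba3792909c8b9f4c936ef5"
                  "2828b78a8d6254f49c")
SX_FULL = bytes.fromhex("0492b0eb1fe6a988797a85e6de8ec5de7ec685c83164570d79f0d568"
                        "b918bfe7718b049dac20ea4631d8c4f321ddb48d70416f4929eb9a85"
                        "2528114d3a560537c7")
Y_I1 = X[:-1] + b"\xf3"  # the B.5.9 Y_i1: X with its last byte changed, off-curve
Y_I2 = b"\x00"           # the B.5.9 Y_i2: encoding of the neutral element


def check_vectors() -> dict:
    """Every entry is True when the arithmetic reproduces the draft."""
    return {
        "K_from_a": scalar_mult_vfy(YA_SCALAR, YB) == K,
        "K_from_b": scalar_mult_vfy(YB_SCALAR, YA) == K,
        "B.5.8_full": scalar_mult(S, X) == SX_FULL,
        "B.5.8_x": scalar_mult_vfy(S, X) == SX_FULL[1:33],
        "B.5.9_Y_i1": scalar_mult_vfy(S, Y_I1) is INF,
        "B.5.9_Y_i2": scalar_mult_vfy(S, Y_I2) is INF,
    }


if __name__ == "__main__":
    for name, ok in check_vectors().items():
        print(f"{name}: {'ok' if ok else 'MISMATCH'}")
```

On a prime-order curve such as P-256 the only degenerate cases are an off-curve encoding and the neutral element itself, so the on-curve check in decode plus the neutral test after multiplication is the whole of scalar_mult_vfy; on Decaf448 (B.4.9) the same contract is met by the group's canonical decoding rejecting non-canonical and identity encodings.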
   s: (length: 32 bytes)
     f012501c091ff9b99a123fffe571d8bc01e8077ee581362e1bd21399
     0835643b
   Y_i1: (length: 65 bytes)
     0476ab88669dc640ca098b3d19ed87084d22d7e7c86b3b87451554d6
     93a7d98fb6bf0a6938fe0cec7be7563499ba3792909c8b9f4c936ef5
     2828b78a8d6254f4f3
   Y_i2: (length: 1 byte)
     00
   G.scalar_mult_vfy(s,Y_i1) = G.scalar_mult_vfy(s,Y_i2) = G.I

B.6.  Test vector for CPace using group NIST P-384 and hash SHA-384

B.6.1.  Test vectors for calculate_generator with group NIST P-384

   Inputs
   H = SHA-384 with input block size 128 bytes.
   PRS = b'Password' ; ZPAD length: 87 ;
   DSI = b'CPaceP384_XMD:SHA-384_SSWU_NU_'
   CI = b'\nAinitiator\nBresponder'
   CI = 0a41696e69746961746f720a42726573706f6e646572
   sid = 5b3773aa90e8f23c61563a4b645b276c
   Outputs
   generator_string(PRS,G.DSI,CI,sid,H.s_in_bytes):
   (length: 168 bytes)
     1e4350616365503338345f584d443a5348412d3338345f535357555f
     4e555f0850617373776f726457000000000000000000000000000000
     00000000000000000000000000000000000000000000000000000000
     00000000000000000000000000000000000000000000000000000000
     00000000000000000000000000000000160a41696e69746961746f72
     0a42726573706f6e646572105b3773aa90e8f23c61563a4b645b276c
   generator g: (length: 97 bytes)
     04bb6f046a601d0a0b134c6221e20e83c3f9ac0390be56c5a95b68eb
     f41c82ade6f4977ea21341239d194c38dabd1a7eb5887d9fed2550a1
     d5e6789327f2a039cd9c41239b240f775f5f2bef8744561b3a7e98f3
     2234cb1b318f66616de777aeef

B.6.2.  Test vector for MSGa

   Inputs
   ADa = b'ADa'
   ya (big endian): (length: 48 bytes)
     ef433dd5ad142c860e7cb6400dd315d388d5ec5420c550e9d6f0907f
     375d988bc4d704837e43561c497e7dd93edcdb9d
   Outputs
   Ya: (length: 97 bytes)
     047214fc512921b3fa0b555b41d841c9c20227fa1ab0dda5bfc051f6
     de9be7983e6df11d4e8da738b739adfbd85d8f5e80b2b4bbc66f3dff
     c02136ee19773d05f9c0242c0dd51857763de98a2fdfec73a4b1010c
     bc419c7b23b50adedbb3ff6644
   Alternative correct value for Ya: g^(-ya):
   (length: 97 bytes)
     047214fc512921b3fa0b555b41d841c9c20227fa1ab0dda5bfc051f6
     de9be7983e6df11d4e8da738b739adfbd85d8f5e804d4b443990c200
     3fdec911e688c2fa063fdbd3f22ae7a889c21675d020138c5a4efef3
     42be6384dc4af521254c0099bb
   MSGa: (length: 102 bytes)
     61047214fc512921b3fa0b555b41d841c9c20227fa1ab0dda5bfc051
     f6de9be7983e6df11d4e8da738b739adfbd85d8f5e80b2b4bbc66f3d
     ffc02136ee19773d05f9c0242c0dd51857763de98a2fdfec73a4b101
     0cbc419c7b23b50adedbb3ff664403414461

B.6.3.  Test vector for MSGb

   Inputs
   ADb = b'ADb'
   yb (big endian): (length: 48 bytes)
     50b0e36b95a2edfaa8342b843dddc90b175330f2399c1b36586dedda
     3c255975f30be6a750f9404fccc62a6323b5e471
   Outputs
   Yb: (length: 97 bytes)
     04e34cbd45b13ad11552ea7100b19899fa52662e268f2086e21262f7
     46efcb18e4b51ecfaf2e8ebab82addb6245f9bb1ff8138317c8045c4
     d2550e1566832b94acb91b670c4c4c00e59f5c15c74d4260e490caca
     aa860c11b8f369b72d5871bd94
   Alternative correct value for Yb: g^(-yb):
   (length: 97 bytes)
     04e34cbd45b13ad11552ea7100b19899fa52662e268f2086e21262f7
     46efcb18e4b51ecfaf2e8ebab82addb6245f9bb1ff7ec7ce837fba3b
     2daaf1ea997cd46b5346e498f3b3b3ff1a60a3ea38b2bd9f1a6f3535
     5479f3ee470c9648d3a78e426b
   MSGb: (length: 102 bytes)
     6104e34cbd45b13ad11552ea7100b19899fa52662e268f2086e21262
     f746efcb18e4b51ecfaf2e8ebab82addb6245f9bb1ff8138317c8045
     c4d2550e1566832b94acb91b670c4c4c00e59f5c15c74d4260e490ca
     caaa860c11b8f369b72d5871bd9403414462

B.6.4.  Test vector for secret points K

   scalar_mult_vfy(ya,Yb): (length: 48 bytes)
     e5ef578c410effb4ec114998a59fa5832f6101be479f1a97b021f224
     e378c3fb1f77f87a92e39fb415edf5458b3815bf
   scalar_mult_vfy(yb,Ya): (length: 48 bytes)
     e5ef578c410effb4ec114998a59fa5832f6101be479f1a97b021f224
     e378c3fb1f77f87a92e39fb415edf5458b3815bf

B.6.5.  Test vector for ISK calculation initiator/responder

   unordered cat of transcript : (length: 204 bytes)
     61047214fc512921b3fa0b555b41d841c9c20227fa1ab0dda5bfc051
     f6de9be7983e6df11d4e8da738b739adfbd85d8f5e80b2b4bbc66f3d
     ffc02136ee19773d05f9c0242c0dd51857763de98a2fdfec73a4b101
     0cbc419c7b23b50adedbb3ff6644034144616104e34cbd45b13ad115
     52ea7100b19899fa52662e268f2086e21262f746efcb18e4b51ecfaf
     2e8ebab82addb6245f9bb1ff8138317c8045c4d2550e1566832b94ac
     b91b670c4c4c00e59f5c15c74d4260e490cacaaa860c11b8f369b72d
     5871bd9403414462
   DSI = G.DSI_ISK, b'CPaceP384_XMD:SHA-384_SSWU_NU__ISK':
   (length: 34 bytes)
     4350616365503338345f584d443a5348412d3338345f535357555f4e
     555f5f49534b
   prefix_free_cat(DSI,sid,K)||MSGa||MSGb: (length: 305 bytes)
     224350616365503338345f584d443a5348412d3338345f535357555f
     4e555f5f49534b105b3773aa90e8f23c61563a4b645b276c30e5ef57
     8c410effb4ec114998a59fa5832f6101be479f1a97b021f224e378c3
     fb1f77f87a92e39fb415edf5458b3815bf61047214fc512921b3fa0b
     555b41d841c9c20227fa1ab0dda5bfc051f6de9be7983e6df11d4e8d
     a738b739adfbd85d8f5e80b2b4bbc66f3dffc02136ee19773d05f9c0
     242c0dd51857763de98a2fdfec73a4b1010cbc419c7b23b50adedbb3
     ff6644034144616104e34cbd45b13ad11552ea7100b19899fa52662e
     268f2086e21262f746efcb18e4b51ecfaf2e8ebab82addb6245f9bb1
     ff8138317c8045c4d2550e1566832b94acb91b670c4c4c00e59f5c15
     c74d4260e490cacaaa860c11b8f369b72d5871bd9403414462
   ISK result: (length: 48 bytes)
     401601de4a9f25bd57fc85985c9abf1de75191d68306b584547e6ac9
     e959cf2df49a9bf2205c3617ce99a169971bdbf8

B.6.6.  Test vector for ISK calculation parallel execution

   ordered cat of transcript : (length: 204 bytes)
     6104e34cbd45b13ad11552ea7100b19899fa52662e268f2086e21262
     f746efcb18e4b51ecfaf2e8ebab82addb6245f9bb1ff8138317c8045
     c4d2550e1566832b94acb91b670c4c4c00e59f5c15c74d4260e490ca
     caaa860c11b8f369b72d5871bd940341446261047214fc512921b3fa
     0b555b41d841c9c20227fa1ab0dda5bfc051f6de9be7983e6df11d4e
     8da738b739adfbd85d8f5e80b2b4bbc66f3dffc02136ee19773d05f9
     c0242c0dd51857763de98a2fdfec73a4b1010cbc419c7b23b50adedb
     b3ff664403414461
   DSI = G.DSI_ISK, b'CPaceP384_XMD:SHA-384_SSWU_NU__ISK':
   (length: 34 bytes)
     4350616365503338345f584d443a5348412d3338345f535357555f4e
     555f5f49534b
   prefix_free_cat(DSI,sid,K)||oCAT(MSGa,MSGb):
   (length: 305 bytes)
     224350616365503338345f584d443a5348412d3338345f535357555f
     4e555f5f49534b105b3773aa90e8f23c61563a4b645b276c30e5ef57
     8c410effb4ec114998a59fa5832f6101be479f1a97b021f224e378c3
     fb1f77f87a92e39fb415edf5458b3815bf6104e34cbd45b13ad11552
     ea7100b19899fa52662e268f2086e21262f746efcb18e4b51ecfaf2e
     8ebab82addb6245f9bb1ff8138317c8045c4d2550e1566832b94acb9
     1b670c4c4c00e59f5c15c74d4260e490cacaaa860c11b8f369b72d58
     71bd940341446261047214fc512921b3fa0b555b41d841c9c20227fa
     1ab0dda5bfc051f6de9be7983e6df11d4e8da738b739adfbd85d8f5e
     80b2b4bbc66f3dffc02136ee19773d05f9c0242c0dd51857763de98a
     2fdfec73a4b1010cbc419c7b23b50adedbb3ff664403414461
   ISK result: (length: 48 bytes)
     1eb17f7f7126a07acd510e9d60c84f63dc0113ac34f8d359e8f692a9
     06f828bde926d9ff65202c9801e9884aa05a43b6

B.6.7.  Corresponding ANSI-C initializers

   const uint8_t tc_PRS[] = {
     0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64,
   };
   const uint8_t tc_CI[] = {
     0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a,
     0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72,
   };
   const uint8_t tc_sid[] = {
     0x5b,0x37,0x73,0xaa,0x90,0xe8,0xf2,0x3c,0x61,0x56,0x3a,0x4b,
     0x64,0x5b,0x27,0x6c,
   };
   const uint8_t tc_g[] = {
     0x04,0xbb,0x6f,0x04,0x6a,0x60,0x1d,0x0a,0x0b,0x13,0x4c,0x62,
     0x21,0xe2,0x0e,0x83,0xc3,0xf9,0xac,0x03,0x90,0xbe,0x56,0xc5,
     0xa9,0x5b,0x68,0xeb,0xf4,0x1c,0x82,0xad,0xe6,0xf4,0x97,0x7e,
     0xa2,0x13,0x41,0x23,0x9d,0x19,0x4c,0x38,0xda,0xbd,0x1a,0x7e,
     0xb5,0x88,0x7d,0x9f,0xed,0x25,0x50,0xa1,0xd5,0xe6,0x78,0x93,
     0x27,0xf2,0xa0,0x39,0xcd,0x9c,0x41,0x23,0x9b,0x24,0x0f,0x77,
     0x5f,0x5f,0x2b,0xef,0x87,0x44,0x56,0x1b,0x3a,0x7e,0x98,0xf3,
     0x22,0x34,0xcb,0x1b,0x31,0x8f,0x66,0x61,0x6d,0xe7,0x77,0xae,
     0xef,
   };
   const uint8_t tc_ya[] = {
     0xef,0x43,0x3d,0xd5,0xad,0x14,0x2c,0x86,0x0e,0x7c,0xb6,0x40,
     0x0d,0xd3,0x15,0xd3,0x88,0xd5,0xec,0x54,0x20,0xc5,0x50,0xe9,
     0xd6,0xf0,0x90,0x7f,0x37,0x5d,0x98,0x8b,0xc4,0xd7,0x04,0x83,
     0x7e,0x43,0x56,0x1c,0x49,0x7e,0x7d,0xd9,0x3e,0xdc,0xdb,0x9d,
   };
   const uint8_t tc_ADa[] = {
     0x41,0x44,0x61,
   };
   const uint8_t tc_Ya[] = {
     0x04,0x72,0x14,0xfc,0x51,0x29,0x21,0xb3,0xfa,0x0b,0x55,0x5b,
     0x41,0xd8,0x41,0xc9,0xc2,0x02,0x27,0xfa,0x1a,0xb0,0xdd,0xa5,
     0xbf,0xc0,0x51,0xf6,0xde,0x9b,0xe7,0x98,0x3e,0x6d,0xf1,0x1d,
     0x4e,0x8d,0xa7,0x38,0xb7,0x39,0xad,0xfb,0xd8,0x5d,0x8f,0x5e,
     0x80,0xb2,0xb4,0xbb,0xc6,0x6f,0x3d,0xff,0xc0,0x21,0x36,0xee,
     0x19,0x77,0x3d,0x05,0xf9,0xc0,0x24,0x2c,0x0d,0xd5,0x18,0x57,
     0x76,0x3d,0xe9,0x8a,0x2f,0xdf,0xec,0x73,0xa4,0xb1,0x01,0x0c,
     0xbc,0x41,0x9c,0x7b,0x23,0xb5,0x0a,0xde,0xdb,0xb3,0xff,0x66,
     0x44,
   };
   const uint8_t tc_yb[] = {
     0x50,0xb0,0xe3,0x6b,0x95,0xa2,0xed,0xfa,0xa8,0x34,0x2b,0x84,
     0x3d,0xdd,0xc9,0x0b,0x17,0x53,0x30,0xf2,0x39,0x9c,0x1b,0x36,
     0x58,0x6d,0xed,0xda,0x3c,0x25,0x59,0x75,0xf3,0x0b,0xe6,0xa7,
     0x50,0xf9,0x40,0x4f,0xcc,0xc6,0x2a,0x63,0x23,0xb5,0xe4,0x71,
   };
   const uint8_t tc_ADb[] = {
     0x41,0x44,0x62,
   };
   const uint8_t tc_Yb[] = {
     0x04,0xe3,0x4c,0xbd,0x45,0xb1,0x3a,0xd1,0x15,0x52,0xea,0x71,
     0x00,0xb1,0x98,0x99,0xfa,0x52,0x66,0x2e,0x26,0x8f,0x20,0x86,
     0xe2,0x12,0x62,0xf7,0x46,0xef,0xcb,0x18,0xe4,0xb5,0x1e,0xcf,
     0xaf,0x2e,0x8e,0xba,0xb8,0x2a,0xdd,0xb6,0x24,0x5f,0x9b,0xb1,
     0xff,0x81,0x38,0x31,0x7c,0x80,0x45,0xc4,0xd2,0x55,0x0e,0x15,
     0x66,0x83,0x2b,0x94,0xac,0xb9,0x1b,0x67,0x0c,0x4c,0x4c,0x00,
     0xe5,0x9f,0x5c,0x15,0xc7,0x4d,0x42,0x60,0xe4,0x90,0xca,0xca,
     0xaa,0x86,0x0c,0x11,0xb8,0xf3,0x69,0xb7,0x2d,0x58,0x71,0xbd,
     0x94,
   };
   const uint8_t tc_K[] = {
     0xe5,0xef,0x57,0x8c,0x41,0x0e,0xff,0xb4,0xec,0x11,0x49,0x98,
     0xa5,0x9f,0xa5,0x83,0x2f,0x61,0x01,0xbe,0x47,0x9f,0x1a,0x97,
     0xb0,0x21,0xf2,0x24,0xe3,0x78,0xc3,0xfb,0x1f,0x77,0xf8,0x7a,
     0x92,0xe3,0x9f,0xb4,0x15,0xed,0xf5,0x45,0x8b,0x38,0x15,0xbf,
   };
   const uint8_t tc_ISK_IR[] = {
     0x40,0x16,0x01,0xde,0x4a,0x9f,0x25,0xbd,0x57,0xfc,0x85,0x98,
     0x5c,0x9a,0xbf,0x1d,0xe7,0x51,0x91,0xd6,0x83,0x06,0xb5,0x84,
     0x54,0x7e,0x6a,0xc9,0xe9,0x59,0xcf,0x2d,0xf4,0x9a,0x9b,0xf2,
     0x20,0x5c,0x36,0x17,0xce,0x99,0xa1,0x69,0x97,0x1b,0xdb,0xf8,
   };
   const uint8_t tc_ISK_SY[] = {
     0x1e,0xb1,0x7f,0x7f,0x71,0x26,0xa0,0x7a,0xcd,0x51,0x0e,0x9d,
     0x60,0xc8,0x4f,0x63,0xdc,0x01,0x13,0xac,0x34,0xf8,0xd3,0x59,
     0xe8,0xf6,0x92,0xa9,0x06,0xf8,0x28,0xbd,0xe9,0x26,0xd9,0xff,
     0x65,0x20,0x2c,0x98,0x01,0xe9,0x88,0x4a,0xa0,0x5a,0x43,0xb6,
   };

B.6.8.  Test case for scalar_mult_vfy with correct inputs

   s: (length: 48 bytes)
     6e8a99a5cdd408eae98e1b8aed286e7b12adbbdac7f2c628d9060ce9
     2ae0d90bd57a564fd3500fbcce3425dc94ba0ade
   X: (length: 97 bytes)
     04a32d8d8e1057d37b090d92f46d0bac1874e6cd7c13774774385c30
     39fa8fa3539884b436e49743d2d6279f5bd69dda5fe79fc6ecfb8547
     bf32d8c64ac51f177a70041a1300944f255eea38ca7e964c9d02c5e7
     e28d744e7cdc0bd80437363999
   G.scalar_mult(s,X) (full coordinates): (length: 97 bytes)
     045eb8202664ec20fed23ed6005c7be398174946a0f6a8a2e5fd2fed
     9ca159f22652899f820a2d472f926f57de30035a9d11e8006fb66e79
     f3db5d58bd5688954c7284d1e4a616a935dfb761955be13d29de5745
     074a863140dcc9a5c0056ced3b
   G.scalar_mult_vfy(s,X) (only X-coordinate):
   (length: 48 bytes)
     5eb8202664ec20fed23ed6005c7be398174946a0f6a8a2e5fd2fed9c
     a159f22652899f820a2d472f926f57de30035a9d

B.6.9.  Invalid inputs for scalar_mult_vfy

   For these test cases scalar_mult_vfy(y,.) MUST return the
   representation of the neutral element G.I.  When Y_i1 or Y_i2 is
   included in MSGa or MSGb the protocol MUST abort.

   s: (length: 48 bytes)
     6e8a99a5cdd408eae98e1b8aed286e7b12adbbdac7f2c628d9060ce9
     2ae0d90bd57a564fd3500fbcce3425dc94ba0ade
   Y_i1: (length: 97 bytes)
     04a32d8d8e1057d37b090d92f46d0bac1874e6cd7c13774774385c30
     39fa8fa3539884b436e49743d2d6279f5bd69dda5fe79fc6ecfb8547
     bf32d8c64ac51f177a70041a1300944f255eea38ca7e964c9d02c5e7
     e28d744e7cdc0bd80437363938
   Y_i2: (length: 1 byte)
     00
   G.scalar_mult_vfy(s,Y_i1) = G.scalar_mult_vfy(s,Y_i2) = G.I

B.7.  Test vector for CPace using group NIST P-521 and hash SHA-512

B.7.1.  Test vectors for calculate_generator with group NIST P-521

   Inputs
   H = SHA-512 with input block size 128 bytes.
   PRS = b'Password' ; ZPAD length: 87 ;
   DSI = b'CPaceP521_XMD:SHA-512_SSWU_NU_'
   CI = b'\nAinitiator\nBresponder'
   CI = 0a41696e69746961746f720a42726573706f6e646572
   sid = 7e4b4791d6a8ef019b936c79fb7f2c57
   Outputs
   generator_string(PRS,G.DSI,CI,sid,H.s_in_bytes):
   (length: 168 bytes)
     1e4350616365503532315f584d443a5348412d3531325f535357555f
     4e555f0850617373776f726457000000000000000000000000000000
     00000000000000000000000000000000000000000000000000000000
     00000000000000000000000000000000000000000000000000000000
     00000000000000000000000000000000160a41696e69746961746f72
     0a42726573706f6e646572107e4b4791d6a8ef019b936c79fb7f2c57
   generator g: (length: 133 bytes)
     0400523c2be75a6fdb50e33d917597f182810ea6afe04b7297fccdfc
     f8c1c9f0f1a0c794056c729c275a654d1f9f52cd3d1d0ecc8f2f6a1b
     ab958d36cc539c558496a901bbe4fd573f2a6e6cc0c9afee3ee25c4b
     6f0474dd012eff5af0cbf55c4ec3c0ab4f1187353f815eb2a01ebc52
     d076d45a77a9b86d14fb21066df1d09f10b0a97546

B.7.2.  Test vector for MSGa

   Inputs
   ADa = b'ADa'
   ya (big endian): (length: 66 bytes)
     016fac7bb757452e7b788d68a1510eda90113c65db1213fa08927d50
     bcf2635fd66ca254e82927071001353e265082fd609af47ad06fab42
     0c2295df4056ee9ff997
   Outputs
   Ya: (length: 133 bytes)
     0400484dcee6d54cb356830cd764079360a03b06a7db1a82188e09c9
     2e02d7e78a1e3710da9554db11697d242893e2114d6cbee89f5999b7
     e545d9fdf59f4c9acd408901ad73e01ec22ae6ecc122cf257e81826e
     348cd410ddb9245c61889fe97b2bbb98b2038eb2ed23e989ec7013a6
     10fb2f3b4fb958cc860dd10c98745b9d89e37f2bf9
   Alternative correct value for Ya: g^(-ya):
   (length: 133 bytes)
     0400484dcee6d54cb356830cd764079360a03b06a7db1a82188e09c9
     2e02d7e78a1e3710da9554db11697d242893e2114d6cbee89f5999b7
     e545d9fdf59f4c9acd408900528c1fe13dd519133edd30da817e7d91
     cb732bef2246dba39e77601684d444674dfc714d12dc1676138fec59
     ef04d0c4b046a73379f22ef3678ba462761c80d406
   MSGa: (length: 139 bytes)
     85010400484dcee6d54cb356830cd764079360a03b06a7db1a82188e
     09c92e02d7e78a1e3710da9554db11697d242893e2114d6cbee89f59
     99b7e545d9fdf59f4c9acd408901ad73e01ec22ae6ecc122cf257e81
     826e348cd410ddb9245c61889fe97b2bbb98b2038eb2ed23e989ec70
     13a610fb2f3b4fb958cc860dd10c98745b9d89e37f2bf903414461

B.7.3.  Test vector for MSGb

   Inputs
   ADb = b'ADb'
   yb (big endian): (length: 66 bytes)
     011a946e2d0f48dc440ae3f4fd9126198237042fd1d41d037068c284
     6d43ec130cbc55ef1208496be068f8682bcaf6156e51598e27c1fb24
     d77b43957bbc129bab80
   Outputs
   Yb: (length: 133 bytes)
     0401edf767bd7d9e67ff137b8f3210c55e9192e9ac8a10f32a2f0eef
     9ce34524a543e0d4eb9b3328ca114b02ab23b291f61b5bc814639a9e
     caff07e870733131747637004c2df1bec8abe6b252e7fe91bdb6f724
     2e65c36e7b960646c89aaf0262a4803ee4c90d1b58775a409a135bd1
     8fedbf4ba0eae172b4fe8a0fada83d699e44f2f861
   Alternative correct value for Yb: g^(-yb):
   (length: 133 bytes)
     0401edf767bd7d9e67ff137b8f3210c55e9192e9ac8a10f32a2f0eef
     9ce34524a543e0d4eb9b3328ca114b02ab23b291f61b5bc814639a9e
     caff07e87073313174763701b3d20e413754194dad18016e424908db
     d19a3c918469f9b9376550fd9d5b7fc11b36f2e4a788a5bf65eca42e
     701240b45f151e8d4b0175f05257c29661bb0d079e
   MSGb: (length: 139 bytes)
     85010401edf767bd7d9e67ff137b8f3210c55e9192e9ac8a10f32a2f
     0eef9ce34524a543e0d4eb9b3328ca114b02ab23b291f61b5bc81463
     9a9ecaff07e870733131747637004c2df1bec8abe6b252e7fe91bdb6
     f7242e65c36e7b960646c89aaf0262a4803ee4c90d1b58775a409a13
     5bd18fedbf4ba0eae172b4fe8a0fada83d699e44f2f86103414462

B.7.4.  Test vector for secret points K

   scalar_mult_vfy(ya,Yb): (length: 66 bytes)
     0070a7460122c65d86bf9dd012ab45fc94be362619d1a1f0e75f1433
     3ed8b873b5724616b88dadaaba5f28bb783aeb01f60df5fdb8c0a237
     45900f462f405debfd51
   scalar_mult_vfy(yb,Ya): (length: 66 bytes)
     0070a7460122c65d86bf9dd012ab45fc94be362619d1a1f0e75f1433
     3ed8b873b5724616b88dadaaba5f28bb783aeb01f60df5fdb8c0a237
     45900f462f405debfd51

B.7.5.  Test vector for ISK calculation initiator/responder

   unordered cat of transcript : (length: 278 bytes)
     85010400484dcee6d54cb356830cd764079360a03b06a7db1a82188e
     09c92e02d7e78a1e3710da9554db11697d242893e2114d6cbee89f59
     99b7e545d9fdf59f4c9acd408901ad73e01ec22ae6ecc122cf257e81
     826e348cd410ddb9245c61889fe97b2bbb98b2038eb2ed23e989ec70
     13a610fb2f3b4fb958cc860dd10c98745b9d89e37f2bf90341446185
     010401edf767bd7d9e67ff137b8f3210c55e9192e9ac8a10f32a2f0e
     ef9ce34524a543e0d4eb9b3328ca114b02ab23b291f61b5bc814639a
     9ecaff07e870733131747637004c2df1bec8abe6b252e7fe91bdb6f7
     242e65c36e7b960646c89aaf0262a4803ee4c90d1b58775a409a135b
     d18fedbf4ba0eae172b4fe8a0fada83d699e44f2f86103414462
   DSI = G.DSI_ISK, b'CPaceP521_XMD:SHA-512_SSWU_NU__ISK':
   (length: 34 bytes)
     4350616365503532315f584d443a5348412d3531325f535357555f4e
     555f5f49534b
   prefix_free_cat(DSI,sid,K)||MSGa||MSGb: (length: 397 bytes)
     224350616365503532315f584d443a5348412d3531325f535357555f
     4e555f5f49534b107e4b4791d6a8ef019b936c79fb7f2c57420070a7
     460122c65d86bf9dd012ab45fc94be362619d1a1f0e75f14333ed8b8
     73b5724616b88dadaaba5f28bb783aeb01f60df5fdb8c0a23745900f
     462f405debfd5185010400484dcee6d54cb356830cd764079360a03b
     06a7db1a82188e09c92e02d7e78a1e3710da9554db11697d242893e2
     114d6cbee89f5999b7e545d9fdf59f4c9acd408901ad73e01ec22ae6
     ecc122cf257e81826e348cd410ddb9245c61889fe97b2bbb98b2038e
     b2ed23e989ec7013a610fb2f3b4fb958cc860dd10c98745b9d89e37f
     2bf90341446185010401edf767bd7d9e67ff137b8f3210c55e9192e9
     ac8a10f32a2f0eef9ce34524a543e0d4eb9b3328ca114b02ab23b291
     f61b5bc814639a9ecaff07e870733131747637004c2df1bec8abe6b2
     52e7fe91bdb6f7242e65c36e7b960646c89aaf0262a4803ee4c90d1b
     58775a409a135bd18fedbf4ba0eae172b4fe8a0fada83d699e44f2f8
     6103414462
   ISK result: (length: 64 bytes)
     2b2c534c352c446773bd334fac2f2c50ef8cd7991bd4e070f85b0367
     a2f7ffca445066cf20b756773687e1038b170896ec2677fe722acb0f
     9e6c2f11830e808a

B.7.6.  Test vector for ISK calculation parallel execution

   ordered cat of transcript : (length: 278 bytes)
     85010401edf767bd7d9e67ff137b8f3210c55e9192e9ac8a10f32a2f
     0eef9ce34524a543e0d4eb9b3328ca114b02ab23b291f61b5bc81463
     9a9ecaff07e870733131747637004c2df1bec8abe6b252e7fe91bdb6
     f7242e65c36e7b960646c89aaf0262a4803ee4c90d1b58775a409a13
     5bd18fedbf4ba0eae172b4fe8a0fada83d699e44f2f8610341446285
     010400484dcee6d54cb356830cd764079360a03b06a7db1a82188e09
     c92e02d7e78a1e3710da9554db11697d242893e2114d6cbee89f5999
     b7e545d9fdf59f4c9acd408901ad73e01ec22ae6ecc122cf257e8182
     6e348cd410ddb9245c61889fe97b2bbb98b2038eb2ed23e989ec7013
     a610fb2f3b4fb958cc860dd10c98745b9d89e37f2bf903414461
   DSI = G.DSI_ISK, b'CPaceP521_XMD:SHA-512_SSWU_NU__ISK':
   (length: 34 bytes)
     4350616365503532315f584d443a5348412d3531325f535357555f4e
     555f5f49534b
   prefix_free_cat(DSI,sid,K)||oCAT(MSGa,MSGb):
   (length: 397 bytes)
     224350616365503532315f584d443a5348412d3531325f535357555f
     4e555f5f49534b107e4b4791d6a8ef019b936c79fb7f2c57420070a7
     460122c65d86bf9dd012ab45fc94be362619d1a1f0e75f14333ed8b8
     73b5724616b88dadaaba5f28bb783aeb01f60df5fdb8c0a23745900f
     462f405debfd5185010401edf767bd7d9e67ff137b8f3210c55e9192
     e9ac8a10f32a2f0eef9ce34524a543e0d4eb9b3328ca114b02ab23b2
     91f61b5bc814639a9ecaff07e870733131747637004c2df1bec8abe6
     b252e7fe91bdb6f7242e65c36e7b960646c89aaf0262a4803ee4c90d
     1b58775a409a135bd18fedbf4ba0eae172b4fe8a0fada83d699e44f2
     f8610341446285010400484dcee6d54cb356830cd764079360a03b06
     a7db1a82188e09c92e02d7e78a1e3710da9554db11697d242893e211
     4d6cbee89f5999b7e545d9fdf59f4c9acd408901ad73e01ec22ae6ec
     c122cf257e81826e348cd410ddb9245c61889fe97b2bbb98b2038eb2
     ed23e989ec7013a610fb2f3b4fb958cc860dd10c98745b9d89e37f2b
     f903414461
   ISK result: (length: 64 bytes)
     78c4dd7136309a2bbe1fdef3cf24a08690006b0c9de253b770c147dd
     0800681c82e4e67a388ed1cd9182e595b8e9e3f2976a0e6dab48b2cd
     205b19489e20f571

B.7.7.  Corresponding ANSI-C initializers

   const uint8_t tc_PRS[] = {
     0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64,
   };
   const uint8_t tc_CI[] = {
     0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a,
     0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72,
   };
   const uint8_t tc_sid[] = {
     0x7e,0x4b,0x47,0x91,0xd6,0xa8,0xef,0x01,0x9b,0x93,0x6c,0x79,
     0xfb,0x7f,0x2c,0x57,
   };
   const uint8_t tc_g[] = {
     0x04,0x00,0x52,0x3c,0x2b,0xe7,0x5a,0x6f,0xdb,0x50,0xe3,0x3d,
     0x91,0x75,0x97,0xf1,0x82,0x81,0x0e,0xa6,0xaf,0xe0,0x4b,0x72,
     0x97,0xfc,0xcd,0xfc,0xf8,0xc1,0xc9,0xf0,0xf1,0xa0,0xc7,0x94,
     0x05,0x6c,0x72,0x9c,0x27,0x5a,0x65,0x4d,0x1f,0x9f,0x52,0xcd,
     0x3d,0x1d,0x0e,0xcc,0x8f,0x2f,0x6a,0x1b,0xab,0x95,0x8d,0x36,
     0xcc,0x53,0x9c,0x55,0x84,0x96,0xa9,0x01,0xbb,0xe4,0xfd,0x57,
     0x3f,0x2a,0x6e,0x6c,0xc0,0xc9,0xaf,0xee,0x3e,0xe2,0x5c,0x4b,
     0x6f,0x04,0x74,0xdd,0x01,0x2e,0xff,0x5a,0xf0,0xcb,0xf5,0x5c,
     0x4e,0xc3,0xc0,0xab,0x4f,0x11,0x87,0x35,0x3f,0x81,0x5e,0xb2,
     0xa0,0x1e,0xbc,0x52,0xd0,0x76,0xd4,0x5a,0x77,0xa9,0xb8,0x6d,
     0x14,0xfb,0x21,0x06,0x6d,0xf1,0xd0,0x9f,0x10,0xb0,0xa9,0x75,
     0x46,
   };
   const uint8_t tc_ya[] = {
     0x01,0x6f,0xac,0x7b,0xb7,0x57,0x45,0x2e,0x7b,0x78,0x8d,0x68,
     0xa1,0x51,0x0e,0xda,0x90,0x11,0x3c,0x65,0xdb,0x12,0x13,0xfa,
     0x08,0x92,0x7d,0x50,0xbc,0xf2,0x63,0x5f,0xd6,0x6c,0xa2,0x54,
     0xe8,0x29,0x27,0x07,0x10,0x01,0x35,0x3e,0x26,0x50,0x82,0xfd,
     0x60,0x9a,0xf4,0x7a,0xd0,0x6f,0xab,0x42,0x0c,0x22,0x95,0xdf,
     0x40,0x56,0xee,0x9f,0xf9,0x97,
   };
   const uint8_t tc_ADa[] = {
     0x41,0x44,0x61,
   };
   const uint8_t tc_Ya[] = {
     0x04,0x00,0x48,0x4d,0xce,0xe6,0xd5,0x4c,0xb3,0x56,0x83,0x0c,
     0xd7,0x64,0x07,0x93,0x60,0xa0,0x3b,0x06,0xa7,0xdb,0x1a,0x82,
     0x18,0x8e,0x09,0xc9,0x2e,0x02,0xd7,0xe7,0x8a,0x1e,0x37,0x10,
0xda,0x95,0x54,0xdb,0x11,0x69,0x7d,0x24,0x28,0x93,0xe2,0x11, 2985 0x4d,0x6c,0xbe,0xe8,0x9f,0x59,0x99,0xb7,0xe5,0x45,0xd9,0xfd, 2986 0xf5,0x9f,0x4c,0x9a,0xcd,0x40,0x89,0x01,0xad,0x73,0xe0,0x1e, 2987 0xc2,0x2a,0xe6,0xec,0xc1,0x22,0xcf,0x25,0x7e,0x81,0x82,0x6e, 2988 0x34,0x8c,0xd4,0x10,0xdd,0xb9,0x24,0x5c,0x61,0x88,0x9f,0xe9, 2989 0x7b,0x2b,0xbb,0x98,0xb2,0x03,0x8e,0xb2,0xed,0x23,0xe9,0x89, 2990 0xec,0x70,0x13,0xa6,0x10,0xfb,0x2f,0x3b,0x4f,0xb9,0x58,0xcc, 2991 0x86,0x0d,0xd1,0x0c,0x98,0x74,0x5b,0x9d,0x89,0xe3,0x7f,0x2b, 2992 0xf9, 2993 }; 2994 const uint8_t tc_yb[] = { 2995 0x01,0x1a,0x94,0x6e,0x2d,0x0f,0x48,0xdc,0x44,0x0a,0xe3,0xf4, 2996 0xfd,0x91,0x26,0x19,0x82,0x37,0x04,0x2f,0xd1,0xd4,0x1d,0x03, 2997 0x70,0x68,0xc2,0x84,0x6d,0x43,0xec,0x13,0x0c,0xbc,0x55,0xef, 2998 0x12,0x08,0x49,0x6b,0xe0,0x68,0xf8,0x68,0x2b,0xca,0xf6,0x15, 2999 0x6e,0x51,0x59,0x8e,0x27,0xc1,0xfb,0x24,0xd7,0x7b,0x43,0x95, 3000 0x7b,0xbc,0x12,0x9b,0xab,0x80, 3002 }; 3003 const uint8_t tc_ADb[] = { 3004 0x41,0x44,0x62, 3005 }; 3006 const uint8_t tc_Yb[] = { 3007 0x04,0x01,0xed,0xf7,0x67,0xbd,0x7d,0x9e,0x67,0xff,0x13,0x7b, 3008 0x8f,0x32,0x10,0xc5,0x5e,0x91,0x92,0xe9,0xac,0x8a,0x10,0xf3, 3009 0x2a,0x2f,0x0e,0xef,0x9c,0xe3,0x45,0x24,0xa5,0x43,0xe0,0xd4, 3010 0xeb,0x9b,0x33,0x28,0xca,0x11,0x4b,0x02,0xab,0x23,0xb2,0x91, 3011 0xf6,0x1b,0x5b,0xc8,0x14,0x63,0x9a,0x9e,0xca,0xff,0x07,0xe8, 3012 0x70,0x73,0x31,0x31,0x74,0x76,0x37,0x00,0x4c,0x2d,0xf1,0xbe, 3013 0xc8,0xab,0xe6,0xb2,0x52,0xe7,0xfe,0x91,0xbd,0xb6,0xf7,0x24, 3014 0x2e,0x65,0xc3,0x6e,0x7b,0x96,0x06,0x46,0xc8,0x9a,0xaf,0x02, 3015 0x62,0xa4,0x80,0x3e,0xe4,0xc9,0x0d,0x1b,0x58,0x77,0x5a,0x40, 3016 0x9a,0x13,0x5b,0xd1,0x8f,0xed,0xbf,0x4b,0xa0,0xea,0xe1,0x72, 3017 0xb4,0xfe,0x8a,0x0f,0xad,0xa8,0x3d,0x69,0x9e,0x44,0xf2,0xf8, 3018 0x61, 3019 }; 3020 const uint8_t tc_K[] = { 3021 0x00,0x70,0xa7,0x46,0x01,0x22,0xc6,0x5d,0x86,0xbf,0x9d,0xd0, 3022 0x12,0xab,0x45,0xfc,0x94,0xbe,0x36,0x26,0x19,0xd1,0xa1,0xf0, 3023 
0xe7,0x5f,0x14,0x33,0x3e,0xd8,0xb8,0x73,0xb5,0x72,0x46,0x16, 3024 0xb8,0x8d,0xad,0xaa,0xba,0x5f,0x28,0xbb,0x78,0x3a,0xeb,0x01, 3025 0xf6,0x0d,0xf5,0xfd,0xb8,0xc0,0xa2,0x37,0x45,0x90,0x0f,0x46, 3026 0x2f,0x40,0x5d,0xeb,0xfd,0x51, 3027 }; 3028 const uint8_t tc_ISK_IR[] = { 3029 0x2b,0x2c,0x53,0x4c,0x35,0x2c,0x44,0x67,0x73,0xbd,0x33,0x4f, 3030 0xac,0x2f,0x2c,0x50,0xef,0x8c,0xd7,0x99,0x1b,0xd4,0xe0,0x70, 3031 0xf8,0x5b,0x03,0x67,0xa2,0xf7,0xff,0xca,0x44,0x50,0x66,0xcf, 3032 0x20,0xb7,0x56,0x77,0x36,0x87,0xe1,0x03,0x8b,0x17,0x08,0x96, 3033 0xec,0x26,0x77,0xfe,0x72,0x2a,0xcb,0x0f,0x9e,0x6c,0x2f,0x11, 3034 0x83,0x0e,0x80,0x8a, 3035 }; 3036 const uint8_t tc_ISK_SY[] = { 3037 0x78,0xc4,0xdd,0x71,0x36,0x30,0x9a,0x2b,0xbe,0x1f,0xde,0xf3, 3038 0xcf,0x24,0xa0,0x86,0x90,0x00,0x6b,0x0c,0x9d,0xe2,0x53,0xb7, 3039 0x70,0xc1,0x47,0xdd,0x08,0x00,0x68,0x1c,0x82,0xe4,0xe6,0x7a, 3040 0x38,0x8e,0xd1,0xcd,0x91,0x82,0xe5,0x95,0xb8,0xe9,0xe3,0xf2, 3041 0x97,0x6a,0x0e,0x6d,0xab,0x48,0xb2,0xcd,0x20,0x5b,0x19,0x48, 3042 0x9e,0x20,0xf5,0x71, 3043 }; 3045 B.7.8. 
Test case for scalar_mult_vfy with correct inputs 3046 s: (length: 66 bytes) 3047 0182dd7925f1753419e4bf83429763acd37d64000cd5a175edf53a15 3048 87dd986bc95acc1506991702b6ba1a9ee2458fee8efc00198cf0088c 3049 480965ef65ff2048b856 3050 X: (length: 133 bytes) 3051 0400bf0a2632f954515e65c55553e25cde4c8bf3a48e5df86a3ef845 3052 fcf15c8d9a4640171188ff835df48b8f934070d225daa591e270a9cc 3053 539b82e8dc145caf38aeb900c30b83a1c9792e95c4a25f75b58001d3 3054 6331c2b71a86591e1b510a1740335bc9947da1f6bab91b86900c9258 3055 b28ee7b5ea33af2a8138a75cde4287613ab6673bcc 3056 G.scalar_mult(s,X) (full coordinates): (length: 133 bytes) 3057 040100763e7ebe6a051e2195b1980686a2a5d7edbc1d9284e38d1e9e 3058 13673b65b6b3b5cb1b1ab146a315c32425edee8fdca06a07cf72d26d 3059 31e38ec6a38481b4f18d8600b2a7df9cc7db6cbf75b2eee98f9f14e5 3060 e24a789d45b9709278e8b74b30eb32d55fb8cfea4258dcf9de7fb36a 3061 67326584d5c8121c4802801115b908b937361c9828 3062 G.scalar_mult_vfy(s,X) (only X-coordinate): 3063 (length: 66 bytes) 3064 0100763e7ebe6a051e2195b1980686a2a5d7edbc1d9284e38d1e9e13 3065 673b65b6b3b5cb1b1ab146a315c32425edee8fdca06a07cf72d26d31 3066 e38ec6a38481b4f18d86 3068 B.7.9. Invalid inputs for scalar_mult_vfy 3070 For these test cases scalar_mult_vfy(y,.) MUST return the 3071 representation of the neutral element G.I. When including Y_i1 or 3072 Y_i2 in MSGa or MSGb the protocol MUST abort. 
3074 s: (length: 66 bytes) 3075 0182dd7925f1753419e4bf83429763acd37d64000cd5a175edf53a15 3076 87dd986bc95acc1506991702b6ba1a9ee2458fee8efc00198cf0088c 3077 480965ef65ff2048b856 3078 Y_i1: (length: 133 bytes) 3079 0400bf0a2632f954515e65c55553e25cde4c8bf3a48e5df86a3ef845 3080 fcf15c8d9a4640171188ff835df48b8f934070d225daa591e270a9cc 3081 539b82e8dc145caf38aeb900c30b83a1c9792e95c4a25f75b58001d3 3082 6331c2b71a86591e1b510a1740335bc9947da1f6bab91b86900c9258 3083 b28ee7b5ea33af2a8138a75cde4287613ab6673b3a 3084 Y_i2: (length: 1 bytes) 3085 00 3086 G.scalar_mult_vfy(s,Y_i1) = G.scalar_mult_vfy(s,Y_i2) = G.I 3088 Authors' Addresses 3090 Michel Abdalla 3091 DFINITY - Zurich 3093 Email: michel.abdalla@gmail.com 3094 Bjoern Haase 3095 Endress + Hauser Liquid Analysis - Gerlingen 3097 Email: bjoern.m.haase@web.de 3099 Julia Hesse 3100 IBM Research Europe - Zurich 3102 Email: JHS@zurich.ibm.com
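The ISK vectors of B.7.5 and B.7.6 can be regenerated from their parts, which is the quickest way to catch a transcript-framing bug in an implementation. The following Python is an added example, not code from draft-irtf-cfrg-cpace-05 or its reference implementation: the helper names (prepend_len, prefix_free_cat, transcript_ir, transcript_oc, derive_isk) are this example's own, every hex constant is copied from the vectors above, and it assumes that H is plain SHA-512 for the CPaceP521_XMD:SHA-512_SSWU_NU_ suite (the suite name says so and the 64-byte ISK length agrees). It shows where the 0x85 0x01 in front of each 133-byte point and the single 0x03 in front of ADa/ADb come from, and that the parallel-execution transcript hashes to the same ISK whichever message a party sent.

```python
"""Regenerate the ISK inputs and results of B.7.5 and B.7.6.

Added example, not code from draft-irtf-cfrg-cpace-05 or its reference
implementation; helper names are this example's own and the hex
constants are copied from the vectors above. Assumption: H is plain
SHA-512 for CPaceP521_XMD:SHA-512_SSWU_NU_ (the 64-byte ISK agrees).
"""
import hashlib


def prepend_len(data: bytes) -> bytes:
    """Length prefix used by prefix_free_cat: the byte length is written
    7 bits per byte, least significant group first, high bit set on every
    byte but the last. 3 -> 03, 133 -> 85 01 (the bytes opening MSGa/MSGb)."""
    n = len(data)
    prefix = bytearray()
    while n >= 0x80:
        prefix.append((n & 0x7F) | 0x80)
        n >>= 7
    prefix.append(n)
    return bytes(prefix) + data


def prefix_free_cat(*items: bytes) -> bytes:
    """prepend_len(a) || prepend_len(b) || ...; parses unambiguously."""
    return b"".join(prepend_len(item) for item in items)


def transcript_ir(msga: bytes, msgb: bytes) -> bytes:
    """Initiator/responder execution: MSGa || MSGb in sending order."""
    return msga + msgb


def transcript_oc(msga: bytes, msgb: bytes) -> bytes:
    """Parallel execution: the lexicographically larger message goes first,
    so both parties hash the same bytes whichever message they sent."""
    return msga + msgb if msga > msgb else msgb + msga


def derive_isk(dsi: bytes, sid: bytes, k: bytes, msga: bytes, msgb: bytes,
               parallel: bool = False) -> bytes:
    """ISK = H(prefix_free_cat(DSI_ISK, sid, K) || transcript), H = SHA-512."""
    transcript = transcript_oc(msga, msgb) if parallel else transcript_ir(msga, msgb)
    return hashlib.sha512(prefix_free_cat(dsi, sid, k) + transcript).digest()


# Constants copied from the draft's B.7 test vectors.
DSI_ISK = b"CPaceP521_XMD:SHA-512_SSWU_NU__ISK"
SID = bytes.fromhex("7e4b4791d6a8ef019b936c79fb7f2c57")
ADA, ADB = b"ADa", b"ADb"
YA = bytes.fromhex(
    "0400484dcee6d54cb356830cd764079360a03b06a7db1a82188e"
    "09c92e02d7e78a1e3710da9554db11697d242893e2114d6cbee89f59"
    "99b7e545d9fdf59f4c9acd408901ad73e01ec22ae6ecc122cf257e81"
    "826e348cd410ddb9245c61889fe97b2bbb98b2038eb2ed23e989ec70"
    "13a610fb2f3b4fb958cc860dd10c98745b9d89e37f2bf9")
YB = bytes.fromhex(
    "0401edf767bd7d9e67ff137b8f3210c55e9192e9ac8a10f32a2f0eef"
    "9ce34524a543e0d4eb9b3328ca114b02ab23b291f61b5bc814639a9e"
    "caff07e870733131747637004c2df1bec8abe6b252e7fe91bdb6f724"
    "2e65c36e7b960646c89aaf0262a4803ee4c90d1b58775a409a135bd1"
    "8fedbf4ba0eae172b4fe8a0fada83d699e44f2f861")
K = bytes.fromhex(
    "0070a7460122c65d86bf9dd012ab45fc94be362619d1a1f0e75f1433"
    "3ed8b873b5724616b88dadaaba5f28bb783aeb01f60df5fdb8c0a237"
    "45900f462f405debfd51")
MSGB = bytes.fromhex(  # the MSGb value listed in the MSGb vector
    "85010401edf767bd7d9e67ff137b8f3210c55e9192e9ac8a10f32a2f"
    "0eef9ce34524a543e0d4eb9b3328ca114b02ab23b291f61b5bc81463"
    "9a9ecaff07e870733131747637004c2df1bec8abe6b252e7fe91bdb6"
    "f7242e65c36e7b960646c89aaf0262a4803ee4c90d1b58775a409a13"
    "5bd18fedbf4ba0eae172b4fe8a0fada83d699e44f2f86103414462")
ISK_IR = bytes.fromhex(
    "2b2c534c352c446773bd334fac2f2c50ef8cd7991bd4e070f85b0367"
    "a2f7ffca445066cf20b756773687e1038b170896ec2677fe722acb0f"
    "9e6c2f11830e808a")
ISK_SY = bytes.fromhex(
    "78c4dd7136309a2bbe1fdef3cf24a08690006b0c9de253b770c147dd"
    "0800681c82e4e67a388ed1cd9182e595b8e9e3f2976a0e6dab48b2cd"
    "205b19489e20f571")

MSGA = prefix_free_cat(YA, ADA)


def check_vectors() -> bool:
    """True iff the framing and both ISKs reproduce the draft's values."""
    return (prefix_free_cat(YB, ADB) == MSGB
            and len(prefix_free_cat(DSI_ISK, SID, K) + MSGA + MSGB) == 397
            and derive_isk(DSI_ISK, SID, K, MSGA, MSGB) == ISK_IR
            and derive_isk(DSI_ISK, SID, K, MSGA, MSGB, parallel=True) == ISK_SY
            and derive_isk(DSI_ISK, SID, K, MSGB, MSGA, parallel=True) == ISK_SY)


if __name__ == "__main__":
    print("vectors reproduced:", check_vectors())
```

The ordering rule in transcript_oc is taken from the vector itself: the ordered cat in B.7.6 starts with MSGb, whose first differing byte (0x01) is larger than MSGa's (0x00). The framing follows this revision of the draft exactly; other revisions may frame the transcript differently, so regenerate against the vectors that ship with the revision being implemented.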
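B.7.8 and B.7.9 list only inputs and expected outputs. The following Python is an added example, not code from the draft or its reference implementation (the function names are this example's own), that implements the decode-and-validate step and scalar_mult_vfy on P-521 and checks them against those vectors and against K from B.7.4. It assumes the standard P-521 curve parameters, uses plain affine double-and-add that is not constant time and is only fit for checking vectors, and returns None wherever the draft returns the neutral-element encoding G.I. It also negates Yb to show why the "alternative correct value for Yb" in the MSGb vector yields the same K.

```python
"""P-521 point validation and scalar_mult_vfy, checked against the
B.7.8/B.7.9 vectors and the K of B.7.4. Added example, not code from the
draft or its reference implementation; names are this example's own.
Assumes the standard P-521 parameters. Affine double-and-add is used for
clarity; it is NOT constant time and is only fit for checking vectors.
Where the draft returns the neutral-element encoding G.I, this returns None.
"""
P = 2**521 - 1
A = P - 3
B = int("0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e1"
        "56193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00", 16)

def _add(p1, p2):
    """Affine group law on y^2 = x^3 + Ax + B; None is the neutral element."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                    # Q + (-Q), including y == 0
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):
    """Left-to-right double-and-add; timing depends on k (not for real secrets)."""
    acc = None
    for bit in bin(k)[2:]:
        acc = _add(acc, acc)
        if bit == "1":
            acc = _add(acc, pt)
    return acc

def decode_point(enc: bytes):
    """SEC1 uncompressed decoding with the checks scalar_mult_vfy relies on:
    wrong length or tag (including the lone 0x00 byte that encodes the point
    at infinity, Y_i2), coordinates outside [0, p), or a point not on the
    curve (Y_i1) all yield None."""
    if len(enc) != 133 or enc[0] != 0x04:
        return None
    x, y = int.from_bytes(enc[1:67], "big"), int.from_bytes(enc[67:], "big")
    if x >= P or y >= P or (y * y - (x * x * x + A * x + B)) % P:
        return None
    return x, y

def scalar_mult_vfy(scalar: bytes, enc: bytes):
    """G.scalar_mult_vfy(s, X): the 66-byte x-coordinate of s*X, or None
    where the draft mandates G.I (invalid X or neutral result); a None
    here means the protocol MUST abort."""
    pt = decode_point(enc)
    if pt is None:
        return None
    result = _mul(int.from_bytes(scalar, "big"), pt)
    return None if result is None else result[0].to_bytes(66, "big")

def negate_point(enc: bytes) -> bytes:
    """g^(-y) from g^y: same x, y replaced by p - y. This is how the
    'alternative correct value for Yb' of the MSGb vector arises; since
    scalar_mult_vfy only uses the x-coordinate, both values give the same K."""
    x, y = decode_point(enc)
    return b"\x04" + x.to_bytes(66, "big") + ((-y) % P).to_bytes(66, "big")

# Constants copied from the draft's test vectors.
S = bytes.fromhex("0182dd7925f1753419e4bf83429763acd37d64000cd5a175edf53a15"
                  "87dd986bc95acc1506991702b6ba1a9ee2458fee8efc00198cf0088c"
                  "480965ef65ff2048b856")
X = bytes.fromhex("0400bf0a2632f954515e65c55553e25cde4c8bf3a48e5df86a3ef845"
                  "fcf15c8d9a4640171188ff835df48b8f934070d225daa591e270a9cc"
                  "539b82e8dc145caf38aeb900c30b83a1c9792e95c4a25f75b58001d3"
                  "6331c2b71a86591e1b510a1740335bc9947da1f6bab91b86900c9258"
                  "b28ee7b5ea33af2a8138a75cde4287613ab6673bcc")
SX_X = bytes.fromhex("0100763e7ebe6a051e2195b1980686a2a5d7edbc1d9284e38d1e9e13"
                     "673b65b6b3b5cb1b1ab146a315c32425edee8fdca06a07cf72d26d31"
                     "e38ec6a38481b4f18d86")
Y_I1 = X[:-1] + b"\x3a"   # B.7.9's Y_i1: X with its last byte altered
Y_I2 = b"\x00"            # B.7.9's Y_i2: the point at infinity
YA = bytes.fromhex("016fac7bb757452e7b788d68a1510eda90113c65db1213fa08927d50"
                   "bcf2635fd66ca254e82927071001353e265082fd609af47ad06fab42"
                   "0c2295df4056ee9ff997")
YB = bytes.fromhex("0401edf767bd7d9e67ff137b8f3210c55e9192e9ac8a10f32a2f0eef"
                   "9ce34524a543e0d4eb9b3328ca114b02ab23b291f61b5bc814639a9e"
                   "caff07e870733131747637004c2df1bec8abe6b252e7fe91bdb6f724"
                   "2e65c36e7b960646c89aaf0262a4803ee4c90d1b58775a409a135bd1"
                   "8fedbf4ba0eae172b4fe8a0fada83d699e44f2f861")
K = bytes.fromhex("0070a7460122c65d86bf9dd012ab45fc94be362619d1a1f0e75f1433"
                  "3ed8b873b5724616b88dadaaba5f28bb783aeb01f60df5fdb8c0a237"
                  "45900f462f405debfd51")
```

Calling scalar_mult_vfy(S, X) returns the x-coordinate listed in B.7.8, scalar_mult_vfy(S, Y_I1) and scalar_mult_vfy(S, Y_I2) return None, and scalar_mult_vfy(YA, YB) equals K from B.7.4, as does the same call with negate_point(YB). The check that matters for security is the one in decode_point: a peer value that is off the curve or is the point at infinity must not reach the scalar multiplication, and a None result must abort the run rather than be fed into the ISK derivation.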