draft-irtf-cfrg-cpace-10.txt   draft-irtf-cfrg-cpace-11.txt 
Network Working Group M. Abdalla Network Working Group M. Abdalla
Internet-Draft DFINITY - Zurich Internet-Draft DFINITY - Zurich
Intended status: Informational B. Haase Intended status: Informational B. Haase
Expires: 28 March 2024 Endress + Hauser Liquid Analysis - Gerlingen Expires: 28 September 2024 Endress + Hauser Liquid Analysis - Gerlingen
J. Hesse J. Hesse
IBM Research Europe - Zurich IBM Research Europe - Zurich
25 September 2023 27 March 2024
CPace, a balanced composable PAKE CPace, a balanced composable PAKE
draft-irtf-cfrg-cpace-10 draft-irtf-cfrg-cpace-11
Abstract Abstract
This document describes CPace which is a protocol that allows two This document describes CPace which is a protocol that allows two
parties that share a low-entropy secret (password) to derive a strong parties that share a low-entropy secret (password) to derive a strong
shared key without disclosing the secret to offline dictionary shared key without disclosing the secret to offline dictionary
attacks. The CPace protocol was tailored for constrained devices and attacks. The CPace protocol was tailored for constrained devices and
can be used on groups of prime- and non-prime order. can be used on groups of prime- and non-prime order.
Discussion Venues Discussion Venues
skipping to change at page 1, line 48 skipping to change at page 1, line 48
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 28 March 2024. This Internet-Draft will expire on 28 September 2024.
Copyright Notice Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License. provided without warranty as described in the Revised BSD License.
skipping to change at page 2, line 35 skipping to change at page 2, line 35
3.1. Optional CPace inputs . . . . . . . . . . . . . . . . . . 7 3.1. Optional CPace inputs . . . . . . . . . . . . . . . . . . 7
3.2. Responsibilities of the application layer . . . . . . . . 8 3.2. Responsibilities of the application layer . . . . . . . . 8
4. CPace cipher suites . . . . . . . . . . . . . . . . . . . . . 9 4. CPace cipher suites . . . . . . . . . . . . . . . . . . . . . 9
5. Definitions and notation . . . . . . . . . . . . . . . . . . 10 5. Definitions and notation . . . . . . . . . . . . . . . . . . 10
5.1. Hash function H . . . . . . . . . . . . . . . . . . . . . 10 5.1. Hash function H . . . . . . . . . . . . . . . . . . . . . 10
5.2. Group environment G . . . . . . . . . . . . . . . . . . . 11 5.2. Group environment G . . . . . . . . . . . . . . . . . . . 11
5.3. Notation for string operations . . . . . . . . . . . . . 11 5.3. Notation for string operations . . . . . . . . . . . . . 11
5.4. Notation for group operations . . . . . . . . . . . . . . 13 5.4. Notation for group operations . . . . . . . . . . . . . . 13
6. The CPace protocol . . . . . . . . . . . . . . . . . . . . . 13 6. The CPace protocol . . . . . . . . . . . . . . . . . . . . . 13
6.1. Protocol flow . . . . . . . . . . . . . . . . . . . . . . 13 6.1. Protocol flow . . . . . . . . . . . . . . . . . . . . . . 13
6.2. CPace protocol instructions . . . . . . . . . . . . . . . 13 6.2. CPace protocol instructions . . . . . . . . . . . . . . . 14
7. Implementation of recommended CPace cipher suites . . . . . . 14 7. Implementation of recommended CPace cipher suites . . . . . . 15
7.1. Common function for computing generators . . . . . . . . 14 7.1. Common function for computing generators . . . . . . . . 15
7.2. CPace group objects G_X25519 and G_X448 for 7.2. CPace group objects G_X25519 and G_X448 for
single-coordinate Ladders on Montgomery curves . . . . . 15 single-coordinate Ladders on Montgomery curves . . . . . 15
7.2.1. Verification tests . . . . . . . . . . . . . . . . . 16 7.2.1. Verification tests . . . . . . . . . . . . . . . . . 17
7.3. CPace group objects G_Ristretto255 and G_Decaf448 for 7.3. CPace group objects G_Ristretto255 and G_Decaf448 for
prime-order group abstractions . . . . . . . . . . . . . 17 prime-order group abstractions . . . . . . . . . . . . . 17
7.3.1. Verification tests . . . . . . . . . . . . . . . . . 19 7.3.1. Verification tests . . . . . . . . . . . . . . . . . 19
7.4. CPace group objects for curves in Short-Weierstrass 7.4. CPace group objects for curves in Short-Weierstrass
representation . . . . . . . . . . . . . . . . . . . . . 19 representation . . . . . . . . . . . . . . . . . . . . . 19
7.4.1. Curves and associated functions . . . . . . . . . . . 19 7.4.1. Curves and associated functions . . . . . . . . . . . 19
7.4.2. Suitable encode_to_curve methods . . . . . . . . . . 20 7.4.2. Suitable encode_to_curve methods . . . . . . . . . . 20
7.4.3. Definition of the group environment G for 7.4.3. Definition of the group environment G for
Short-Weierstrass curves . . . . . . . . . . . . . . 20 Short-Weierstrass curves . . . . . . . . . . . . . . 20
7.4.4. Verification tests . . . . . . . . . . . . . . . . . 22 7.4.4. Verification tests . . . . . . . . . . . . . . . . . 22
8. Implementation verification . . . . . . . . . . . . . . . . . 22 8. Implementation verification . . . . . . . . . . . . . . . . . 22
9. Security Considerations . . . . . . . . . . . . . . . . . . . 22 9. Security Considerations . . . . . . . . . . . . . . . . . . . 23
9.1. Party identifiers and relay attacks . . . . . . . . . . . 22 9.1. Party identifiers and relay attacks . . . . . . . . . . . 23
9.2. Network message encoding and hashing protocol 9.2. Network message encoding and hashing protocol
transcripts . . . . . . . . . . . . . . . . . . . . . . . 23 transcripts . . . . . . . . . . . . . . . . . . . . . . . 23
9.3. Key derivation . . . . . . . . . . . . . . . . . . . . . 23 9.3. Key derivation . . . . . . . . . . . . . . . . . . . . . 24
9.4. Key confirmation . . . . . . . . . . . . . . . . . . . . 23 9.4. Key confirmation . . . . . . . . . . . . . . . . . . . . 24
9.5. Sampling of scalars . . . . . . . . . . . . . . . . . . . 24 9.5. Sampling of scalars . . . . . . . . . . . . . . . . . . . 25
9.6. Single-coordinate CPace on Montgomery curves . . . . . . 25 9.6. Preconditions for using the simplified CPace specification from Section 7.2 . . . . . . . . . . . . . . . . . . . . 25
9.7. Nonce values . . . . . . . . . . . . . . . . . . . . . . 25 9.7. Nonce values . . . . . . . . . . . . . . . . . . . . . . 26
9.8. Side channel attacks . . . . . . . . . . . . . . . . . . 25 9.8. Side channel attacks . . . . . . . . . . . . . . . . . . 26
9.9. Quantum computers . . . . . . . . . . . . . . . . . . . . 26 9.9. Quantum computers . . . . . . . . . . . . . . . . . . . . 27
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 26 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 27
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 26 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 27
12.1. Normative References . . . . . . . . . . . . . . . . . . 26 12.1. Normative References . . . . . . . . . . . . . . . . . . 27
12.2. Informative References . . . . . . . . . . . . . . . . . 27 12.2. Informative References . . . . . . . . . . . . . . . . . 28
Appendix A. CPace function definitions . . . . . . . . . . . . . 29 Appendix A. CPace function definitions . . . . . . . . . . . . . 30
A.1. Definition and test vectors for string utility A.1. Definition and test vectors for string utility
functions . . . . . . . . . . . . . . . . . . . . . . . . 29 functions . . . . . . . . . . . . . . . . . . . . . . . . 30
A.1.1. prepend_len function . . . . . . . . . . . . . . . . 29 A.1.1. prepend_len function . . . . . . . . . . . . . . . . 30
A.1.2. prepend_len test vectors . . . . . . . . . . . . . . 29 A.1.2. prepend_len test vectors . . . . . . . . . . . . . . 30
A.1.3. lv_cat function . . . . . . . . . . . . . . . . . . . 29 A.1.3. lv_cat function . . . . . . . . . . . . . . . . . . . 31
A.1.4. Testvector for lv_cat() . . . . . . . . . . . . . . . 30 A.1.4. Testvector for lv_cat() . . . . . . . . . . . . . . . 31
A.1.5. Examples for messages not obtained from a lv_cat-based A.1.5. Examples for messages not obtained from a lv_cat-based
encoding . . . . . . . . . . . . . . . . . . . . . . 30 encoding . . . . . . . . . . . . . . . . . . . . . . 31
A.2. Definition of generator_string function. . . . . . . . . 30 A.2. Definition of generator_string function. . . . . . . . . 31
A.3. Definitions and test vector ordered concatenation . . . . 30 A.3. Definitions and test vector ordered concatenation . . . . 31
A.3.1. Definitions for lexicographical ordering . . . . . . . 30 A.3.1. Definitions for lexicographical ordering . . . . . . . 31
A.3.2. Definitions for ordered concatenation . . . . . . . . 31 A.3.2. Definitions for ordered concatenation . . . . . . . . 32
A.3.3. Test vectors ordered concatenation . . . . . . . . . 31 A.3.3. Test vectors ordered concatenation . . . . . . . . . 32
A.4. Decoding and Encoding functions according to RFC7748 . . 31 A.4. Decoding and Encoding functions according to RFC7748 . . 32
A.5. Elligator 2 reference implementation . . . . . . . . . . 32 A.5. Elligator 2 reference implementation . . . . . . . . . . 33
Appendix B. Test vectors . . . . . . . . . . . . . . . . . . . . 33 Appendix B. Test vectors . . . . . . . . . . . . . . . . . . . . 34
B.1. Test vector for CPace using group X25519 and hash B.1. Test vector for CPace using group X25519 and hash
SHA-512 . . . . . . . . . . . . . . . . . . . . . . . . . 33 SHA-512 . . . . . . . . . . . . . . . . . . . . . . . . . 34
B.1.1. Test vectors for calculate_generator with group B.1.1. Test vectors for calculate_generator with group
X25519 . . . . . . . . . . . . . . . . . . . . . . . 33 X25519 . . . . . . . . . . . . . . . . . . . . . . . 34
B.1.2. Test vector for MSGa . . . . . . . . . . . . . . . . 33 B.1.2. Test vector for MSGa . . . . . . . . . . . . . . . . 34
B.1.3. Test vector for MSGb . . . . . . . . . . . . . . . . 34 B.1.3. Test vector for MSGb . . . . . . . . . . . . . . . . 35
B.1.4. Test vector for secret points K . . . . . . . . . . . 34 B.1.4. Test vector for secret points K . . . . . . . . . . . 35
B.1.5. Test vector for ISK calculation initiator/ B.1.5. Test vector for ISK calculation initiator/
responder . . . . . . . . . . . . . . . . . . . . . . 34 responder . . . . . . . . . . . . . . . . . . . . . . 35
B.1.6. Test vector for ISK calculation parallel execution . 35 B.1.6. Test vector for ISK calculation parallel execution . 36
B.1.7. Corresponding ANSI-C initializers . . . . . . . . . . 35 B.1.7. Corresponding C programming language initializers . . 36
B.1.8. Test vectors for G_X25519.scalar_mult_vfy: low order B.1.8. Test vectors for G_X25519.scalar_mult_vfy: low order
points . . . . . . . . . . . . . . . . . . . . . . . 37 points . . . . . . . . . . . . . . . . . . . . . . . 38
B.2. Test vector for CPace using group X448 and hash B.2. Test vector for CPace using group X448 and hash
SHAKE-256 . . . . . . . . . . . . . . . . . . . . . . . . 38 SHAKE-256 . . . . . . . . . . . . . . . . . . . . . . . . 39
B.2.1. Test vectors for calculate_generator with group B.2.1. Test vectors for calculate_generator with group
X448 . . . . . . . . . . . . . . . . . . . . . . . . 38 X448 . . . . . . . . . . . . . . . . . . . . . . . . 39
B.2.2. Test vector for MSGa . . . . . . . . . . . . . . . . 38 B.2.2. Test vector for MSGa . . . . . . . . . . . . . . . . 39
B.2.3. Test vector for MSGb . . . . . . . . . . . . . . . . 38 B.2.3. Test vector for MSGb . . . . . . . . . . . . . . . . 39
B.2.4. Test vector for secret points K . . . . . . . . . . . 39 B.2.4. Test vector for secret points K . . . . . . . . . . . 40
B.2.5. Test vector for ISK calculation initiator/ B.2.5. Test vector for ISK calculation initiator/
responder . . . . . . . . . . . . . . . . . . . . . . 39 responder . . . . . . . . . . . . . . . . . . . . . . 40
B.2.6. Test vector for ISK calculation parallel execution . 40 B.2.6. Test vector for ISK calculation parallel execution . 41
B.2.7. Corresponding ANSI-C initializers . . . . . . . . . . 40 B.2.7. Corresponding C programming language initializers . . 41
B.2.8. Test vectors for G_X448.scalar_mult_vfy: low order B.2.8. Test vectors for G_X448.scalar_mult_vfy: low order
points . . . . . . . . . . . . . . . . . . . . . . . 42 points . . . . . . . . . . . . . . . . . . . . . . . 43
B.3. Test vector for CPace using group ristretto255 and hash B.3. Test vector for CPace using group ristretto255 and hash
SHA-512 . . . . . . . . . . . . . . . . . . . . . . . . . 43 SHA-512 . . . . . . . . . . . . . . . . . . . . . . . . . 44
B.3.1. Test vectors for calculate_generator with group B.3.1. Test vectors for calculate_generator with group
ristretto255 . . . . . . . . . . . . . . . . . . . . 43 ristretto255 . . . . . . . . . . . . . . . . . . . . 44
B.3.2. Test vector for MSGa . . . . . . . . . . . . . . . . 44 B.3.2. Test vector for MSGa . . . . . . . . . . . . . . . . 45
B.3.3. Test vector for MSGb . . . . . . . . . . . . . . . . 44 B.3.3. Test vector for MSGb . . . . . . . . . . . . . . . . 45
B.3.4. Test vector for secret points K . . . . . . . . . . . 45 B.3.4. Test vector for secret points K . . . . . . . . . . . 46
B.3.5. Test vector for ISK calculation initiator/ B.3.5. Test vector for ISK calculation initiator/
responder . . . . . . . . . . . . . . . . . . . . . . 45 responder . . . . . . . . . . . . . . . . . . . . . . 46
B.3.6. Test vector for ISK calculation parallel execution . 45 B.3.6. Test vector for ISK calculation parallel execution . 46
B.3.7. Corresponding ANSI-C initializers . . . . . . . . . . 46 B.3.7. Corresponding C programming language initializers . . 47
B.3.8. Test case for scalar_mult with valid inputs . . . . . 47 B.3.8. Test case for scalar_mult with valid inputs . . . . . 48
B.3.9. Invalid inputs for scalar_mult_vfy . . . . . . . . . 48 B.3.9. Invalid inputs for scalar_mult_vfy . . . . . . . . . 49
B.4. Test vector for CPace using group decaf448 and hash B.4. Test vector for CPace using group decaf448 and hash
SHAKE-256 . . . . . . . . . . . . . . . . . . . . . . . . 48 SHAKE-256 . . . . . . . . . . . . . . . . . . . . . . . . 49
B.4.1. Test vectors for calculate_generator with group B.4.1. Test vectors for calculate_generator with group
decaf448 . . . . . . . . . . . . . . . . . . . . . . 48 decaf448 . . . . . . . . . . . . . . . . . . . . . . 49
B.4.2. Test vector for MSGa . . . . . . . . . . . . . . . . 49 B.4.2. Test vector for MSGa . . . . . . . . . . . . . . . . 50
B.4.3. Test vector for MSGb . . . . . . . . . . . . . . . . 49 B.4.3. Test vector for MSGb . . . . . . . . . . . . . . . . 50
B.4.4. Test vector for secret points K . . . . . . . . . . . 50 B.4.4. Test vector for secret points K . . . . . . . . . . . 51
B.4.5. Test vector for ISK calculation initiator/ B.4.5. Test vector for ISK calculation initiator/
responder . . . . . . . . . . . . . . . . . . . . . . 50 responder . . . . . . . . . . . . . . . . . . . . . . 51
B.4.6. Test vector for ISK calculation parallel execution . 51 B.4.6. Test vector for ISK calculation parallel execution . 52
B.4.7. Corresponding ANSI-C initializers . . . . . . . . . . 51 B.4.7. Corresponding C programming language initializers . . 52
B.4.8. Test case for scalar_mult with valid inputs . . . . . 53 B.4.8. Test case for scalar_mult with valid inputs . . . . . 54
B.4.9. Invalid inputs for scalar_mult_vfy . . . . . . . . . 53 B.4.9. Invalid inputs for scalar_mult_vfy . . . . . . . . . 54
B.5. Test vector for CPace using group NIST P-256 and hash B.5. Test vector for CPace using group NIST P-256 and hash
SHA-256 . . . . . . . . . . . . . . . . . . . . . . . . . 53 SHA-256 . . . . . . . . . . . . . . . . . . . . . . . . . 54
B.5.1. Test vectors for calculate_generator with group NIST B.5.1. Test vectors for calculate_generator with group NIST
P-256 . . . . . . . . . . . . . . . . . . . . . . . . 53 P-256 . . . . . . . . . . . . . . . . . . . . . . . . 54
B.5.2. Test vector for MSGa . . . . . . . . . . . . . . . . 54 B.5.2. Test vector for MSGa . . . . . . . . . . . . . . . . 55
B.5.3. Test vector for MSGb . . . . . . . . . . . . . . . . 54 B.5.3. Test vector for MSGb . . . . . . . . . . . . . . . . 55
B.5.4. Test vector for secret points K . . . . . . . . . . . 55 B.5.4. Test vector for secret points K . . . . . . . . . . . 56
B.5.5. Test vector for ISK calculation initiator/ B.5.5. Test vector for ISK calculation initiator/
responder . . . . . . . . . . . . . . . . . . . . . . 55 responder . . . . . . . . . . . . . . . . . . . . . . 56
B.5.6. Test vector for ISK calculation parallel execution . 56 B.5.6. Test vector for ISK calculation parallel execution . 57
B.5.7. Corresponding ANSI-C initializers . . . . . . . . . . 57 B.5.7. Corresponding C programming language initializers . . 58
B.5.8. Test case for scalar_mult_vfy with correct inputs . . 58 B.5.8. Test case for scalar_mult_vfy with correct inputs . . 59
B.5.9. Invalid inputs for scalar_mult_vfy . . . . . . . . . 59 B.5.9. Invalid inputs for scalar_mult_vfy . . . . . . . . . 60
B.6. Test vector for CPace using group NIST P-384 and hash B.6. Test vector for CPace using group NIST P-384 and hash
SHA-384 . . . . . . . . . . . . . . . . . . . . . . . . . 59 SHA-384 . . . . . . . . . . . . . . . . . . . . . . . . . 60
B.6.1. Test vectors for calculate_generator with group NIST B.6.1. Test vectors for calculate_generator with group NIST
P-384 . . . . . . . . . . . . . . . . . . . . . . . . 59 P-384 . . . . . . . . . . . . . . . . . . . . . . . . 60
B.6.2. Test vector for MSGa . . . . . . . . . . . . . . . . 60 B.6.2. Test vector for MSGa . . . . . . . . . . . . . . . . 61
B.6.3. Test vector for MSGb . . . . . . . . . . . . . . . . 61 B.6.3. Test vector for MSGb . . . . . . . . . . . . . . . . 62
B.6.4. Test vector for secret points K . . . . . . . . . . . 61 B.6.4. Test vector for secret points K . . . . . . . . . . . 62
B.6.5. Test vector for ISK calculation initiator/ B.6.5. Test vector for ISK calculation initiator/
responder . . . . . . . . . . . . . . . . . . . . . . 61 responder . . . . . . . . . . . . . . . . . . . . . . 62
B.6.6. Test vector for ISK calculation parallel execution . 62 B.6.6. Test vector for ISK calculation parallel execution . 63
B.6.7. Corresponding ANSI-C initializers . . . . . . . . . . 63 B.6.7. Corresponding C programming language initializers . . 64
B.6.8. Test case for scalar_mult_vfy with correct inputs . . 65 B.6.8. Test case for scalar_mult_vfy with correct inputs . . 66
B.6.9. Invalid inputs for scalar_mult_vfy . . . . . . . . . 65 B.6.9. Invalid inputs for scalar_mult_vfy . . . . . . . . . 66
B.7. Test vector for CPace using group NIST P-521 and hash B.7. Test vector for CPace using group NIST P-521 and hash
SHA-512 . . . . . . . . . . . . . . . . . . . . . . . . . 66 SHA-512 . . . . . . . . . . . . . . . . . . . . . . . . . 67
B.7.1. Test vectors for calculate_generator with group NIST B.7.1. Test vectors for calculate_generator with group NIST
P-521 . . . . . . . . . . . . . . . . . . . . . . . . 66 P-521 . . . . . . . . . . . . . . . . . . . . . . . . 67
B.7.2. Test vector for MSGa . . . . . . . . . . . . . . . . 66 B.7.2. Test vector for MSGa . . . . . . . . . . . . . . . . 67
B.7.3. Test vector for MSGb . . . . . . . . . . . . . . . . 67 B.7.3. Test vector for MSGb . . . . . . . . . . . . . . . . 68
B.7.4. Test vector for secret points K . . . . . . . . . . . 68 B.7.4. Test vector for secret points K . . . . . . . . . . . 69
B.7.5. Test vector for ISK calculation initiator/ B.7.5. Test vector for ISK calculation initiator/
responder . . . . . . . . . . . . . . . . . . . . . . 68 responder . . . . . . . . . . . . . . . . . . . . . . 69
B.7.6. Test vector for ISK calculation parallel execution . 69 B.7.6. Test vector for ISK calculation parallel execution . 70
B.7.7. Corresponding ANSI-C initializers . . . . . . . . . . 70 B.7.7. Corresponding C programming language initializers . . 71
B.7.8. Test case for scalar_mult_vfy with correct inputs . . 72 B.7.8. Test case for scalar_mult_vfy with correct inputs . . 73
B.7.9. Invalid inputs for scalar_mult_vfy . . . . . . . . . 73 B.7.9. Invalid inputs for scalar_mult_vfy . . . . . . . . . 74
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 73 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 74
1. Introduction 1. Introduction
This document describes CPace which is a balanced Password- This document describes CPace which is a balanced Password-
Authenticated-Key-Establishment (PAKE) protocol for two parties where Authenticated-Key-Establishment (PAKE) protocol for two parties where
both parties derive a cryptographic key of high entropy from a shared both parties derive a cryptographic key of high entropy from a shared
secret of low-entropy. CPace protects the passwords against offline secret of low-entropy. CPace protects the passwords against offline
dictionary attacks by requiring adversaries to actively interact with dictionary attacks by requiring adversaries to actively interact with
a protocol party and by allowing for at most one single password a protocol party and by allowing for at most one single password
guess per active interaction. guess per active interaction.
skipping to change at page 6, line 25 skipping to change at page 6, line 25
* Post-quantum annoyance: CPace comes with mitigations with respect * Post-quantum annoyance: CPace comes with mitigations with respect
to adversaries that become capable of breaking the discrete to adversaries that become capable of breaking the discrete
logarithm problem on elliptic curves. logarithm problem on elliptic curves.
1.1. Outline of this document 1.1. Outline of this document
* Section 3 describes the expected properties of an application * Section 3 describes the expected properties of an application
using CPace, and discusses in particular which application-level using CPace, and discusses in particular which application-level
aspects are relevant for CPace's security. aspects are relevant for CPace's security.
* Section 4 gives an overview over the recommended cipher suites for * Section 4 gives an overview of the recommended cipher suites for
CPace which were optimized for different types of cryptographic CPace which were optimized for different types of cryptographic
library ecosystems. library ecosystems.
* Section 5 introduces the notation used throughout this document. * Section 5 introduces the notation used throughout this document.
* Section 6 specifies the CPace protocol. * Section 6 specifies the CPace protocol.
* The final section provides explicit reference implementations and * The final section provides explicit reference implementations and
test vectors of all of the functions defined for CPace in the test vectors of all of the functions defined for CPace in the
appendix. appendix.
skipping to change at page 10, line 38 skipping to change at page 10, line 38
that the hash function is specified for a fixed-size output, we that the hash function is specified for a fixed-size output, we
define H.hash(m,l) such that it returns the first l octets of the define H.hash(m,l) such that it returns the first l octets of the
output. output.
We use the following notation for referring to the specific We use the following notation for referring to the specific
properties of a hash function H: properties of a hash function H:
* H.hash(m,l) is a function that operates on an input octet string m * H.hash(m,l) is a function that operates on an input octet string m
and returns a hashing result of l octets. and returns a hashing result of l octets.
* H.b_in_bytes denotes the default output size in bytes * H.b_in_bytes denotes the minimum output size in bytes for
corresponding to the symmetric security level of the hash collision resistance for the security level target of the hash
function. E.g. H.b_in_bytes = 64 for SHA-512 and SHAKE-256 and function. E.g. H.b_in_bytes = 64 for SHA-512 and SHAKE-256 and
H.b_in_bytes = 32 for SHA-256 and SHAKE-128. We use the notation H.b_in_bytes = 32 for SHA-256 and SHAKE-128. We use the notation
H.hash(m) = H.hash(m, H.b_in_bytes) and let the hash operation H.hash(m) = H.hash(m, H.b_in_bytes) and let the hash operation
output the default length if no explicit length parameter is output the default length if no explicit length parameter is
given. given.
* H.bmax_in_bytes denotes the _maximum_ output size in octets * H.bmax_in_bytes denotes the _maximum_ output size in octets
supported by the hash function. In case of fixed-size hashes such supported by the hash function. In case of fixed-size hashes such
as SHA-256, this is the same as H.b_in_bytes, while there is no as SHA-256, this is the same as H.b_in_bytes, while there is no
such limit for hash functions such as SHAKE-256. such limit for hash functions such as SHAKE-256.
draft-irtf-cfrg-cpace-10.txt:
* H.s_in_bytes denotes the _input block size_ used by H. For
instance, for SHA-512 the input block size s_in_bytes is 128,
while for SHAKE-256 the input block size amounts to 136 bytes.

draft-irtf-cfrg-cpace-11.txt:
* H.s_in_bytes denotes the _input block size_ used by H. This
number denotes the maximum number of bytes that can be processed
in a single block before applying the compression function or
permutation becomes necessary. (See also [RFC2104] for the
corresponding block size concepts.) For instance, for SHA-512 the
input block size s_in_bytes is 128 as the compression function can
process up to 128 bytes, while for SHAKE-256 the input block size
amounts to 136 bytes before the permutation of the sponge state
needs to be applied.
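The hash-function object H described in this section, written out as an added example in Python (an editor's illustration, not code from the draft or from its reference implementation). It instantiates H for the four functions named above using hashlib, implements H.hash(m,l) as the first l octets of the output, refuses lengths above H.bmax_in_bytes for fixed-size hashes, and cross-checks the stated H.s_in_bytes values (128 for SHA-512, 136 for SHAKE-256) against the block size hashlib reports. The block sizes used for SHA-256 and SHAKE-128 (64 and 168 octets) are not stated on this page; they are this example's values and are checked the same way.

```python
# Added example (editor's illustration, not code from the draft): the
# hash-function object H of Section 5.1, instantiated with hashlib.
import hashlib


class HashFunction:
    """A CPace 'H' object: H.hash(m, l), H.b_in_bytes, H.bmax_in_bytes and
    H.s_in_bytes, following the attribute names used in the draft."""

    def __init__(self, name, ctor, b_in_bytes, bmax_in_bytes, s_in_bytes):
        self.name = name
        self.ctor = ctor                    # hashlib constructor
        self.b_in_bytes = b_in_bytes        # default output length
        self.bmax_in_bytes = bmax_in_bytes  # None means unbounded (XOF)
        self.s_in_bytes = s_in_bytes        # input block size

    def hash(self, m, l=None):
        """Return the first l octets of H's output; l defaults to b_in_bytes."""
        if l is None:
            l = self.b_in_bytes
        if not output_length_ok(self, l):
            raise ValueError(f"{self.name} cannot produce {l} octets")
        h = self.ctor(m)
        if self.bmax_in_bytes is None:   # XOF: request exactly l octets
            return h.digest(l)
        return h.digest()[:l]            # fixed-size hash: truncate


def output_length_ok(H, l):
    """True if H.hash(m, l) is defined for this l (0 <= l <= bmax_in_bytes)."""
    return l >= 0 and (H.bmax_in_bytes is None or l <= H.bmax_in_bytes)


def block_size_matches_hashlib(H):
    """Cross-check: the s_in_bytes stated for H equals hashlib's block_size."""
    return H.ctor().block_size == H.s_in_bytes


def truncation_is_prefix(H, m, l):
    """Outputs requested with different lengths agree on their common prefix,
    i.e. H.hash(m, l) and H.hash(m) are prefixes of one another."""
    a, b = H.hash(m, l), H.hash(m)
    n = min(len(a), len(b))
    return a[:n] == b[:n]


# The four hash functions named in the draft. b_in_bytes and the s_in_bytes
# of SHA-512 / SHAKE-256 are taken from the text; the SHA-256 and SHAKE-128
# block sizes (64 and 168) are this example's values, verified below.
SHA512   = HashFunction("SHA-512",   hashlib.sha512,    64, 64,   128)
SHAKE256 = HashFunction("SHAKE-256", hashlib.shake_256, 64, None, 136)
SHA256   = HashFunction("SHA-256",   hashlib.sha256,    32, 32,   64)
SHAKE128 = HashFunction("SHAKE-128", hashlib.shake_128, 32, None, 168)
ALL_HASHES = (SHA512, SHAKE256, SHA256, SHAKE128)


if __name__ == "__main__":
    for H in ALL_HASHES:
        print(H.name, "block size matches hashlib:", block_size_matches_hashlib(H),
              "default output:", len(H.hash(b"abc")), "octets")
```

The block-size check matters because s_in_bytes feeds the zero-padding in the generator derivation (Section 7.1 and Appendix A.2, not reproduced in this excerpt); an implementation that hard-codes the wrong value still produces a valid-looking generator, just not the one other implementations compute.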
5.2. Group environment G 5.2. Group environment G
The group environment G specifies an elliptic curve group (also The group environment G specifies an elliptic curve group (also
denoted G for convenience) and associated constants and functions as denoted G for convenience) and associated constants and functions as
detailed below. In this document we use multiplicative notation for detailed below. In this document we use additive notation for the
the group operation. group operation.
* G.calculate_generator(H,PRS,CI,sid) denotes a function that * G.calculate_generator(H,PRS,CI,sid) denotes a function that
outputs a representation of a generator (referred to as outputs a representation of a generator (referred to as
"generator" from now on) of the group which is derived from input "generator" from now on) of the group which is derived from input
octet strings PRS, CI, and sid and with the help of the hash octet strings PRS, CI, and sid and with the help of the hash
function H. function H.
* G.sample_scalar() is a function returning a representation of a * G.sample_scalar() is a function returning a representation of an
scalar (referred to as "scalar" from now on) appropriate as a integer (referred to as "scalar" from now on) appropriate as a
private Diffie-Hellman key for the group. private Diffie-Hellman key for the group.
* G.scalar_mult(y,g) is a function operating on a scalar y and a * G.scalar_mult(y,g) is a function operating on a scalar y and a
group element g. It returns an octet string representation of the group element g. It returns an octet string representation of the
group element Y = g^y. group element Y = g*y.
* G.I denotes a unique octet string representation of the neutral * G.I denotes a unique octet string representation of the neutral
element of the group. G.I is used for detecting and signaling element of the group. G.I is used for detecting and signaling
certain error conditions. certain error conditions.
* G.scalar_mult_vfy(y,g) is a function operating on a scalar y and a * G.scalar_mult_vfy(y,g) is a function operating on a scalar y and a
group element g. It returns an octet string representation of the group element g. It returns an octet string representation of the
group element g^y. Additionally, scalar_mult_vfy specifies group element g*y. Additionally, scalar_mult_vfy specifies
validity conditions for y,g and g^y and outputs G.I in case they validity conditions for y,g and g*y and outputs G.I in case they
are not met. are not met.
* G.DSI denotes a domain-separation identifier string which SHALL be * G.DSI denotes a domain-separation identifier octet string which
uniquely identifying the group environment G. SHALL be uniquely identifying the group environment G.
5.3. Notation for string operations 5.3. Notation for string operations
* bytes1 || bytes2 denotes concatenation of octet strings. * bytes1 || bytes2 denotes concatenation of octet strings.
* len(S) denotes the number of octets in a string S. * len(S) denotes the number of octets in an octet string S.
* nil denotes an empty octet string, i.e., len(nil) = 0. * nil denotes an empty octet string, i.e., len(nil) = 0.
* This document uses quotation marks "" both for general language
(e.g. for citation of notation used in other documents) and as
syntax for specifying octet strings as in b"CPace25519".
We use a preceding lower-case letter b"" in front of the
quotation marks if a character sequence is representing an octet
string sequence. I.e. we use the notation for byte string
representations with single-byte ASCII character encodings from
the python programming language.
* prepend_len(octet_string) denotes the octet sequence that is * prepend_len(octet_string) denotes the octet sequence that is
obtained from prepending the length of the octet string to the obtained from prepending the length of the octet string to the
string itself. The length shall be prepended by using an LEB128 string itself. The length shall be prepended by using an LEB128
encoding of the length. This will result in a single-byte encoding of the length. This will result in a single-byte
encoding for values below 128. (Test vectors and reference encoding for values below 128. (Test vectors and reference
implementations for prepend_len and the LEB128 encodings are given implementations for prepend_len and the LEB128 encodings are given
in the appendix.) in the appendix.)
* lv_cat(a0,a1, ...) is the "length-value" encoding function which * lv_cat(a0,a1, ...) is the "length-value" encoding function which
returns the concatenation of the input strings with an encoding of returns the concatenation of the input strings with an encoding of
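Review bot: "bytes1 || bytes2 and denotes concatenation of octet strings" carries a stray "and" in both columns; it should read "bytes1 || bytes2 denotes concatenation of octet strings". In the new b"" notation bullet, "preceeding" should be "preceding" and "octet string sequence" just "octet string"; and since G.DSI, len() and nil are now consistently typed as octet strings, the prepend_len and lv_cat bullets should also say "octet string" rather than "string" for their inputs.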
skipping to change at page 12, line 32 skipping to change at page 12, line 46
implementation of MSG = network_encode(Y,AD) SHALL allow the implementation of MSG = network_encode(Y,AD) SHALL allow the
receiver party to parse MSG for the individual subcomponents Y and receiver party to parse MSG for the individual subcomponents Y and
AD. For CPace we RECOMMEND to implement network_encode(Y,AD) as AD. For CPace we RECOMMEND to implement network_encode(Y,AD) as
network_encode(Y,AD) = lv_cat(Y,AD). network_encode(Y,AD) = lv_cat(Y,AD).
Other encodings, such as the network encoding used for the client- Other encodings, such as the network encoding used for the client-
hello and server-hello messages in TLS MAY also be used when hello and server-hello messages in TLS MAY also be used when
following the guidance given in the security consideration following the guidance given in the security consideration
section. section.
* sample_random_bytes(n) denotes a function that returns n octets * sample_random_bytes(n) denotes a function that returns n octets,
uniformly distributed between 0 and 255. each of which is to be independently sampled from an uniform
distribution between 0 and 255.
* zero_bytes(n) denotes a function that returns n octets with value * zero_bytes(n) denotes a function that returns n octets with value
0. 0.
* oCat(bytes1,bytes2) denotes ordered concatenation of octet * o_cat(bytes1,bytes2) denotes a function for ordered concatenation
strings, which places the lexiographically larger octet string of octet strings. It places the lexiographically larger octet
first. (Explicit reference code for this function is given in the string first and prepends the two bytes from the octet string
appendix.) b"oc" to the result. (Explicit reference code for this function
is given in the appendix.)
* transcript(MSGa,MSGb) denotes function outputing a string for the * transcript(MSGa,MSGb) denotes function outputing a string for the
protocol transcript with messages MSGa and MSGb. In applications protocol transcript with messages MSGa and MSGb. In applications
where CPace is used without clear initiator and responder roles, where CPace is used without clear initiator and responder roles,
i.e. where the ordering of messages is not enforced by the i.e. where the ordering of messages is not enforced by the
protocol flow, transcript(MSGa,MSGb) = oCat(MSGa,MSGb) SHOULD be protocol flow, transcript(MSGa,MSGb) = o_cat(MSGa,MSGb) SHALL be
used. In the initiator-responder setting transcript(MSGa,MSGb) used. In the initiator-responder setting transcript(MSGa,MSGb)
SHOULD BE implemented such that the later message is appended to SHALL BE implemented such that the later message is appended to
the earlier message, i.e., transcript(MSGa,MSGb) = MSGa||MSGb if the earlier message, i.e., transcript(MSGa,MSGb) = MSGa||MSGb if
MSGa is sent first. MSGa is sent first.
5.4. Notation for group operations 5.4. Notation for group operations
We use multiplicative notation for the group, i.e., X^2 denotes the We use additive notation for the group, i.e., X*2 denotes the element
element that is obtained by computing X*X, for group element X and that is obtained by computing X+X, for group element X and group
group operation *. operation +.
6. The CPace protocol 6. The CPace protocol
CPace is a one round protocol between two parties, A and B. At CPace is a one round protocol between two parties, A and B. At
invocation, A and B are provisioned with PRS,G,H and OPTIONAL invocation, A and B are provisioned with PRS,G,H and OPTIONAL
CI,sid,ADa (for A) and CI,sid,ADb (for B). A sends a message MSGa to CI,sid,ADa (for A) and CI,sid,ADb (for B). A sends a message MSGa to
B. MSGa contains the public share Ya and OPTIONAL associated data B. MSGa contains the public share Ya and OPTIONAL associated data
ADa (i.e. an ADa field that MAY have a length of 0 bytes). Likewise, ADa (i.e. an ADa field that MAY have a length of 0 bytes). Likewise,
B sends a message MSGb to A. MSGb contains the public share Yb and B sends a message MSGb to A. MSGb contains the public share Yb and
OPTIONAL associated data ADb (i.e. an ADb field that MAY have a OPTIONAL associated data ADb (i.e. an ADb field that MAY have a
length of 0 bytes). Both A and B use the received messages for length of 0 bytes). Both A and B use the received messages for
deriving a shared intermediate session key, ISK. deriving a shared intermediate session key, ISK.
6.1. Protocol flow 6.1. Protocol flow
Optional parameters and messages are denoted with []. Optional parameters and messages are denoted with [].
public: G, H, [CI], [sid] public: G, H
A: PRS,[ADa] B: PRS,[ADb] A: PRS,[ADa],[CI],[sid] B: PRS,[ADb],[CI],[sid]
--------------------------------------- ---------------------------------------
compute Ya | Ya,[ADa] | compute Yb compute Ya | Ya,[ADa] | compute Yb
|----------------->| |----------------->|
| Yb,[ADb] | | Yb,[ADb] |
verify inputs |<-----------------| verify inputs verify inputs |<-----------------| verify inputs
derive ISK | | derive ISK derive ISK | | derive ISK
--------------------------------------- ---------------------------------------
output ISK output ISK output ISK output ISK
6.2. CPace protocol instructions 6.2. CPace protocol instructions
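Review bot: in the sample_random_bytes bullet "an uniform distribution" should be "a uniform distribution"; in the o_cat bullet "lexiographically" should be "lexicographically"; and "denotes function outputing" in the transcript bullet should be "denotes a function outputting", with "SHALL BE implemented" written "SHALL be", since only SHALL is the BCP 14 keyword. On substance, the o_cat bullet gives no reason for the new b"oc" prefix: since the initiator-responder transcript is the bare MSGa||MSGb, a sentence stating that the prefix keeps the two transcript formats from ever producing the same string would let implementers see why it must not be dropped, and the appendix reference code the bullet cites should use the new o_cat name rather than oCat.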
skipping to change at page 14, line 5 skipping to change at page 14, line 29
A computes a generator g = G.calculate_generator(H,PRS,CI,sid), A computes a generator g = G.calculate_generator(H,PRS,CI,sid),
scalar ya = G.sample_scalar() and group element Ya = G.scalar_mult scalar ya = G.sample_scalar() and group element Ya = G.scalar_mult
(ya,g). A then transmits MSGa = network_encode(Ya, ADa) with (ya,g). A then transmits MSGa = network_encode(Ya, ADa) with
optional associated data ADa to B. optional associated data ADa to B.
B computes a generator g = G.calculate_generator(H,PRS,CI,sid), B computes a generator g = G.calculate_generator(H,PRS,CI,sid),
scalar yb = G.sample_scalar() and group element Yb = scalar yb = G.sample_scalar() and group element Yb =
G.scalar_mult(yb,g). B sends MSGb = network_encode(Yb, ADb) with G.scalar_mult(yb,g). B sends MSGb = network_encode(Yb, ADb) with
optional associated data ADb to A. optional associated data ADb to A.
Upon reception of MSGa, B checks that MSGa was properly generated Upon reception of MSGa, B checks that MSGa was properly generated in
conform with the chosen encoding of network messages (notably correct conformity with the chosen encoding of network messages (notably
length fields). If this parsing fails, then B MUST abort. correct length fields). If this parsing fails, then B MUST abort.
(Testvectors of examples for invalid messages when using lv_cat() as (Testvectors of examples for invalid messages when using lv_cat() as
network_encode function for CPace are given in the appendix.) B then network_encode function for CPace are given in the appendix.) B then
computes K = G.scalar_mult_vfy(yb,Ya). B MUST abort if K=G.I. computes K = G.scalar_mult_vfy(yb,Ya). B MUST abort if K=G.I.
Otherwise B returns ISK = H.hash(lv_cat(G.DSI || "_ISK", sid, Otherwise B calculates ISK = H.hash(lv_cat(G.DSI || b"_ISK", sid,
K)||transcript(MSGa, MSGb)). B returns ISK and terminates. K)||transcript(MSGa, MSGb)). B returns ISK and terminates.
Likewise upon reception of MSGb, A parses MSGb for Yb and ADb and Likewise upon reception of MSGb, A parses MSGb for Yb and ADb and
checks for a valid encoding. If this parsing fails, then A MUST checks for a valid encoding. If this parsing fails, then A MUST
abort. A then computes K = G.scalar_mult_vfy(ya,Yb). A MUST abort abort. A then computes K = G.scalar_mult_vfy(ya,Yb). A MUST abort
if K=G.I. Otherwise A returns ISK = H.hash(lv_cat(G.DSI || "_ISK", if K=G.I. Otherwise A calculates ISK = H.hash(lv_cat(G.DSI ||
sid, K) || transcript(MSGa, MSGb)). A returns ISK and terminates. b"_ISK", sid, K) || transcript(MSGa, MSGb)). A returns ISK and
terminates.
The session key ISK returned by A and B is identical if and only if The session key ISK returned by A and B is identical if and only if
the supplied input parameters PRS, CI and sid match on both sides and the supplied input parameters PRS, CI and sid match on both sides and
transcript view (containing of MSGa and MSGb) of both parties match. transcript view (containing of MSGa and MSGb) of both parties match.
(Note that in case of a symmetric protocol execution without clear (Note that in case of a symmetric protocol execution without clear
initiator/responder roles, transcript(MSGa, MSGb) needs to be initiator/responder roles, transcript(MSGa, MSGb) needs to be
implemented using ordered concatenation for generating a matching implemented using ordered concatenation for generating a matching
view by both parties.) view by both parties.)
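Review bot: the generator call is written G.calculate_generator(H,PRS,CI,sid) here, but Sections 7.2, 7.3 and 7.4 write G.calculate_generator(H, PRS,sid,CI); one parameter order should be used throughout, preferably the (DSI, PRS, CI, sid) order already used by generator_string. Also "transcript view (containing of MSGa and MSGb)" should read "consisting of MSGa and MSGb", and "Testvectors" should be "Test vectors".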
skipping to change at page 14, line 47 skipping to change at page 15, line 23
* generator_string(DSI, PRS, CI, sid, s_in_bytes) denotes a function * generator_string(DSI, PRS, CI, sid, s_in_bytes) denotes a function
that returns the string lv_cat(DSI, PRS, zero_bytes(len_zpad), CI, that returns the string lv_cat(DSI, PRS, zero_bytes(len_zpad), CI,
sid). sid).
* len_zpad = MAX(0, s_in_bytes - len(prepend_len(PRS)) - * len_zpad = MAX(0, s_in_bytes - len(prepend_len(PRS)) -
len(prepend_len(G.DSI)) - 1) len(prepend_len(G.DSI)) - 1)
The zero padding of length len_zpad is designed such that the The zero padding of length len_zpad is designed such that the
encoding of DSI and PRS together with the zero padding field encoding of DSI and PRS together with the zero padding field
completely fills the first input block (of length s_in_bytes) of the completely fills at least the first input block (of length
hash. As a result for the common case of short PRS the number of s_in_bytes) of the hash. As a result for the common case of short
bytes to hash becomes independent of the actual length of the PRS the number of bytes to hash becomes independent of the actual
password (PRS). (A reference implementation and test vectors are length of the password (PRS). (A reference implementation and test
provided in the appendix.) vectors are provided in the appendix.)
The introduction of a zero-padding within the generator string also The introduction of a zero-padding within the generator string also
helps mitigating attacks of a side-channel adversary that analyzes helps mitigating attacks of a side-channel adversary that analyzes
correlations between publicly known variable information with the correlations between publicly known variable information with a short
low-entropy PRS string. Note that the hash of the first block is low-entropy PRS string. Note that the hash of the first block is
intentionally made independent of session-specific inputs, such as intentionally made independent of session-specific inputs, such as
sid or CI. sid or CI and that there is no limitation regarding the maximum
length of the PRS string.
7.2. CPace group objects G_X25519 and G_X448 for single-coordinate 7.2. CPace group objects G_X25519 and G_X448 for single-coordinate
Ladders on Montgomery curves Ladders on Montgomery curves
In this section we consider the case of CPace when using the X25519 In this section we consider the case of CPace when using the X25519
and X448 Diffie-Hellman functions from [RFC7748] operating on the and X448 Diffie-Hellman functions from [RFC7748] operating on the
Montgomery curves Curve25519 and Curve448 [RFC7748]. CPace Montgomery curves Curve25519 and Curve448 [RFC7748]. CPace
implementations using single-coordinate ladders on further Montgomery implementations using single-coordinate ladders on further Montgomery
curves SHALL use the definitions in line with the specifications for curves SHALL use the definitions in line with the specifications for
X25519 and X448 and review the guidance given in Section 9. X25519 and X448 and review the guidance given in Section 9.
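Review bot: the "- 1" term in len_zpad is not explained; it reserves the one-byte prepend_len prefix of the zero_bytes(len_zpad) field, which is a single byte only while len_zpad < 128 (per the LEB128 remark in Section 5.3), so a sentence stating this assumption, and that a longer prefix merely makes the padded prefix overshoot the block (the reason for the new "at least"), would make the design intent checkable by readers. Also "helps mitigating attacks" should be "helps mitigate attacks", and "correlations between publicly known variable information with" should be "between ... information and".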
skipping to change at page 15, line 26 skipping to change at page 16, line 4
Montgomery curves Curve25519 and Curve448 [RFC7748]. CPace Montgomery curves Curve25519 and Curve448 [RFC7748]. CPace
implementations using single-coordinate ladders on further Montgomery implementations using single-coordinate ladders on further Montgomery
curves SHALL use the definitions in line with the specifications for curves SHALL use the definitions in line with the specifications for
X25519 and X448 and review the guidance given in Section 9. X25519 and X448 and review the guidance given in Section 9.
For the group environment G_X25519 the following definitions apply: For the group environment G_X25519 the following definitions apply:
* G_X25519.field_size_bytes = 32 * G_X25519.field_size_bytes = 32
* G_X25519.field_size_bits = 255 * G_X25519.field_size_bits = 255
* G_X25519.sample_scalar() = sample_random_bytes(G.field_size_bytes) * G_X25519.sample_scalar() = sample_random_bytes(G.field_size_bytes)
* G_X25519.scalar_mult(y,g) = G.scalar_mult_vfy(y,g) = X25519(y,g) * G_X25519.scalar_mult(y,g) = G.scalar_mult_vfy(y,g) = X25519(y,g)
* G_X25519.I = zero_bytes(G.field_size_bytes) * G_X25519.I = zero_bytes(G.field_size_bytes)
* G_X25519.DSI = "CPace255" * G_X25519.DSI = b"CPace255"
CPace cipher suites using G_X25519 MUST use a hash function producing CPace cipher suites using G_X25519 MUST use a hash function producing
at least H.b_max_in_bytes >= 32 bytes of output. It is RECOMMENDED at least H.b_max_in_bytes >= 32 bytes of output. It is RECOMMENDED
to use G_X25519 in combination with SHA-512. to use G_X25519 in combination with SHA-512.
For X448 the following definitions apply: For X448 the following definitions apply:
* G_X448.field_size_bytes = 56 * G_X448.field_size_bytes = 56
* G_X448.field_size_bits = 448 * G_X448.field_size_bits = 448
* G_X448.sample_scalar() = sample_random_bytes(G.field_size_bytes) * G_X448.sample_scalar() = sample_random_bytes(G.field_size_bytes)
* G_X448.scalar_mult(y,g) = G.scalar_mult_vfy(y,g) = X448(y,g) * G_X448.scalar_mult(y,g) = G.scalar_mult_vfy(y,g) = X448(y,g)
* G_X448.I = zero_bytes(G.field_size_bytes) * G_X448.I = zero_bytes(G.field_size_bytes)
* G_X448.DSI = "CPace448" * G_X448.DSI = b"CPace448"
CPace cipher suites using G_X448 MUST use a hash function producing CPace cipher suites using G_X448 MUST use a hash function producing
at least H.b_max_in_bytes >= 56 bytes of output. It is RECOMMENDED at least H.b_max_in_bytes >= 56 bytes of output. It is RECOMMENDED
to use G_X448 in combination with SHAKE-256. to use G_X448 in combination with SHAKE-256.
For both G_X448 and G_X25519 the G.calculate_generator(H, PRS,sid,CI) For both G_X448 and G_X25519 the G.calculate_generator(H, PRS,sid,CI)
function shall be implemented as follows. function shall be implemented as follows.
* First gen_str = generator_string(G.DSI,PRS,CI,sid, H.s_in_bytes) * First gen_str = generator_string(G.DSI,PRS,CI,sid, H.s_in_bytes)
SHALL BE calculated using the input block size of the chosen hash SHALL BE calculated using the input block size of the chosen hash
function. function.
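Review bot: "at least H.b_max_in_bytes >= 32 bytes of output" states the bound twice (likewise for the 56-byte G_X448 case); "producing H.b_max_in_bytes >= 32 bytes of output" suffices. With G.scalar_mult_vfy defined as the plain X25519/X448 function and G.I as zero_bytes, the only low-order defence in these two group objects is the K = G.I comparison of Section 6.2, which is worth saying explicitly here so that implementers do not treat the comparison as optional. The lowercase "function shall be implemented as follows" should use the BCP 14 SHALL used in the rest of the section.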
skipping to change at page 16, line 39 skipping to change at page 17, line 19
repeats the definitions from [RFC9380] for convenience. repeats the definitions from [RFC9380] for convenience.
In the appendix we show sage code that can be used as reference In the appendix we show sage code that can be used as reference
implementation. implementation.
7.2.1. Verification tests 7.2.1. Verification tests
For single-coordinate Montgomery ladders on Montgomery curves For single-coordinate Montgomery ladders on Montgomery curves
verification tests according to Section 8 SHALL check for proper verification tests according to Section 8 SHALL check for proper
handling of the abort conditions, when a party is receiving u handling of the abort conditions, when a party is receiving u
coordinate values that encode a low-order point on either, the curve coordinate values that encode a low-order point on either the curve
or the quadratic twist. or the quadratic twist.
In addition to that in case of G_X25519 the tests SHALL also verify In addition to that in case of G_X25519 the tests SHALL also verify
that the implementation of G.scalar_mult_vfy(y,g) produces the that the implementation of G.scalar_mult_vfy(y,g) produces the
expected results for non-canonical u coordinate values with bit #255 expected results for non-canonical u coordinate values with bit #255
set, which may also encode low-order points. set, which may also encode low-order points.
Corresponding test vectors are provided in the appendix. Corresponding test vectors are provided in the appendix.
7.3. CPace group objects G_Ristretto255 and G_Decaf448 for prime-order 7.3. CPace group objects G_Ristretto255 and G_Decaf448 for prime-order
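Review bot: the non-canonical u-coordinate test is required only for G_X25519 (bit #255 set); the text should say whether G_X448 needs an equivalent test for non-canonical encodings, or state why it does not, so that test suites for both group objects follow the same rule. Also "can be used as reference implementation" should be "as a reference implementation".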
skipping to change at page 17, line 22 skipping to change at page 17, line 46
internal encoding and an element-derivation function that maps a byte internal encoding and an element-derivation function that maps a byte
string to a group element. With the group abstractions there is a string to a group element. With the group abstractions there is a
distinction between an internal representation of group elements and distinction between an internal representation of group elements and
an external encoding of the same group element. In order to an external encoding of the same group element. In order to
distinguish between these different representations, we prepend an distinguish between these different representations, we prepend an
underscore before values using the internal representation within underscore before values using the internal representation within
this section. this section.
For Ristretto255 the following definitions apply: For Ristretto255 the following definitions apply:
* G_Ristretto255.DSI = "CPaceRistretto255" * G_Ristretto255.DSI = b"CPaceRistretto255"
* G_Ristretto255.field_size_bytes = 32 * G_Ristretto255.field_size_bytes = 32
* G_Ristretto255.group_size_bits = 252 * G_Ristretto255.group_size_bits = 252
* G_Ristretto255.group_order = 2^252 + * G_Ristretto255.group_order = 2^252 +
27742317777372353535851937790883648493 27742317777372353535851937790883648493
CPace cipher suites using G_Ristretto255 MUST use a hash function CPace cipher suites using G_Ristretto255 MUST use a hash function
producing at least H.b_max_in_bytes >= 64 bytes of output. It is producing at least H.b_max_in_bytes >= 64 bytes of output. It is
RECOMMENDED to use G_Ristretto255 in combination with SHA-512. RECOMMENDED to use G_Ristretto255 in combination with SHA-512.
For decaf448 the following definitions apply: For decaf448 the following definitions apply:
* G_Decaf448.DSI = "CPaceDecaf448" * G_Decaf448.DSI = b"CPaceDecaf448"
* G_Decaf448.field_size_bytes = 56 * G_Decaf448.field_size_bytes = 56
* G_Decaf448.group_size_bits = 445 * G_Decaf448.group_size_bits = 445
* G_Decaf448.group_order = l = 2^446 - * G_Decaf448.group_order = l = 2^446 -
1381806680989511535200738674851542 1381806680989511535200738674851542
6880336692474882178609894547503885 6880336692474882178609894547503885
CPace cipher suites using G_Decaf448 MUST use a hash function CPace cipher suites using G_Decaf448 MUST use a hash function
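Review bot: G_Decaf448.group_order is wrapped over two lines, so the digits of a single constant have to be re-joined by the reader (the Ristretto255 value is at least broken after its "+"); put each group_order on one line, or break only at the operator. "For decaf448" should be "For Decaf448", matching the identifier G_Decaf448 and the "For Ristretto255" paragraph.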
skipping to change at page 18, line 23 skipping to change at page 18, line 47
integer value and return the result. integer value and return the result.
* Alternatively, if G.sample_scalar() is not implemented according * Alternatively, if G.sample_scalar() is not implemented according
to the above recommendation, it SHALL be implemented using uniform to the above recommendation, it SHALL be implemented using uniform
sampling between 1 and (G.group_order - 1). Note that the more sampling between 1 and (G.group_order - 1). Note that the more
complex uniform sampling process can provide a larger side-channel complex uniform sampling process can provide a larger side-channel
attack surface for embedded systems in hostile environments. attack surface for embedded systems in hostile environments.
* G.scalar_mult(y,_g) SHALL operate on a scalar y and a group * G.scalar_mult(y,_g) SHALL operate on a scalar y and a group
element _g in the internal representation of the group abstraction element _g in the internal representation of the group abstraction
environment. It returns the value Y = encode((_g)^y), i.e. it environment. It returns the value Y = encode((_g) * y), i.e. it
returns a value using the public encoding. returns a value using the public encoding.
* G.I = is the public encoding representation of the identity * G.I = is the public encoding representation of the identity
element. element.
* G.scalar_mult_vfy(y,X) operates on a value using the public * G.scalar_mult_vfy(y,X) operates on a value using the public
encoding and a scalar and is implemented as follows. If the encoding and a scalar and is implemented as follows. If the
decode(X) function fails, it returns G.I. Otherwise it returns decode(X) function fails, it returns G.I. Otherwise it returns
encode( decode(X)^y ). encode( decode(X) * y ).
* The G.calculate_generator(H, PRS,sid,CI) function SHALL return a * The G.calculate_generator(H, PRS,sid,CI) function SHALL return a
decoded point and SHALL BE implemented as follows. decoded point and SHALL BE implemented as follows.
- First gen_str = generator_string(G.DSI,PRS,CI,sid, - First gen_str = generator_string(G.DSI,PRS,CI,sid,
H.s_in_bytes) is calculated using the input block size of the H.s_in_bytes) is calculated using the input block size of the
chosen hash function. chosen hash function.
- This string is then hashed to the required length gen_str_hash - This string is then hashed to the required length gen_str_hash
= H.hash(gen_str, 2 * G.field_size_bytes). Note that this = H.hash(gen_str, 2 * G.field_size_bytes). Note that this
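Review bot: "G.I = is the public encoding representation" has a stray "=". The G.scalar_mult_vfy bullet only covers a failed decode(X); it should also say what happens when X is a valid encoding of the identity element, where decode(X) * y is again the identity and encode() of it is G.I, so the Section 6.2 abort still triggers. Spelling that out closes the obvious reviewer question about whether an identity encoding slips past the check.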
skipping to change at page 20, line 38 skipping to change at page 21, line 12
either the neutral element on the group or does not form a valid either the neutral element on the group or does not form a valid
encoding of a point on the group. encoding of a point on the group.
* With encode_to_curve(str,DST) we denote a mapping function from * With encode_to_curve(str,DST) we denote a mapping function from
[RFC9380]. I.e. a function that maps octet string str to a point [RFC9380]. I.e. a function that maps octet string str to a point
on the group using the domain separation tag DST. [RFC9380] on the group using the domain separation tag DST. [RFC9380]
considers both, uniform and non-uniform mappings based on several considers both, uniform and non-uniform mappings based on several
different strategies. It is RECOMMENDED to use the nonuniform different strategies. It is RECOMMENDED to use the nonuniform
variant of the SSWU mapping primitive within [RFC9380]. variant of the SSWU mapping primitive within [RFC9380].
* G.DSI denotes a domain-separation identifier string. G.DSI which * G.DSI denotes a domain-separation identifier octet string. G.DSI
SHALL BE obtained by the concatenation of "CPace" and the which SHALL BE obtained by the concatenation of b"CPace" and the
associated name of the cipher suite used for the encode_to_curve associated name of the cipher suite used for the encode_to_curve
function as specified in [RFC9380]. E.g. when using the map with function as specified in [RFC9380]. E.g. when using the map with
the name "P384_XMD:SHA-384_SSWU_NU_" on curve NIST-P384 the the name P384_XMD:SHA-384_SSWU_NU_ on curve NIST-P384 the
resulting value SHALL BE G.DSI = "CPaceP384_XMD:SHA-384_SSWU_NU_". resulting value SHALL BE G.DSI = b"CPaceP384_XMD:SHA-
384_SSWU_NU_".
Using the above definitions, the CPace functions required for the Using the above definitions, the CPace functions required for the
group object G are defined as follows. group object G are defined as follows.
* G.DST denotes the domain-separation tag value to use in * G.DST denotes the domain-separation tag value to use in
conjunction with the encode_to_curve function from [RFC9380]. conjunction with the encode_to_curve function from [RFC9380].
G.DST shall be obtained by concatenating G.DSI and "_DST". G.DST shall be obtained by concatenating G.DSI and b"_DST".
* G.sample_scalar() SHALL return a value between 1 and * G.sample_scalar() SHALL return a value between 1 and
(G.group_order - 1). The value sampling MUST BE uniformly random. (G.group_order - 1). The sampling SHALL BE indistinguishable from
It is RECOMMENDED to use rejection sampling for converting a uniform random selection between 1 and (G.group_order - 1). It is
uniform bitstring to a uniform value between 1 and (G.group_order RECOMMENDED to use a constant-time rejection sampling algorithm
- 1). for converting a uniform bitstring to a uniform value between 1
and (G.group_order - 1).
* G.calculate_generator(H, PRS,sid,CI) function SHALL be implemented * G.calculate_generator(H, PRS,sid,CI) function SHALL be implemented
as follows. as follows.
- First gen_str = generator_string(G.DSI,PRS,CI,sid, - First gen_str = generator_string(G.DSI,PRS,CI,sid,
H.s_in_bytes) is calculated. H.s_in_bytes) is calculated.
- Then the output of a call to encode_to_curve(gen_str, G.DST) is - Then the output of a call to encode_to_curve(gen_str, G.DST) is
returned, using the selected suite from [RFC9380]. returned, using the selected suite from [RFC9380].
* G.scalar_mult(s,X) is a function that operates on a scalar s and * G.scalar_mult(s,X) is a function that operates on a scalar s and
an input point X. The input X shall use the same encoding as an input point X. The input X shall use the same encoding as
produced by the G.calculate_generator method above. produced by the G.calculate_generator method above.
G.scalar_mult(s,X) SHALL return an encoding of either the point G.scalar_mult(s,X) SHALL return an encoding of either the point
X^s or the point X^(-s) according to [SEC1]. Implementations X*s or the point X*(-s) according to [SEC1]. Implementations
SHOULD use the full-coordinate format without compression, as SHOULD use the full-coordinate format without compression, as
important protocols such as TLS 1.3 removed support for important protocols such as TLS 1.3 removed support for
compression. Implementations of scalar_mult(s,X) MAY output compression. Implementations of scalar_mult(s,X) MAY output
either X^s or X^(-s) as both points X^s and X^(-s) have the same either X*s or X*(-s) as both points X*s and X*(-s) have the same
x-coordinate and result in the same Diffie-Hellman shared secrets x-coordinate and result in the same Diffie-Hellman shared secrets
K. (This allows implementations to opt for x-coordinate-only K. (This allows implementations to opt for x-coordinate-only
scalar multiplication algorithms.) scalar multiplication algorithms.)
* G.scalar_mult_vfy(s,X) merges verification of point X according to * G.scalar_mult_vfy(s,X) merges verification of point X according to
[IEEE1363] A.16.10. and the the ECSVDP-DH procedure from [IEEE1363] A.16.10. and the the ECSVDP-DH procedure from
[IEEE1363]. It SHALL BE implemented as follows: [IEEE1363]. It SHALL BE implemented as follows:
- If is_valid(X) = False then G.scalar_mult_vfy(s,X) SHALL return - If is_valid(X) = False then G.scalar_mult_vfy(s,X) SHALL return
"error" as specified in [IEEE1363] A.16.10 and 7.2.1. "error" as specified in [IEEE1363] A.16.10 and 7.2.1.
- Otherwise G.scalar_mult_vfy(s,X) SHALL return the result of the - Otherwise G.scalar_mult_vfy(s,X) SHALL return the result of the
ECSVDP-DH procedure from [IEEE1363] (section 7.2.1). I.e. it ECSVDP-DH procedure from [IEEE1363] (section 7.2.1). I.e. it
shall either return "error" (in case that X^s is the neutral shall either return "error" (in case that X*s is the neutral
element) or the secret shared value "z" (otherwise). "z" SHALL element) or the secret shared value "z" (otherwise). "z" SHALL
be encoded by using the big-endian encoding of the x-coordinate be encoded by using the big-endian encoding of the x-coordinate
of the result point X^s according to [SEC1]. of the result point X*s according to [SEC1].
* We represent the neutral element G.I by using the representation * We represent the neutral element G.I by using the representation
of the "error" result case from [IEEE1363] as used in the of the "error" result case from [IEEE1363] as used in the
G.scalar_mult_vfy method above. G.scalar_mult_vfy method above.
7.4.4. Verification tests 7.4.4. Verification tests
For Short-Weierstrass curves verification tests according to For Short-Weierstrass curves verification tests according to
Section 8 SHALL check for proper handling of the abort conditions, Section 8 SHALL check for proper handling of the abort conditions,
when a party is receiving an encoding of the point at infinity and an when a party is receiving an encoding of the point at infinity and an
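Review bot: the example G.DSI literal is broken across the line break inside b"CPaceP384_XMD:SHA-384_SSWU_NU_", right after the hyphen of SHA-384, so it is not obvious which characters belong to the octet string; keep such literals on one line. "G.DSI denotes a domain-separation identifier octet string. G.DSI which SHALL BE obtained" should be one sentence ("... octet string, which SHALL be obtained ..."). In the G.sample_scalar bullet, "constant-time rejection sampling" should say what is meant (for example that each candidate is tested in constant time), since the number of rejection rounds itself necessarily varies. Also "the the ECSVDP-DH procedure" in the G.scalar_mult_vfy bullet.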
skipping to change at page 22, line 22 skipping to change at page 23, line 6
8. Implementation verification 8. Implementation verification
Any CPace implementation MUST be tested against invalid or weak point Any CPace implementation MUST be tested against invalid or weak point
attacks. Implementation MUST be verified to abort upon conditions attacks. Implementation MUST be verified to abort upon conditions
where G.scalar_mult_vfy functions outputs G.I. For testing an where G.scalar_mult_vfy functions outputs G.I. For testing an
implementation it is RECOMMENDED to include weak or invalid point implementation it is RECOMMENDED to include weak or invalid point
encodings within MSGa and MSGb and introduce this in a protocol run. encodings within MSGa and MSGb and introduce this in a protocol run.
It SHALL be verified that the abort condition is properly handled. It SHALL be verified that the abort condition is properly handled.
Moreover regarding the network format any implementation MUST be Moreover regarding the network format any implementation MUST be
tested with respect invalid encodings of MSGa and MSGb. E.g. when tested with respect to invalid encodings of MSGa and MSGb. E.g. when
lv_cat is used as network format for encoding MSGa and MSGb, the sum lv_cat is used as network format for encoding MSGa and MSGb, the sum
of the prepended lengths of the fields must be verified to match the of the prepended lengths of the fields must be verified to match the
actual length of the message. Tests SHALL verify that a party aborts actual length of the message. Tests SHALL verify that a party aborts
in case that incorrectly encoded messages are recieved. in case that incorrectly encoded messages are received.
Corresponding test vectors are given in the appendix for all Corresponding test vectors are given in the appendix for all
recommended cipher suites. recommended cipher suites.
9. Security Considerations 9. Security Considerations
A security proof of CPace is found in [AHH21]. This proof covers all A security proof of CPace is found in [AHH21]. This proof covers all
recommended cipher suites included in this document. In the recommended cipher suites included in this document. In the
following sections we describe how to protect CPace against several following sections we describe how to protect CPace against several
attack families, such as relay-, length extension- or side channel attack families, such as relay-, length extension- or side channel
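Review bot: "Implementation MUST be verified to abort upon conditions where G.scalar_mult_vfy functions outputs G.I" has agreement slips ("Implementations ... the G.scalar_mult_vfy function outputs"). For the lv_cat check, "the sum of the prepended lengths ... must be verified to match the actual length" is right, but the tests should be asked for both failure directions explicitly: length fields that overrun the message and length fields that leave trailing bytes, since an implementation that only bounds-checks its reads passes the first and not the second. In the Section 9 lead-in, "relay-, length extension- or side channel attacks" should be "relay, length-extension, or side-channel attacks".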
skipping to change at page 23, line 11 skipping to change at page 23, line 44
to a party C instead. If no party identifier strings are used, and B to a party C instead. If no party identifier strings are used, and B
and C use the same PRS value, A might be establishing a common ISK and C use the same PRS value, A might be establishing a common ISK
key with C while assuming to interact with party B. Including and key with C while assuming to interact with party B. Including and
checking party identifiers can fend off such relay attacks. checking party identifiers can fend off such relay attacks.
9.2. Network message encoding and hashing protocol transcripts

It is RECOMMENDED to encode the (Ya,ADa) and (Yb,ADb) fields on the
network by using network_encode(Y,AD) = lv_cat(Y,AD). I.e. we
RECOMMEND to prepend an encoding of the length of the subfields.
Prepending the length of all variable-size input strings results in a
so-called prefix-free encoding of transcript strings, using
terminology introduced in [CDMP05]. This property allows for
disregarding length-extension imperfections that come with the
commonly used Merkle-Damgard hash function constructions such as
SHA256 and SHA512.

Other alternative network encoding formats which prepend an encoding
of the length of variable-size data fields in the protocol messages
are equally suitable. This includes, e.g., the type-length-value
format specified in the DER encoding standard (X.690) or the protocol
message encoding used in the TLS protocol family for the TLS client-
skipping to change at page 24, line 25 (draft-10) / page 25, line 8 (draft-11)

recommend adding explicit key confirmation if perfect forward
secrecy is required.

When implementing explicit key confirmation, it is recommended to use
an appropriate message-authentication code (MAC) such as HMAC
[RFC2104] or CMAC [RFC4493] using a key mac_key derived from ISK.
One suitable option that works also in the parallel setting without
message ordering is to proceed as follows.

* First calculate mac_key as mac_key = H.hash(b"CPaceMac" || ISK).

* Then let each party send an authenticator tag Ta, Tb that is
  calculated over the protocol message that it has sent previously.
  I.e. let party A calculate its transmitted authentication code Ta
  as Ta = MAC(mac_key, MSGa) and let party B calculate its
  transmitted authentication code Tb as Tb = MAC(mac_key, MSGb).

* Let the receiving party check the remote authentication tag for
  the correct value and abort in case that it's incorrect.
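The three steps above, as an added example that is not part of the draft: mac_key is derived from ISK with H, each side tags the message it sent itself, and the receiver recomputes the tag over the message it received and compares in constant time. It assumes H = SHA-512 (the CPace255 suite) and HMAC-SHA512 as the MAC; ISK, MSGa and MSGb are the draft-11 CPace255 values from Appendix B.1 on this page.

```python
# Added example: explicit key confirmation for CPace as described in 9.4.
# Assumptions: H = SHA-512 (CPace255), MAC = HMAC-SHA512 [RFC2104].
import hashlib
import hmac

# Values copied from the draft-11 CPace255 test vectors (Appendix B.1).
ISK_TV = bytes.fromhex(
    "f5ef3c13fdb9dfe839bdbf8a9256e8cee7db8a8f1dfa74958a925450"
    "cf8089cd560d9a4e7956b7334b6f625c8559b75ea0764ac2be894b8f"
    "3d434b30e87797d5")
MSGA_TV = bytes.fromhex(
    "20f970e36f37cfcd9a39e37dd2d1fbc9156d6d2f9ae422f4722cbd9d"
    "32e9b1e70403414461")
MSGB_TV = bytes.fromhex(
    "200178bbbab0804a4455b8f02e5d6e7d80997c6470bfb3618d7e74c3"
    "9647af5a2903414462")


def derive_mac_key(isk: bytes) -> bytes:
    """Step 1: mac_key = H.hash(b"CPaceMac" || ISK)."""
    return hashlib.sha512(b"CPaceMac" + isk).digest()


def make_tag(mac_key: bytes, own_msg: bytes) -> bytes:
    """Step 2: a party tags the message it sent itself (Ta over MSGa,
    Tb over MSGb), so the two tags never coincide and no ordering of the
    messages is needed."""
    return hmac.new(mac_key, own_msg, hashlib.sha512).digest()


def verify_peer_tag(mac_key: bytes, peer_msg: bytes, received_tag: bytes) -> bool:
    """Step 3: recompute the tag over the peer's message and compare in
    constant time; a False result means the session MUST be aborted."""
    expected = hmac.new(mac_key, peer_msg, hashlib.sha512).digest()
    return hmac.compare_digest(expected, received_tag)


def key_confirmation_round(isk_a: bytes, isk_b: bytes,
                           msga: bytes, msgb: bytes) -> tuple:
    """Run both sides: A and B each derive mac_key from the ISK they hold,
    exchange Ta/Tb, and check the other's tag.  Returns (A accepts, B accepts);
    both are False whenever the two ISKs disagree."""
    key_a = derive_mac_key(isk_a)
    key_b = derive_mac_key(isk_b)
    ta = make_tag(key_a, msga)        # sent A -> B
    tb = make_tag(key_b, msgb)        # sent B -> A
    a_accepts = verify_peer_tag(key_a, msgb, tb)
    b_accepts = verify_peer_tag(key_b, msga, ta)
    return a_accepts, b_accepts


if __name__ == "__main__":
    print("matching ISK:", key_confirmation_round(ISK_TV, ISK_TV, MSGA_TV, MSGB_TV))
    wrong = bytes([ISK_TV[0] ^ 1]) + ISK_TV[1:]      # constructed: one bit flipped
    print("mismatched ISK:", key_confirmation_round(ISK_TV, wrong, MSGA_TV, MSGB_TV))
```

Because each tag covers the sender's own message and the messages differ, a reflected tag never verifies, which is what makes this variant usable in the parallel setting without agreeing on a message order first.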
9.5. Sampling of scalars

For curves over fields F_q where q is a prime close to a power of
two, we recommend sampling scalars as a uniform bit string of length
field_size_bits. We do so in order to reduce both the complexity of
the implementation and the attack surface with respect to side-
channels for embedded systems in hostile environments. The effect of
non-uniform sampling on security was demonstrated to be benign in
[AHH21] for the case of Curve25519 and Curve448. This analysis
however does not transfer to most curves in Short-Weierstrass form.
As a result, we recommend rejection sampling if G is as in
Section 7.4. Alternatively an algorithm designed along the lines of
the hash_to_field() function from [RFC9380] can also be used. There
oversampling to an integer significantly larger than the curve order
is followed by a modular reduction to the group order.

[draft-10 wrote F_p for the field and did not yet contain the last two
sentences on the hash_to_field() alternative.]
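The three sampling strategies named above, as an added example that is not the draft's own code: a uniform bit string of field_size_bits for Curve25519-style curves, rejection sampling for a Short-Weierstrass group order, and hash_to_field-style oversampling followed by reduction. The group orders are the known values for Curve25519 and P-256; the scripted RNG is a constructed test aid so the rejection path can be observed deterministically.

```python
# Added example: the scalar sampling options of Section 9.5.
import secrets

# Prime group order p of Curve25519 (field_size_bits = 255 for this curve).
CURVE25519_ORDER = 2**252 + 27742317777372353535851937790883648493
# Group order of P-256, a Short-Weierstrass curve as in Section 7.4.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def sample_uniform_bits(field_size_bits: int, rng=secrets.token_bytes) -> bytes:
    """Option recommended for q close to a power of two: a uniform bit string
    of field_size_bits, little-endian, surplus high bits of the last byte
    cleared.  The result is fed to the curve's own decodeScalar function."""
    nbytes = (field_size_bits + 7) // 8
    buf = bytearray(rng(nbytes))
    if field_size_bits % 8:
        buf[-1] &= (1 << (field_size_bits % 8)) - 1
    return bytes(buf)


def sample_rejection(order: int, rng=secrets.token_bytes) -> int:
    """Option recommended for Short-Weierstrass curves: draw candidates of the
    order's bit length and reject until 1 <= s < order (exactly uniform)."""
    nbits = order.bit_length()
    nbytes = (nbits + 7) // 8
    while True:
        cand = int.from_bytes(rng(nbytes), "big") & ((1 << nbits) - 1)
        if 1 <= cand < order:
            return cand


def sample_oversampled(order: int, rng=secrets.token_bytes, k: int = 128) -> int:
    """hash_to_field-style alternative: draw an integer k bits longer than the
    order and reduce; the bias from the reduction is at most about 2^-k.
    A zero result is resampled so the scalar is never trivial."""
    nbytes = (order.bit_length() + k + 7) // 8
    while True:
        s = int.from_bytes(rng(nbytes), "big") % order
        if s != 0:
            return s


def scripted_rng(chunks):
    """Constructed, deterministic stand-in for secrets.token_bytes used only to
    exercise the rejection and resampling paths in tests."""
    queue = list(chunks)

    def rng(n: int) -> bytes:
        chunk = queue.pop(0)
        if len(chunk) != n:
            raise ValueError("scripted chunk has the wrong length")
        return chunk
    return rng


if __name__ == "__main__":
    print("255-bit string:", sample_uniform_bits(255).hex())
    print("P-256 scalar  :", hex(sample_rejection(P256_ORDER)))
    print("oversampled   :", hex(sample_oversampled(CURVE25519_ORDER)))
```

The rejection loop consumes a variable number of random draws, which is acceptable here because the draws reveal nothing about the accepted value; the oversampling variant runs in a fixed number of draws (apart from the negligible zero case) and is the choice when a data-independent control flow is preferred.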
9.6. Section title

draft-10: Single-coordinate CPace on Montgomery curves
draft-11: Preconditions for using the simplified CPace specification
          from Section 7.2

draft-10 text:

The recommended cipher suites for the Montgomery curves Curve25519
and Curve448 in Section 7.2 rely on the following properties [AHH21]:

* The curve has order (p * c) with p prime and c a small cofactor.
  Also the curve's quadratic twist must be of order (p' * c') with
  p' prime and c' a cofactor.

* The cofactor c' of the twist MUST BE EQUAL to or an integer
  multiple of the cofactor c of the curve.

* Both field order q and group order p MUST BE close to a power of
  two along the lines of [AHH21], Appendix E.

* The representation of the neutral element G.I MUST BE the same for
  both, the curve and its twist.

* The implementation of G.scalar_mult_vfy(y,X) MUST map all c low-
  order points on the curve and all c' low-order points on the twist
  to G.I.

Montgomery curves other than the ones recommended here can use the
specifications given in Section 7.2, given that the above properties
hold.

draft-11 text:

The security of the algorithms used for the recommended cipher suites
for the Montgomery curves Curve25519 and Curve448 in Section 7.2
relies on the following properties [AHH21]:

* The curve has order (p * c) with p prime and c a small cofactor.
  Also the curve's quadratic twist must be of order (p' * c') with
  p' prime and c' a cofactor.

* The cofactor c of the curve MUST BE EQUAL to or an integer
  multiple of the cofactor c' of the curve's quadratic twist. Also,
  importantly, the implementation of the scalar_mult and
  scalar_mult_vfy functions must ensure that all scalars actually
  used for the group operation are integer multiples of c (e.g. such
  as asserted by the specification of the decodeScalar functions in
  [RFC7748]).

* Both field order q and group order p MUST BE close to a power of
  two along the lines of [AHH21], Appendix E. Otherwise the
  simplified scalar sampling specified in Section 7.2 needs to be
  changed.

* The representation of the neutral element G.I MUST BE the same for
  both, the curve and its twist.

* The implementation of G.scalar_mult_vfy(y,X) MUST map all c low-
  order points on the curve and all c' low-order points on the twist
  to G.I.

Algorithms for curves other than the ones recommended here can be
based on the principles from Section 7.2 given that the above
properties hold.
9.7. Nonce values

Secret scalars ya and yb MUST NOT be reused. Values for sid SHOULD
NOT be reused since the composability guarantees established by the
simulation-based proof rely on the uniqueness of session ids [AHH21].
If CPace is used in a concurrent system, it is RECOMMENDED that a
unique sid is generated by the higher-level protocol and passed to
CPace. One suitable option is that sid is generated by concatenating
ephemeral random strings contributed by both parties.
9.8. Side channel attacks

All state-of-the-art methods for realizing constant-time execution
SHOULD be used. Special care is RECOMMENDED specifically for
elliptic curves in Short-Weierstrass form as important standard
documents including [IEEE1363] describe curve operations with non-
constant-time algorithms.

In case that side channel attacks are to be considered practical for
a given application, it is RECOMMENDED to pay special attention to
computing the secret generator G.calculate_generator(PRS,CI,sid).
The most critical substep to consider might be the processing of the
first block of the hash that includes the PRS string. The zero-
padding introduced when hashing the sensitive PRS string can be
expected to make the task for a side-channel attack somewhat more
complex. Still this feature alone is not sufficient for ruling out
power analysis attacks.

Even though the calculate_generator operation might be considered to
form the primary target for side-channel attacks as information on
long-term secrets might be exposed, also the subsequent operations on
ephemeral values, such as scalar sampling and scalar multiplication
should be protected from side-channels.

[draft-10 consisted of the first two paragraphs merged into one and
did not contain the sentence on Short-Weierstrass curves and
[IEEE1363] nor the last paragraph.]
9.9. Quantum computers

CPace is proven secure under the hardness of the strong computational
Simultaneous Diffie-Hellman (sSDH) and strong computational Diffie-
Hellman (sCDH) assumptions in the group G (as defined in [AHH21]).
These assumptions are not expected to hold any longer when large-
scale quantum computers (LSQC) are available. Still, even in case
that LSQC emerge, it is reasonable to assume that discrete-logarithm
computations will remain costly. CPace with ephemeral session id

skipping to change at page 26, line 43 (draft-10) / page 28, line 7 (draft-11)
[I-D.draft-irtf-cfrg-ristretto255-decaf448]
           de Valence, H., Grigg, J., Hamburg, M., Lovecruft, I.,
           Tankersley, G., and F. Valsorda, "The ristretto255 and
           decaf448 Groups", Work in Progress, Internet-Draft, draft-
           irtf-cfrg-ristretto255-decaf448-08, 5 September 2023,
           <https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-
           ristretto255-decaf448-08>.

[I-D.irtf-cfrg-opaque]
           draft-10 cites:
           Bourdrez, D., Krawczyk, H., Lewi, K., and C. A. Wood, "The
           OPAQUE Asymmetric PAKE Protocol", Work in Progress,
           Internet-Draft, draft-irtf-cfrg-opaque-11, 8 June 2023,
           <https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-
           opaque-11>.
           draft-11 cites:
           Bourdrez, D., Krawczyk, H., Lewi, K., and C. A. Wood, "The
           OPAQUE Augmented PAKE Protocol", Work in Progress,
           Internet-Draft, draft-irtf-cfrg-opaque-14, 24 March 2024,
           <https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-
           opaque-14>.

[IEEE1363] "Standard Specifications for Public Key Cryptography, IEEE
           1363", 2000.

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
           Requirement Levels", BCP 14, RFC 2119,
           DOI 10.17487/RFC2119, March 1997,
           <https://www.rfc-editor.org/rfc/rfc2119>.

[RFC7748]  Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves

skipping to change at page 31, line 20 (draft-10) / page 32, line 20 (draft-11)
               return True
           elif bytes1[m] < bytes2[m]:
               return False
       return len(bytes1) > len(bytes2)

A.3.2. Definitions for ordered concatenation

With the above definition of lexicographical ordering, ordered
concatenation is specified as follows.

draft-10:

   def oCAT(bytes1,bytes2):
       if lexiographically_larger(bytes1,bytes2):
           return bytes1 + bytes2
       else:
           return bytes2 + bytes1

draft-11 (renamed to o_cat; the result is prefixed with b"oc"):

   def o_cat(bytes1,bytes2):
       if lexiographically_larger(bytes1,bytes2):
           return b"oc" + bytes1 + bytes2
       else:
           return b"oc" + bytes2 + bytes1

A.3.3. Test vectors ordered concatenation

string comparison for o_cat (oCAT in draft-10):

   lexiographically_larger(b"\0", b"\0\0") == False
   lexiographically_larger(b"\1", b"\0\0") == True
   lexiographically_larger(b"\0\0", b"\0") == True
   lexiographically_larger(b"\0\0", b"\1") == False
   lexiographically_larger(b"\0\1", b"\1") == False
   lexiographically_larger(b"ABCD", b"BCD") == False

draft-10:

   oCAT(b"ABCD",b"BCD"): (length: 7 bytes)
     42434441424344
   oCAT(b"BCD",b"ABCDE"): (length: 8 bytes)
     4243444142434445

draft-11:

   o_cat(b"ABCD",b"BCD"): (length: 9 bytes)
     6f6342434441424344
   o_cat(b"BCD",b"ABCDE"): (length: 10 bytes)
     6f634243444142434445
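The ordered concatenation above and its use in the ISK derivation for the parallel setting, as an added example (not the draft's own appendix code): the draft-11 o_cat is fed the same two messages in either order, so both parties hash an identical transcript without agreeing on who sent first. The example reproduces the A.3.3 vectors and the draft-11 CPace255 vectors of Appendix B.1.5/B.1.6 on this page. It assumes ISK = H.hash(lv_cat(DSI,sid,K) || transcript) with H = SHA-512, and only a single-byte length prefix for lv_cat since every field here is shorter than 128 bytes.

```python
# Added example: o_cat ordering and ISK derivation (serial vs parallel).
# Assumptions: H = SHA-512 (CPace255); ISK = H(lv_cat(DSI, sid, K) || transcript).
import hashlib


def lexiographically_larger(bytes1: bytes, bytes2: bytes) -> bool:
    """Byte-wise comparison as in the draft's A.3.1 (name kept as on the page):
    the first differing byte decides; a proper prefix is the smaller string."""
    for m in range(min(len(bytes1), len(bytes2))):
        if bytes1[m] > bytes2[m]:
            return True
        elif bytes1[m] < bytes2[m]:
            return False
    return len(bytes1) > len(bytes2)


def o_cat(bytes1: bytes, bytes2: bytes) -> bytes:
    """Ordered concatenation, draft-11 form: larger string first, b"oc" prefix."""
    if lexiographically_larger(bytes1, bytes2):
        return b"oc" + bytes1 + bytes2
    return b"oc" + bytes2 + bytes1


def lv_cat(*fields: bytes) -> bytes:
    """Length-value concatenation; single-byte prefix suffices for < 128 bytes
    (the draft's general encoding uses a base-128 varint)."""
    out = b""
    for f in fields:
        if len(f) >= 128:
            raise ValueError("this shortcut only handles fields shorter than 128 bytes")
        out += bytes([len(f)]) + f
    return out


def transcript_ir(msga: bytes, msgb: bytes) -> bytes:
    """Initiator/responder setting: message order is known."""
    return msga + msgb


def transcript_oc(own_msg: bytes, peer_msg: bytes) -> bytes:
    """Parallel setting: each party passes (own, peer); the result is identical
    on both sides because o_cat sorts the two messages."""
    return o_cat(own_msg, peer_msg)


def derive_isk(dsi: bytes, sid: bytes, K: bytes, transcript: bytes) -> bytes:
    """ISK = H.hash(lv_cat(DSI, sid, K) || transcript)."""
    return hashlib.sha512(lv_cat(dsi, sid, K) + transcript).digest()


# Inputs copied from the draft-11 CPace255 test vectors (Appendix B.1).
DSI_TV = b"CPace255_ISK"
SID_TV = bytes.fromhex("7e4b4791d6a8ef019b936c79fb7f2c57")
K_TV = bytes.fromhex("42ba4c6dc4c184a1cf405d4503f64bf7f015e2a0107450e38b9efff3bee52412")
MSGA_TV = bytes.fromhex(
    "20f970e36f37cfcd9a39e37dd2d1fbc9156d6d2f9ae422f4722cbd9d32e9b1e70403414461")
MSGB_TV = bytes.fromhex(
    "200178bbbab0804a4455b8f02e5d6e7d80997c6470bfb3618d7e74c39647af5a2903414462")

if __name__ == "__main__":
    # Party A holds (MSGa, MSGb), party B holds (MSGb, MSGa): same ISK.
    isk_a = derive_isk(DSI_TV, SID_TV, K_TV, transcript_oc(MSGA_TV, MSGB_TV))
    isk_b = derive_isk(DSI_TV, SID_TV, K_TV, transcript_oc(MSGB_TV, MSGA_TV))
    print("parallel ISK equal on both sides:", isk_a == isk_b)
    print("ISK (parallel):", isk_a.hex())
    print("ISK (serial)  :", derive_isk(DSI_TV, SID_TV, K_TV,
                                         transcript_ir(MSGA_TV, MSGB_TV)).hex())
```

Note that the serial and parallel transcripts deliberately yield different ISKs for the same K: the b"oc" prefix added in draft-11 keeps the two transcript formats from ever colliding.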
A.4. Decoding and Encoding functions according to RFC7748

   def decodeLittleEndian(b, bits):
       # integer division: the RFC7748 original uses Python 2's "/"
       return sum([b[i] << 8*i for i in range((bits+7)//8)])

   def decodeUCoordinate(u, bits):
       # bytearray() yields integers for both str (Python 2) and bytes (Python 3)
       u_list = list(bytearray(u))
       # Ignore any unused bits.
       if bits % 8:
           u_list[-1] &= (1<<(bits%8))-1

skipping to change at page 34, line 7 (draft-10) / page 35, line 7 (draft-11)
   10047198e8c4cacf0ab8a6d0ac337b8ae497209d042f7f3a50945863
   94e8217c
generator g: (length: 32 bytes)
   4e6098733061c0e8486611a904fe5edb049804d26130a44131a6229e
   55c5c321

[Where draft-10 and draft-11 give different values, both are listed
below; values identical in both drafts are listed once.]

B.1.2. Test vector for MSGa

Inputs
ADa = b'ADa'
ya (little endian): (length: 32 bytes)
   draft-10:
   45acf93116ae5d3dae995a7c627df2924321a8e857d9a200807131e3
   8839b0c2
   draft-11:
   21b4f4bd9e64ed355c3eb676a28ebedaf6d8f17bdc365995b3190971
   53044080
Outputs
Ya: (length: 32 bytes)
   draft-10:
   6f7fd31863b18b0cc9830fc842c60dea80120ccf2fd375498225e45a
   52065361
   draft-11:
   f970e36f37cfcd9a39e37dd2d1fbc9156d6d2f9ae422f4722cbd9d32
   e9b1e704
MSGa = lv_cat(Ya,ADa): (length: 37 bytes)
   draft-10:
   206f7fd31863b18b0cc9830fc842c60dea80120ccf2fd375498225e4
   5a5206536103414461
   draft-11:
   20f970e36f37cfcd9a39e37dd2d1fbc9156d6d2f9ae422f4722cbd9d
   32e9b1e70403414461

B.1.3. Test vector for MSGb

Inputs
ADb = b'ADb'
yb (little endian): (length: 32 bytes)
   draft-10:
   a145e914b347002d298ce2051394f0ed68cf3623dfe5db082c78ffa5
   a667acdc
   draft-11:
   848b0779ff415f0af4ea14df9dd1d3c29ac41d836c7808896c4eba19
   c51ac40a
Outputs
Yb: (length: 32 bytes)
   draft-10:
   e1b730a4956c0f853d96c5d125cebeeea46952c07c6f66da65bd9ffd
   2f71a462
   draft-11:
   0178bbbab0804a4455b8f02e5d6e7d80997c6470bfb3618d7e74c396
   47af5a29
MSGb = lv_cat(Yb,ADb): (length: 37 bytes)
   draft-10:
   20e1b730a4956c0f853d96c5d125cebeeea46952c07c6f66da65bd9f
   fd2f71a46203414462
   draft-11:
   200178bbbab0804a4455b8f02e5d6e7d80997c6470bfb3618d7e74c3
   9647af5a2903414462

B.1.4. Test vector for secret points K

scalar_mult_vfy(ya,Yb): (length: 32 bytes)
   draft-10:
   2a905bc5f0b93ee72ac4b6ea8723520941adfc892935bf6f86d9e199
   befa6024
   draft-11:
   42ba4c6dc4c184a1cf405d4503f64bf7f015e2a0107450e38b9efff3
   bee52412
scalar_mult_vfy(yb,Ya): (length: 32 bytes)
   draft-10:
   2a905bc5f0b93ee72ac4b6ea8723520941adfc892935bf6f86d9e199
   befa6024
   draft-11:
   42ba4c6dc4c184a1cf405d4503f64bf7f015e2a0107450e38b9efff3
   bee52412

B.1.5. Test vector for ISK calculation initiator/responder

unordered cat of transcript : (length: 74 bytes)
   draft-10:
   206f7fd31863b18b0cc9830fc842c60dea80120ccf2fd375498225e4
   5a520653610341446120e1b730a4956c0f853d96c5d125cebeeea469
   52c07c6f66da65bd9ffd2f71a46203414462
   draft-11:
   20f970e36f37cfcd9a39e37dd2d1fbc9156d6d2f9ae422f4722cbd9d
   32e9b1e70403414461200178bbbab0804a4455b8f02e5d6e7d80997c
   6470bfb3618d7e74c39647af5a2903414462
DSI = G.DSI_ISK, b'CPace255_ISK': (length: 12 bytes)
   43506163653235355f49534b
lv_cat(DSI,sid,K)||MSGa||MSGb: (length: 137 bytes)
   draft-10:
   0c43506163653235355f49534b107e4b4791d6a8ef019b936c79fb7f
   2c57202a905bc5f0b93ee72ac4b6ea8723520941adfc892935bf6f86
   d9e199befa6024206f7fd31863b18b0cc9830fc842c60dea80120ccf
   2fd375498225e45a520653610341446120e1b730a4956c0f853d96c5
   d125cebeeea46952c07c6f66da65bd9ffd2f71a46203414462
   draft-11:
   0c43506163653235355f49534b107e4b4791d6a8ef019b936c79fb7f
   2c572042ba4c6dc4c184a1cf405d4503f64bf7f015e2a0107450e38b
   9efff3bee5241220f970e36f37cfcd9a39e37dd2d1fbc9156d6d2f9a
   e422f4722cbd9d32e9b1e70403414461200178bbbab0804a4455b8f0
   2e5d6e7d80997c6470bfb3618d7e74c39647af5a2903414462
ISK result: (length: 64 bytes)
   draft-10:
   99a9e0ff35acb94ad8af1cd6b32ac409dc7d00557ccd9a7d19d3b462
   9e5f1f084f9332096162438c7ecc78331b4eda17e1a229a47182eccc
   9ea58cd9cdcd8e9a
   draft-11:
   f5ef3c13fdb9dfe839bdbf8a9256e8cee7db8a8f1dfa74958a925450
   cf8089cd560d9a4e7956b7334b6f625c8559b75ea0764ac2be894b8f
   3d434b30e87797d5

B.1.6. Test vector for ISK calculation parallel execution

ordered cat of transcript :
   draft-10 (oCAT, length: 74 bytes):
   20e1b730a4956c0f853d96c5d125cebeeea46952c07c6f66da65bd9f
   fd2f71a46203414462206f7fd31863b18b0cc9830fc842c60dea8012
   0ccf2fd375498225e45a5206536103414461
   draft-11 (o_cat, length: 76 bytes):
   6f6320f970e36f37cfcd9a39e37dd2d1fbc9156d6d2f9ae422f4722c
   bd9d32e9b1e70403414461200178bbbab0804a4455b8f02e5d6e7d80
   997c6470bfb3618d7e74c39647af5a2903414462
DSI = G.DSI_ISK, b'CPace255_ISK': (length: 12 bytes)
   43506163653235355f49534b
lv_cat(DSI,sid,K)||ordered transcript:
   draft-10 (lv_cat(DSI,sid,K)||oCAT(MSGa,MSGb), length: 137 bytes):
   0c43506163653235355f49534b107e4b4791d6a8ef019b936c79fb7f
   2c57202a905bc5f0b93ee72ac4b6ea8723520941adfc892935bf6f86
   d9e199befa602420e1b730a4956c0f853d96c5d125cebeeea46952c0
   7c6f66da65bd9ffd2f71a46203414462206f7fd31863b18b0cc9830f
   c842c60dea80120ccf2fd375498225e45a5206536103414461
   draft-11 (lv_cat(DSI,sid,K)||o_cat(MSGa,MSGb), length: 139 bytes):
   0c43506163653235355f49534b107e4b4791d6a8ef019b936c79fb7f
   2c572042ba4c6dc4c184a1cf405d4503f64bf7f015e2a0107450e38b
   9efff3bee524126f6320f970e36f37cfcd9a39e37dd2d1fbc9156d6d
   2f9ae422f4722cbd9d32e9b1e70403414461200178bbbab0804a4455
   b8f02e5d6e7d80997c6470bfb3618d7e74c39647af5a2903414462
ISK result: (length: 64 bytes)
   draft-10:
   3cd6a9670fa3ff211d829b845baa0f5ba9ad580c3ba0ee790bd0e9cd
   556290a8ffce44419fbf94e4cb8e7fe9f454fd25dc13e689e4d6ab0a
   c2211c70a8ac0062
   draft-11:
   f4051edc63b2620e10d5ecf76d9f0c5ccd1447858a98d4bf847fafac
   737478c1350e14619bc0fcd4f028d10e4102dfca39f91fe9b829a503
   ab3e0549bd835edf
B.1.7. Corresponding C programming language initializers

[draft-10 titled this section "Corresponding ANSI-C initializers" and
declared the arrays as const uint8_t; draft-11 uses const unsigned
char. The draft-11 initializers follow; the arrays whose values
changed between the drafts are repeated afterwards with their draft-10
values.]

   const unsigned char tc_PRS[] = {
    0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64,
   };
   const unsigned char tc_CI[] = {
    0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a,
    0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72,
   };
   const unsigned char tc_sid[] = {
    0x7e,0x4b,0x47,0x91,0xd6,0xa8,0xef,0x01,0x9b,0x93,0x6c,0x79,
    0xfb,0x7f,0x2c,0x57,
   };
   const unsigned char tc_g[] = {
    0x4e,0x60,0x98,0x73,0x30,0x61,0xc0,0xe8,0x48,0x66,0x11,0xa9,
    0x04,0xfe,0x5e,0xdb,0x04,0x98,0x04,0xd2,0x61,0x30,0xa4,0x41,
    0x31,0xa6,0x22,0x9e,0x55,0xc5,0xc3,0x21,
   };
   const unsigned char tc_ya[] = {
    0x21,0xb4,0xf4,0xbd,0x9e,0x64,0xed,0x35,0x5c,0x3e,0xb6,0x76,
    0xa2,0x8e,0xbe,0xda,0xf6,0xd8,0xf1,0x7b,0xdc,0x36,0x59,0x95,
    0xb3,0x19,0x09,0x71,0x53,0x04,0x40,0x80,
   };
   const unsigned char tc_ADa[] = {
    0x41,0x44,0x61,
   };
   const unsigned char tc_Ya[] = {
    0xf9,0x70,0xe3,0x6f,0x37,0xcf,0xcd,0x9a,0x39,0xe3,0x7d,0xd2,
    0xd1,0xfb,0xc9,0x15,0x6d,0x6d,0x2f,0x9a,0xe4,0x22,0xf4,0x72,
    0x2c,0xbd,0x9d,0x32,0xe9,0xb1,0xe7,0x04,
   };
   const unsigned char tc_yb[] = {
    0x84,0x8b,0x07,0x79,0xff,0x41,0x5f,0x0a,0xf4,0xea,0x14,0xdf,
    0x9d,0xd1,0xd3,0xc2,0x9a,0xc4,0x1d,0x83,0x6c,0x78,0x08,0x89,
    0x6c,0x4e,0xba,0x19,0xc5,0x1a,0xc4,0x0a,
   };
   const unsigned char tc_ADb[] = {
    0x41,0x44,0x62,
   };
   const unsigned char tc_Yb[] = {
    0x01,0x78,0xbb,0xba,0xb0,0x80,0x4a,0x44,0x55,0xb8,0xf0,0x2e,
    0x5d,0x6e,0x7d,0x80,0x99,0x7c,0x64,0x70,0xbf,0xb3,0x61,0x8d,
    0x7e,0x74,0xc3,0x96,0x47,0xaf,0x5a,0x29,
   };
   const unsigned char tc_K[] = {
    0x42,0xba,0x4c,0x6d,0xc4,0xc1,0x84,0xa1,0xcf,0x40,0x5d,0x45,
    0x03,0xf6,0x4b,0xf7,0xf0,0x15,0xe2,0xa0,0x10,0x74,0x50,0xe3,
    0x8b,0x9e,0xff,0xf3,0xbe,0xe5,0x24,0x12,
   };
   const unsigned char tc_ISK_IR[] = {
    0xf5,0xef,0x3c,0x13,0xfd,0xb9,0xdf,0xe8,0x39,0xbd,0xbf,0x8a,
    0x92,0x56,0xe8,0xce,0xe7,0xdb,0x8a,0x8f,0x1d,0xfa,0x74,0x95,
    0x8a,0x92,0x54,0x50,0xcf,0x80,0x89,0xcd,0x56,0x0d,0x9a,0x4e,
    0x79,0x56,0xb7,0x33,0x4b,0x6f,0x62,0x5c,0x85,0x59,0xb7,0x5e,
    0xa0,0x76,0x4a,0xc2,0xbe,0x89,0x4b,0x8f,0x3d,0x43,0x4b,0x30,
    0xe8,0x77,0x97,0xd5,
   };
   const unsigned char tc_ISK_SY[] = {
    0xf4,0x05,0x1e,0xdc,0x63,0xb2,0x62,0x0e,0x10,0xd5,0xec,0xf7,
    0x6d,0x9f,0x0c,0x5c,0xcd,0x14,0x47,0x85,0x8a,0x98,0xd4,0xbf,
    0x84,0x7f,0xaf,0xac,0x73,0x74,0x78,0xc1,0x35,0x0e,0x14,0x61,
    0x9b,0xc0,0xfc,0xd4,0xf0,0x28,0xd1,0x0e,0x41,0x02,0xdf,0xca,
    0x39,0xf9,0x1f,0xe9,0xb8,0x29,0xa5,0x03,0xab,0x3e,0x05,0x49,
    0xbd,0x83,0x5e,0xdf,
   };

draft-10 values of the arrays that changed (tc_PRS, tc_CI, tc_sid,
tc_g, tc_ADa and tc_ADb are identical in both drafts):

   const uint8_t tc_ya[] = {
    0x45,0xac,0xf9,0x31,0x16,0xae,0x5d,0x3d,0xae,0x99,0x5a,0x7c,
    0x62,0x7d,0xf2,0x92,0x43,0x21,0xa8,0xe8,0x57,0xd9,0xa2,0x00,
    0x80,0x71,0x31,0xe3,0x88,0x39,0xb0,0xc2,
   };
   const uint8_t tc_Ya[] = {
    0x6f,0x7f,0xd3,0x18,0x63,0xb1,0x8b,0x0c,0xc9,0x83,0x0f,0xc8,
    0x42,0xc6,0x0d,0xea,0x80,0x12,0x0c,0xcf,0x2f,0xd3,0x75,0x49,
    0x82,0x25,0xe4,0x5a,0x52,0x06,0x53,0x61,
   };
   const uint8_t tc_yb[] = {
    0xa1,0x45,0xe9,0x14,0xb3,0x47,0x00,0x2d,0x29,0x8c,0xe2,0x05,
    0x13,0x94,0xf0,0xed,0x68,0xcf,0x36,0x23,0xdf,0xe5,0xdb,0x08,
    0x2c,0x78,0xff,0xa5,0xa6,0x67,0xac,0xdc,
   };
   const uint8_t tc_Yb[] = {
    0xe1,0xb7,0x30,0xa4,0x95,0x6c,0x0f,0x85,0x3d,0x96,0xc5,0xd1,
    0x25,0xce,0xbe,0xee,0xa4,0x69,0x52,0xc0,0x7c,0x6f,0x66,0xda,
    0x65,0xbd,0x9f,0xfd,0x2f,0x71,0xa4,0x62,
   };
   const uint8_t tc_K[] = {
    0x2a,0x90,0x5b,0xc5,0xf0,0xb9,0x3e,0xe7,0x2a,0xc4,0xb6,0xea,
    0x87,0x23,0x52,0x09,0x41,0xad,0xfc,0x89,0x29,0x35,0xbf,0x6f,
    0x86,0xd9,0xe1,0x99,0xbe,0xfa,0x60,0x24,
   };
   const uint8_t tc_ISK_IR[] = {
    0x99,0xa9,0xe0,0xff,0x35,0xac,0xb9,0x4a,0xd8,0xaf,0x1c,0xd6,
    0xb3,0x2a,0xc4,0x09,0xdc,0x7d,0x00,0x55,0x7c,0xcd,0x9a,0x7d,
    0x19,0xd3,0xb4,0x62,0x9e,0x5f,0x1f,0x08,0x4f,0x93,0x32,0x09,
    0x61,0x62,0x43,0x8c,0x7e,0xcc,0x78,0x33,0x1b,0x4e,0xda,0x17,
    0xe1,0xa2,0x29,0xa4,0x71,0x82,0xec,0xcc,0x9e,0xa5,0x8c,0xd9,
    0xcd,0xcd,0x8e,0x9a,
   };
   const uint8_t tc_ISK_SY[] = {
    0x3c,0xd6,0xa9,0x67,0x0f,0xa3,0xff,0x21,0x1d,0x82,0x9b,0x84,
    0x5b,0xaa,0x0f,0x5b,0xa9,0xad,0x58,0x0c,0x3b,0xa0,0xee,0x79,
    0x0b,0xd0,0xe9,0xcd,0x55,0x62,0x90,0xa8,0xff,0xce,0x44,0x41,
    0x9f,0xbf,0x94,0xe4,0xcb,0x8e,0x7f,0xe9,0xf4,0x54,0xfd,0x25,
    0xdc,0x13,0xe6,0x89,0xe4,0xd6,0xab,0x0a,0xc2,0x21,0x1c,0x70,
    0xa8,0xac,0x00,0x62,
   };
B.1.8. Test vectors for G_X25519.scalar_mult_vfy: low order points

Test vectors for which G_X25519.scalar_mult_vfy(s_in,ux) must return
the neutral element or would return the neutral element if bit #255
of the field element representation was not correctly cleared. (The
decodeUCoordinate function from RFC7748 mandates clearing bit #255
for field element representations for use in the X25519 function.)
skipping to change at page 40, line 7 (draft-10) / page 41, line 7 (draft-11)
   a58ce4b5034144613853c519fb490fde5a04bda8c18b327d0fc1a939
   1d19e0ac00c59df9c60422284e593d6b092eac94f5aa644ed883f39b
   d4f04e4beb6af86d5803414462
ISK result: (length: 64 bytes)
   4030297722c1914711da6b2a224a44b53b30c05ab02c2a3d3ccc7272
   a3333ce3a4564c17031b634e89f65681f52d5c3d1df7baeb88523d2e
   481b3858aed86315

B.2.6. Test vector for ISK calculation parallel execution

ordered cat of transcript :
   draft-10 (oCAT, length: 122 bytes):
   3853c519fb490fde5a04bda8c18b327d0fc1a9391d19e0ac00c59df9
   c60422284e593d6b092eac94f5aa644ed883f39bd4f04e4beb6af86d
   580341446238396bd11daf223711e575cac6021e3fa31558012048a1
   cec7876292b96c61eda353fe04f33028d2352779668a934084da776c
   1c51a58ce4b503414461
   draft-11 (o_cat, length: 124 bytes):
   6f633853c519fb490fde5a04bda8c18b327d0fc1a9391d19e0ac00c5
   9df9c60422284e593d6b092eac94f5aa644ed883f39bd4f04e4beb6a
   f86d580341446238396bd11daf223711e575cac6021e3fa315580120
   48a1cec7876292b96c61eda353fe04f33028d2352779668a934084da
   776c1c51a58ce4b503414461
DSI = G.DSI_ISK, b'CPace448_ISK': (length: 12 bytes)
   43506163653434385f49534b
lv_cat(DSI,sid,K)||ordered transcript:
   draft-10 (lv_cat(DSI,sid,K)||oCAT(MSGa,MSGb), length: 209 bytes):
   0c43506163653434385f49534b105223e0cdc45d6575668d64c55200
   412438e00af217556a40ccbc9822cc27a43542e45166a653aa4df746
   d5f8e1e8df483e9baff71c9eb03ee20a688ad4e4d359f70ac9ec3f6a
   6599973853c519fb490fde5a04bda8c18b327d0fc1a9391d19e0ac00
   c59df9c60422284e593d6b092eac94f5aa644ed883f39bd4f04e4beb
   6af86d580341446238396bd11daf223711e575cac6021e3fa3155801
   2048a1cec7876292b96c61eda353fe04f33028d2352779668a934084
   da776c1c51a58ce4b503414461
   draft-11 (lv_cat(DSI,sid,K)||o_cat(MSGa,MSGb), length: 211 bytes):
   0c43506163653434385f49534b105223e0cdc45d6575668d64c55200
   412438e00af217556a40ccbc9822cc27a43542e45166a653aa4df746
   d5f8e1e8df483e9baff71c9eb03ee20a688ad4e4d359f70ac9ec3f6a
   6599976f633853c519fb490fde5a04bda8c18b327d0fc1a9391d19e0
   ac00c59df9c60422284e593d6b092eac94f5aa644ed883f39bd4f04e
   4beb6af86d580341446238396bd11daf223711e575cac6021e3fa315
   58012048a1cec7876292b96c61eda353fe04f33028d2352779668a93
   4084da776c1c51a58ce4b503414461
ISK result: (length: 64 bytes)
   draft-10:
   925e95d1095dad1af6378d5ef8b9a998bd3855bfc7d36cb5ca05b0a7
   a93346abcb8cef04bceb28c38fdaf0cc608fd1dcd462ab523f3b7f75
   2c77c411be3ac8fb
   draft-11:
   4cd30768e2f75f0583449614bce823b421c31163c5a3bde4eed1c664
   284a32995ea3430b5c47fc7dd771b534ad38eaea5d8c8f97bd548966
   7facfc044615075f
B.2.7. Corresponding C programming language initializers

[draft-10 titled this section "Corresponding ANSI-C initializers" and
declared the arrays as const uint8_t; draft-11 uses const unsigned
char. The values of all arrays shown here are identical in both
drafts.]

   const unsigned char tc_PRS[] = {
    0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64,
   };
   const unsigned char tc_CI[] = {
    0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a,
    0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72,
   };
   const unsigned char tc_sid[] = {
    0x52,0x23,0xe0,0xcd,0xc4,0x5d,0x65,0x75,0x66,0x8d,0x64,0xc5,
    0x52,0x00,0x41,0x24,
   };
   const unsigned char tc_g[] = {
    0x6f,0xda,0xe1,0x47,0x18,0xeb,0x75,0x06,0xdd,0x96,0xe3,0xf7,
    0x79,0x78,0x96,0xef,0xdb,0x8d,0xb9,0xec,0x07,0x97,0x48,0x5c,
    0x9c,0x48,0xa1,0x92,0x2e,0x44,0x96,0x1d,0xa0,0x97,0xf2,0x90,
    0x8b,0x08,0x4a,0x5d,0xe3,0x3a,0xb6,0x71,0x63,0x06,0x60,0xd2,
    0x7d,0x79,0xff,0xd6,0xee,0x8e,0xc8,0x46,
   };
   const unsigned char tc_ya[] = {
    0x21,0xb4,0xf4,0xbd,0x9e,0x64,0xed,0x35,0x5c,0x3e,0xb6,0x76,
    0xa2,0x8e,0xbe,0xda,0xf6,0xd8,0xf1,0x7b,0xdc,0x36,0x59,0x95,
    0xb3,0x19,0x09,0x71,0x53,0x04,0x40,0x80,0x51,0x6b,0xd0,0x83,
    0xbf,0xcc,0xe6,0x61,0x21,0xa3,0x07,0x26,0x46,0x99,0x4c,0x84,
    0x30,0xcc,0x38,0x2b,0x8d,0xc5,0x43,0xe8,
   };
   const unsigned char tc_ADa[] = {
    0x41,0x44,0x61,
   };
   const unsigned char tc_Ya[] = {
    0x39,0x6b,0xd1,0x1d,0xaf,0x22,0x37,0x11,0xe5,0x75,0xca,0xc6,
    0x02,0x1e,0x3f,0xa3,0x15,0x58,0x01,0x20,0x48,0xa1,0xce,0xc7,
    0x87,0x62,0x92,0xb9,0x6c,0x61,0xed,0xa3,0x53,0xfe,0x04,0xf3,
    0x30,0x28,0xd2,0x35,0x27,0x79,0x66,0x8a,0x93,0x40,0x84,0xda,
    0x77,0x6c,0x1c,0x51,0xa5,0x8c,0xe4,0xb5,
   };
   const unsigned char tc_yb[] = {
    0x84,0x8b,0x07,0x79,0xff,0x41,0x5f,0x0a,0xf4,0xea,0x14,0xdf,
    0x9d,0xd1,0xd3,0xc2,0x9a,0xc4,0x1d,0x83,0x6c,0x78,0x08,0x89,
    0x6c,0x4e,0xba,0x19,0xc5,0x1a,0xc4,0x0a,0x43,0x9c,0xaf,0x5e,
    0x61,0xec,0x88,0xc3,0x07,0xc7,0xd6,0x19,0x19,0x52,0x29,0x41,
    0x2e,0xaa,0x73,0xfb,0x2a,0x5e,0xa2,0x0d,
   };
   const unsigned char tc_ADb[] = {
    0x41,0x44,0x62,
   };
   const unsigned char tc_Yb[] = {
    0x53,0xc5,0x19,0xfb,0x49,0x0f,0xde,0x5a,0x04,0xbd,0xa8,0xc1,
    0x8b,0x32,0x7d,0x0f,0xc1,0xa9,0x39,0x1d,0x19,0xe0,0xac,0x00,
    0xc5,0x9d,0xf9,0xc6,0x04,0x22,0x28,0x4e,0x59,0x3d,0x6b,0x09,
    0x2e,0xac,0x94,0xf5,0xaa,0x64,0x4e,0xd8,0x83,0xf3,0x9b,0xd4,
0xf0,0x4e,0x4b,0xeb,0x6a,0xf8,0x6d,0x58, 0xf0,0x4e,0x4b,0xeb,0x6a,0xf8,0x6d,0x58,
}; };
const uint8_t tc_K[] = { const unsigned char tc_K[] = {
0xe0,0x0a,0xf2,0x17,0x55,0x6a,0x40,0xcc,0xbc,0x98,0x22,0xcc, 0xe0,0x0a,0xf2,0x17,0x55,0x6a,0x40,0xcc,0xbc,0x98,0x22,0xcc,
0x27,0xa4,0x35,0x42,0xe4,0x51,0x66,0xa6,0x53,0xaa,0x4d,0xf7, 0x27,0xa4,0x35,0x42,0xe4,0x51,0x66,0xa6,0x53,0xaa,0x4d,0xf7,
0x46,0xd5,0xf8,0xe1,0xe8,0xdf,0x48,0x3e,0x9b,0xaf,0xf7,0x1c, 0x46,0xd5,0xf8,0xe1,0xe8,0xdf,0x48,0x3e,0x9b,0xaf,0xf7,0x1c,
0x9e,0xb0,0x3e,0xe2,0x0a,0x68,0x8a,0xd4,0xe4,0xd3,0x59,0xf7, 0x9e,0xb0,0x3e,0xe2,0x0a,0x68,0x8a,0xd4,0xe4,0xd3,0x59,0xf7,
0x0a,0xc9,0xec,0x3f,0x6a,0x65,0x99,0x97, 0x0a,0xc9,0xec,0x3f,0x6a,0x65,0x99,0x97,
}; };
const uint8_t tc_ISK_IR[] = { const unsigned char tc_ISK_IR[] = {
0x40,0x30,0x29,0x77,0x22,0xc1,0x91,0x47,0x11,0xda,0x6b,0x2a, 0x40,0x30,0x29,0x77,0x22,0xc1,0x91,0x47,0x11,0xda,0x6b,0x2a,
0x22,0x4a,0x44,0xb5,0x3b,0x30,0xc0,0x5a,0xb0,0x2c,0x2a,0x3d, 0x22,0x4a,0x44,0xb5,0x3b,0x30,0xc0,0x5a,0xb0,0x2c,0x2a,0x3d,
0x3c,0xcc,0x72,0x72,0xa3,0x33,0x3c,0xe3,0xa4,0x56,0x4c,0x17, 0x3c,0xcc,0x72,0x72,0xa3,0x33,0x3c,0xe3,0xa4,0x56,0x4c,0x17,
0x03,0x1b,0x63,0x4e,0x89,0xf6,0x56,0x81,0xf5,0x2d,0x5c,0x3d, 0x03,0x1b,0x63,0x4e,0x89,0xf6,0x56,0x81,0xf5,0x2d,0x5c,0x3d,
0x1d,0xf7,0xba,0xeb,0x88,0x52,0x3d,0x2e,0x48,0x1b,0x38,0x58, 0x1d,0xf7,0xba,0xeb,0x88,0x52,0x3d,0x2e,0x48,0x1b,0x38,0x58,
0xae,0xd8,0x63,0x15, 0xae,0xd8,0x63,0x15,
}; };
const uint8_t tc_ISK_SY[] = { const unsigned char tc_ISK_SY[] = {
0x92,0x5e,0x95,0xd1,0x09,0x5d,0xad,0x1a,0xf6,0x37,0x8d,0x5e, 0x4c,0xd3,0x07,0x68,0xe2,0xf7,0x5f,0x05,0x83,0x44,0x96,0x14,
0xf8,0xb9,0xa9,0x98,0xbd,0x38,0x55,0xbf,0xc7,0xd3,0x6c,0xb5, 0xbc,0xe8,0x23,0xb4,0x21,0xc3,0x11,0x63,0xc5,0xa3,0xbd,0xe4,
0xca,0x05,0xb0,0xa7,0xa9,0x33,0x46,0xab,0xcb,0x8c,0xef,0x04, 0xee,0xd1,0xc6,0x64,0x28,0x4a,0x32,0x99,0x5e,0xa3,0x43,0x0b,
0xbc,0xeb,0x28,0xc3,0x8f,0xda,0xf0,0xcc,0x60,0x8f,0xd1,0xdc, 0x5c,0x47,0xfc,0x7d,0xd7,0x71,0xb5,0x34,0xad,0x38,0xea,0xea,
0xd4,0x62,0xab,0x52,0x3f,0x3b,0x7f,0x75,0x2c,0x77,0xc4,0x11, 0x5d,0x8c,0x8f,0x97,0xbd,0x54,0x89,0x66,0x7f,0xac,0xfc,0x04,
0xbe,0x3a,0xc8,0xfb, 0x46,0x15,0x07,0x5f,
}; };
B.2.8. Test vectors for G_X448.scalar_mult_vfy: low order points B.2.8. Test vectors for G_X448.scalar_mult_vfy: low order points
Test vectors for which G_X448.scalar_mult_vfy(s_in,ux) must return Test vectors for which G_X448.scalar_mult_vfy(s_in,ux) must return
the neutral element. This includes points that are non-canonically the neutral element. This includes points that are non-canonically
encoded, i.e. have coordinate values larger than the field prime. encoded, i.e. have coordinate values larger than the field prime.
Weak points for X448 smaller than the field prime (canonical) Weak points for X448 smaller than the field prime (canonical)
skipping to change at page 46, line 4 skipping to change at page 47, line 4
83204fe8359addb53e95a2e98893853f20383a85dd236978f17f8c85 83204fe8359addb53e95a2e98893853f20383a85dd236978f17f8c85
45b50dabc52a39fcdab2cf8bc531ce040ff77ca82d0341446120a620 45b50dabc52a39fcdab2cf8bc531ce040ff77ca82d0341446120a620
6309c0e8e5f579295e35997ac4300ab3fecec3c17f7b604f3e698fa1 6309c0e8e5f579295e35997ac4300ab3fecec3c17f7b604f3e698fa1
383c03414462 383c03414462
ISK result: (length: 64 bytes) ISK result: (length: 64 bytes)
e91ccb2c0f5e0d0993a33956e3be59754f3f2b07db57631f5394452e e91ccb2c0f5e0d0993a33956e3be59754f3f2b07db57631f5394452e
a2e7b4354674eb1f5686c078462bf83bec72e8743df440108e638f35 a2e7b4354674eb1f5686c078462bf83bec72e8743df440108e638f35
26d9b90e85be096f 26d9b90e85be096f
B.3.6. Test vector for ISK calculation parallel execution B.3.6. Test vector for ISK calculation parallel execution
ordered cat of transcript : (length: 74 bytes) ordered cat of transcript : (length: 76 bytes)
20a6206309c0e8e5f579295e35997ac4300ab3fecec3c17f7b604f3e 6f6320a6206309c0e8e5f579295e35997ac4300ab3fecec3c17f7b60
698fa1383c0341446220383a85dd236978f17f8c8545b50dabc52a39 4f3e698fa1383c0341446220383a85dd236978f17f8c8545b50dabc5
fcdab2cf8bc531ce040ff77ca82d03414461 2a39fcdab2cf8bc531ce040ff77ca82d03414461
DSI = G.DSI_ISK, b'CPaceRistretto255_ISK': DSI = G.DSI_ISK, b'CPaceRistretto255_ISK':
(length: 21 bytes) (length: 21 bytes)
435061636552697374726574746f3235355f49534b 435061636552697374726574746f3235355f49534b
lv_cat(DSI,sid,K)||oCAT(MSGa,MSGb): (length: 146 bytes) lv_cat(DSI,sid,K)||o_cat(MSGa,MSGb): (length: 148 bytes)
15435061636552697374726574746f3235355f49534b107e4b4791d6 15435061636552697374726574746f3235355f49534b107e4b4791d6
a8ef019b936c79fb7f2c5720fa1d0318864e2cacb26875f1b791c9ae a8ef019b936c79fb7f2c5720fa1d0318864e2cacb26875f1b791c9ae
83204fe8359addb53e95a2e98893853f20a6206309c0e8e5f579295e 83204fe8359addb53e95a2e98893853f6f6320a6206309c0e8e5f579
35997ac4300ab3fecec3c17f7b604f3e698fa1383c0341446220383a 295e35997ac4300ab3fecec3c17f7b604f3e698fa1383c0341446220
85dd236978f17f8c8545b50dabc52a39fcdab2cf8bc531ce040ff77c 383a85dd236978f17f8c8545b50dabc52a39fcdab2cf8bc531ce040f
a82d03414461 f77ca82d03414461
ISK result: (length: 64 bytes) ISK result: (length: 64 bytes)
2472dedbff868bfc12b4c256f790539af0e2bab7efc28d1a995d18a1 1638fb6ff564a80a12af07c036870e10c4efb539fa847fdf3e9c4621
a58e5bec639273d4604512669ab7953153d437eb90314dcba7539724 7bf52cd4df4ca0fe51146492a9ba6dd6a42ac402bc2d60adb4084c81
02b0d9c5ec5283f8 758d754d1d81482a
B.3.7. Corresponding ANSI-C initializers B.3.7. Corresponding C programming language initializers
const uint8_t tc_PRS[] = { const unsigned char tc_PRS[] = {
0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, 0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64,
}; };
const uint8_t tc_CI[] = { const unsigned char tc_CI[] = {
0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a, 0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a,
0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72, 0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72,
}; };
const uint8_t tc_sid[] = { const unsigned char tc_sid[] = {
0x7e,0x4b,0x47,0x91,0xd6,0xa8,0xef,0x01,0x9b,0x93,0x6c,0x79, 0x7e,0x4b,0x47,0x91,0xd6,0xa8,0xef,0x01,0x9b,0x93,0x6c,0x79,
0xfb,0x7f,0x2c,0x57, 0xfb,0x7f,0x2c,0x57,
}; };
const uint8_t tc_g[] = { const unsigned char tc_g[] = {
0x5e,0x25,0x41,0x1c,0xa1,0xad,0x7c,0x9d,0xeb,0xfd,0x0b,0x33, 0x5e,0x25,0x41,0x1c,0xa1,0xad,0x7c,0x9d,0xeb,0xfd,0x0b,0x33,
0xad,0x98,0x7a,0x95,0xce,0xfe,0xf2,0xd3,0xf1,0x5d,0xcc,0x8b, 0xad,0x98,0x7a,0x95,0xce,0xfe,0xf2,0xd3,0xf1,0x5d,0xcc,0x8b,
0xd2,0x64,0x15,0xa5,0xdf,0xe2,0xe1,0x5a, 0xd2,0x64,0x15,0xa5,0xdf,0xe2,0xe1,0x5a,
}; };
const uint8_t tc_ya[] = { const unsigned char tc_ya[] = {
0xda,0x3d,0x23,0x70,0x0a,0x9e,0x56,0x99,0x25,0x8a,0xef,0x94, 0xda,0x3d,0x23,0x70,0x0a,0x9e,0x56,0x99,0x25,0x8a,0xef,0x94,
0xdc,0x06,0x0d,0xfd,0xa5,0xeb,0xb6,0x1f,0x02,0xa5,0xea,0x77, 0xdc,0x06,0x0d,0xfd,0xa5,0xeb,0xb6,0x1f,0x02,0xa5,0xea,0x77,
0xfa,0xd5,0x3f,0x4f,0xf0,0x97,0x6d,0x08, 0xfa,0xd5,0x3f,0x4f,0xf0,0x97,0x6d,0x08,
}; };
const uint8_t tc_ADa[] = { const unsigned char tc_ADa[] = {
0x41,0x44,0x61, 0x41,0x44,0x61,
}; };
const uint8_t tc_Ya[] = { const unsigned char tc_Ya[] = {
0x38,0x3a,0x85,0xdd,0x23,0x69,0x78,0xf1,0x7f,0x8c,0x85,0x45, 0x38,0x3a,0x85,0xdd,0x23,0x69,0x78,0xf1,0x7f,0x8c,0x85,0x45,
0xb5,0x0d,0xab,0xc5,0x2a,0x39,0xfc,0xda,0xb2,0xcf,0x8b,0xc5, 0xb5,0x0d,0xab,0xc5,0x2a,0x39,0xfc,0xda,0xb2,0xcf,0x8b,0xc5,
0x31,0xce,0x04,0x0f,0xf7,0x7c,0xa8,0x2d, 0x31,0xce,0x04,0x0f,0xf7,0x7c,0xa8,0x2d,
}; };
const uint8_t tc_yb[] = { const unsigned char tc_yb[] = {
0xd2,0x31,0x6b,0x45,0x47,0x18,0xc3,0x53,0x62,0xd8,0x3d,0x69, 0xd2,0x31,0x6b,0x45,0x47,0x18,0xc3,0x53,0x62,0xd8,0x3d,0x69,
0xdf,0x63,0x20,0xf3,0x85,0x78,0xed,0x59,0x84,0x65,0x14,0x35, 0xdf,0x63,0x20,0xf3,0x85,0x78,0xed,0x59,0x84,0x65,0x14,0x35,
0xe2,0x94,0x97,0x62,0xd9,0x00,0xb8,0x0d, 0xe2,0x94,0x97,0x62,0xd9,0x00,0xb8,0x0d,
}; };
const uint8_t tc_ADb[] = { const unsigned char tc_ADb[] = {
0x41,0x44,0x62, 0x41,0x44,0x62,
}; };
const uint8_t tc_Yb[] = { const unsigned char tc_Yb[] = {
0xa6,0x20,0x63,0x09,0xc0,0xe8,0xe5,0xf5,0x79,0x29,0x5e,0x35, 0xa6,0x20,0x63,0x09,0xc0,0xe8,0xe5,0xf5,0x79,0x29,0x5e,0x35,
0x99,0x7a,0xc4,0x30,0x0a,0xb3,0xfe,0xce,0xc3,0xc1,0x7f,0x7b, 0x99,0x7a,0xc4,0x30,0x0a,0xb3,0xfe,0xce,0xc3,0xc1,0x7f,0x7b,
0x60,0x4f,0x3e,0x69,0x8f,0xa1,0x38,0x3c, 0x60,0x4f,0x3e,0x69,0x8f,0xa1,0x38,0x3c,
}; };
const uint8_t tc_K[] = { const unsigned char tc_K[] = {
0xfa,0x1d,0x03,0x18,0x86,0x4e,0x2c,0xac,0xb2,0x68,0x75,0xf1, 0xfa,0x1d,0x03,0x18,0x86,0x4e,0x2c,0xac,0xb2,0x68,0x75,0xf1,
0xb7,0x91,0xc9,0xae,0x83,0x20,0x4f,0xe8,0x35,0x9a,0xdd,0xb5, 0xb7,0x91,0xc9,0xae,0x83,0x20,0x4f,0xe8,0x35,0x9a,0xdd,0xb5,
0x3e,0x95,0xa2,0xe9,0x88,0x93,0x85,0x3f, 0x3e,0x95,0xa2,0xe9,0x88,0x93,0x85,0x3f,
}; };
const uint8_t tc_ISK_IR[] = { const unsigned char tc_ISK_IR[] = {
0xe9,0x1c,0xcb,0x2c,0x0f,0x5e,0x0d,0x09,0x93,0xa3,0x39,0x56, 0xe9,0x1c,0xcb,0x2c,0x0f,0x5e,0x0d,0x09,0x93,0xa3,0x39,0x56,
0xe3,0xbe,0x59,0x75,0x4f,0x3f,0x2b,0x07,0xdb,0x57,0x63,0x1f, 0xe3,0xbe,0x59,0x75,0x4f,0x3f,0x2b,0x07,0xdb,0x57,0x63,0x1f,
0x53,0x94,0x45,0x2e,0xa2,0xe7,0xb4,0x35,0x46,0x74,0xeb,0x1f, 0x53,0x94,0x45,0x2e,0xa2,0xe7,0xb4,0x35,0x46,0x74,0xeb,0x1f,
0x56,0x86,0xc0,0x78,0x46,0x2b,0xf8,0x3b,0xec,0x72,0xe8,0x74, 0x56,0x86,0xc0,0x78,0x46,0x2b,0xf8,0x3b,0xec,0x72,0xe8,0x74,
0x3d,0xf4,0x40,0x10,0x8e,0x63,0x8f,0x35,0x26,0xd9,0xb9,0x0e, 0x3d,0xf4,0x40,0x10,0x8e,0x63,0x8f,0x35,0x26,0xd9,0xb9,0x0e,
0x85,0xbe,0x09,0x6f, 0x85,0xbe,0x09,0x6f,
}; };
const uint8_t tc_ISK_SY[] = { const unsigned char tc_ISK_SY[] = {
0x24,0x72,0xde,0xdb,0xff,0x86,0x8b,0xfc,0x12,0xb4,0xc2,0x56, 0x16,0x38,0xfb,0x6f,0xf5,0x64,0xa8,0x0a,0x12,0xaf,0x07,0xc0,
0xf7,0x90,0x53,0x9a,0xf0,0xe2,0xba,0xb7,0xef,0xc2,0x8d,0x1a, 0x36,0x87,0x0e,0x10,0xc4,0xef,0xb5,0x39,0xfa,0x84,0x7f,0xdf,
0x99,0x5d,0x18,0xa1,0xa5,0x8e,0x5b,0xec,0x63,0x92,0x73,0xd4, 0x3e,0x9c,0x46,0x21,0x7b,0xf5,0x2c,0xd4,0xdf,0x4c,0xa0,0xfe,
0x60,0x45,0x12,0x66,0x9a,0xb7,0x95,0x31,0x53,0xd4,0x37,0xeb, 0x51,0x14,0x64,0x92,0xa9,0xba,0x6d,0xd6,0xa4,0x2a,0xc4,0x02,
0x90,0x31,0x4d,0xcb,0xa7,0x53,0x97,0x24,0x02,0xb0,0xd9,0xc5, 0xbc,0x2d,0x60,0xad,0xb4,0x08,0x4c,0x81,0x75,0x8d,0x75,0x4d,
0xec,0x52,0x83,0xf8, 0x1d,0x81,0x48,0x2a,
}; };
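The ISK derivation these vectors exercise, as an added Python check that is not part of the draft or its reference code: it implements prepend_len/lv_cat and o_cat as the draft defines them, rebuilds the 148-byte hash input of B.3.6 from the inputs given in B.3.7, and hashes it with SHA-512 (H for CPace-Ristretto255). The b'oc' prefix (0x6f63) is the draft-11 change to o_cat; it is why the parallel-execution ISK differs between the two columns while the initiator/responder ISK does not. The same construction applies to the Decaf448 and P-256 vectors in B.4.6 and B.5.6 with their own DSI and hash function.

```python
import hashlib


def prepend_len(data: bytes) -> bytes:
    """Prefix data with its length in LEB128 form (the draft's prepend_len):
    7 bits per byte, least significant group first, high bit set on every
    byte but the last.  Lengths below 128 take one byte, which is all the
    vectors on this page exercise; longer inputs take the multi-byte form."""
    length = len(data)
    enc = bytearray()
    while True:
        if length < 128:
            enc.append(length)
        else:
            enc.append((length & 0x7F) | 0x80)
        length >>= 7
        if length == 0:
            break
    return bytes(enc) + data


def lv_cat(*items: bytes) -> bytes:
    """Length-value concatenation: prefix-free, so two different input
    tuples can never produce the same byte string before hashing."""
    return b"".join(prepend_len(item) for item in items)


def o_cat(msg1: bytes, msg2: bytes) -> bytes:
    """Ordered concatenation for the parallel (symmetric) execution.
    draft-11 prepends b'oc' and puts the lexicographically larger message
    first; Python compares bytes in exactly that order, with a proper
    prefix counting as smaller.  Both parties therefore hash the same
    bytes no matter who sent first."""
    if msg1 > msg2:
        return b"oc" + msg1 + msg2
    return b"oc" + msg2 + msg1


def isk_parallel(dsi_isk, sid, k, msga, msgb) -> bytes:
    """ISK for the parallel setting; H is SHA-512 for CPace-Ristretto255."""
    return hashlib.sha512(lv_cat(dsi_isk, sid, k) + o_cat(msga, msgb)).digest()


def isk_initiator_responder(dsi_isk, sid, k, msga, msgb) -> bytes:
    """ISK for the initiator/responder setting: MSGa then MSGb, no 'oc'."""
    return hashlib.sha512(lv_cat(dsi_isk, sid, k) + msga + msgb).digest()


# Inputs copied from the B.3.7 initializers (draft-11 column); sid, K, Ya, Yb
# and the associated data are identical in both draft versions.
DSI_ISK = b"CPaceRistretto255_ISK"
SID = bytes.fromhex("7e4b4791d6a8ef019b936c79fb7f2c57")
K = bytes.fromhex("fa1d0318864e2cacb26875f1b791c9ae"
                  "83204fe8359addb53e95a2e98893853f")
YA = bytes.fromhex("383a85dd236978f17f8c8545b50dabc5"
                   "2a39fcdab2cf8bc531ce040ff77ca82d")
YB = bytes.fromhex("a6206309c0e8e5f579295e35997ac430"
                   "0ab3fecec3c17f7b604f3e698fa1383c")
ADA, ADB = b"ADa", b"ADb"

# Expected values printed in B.3.6 (draft-11 column) and B.3.7.
EXPECTED_TRANSCRIPT_OC = bytes.fromhex(
    "15435061636552697374726574746f3235355f49534b107e4b4791d6"
    "a8ef019b936c79fb7f2c5720fa1d0318864e2cacb26875f1b791c9ae"
    "83204fe8359addb53e95a2e98893853f6f6320a6206309c0e8e5f579"
    "295e35997ac4300ab3fecec3c17f7b604f3e698fa1383c0341446220"
    "383a85dd236978f17f8c8545b50dabc52a39fcdab2cf8bc531ce040f"
    "f77ca82d03414461")
EXPECTED_ISK_SY = bytes.fromhex(
    "1638fb6ff564a80a12af07c036870e10c4efb539fa847fdf3e9c4621"
    "7bf52cd4df4ca0fe51146492a9ba6dd6a42ac402bc2d60adb4084c81"
    "758d754d1d81482a")
EXPECTED_ISK_IR = bytes.fromhex(
    "e91ccb2c0f5e0d0993a33956e3be59754f3f2b07db57631f5394452e"
    "a2e7b4354674eb1f5686c078462bf83bec72e8743df440108e638f35"
    "26d9b90e85be096f")


def verify_b3_vectors() -> dict:
    """Rebuild MSGa/MSGb from the page's inputs and compare every derived
    value with the appendix.  Returns one bool per check."""
    msga = lv_cat(YA, ADA)   # 0x20 || Ya || 0x03 || b'ADa'
    msgb = lv_cat(YB, ADB)   # 0x20 || Yb || 0x03 || b'ADb'
    transcript_oc = lv_cat(DSI_ISK, SID, K) + o_cat(msga, msgb)
    return {
        "transcript_oc": transcript_oc == EXPECTED_TRANSCRIPT_OC,
        "order_independent": o_cat(msga, msgb) == o_cat(msgb, msga),
        "isk_parallel":
            isk_parallel(DSI_ISK, SID, K, msga, msgb) == EXPECTED_ISK_SY,
        "isk_initiator_responder":
            isk_initiator_responder(DSI_ISK, SID, K, msga, msgb)
            == EXPECTED_ISK_IR,
    }


if __name__ == "__main__":
    for name, ok in verify_b3_vectors().items():
        print(f"{name}: {'OK' if ok else 'MISMATCH'}")
```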
B.3.8. Test case for scalar_mult with valid inputs B.3.8. Test case for scalar_mult with valid inputs
s: (length: 32 bytes) s: (length: 32 bytes)
7cd0e075fa7955ba52c02759a6c90dbbfc10e6d40aea8d283e407d88 7cd0e075fa7955ba52c02759a6c90dbbfc10e6d40aea8d283e407d88
cf538a05 cf538a05
X: (length: 32 bytes) X: (length: 32 bytes)
2c3c6b8c4f3800e7aef6864025b4ed79bd599117e427c41bd47d93d6 2c3c6b8c4f3800e7aef6864025b4ed79bd599117e427c41bd47d93d6
54b4a51c 54b4a51c
G.scalar_mult(s,decode(X)): (length: 32 bytes) G.scalar_mult(s,decode(X)): (length: 32 bytes)
skipping to change at page 49, line 35 skipping to change at page 50, line 35
1d28915fb750011209040f5f03b2ceb5e5eb259c96b478382d5a5c57 1d28915fb750011209040f5f03b2ceb5e5eb259c96b478382d5a5c57
encoded generator g: (length: 56 bytes) encoded generator g: (length: 56 bytes)
682d1a4f49fc2a4834356ae4d7f58636bc9481521c845e66e6fb0b29 682d1a4f49fc2a4834356ae4d7f58636bc9481521c845e66e6fb0b29
69341df45fbaeaea9e2221b3f5babc54c5f8ce456988ffc519defaeb 69341df45fbaeaea9e2221b3f5babc54c5f8ce456988ffc519defaeb
B.4.2. Test vector for MSGa B.4.2. Test vector for MSGa
Inputs Inputs
ADa = b'ADa' ADa = b'ADa'
ya (little endian): (length: 56 bytes) ya (little endian): (length: 56 bytes)
d8d2e26c821a12d7f59a8dee023d3f6155976152e16c73cbf68c303d 33d561f13cfc0dca279c30e8cde895175dc25483892819eba132d58c
f0404399f0a7b614a65df50a9788f00b410586b443f738ad7ff03930 13c0462a8eb0d73fda941950594bef5191d8394691f86edffcad6c1e
Outputs Outputs
Ya: (length: 56 bytes) Ya: (length: 56 bytes)
d4b87d2fcdcac1096dba1898361f27e29dc1e019f74f84a71199bfd3 e233867540319ec86eaecc09a85dec233745db729f61c36bde14c034
dc8d09d2b823038f579f517591474be366968e2fb599bf14e55704f4 200994fc4b6e8d263008c169585fd1d186d8ac560cb9f7ad0d166965
MSGa = lv_cat(Ya,ADa): (length: 61 bytes) MSGa = lv_cat(Ya,ADa): (length: 61 bytes)
38d4b87d2fcdcac1096dba1898361f27e29dc1e019f74f84a71199bf 38e233867540319ec86eaecc09a85dec233745db729f61c36bde14c0
d3dc8d09d2b823038f579f517591474be366968e2fb599bf14e55704 34200994fc4b6e8d263008c169585fd1d186d8ac560cb9f7ad0d1669
f403414461 6503414461
B.4.3. Test vector for MSGb B.4.3. Test vector for MSGb
Inputs Inputs
ADb = b'ADb' ADb = b'ADb'
yb (little endian): (length: 56 bytes) yb (little endian): (length: 56 bytes)
91bae9793f4a8aceb1b5c54375a7ed1858a79a6e72dab959c8bdf3a7 2523c969f68fa2b2aea294c2539ef36eb1e0558abd14712a7828f16a
5ac9bb4de2a25af4d4a9a5c5bc5441d19b8e3f6fcce7196c6afc2236 85ed2c7e77e2bdd418994405fb1b57b6bbaadd66849892aac9d81402
Outputs Outputs
Yb: (length: 56 bytes) Yb: (length: 56 bytes)
d61c6c039c01560e8b19b8299fb39513f39302eebd4c462694a33155 5062a0f33478914bf162a80dad39b5b266c1dd02f408573b41827e38
a3a387e44aa613647fcf6303f918bad598aaab53bea849b9fd14da74 599b682afbf7a0735adfd68c39ab4994fd1b034846270e38332b4da9
MSGb = lv_cat(Yb,ADb): (length: 61 bytes) MSGb = lv_cat(Yb,ADb): (length: 61 bytes)
38d61c6c039c01560e8b19b8299fb39513f39302eebd4c462694a331 385062a0f33478914bf162a80dad39b5b266c1dd02f408573b41827e
55a3a387e44aa613647fcf6303f918bad598aaab53bea849b9fd14da 38599b682afbf7a0735adfd68c39ab4994fd1b034846270e38332b4d
7403414462 a903414462
B.4.4. Test vector for secret points K B.4.4. Test vector for secret points K
scalar_mult_vfy(ya,Yb): (length: 56 bytes) scalar_mult_vfy(ya,Yb): (length: 56 bytes)
e434cda1783ddaaef08fc1d5f2201f1540fbc295fe2dd7cc38f20385 dc9edef7c127e79d32f2584f9fcd3269174fe32226c2082963879a6d
64824c98dbbe1978f121bdfead8e1a638913a6952cbec54867eb770a eafefb9c14efcee9fc1245917ad3658037d2d62aff2d3f76fa4fca99
scalar_mult_vfy(yb,Ya): (length: 56 bytes) scalar_mult_vfy(yb,Ya): (length: 56 bytes)
e434cda1783ddaaef08fc1d5f2201f1540fbc295fe2dd7cc38f20385 dc9edef7c127e79d32f2584f9fcd3269174fe32226c2082963879a6d
64824c98dbbe1978f121bdfead8e1a638913a6952cbec54867eb770a eafefb9c14efcee9fc1245917ad3658037d2d62aff2d3f76fa4fca99
B.4.5. Test vector for ISK calculation initiator/responder B.4.5. Test vector for ISK calculation initiator/responder
unordered cat of transcript : (length: 122 bytes) unordered cat of transcript : (length: 122 bytes)
38d4b87d2fcdcac1096dba1898361f27e29dc1e019f74f84a71199bf 38e233867540319ec86eaecc09a85dec233745db729f61c36bde14c0
d3dc8d09d2b823038f579f517591474be366968e2fb599bf14e55704 34200994fc4b6e8d263008c169585fd1d186d8ac560cb9f7ad0d1669
f40341446138d61c6c039c01560e8b19b8299fb39513f39302eebd4c 6503414461385062a0f33478914bf162a80dad39b5b266c1dd02f408
462694a33155a3a387e44aa613647fcf6303f918bad598aaab53bea8 573b41827e38599b682afbf7a0735adfd68c39ab4994fd1b03484627
49b9fd14da7403414462 0e38332b4da903414462
DSI = G.DSI_ISK, b'CPaceDecaf448_ISK': (length: 17 bytes) DSI = G.DSI_ISK, b'CPaceDecaf448_ISK': (length: 17 bytes)
435061636544656361663434385f49534b 435061636544656361663434385f49534b
lv_cat(DSI,sid,K)||MSGa||MSGb: (length: 214 bytes) lv_cat(DSI,sid,K)||MSGa||MSGb: (length: 214 bytes)
11435061636544656361663434385f49534b105223e0cdc45d657566 11435061636544656361663434385f49534b105223e0cdc45d657566
8d64c55200412438e434cda1783ddaaef08fc1d5f2201f1540fbc295 8d64c55200412438dc9edef7c127e79d32f2584f9fcd3269174fe322
fe2dd7cc38f2038564824c98dbbe1978f121bdfead8e1a638913a695 26c2082963879a6deafefb9c14efcee9fc1245917ad3658037d2d62a
2cbec54867eb770a38d4b87d2fcdcac1096dba1898361f27e29dc1e0 ff2d3f76fa4fca9938e233867540319ec86eaecc09a85dec233745db
19f74f84a71199bfd3dc8d09d2b823038f579f517591474be366968e 729f61c36bde14c034200994fc4b6e8d263008c169585fd1d186d8ac
2fb599bf14e55704f40341446138d61c6c039c01560e8b19b8299fb3 560cb9f7ad0d16696503414461385062a0f33478914bf162a80dad39
9513f39302eebd4c462694a33155a3a387e44aa613647fcf6303f918 b5b266c1dd02f408573b41827e38599b682afbf7a0735adfd68c39ab
bad598aaab53bea849b9fd14da7403414462 4994fd1b034846270e38332b4da903414462
ISK result: (length: 64 bytes) ISK result: (length: 64 bytes)
13636dc9b7d233ac24a2d5c4a85a72fe20145f7a47ad51cab40e087c a752612fe6dec542e96629a6eb68ecb9bfe2257224975e916035aee7
057831b69ee59b9c828732bde171cfca99afda4852bcaf04fe9f0a97 47c6aba32af2e6fe25eeb96261e6140100edcf95686e0aaa134026b4
592cdf5e2c9a5948 b5254fd271b7a4da
B.4.6. Test vector for ISK calculation parallel execution B.4.6. Test vector for ISK calculation parallel execution
ordered cat of transcript : (length: 122 bytes) ordered cat of transcript : (length: 124 bytes)
38d61c6c039c01560e8b19b8299fb39513f39302eebd4c462694a331 6f6338e233867540319ec86eaecc09a85dec233745db729f61c36bde
55a3a387e44aa613647fcf6303f918bad598aaab53bea849b9fd14da 14c034200994fc4b6e8d263008c169585fd1d186d8ac560cb9f7ad0d
740341446238d4b87d2fcdcac1096dba1898361f27e29dc1e019f74f 16696503414461385062a0f33478914bf162a80dad39b5b266c1dd02
84a71199bfd3dc8d09d2b823038f579f517591474be366968e2fb599 f408573b41827e38599b682afbf7a0735adfd68c39ab4994fd1b0348
bf14e55704f403414461 46270e38332b4da903414462
DSI = G.DSI_ISK, b'CPaceDecaf448_ISK': (length: 17 bytes) DSI = G.DSI_ISK, b'CPaceDecaf448_ISK': (length: 17 bytes)
435061636544656361663434385f49534b 435061636544656361663434385f49534b
lv_cat(DSI,sid,K)||oCAT(MSGa,MSGb): (length: 214 bytes) lv_cat(DSI,sid,K)||o_cat(MSGa,MSGb): (length: 216 bytes)
11435061636544656361663434385f49534b105223e0cdc45d657566 11435061636544656361663434385f49534b105223e0cdc45d657566
8d64c55200412438e434cda1783ddaaef08fc1d5f2201f1540fbc295 8d64c55200412438dc9edef7c127e79d32f2584f9fcd3269174fe322
fe2dd7cc38f2038564824c98dbbe1978f121bdfead8e1a638913a695 26c2082963879a6deafefb9c14efcee9fc1245917ad3658037d2d62a
2cbec54867eb770a38d61c6c039c01560e8b19b8299fb39513f39302 ff2d3f76fa4fca996f6338e233867540319ec86eaecc09a85dec2337
eebd4c462694a33155a3a387e44aa613647fcf6303f918bad598aaab 45db729f61c36bde14c034200994fc4b6e8d263008c169585fd1d186
53bea849b9fd14da740341446238d4b87d2fcdcac1096dba1898361f d8ac560cb9f7ad0d16696503414461385062a0f33478914bf162a80d
27e29dc1e019f74f84a71199bfd3dc8d09d2b823038f579f51759147 ad39b5b266c1dd02f408573b41827e38599b682afbf7a0735adfd68c
4be366968e2fb599bf14e55704f403414461 39ab4994fd1b034846270e38332b4da903414462
ISK result: (length: 64 bytes) ISK result: (length: 64 bytes)
999e8f8486670bc1bf874a4d8f1496b9ebd8909eb01cf46b275ec942 e6c79d30d4381a45bd47b14b769d41354211aff553ece937d4ac134f
2f22593064b272ba9e9e201a4a34a18729e48859a2d038c7c8cf0a0f 09844896c72a723b1f1b6da1ab281d759a15624d2bcd0e423b70b8b8
e8a90ddcbdde1126 50a4d0ed126a3026
B.4.7. Corresponding ANSI-C initializers B.4.7. Corresponding C programming language initializers
const uint8_t tc_PRS[] = { const unsigned char tc_PRS[] = {
0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, 0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64,
}; };
const uint8_t tc_CI[] = { const unsigned char tc_CI[] = {
0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a, 0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a,
0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72, 0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72,
}; };
const uint8_t tc_sid[] = { const unsigned char tc_sid[] = {
0x52,0x23,0xe0,0xcd,0xc4,0x5d,0x65,0x75,0x66,0x8d,0x64,0xc5, 0x52,0x23,0xe0,0xcd,0xc4,0x5d,0x65,0x75,0x66,0x8d,0x64,0xc5,
0x52,0x00,0x41,0x24, 0x52,0x00,0x41,0x24,
}; };
const uint8_t tc_g[] = { const unsigned char tc_g[] = {
0x68,0x2d,0x1a,0x4f,0x49,0xfc,0x2a,0x48,0x34,0x35,0x6a,0xe4, 0x68,0x2d,0x1a,0x4f,0x49,0xfc,0x2a,0x48,0x34,0x35,0x6a,0xe4,
0xd7,0xf5,0x86,0x36,0xbc,0x94,0x81,0x52,0x1c,0x84,0x5e,0x66, 0xd7,0xf5,0x86,0x36,0xbc,0x94,0x81,0x52,0x1c,0x84,0x5e,0x66,
0xe6,0xfb,0x0b,0x29,0x69,0x34,0x1d,0xf4,0x5f,0xba,0xea,0xea, 0xe6,0xfb,0x0b,0x29,0x69,0x34,0x1d,0xf4,0x5f,0xba,0xea,0xea,
0x9e,0x22,0x21,0xb3,0xf5,0xba,0xbc,0x54,0xc5,0xf8,0xce,0x45, 0x9e,0x22,0x21,0xb3,0xf5,0xba,0xbc,0x54,0xc5,0xf8,0xce,0x45,
0x69,0x88,0xff,0xc5,0x19,0xde,0xfa,0xeb, 0x69,0x88,0xff,0xc5,0x19,0xde,0xfa,0xeb,
}; };
const uint8_t tc_ya[] = { const unsigned char tc_ya[] = {
0xd8,0xd2,0xe2,0x6c,0x82,0x1a,0x12,0xd7,0xf5,0x9a,0x8d,0xee, 0x33,0xd5,0x61,0xf1,0x3c,0xfc,0x0d,0xca,0x27,0x9c,0x30,0xe8,
0x02,0x3d,0x3f,0x61,0x55,0x97,0x61,0x52,0xe1,0x6c,0x73,0xcb, 0xcd,0xe8,0x95,0x17,0x5d,0xc2,0x54,0x83,0x89,0x28,0x19,0xeb,
0xf6,0x8c,0x30,0x3d,0xf0,0x40,0x43,0x99,0xf0,0xa7,0xb6,0x14, 0xa1,0x32,0xd5,0x8c,0x13,0xc0,0x46,0x2a,0x8e,0xb0,0xd7,0x3f,
0xa6,0x5d,0xf5,0x0a,0x97,0x88,0xf0,0x0b,0x41,0x05,0x86,0xb4, 0xda,0x94,0x19,0x50,0x59,0x4b,0xef,0x51,0x91,0xd8,0x39,0x46,
0x43,0xf7,0x38,0xad,0x7f,0xf0,0x39,0x30, 0x91,0xf8,0x6e,0xdf,0xfc,0xad,0x6c,0x1e,
}; };
const uint8_t tc_ADa[] = { const unsigned char tc_ADa[] = {
0x41,0x44,0x61, 0x41,0x44,0x61,
}; };
const uint8_t tc_Ya[] = { const unsigned char tc_Ya[] = {
0xd4,0xb8,0x7d,0x2f,0xcd,0xca,0xc1,0x09,0x6d,0xba,0x18,0x98, 0xe2,0x33,0x86,0x75,0x40,0x31,0x9e,0xc8,0x6e,0xae,0xcc,0x09,
0x36,0x1f,0x27,0xe2,0x9d,0xc1,0xe0,0x19,0xf7,0x4f,0x84,0xa7, 0xa8,0x5d,0xec,0x23,0x37,0x45,0xdb,0x72,0x9f,0x61,0xc3,0x6b,
0x11,0x99,0xbf,0xd3,0xdc,0x8d,0x09,0xd2,0xb8,0x23,0x03,0x8f, 0xde,0x14,0xc0,0x34,0x20,0x09,0x94,0xfc,0x4b,0x6e,0x8d,0x26,
0x57,0x9f,0x51,0x75,0x91,0x47,0x4b,0xe3,0x66,0x96,0x8e,0x2f, 0x30,0x08,0xc1,0x69,0x58,0x5f,0xd1,0xd1,0x86,0xd8,0xac,0x56,
0xb5,0x99,0xbf,0x14,0xe5,0x57,0x04,0xf4, 0x0c,0xb9,0xf7,0xad,0x0d,0x16,0x69,0x65,
}; };
const uint8_t tc_yb[] = { const unsigned char tc_yb[] = {
0x91,0xba,0xe9,0x79,0x3f,0x4a,0x8a,0xce,0xb1,0xb5,0xc5,0x43, 0x25,0x23,0xc9,0x69,0xf6,0x8f,0xa2,0xb2,0xae,0xa2,0x94,0xc2,
0x75,0xa7,0xed,0x18,0x58,0xa7,0x9a,0x6e,0x72,0xda,0xb9,0x59, 0x53,0x9e,0xf3,0x6e,0xb1,0xe0,0x55,0x8a,0xbd,0x14,0x71,0x2a,
0xc8,0xbd,0xf3,0xa7,0x5a,0xc9,0xbb,0x4d,0xe2,0xa2,0x5a,0xf4, 0x78,0x28,0xf1,0x6a,0x85,0xed,0x2c,0x7e,0x77,0xe2,0xbd,0xd4,
0xd4,0xa9,0xa5,0xc5,0xbc,0x54,0x41,0xd1,0x9b,0x8e,0x3f,0x6f, 0x18,0x99,0x44,0x05,0xfb,0x1b,0x57,0xb6,0xbb,0xaa,0xdd,0x66,
0xcc,0xe7,0x19,0x6c,0x6a,0xfc,0x22,0x36, 0x84,0x98,0x92,0xaa,0xc9,0xd8,0x14,0x02,
}; };
const uint8_t tc_ADb[] = { const unsigned char tc_ADb[] = {
0x41,0x44,0x62, 0x41,0x44,0x62,
}; };
const uint8_t tc_Yb[] = { const unsigned char tc_Yb[] = {
0xd6,0x1c,0x6c,0x03,0x9c,0x01,0x56,0x0e,0x8b,0x19,0xb8,0x29, 0x50,0x62,0xa0,0xf3,0x34,0x78,0x91,0x4b,0xf1,0x62,0xa8,0x0d,
0x9f,0xb3,0x95,0x13,0xf3,0x93,0x02,0xee,0xbd,0x4c,0x46,0x26, 0xad,0x39,0xb5,0xb2,0x66,0xc1,0xdd,0x02,0xf4,0x08,0x57,0x3b,
0x94,0xa3,0x31,0x55,0xa3,0xa3,0x87,0xe4,0x4a,0xa6,0x13,0x64, 0x41,0x82,0x7e,0x38,0x59,0x9b,0x68,0x2a,0xfb,0xf7,0xa0,0x73,
0x7f,0xcf,0x63,0x03,0xf9,0x18,0xba,0xd5,0x98,0xaa,0xab,0x53, 0x5a,0xdf,0xd6,0x8c,0x39,0xab,0x49,0x94,0xfd,0x1b,0x03,0x48,
0xbe,0xa8,0x49,0xb9,0xfd,0x14,0xda,0x74, 0x46,0x27,0x0e,0x38,0x33,0x2b,0x4d,0xa9,
}; };
const uint8_t tc_K[] = { const unsigned char tc_K[] = {
0xe4,0x34,0xcd,0xa1,0x78,0x3d,0xda,0xae,0xf0,0x8f,0xc1,0xd5, 0xdc,0x9e,0xde,0xf7,0xc1,0x27,0xe7,0x9d,0x32,0xf2,0x58,0x4f,
0xf2,0x20,0x1f,0x15,0x40,0xfb,0xc2,0x95,0xfe,0x2d,0xd7,0xcc, 0x9f,0xcd,0x32,0x69,0x17,0x4f,0xe3,0x22,0x26,0xc2,0x08,0x29,
0x38,0xf2,0x03,0x85,0x64,0x82,0x4c,0x98,0xdb,0xbe,0x19,0x78, 0x63,0x87,0x9a,0x6d,0xea,0xfe,0xfb,0x9c,0x14,0xef,0xce,0xe9,
0xf1,0x21,0xbd,0xfe,0xad,0x8e,0x1a,0x63,0x89,0x13,0xa6,0x95, 0xfc,0x12,0x45,0x91,0x7a,0xd3,0x65,0x80,0x37,0xd2,0xd6,0x2a,
0x2c,0xbe,0xc5,0x48,0x67,0xeb,0x77,0x0a, 0xff,0x2d,0x3f,0x76,0xfa,0x4f,0xca,0x99,
}; };
const uint8_t tc_ISK_IR[] = { const unsigned char tc_ISK_IR[] = {
0x13,0x63,0x6d,0xc9,0xb7,0xd2,0x33,0xac,0x24,0xa2,0xd5,0xc4, 0xa7,0x52,0x61,0x2f,0xe6,0xde,0xc5,0x42,0xe9,0x66,0x29,0xa6,
0xa8,0x5a,0x72,0xfe,0x20,0x14,0x5f,0x7a,0x47,0xad,0x51,0xca, 0xeb,0x68,0xec,0xb9,0xbf,0xe2,0x25,0x72,0x24,0x97,0x5e,0x91,
0xb4,0x0e,0x08,0x7c,0x05,0x78,0x31,0xb6,0x9e,0xe5,0x9b,0x9c, 0x60,0x35,0xae,0xe7,0x47,0xc6,0xab,0xa3,0x2a,0xf2,0xe6,0xfe,
0x82,0x87,0x32,0xbd,0xe1,0x71,0xcf,0xca,0x99,0xaf,0xda,0x48, 0x25,0xee,0xb9,0x62,0x61,0xe6,0x14,0x01,0x00,0xed,0xcf,0x95,
0x52,0xbc,0xaf,0x04,0xfe,0x9f,0x0a,0x97,0x59,0x2c,0xdf,0x5e, 0x68,0x6e,0x0a,0xaa,0x13,0x40,0x26,0xb4,0xb5,0x25,0x4f,0xd2,
0x2c,0x9a,0x59,0x48, 0x71,0xb7,0xa4,0xda,
}; };
const uint8_t tc_ISK_SY[] = { const unsigned char tc_ISK_SY[] = {
0x99,0x9e,0x8f,0x84,0x86,0x67,0x0b,0xc1,0xbf,0x87,0x4a,0x4d, 0xe6,0xc7,0x9d,0x30,0xd4,0x38,0x1a,0x45,0xbd,0x47,0xb1,0x4b,
0x8f,0x14,0x96,0xb9,0xeb,0xd8,0x90,0x9e,0xb0,0x1c,0xf4,0x6b, 0x76,0x9d,0x41,0x35,0x42,0x11,0xaf,0xf5,0x53,0xec,0xe9,0x37,
0x27,0x5e,0xc9,0x42,0x2f,0x22,0x59,0x30,0x64,0xb2,0x72,0xba, 0xd4,0xac,0x13,0x4f,0x09,0x84,0x48,0x96,0xc7,0x2a,0x72,0x3b,
0x9e,0x9e,0x20,0x1a,0x4a,0x34,0xa1,0x87,0x29,0xe4,0x88,0x59, 0x1f,0x1b,0x6d,0xa1,0xab,0x28,0x1d,0x75,0x9a,0x15,0x62,0x4d,
0xa2,0xd0,0x38,0xc7,0xc8,0xcf,0x0a,0x0f,0xe8,0xa9,0x0d,0xdc, 0x2b,0xcd,0x0e,0x42,0x3b,0x70,0xb8,0xb8,0x50,0xa4,0xd0,0xed,
0xbd,0xde,0x11,0x26, 0x12,0x6a,0x30,0x26,
}; };
B.4.8. Test case for scalar_mult with valid inputs B.4.8. Test case for scalar_mult with valid inputs
s: (length: 56 bytes) s: (length: 56 bytes)
dd1bc7015daabb7672129cc35a3ba815486b139deff9bdeca7a4fc61 dd1bc7015daabb7672129cc35a3ba815486b139deff9bdeca7a4fc61
34323d34658761e90ff079972a7ca8aa5606498f4f4f0ebc0933a819 34323d34658761e90ff079972a7ca8aa5606498f4f4f0ebc0933a819
X: (length: 56 bytes) X: (length: 56 bytes)
601431d5e51f43d422a92d3fb2373bde28217aab42524c341aa404ea 601431d5e51f43d422a92d3fb2373bde28217aab42524c341aa404ea
ba5aa5541f7042dbb3253ce4c90f772b038a413dcb3a0f6bf3ae9e21 ba5aa5541f7042dbb3253ce4c90f772b038a413dcb3a0f6bf3ae9e21
skipping to change at page 54, line 36 skipping to change at page 55, line 36
Inputs Inputs
ADa = b'ADa' ADa = b'ADa'
ya (big endian): (length: 32 bytes) ya (big endian): (length: 32 bytes)
37574cfbf1b95ff6a8e2d7be462d4d01e6dde2618f34f4de9df869b2 37574cfbf1b95ff6a8e2d7be462d4d01e6dde2618f34f4de9df869b2
4f532c5d 4f532c5d
Outputs Outputs
Ya: (length: 65 bytes) Ya: (length: 65 bytes)
04b75c1bcda84a0f324aabb7f25cf853ed7fb327c33f23db6aeb320d 04b75c1bcda84a0f324aabb7f25cf853ed7fb327c33f23db6aeb320d
81df014649c2ac691925fce0eceac7dbc75eca25e6a1558066a610b4 81df014649c2ac691925fce0eceac7dbc75eca25e6a1558066a610b4
021488279e3b989d52 021488279e3b989d52
Alternative correct value for Ya: g^(-ya): Alternative correct value for Ya: g*(-ya):
(length: 65 bytes) (length: 65 bytes)
04b75c1bcda84a0f324aabb7f25cf853ed7fb327c33f23db6aeb320d 04b75c1bcda84a0f324aabb7f25cf853ed7fb327c33f23db6aeb320d
81df0146493d5396e5da031f1415382438a135da195eaa7f9a59ef4b 81df0146493d5396e5da031f1415382438a135da195eaa7f9a59ef4b
fdeb77d861c46762ad fdeb77d861c46762ad
MSGa = lv_cat(Ya,ADa): (length: 70 bytes) MSGa = lv_cat(Ya,ADa): (length: 70 bytes)
4104b75c1bcda84a0f324aabb7f25cf853ed7fb327c33f23db6aeb32 4104b75c1bcda84a0f324aabb7f25cf853ed7fb327c33f23db6aeb32
0d81df014649c2ac691925fce0eceac7dbc75eca25e6a1558066a610 0d81df014649c2ac691925fce0eceac7dbc75eca25e6a1558066a610
b4021488279e3b989d5203414461 b4021488279e3b989d5203414461
B.5.3. Test vector for MSGb B.5.3. Test vector for MSGb
Inputs Inputs
ADb = b'ADb' ADb = b'ADb'
yb (big endian): (length: 32 bytes) yb (big endian): (length: 32 bytes)
e5672fc9eb4e721f41d80181ec4c9fd9886668acc48024d33c82bb10 e5672fc9eb4e721f41d80181ec4c9fd9886668acc48024d33c82bb10
2aecba52 2aecba52
Outputs Outputs
Yb: (length: 65 bytes) Yb: (length: 65 bytes)
04bb2783a57337e74671f76452876b27839c0ea9e044e3aadaad2e64 04bb2783a57337e74671f76452876b27839c0ea9e044e3aadaad2e64
777ed27a90e80a99438e2f1c072462f2895c6dadf1b43867b92ffb65 777ed27a90e80a99438e2f1c072462f2895c6dadf1b43867b92ffb65
562b78c793947dcada 562b78c793947dcada
Alternative correct value for Yb: g^(-yb): Alternative correct value for Yb: g*(-yb):
(length: 65 bytes) (length: 65 bytes)
04bb2783a57337e74671f76452876b27839c0ea9e044e3aadaad2e64 04bb2783a57337e74671f76452876b27839c0ea9e044e3aadaad2e64
777ed27a9017f566bb71d0e3f9db9d0d76a392520e4bc79847d0049a 777ed27a9017f566bb71d0e3f9db9d0d76a392520e4bc79847d0049a
a9d487386c6b823525 a9d487386c6b823525
MSGb = lv_cat(Yb,ADb): (length: 70 bytes) MSGb = lv_cat(Yb,ADb): (length: 70 bytes)
4104bb2783a57337e74671f76452876b27839c0ea9e044e3aadaad2e 4104bb2783a57337e74671f76452876b27839c0ea9e044e3aadaad2e
64777ed27a90e80a99438e2f1c072462f2895c6dadf1b43867b92ffb 64777ed27a90e80a99438e2f1c072462f2895c6dadf1b43867b92ffb
65562b78c793947dcada03414462 65562b78c793947dcada03414462
B.5.4. Test vector for secret points K B.5.4. Test vector for secret points K
skipping to change at page 57, line 4 skipping to change at page 58, line 4
320d81df014649c2ac691925fce0eceac7dbc75eca25e6a1558066a6 320d81df014649c2ac691925fce0eceac7dbc75eca25e6a1558066a6
10b4021488279e3b989d52034144614104bb2783a57337e74671f764 10b4021488279e3b989d52034144614104bb2783a57337e74671f764
52876b27839c0ea9e044e3aadaad2e64777ed27a90e80a99438e2f1c 52876b27839c0ea9e044e3aadaad2e64777ed27a90e80a99438e2f1c
072462f2895c6dadf1b43867b92ffb65562b78c793947dcada034144 072462f2895c6dadf1b43867b92ffb65562b78c793947dcada034144
62 62
ISK result: (length: 32 bytes) ISK result: (length: 32 bytes)
7ae1e916606e44652e3c0d7231198af6519226339c241e546afd0bbf 7ae1e916606e44652e3c0d7231198af6519226339c241e546afd0bbf
48e1c96a 48e1c96a
B.5.6. Test vector for ISK calculation parallel execution B.5.6. Test vector for ISK calculation parallel execution
ordered cat of transcript : (length: 140 bytes) ordered cat of transcript : (length: 142 bytes)
4104bb2783a57337e74671f76452876b27839c0ea9e044e3aadaad2e 6f634104bb2783a57337e74671f76452876b27839c0ea9e044e3aada
64777ed27a90e80a99438e2f1c072462f2895c6dadf1b43867b92ffb ad2e64777ed27a90e80a99438e2f1c072462f2895c6dadf1b43867b9
65562b78c793947dcada034144624104b75c1bcda84a0f324aabb7f2 2ffb65562b78c793947dcada034144624104b75c1bcda84a0f324aab
5cf853ed7fb327c33f23db6aeb320d81df014649c2ac691925fce0ec b7f25cf853ed7fb327c33f23db6aeb320d81df014649c2ac691925fc
eac7dbc75eca25e6a1558066a610b4021488279e3b989d5203414461 e0eceac7dbc75eca25e6a1558066a610b4021488279e3b989d520341
4461
DSI = G.DSI_ISK, b'CPaceP256_XMD:SHA-256_SSWU_NU__ISK': DSI = G.DSI_ISK, b'CPaceP256_XMD:SHA-256_SSWU_NU__ISK':
(length: 34 bytes) (length: 34 bytes)
4350616365503235365f584d443a5348412d3235365f535357555f4e 4350616365503235365f584d443a5348412d3235365f535357555f4e
555f5f49534b 555f5f49534b
lv_cat(DSI,sid,K)||oCAT(MSGa,MSGb): (length: 225 bytes) lv_cat(DSI,sid,K)||o_cat(MSGa,MSGb): (length: 227 bytes)
224350616365503235365f584d443a5348412d3235365f535357555f 224350616365503235365f584d443a5348412d3235365f535357555f
4e555f5f49534b1034b36454cab2e7842c389f7d88ecb7df208fd12b 4e555f5f49534b1034b36454cab2e7842c389f7d88ecb7df208fd12b
283805750aeee6151bcd4211a6b71019e8fc416293ade24ed2bce12c 283805750aeee6151bcd4211a6b71019e8fc416293ade24ed2bce12c
394104bb2783a57337e74671f76452876b27839c0ea9e044e3aadaad 396f634104bb2783a57337e74671f76452876b27839c0ea9e044e3aa
2e64777ed27a90e80a99438e2f1c072462f2895c6dadf1b43867b92f daad2e64777ed27a90e80a99438e2f1c072462f2895c6dadf1b43867
fb65562b78c793947dcada034144624104b75c1bcda84a0f324aabb7 b92ffb65562b78c793947dcada034144624104b75c1bcda84a0f324a
f25cf853ed7fb327c33f23db6aeb320d81df014649c2ac691925fce0 abb7f25cf853ed7fb327c33f23db6aeb320d81df014649c2ac691925
eceac7dbc75eca25e6a1558066a610b4021488279e3b989d52034144 fce0eceac7dbc75eca25e6a1558066a610b4021488279e3b989d5203
61 414461
ISK result: (length: 32 bytes) ISK result: (length: 32 bytes)
c5b4e6d44f5bbb7637a77ec67afd768a1343c410f7e1f76f6549eb00 5600a5c5bea5e92695dd68bd33d7f7b58326199c27c9b7326d76e4f9
2623c0f1 cb2fb276
B.5.7. Corresponding ANSI-C initializers B.5.7. Corresponding C programming language initializers
const uint8_t tc_PRS[] = { const unsigned char tc_PRS[] = {
0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, 0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64,
}; };
const uint8_t tc_CI[] = { const unsigned char tc_CI[] = {
0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a, 0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a,
0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72, 0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72,
}; };
const uint8_t tc_sid[] = { const unsigned char tc_sid[] = {
0x34,0xb3,0x64,0x54,0xca,0xb2,0xe7,0x84,0x2c,0x38,0x9f,0x7d, 0x34,0xb3,0x64,0x54,0xca,0xb2,0xe7,0x84,0x2c,0x38,0x9f,0x7d,
0x88,0xec,0xb7,0xdf, 0x88,0xec,0xb7,0xdf,
}; };
const uint8_t tc_g[] = { const unsigned char tc_g[] = {
0x04,0x1b,0x51,0x43,0x31,0x14,0xe0,0x96,0xc9,0xd5,0x95,0xf0, 0x04,0x1b,0x51,0x43,0x31,0x14,0xe0,0x96,0xc9,0xd5,0x95,0xf0,
0x95,0x5f,0x57,0x17,0xa7,0x51,0x69,0xaf,0xb9,0x55,0x57,0xf4, 0x95,0x5f,0x57,0x17,0xa7,0x51,0x69,0xaf,0xb9,0x55,0x57,0xf4,
0xa6,0xf5,0x11,0x55,0x03,0x5d,0xee,0x19,0xc7,0x68,0x87,0xbc, 0xa6,0xf5,0x11,0x55,0x03,0x5d,0xee,0x19,0xc7,0x68,0x87,0xbc,
0xe5,0xc7,0xc0,0x54,0xfa,0x1f,0xe4,0x8a,0x4a,0x62,0xc7,0xfb, 0xe5,0xc7,0xc0,0x54,0xfa,0x1f,0xe4,0x8a,0x4a,0x62,0xc7,0xfb,
0x96,0xdc,0x75,0xe3,0x42,0x59,0xd2,0xf7,0x2b,0x8d,0x41,0xf3, 0x96,0xdc,0x75,0xe3,0x42,0x59,0xd2,0xf7,0x2b,0x8d,0x41,0xf3,
0x1b,0x8e,0x58,0x6b,0xcd, 0x1b,0x8e,0x58,0x6b,0xcd,
}; };
const uint8_t tc_ya[] = { const unsigned char tc_ya[] = {
0x37,0x57,0x4c,0xfb,0xf1,0xb9,0x5f,0xf6,0xa8,0xe2,0xd7,0xbe, 0x37,0x57,0x4c,0xfb,0xf1,0xb9,0x5f,0xf6,0xa8,0xe2,0xd7,0xbe,
0x46,0x2d,0x4d,0x01,0xe6,0xdd,0xe2,0x61,0x8f,0x34,0xf4,0xde, 0x46,0x2d,0x4d,0x01,0xe6,0xdd,0xe2,0x61,0x8f,0x34,0xf4,0xde,
0x9d,0xf8,0x69,0xb2,0x4f,0x53,0x2c,0x5d, 0x9d,0xf8,0x69,0xb2,0x4f,0x53,0x2c,0x5d,
}; };
const uint8_t tc_ADa[] = { const unsigned char tc_ADa[] = {
0x41,0x44,0x61, 0x41,0x44,0x61,
}; };
const uint8_t tc_Ya[] = { const unsigned char tc_Ya[] = {
0x04,0xb7,0x5c,0x1b,0xcd,0xa8,0x4a,0x0f,0x32,0x4a,0xab,0xb7, 0x04,0xb7,0x5c,0x1b,0xcd,0xa8,0x4a,0x0f,0x32,0x4a,0xab,0xb7,
0xf2,0x5c,0xf8,0x53,0xed,0x7f,0xb3,0x27,0xc3,0x3f,0x23,0xdb, 0xf2,0x5c,0xf8,0x53,0xed,0x7f,0xb3,0x27,0xc3,0x3f,0x23,0xdb,
0x6a,0xeb,0x32,0x0d,0x81,0xdf,0x01,0x46,0x49,0xc2,0xac,0x69, 0x6a,0xeb,0x32,0x0d,0x81,0xdf,0x01,0x46,0x49,0xc2,0xac,0x69,
0x19,0x25,0xfc,0xe0,0xec,0xea,0xc7,0xdb,0xc7,0x5e,0xca,0x25, 0x19,0x25,0xfc,0xe0,0xec,0xea,0xc7,0xdb,0xc7,0x5e,0xca,0x25,
0xe6,0xa1,0x55,0x80,0x66,0xa6,0x10,0xb4,0x02,0x14,0x88,0x27, 0xe6,0xa1,0x55,0x80,0x66,0xa6,0x10,0xb4,0x02,0x14,0x88,0x27,
0x9e,0x3b,0x98,0x9d,0x52, 0x9e,0x3b,0x98,0x9d,0x52,
}; };
const uint8_t tc_yb[] = { const unsigned char tc_yb[] = {
0xe5,0x67,0x2f,0xc9,0xeb,0x4e,0x72,0x1f,0x41,0xd8,0x01,0x81, 0xe5,0x67,0x2f,0xc9,0xeb,0x4e,0x72,0x1f,0x41,0xd8,0x01,0x81,
0xec,0x4c,0x9f,0xd9,0x88,0x66,0x68,0xac,0xc4,0x80,0x24,0xd3, 0xec,0x4c,0x9f,0xd9,0x88,0x66,0x68,0xac,0xc4,0x80,0x24,0xd3,
0x3c,0x82,0xbb,0x10,0x2a,0xec,0xba,0x52, 0x3c,0x82,0xbb,0x10,0x2a,0xec,0xba,0x52,
}; };
const uint8_t tc_ADb[] = { const unsigned char tc_ADb[] = {
0x41,0x44,0x62, 0x41,0x44,0x62,
}; };
const uint8_t tc_Yb[] = { const unsigned char tc_Yb[] = {
0x04,0xbb,0x27,0x83,0xa5,0x73,0x37,0xe7,0x46,0x71,0xf7,0x64, 0x04,0xbb,0x27,0x83,0xa5,0x73,0x37,0xe7,0x46,0x71,0xf7,0x64,
0x52,0x87,0x6b,0x27,0x83,0x9c,0x0e,0xa9,0xe0,0x44,0xe3,0xaa, 0x52,0x87,0x6b,0x27,0x83,0x9c,0x0e,0xa9,0xe0,0x44,0xe3,0xaa,
0xda,0xad,0x2e,0x64,0x77,0x7e,0xd2,0x7a,0x90,0xe8,0x0a,0x99, 0xda,0xad,0x2e,0x64,0x77,0x7e,0xd2,0x7a,0x90,0xe8,0x0a,0x99,
0x43,0x8e,0x2f,0x1c,0x07,0x24,0x62,0xf2,0x89,0x5c,0x6d,0xad, 0x43,0x8e,0x2f,0x1c,0x07,0x24,0x62,0xf2,0x89,0x5c,0x6d,0xad,
0xf1,0xb4,0x38,0x67,0xb9,0x2f,0xfb,0x65,0x56,0x2b,0x78,0xc7, 0xf1,0xb4,0x38,0x67,0xb9,0x2f,0xfb,0x65,0x56,0x2b,0x78,0xc7,
0x93,0x94,0x7d,0xca,0xda, 0x93,0x94,0x7d,0xca,0xda,
}; };
const uint8_t tc_K[] = { const unsigned char tc_K[] = {
0x8f,0xd1,0x2b,0x28,0x38,0x05,0x75,0x0a,0xee,0xe6,0x15,0x1b, 0x8f,0xd1,0x2b,0x28,0x38,0x05,0x75,0x0a,0xee,0xe6,0x15,0x1b,
0xcd,0x42,0x11,0xa6,0xb7,0x10,0x19,0xe8,0xfc,0x41,0x62,0x93, 0xcd,0x42,0x11,0xa6,0xb7,0x10,0x19,0xe8,0xfc,0x41,0x62,0x93,
0xad,0xe2,0x4e,0xd2,0xbc,0xe1,0x2c,0x39, 0xad,0xe2,0x4e,0xd2,0xbc,0xe1,0x2c,0x39,
}; };
const uint8_t tc_ISK_IR[] = { const unsigned char tc_ISK_IR[] = {
0x7a,0xe1,0xe9,0x16,0x60,0x6e,0x44,0x65,0x2e,0x3c,0x0d,0x72, 0x7a,0xe1,0xe9,0x16,0x60,0x6e,0x44,0x65,0x2e,0x3c,0x0d,0x72,
0x31,0x19,0x8a,0xf6,0x51,0x92,0x26,0x33,0x9c,0x24,0x1e,0x54, 0x31,0x19,0x8a,0xf6,0x51,0x92,0x26,0x33,0x9c,0x24,0x1e,0x54,
0x6a,0xfd,0x0b,0xbf,0x48,0xe1,0xc9,0x6a, 0x6a,0xfd,0x0b,0xbf,0x48,0xe1,0xc9,0x6a,
}; };
const uint8_t tc_ISK_SY[] = { const unsigned char tc_ISK_SY[] = {
0xc5,0xb4,0xe6,0xd4,0x4f,0x5b,0xbb,0x76,0x37,0xa7,0x7e,0xc6, 0x56,0x00,0xa5,0xc5,0xbe,0xa5,0xe9,0x26,0x95,0xdd,0x68,0xbd,
0x7a,0xfd,0x76,0x8a,0x13,0x43,0xc4,0x10,0xf7,0xe1,0xf7,0x6f, 0x33,0xd7,0xf7,0xb5,0x83,0x26,0x19,0x9c,0x27,0xc9,0xb7,0x32,
0x65,0x49,0xeb,0x00,0x26,0x23,0xc0,0xf1, 0x6d,0x76,0xe4,0xf9,0xcb,0x2f,0xb2,0x76,
}; };
B.5.8. Test case for scalar_mult_vfy with correct inputs B.5.8. Test case for scalar_mult_vfy with correct inputs
s: (length: 32 bytes) s: (length: 32 bytes)
f012501c091ff9b99a123fffe571d8bc01e8077ee581362e1bd21399 f012501c091ff9b99a123fffe571d8bc01e8077ee581362e1bd21399
0835643b 0835643b
X: (length: 65 bytes) X: (length: 65 bytes)
0424648eb986c2be0af636455cef0550671d6bcd8aa26e0d72ffa1b1 0424648eb986c2be0af636455cef0550671d6bcd8aa26e0d72ffa1b1
fd12ba4e0f78da2b6d2184f31af39e566aef127014b6936c9a37346d fd12ba4e0f78da2b6d2184f31af39e566aef127014b6936c9a37346d
10a4ab2514faef5831 10a4ab2514faef5831
skipping to change at page 60, line 32 skipping to change at page 61, line 32
04f35a925fe82e54350e80b084a8013b1960cb3f73c49b0c2ae9b523 04f35a925fe82e54350e80b084a8013b1960cb3f73c49b0c2ae9b523
997846ddd14c66f24f62223112cf35b866065f91ad86674cce2a2876 997846ddd14c66f24f62223112cf35b866065f91ad86674cce2a2876
84904e49f01287b54666bb518df2ea53cec627fa6e1283f14c6ed4bc 84904e49f01287b54666bb518df2ea53cec627fa6e1283f14c6ed4bc
d11b33fbb962da3e2e4ff1345c d11b33fbb962da3e2e4ff1345c
B.6.2. Test vector for MSGa B.6.2. Test vector for MSGa
Inputs Inputs
ADa = b'ADa' ADa = b'ADa'
ya (big endian): (length: 48 bytes) ya (big endian): (length: 48 bytes)
7d5bc6a8959f9db2655b8b6642e393dc13d25150d69c6675fb3efd41 ef433dd5ad142c860e7cb6400dd315d388d5ec5420c550e9d6f0907f
ae6255bf54202b960f9aacd97fd6d2841b461f18 375d988bc4d704837e43561c497e7dd93edcdb9d
Outputs Outputs
Ya: (length: 97 bytes) Ya: (length: 97 bytes)
048b65b9ef4c5726664391ceeae241834b275960a6f9316799f5c974 04fd864c1a81f0e657a8a3f8e4ebafa421da712b6fb98f0abfa139ff
eceb71dfb6d36e989addf2ae8c4e338f204b2cd754e1c43b43a12692 971718cab474fa74c6a44b80a46468699280dd5d271252f3b9c05acc
8d8d81ce2e6edbc22a99ed478ad3487b87e1052bce2d94b6464a2228 93dbd8b939152987cd5a8d1fb7b70c45512c993ec5456cc10f1797c9
eab73c01f79d6b290af6b218cf 2fac2f1b7e363478a9ecd79e74
Alternative correct value for Ya: g^(-ya): Alternative correct value for Ya: g*(-ya):
(length: 97 bytes) (length: 97 bytes)
048b65b9ef4c5726664391ceeae241834b275960a6f9316799f5c974 04fd864c1a81f0e657a8a3f8e4ebafa421da712b6fb98f0abfa139ff
eceb71dfb6d36e989addf2ae8c4e338f204b2cd7541e3bc4bc5ed96d 971718cab474fa74c6a44b80a46468699280dd5d27edad0c463fa533
72727e31d191243dd56612b8752cb784781efad431d26b49b8b5ddd7 6c242746c6ead67832a572e04848f3baaed366c13aba933eefe86836
1448c3fe086294d6f6094de730 cf53d0e481c9cb87571328618b
MSGa = lv_cat(Ya,ADa): (length: 102 bytes) MSGa = lv_cat(Ya,ADa): (length: 102 bytes)
61048b65b9ef4c5726664391ceeae241834b275960a6f9316799f5c9 6104fd864c1a81f0e657a8a3f8e4ebafa421da712b6fb98f0abfa139
74eceb71dfb6d36e989addf2ae8c4e338f204b2cd754e1c43b43a126 ff971718cab474fa74c6a44b80a46468699280dd5d271252f3b9c05a
928d8d81ce2e6edbc22a99ed478ad3487b87e1052bce2d94b6464a22 cc93dbd8b939152987cd5a8d1fb7b70c45512c993ec5456cc10f1797
28eab73c01f79d6b290af6b218cf03414461 c92fac2f1b7e363478a9ecd79e7403414461
B.6.3. Test vector for MSGb B.6.3. Test vector for MSGb
Inputs Inputs
ADb = b'ADb' ADb = b'ADb'
yb (big endian): (length: 48 bytes) yb (big endian): (length: 48 bytes)
5cc9465bdb3ae626b77521ea36218fc93a9693c36ff126899e3d8777 50b0e36b95a2edfaa8342b843dddc90b175330f2399c1b36586dedda
c126ef05483e34c05576c9e8c64b1a0b6f5b53d1 3c255975f30be6a750f9404fccc62a6323b5e471
Outputs Outputs
Yb: (length: 97 bytes) Yb: (length: 97 bytes)
04cb68451813699abda3dc0ed9d521baf9108bc2c4b2a1dbcd90a083 04822b9874755c51adfdf624101eb4dc12a8ae433750be4fd6f4f7eb
63f5e458938d6fe634ed6393bc8440ec9b9f8a30841ffcc7cd65d9cf f6954ddb57837752a4effa4a5b44627a64b62a2db9d3c9c031c4ad37
9617155e129bccded9888ac738f78e940f9887f9089ab6275d36c3ab dbe7bf180d6bcba54feb4e84eeb876ebfa64a85d4c5ac2063dc05ba7
1bccbd048b088b1b80a0f56f27 26810824c41e1893faa9373a84
Alternative correct value for Yb: g^(-yb): Alternative correct value for Yb: g*(-yb):
(length: 97 bytes) (length: 97 bytes)
04cb68451813699abda3dc0ed9d521baf9108bc2c4b2a1dbcd90a083 04822b9874755c51adfdf624101eb4dc12a8ae433750be4fd6f4f7eb
63f5e458938d6fe634ed6393bc8440ec9b9f8a3084e00338329a2630 f6954ddb57837752a4effa4a5b44627a64b62a2db92c363fce3b52c8
69e8eaa1ed64332126777538c708716bf0677806f76549d8a1c93c54 241840e7f294345ab014b17b11478914059b57a2b3a53df9c13fa458
e33342fb74f774e4805f0a90d8 d87ef7db3be1e76c0656c8c57b
MSGb = lv_cat(Yb,ADb): (length: 102 bytes) MSGb = lv_cat(Yb,ADb): (length: 102 bytes)
6104cb68451813699abda3dc0ed9d521baf9108bc2c4b2a1dbcd90a0 6104822b9874755c51adfdf624101eb4dc12a8ae433750be4fd6f4f7
8363f5e458938d6fe634ed6393bc8440ec9b9f8a30841ffcc7cd65d9 ebf6954ddb57837752a4effa4a5b44627a64b62a2db9d3c9c031c4ad
cf9617155e129bccded9888ac738f78e940f9887f9089ab6275d36c3 37dbe7bf180d6bcba54feb4e84eeb876ebfa64a85d4c5ac2063dc05b
ab1bccbd048b088b1b80a0f56f2703414462 a726810824c41e1893faa9373a8403414462
B.6.4. Test vector for secret points K B.6.4. Test vector for secret points K
scalar_mult_vfy(ya,Yb): (length: 48 bytes) scalar_mult_vfy(ya,Yb): (length: 48 bytes)
c862709d6bfe7cc02f0c11dafdbf4ef8db1c5e4cb13a22985a83bef1 374290a54e07015baad085b311b18fbae1a20652e137c7c4bd13d565
8631361ed7d8cd97b12931844b7ac61b2f31d332 7d8b1ace028eb5acfba8c68d6211a79fff0965c9
scalar_mult_vfy(yb,Ya): (length: 48 bytes) scalar_mult_vfy(yb,Ya): (length: 48 bytes)
c862709d6bfe7cc02f0c11dafdbf4ef8db1c5e4cb13a22985a83bef1 374290a54e07015baad085b311b18fbae1a20652e137c7c4bd13d565
8631361ed7d8cd97b12931844b7ac61b2f31d332 7d8b1ace028eb5acfba8c68d6211a79fff0965c9
B.6.5. Test vector for ISK calculation initiator/responder B.6.5. Test vector for ISK calculation initiator/responder
unordered cat of transcript : (length: 204 bytes) unordered cat of transcript : (length: 204 bytes)
61048b65b9ef4c5726664391ceeae241834b275960a6f9316799f5c9 6104fd864c1a81f0e657a8a3f8e4ebafa421da712b6fb98f0abfa139
74eceb71dfb6d36e989addf2ae8c4e338f204b2cd754e1c43b43a126 ff971718cab474fa74c6a44b80a46468699280dd5d271252f3b9c05a
928d8d81ce2e6edbc22a99ed478ad3487b87e1052bce2d94b6464a22 cc93dbd8b939152987cd5a8d1fb7b70c45512c993ec5456cc10f1797
28eab73c01f79d6b290af6b218cf034144616104cb68451813699abd c92fac2f1b7e363478a9ecd79e74034144616104822b9874755c51ad
a3dc0ed9d521baf9108bc2c4b2a1dbcd90a08363f5e458938d6fe634 fdf624101eb4dc12a8ae433750be4fd6f4f7ebf6954ddb57837752a4
ed6393bc8440ec9b9f8a30841ffcc7cd65d9cf9617155e129bccded9 effa4a5b44627a64b62a2db9d3c9c031c4ad37dbe7bf180d6bcba54f
888ac738f78e940f9887f9089ab6275d36c3ab1bccbd048b088b1b80 eb4e84eeb876ebfa64a85d4c5ac2063dc05ba726810824c41e1893fa
a0f56f2703414462 a9373a8403414462
DSI = G.DSI_ISK, b'CPaceP384_XMD:SHA-384_SSWU_NU__ISK': DSI = G.DSI_ISK, b'CPaceP384_XMD:SHA-384_SSWU_NU__ISK':
(length: 34 bytes) (length: 34 bytes)
4350616365503338345f584d443a5348412d3338345f535357555f4e 4350616365503338345f584d443a5348412d3338345f535357555f4e
555f5f49534b 555f5f49534b
lv_cat(DSI,sid,K)||MSGa||MSGb: (length: 305 bytes) lv_cat(DSI,sid,K)||MSGa||MSGb: (length: 305 bytes)
224350616365503338345f584d443a5348412d3338345f535357555f 224350616365503338345f584d443a5348412d3338345f535357555f
4e555f5f49534b105b3773aa90e8f23c61563a4b645b276c30c86270 4e555f5f49534b105b3773aa90e8f23c61563a4b645b276c30374290
9d6bfe7cc02f0c11dafdbf4ef8db1c5e4cb13a22985a83bef1863136 a54e07015baad085b311b18fbae1a20652e137c7c4bd13d5657d8b1a
1ed7d8cd97b12931844b7ac61b2f31d33261048b65b9ef4c57266643 ce028eb5acfba8c68d6211a79fff0965c96104fd864c1a81f0e657a8
91ceeae241834b275960a6f9316799f5c974eceb71dfb6d36e989add a3f8e4ebafa421da712b6fb98f0abfa139ff971718cab474fa74c6a4
f2ae8c4e338f204b2cd754e1c43b43a126928d8d81ce2e6edbc22a99 4b80a46468699280dd5d271252f3b9c05acc93dbd8b939152987cd5a
ed478ad3487b87e1052bce2d94b6464a2228eab73c01f79d6b290af6 8d1fb7b70c45512c993ec5456cc10f1797c92fac2f1b7e363478a9ec
b218cf034144616104cb68451813699abda3dc0ed9d521baf9108bc2 d79e74034144616104822b9874755c51adfdf624101eb4dc12a8ae43
c4b2a1dbcd90a08363f5e458938d6fe634ed6393bc8440ec9b9f8a30 3750be4fd6f4f7ebf6954ddb57837752a4effa4a5b44627a64b62a2d
841ffcc7cd65d9cf9617155e129bccded9888ac738f78e940f9887f9 b9d3c9c031c4ad37dbe7bf180d6bcba54feb4e84eeb876ebfa64a85d
089ab6275d36c3ab1bccbd048b088b1b80a0f56f2703414462 4c5ac2063dc05ba726810824c41e1893faa9373a8403414462
ISK result: (length: 48 bytes) ISK result: (length: 48 bytes)
db1e8133be8359b9aa8cd563043ee784344f26580876862e28b3f98b a62d337820ce9cc1195a1adfb3c1efc2d844c0d8c6bc44bd060fe3cd
51b2f611a65362c1d77db66c879de466f5b6148a d4ee8d2343aca0168c2b58478354a37d8d8856bd
B.6.6. Test vector for ISK calculation parallel execution B.6.6. Test vector for ISK calculation parallel execution
ordered cat of transcript : (length: 204 bytes) ordered cat of transcript : (length: 206 bytes)
6104cb68451813699abda3dc0ed9d521baf9108bc2c4b2a1dbcd90a0 6f636104fd864c1a81f0e657a8a3f8e4ebafa421da712b6fb98f0abf
8363f5e458938d6fe634ed6393bc8440ec9b9f8a30841ffcc7cd65d9 a139ff971718cab474fa74c6a44b80a46468699280dd5d271252f3b9
cf9617155e129bccded9888ac738f78e940f9887f9089ab6275d36c3 c05acc93dbd8b939152987cd5a8d1fb7b70c45512c993ec5456cc10f
ab1bccbd048b088b1b80a0f56f270341446261048b65b9ef4c572666 1797c92fac2f1b7e363478a9ecd79e74034144616104822b9874755c
4391ceeae241834b275960a6f9316799f5c974eceb71dfb6d36e989a 51adfdf624101eb4dc12a8ae433750be4fd6f4f7ebf6954ddb578377
ddf2ae8c4e338f204b2cd754e1c43b43a126928d8d81ce2e6edbc22a 52a4effa4a5b44627a64b62a2db9d3c9c031c4ad37dbe7bf180d6bcb
99ed478ad3487b87e1052bce2d94b6464a2228eab73c01f79d6b290a a54feb4e84eeb876ebfa64a85d4c5ac2063dc05ba726810824c41e18
f6b218cf03414461 93faa9373a8403414462
DSI = G.DSI_ISK, b'CPaceP384_XMD:SHA-384_SSWU_NU__ISK': DSI = G.DSI_ISK, b'CPaceP384_XMD:SHA-384_SSWU_NU__ISK':
(length: 34 bytes) (length: 34 bytes)
4350616365503338345f584d443a5348412d3338345f535357555f4e 4350616365503338345f584d443a5348412d3338345f535357555f4e
555f5f49534b 555f5f49534b
lv_cat(DSI,sid,K)||oCAT(MSGa,MSGb): (length: 305 bytes) lv_cat(DSI,sid,K)||o_cat(MSGa,MSGb): (length: 307 bytes)
224350616365503338345f584d443a5348412d3338345f535357555f 224350616365503338345f584d443a5348412d3338345f535357555f
4e555f5f49534b105b3773aa90e8f23c61563a4b645b276c30c86270 4e555f5f49534b105b3773aa90e8f23c61563a4b645b276c30374290
9d6bfe7cc02f0c11dafdbf4ef8db1c5e4cb13a22985a83bef1863136 a54e07015baad085b311b18fbae1a20652e137c7c4bd13d5657d8b1a
1ed7d8cd97b12931844b7ac61b2f31d3326104cb68451813699abda3 ce028eb5acfba8c68d6211a79fff0965c96f636104fd864c1a81f0e6
dc0ed9d521baf9108bc2c4b2a1dbcd90a08363f5e458938d6fe634ed 57a8a3f8e4ebafa421da712b6fb98f0abfa139ff971718cab474fa74
6393bc8440ec9b9f8a30841ffcc7cd65d9cf9617155e129bccded988 c6a44b80a46468699280dd5d271252f3b9c05acc93dbd8b939152987
8ac738f78e940f9887f9089ab6275d36c3ab1bccbd048b088b1b80a0 cd5a8d1fb7b70c45512c993ec5456cc10f1797c92fac2f1b7e363478
f56f270341446261048b65b9ef4c5726664391ceeae241834b275960 a9ecd79e74034144616104822b9874755c51adfdf624101eb4dc12a8
a6f9316799f5c974eceb71dfb6d36e989addf2ae8c4e338f204b2cd7 ae433750be4fd6f4f7ebf6954ddb57837752a4effa4a5b44627a64b6
54e1c43b43a126928d8d81ce2e6edbc22a99ed478ad3487b87e1052b 2a2db9d3c9c031c4ad37dbe7bf180d6bcba54feb4e84eeb876ebfa64
ce2d94b6464a2228eab73c01f79d6b290af6b218cf03414461 a85d4c5ac2063dc05ba726810824c41e1893faa9373a8403414462
ISK result: (length: 48 bytes) ISK result: (length: 48 bytes)
519bfbb1477652e8ed1b4ec5774e310c4f44da46f3c36be91b0dd6b4 eebf988a62b5c854f0ba32822ab45d23329bd1c78c84a4a0e1b40704
e3a3245942cf4d9db8f79023dad6e1b57aed4891 c99c0a6f6c01c29af5fc6943254b883ce8a65ea1
B.6.7. Corresponding ANSI-C initializers B.6.7. Corresponding C programming language initializers
const uint8_t tc_PRS[] = { const unsigned char tc_PRS[] = {
0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, 0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64,
}; };
const uint8_t tc_CI[] = { const unsigned char tc_CI[] = {
0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a, 0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a,
0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72, 0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72,
}; };
const uint8_t tc_sid[] = { const unsigned char tc_sid[] = {
0x5b,0x37,0x73,0xaa,0x90,0xe8,0xf2,0x3c,0x61,0x56,0x3a,0x4b, 0x5b,0x37,0x73,0xaa,0x90,0xe8,0xf2,0x3c,0x61,0x56,0x3a,0x4b,
0x64,0x5b,0x27,0x6c, 0x64,0x5b,0x27,0x6c,
}; };
const uint8_t tc_g[] = { const unsigned char tc_g[] = {
0x04,0xf3,0x5a,0x92,0x5f,0xe8,0x2e,0x54,0x35,0x0e,0x80,0xb0, 0x04,0xf3,0x5a,0x92,0x5f,0xe8,0x2e,0x54,0x35,0x0e,0x80,0xb0,
0x84,0xa8,0x01,0x3b,0x19,0x60,0xcb,0x3f,0x73,0xc4,0x9b,0x0c, 0x84,0xa8,0x01,0x3b,0x19,0x60,0xcb,0x3f,0x73,0xc4,0x9b,0x0c,
0x2a,0xe9,0xb5,0x23,0x99,0x78,0x46,0xdd,0xd1,0x4c,0x66,0xf2, 0x2a,0xe9,0xb5,0x23,0x99,0x78,0x46,0xdd,0xd1,0x4c,0x66,0xf2,
0x4f,0x62,0x22,0x31,0x12,0xcf,0x35,0xb8,0x66,0x06,0x5f,0x91, 0x4f,0x62,0x22,0x31,0x12,0xcf,0x35,0xb8,0x66,0x06,0x5f,0x91,
0xad,0x86,0x67,0x4c,0xce,0x2a,0x28,0x76,0x84,0x90,0x4e,0x49, 0xad,0x86,0x67,0x4c,0xce,0x2a,0x28,0x76,0x84,0x90,0x4e,0x49,
0xf0,0x12,0x87,0xb5,0x46,0x66,0xbb,0x51,0x8d,0xf2,0xea,0x53, 0xf0,0x12,0x87,0xb5,0x46,0x66,0xbb,0x51,0x8d,0xf2,0xea,0x53,
0xce,0xc6,0x27,0xfa,0x6e,0x12,0x83,0xf1,0x4c,0x6e,0xd4,0xbc, 0xce,0xc6,0x27,0xfa,0x6e,0x12,0x83,0xf1,0x4c,0x6e,0xd4,0xbc,
0xd1,0x1b,0x33,0xfb,0xb9,0x62,0xda,0x3e,0x2e,0x4f,0xf1,0x34, 0xd1,0x1b,0x33,0xfb,0xb9,0x62,0xda,0x3e,0x2e,0x4f,0xf1,0x34,
0x5c, 0x5c,
}; };
const uint8_t tc_ya[] = { const unsigned char tc_ya[] = {
0x7d,0x5b,0xc6,0xa8,0x95,0x9f,0x9d,0xb2,0x65,0x5b,0x8b,0x66, 0xef,0x43,0x3d,0xd5,0xad,0x14,0x2c,0x86,0x0e,0x7c,0xb6,0x40,
0x42,0xe3,0x93,0xdc,0x13,0xd2,0x51,0x50,0xd6,0x9c,0x66,0x75, 0x0d,0xd3,0x15,0xd3,0x88,0xd5,0xec,0x54,0x20,0xc5,0x50,0xe9,
0xfb,0x3e,0xfd,0x41,0xae,0x62,0x55,0xbf,0x54,0x20,0x2b,0x96, 0xd6,0xf0,0x90,0x7f,0x37,0x5d,0x98,0x8b,0xc4,0xd7,0x04,0x83,
0x0f,0x9a,0xac,0xd9,0x7f,0xd6,0xd2,0x84,0x1b,0x46,0x1f,0x18, 0x7e,0x43,0x56,0x1c,0x49,0x7e,0x7d,0xd9,0x3e,0xdc,0xdb,0x9d,
}; };
const uint8_t tc_ADa[] = { const unsigned char tc_ADa[] = {
0x41,0x44,0x61, 0x41,0x44,0x61,
}; };
const uint8_t tc_Ya[] = { const unsigned char tc_Ya[] = {
0x04,0x8b,0x65,0xb9,0xef,0x4c,0x57,0x26,0x66,0x43,0x91,0xce, 0x04,0xfd,0x86,0x4c,0x1a,0x81,0xf0,0xe6,0x57,0xa8,0xa3,0xf8,
0xea,0xe2,0x41,0x83,0x4b,0x27,0x59,0x60,0xa6,0xf9,0x31,0x67, 0xe4,0xeb,0xaf,0xa4,0x21,0xda,0x71,0x2b,0x6f,0xb9,0x8f,0x0a,
0x99,0xf5,0xc9,0x74,0xec,0xeb,0x71,0xdf,0xb6,0xd3,0x6e,0x98, 0xbf,0xa1,0x39,0xff,0x97,0x17,0x18,0xca,0xb4,0x74,0xfa,0x74,
0x9a,0xdd,0xf2,0xae,0x8c,0x4e,0x33,0x8f,0x20,0x4b,0x2c,0xd7, 0xc6,0xa4,0x4b,0x80,0xa4,0x64,0x68,0x69,0x92,0x80,0xdd,0x5d,
0x54,0xe1,0xc4,0x3b,0x43,0xa1,0x26,0x92,0x8d,0x8d,0x81,0xce, 0x27,0x12,0x52,0xf3,0xb9,0xc0,0x5a,0xcc,0x93,0xdb,0xd8,0xb9,
0x2e,0x6e,0xdb,0xc2,0x2a,0x99,0xed,0x47,0x8a,0xd3,0x48,0x7b, 0x39,0x15,0x29,0x87,0xcd,0x5a,0x8d,0x1f,0xb7,0xb7,0x0c,0x45,
0x87,0xe1,0x05,0x2b,0xce,0x2d,0x94,0xb6,0x46,0x4a,0x22,0x28, 0x51,0x2c,0x99,0x3e,0xc5,0x45,0x6c,0xc1,0x0f,0x17,0x97,0xc9,
0xea,0xb7,0x3c,0x01,0xf7,0x9d,0x6b,0x29,0x0a,0xf6,0xb2,0x18, 0x2f,0xac,0x2f,0x1b,0x7e,0x36,0x34,0x78,0xa9,0xec,0xd7,0x9e,
0xcf, 0x74,
}; };
const uint8_t tc_yb[] = { const unsigned char tc_yb[] = {
0x5c,0xc9,0x46,0x5b,0xdb,0x3a,0xe6,0x26,0xb7,0x75,0x21,0xea, 0x50,0xb0,0xe3,0x6b,0x95,0xa2,0xed,0xfa,0xa8,0x34,0x2b,0x84,
0x36,0x21,0x8f,0xc9,0x3a,0x96,0x93,0xc3,0x6f,0xf1,0x26,0x89, 0x3d,0xdd,0xc9,0x0b,0x17,0x53,0x30,0xf2,0x39,0x9c,0x1b,0x36,
0x9e,0x3d,0x87,0x77,0xc1,0x26,0xef,0x05,0x48,0x3e,0x34,0xc0, 0x58,0x6d,0xed,0xda,0x3c,0x25,0x59,0x75,0xf3,0x0b,0xe6,0xa7,
0x55,0x76,0xc9,0xe8,0xc6,0x4b,0x1a,0x0b,0x6f,0x5b,0x53,0xd1, 0x50,0xf9,0x40,0x4f,0xcc,0xc6,0x2a,0x63,0x23,0xb5,0xe4,0x71,
}; };
const uint8_t tc_ADb[] = { const unsigned char tc_ADb[] = {
0x41,0x44,0x62, 0x41,0x44,0x62,
}; };
const uint8_t tc_Yb[] = { const unsigned char tc_Yb[] = {
0x04,0xcb,0x68,0x45,0x18,0x13,0x69,0x9a,0xbd,0xa3,0xdc,0x0e, 0x04,0x82,0x2b,0x98,0x74,0x75,0x5c,0x51,0xad,0xfd,0xf6,0x24,
0xd9,0xd5,0x21,0xba,0xf9,0x10,0x8b,0xc2,0xc4,0xb2,0xa1,0xdb, 0x10,0x1e,0xb4,0xdc,0x12,0xa8,0xae,0x43,0x37,0x50,0xbe,0x4f,
0xcd,0x90,0xa0,0x83,0x63,0xf5,0xe4,0x58,0x93,0x8d,0x6f,0xe6, 0xd6,0xf4,0xf7,0xeb,0xf6,0x95,0x4d,0xdb,0x57,0x83,0x77,0x52,
0x34,0xed,0x63,0x93,0xbc,0x84,0x40,0xec,0x9b,0x9f,0x8a,0x30, 0xa4,0xef,0xfa,0x4a,0x5b,0x44,0x62,0x7a,0x64,0xb6,0x2a,0x2d,
0x84,0x1f,0xfc,0xc7,0xcd,0x65,0xd9,0xcf,0x96,0x17,0x15,0x5e, 0xb9,0xd3,0xc9,0xc0,0x31,0xc4,0xad,0x37,0xdb,0xe7,0xbf,0x18,
0x12,0x9b,0xcc,0xde,0xd9,0x88,0x8a,0xc7,0x38,0xf7,0x8e,0x94, 0x0d,0x6b,0xcb,0xa5,0x4f,0xeb,0x4e,0x84,0xee,0xb8,0x76,0xeb,
0x0f,0x98,0x87,0xf9,0x08,0x9a,0xb6,0x27,0x5d,0x36,0xc3,0xab, 0xfa,0x64,0xa8,0x5d,0x4c,0x5a,0xc2,0x06,0x3d,0xc0,0x5b,0xa7,
0x1b,0xcc,0xbd,0x04,0x8b,0x08,0x8b,0x1b,0x80,0xa0,0xf5,0x6f, 0x26,0x81,0x08,0x24,0xc4,0x1e,0x18,0x93,0xfa,0xa9,0x37,0x3a,
0x27, 0x84,
}; };
const uint8_t tc_K[] = { const unsigned char tc_K[] = {
0xc8,0x62,0x70,0x9d,0x6b,0xfe,0x7c,0xc0,0x2f,0x0c,0x11,0xda, 0x37,0x42,0x90,0xa5,0x4e,0x07,0x01,0x5b,0xaa,0xd0,0x85,0xb3,
0xfd,0xbf,0x4e,0xf8,0xdb,0x1c,0x5e,0x4c,0xb1,0x3a,0x22,0x98, 0x11,0xb1,0x8f,0xba,0xe1,0xa2,0x06,0x52,0xe1,0x37,0xc7,0xc4,
0x5a,0x83,0xbe,0xf1,0x86,0x31,0x36,0x1e,0xd7,0xd8,0xcd,0x97, 0xbd,0x13,0xd5,0x65,0x7d,0x8b,0x1a,0xce,0x02,0x8e,0xb5,0xac,
0xb1,0x29,0x31,0x84,0x4b,0x7a,0xc6,0x1b,0x2f,0x31,0xd3,0x32, 0xfb,0xa8,0xc6,0x8d,0x62,0x11,0xa7,0x9f,0xff,0x09,0x65,0xc9,
}; };
const uint8_t tc_ISK_IR[] = { const unsigned char tc_ISK_IR[] = {
0xdb,0x1e,0x81,0x33,0xbe,0x83,0x59,0xb9,0xaa,0x8c,0xd5,0x63, 0xa6,0x2d,0x33,0x78,0x20,0xce,0x9c,0xc1,0x19,0x5a,0x1a,0xdf,
0x04,0x3e,0xe7,0x84,0x34,0x4f,0x26,0x58,0x08,0x76,0x86,0x2e, 0xb3,0xc1,0xef,0xc2,0xd8,0x44,0xc0,0xd8,0xc6,0xbc,0x44,0xbd,
0x28,0xb3,0xf9,0x8b,0x51,0xb2,0xf6,0x11,0xa6,0x53,0x62,0xc1, 0x06,0x0f,0xe3,0xcd,0xd4,0xee,0x8d,0x23,0x43,0xac,0xa0,0x16,
0xd7,0x7d,0xb6,0x6c,0x87,0x9d,0xe4,0x66,0xf5,0xb6,0x14,0x8a, 0x8c,0x2b,0x58,0x47,0x83,0x54,0xa3,0x7d,0x8d,0x88,0x56,0xbd,
}; };
const uint8_t tc_ISK_SY[] = { const unsigned char tc_ISK_SY[] = {
0x51,0x9b,0xfb,0xb1,0x47,0x76,0x52,0xe8,0xed,0x1b,0x4e,0xc5, 0xee,0xbf,0x98,0x8a,0x62,0xb5,0xc8,0x54,0xf0,0xba,0x32,0x82,
0x77,0x4e,0x31,0x0c,0x4f,0x44,0xda,0x46,0xf3,0xc3,0x6b,0xe9, 0x2a,0xb4,0x5d,0x23,0x32,0x9b,0xd1,0xc7,0x8c,0x84,0xa4,0xa0,
0x1b,0x0d,0xd6,0xb4,0xe3,0xa3,0x24,0x59,0x42,0xcf,0x4d,0x9d, 0xe1,0xb4,0x07,0x04,0xc9,0x9c,0x0a,0x6f,0x6c,0x01,0xc2,0x9a,
0xb8,0xf7,0x90,0x23,0xda,0xd6,0xe1,0xb5,0x7a,0xed,0x48,0x91, 0xf5,0xfc,0x69,0x43,0x25,0x4b,0x88,0x3c,0xe8,0xa6,0x5e,0xa1,
}; };
B.6.8. Test case for scalar_mult_vfy with correct inputs B.6.8. Test case for scalar_mult_vfy with correct inputs
s: (length: 48 bytes) s: (length: 48 bytes)
6e8a99a5cdd408eae98e1b8aed286e7b12adbbdac7f2c628d9060ce9 6e8a99a5cdd408eae98e1b8aed286e7b12adbbdac7f2c628d9060ce9
2ae0d90bd57a564fd3500fbcce3425dc94ba0ade 2ae0d90bd57a564fd3500fbcce3425dc94ba0ade
X: (length: 97 bytes) X: (length: 97 bytes)
045b4cd53c4506cc04ba4c44f2762d5d32c3e55df25b8baa5571b165 045b4cd53c4506cc04ba4c44f2762d5d32c3e55df25b8baa5571b165
7ad9576efea8259f0684de065a470585b4be876748c7797054f3defe 7ad9576efea8259f0684de065a470585b4be876748c7797054f3defe
skipping to change at page 67, line 17 skipping to change at page 68, line 17
006367e9c2aeff9f1db19af600cca73343d47cbe446cebbd1ccd783f 006367e9c2aeff9f1db19af600cca73343d47cbe446cebbd1ccd783f
82755a872da86fd0707eb3767c6114f1803deb62d63bdd1e613f67e6 82755a872da86fd0707eb3767c6114f1803deb62d63bdd1e613f67e6
3e8c141ee5310e3ee819 3e8c141ee5310e3ee819
Outputs Outputs
Ya: (length: 133 bytes) Ya: (length: 133 bytes)
04003701ec35caafa3dd416cad29ba1774551f9d2ed89f7e1065706d 04003701ec35caafa3dd416cad29ba1774551f9d2ed89f7e1065706d
ca230b86a11d02e4cee8b3fde64380d4a05983167d8a2414bc594ad5 ca230b86a11d02e4cee8b3fde64380d4a05983167d8a2414bc594ad5
286c068792ab7ca60ff6ea00919c41c00e789dabc2f42fd94178d7bf 286c068792ab7ca60ff6ea00919c41c00e789dabc2f42fd94178d7bf
d8fbe1aff1c1854b3dafb3a0ea13f5a5fc1703860f022bd271740469 d8fbe1aff1c1854b3dafb3a0ea13f5a5fc1703860f022bd271740469
bb322b07c179c7c225499b31727c0ea3ee65578634 bb322b07c179c7c225499b31727c0ea3ee65578634
Alternative correct value for Ya: g^(-ya): Alternative correct value for Ya: g*(-ya):
(length: 133 bytes) (length: 133 bytes)
04003701ec35caafa3dd416cad29ba1774551f9d2ed89f7e1065706d 04003701ec35caafa3dd416cad29ba1774551f9d2ed89f7e1065706d
ca230b86a11d02e4cee8b3fde64380d4a05983167d8a2414bc594ad5 ca230b86a11d02e4cee8b3fde64380d4a05983167d8a2414bc594ad5
286c068792ab7ca60ff6ea016e63be3ff18762543d0bd026be872840 286c068792ab7ca60ff6ea016e63be3ff18762543d0bd026be872840
27041e500e3e7ab4c2504c5f15ec0a5a03e8fc79f0fdd42d8e8bfb96 27041e500e3e7ab4c2504c5f15ec0a5a03e8fc79f0fdd42d8e8bfb96
44cdd4f83e86383ddab664ce8d83f15c119aa879cb 44cdd4f83e86383ddab664ce8d83f15c119aa879cb
MSGa = lv_cat(Ya,ADa): (length: 139 bytes) MSGa = lv_cat(Ya,ADa): (length: 139 bytes)
850104003701ec35caafa3dd416cad29ba1774551f9d2ed89f7e1065 850104003701ec35caafa3dd416cad29ba1774551f9d2ed89f7e1065
706dca230b86a11d02e4cee8b3fde64380d4a05983167d8a2414bc59 706dca230b86a11d02e4cee8b3fde64380d4a05983167d8a2414bc59
4ad5286c068792ab7ca60ff6ea00919c41c00e789dabc2f42fd94178 4ad5286c068792ab7ca60ff6ea00919c41c00e789dabc2f42fd94178
skipping to change at page 68, line 17 skipping to change at page 69, line 17
009227bf8dc741dacc9422f8bf3c0e96fce9587bc562eaafe0dc5f6f 009227bf8dc741dacc9422f8bf3c0e96fce9587bc562eaafe0dc5f6f
82f28594e4a6f98553560c62b75fa4abb198cecbbb86ebd41b0ea025 82f28594e4a6f98553560c62b75fa4abb198cecbbb86ebd41b0ea025
4cde78ac68d39a240ae7 4cde78ac68d39a240ae7
Outputs Outputs
Yb: (length: 133 bytes) Yb: (length: 133 bytes)
0400f5cb68bf0117bd1a65412a2bc800af92013f9969cf546e1ea6d3 0400f5cb68bf0117bd1a65412a2bc800af92013f9969cf546e1ea6d3
bcf08643fdc482130aec1eecc33a2b5f33600be51295047fa3399fa2 bcf08643fdc482130aec1eecc33a2b5f33600be51295047fa3399fa2
82cc1a78de91f3a4e30b5d01a085b453f22bf3dc947386b042e5fc4e 82cc1a78de91f3a4e30b5d01a085b453f22bf3dc947386b042e5fc4e
c691fee47fe3c3ec6408c22a17c26bc0ab73940910614d6fcee32daf c691fee47fe3c3ec6408c22a17c26bc0ab73940910614d6fcee32daf
bfd2d340d6e382d71b1fc763d7cec502fbcbcf93b4 bfd2d340d6e382d71b1fc763d7cec502fbcbcf93b4
Alternative correct value for Yb: g^(-yb): Alternative correct value for Yb: g*(-yb):
(length: 133 bytes) (length: 133 bytes)
0400f5cb68bf0117bd1a65412a2bc800af92013f9969cf546e1ea6d3 0400f5cb68bf0117bd1a65412a2bc800af92013f9969cf546e1ea6d3
bcf08643fdc482130aec1eecc33a2b5f33600be51295047fa3399fa2 bcf08643fdc482130aec1eecc33a2b5f33600be51295047fa3399fa2
82cc1a78de91f3a4e30b5d005f7a4bac0dd40c236b8c794fbd1a03b1 82cc1a78de91f3a4e30b5d005f7a4bac0dd40c236b8c794fbd1a03b1
396e011b801c3c139bf73dd5e83d943f548c6bf6ef9eb290311cd250 396e011b801c3c139bf73dd5e83d943f548c6bf6ef9eb290311cd250
402d2cbf291c7d28e4e0389c28313afd0434306c4b 402d2cbf291c7d28e4e0389c28313afd0434306c4b
MSGb = lv_cat(Yb,ADb): (length: 139 bytes) MSGb = lv_cat(Yb,ADb): (length: 139 bytes)
85010400f5cb68bf0117bd1a65412a2bc800af92013f9969cf546e1e 85010400f5cb68bf0117bd1a65412a2bc800af92013f9969cf546e1e
a6d3bcf08643fdc482130aec1eecc33a2b5f33600be51295047fa339 a6d3bcf08643fdc482130aec1eecc33a2b5f33600be51295047fa339
9fa282cc1a78de91f3a4e30b5d01a085b453f22bf3dc947386b042e5 9fa282cc1a78de91f3a4e30b5d01a085b453f22bf3dc947386b042e5
skipping to change at page 70, line 4 skipping to change at page 71, line 4
1295047fa3399fa282cc1a78de91f3a4e30b5d01a085b453f22bf3dc 1295047fa3399fa282cc1a78de91f3a4e30b5d01a085b453f22bf3dc
947386b042e5fc4ec691fee47fe3c3ec6408c22a17c26bc0ab739409 947386b042e5fc4ec691fee47fe3c3ec6408c22a17c26bc0ab739409
10614d6fcee32dafbfd2d340d6e382d71b1fc763d7cec502fbcbcf93 10614d6fcee32dafbfd2d340d6e382d71b1fc763d7cec502fbcbcf93
b403414462 b403414462
ISK result: (length: 64 bytes) ISK result: (length: 64 bytes)
ed208a15af3ef8a67a5cac4acb360d03154570e3b1b1c54867f53a72 ed208a15af3ef8a67a5cac4acb360d03154570e3b1b1c54867f53a72
53cb919d13aa47efc647375be2250cb39ad965afa4ddfcb6be47d586 53cb919d13aa47efc647375be2250cb39ad965afa4ddfcb6be47d586
d28c7eef6d654525 d28c7eef6d654525
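The "Alternative correct value for Ya: g*(-ya)" entries in B.6.2, B.6.3, B.7.2 and B.7.3 and the "secret points K" vectors in B.6.4 go together: scalar_mult_vfy returns only the x-coordinate of the product, and negating a point leaves its x-coordinate unchanged, so a peer that sends -Ya instead of Ya still arrives at the same K. The following is an added example, not code from the CPace draft or its reference implementation: a small affine P-384 in pure Python that re-derives the draft-11 B.6.2 to B.6.4 vectors, rejects malformed or off-curve input before any multiplication, and returns None where the draft returns its neutral-element marker G.I (the None choice and the exact rejection order are assumptions of this example). It is variable-time and exists only to check vectors, never to run a real handshake.

```python
# Added example, not code from the CPace draft or its reference
# implementation: a pure-Python affine P-384 that re-derives the B.6.2-B.6.4
# vectors of draft-11 and shows why the "alternative correct value" g*(-ya)
# is accepted. Variable-time, for checking vectors only, never for
# production use. Needs Python 3.8+ for pow(x, -1, P).

# NIST P-384 domain parameters (FIPS 186-4).
P = 2**384 - 2**128 - 2**96 + 2**32 - 1
A = P - 3
B = 0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef
N = 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
FIELD_BYTES = 48

# Vectors copied from Appendix B.6 of draft-irtf-cfrg-cpace-11.
YA_SCALAR = bytes.fromhex(
    "ef433dd5ad142c860e7cb6400dd315d388d5ec5420c550e9d6f0907f"
    "375d988bc4d704837e43561c497e7dd93edcdb9d")
YB_SCALAR = bytes.fromhex(
    "50b0e36b95a2edfaa8342b843dddc90b175330f2399c1b36586dedda"
    "3c255975f30be6a750f9404fccc62a6323b5e471")
YA = bytes.fromhex(
    "04fd864c1a81f0e657a8a3f8e4ebafa421da712b6fb98f0abfa139ff"
    "971718cab474fa74c6a44b80a46468699280dd5d271252f3b9c05acc"
    "93dbd8b939152987cd5a8d1fb7b70c45512c993ec5456cc10f1797c9"
    "2fac2f1b7e363478a9ecd79e74")
YA_ALT = bytes.fromhex(
    "04fd864c1a81f0e657a8a3f8e4ebafa421da712b6fb98f0abfa139ff"
    "971718cab474fa74c6a44b80a46468699280dd5d27edad0c463fa533"
    "6c242746c6ead67832a572e04848f3baaed366c13aba933eefe86836"
    "cf53d0e481c9cb87571328618b")
YB = bytes.fromhex(
    "04822b9874755c51adfdf624101eb4dc12a8ae433750be4fd6f4f7eb"
    "f6954ddb57837752a4effa4a5b44627a64b62a2db9d3c9c031c4ad37"
    "dbe7bf180d6bcba54feb4e84eeb876ebfa64a85d4c5ac2063dc05ba7"
    "26810824c41e1893faa9373a84")
K = bytes.fromhex(
    "374290a54e07015baad085b311b18fbae1a20652e137c7c4bd13d565"
    "7d8b1ace028eb5acfba8c68d6211a79fff0965c9")


def _decode(point: bytes):
    """Uncompressed SEC1 point -> (x, y); None if malformed or not on P-384."""
    if len(point) != 1 + 2 * FIELD_BYTES or point[0] != 0x04:
        return None
    x = int.from_bytes(point[1:1 + FIELD_BYTES], "big")
    y = int.from_bytes(point[1 + FIELD_BYTES:], "big")
    if x >= P or y >= P:
        return None
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        return None  # off-curve: reject before touching the scalar
    return (x, y)


def _encode(pt) -> bytes:
    x, y = pt
    return b"\x04" + x.to_bytes(FIELD_BYTES, "big") + y.to_bytes(FIELD_BYTES, "big")


def _add(p1, p2):
    """Affine point addition; None stands for the neutral element."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # Q + (-Q)
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k: int, pt):
    """Plain left-to-right double-and-add (not constant-time)."""
    acc = None
    for bit in bin(k)[2:]:
        acc = _add(acc, acc)
        if bit == "1":
            acc = _add(acc, pt)
    return acc


def negate_point(point: bytes) -> bytes:
    """The draft's alternative correct value: same x, y replaced by p - y."""
    pt = _decode(point)
    if pt is None:
        raise ValueError("not a valid P-384 point")
    x, y = pt
    return _encode((x, (-y) % P))


def scalar_mult_vfy(scalar: bytes, point: bytes):
    """CPace scalar_mult_vfy for P-384: x-coordinate of scalar*point as
    48 bytes, or None where the draft returns G.I (bad encoding, off-curve
    point, or a neutral-element result); callers must abort on None."""
    pt = _decode(point)
    if pt is None:
        return None
    res = _mul(int.from_bytes(scalar, "big"), pt)
    if res is None:
        return None
    return res[0].to_bytes(FIELD_BYTES, "big")


if __name__ == "__main__":
    print("K from (ya, Yb):   ", scalar_mult_vfy(YA_SCALAR, YB).hex())
    print("K from (yb, Ya):   ", scalar_mult_vfy(YB_SCALAR, YA).hex())
    print("K from (ya, -Yb):  ", scalar_mult_vfy(YA_SCALAR, negate_point(YB)).hex())
    print("-Ya matches B.6.2: ", negate_point(YA) == YA_ALT)
```

The interesting assertions are the last two: K is identical whether the peer sent Yb or -Yb, which is exactly why the draft lists both encodings as correct, and a scalar equal to the group order drives the product to the neutral element and must be reported as G.I rather than as an all-zero x-coordinate that a careless implementation might accept as a key.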
B.7.6. Test vector for ISK calculation parallel execution B.7.6. Test vector for ISK calculation parallel execution
ordered cat of transcript : (length: 278 bytes) ordered cat of transcript : (length: 280 bytes)
85010400f5cb68bf0117bd1a65412a2bc800af92013f9969cf546e1e 6f6385010400f5cb68bf0117bd1a65412a2bc800af92013f9969cf54
a6d3bcf08643fdc482130aec1eecc33a2b5f33600be51295047fa339 6e1ea6d3bcf08643fdc482130aec1eecc33a2b5f33600be51295047f
9fa282cc1a78de91f3a4e30b5d01a085b453f22bf3dc947386b042e5 a3399fa282cc1a78de91f3a4e30b5d01a085b453f22bf3dc947386b0
fc4ec691fee47fe3c3ec6408c22a17c26bc0ab73940910614d6fcee3 42e5fc4ec691fee47fe3c3ec6408c22a17c26bc0ab73940910614d6f
2dafbfd2d340d6e382d71b1fc763d7cec502fbcbcf93b40341446285 cee32dafbfd2d340d6e382d71b1fc763d7cec502fbcbcf93b4034144
0104003701ec35caafa3dd416cad29ba1774551f9d2ed89f7e106570 62850104003701ec35caafa3dd416cad29ba1774551f9d2ed89f7e10
6dca230b86a11d02e4cee8b3fde64380d4a05983167d8a2414bc594a 65706dca230b86a11d02e4cee8b3fde64380d4a05983167d8a2414bc
d5286c068792ab7ca60ff6ea00919c41c00e789dabc2f42fd94178d7 594ad5286c068792ab7ca60ff6ea00919c41c00e789dabc2f42fd941
bfd8fbe1aff1c1854b3dafb3a0ea13f5a5fc1703860f022bd2717404 78d7bfd8fbe1aff1c1854b3dafb3a0ea13f5a5fc1703860f022bd271
69bb322b07c179c7c225499b31727c0ea3ee6557863403414461 740469bb322b07c179c7c225499b31727c0ea3ee6557863403414461
DSI = G.DSI_ISK, b'CPaceP521_XMD:SHA-512_SSWU_NU__ISK': DSI = G.DSI_ISK, b'CPaceP521_XMD:SHA-512_SSWU_NU__ISK':
(length: 34 bytes) (length: 34 bytes)
4350616365503532315f584d443a5348412d3531325f535357555f4e 4350616365503532315f584d443a5348412d3531325f535357555f4e
555f5f49534b 555f5f49534b
lv_cat(DSI,sid,K)||oCAT(MSGa,MSGb): (length: 397 bytes) lv_cat(DSI,sid,K)||o_cat(MSGa,MSGb): (length: 399 bytes)
224350616365503532315f584d443a5348412d3531325f535357555f 224350616365503532315f584d443a5348412d3531325f535357555f
4e555f5f49534b107e4b4791d6a8ef019b936c79fb7f2c574200503e 4e555f5f49534b107e4b4791d6a8ef019b936c79fb7f2c574200503e
75e38e012a6dc6f3561980e4cf540dbcff3de3a4a6f09d79c32cc457 75e38e012a6dc6f3561980e4cf540dbcff3de3a4a6f09d79c32cc457
64d3a6605eb45df1dc63fb7937b7879f2820da1b3266b69fa099bf87 64d3a6605eb45df1dc63fb7937b7879f2820da1b3266b69fa099bf87
20dd8f6a07e8ed85010400f5cb68bf0117bd1a65412a2bc800af9201 20dd8f6a07e8ed6f6385010400f5cb68bf0117bd1a65412a2bc800af
3f9969cf546e1ea6d3bcf08643fdc482130aec1eecc33a2b5f33600b 92013f9969cf546e1ea6d3bcf08643fdc482130aec1eecc33a2b5f33
e51295047fa3399fa282cc1a78de91f3a4e30b5d01a085b453f22bf3 600be51295047fa3399fa282cc1a78de91f3a4e30b5d01a085b453f2
dc947386b042e5fc4ec691fee47fe3c3ec6408c22a17c26bc0ab7394 2bf3dc947386b042e5fc4ec691fee47fe3c3ec6408c22a17c26bc0ab
0910614d6fcee32dafbfd2d340d6e382d71b1fc763d7cec502fbcbcf 73940910614d6fcee32dafbfd2d340d6e382d71b1fc763d7cec502fb
93b403414462850104003701ec35caafa3dd416cad29ba1774551f9d cbcf93b403414462850104003701ec35caafa3dd416cad29ba177455
2ed89f7e1065706dca230b86a11d02e4cee8b3fde64380d4a0598316 1f9d2ed89f7e1065706dca230b86a11d02e4cee8b3fde64380d4a059
7d8a2414bc594ad5286c068792ab7ca60ff6ea00919c41c00e789dab 83167d8a2414bc594ad5286c068792ab7ca60ff6ea00919c41c00e78
c2f42fd94178d7bfd8fbe1aff1c1854b3dafb3a0ea13f5a5fc170386 9dabc2f42fd94178d7bfd8fbe1aff1c1854b3dafb3a0ea13f5a5fc17
0f022bd271740469bb322b07c179c7c225499b31727c0ea3ee655786 03860f022bd271740469bb322b07c179c7c225499b31727c0ea3ee65
3403414461 57863403414461
ISK result: (length: 64 bytes) ISK result: (length: 64 bytes)
aae7320b73ba2516f289f71088662d41c4314d00521c48ea3c9c85ea e7b10b6da531d9a8fd47fdd08441e8bb803d16c59a93e366d5cd9a10
ca57112e55eb2b4094d4a0c7813ddd95c5d80c5596ad686d2eba876b 277bbc543d943182889154704d80f2b0756ed62da87e0eb4e6d07920
a1cd92f90407aa3d 480100d5e800ca85
B.7.7. Corresponding ANSI-C initializers B.7.7. Corresponding C programming language initializers
const uint8_t tc_PRS[] = { const unsigned char tc_PRS[] = {
0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, 0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64,
}; };
const uint8_t tc_CI[] = { const unsigned char tc_CI[] = {
0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a, 0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a,
0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72, 0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72,
}; };
const uint8_t tc_sid[] = { const unsigned char tc_sid[] = {
0x7e,0x4b,0x47,0x91,0xd6,0xa8,0xef,0x01,0x9b,0x93,0x6c,0x79, 0x7e,0x4b,0x47,0x91,0xd6,0xa8,0xef,0x01,0x9b,0x93,0x6c,0x79,
0xfb,0x7f,0x2c,0x57, 0xfb,0x7f,0x2c,0x57,
}; };
const uint8_t tc_g[] = { const unsigned char tc_g[] = {
0x04,0x00,0xdc,0x92,0x79,0x58,0xf0,0xb6,0x9c,0xca,0xd8,0xfb, 0x04,0x00,0xdc,0x92,0x79,0x58,0xf0,0xb6,0x9c,0xca,0xd8,0xfb,
0x67,0xef,0x00,0x89,0x05,0x35,0x4b,0x58,0xc7,0xc9,0xc9,0x2a, 0x67,0xef,0x00,0x89,0x05,0x35,0x4b,0x58,0xc7,0xc9,0xc9,0x2a,
0xd5,0x00,0x60,0xa9,0xe6,0xaf,0xb1,0x04,0x37,0xd6,0xca,0x8a, 0xd5,0x00,0x60,0xa9,0xe6,0xaf,0xb1,0x04,0x37,0xd6,0xca,0x8a,
0x26,0x16,0x4e,0x85,0x73,0x70,0x2b,0x89,0x72,0x75,0xa2,0x5d, 0x26,0x16,0x4e,0x85,0x73,0x70,0x2b,0x89,0x72,0x75,0xa2,0x5d,
0x05,0xed,0x44,0x07,0xaf,0x2a,0x38,0x49,0x86,0xdc,0xa7,0xe2, 0x05,0xed,0x44,0x07,0xaf,0x2a,0x38,0x49,0x86,0xdc,0xa7,0xe2,
0x43,0xb9,0x2c,0x5d,0xd5,0x00,0xd4,0x00,0x57,0x01,0x21,0x21, 0x43,0xb9,0x2c,0x5d,0xd5,0x00,0xd4,0x00,0x57,0x01,0x21,0x21,
0xa9,0xc8,0xe3,0x43,0x73,0xfa,0x61,0x9f,0x91,0x8f,0x7d,0x47, 0xa9,0xc8,0xe3,0x43,0x73,0xfa,0x61,0x9f,0x91,0x8f,0x7d,0x47,
0x9c,0x23,0xf8,0x5f,0x04,0x85,0x37,0x9e,0xf0,0xf0,0x52,0x84, 0x9c,0x23,0xf8,0x5f,0x04,0x85,0x37,0x9e,0xf0,0xf0,0x52,0x84,
0x39,0x8d,0xe2,0x66,0x53,0xb4,0x9a,0x15,0x53,0x24,0xc9,0xd7, 0x39,0x8d,0xe2,0x66,0x53,0xb4,0x9a,0x15,0x53,0x24,0xc9,0xd7,
0xb1,0x38,0xbe,0x84,0xd0,0xb4,0x9b,0xb5,0x8e,0x23,0x2b,0x7b, 0xb1,0x38,0xbe,0x84,0xd0,0xb4,0x9b,0xb5,0x8e,0x23,0x2b,0x7b,
0xf6,0x97,0x79,0x8d,0xe6,0xee,0x8a,0xfd,0x6b,0x92,0xb6,0xfa, 0xf6,0x97,0x79,0x8d,0xe6,0xee,0x8a,0xfd,0x6b,0x92,0xb6,0xfa,
0x2f, 0x2f,
}; };
const uint8_t tc_ya[] = { const unsigned char tc_ya[] = {
0x00,0x63,0x67,0xe9,0xc2,0xae,0xff,0x9f,0x1d,0xb1,0x9a,0xf6, 0x00,0x63,0x67,0xe9,0xc2,0xae,0xff,0x9f,0x1d,0xb1,0x9a,0xf6,
0x00,0xcc,0xa7,0x33,0x43,0xd4,0x7c,0xbe,0x44,0x6c,0xeb,0xbd, 0x00,0xcc,0xa7,0x33,0x43,0xd4,0x7c,0xbe,0x44,0x6c,0xeb,0xbd,
0x1c,0xcd,0x78,0x3f,0x82,0x75,0x5a,0x87,0x2d,0xa8,0x6f,0xd0, 0x1c,0xcd,0x78,0x3f,0x82,0x75,0x5a,0x87,0x2d,0xa8,0x6f,0xd0,
0x70,0x7e,0xb3,0x76,0x7c,0x61,0x14,0xf1,0x80,0x3d,0xeb,0x62, 0x70,0x7e,0xb3,0x76,0x7c,0x61,0x14,0xf1,0x80,0x3d,0xeb,0x62,
0xd6,0x3b,0xdd,0x1e,0x61,0x3f,0x67,0xe6,0x3e,0x8c,0x14,0x1e, 0xd6,0x3b,0xdd,0x1e,0x61,0x3f,0x67,0xe6,0x3e,0x8c,0x14,0x1e,
0xe5,0x31,0x0e,0x3e,0xe8,0x19, 0xe5,0x31,0x0e,0x3e,0xe8,0x19,
}; };
const uint8_t tc_ADa[] = { const unsigned char tc_ADa[] = {
0x41,0x44,0x61, 0x41,0x44,0x61,
}; };
const uint8_t tc_Ya[] = { const unsigned char tc_Ya[] = {
0x04,0x00,0x37,0x01,0xec,0x35,0xca,0xaf,0xa3,0xdd,0x41,0x6c, 0x04,0x00,0x37,0x01,0xec,0x35,0xca,0xaf,0xa3,0xdd,0x41,0x6c,
0xad,0x29,0xba,0x17,0x74,0x55,0x1f,0x9d,0x2e,0xd8,0x9f,0x7e, 0xad,0x29,0xba,0x17,0x74,0x55,0x1f,0x9d,0x2e,0xd8,0x9f,0x7e,
0x10,0x65,0x70,0x6d,0xca,0x23,0x0b,0x86,0xa1,0x1d,0x02,0xe4, 0x10,0x65,0x70,0x6d,0xca,0x23,0x0b,0x86,0xa1,0x1d,0x02,0xe4,
0xce,0xe8,0xb3,0xfd,0xe6,0x43,0x80,0xd4,0xa0,0x59,0x83,0x16, 0xce,0xe8,0xb3,0xfd,0xe6,0x43,0x80,0xd4,0xa0,0x59,0x83,0x16,
0x7d,0x8a,0x24,0x14,0xbc,0x59,0x4a,0xd5,0x28,0x6c,0x06,0x87, 0x7d,0x8a,0x24,0x14,0xbc,0x59,0x4a,0xd5,0x28,0x6c,0x06,0x87,
0x92,0xab,0x7c,0xa6,0x0f,0xf6,0xea,0x00,0x91,0x9c,0x41,0xc0, 0x92,0xab,0x7c,0xa6,0x0f,0xf6,0xea,0x00,0x91,0x9c,0x41,0xc0,
0x0e,0x78,0x9d,0xab,0xc2,0xf4,0x2f,0xd9,0x41,0x78,0xd7,0xbf, 0x0e,0x78,0x9d,0xab,0xc2,0xf4,0x2f,0xd9,0x41,0x78,0xd7,0xbf,
0xd8,0xfb,0xe1,0xaf,0xf1,0xc1,0x85,0x4b,0x3d,0xaf,0xb3,0xa0, 0xd8,0xfb,0xe1,0xaf,0xf1,0xc1,0x85,0x4b,0x3d,0xaf,0xb3,0xa0,
0xea,0x13,0xf5,0xa5,0xfc,0x17,0x03,0x86,0x0f,0x02,0x2b,0xd2, 0xea,0x13,0xf5,0xa5,0xfc,0x17,0x03,0x86,0x0f,0x02,0x2b,0xd2,
0x71,0x74,0x04,0x69,0xbb,0x32,0x2b,0x07,0xc1,0x79,0xc7,0xc2, 0x71,0x74,0x04,0x69,0xbb,0x32,0x2b,0x07,0xc1,0x79,0xc7,0xc2,
0x25,0x49,0x9b,0x31,0x72,0x7c,0x0e,0xa3,0xee,0x65,0x57,0x86, 0x25,0x49,0x9b,0x31,0x72,0x7c,0x0e,0xa3,0xee,0x65,0x57,0x86,
0x34, 0x34,
}; };
const uint8_t tc_yb[] = { const unsigned char tc_yb[] = {
0x00,0x92,0x27,0xbf,0x8d,0xc7,0x41,0xda,0xcc,0x94,0x22,0xf8, 0x00,0x92,0x27,0xbf,0x8d,0xc7,0x41,0xda,0xcc,0x94,0x22,0xf8,
0xbf,0x3c,0x0e,0x96,0xfc,0xe9,0x58,0x7b,0xc5,0x62,0xea,0xaf, 0xbf,0x3c,0x0e,0x96,0xfc,0xe9,0x58,0x7b,0xc5,0x62,0xea,0xaf,
0xe0,0xdc,0x5f,0x6f,0x82,0xf2,0x85,0x94,0xe4,0xa6,0xf9,0x85, 0xe0,0xdc,0x5f,0x6f,0x82,0xf2,0x85,0x94,0xe4,0xa6,0xf9,0x85,
0x53,0x56,0x0c,0x62,0xb7,0x5f,0xa4,0xab,0xb1,0x98,0xce,0xcb, 0x53,0x56,0x0c,0x62,0xb7,0x5f,0xa4,0xab,0xb1,0x98,0xce,0xcb,
0xbb,0x86,0xeb,0xd4,0x1b,0x0e,0xa0,0x25,0x4c,0xde,0x78,0xac, 0xbb,0x86,0xeb,0xd4,0x1b,0x0e,0xa0,0x25,0x4c,0xde,0x78,0xac,
0x68,0xd3,0x9a,0x24,0x0a,0xe7, 0x68,0xd3,0x9a,0x24,0x0a,0xe7,
}; };
const uint8_t tc_ADb[] = { const unsigned char tc_ADb[] = {
0x41,0x44,0x62, 0x41,0x44,0x62,
}; };
const uint8_t tc_Yb[] = { const unsigned char tc_Yb[] = {
0x04,0x00,0xf5,0xcb,0x68,0xbf,0x01,0x17,0xbd,0x1a,0x65,0x41, 0x04,0x00,0xf5,0xcb,0x68,0xbf,0x01,0x17,0xbd,0x1a,0x65,0x41,
0x2a,0x2b,0xc8,0x00,0xaf,0x92,0x01,0x3f,0x99,0x69,0xcf,0x54, 0x2a,0x2b,0xc8,0x00,0xaf,0x92,0x01,0x3f,0x99,0x69,0xcf,0x54,
0x6e,0x1e,0xa6,0xd3,0xbc,0xf0,0x86,0x43,0xfd,0xc4,0x82,0x13, 0x6e,0x1e,0xa6,0xd3,0xbc,0xf0,0x86,0x43,0xfd,0xc4,0x82,0x13,
0x0a,0xec,0x1e,0xec,0xc3,0x3a,0x2b,0x5f,0x33,0x60,0x0b,0xe5, 0x0a,0xec,0x1e,0xec,0xc3,0x3a,0x2b,0x5f,0x33,0x60,0x0b,0xe5,
0x12,0x95,0x04,0x7f,0xa3,0x39,0x9f,0xa2,0x82,0xcc,0x1a,0x78, 0x12,0x95,0x04,0x7f,0xa3,0x39,0x9f,0xa2,0x82,0xcc,0x1a,0x78,
0xde,0x91,0xf3,0xa4,0xe3,0x0b,0x5d,0x01,0xa0,0x85,0xb4,0x53, 0xde,0x91,0xf3,0xa4,0xe3,0x0b,0x5d,0x01,0xa0,0x85,0xb4,0x53,
0xf2,0x2b,0xf3,0xdc,0x94,0x73,0x86,0xb0,0x42,0xe5,0xfc,0x4e, 0xf2,0x2b,0xf3,0xdc,0x94,0x73,0x86,0xb0,0x42,0xe5,0xfc,0x4e,
0xc6,0x91,0xfe,0xe4,0x7f,0xe3,0xc3,0xec,0x64,0x08,0xc2,0x2a, 0xc6,0x91,0xfe,0xe4,0x7f,0xe3,0xc3,0xec,0x64,0x08,0xc2,0x2a,
0x17,0xc2,0x6b,0xc0,0xab,0x73,0x94,0x09,0x10,0x61,0x4d,0x6f, 0x17,0xc2,0x6b,0xc0,0xab,0x73,0x94,0x09,0x10,0x61,0x4d,0x6f,
0xce,0xe3,0x2d,0xaf,0xbf,0xd2,0xd3,0x40,0xd6,0xe3,0x82,0xd7, 0xce,0xe3,0x2d,0xaf,0xbf,0xd2,0xd3,0x40,0xd6,0xe3,0x82,0xd7,
0x1b,0x1f,0xc7,0x63,0xd7,0xce,0xc5,0x02,0xfb,0xcb,0xcf,0x93, 0x1b,0x1f,0xc7,0x63,0xd7,0xce,0xc5,0x02,0xfb,0xcb,0xcf,0x93,
0xb4, 0xb4,
}; };
const uint8_t tc_K[] = { const unsigned char tc_K[] = {
0x00,0x50,0x3e,0x75,0xe3,0x8e,0x01,0x2a,0x6d,0xc6,0xf3,0x56, 0x00,0x50,0x3e,0x75,0xe3,0x8e,0x01,0x2a,0x6d,0xc6,0xf3,0x56,
0x19,0x80,0xe4,0xcf,0x54,0x0d,0xbc,0xff,0x3d,0xe3,0xa4,0xa6, 0x19,0x80,0xe4,0xcf,0x54,0x0d,0xbc,0xff,0x3d,0xe3,0xa4,0xa6,
0xf0,0x9d,0x79,0xc3,0x2c,0xc4,0x57,0x64,0xd3,0xa6,0x60,0x5e, 0xf0,0x9d,0x79,0xc3,0x2c,0xc4,0x57,0x64,0xd3,0xa6,0x60,0x5e,
0xb4,0x5d,0xf1,0xdc,0x63,0xfb,0x79,0x37,0xb7,0x87,0x9f,0x28, 0xb4,0x5d,0xf1,0xdc,0x63,0xfb,0x79,0x37,0xb7,0x87,0x9f,0x28,
0x20,0xda,0x1b,0x32,0x66,0xb6,0x9f,0xa0,0x99,0xbf,0x87,0x20, 0x20,0xda,0x1b,0x32,0x66,0xb6,0x9f,0xa0,0x99,0xbf,0x87,0x20,
0xdd,0x8f,0x6a,0x07,0xe8,0xed, 0xdd,0x8f,0x6a,0x07,0xe8,0xed,
}; };
const uint8_t tc_ISK_IR[] = { const unsigned char tc_ISK_IR[] = {
0xed,0x20,0x8a,0x15,0xaf,0x3e,0xf8,0xa6,0x7a,0x5c,0xac,0x4a, 0xed,0x20,0x8a,0x15,0xaf,0x3e,0xf8,0xa6,0x7a,0x5c,0xac,0x4a,
0xcb,0x36,0x0d,0x03,0x15,0x45,0x70,0xe3,0xb1,0xb1,0xc5,0x48, 0xcb,0x36,0x0d,0x03,0x15,0x45,0x70,0xe3,0xb1,0xb1,0xc5,0x48,
0x67,0xf5,0x3a,0x72,0x53,0xcb,0x91,0x9d,0x13,0xaa,0x47,0xef, 0x67,0xf5,0x3a,0x72,0x53,0xcb,0x91,0x9d,0x13,0xaa,0x47,0xef,
0xc6,0x47,0x37,0x5b,0xe2,0x25,0x0c,0xb3,0x9a,0xd9,0x65,0xaf, 0xc6,0x47,0x37,0x5b,0xe2,0x25,0x0c,0xb3,0x9a,0xd9,0x65,0xaf,
0xa4,0xdd,0xfc,0xb6,0xbe,0x47,0xd5,0x86,0xd2,0x8c,0x7e,0xef, 0xa4,0xdd,0xfc,0xb6,0xbe,0x47,0xd5,0x86,0xd2,0x8c,0x7e,0xef,
0x6d,0x65,0x45,0x25, 0x6d,0x65,0x45,0x25,
}; };
const uint8_t tc_ISK_SY[] = { const unsigned char tc_ISK_SY[] = {
0xaa,0xe7,0x32,0x0b,0x73,0xba,0x25,0x16,0xf2,0x89,0xf7,0x10, 0xe7,0xb1,0x0b,0x6d,0xa5,0x31,0xd9,0xa8,0xfd,0x47,0xfd,0xd0,
0x88,0x66,0x2d,0x41,0xc4,0x31,0x4d,0x00,0x52,0x1c,0x48,0xea, 0x84,0x41,0xe8,0xbb,0x80,0x3d,0x16,0xc5,0x9a,0x93,0xe3,0x66,
0x3c,0x9c,0x85,0xea,0xca,0x57,0x11,0x2e,0x55,0xeb,0x2b,0x40, 0xd5,0xcd,0x9a,0x10,0x27,0x7b,0xbc,0x54,0x3d,0x94,0x31,0x82,
0x94,0xd4,0xa0,0xc7,0x81,0x3d,0xdd,0x95,0xc5,0xd8,0x0c,0x55, 0x88,0x91,0x54,0x70,0x4d,0x80,0xf2,0xb0,0x75,0x6e,0xd6,0x2d,
0x96,0xad,0x68,0x6d,0x2e,0xba,0x87,0x6b,0xa1,0xcd,0x92,0xf9, 0xa8,0x7e,0x0e,0xb4,0xe6,0xd0,0x79,0x20,0x48,0x01,0x00,0xd5,
0x04,0x07,0xaa,0x3d, 0xe8,0x00,0xca,0x85,
}; };
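The script below is an added worked example (an editor's addition, not the draft authors' reference implementation) that reproduces the B.7.7 test case end to end from the tc_* inputs above: Ya and Yb from g and the two scalars, K through scalar_mult_vfy in both directions, and ISK_SY as SHA-512 over lv_cat(DSI, sid, K) || o_cat(MSGa, MSGb). Running it makes the -10/-11 change in this block concrete: every input is unchanged, the transcript grows from 397 to 399 bytes because o_cat in -11 prepends the two-byte domain-separation tag 'oc' (0x6f 0x63) before the lexicographically larger of MSGa and MSGb, and that alone is why the ISK_SY vector changed. Assumptions made here: scalars are 66-byte big-endian integers (the SEC1 convention, consistent with the leading 0x00 byte of tc_ya and tc_yb); the curve arithmetic is a textbook affine double-and-add written for checking vectors, not a constant-time implementation; the hash-to-curve step that derives g from PRS, CI and sid is not redone (tc_g is taken as given); and an invalid input point or a neutral-element result is reported as None, standing in for the abort the protocol requires at that point.

```python
import hashlib

P = (1 << 521) - 1                      # P-521 (FIPS 186-4): y^2 = x^3 - 3x + B over GF(P)
A = P - 3
B = int("0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e93"
        "7b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00", 16)
FE = 66                                 # byte length of one field element or scalar

# Inputs and expected outputs copied from the tc_* initializers above (draft -11 column).
TC_SID = bytes.fromhex("7e4b4791d6a8ef019b936c79fb7f2c57")
TC_G = bytes.fromhex("0400dc927958f0b69ccad8fb67ef008905354b58c7c9c92ad50060a9e6afb10437d6ca8a"
                     "26164e8573702b897275a25d05ed4407af2a384986dca7e243b92c5dd500d40057012121"
                     "a9c8e34373fa619f918f7d479c23f85f0485379ef0f05284398de26653b49a155324c9d7"
                     "b138be84d0b49bb58e232b7bf697798de6ee8afd6b92b6fa2f")
TC_YA_SCALAR = bytes.fromhex("006367e9c2aeff9f1db19af600cca73343d47cbe446cebbd1ccd783f82755a872da86fd0"
                             "707eb3767c6114f1803deb62d63bdd1e613f67e63e8c141ee5310e3ee819")
TC_YA = bytes.fromhex("04003701ec35caafa3dd416cad29ba1774551f9d2ed89f7e1065706dca230b86a11d02e4"
                      "cee8b3fde64380d4a05983167d8a2414bc594ad5286c068792ab7ca60ff6ea00919c41c0"
                      "0e789dabc2f42fd94178d7bfd8fbe1aff1c1854b3dafb3a0ea13f5a5fc1703860f022bd2"
                      "71740469bb322b07c179c7c225499b31727c0ea3ee65578634")
TC_YB_SCALAR = bytes.fromhex("009227bf8dc741dacc9422f8bf3c0e96fce9587bc562eaafe0dc5f6f82f28594e4a6f985"
                             "53560c62b75fa4abb198cecbbb86ebd41b0ea0254cde78ac68d39a240ae7")
TC_YB = bytes.fromhex("0400f5cb68bf0117bd1a65412a2bc800af92013f9969cf546e1ea6d3bcf08643fdc48213"
                      "0aec1eecc33a2b5f33600be51295047fa3399fa282cc1a78de91f3a4e30b5d01a085b453"
                      "f22bf3dc947386b042e5fc4ec691fee47fe3c3ec6408c22a17c26bc0ab73940910614d6f"
                      "cee32dafbfd2d340d6e382d71b1fc763d7cec502fbcbcf93b4")
TC_K = bytes.fromhex("00503e75e38e012a6dc6f3561980e4cf540dbcff3de3a4a6f09d79c32cc45764d3a6605e"
                     "b45df1dc63fb7937b7879f2820da1b3266b69fa099bf8720dd8f6a07e8ed")
TC_ISK_SY = bytes.fromhex("e7b10b6da531d9a8fd47fdd08441e8bb803d16c59a93e366d5cd9a10277bbc543d943182"
                          "889154704d80f2b0756ed62da87e0eb4e6d07920480100d5e800ca85")
DSI_ISK = b"CPaceP521_XMD:SHA-512_SSWU_NU__ISK"

def decode_point(enc):
    # SEC1 uncompressed encoding -> (x, y); None if malformed, out of range or not on the curve.
    if len(enc) != 1 + 2 * FE or enc[0] != 0x04:
        return None
    x, y = int.from_bytes(enc[1:1 + FE], "big"), int.from_bytes(enc[1 + FE:], "big")
    if x >= P or y >= P or (y * y - (x * x * x + A * x + B)) % P:
        return None
    return (x, y)

def ec_add(p1, p2):
    """Affine group law with None as the neutral element. Textbook code, not constant time."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                      # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P     # doubling
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    acc = None
    for bit in bin(k)[2:]:                                   # MSB-first double-and-add
        acc = ec_add(acc, acc)
        if bit == "1":
            acc = ec_add(acc, pt)
    return acc

def scalar_mult(y, X):
    """G.scalar_mult(y, X): SEC1 encoding of y*X for a big-endian 66-byte scalar y."""
    pt = decode_point(X)
    if pt is None:
        raise ValueError("X is not a valid P-521 point")
    rx, ry = ec_mul(int.from_bytes(y, "big"), pt)
    return b"\x04" + rx.to_bytes(FE, "big") + ry.to_bytes(FE, "big")

def scalar_mult_vfy(y, X):
    """G.scalar_mult_vfy(y, X): 66-byte x-coordinate of y*X; None (caller aborts) for invalid X or neutral result."""
    pt = decode_point(X)
    res = None if pt is None else ec_mul(int.from_bytes(y, "big"), pt)
    return None if res is None else res[0].to_bytes(FE, "big")

def prepend_len(data):
    """LEB128 length prefix used by lv_cat: 34 -> 22, 133 -> 85 01."""
    n, prefix = len(data), b""
    while True:
        prefix += bytes([(n & 0x7F) | (0x80 if n >= 128 else 0)])
        n >>= 7
        if n == 0:
            return prefix + data

def lv_cat(*parts):
    return b"".join(prepend_len(p) for p in parts)
def o_cat(a, b):
    """Draft -11 ordered concatenation: 'oc' prefix, lexicographically larger operand first."""
    return b"oc" + (b + a if b > a else a + b)
def isk_transcript(sid, K, Ya, ADa, Yb, ADb):
    return lv_cat(DSI_ISK, sid, K) + o_cat(lv_cat(Ya, ADa), lv_cat(Yb, ADb))
def derive_isk(sid, K, Ya, ADa, Yb, ADb):
    """ISK = H.hash(transcript) with H = SHA-512 (full 64-byte output) in the P-521 suite."""
    return hashlib.sha512(isk_transcript(sid, K, Ya, ADa, Yb, ADb)).digest()

def check_vectors():
    Ya, Yb = scalar_mult(TC_YA_SCALAR, TC_G), scalar_mult(TC_YB_SCALAR, TC_G)
    Ka, Kb = scalar_mult_vfy(TC_YA_SCALAR, Yb), scalar_mult_vfy(TC_YB_SCALAR, Ya)
    isk = derive_isk(TC_SID, Ka, Ya, b"ADa", Yb, b"ADb")
    return Ya == TC_YA and Yb == TC_YB and Ka == Kb == TC_K and isk == TC_ISK_SY
```

check_vectors() returns True when all four derived values (Ya, Yb, K and ISK_SY) match the -11 column. The decode_point check inside scalar_mult_vfy is the operationally important part: a received encoding that is not on the curve (the all-zero point, for instance), or a product that is the neutral element, must be rejected before its x-coordinate is ever used as K, because K feeds straight into the ISK hash and that rejection is what the "vfy" suffix stands for.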
B.7.8. Test case for scalar_mult_vfy with correct inputs B.7.8. Test case for scalar_mult_vfy with correct inputs
s: (length: 66 bytes) s: (length: 66 bytes)
0182dd7925f1753419e4bf83429763acd37d64000cd5a175edf53a15 0182dd7925f1753419e4bf83429763acd37d64000cd5a175edf53a15
87dd986bc95acc1506991702b6ba1a9ee2458fee8efc00198cf0088c 87dd986bc95acc1506991702b6ba1a9ee2458fee8efc00198cf0088c
480965ef65ff2048b856 480965ef65ff2048b856
X: (length: 133 bytes) X: (length: 133 bytes)
0400dc5078b24c4af1620cc10fbecc6cd8cf1cab0b011efb73c782f2 0400dc5078b24c4af1620cc10fbecc6cd8cf1cab0b011efb73c782f2
26dc21c7ca7eb406be74a69ecba5b4a87c07cfc6e687b4beca9a6eda 26dc21c7ca7eb406be74a69ecba5b4a87c07cfc6e687b4beca9a6eda
 End of changes. 259 change blocks. 
670 lines changed or deleted 717 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/