draft-irtf-cfrg-cpace-10.txt | draft-irtf-cfrg-cpace-11.txt | |||
---|---|---|---|---|
Network Working Group M. Abdalla | Network Working Group M. Abdalla | |||
Internet-Draft DFINITY - Zurich | Internet-Draft DFINITY - Zurich | |||
Intended status: Informational B. Haase | Intended status: Informational B. Haase | |||
Expires: 28 March 2024 Endress + Hauser Liquid Analysis - Gerlingen | Expires: 28 September 2024 Endress + Hauser Liquid Analysis - Gerlingen | |||
J. Hesse | J. Hesse | |||
IBM Research Europe - Zurich | IBM Research Europe - Zurich | |||
25 September 2023 | 27 March 2024 | |||
CPace, a balanced composable PAKE | CPace, a balanced composable PAKE | |||
draft-irtf-cfrg-cpace-10 | draft-irtf-cfrg-cpace-11 | |||
Abstract | Abstract | |||
This document describes CPace which is a protocol that allows two | This document describes CPace which is a protocol that allows two | |||
parties that share a low-entropy secret (password) to derive a strong | parties that share a low-entropy secret (password) to derive a strong | |||
shared key without disclosing the secret to offline dictionary | shared key without disclosing the secret to offline dictionary | |||
attacks. The CPace protocol was tailored for constrained devices and | attacks. The CPace protocol was tailored for constrained devices and | |||
can be used on groups of prime- and non-prime order. | can be used on groups of prime- and non-prime order. | |||
Discussion Venues | Discussion Venues | |||
skipping to change at page 1, line 48 ¶ | skipping to change at page 1, line 48 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on 28 March 2024. | This Internet-Draft will expire on 28 September 2024. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2023 IETF Trust and the persons identified as the | Copyright (c) 2024 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
and restrictions with respect to this document. Code Components | and restrictions with respect to this document. Code Components | |||
extracted from this document must include Revised BSD License text as | extracted from this document must include Revised BSD License text as | |||
described in Section 4.e of the Trust Legal Provisions and are | described in Section 4.e of the Trust Legal Provisions and are | |||
provided without warranty as described in the Revised BSD License. | provided without warranty as described in the Revised BSD License. | |||
skipping to change at page 2, line 35 ¶ | skipping to change at page 2, line 35 ¶ | |||
3.1. Optional CPace inputs . . . . . . . . . . . . . . . . . . 7 | 3.1. Optional CPace inputs . . . . . . . . . . . . . . . . . . 7 | |||
3.2. Responsibilities of the application layer . . . . . . . . 8 | 3.2. Responsibilities of the application layer . . . . . . . . 8 | |||
4. CPace cipher suites . . . . . . . . . . . . . . . . . . . . . 9 | 4. CPace cipher suites . . . . . . . . . . . . . . . . . . . . . 9 | |||
5. Definitions and notation . . . . . . . . . . . . . . . . . . 10 | 5. Definitions and notation . . . . . . . . . . . . . . . . . . 10 | |||
5.1. Hash function H . . . . . . . . . . . . . . . . . . . . . 10 | 5.1. Hash function H . . . . . . . . . . . . . . . . . . . . . 10 | |||
5.2. Group environment G . . . . . . . . . . . . . . . . . . . 11 | 5.2. Group environment G . . . . . . . . . . . . . . . . . . . 11 | |||
5.3. Notation for string operations . . . . . . . . . . . . . 11 | 5.3. Notation for string operations . . . . . . . . . . . . . 11 | |||
5.4. Notation for group operations . . . . . . . . . . . . . . 13 | 5.4. Notation for group operations . . . . . . . . . . . . . . 13 | |||
6. The CPace protocol . . . . . . . . . . . . . . . . . . . . . 13 | 6. The CPace protocol . . . . . . . . . . . . . . . . . . . . . 13 | |||
6.1. Protocol flow . . . . . . . . . . . . . . . . . . . . . . 13 | 6.1. Protocol flow . . . . . . . . . . . . . . . . . . . . . . 13 | |||
6.2. CPace protocol instructions . . . . . . . . . . . . . . . 13 | 6.2. CPace protocol instructions . . . . . . . . . . . . . . . 14 | |||
7. Implementation of recommended CPace cipher suites . . . . . . 14 | 7. Implementation of recommended CPace cipher suites . . . . . . 15 | |||
7.1. Common function for computing generators . . . . . . . . 14 | 7.1. Common function for computing generators . . . . . . . . 15 | |||
7.2. CPace group objects G_X25519 and G_X448 for | 7.2. CPace group objects G_X25519 and G_X448 for | |||
single-coordinate Ladders on Montgomery curves . . . . . 15 | single-coordinate Ladders on Montgomery curves . . . . . 15 | |||
7.2.1. Verification tests . . . . . . . . . . . . . . . . . 16 | 7.2.1. Verification tests . . . . . . . . . . . . . . . . . 17 | |||
7.3. CPace group objects G_Ristretto255 and G_Decaf448 for | 7.3. CPace group objects G_Ristretto255 and G_Decaf448 for | |||
prime-order group abstractions . . . . . . . . . . . . . 17 | prime-order group abstractions . . . . . . . . . . . . . 17 | |||
7.3.1. Verification tests . . . . . . . . . . . . . . . . . 19 | 7.3.1. Verification tests . . . . . . . . . . . . . . . . . 19 | |||
7.4. CPace group objects for curves in Short-Weierstrass | 7.4. CPace group objects for curves in Short-Weierstrass | |||
representation . . . . . . . . . . . . . . . . . . . . . 19 | representation . . . . . . . . . . . . . . . . . . . . . 19 | |||
7.4.1. Curves and associated functions . . . . . . . . . . . 19 | 7.4.1. Curves and associated functions . . . . . . . . . . . 19 | |||
7.4.2. Suitable encode_to_curve methods . . . . . . . . . . 20 | 7.4.2. Suitable encode_to_curve methods . . . . . . . . . . 20 | |||
7.4.3. Definition of the group environment G for | 7.4.3. Definition of the group environment G for | |||
Short-Weierstrass curves . . . . . . . . . . . . . . 20 | Short-Weierstrass curves . . . . . . . . . . . . . . 20 | |||
7.4.4. Verification tests . . . . . . . . . . . . . . . . . 22 | 7.4.4. Verification tests . . . . . . . . . . . . . . . . . 22 | |||
8. Implementation verification . . . . . . . . . . . . . . . . . 22 | 8. Implementation verification . . . . . . . . . . . . . . . . . 22 | |||
9. Security Considerations . . . . . . . . . . . . . . . . . . . 22 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 23 | |||
9.1. Party identifiers and relay attacks . . . . . . . . . . . 22 | 9.1. Party identifiers and relay attacks . . . . . . . . . . . 23 | |||
9.2. Network message encoding and hashing protocol | 9.2. Network message encoding and hashing protocol | |||
transcripts . . . . . . . . . . . . . . . . . . . . . . . 23 | transcripts . . . . . . . . . . . . . . . . . . . . . . . 23 | |||
9.3. Key derivation . . . . . . . . . . . . . . . . . . . . . 23 | 9.3. Key derivation . . . . . . . . . . . . . . . . . . . . . 24 | |||
9.4. Key confirmation . . . . . . . . . . . . . . . . . . . . 23 | 9.4. Key confirmation . . . . . . . . . . . . . . . . . . . . 24 | |||
9.5. Sampling of scalars . . . . . . . . . . . . . . . . . . . 24 | 9.5. Sampling of scalars . . . . . . . . . . . . . . . . . . . 25 | |||
9.6. Single-coordinate CPace on Montgomery curves . . . . . . 25 | 9.6. Preconditions for using the simplified CPace specification | |||
9.7. Nonce values . . . . . . . . . . . . . . . . . . . . . . 25 | from Section 7.2 . . . . . . . . . . . . . . . . . . . . 25 | |||
9.8. Side channel attacks . . . . . . . . . . . . . . . . . . 25 | 9.7. Nonce values . . . . . . . . . . . . . . . . . . . . . . 26 | |||
9.9. Quantum computers . . . . . . . . . . . . . . . . . . . . 26 | 9.8. Side channel attacks . . . . . . . . . . . . . . . . . . 26 | |||
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 | 9.9. Quantum computers . . . . . . . . . . . . . . . . . . . . 27 | |||
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 26 | 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27 | |||
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 26 | 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 27 | |||
12.1. Normative References . . . . . . . . . . . . . . . . . . 26 | 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 27 | |||
12.2. Informative References . . . . . . . . . . . . . . . . . 27 | 12.1. Normative References . . . . . . . . . . . . . . . . . . 27 | |||
Appendix A. CPace function definitions . . . . . . . . . . . . . 29 | 12.2. Informative References . . . . . . . . . . . . . . . . . 28 | |||
Appendix A. CPace function definitions . . . . . . . . . . . . . 30 | ||||
A.1. Definition and test vectors for string utility | A.1. Definition and test vectors for string utility | |||
functions . . . . . . . . . . . . . . . . . . . . . . . . 29 | functions . . . . . . . . . . . . . . . . . . . . . . . . 30 | |||
A.1.1. prepend_len function . . . . . . . . . . . . . . . . 29 | A.1.1. prepend_len function . . . . . . . . . . . . . . . . 30 | |||
A.1.2. prepend_len test vectors . . . . . . . . . . . . . . 29 | A.1.2. prepend_len test vectors . . . . . . . . . . . . . . 30 | |||
A.1.3. lv_cat function . . . . . . . . . . . . . . . . . . . 29 | A.1.3. lv_cat function . . . . . . . . . . . . . . . . . . . 31 | |||
A.1.4. Testvector for lv_cat() . . . . . . . . . . . . . . . 30 | A.1.4. Testvector for lv_cat() . . . . . . . . . . . . . . . 31 | |||
A.1.5. Examples for messages not obtained from a lv_cat-based | A.1.5. Examples for messages not obtained from a lv_cat-based | |||
encoding . . . . . . . . . . . . . . . . . . . . . . 30 | encoding . . . . . . . . . . . . . . . . . . . . . . 31 | |||
A.2. Definition of generator_string function. . . . . . . . . 30 | A.2. Definition of generator_string function. . . . . . . . . 31 | |||
A.3. Definitions and test vector ordered concatenation . . . . 30 | A.3. Definitions and test vector ordered concatenation . . . . 31 | |||
A.3.1. Definitions for lexicographical ordering . . . . . . . 30 | A.3.1. Definitions for lexicographical ordering . . . . . . . 31 | |||
A.3.2. Definitions for ordered concatenation . . . . . . . . 31 | A.3.2. Definitions for ordered concatenation . . . . . . . . 32 | |||
A.3.3. Test vectors ordered concatenation . . . . . . . . . 31 | A.3.3. Test vectors ordered concatenation . . . . . . . . . 32 | |||
A.4. Decoding and Encoding functions according to RFC7748 . . 31 | A.4. Decoding and Encoding functions according to RFC7748 . . 32 | |||
A.5. Elligator 2 reference implementation . . . . . . . . . . 32 | A.5. Elligator 2 reference implementation . . . . . . . . . . 33 | |||
Appendix B. Test vectors . . . . . . . . . . . . . . . . . . . . 33 | Appendix B. Test vectors . . . . . . . . . . . . . . . . . . . . 34 | |||
B.1. Test vector for CPace using group X25519 and hash | B.1. Test vector for CPace using group X25519 and hash | |||
SHA-512 . . . . . . . . . . . . . . . . . . . . . . . . . 33 | SHA-512 . . . . . . . . . . . . . . . . . . . . . . . . . 34 | |||
B.1.1. Test vectors for calculate_generator with group | B.1.1. Test vectors for calculate_generator with group | |||
X25519 . . . . . . . . . . . . . . . . . . . . . . . 33 | X25519 . . . . . . . . . . . . . . . . . . . . . . . 34 | |||
B.1.2. Test vector for MSGa . . . . . . . . . . . . . . . . 33 | B.1.2. Test vector for MSGa . . . . . . . . . . . . . . . . 34 | |||
B.1.3. Test vector for MSGb . . . . . . . . . . . . . . . . 34 | B.1.3. Test vector for MSGb . . . . . . . . . . . . . . . . 35 | |||
B.1.4. Test vector for secret points K . . . . . . . . . . . 34 | B.1.4. Test vector for secret points K . . . . . . . . . . . 35 | |||
B.1.5. Test vector for ISK calculation initiator/ | B.1.5. Test vector for ISK calculation initiator/ | |||
responder . . . . . . . . . . . . . . . . . . . . . . 34 | responder . . . . . . . . . . . . . . . . . . . . . . 35 | |||
B.1.6. Test vector for ISK calculation parallel execution . 35 | B.1.6. Test vector for ISK calculation parallel execution . 36 | |||
B.1.7. Corresponding ANSI-C initializers . . . . . . . . . . 35 | B.1.7. Corresponding C programming language initializers . . 36 | |||
B.1.8. Test vectors for G_X25519.scalar_mult_vfy: low order | B.1.8. Test vectors for G_X25519.scalar_mult_vfy: low order | |||
points . . . . . . . . . . . . . . . . . . . . . . . 37 | points . . . . . . . . . . . . . . . . . . . . . . . 38 | |||
B.2. Test vector for CPace using group X448 and hash | B.2. Test vector for CPace using group X448 and hash | |||
SHAKE-256 . . . . . . . . . . . . . . . . . . . . . . . . 38 | SHAKE-256 . . . . . . . . . . . . . . . . . . . . . . . . 39 | |||
B.2.1. Test vectors for calculate_generator with group | B.2.1. Test vectors for calculate_generator with group | |||
X448 . . . . . . . . . . . . . . . . . . . . . . . . 38 | X448 . . . . . . . . . . . . . . . . . . . . . . . . 39 | |||
B.2.2. Test vector for MSGa . . . . . . . . . . . . . . . . 38 | B.2.2. Test vector for MSGa . . . . . . . . . . . . . . . . 39 | |||
B.2.3. Test vector for MSGb . . . . . . . . . . . . . . . . 38 | B.2.3. Test vector for MSGb . . . . . . . . . . . . . . . . 39 | |||
B.2.4. Test vector for secret points K . . . . . . . . . . . 39 | B.2.4. Test vector for secret points K . . . . . . . . . . . 40 | |||
B.2.5. Test vector for ISK calculation initiator/ | B.2.5. Test vector for ISK calculation initiator/ | |||
responder . . . . . . . . . . . . . . . . . . . . . . 39 | responder . . . . . . . . . . . . . . . . . . . . . . 40 | |||
B.2.6. Test vector for ISK calculation parallel execution . 40 | B.2.6. Test vector for ISK calculation parallel execution . 41 | |||
B.2.7. Corresponding ANSI-C initializers . . . . . . . . . . 40 | B.2.7. Corresponding C programming language initializers . . 41 | |||
B.2.8. Test vectors for G_X448.scalar_mult_vfy: low order | B.2.8. Test vectors for G_X448.scalar_mult_vfy: low order | |||
points . . . . . . . . . . . . . . . . . . . . . . . 42 | points . . . . . . . . . . . . . . . . . . . . . . . 43 | |||
B.3. Test vector for CPace using group ristretto255 and hash | B.3. Test vector for CPace using group ristretto255 and hash | |||
SHA-512 . . . . . . . . . . . . . . . . . . . . . . . . . 43 | SHA-512 . . . . . . . . . . . . . . . . . . . . . . . . . 44 | |||
B.3.1. Test vectors for calculate_generator with group | B.3.1. Test vectors for calculate_generator with group | |||
ristretto255 . . . . . . . . . . . . . . . . . . . . 43 | ristretto255 . . . . . . . . . . . . . . . . . . . . 44 | |||
B.3.2. Test vector for MSGa . . . . . . . . . . . . . . . . 44 | B.3.2. Test vector for MSGa . . . . . . . . . . . . . . . . 45 | |||
B.3.3. Test vector for MSGb . . . . . . . . . . . . . . . . 44 | B.3.3. Test vector for MSGb . . . . . . . . . . . . . . . . 45 | |||
B.3.4. Test vector for secret points K . . . . . . . . . . . 45 | B.3.4. Test vector for secret points K . . . . . . . . . . . 46 | |||
B.3.5. Test vector for ISK calculation initiator/ | B.3.5. Test vector for ISK calculation initiator/ | |||
responder . . . . . . . . . . . . . . . . . . . . . . 45 | responder . . . . . . . . . . . . . . . . . . . . . . 46 | |||
B.3.6. Test vector for ISK calculation parallel execution . 45 | B.3.6. Test vector for ISK calculation parallel execution . 46 | |||
B.3.7. Corresponding ANSI-C initializers . . . . . . . . . . 46 | B.3.7. Corresponding C programming language initializers . . 47 | |||
B.3.8. Test case for scalar_mult with valid inputs . . . . . 47 | B.3.8. Test case for scalar_mult with valid inputs . . . . . 48 | |||
B.3.9. Invalid inputs for scalar_mult_vfy . . . . . . . . . 48 | B.3.9. Invalid inputs for scalar_mult_vfy . . . . . . . . . 49 | |||
B.4. Test vector for CPace using group decaf448 and hash | B.4. Test vector for CPace using group decaf448 and hash | |||
SHAKE-256 . . . . . . . . . . . . . . . . . . . . . . . . 48 | SHAKE-256 . . . . . . . . . . . . . . . . . . . . . . . . 49 | |||
B.4.1. Test vectors for calculate_generator with group | B.4.1. Test vectors for calculate_generator with group | |||
decaf448 . . . . . . . . . . . . . . . . . . . . . . 48 | decaf448 . . . . . . . . . . . . . . . . . . . . . . 49 | |||
B.4.2. Test vector for MSGa . . . . . . . . . . . . . . . . 49 | B.4.2. Test vector for MSGa . . . . . . . . . . . . . . . . 50 | |||
B.4.3. Test vector for MSGb . . . . . . . . . . . . . . . . 49 | B.4.3. Test vector for MSGb . . . . . . . . . . . . . . . . 50 | |||
B.4.4. Test vector for secret points K . . . . . . . . . . . 50 | B.4.4. Test vector for secret points K . . . . . . . . . . . 51 | |||
B.4.5. Test vector for ISK calculation initiator/ | B.4.5. Test vector for ISK calculation initiator/ | |||
responder . . . . . . . . . . . . . . . . . . . . . . 50 | responder . . . . . . . . . . . . . . . . . . . . . . 51 | |||
B.4.6. Test vector for ISK calculation parallel execution . 51 | B.4.6. Test vector for ISK calculation parallel execution . 52 | |||
B.4.7. Corresponding ANSI-C initializers . . . . . . . . . . 51 | B.4.7. Corresponding C programming language initializers . . 52 | |||
B.4.8. Test case for scalar_mult with valid inputs . . . . . 53 | B.4.8. Test case for scalar_mult with valid inputs . . . . . 54 | |||
B.4.9. Invalid inputs for scalar_mult_vfy . . . . . . . . . 53 | B.4.9. Invalid inputs for scalar_mult_vfy . . . . . . . . . 54 | |||
B.5. Test vector for CPace using group NIST P-256 and hash | B.5. Test vector for CPace using group NIST P-256 and hash | |||
SHA-256 . . . . . . . . . . . . . . . . . . . . . . . . . 53 | SHA-256 . . . . . . . . . . . . . . . . . . . . . . . . . 54 | |||
B.5.1. Test vectors for calculate_generator with group NIST | B.5.1. Test vectors for calculate_generator with group NIST | |||
P-256 . . . . . . . . . . . . . . . . . . . . . . . . 53 | P-256 . . . . . . . . . . . . . . . . . . . . . . . . 54 | |||
B.5.2. Test vector for MSGa . . . . . . . . . . . . . . . . 54 | B.5.2. Test vector for MSGa . . . . . . . . . . . . . . . . 55 | |||
B.5.3. Test vector for MSGb . . . . . . . . . . . . . . . . 54 | B.5.3. Test vector for MSGb . . . . . . . . . . . . . . . . 55 | |||
B.5.4. Test vector for secret points K . . . . . . . . . . . 55 | B.5.4. Test vector for secret points K . . . . . . . . . . . 56 | |||
B.5.5. Test vector for ISK calculation initiator/ | B.5.5. Test vector for ISK calculation initiator/ | |||
responder . . . . . . . . . . . . . . . . . . . . . . 55 | responder . . . . . . . . . . . . . . . . . . . . . . 56 | |||
B.5.6. Test vector for ISK calculation parallel execution . 56 | B.5.6. Test vector for ISK calculation parallel execution . 57 | |||
B.5.7. Corresponding ANSI-C initializers . . . . . . . . . . 57 | B.5.7. Corresponding C programming language initializers . . 58 | |||
B.5.8. Test case for scalar_mult_vfy with correct inputs . . 58 | B.5.8. Test case for scalar_mult_vfy with correct inputs . . 59 | |||
B.5.9. Invalid inputs for scalar_mult_vfy . . . . . . . . . 59 | B.5.9. Invalid inputs for scalar_mult_vfy . . . . . . . . . 60 | |||
B.6. Test vector for CPace using group NIST P-384 and hash | B.6. Test vector for CPace using group NIST P-384 and hash | |||
SHA-384 . . . . . . . . . . . . . . . . . . . . . . . . . 59 | SHA-384 . . . . . . . . . . . . . . . . . . . . . . . . . 60 | |||
B.6.1. Test vectors for calculate_generator with group NIST | B.6.1. Test vectors for calculate_generator with group NIST | |||
P-384 . . . . . . . . . . . . . . . . . . . . . . . . 59 | P-384 . . . . . . . . . . . . . . . . . . . . . . . . 60 | |||
B.6.2. Test vector for MSGa . . . . . . . . . . . . . . . . 60 | B.6.2. Test vector for MSGa . . . . . . . . . . . . . . . . 61 | |||
B.6.3. Test vector for MSGb . . . . . . . . . . . . . . . . 61 | B.6.3. Test vector for MSGb . . . . . . . . . . . . . . . . 62 | |||
B.6.4. Test vector for secret points K . . . . . . . . . . . 61 | B.6.4. Test vector for secret points K . . . . . . . . . . . 62 | |||
B.6.5. Test vector for ISK calculation initiator/ | B.6.5. Test vector for ISK calculation initiator/ | |||
responder . . . . . . . . . . . . . . . . . . . . . . 61 | responder . . . . . . . . . . . . . . . . . . . . . . 62 | |||
B.6.6. Test vector for ISK calculation parallel execution . 62 | B.6.6. Test vector for ISK calculation parallel execution . 63 | |||
B.6.7. Corresponding ANSI-C initializers . . . . . . . . . . 63 | B.6.7. Corresponding C programming language initializers . . 64 | |||
B.6.8. Test case for scalar_mult_vfy with correct inputs . . 65 | B.6.8. Test case for scalar_mult_vfy with correct inputs . . 66 | |||
B.6.9. Invalid inputs for scalar_mult_vfy . . . . . . . . . 65 | B.6.9. Invalid inputs for scalar_mult_vfy . . . . . . . . . 66 | |||
B.7. Test vector for CPace using group NIST P-521 and hash | B.7. Test vector for CPace using group NIST P-521 and hash | |||
SHA-512 . . . . . . . . . . . . . . . . . . . . . . . . . 66 | SHA-512 . . . . . . . . . . . . . . . . . . . . . . . . . 67 | |||
B.7.1. Test vectors for calculate_generator with group NIST | B.7.1. Test vectors for calculate_generator with group NIST | |||
P-521 . . . . . . . . . . . . . . . . . . . . . . . . 66 | P-521 . . . . . . . . . . . . . . . . . . . . . . . . 67 | |||
B.7.2. Test vector for MSGa . . . . . . . . . . . . . . . . 66 | B.7.2. Test vector for MSGa . . . . . . . . . . . . . . . . 67 | |||
B.7.3. Test vector for MSGb . . . . . . . . . . . . . . . . 67 | B.7.3. Test vector for MSGb . . . . . . . . . . . . . . . . 68 | |||
B.7.4. Test vector for secret points K . . . . . . . . . . . 68 | B.7.4. Test vector for secret points K . . . . . . . . . . . 69 | |||
B.7.5. Test vector for ISK calculation initiator/ | B.7.5. Test vector for ISK calculation initiator/ | |||
responder . . . . . . . . . . . . . . . . . . . . . . 68 | responder . . . . . . . . . . . . . . . . . . . . . . 69 | |||
B.7.6. Test vector for ISK calculation parallel execution . 69 | B.7.6. Test vector for ISK calculation parallel execution . 70 | |||
B.7.7. Corresponding ANSI-C initializers . . . . . . . . . . 70 | B.7.7. Corresponding C programming language initializers . . 71 | |||
B.7.8. Test case for scalar_mult_vfy with correct inputs . . 72 | B.7.8. Test case for scalar_mult_vfy with correct inputs . . 73 | |||
B.7.9. Invalid inputs for scalar_mult_vfy . . . . . . . . . 73 | B.7.9. Invalid inputs for scalar_mult_vfy . . . . . . . . . 74 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 73 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 74 | |||
1. Introduction | 1. Introduction | |||
This document describes CPace which is a balanced Password- | This document describes CPace which is a balanced Password- | |||
Authenticated-Key-Establishment (PAKE) protocol for two parties where | Authenticated-Key-Establishment (PAKE) protocol for two parties where | |||
both parties derive a cryptographic key of high entropy from a shared | both parties derive a cryptographic key of high entropy from a shared | |||
secret of low-entropy. CPace protects the passwords against offline | secret of low-entropy. CPace protects the passwords against offline | |||
dictionary attacks by requiring adversaries to actively interact with | dictionary attacks by requiring adversaries to actively interact with | |||
a protocol party and by allowing for at most one single password | a protocol party and by allowing for at most one single password | |||
guess per active interaction. | guess per active interaction. | |||
skipping to change at page 6, line 25 ¶ | skipping to change at page 6, line 25 ¶ | |||
* Post-quantum annoyance: CPace comes with mitigations with respect | * Post-quantum annoyance: CPace comes with mitigations with respect | |||
to adversaries that become capable of breaking the discrete | to adversaries that become capable of breaking the discrete | |||
logarithm problem on elliptic curves. | logarithm problem on elliptic curves. | |||
1.1. Outline of this document | 1.1. Outline of this document | |||
* Section 3 describes the expected properties of an application | * Section 3 describes the expected properties of an application | |||
using CPace, and discusses in particular which application-level | using CPace, and discusses in particular which application-level | |||
aspects are relevant for CPace's security. | aspects are relevant for CPace's security. | |||
* Section 4 gives an overview over the recommended cipher suites for | * Section 4 gives an overview of the recommended cipher suites for | |||
CPace which were optimized for different types of cryptographic | CPace which were optimized for different types of cryptographic | |||
library ecosystems. | library ecosystems. | |||
* Section 5 introduces the notation used throughout this document. | * Section 5 introduces the notation used throughout this document. | |||
* Section 6 specifies the CPace protocol. | * Section 6 specifies the CPace protocol. | |||
* The final section provides explicit reference implementations and | * The final section provides explicit reference implementations and | |||
test vectors of all of the functions defined for CPace in the | test vectors of all of the functions defined for CPace in the | |||
appendix. | appendix. | |||
skipping to change at page 10, line 38 ¶ | skipping to change at page 10, line 38 ¶ | |||
that the hash function is specified for a fixed-size output, we | that the hash function is specified for a fixed-size output, we | |||
define H.hash(m,l) such that it returns the first l octets of the | define H.hash(m,l) such that it returns the first l octets of the | |||
output. | output. | |||
We use the following notation for referring to the specific | We use the following notation for referring to the specific | |||
properties of a hash function H: | properties of a hash function H: | |||
* H.hash(m,l) is a function that operates on an input octet string m | * H.hash(m,l) is a function that operates on an input octet string m | |||
and returns a hashing result of l octets. | and returns a hashing result of l octets. | |||
* H.b_in_bytes denotes the default output size in bytes | * H.b_in_bytes denotes the minimum output size in bytes that | |||
corresponding to the symmetric security level of the hash | gives collision resistance at the security level targeted by the hash | |||
function. E.g. H.b_in_bytes = 64 for SHA-512 and SHAKE-256 and | function. E.g. H.b_in_bytes = 64 for SHA-512 and SHAKE-256 and | |||
H.b_in_bytes = 32 for SHA-256 and SHAKE-128. We use the notation | H.b_in_bytes = 32 for SHA-256 and SHAKE-128. We use the notation | |||
H.hash(m) = H.hash(m, H.b_in_bytes) and let the hash operation | H.hash(m) = H.hash(m, H.b_in_bytes) and let the hash operation | |||
output the default length if no explicit length parameter is | output the default length if no explicit length parameter is | |||
given. | given. | |||
* H.bmax_in_bytes denotes the _maximum_ output size in octets | * H.bmax_in_bytes denotes the _maximum_ output size in octets | |||
supported by the hash function. In case of fixed-size hashes such | supported by the hash function. In case of fixed-size hashes such | |||
as SHA-256, this is the same as H.b_in_bytes, while there is no | as SHA-256, this is the same as H.b_in_bytes, while there is no | |||
such limit for hash functions such as SHAKE-256. | such limit for hash functions such as SHAKE-256. | |||
* H.s_in_bytes denotes the _input block size_ used by H. For | * H.s_in_bytes denotes the _input block size_ used by H. This | |||
instance, for SHA-512 the input block size s_in_bytes is 128, | number denotes the maximum number of bytes that can be processed | |||
while for SHAKE-256 the input block size amounts to 136 bytes. | in a single block before applying the compression function or | |||
permutation becomes necessary. (See also [RFC2104] for the | ||||
corresponding block size concepts). For instance, for SHA-512 the | ||||
input block size s_in_bytes is 128 as the compression function can | ||||
process up to 128 bytes, while for SHAKE-256 the input block size | ||||
amounts to 136 bytes before the permutation of the sponge state | ||||
needs to be applied. | ||||
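The hash-function interface above, written out as an added example (this is not code from the draft): H.hash(m,l), H.b_in_bytes, H.bmax_in_bytes and H.s_in_bytes for the four hash functions the draft names. The b_in_bytes values are the ones stated in the text; the block sizes are read from hashlib's block_size attribute and the fixed-size/XOF distinction from its digest_size (hashlib reports 0 for SHAKE). The class name H and the helper output_length_supported are this example's own.

```python
import hashlib

# Added example, not text from draft-irtf-cfrg-cpace: the hash-function
# environment H of Section 5.1.  b_in_bytes is fixed per suite as the draft
# states it; s_in_bytes and bmax_in_bytes are derived from hashlib.

class H:
    """H.hash(m, l) with the truncation rule of Section 5.1."""

    def __init__(self, name, b_in_bytes):
        self.name = name
        self.b_in_bytes = b_in_bytes
        probe = hashlib.new(name)
        self.s_in_bytes = probe.block_size          # 128 for SHA-512, 136 for SHAKE-256
        self.is_xof = probe.digest_size == 0        # hashlib reports 0 for SHAKE
        # Fixed-size hashes cannot give more than their digest; XOFs have no limit.
        self.bmax_in_bytes = None if self.is_xof else probe.digest_size

    def hash(self, m, l=None):
        """Return the first l octets of H(m); l defaults to b_in_bytes."""
        if l is None:
            l = self.b_in_bytes
        if not output_length_supported(self, l):
            raise ValueError(f"{self.name}: {l} octets requested, "
                             f"at most {self.bmax_in_bytes} available")
        h = hashlib.new(self.name, m)
        if self.is_xof:
            return h.digest(l)        # SHAKE: output of exactly l octets
        return h.digest()[:l]         # SHA-2: truncate the fixed-size digest


def output_length_supported(h, l):
    """True if H can produce l octets (always true for an XOF)."""
    return h.bmax_in_bytes is None or l <= h.bmax_in_bytes


# The four hash functions named in Section 5.1 with the stated b_in_bytes.
H_SHA512 = H("sha512", 64)
H_SHAKE256 = H("shake_256", 64)
H_SHA256 = H("sha256", 32)
H_SHAKE128 = H("shake_128", 32)
```

Two properties worth checking in an implementation: a shorter request must be a prefix of a longer one (true for SHA-2 truncation and for SHAKE by construction), and for a fixed-size hash a request above bmax_in_bytes must be rejected rather than silently padded.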
5.2. Group environment G | 5.2. Group environment G | |||
The group environment G specifies an elliptic curve group (also | The group environment G specifies an elliptic curve group (also | |||
denoted G for convenience) and associated constants and functions as | denoted G for convenience) and associated constants and functions as | |||
detailed below. In this document we use multiplicative notation for | detailed below. In this document we use additive notation for the | |||
the group operation. | group operation. | |||
* G.calculate_generator(H,PRS,CI,sid) denotes a function that | * G.calculate_generator(H,PRS,CI,sid) denotes a function that | |||
outputs a representation of a generator (referred to as | outputs a representation of a generator (referred to as | |||
"generator" from now on) of the group which is derived from input | "generator" from now on) of the group which is derived from input | |||
octet strings PRS, CI, and sid and with the help of the hash | octet strings PRS, CI, and sid and with the help of the hash | |||
function H. | function H. | |||
* G.sample_scalar() is a function returning a representation of a | * G.sample_scalar() is a function returning a representation of an | |||
scalar (referred to as "scalar" from now on) appropriate as a | integer (referred to as "scalar" from now on) appropriate as a | |||
private Diffie-Hellman key for the group. | private Diffie-Hellman key for the group. | |||
* G.scalar_mult(y,g) is a function operating on a scalar y and a | * G.scalar_mult(y,g) is a function operating on a scalar y and a | |||
group element g. It returns an octet string representation of the | group element g. It returns an octet string representation of the | |||
group element Y = g^y. | group element Y = g*y. | |||
* G.I denotes a unique octet string representation of the neutral | * G.I denotes a unique octet string representation of the neutral | |||
element of the group. G.I is used for detecting and signaling | element of the group. G.I is used for detecting and signaling | |||
certain error conditions. | certain error conditions. | |||
* G.scalar_mult_vfy(y,g) is a function operating on a scalar y and a | * G.scalar_mult_vfy(y,g) is a function operating on a scalar y and a | |||
group element g. It returns an octet string representation of the | group element g. It returns an octet string representation of the | |||
group element g^y. Additionally, scalar_mult_vfy specifies | group element g*y. Additionally, scalar_mult_vfy specifies | |||
validity conditions for y,g and g^y and outputs G.I in case they | validity conditions for y,g and g*y and outputs G.I in case they | |||
are not met. | are not met. | |||
* G.DSI denotes a domain-separation identifier string which SHALL be | * G.DSI denotes a domain-separation identifier octet string which | |||
uniquely identifying the group environment G. | SHALL be uniquely identifying the group environment G. | |||
5.3. Notation for string operations | 5.3. Notation for string operations | |||
* bytes1 || bytes2 and denotes concatenation of octet strings. | * bytes1 || bytes2 and denotes concatenation of octet strings. | |||
* len(S) denotes the number of octets in a string S. | * len(S) denotes the number of octets in an octet string S. | |||
* nil denotes an empty octet string, i.e., len(nil) = 0. | * nil denotes an empty octet string, i.e., len(nil) = 0. | |||
* This document uses quotation marks "" both for general language | ||||
(e.g. for citation of notation used in other documents) and as | ||||
syntax for specifying octet strings as in b"CPace25519". | ||||
We use a preceeding lower-case letter b"" in front of the | ||||
quotation marks if a character sequence is representing an octet | ||||
string sequence. I.e. we use the notation for byte string | ||||
representations with single-byte ASCII character encodings from | ||||
the python programming language. | ||||
* prepend_len(octet_string) denotes the octet sequence that is | * prepend_len(octet_string) denotes the octet sequence that is | |||
obtained from prepending the length of the octet string to the | obtained from prepending the length of the octet string to the | |||
string itself. The length shall be prepended by using an LEB128 | string itself. The length shall be prepended by using an LEB128 | |||
encoding of the length. This will result in a single-byte | encoding of the length. This will result in a single-byte | |||
encoding for values below 128. (Test vectors and reference | encoding for values below 128. (Test vectors and reference | |||
implementations for prepend_len and the LEB128 encodings are given | implementations for prepend_len and the LEB128 encodings are given | |||
in the appendix.) | in the appendix.) | |||
* lv_cat(a0,a1, ...) is the "length-value" encoding function which | * lv_cat(a0,a1, ...) is the "length-value" encoding function which | |||
returns the concatenation of the input strings with an encoding of | returns the concatenation of the input strings with an encoding of | |||
skipping to change at page 12, line 32 ¶ | skipping to change at page 12, line 46 ¶ | |||
implementation of MSG = network_encode(Y,AD) SHALL allow the | implementation of MSG = network_encode(Y,AD) SHALL allow the | |||
receiver party to parse MSG for the individual subcomponents Y and | receiver party to parse MSG for the individual subcomponents Y and | |||
AD. For CPace we RECOMMEND to implement network_encode(Y,AD) as | AD. For CPace we RECOMMEND to implement network_encode(Y,AD) as | |||
network_encode(Y,AD) = lv_cat(Y,AD). | network_encode(Y,AD) = lv_cat(Y,AD). | |||
Other encodings, such as the network encoding used for the client- | Other encodings, such as the network encoding used for the client- | |||
hello and server-hello messages in TLS MAY also be used when | hello and server-hello messages in TLS MAY also be used when | |||
following the guidance given in the security consideration | following the guidance given in the security consideration | |||
section. | section. | |||
* sample_random_bytes(n) denotes a function that returns n octets | * sample_random_bytes(n) denotes a function that returns n octets, | |||
uniformly distributed between 0 and 255. | each of which is to be independently sampled from an uniform | |||
distribution between 0 and 255. | ||||
* zero_bytes(n) denotes a function that returns n octets with value | * zero_bytes(n) denotes a function that returns n octets with value | |||
0. | 0. | |||
* oCat(bytes1,bytes2) denotes ordered concatenation of octet | * o_cat(bytes1,bytes2) denotes a function for ordered concatenation | |||
strings, which places the lexiographically larger octet string | of octet strings. It places the lexiographically larger octet | |||
first. (Explicit reference code for this function is given in the | string first and prepends the two bytes from the octet string | |||
appendix.) | b"oc" to the result. (Explicit reference code for this function | |||
is given in the appendix.) | ||||
* transcript(MSGa,MSGb) denotes function outputing a string for the | * transcript(MSGa,MSGb) denotes function outputing a string for the | |||
protocol transcript with messages MSGa and MSGb. In applications | protocol transcript with messages MSGa and MSGb. In applications | |||
where CPace is used without clear initiator and responder roles, | where CPace is used without clear initiator and responder roles, | |||
i.e. where the ordering of messages is not enforced by the | i.e. where the ordering of messages is not enforced by the | |||
protocol flow, transcript(MSGa,MSGb) = oCat(MSGa,MSGb) SHOULD be | protocol flow, transcript(MSGa,MSGb) = o_cat(MSGa,MSGb) SHALL be | |||
used. In the initiator-responder setting transcript(MSGa,MSGb) | used. In the initiator-responder setting transcript(MSGa,MSGb) | |||
SHOULD BE implemented such that the later message is appended to | SHALL BE implemented such that the later message is appended to | |||
the earlier message, i.e., transcript(MSGa,MSGb) = MSGa||MSGb if | the earlier message, i.e., transcript(MSGa,MSGb) = MSGa||MSGb if | |||
MSGa is sent first. | MSGa is sent first. | |||
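Review bot: the b"oc" prefix now added to o_cat also separates the symmetric transcript from the initiator-responder form MSGa||MSGb, but the transcript item does not say so; since both forms are now SHALL, it would help to state here that the two forms must not be mixed within one application, in line with the note in Section 6.2 that the symmetric case needs ordered concatenation to give both parties a matching view.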
5.4. Notation for group operations | 5.4. Notation for group operations | |||
We use multiplicative notation for the group, i.e., X^2 denotes the | We use additive notation for the group, i.e., X*2 denotes the element | |||
element that is obtained by computing X*X, for group element X and | that is obtained by computing X+X, for group element X and group | |||
group operation *. | operation +. | |||
6. The CPace protocol | 6. The CPace protocol | |||
CPace is a one round protocol between two parties, A and B. At | CPace is a one round protocol between two parties, A and B. At | |||
invocation, A and B are provisioned with PRS,G,H and OPTIONAL | invocation, A and B are provisioned with PRS,G,H and OPTIONAL | |||
CI,sid,ADa (for A) and CI,sid,ADb (for B). A sends a message MSGa to | CI,sid,ADa (for A) and CI,sid,ADb (for B). A sends a message MSGa to | |||
B. MSGa contains the public share Ya and OPTIONAL associated data | B. MSGa contains the public share Ya and OPTIONAL associated data | |||
ADa (i.e. an ADa field that MAY have a length of 0 bytes). Likewise, | ADa (i.e. an ADa field that MAY have a length of 0 bytes). Likewise, | |||
B sends a message MSGb to A. MSGb contains the public share Yb and | B sends a message MSGb to A. MSGb contains the public share Yb and | |||
OPTIONAL associated data ADb (i.e. an ADb field that MAY have a | OPTIONAL associated data ADb (i.e. an ADb field that MAY have a | |||
length of 0 bytes). Both A and B use the received messages for | length of 0 bytes). Both A and B use the received messages for | |||
deriving a shared intermediate session key, ISK. | deriving a shared intermediate session key, ISK. | |||
6.1. Protocol flow | 6.1. Protocol flow | |||
Optional parameters and messages are denoted with []. | Optional parameters and messages are denoted with []. | |||
public: G, H, [CI], [sid] | public: G, H | |||
A: PRS,[ADa] B: PRS,[ADb] | A: PRS,[ADa],[CI],[sid] B: PRS,[ADb],[CI],[sid] | |||
--------------------------------------- | --------------------------------------- | |||
compute Ya | Ya,[ADa] | compute Yb | compute Ya | Ya,[ADa] | compute Yb | |||
|----------------->| | |----------------->| | |||
| Yb,[ADb] | | | Yb,[ADb] | | |||
verify inputs |<-----------------| verify inputs | verify inputs |<-----------------| verify inputs | |||
derive ISK | | derive ISK | derive ISK | | derive ISK | |||
--------------------------------------- | --------------------------------------- | |||
output ISK output ISK | output ISK output ISK | |||
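Review bot: the revised figure moves CI and sid from the public line into each party's provisioned inputs, which matches the Section 6 text ("OPTIONAL CI,sid,ADa (for A) and CI,sid,ADb (for B)"); since Section 6.2 states that the ISK values agree only if PRS, CI and sid match on both sides, the legend under the figure should say that CI and sid, when used, have to be identical on both sides, otherwise the figure reads as if they were per-party values like ADa and ADb.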
6.2. CPace protocol instructions | 6.2. CPace protocol instructions | |||
skipping to change at page 14, line 5 ¶ | skipping to change at page 14, line 29 ¶ | |||
A computes a generator g = G.calculate_generator(H,PRS,CI,sid), | A computes a generator g = G.calculate_generator(H,PRS,CI,sid), | |||
scalar ya = G.sample_scalar() and group element Ya = G.scalar_mult | scalar ya = G.sample_scalar() and group element Ya = G.scalar_mult | |||
(ya,g). A then transmits MSGa = network_encode(Ya, ADa) with | (ya,g). A then transmits MSGa = network_encode(Ya, ADa) with | |||
optional associated data ADa to B. | optional associated data ADa to B. | |||
B computes a generator g = G.calculate_generator(H,PRS,CI,sid), | B computes a generator g = G.calculate_generator(H,PRS,CI,sid), | |||
scalar yb = G.sample_scalar() and group element Yb = | scalar yb = G.sample_scalar() and group element Yb = | |||
G.scalar_mult(yb,g). B sends MSGb = network_encode(Yb, ADb) with | G.scalar_mult(yb,g). B sends MSGb = network_encode(Yb, ADb) with | |||
optional associated data ADb to A. | optional associated data ADb to A. | |||
Upon reception of MSGa, B checks that MSGa was properly generated | Upon reception of MSGa, B checks that MSGa was properly generated in | |||
conform with the chosen encoding of network messages (notably correct | conformity with the chosen encoding of network messages (notably | |||
length fields). If this parsing fails, then B MUST abort. | correct length fields). If this parsing fails, then B MUST abort. | |||
(Testvectors of examples for invalid messages when using lv_cat() as | (Testvectors of examples for invalid messages when using lv_cat() as | |||
network_encode function for CPace are given in the appendix.) B then | network_encode function for CPace are given in the appendix.) B then | |||
computes K = G.scalar_mult_vfy(yb,Ya). B MUST abort if K=G.I. | computes K = G.scalar_mult_vfy(yb,Ya). B MUST abort if K=G.I. | |||
Otherwise B returns ISK = H.hash(lv_cat(G.DSI || "_ISK", sid, | Otherwise B calculates ISK = H.hash(lv_cat(G.DSI || b"_ISK", sid, | |||
K)||transcript(MSGa, MSGb)). B returns ISK and terminates. | K)||transcript(MSGa, MSGb)). B returns ISK and terminates. | |||
Likewise upon reception of MSGb, A parses MSGb for Yb and ADb and | Likewise upon reception of MSGb, A parses MSGb for Yb and ADb and | |||
checks for a valid encoding. If this parsing fails, then A MUST | checks for a valid encoding. If this parsing fails, then A MUST | |||
abort. A then computes K = G.scalar_mult_vfy(ya,Yb). A MUST abort | abort. A then computes K = G.scalar_mult_vfy(ya,Yb). A MUST abort | |||
if K=G.I. Otherwise A returns ISK = H.hash(lv_cat(G.DSI || "_ISK", | if K=G.I. Otherwise A calculates ISK = H.hash(lv_cat(G.DSI || | |||
sid, K) || transcript(MSGa, MSGb)). A returns ISK and terminates. | b"_ISK", sid, K) || transcript(MSGa, MSGb)). A returns ISK and | |||
terminates. | ||||
The session key ISK returned by A and B is identical if and only if | The session key ISK returned by A and B is identical if and only if | |||
the supplied input parameters PRS, CI and sid match on both sides and | the supplied input parameters PRS, CI and sid match on both sides and | |||
transcript view (containing of MSGa and MSGb) of both parties match. | transcript view (containing of MSGa and MSGb) of both parties match. | |||
(Note that in case of a symmetric protocol execution without clear | (Note that in case of a symmetric protocol execution without clear | |||
initiator/responder roles, transcript(MSGa, MSGb) needs to be | initiator/responder roles, transcript(MSGa, MSGb) needs to be | |||
implemented using ordered concatenation for generating a matching | implemented using ordered concatenation for generating a matching | |||
view by both parties.) | view by both parties.) | |||
skipping to change at page 14, line 47 ¶ | skipping to change at page 15, line 23 ¶ | |||
* generator_string(DSI, PRS, CI, sid, s_in_bytes) denotes a function | * generator_string(DSI, PRS, CI, sid, s_in_bytes) denotes a function | |||
that returns the string lv_cat(DSI, PRS, zero_bytes(len_zpad), CI, | that returns the string lv_cat(DSI, PRS, zero_bytes(len_zpad), CI, | |||
sid). | sid). | |||
* len_zpad = MAX(0, s_in_bytes - len(prepend_len(PRS)) - | * len_zpad = MAX(0, s_in_bytes - len(prepend_len(PRS)) - | |||
len(prepend_len(G.DSI)) - 1) | len(prepend_len(G.DSI)) - 1) | |||
The zero padding of length len_zpad is designed such that the | The zero padding of length len_zpad is designed such that the | |||
encoding of DSI and PRS together with the zero padding field | encoding of DSI and PRS together with the zero padding field | |||
completely fills the first input block (of length s_in_bytes) of the | completely fills at least the first input block (of length | |||
hash. As a result for the common case of short PRS the number of | s_in_bytes) of the hash. As a result for the common case of short | |||
bytes to hash becomes independent of the actual length of the | PRS the number of bytes to hash becomes independent of the actual | |||
password (PRS). (A reference implementation and test vectors are | length of the password (PRS). (A reference implementation and test | |||
provided in the appendix.) | vectors are provided in the appendix.) | |||
The introduction of a zero-padding within the generator string also | The introduction of a zero-padding within the generator string also | |||
helps mitigating attacks of a side-channel adversary that analyzes | helps mitigating attacks of a side-channel adversary that analyzes | |||
correlations between publicly known variable information with the | correlations between publicly known variable information with a short | |||
low-entropy PRS string. Note that the hash of the first block is | low-entropy PRS string. Note that the hash of the first block is | |||
intentionally made independent of session-specific inputs, such as | intentionally made independent of session-specific inputs, such as | |||
sid or CI. | sid or CI and that there is no limitation regarding the maximum | |||
length of the PRS string. | ||||
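An added Python example (not the draft's reference code) covering the octet-string helpers of Section 5.3 as defined in the -11 column (o_cat with the b"oc" prefix), a strict parser for the RECOMMENDED lv_cat network encoding whose failures are the parse-abort conditions of Section 6.2, the zero-padded generator string of Section 7.1, and the ISK derivation with SHA-512 standing in for H. The Ya, Yb and K values in the demo are constructed placeholder byte strings, since no group implementation is included.

```python
import hashlib

# Added example, not the draft's reference code: octet-string helpers (5.3),
# strict lv_cat message parsing (6.2), generator string padding (7.1), ISK.


def prepend_len(octet_string: bytes) -> bytes:
    """Prepend the LEB128-encoded length: 7 bits per octet, least significant
    group first, high bit set on all but the last octet (1 octet below 128)."""
    length, encoded = len(octet_string), b""
    while True:
        group = length & 0x7F
        length >>= 7
        if length == 0:
            return encoded + bytes([group]) + octet_string
        encoded += bytes([group | 0x80])


def lv_cat(*octet_strings: bytes) -> bytes:
    """Length-value concatenation: every input carries its own length prefix."""
    return b"".join(prepend_len(s) for s in octet_strings)


def o_cat(bytes1: bytes, bytes2: bytes) -> bytes:
    """Ordered concatenation (-11 form): larger string first, prefixed b"oc".
    Python's bytes comparison is lexicographic (first differing octet decides,
    a proper prefix sorts before the longer string), as the draft requires."""
    if bytes1 > bytes2:
        return b"oc" + bytes1 + bytes2
    return b"oc" + bytes2 + bytes1


def transcript(msga: bytes, msgb: bytes, ordered_roles: bool) -> bytes:
    """MSGa||MSGb with initiator/responder roles, o_cat in the symmetric case."""
    return msga + msgb if ordered_roles else o_cat(msga, msgb)


def network_encode(Y: bytes, AD: bytes) -> bytes:
    """RECOMMENDED network encoding: MSG = lv_cat(Y, AD)."""
    return lv_cat(Y, AD)


def _read_leb128(msg: bytes, pos: int):
    """Decode one LEB128 length at msg[pos:]; None if truncated or non-minimal."""
    value, shift = 0, 0
    while pos < len(msg):
        byte = msg[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            if byte == 0 and shift > 7:   # e.g. 0x80 0x00: redundant octet
                return None
            return value, pos
    return None


def parse_lv_cat(msg: bytes, n_fields: int):
    """Strictly parse an lv_cat-encoded message into n_fields octet strings.
    Returns None (receiver MUST abort) for a truncated or non-minimal length
    field, a field longer than the remaining octets, or trailing octets."""
    fields, pos = [], 0
    for _ in range(n_fields):
        decoded = _read_leb128(msg, pos)
        if decoded is None:
            return None
        length, pos = decoded
        if pos + length > len(msg):
            return None
        fields.append(msg[pos:pos + length])
        pos += length
    return fields if pos == len(msg) else None


def len_zpad(DSI: bytes, PRS: bytes, s_in_bytes: int) -> int:
    """Section 7.1: the -1 accounts for the length octet of the padding field."""
    return max(0, s_in_bytes - len(prepend_len(PRS)) - len(prepend_len(DSI)) - 1)


def generator_string(DSI: bytes, PRS: bytes, CI: bytes, sid: bytes,
                     s_in_bytes: int) -> bytes:
    return lv_cat(DSI, PRS, bytes(len_zpad(DSI, PRS, s_in_bytes)), CI, sid)


def first_block_len(DSI: bytes, PRS: bytes, s_in_bytes: int) -> int:
    """Octets taken by DSI, PRS and padding: exactly s_in_bytes for short PRS,
    so sid and CI never share a hash input block with the password."""
    return len(lv_cat(DSI, PRS, bytes(len_zpad(DSI, PRS, s_in_bytes))))


def derive_isk(DSI: bytes, sid: bytes, K: bytes, msga: bytes, msgb: bytes,
               ordered_roles: bool) -> bytes:
    """ISK = H.hash(lv_cat(DSI || b"_ISK", sid, K) || transcript(MSGa, MSGb))."""
    return hashlib.sha512(lv_cat(DSI + b"_ISK", sid, K)
                          + transcript(msga, msgb, ordered_roles)).digest()


if __name__ == "__main__":
    # Constructed placeholders for group elements; no real group is used here.
    Ya, Yb, K = bytes([0xA1] * 32), bytes([0xB2] * 32), bytes([0xC3] * 32)
    msga, msgb = network_encode(Ya, b"ADa"), network_encode(Yb, b"ADb")
    assert parse_lv_cat(msga, 2) == [Ya, b"ADa"]
    assert parse_lv_cat(msga[:-1], 2) is None          # truncated: abort
    assert parse_lv_cat(msga + b"\x00", 2) is None     # trailing octet: abort
    assert first_block_len(b"CPace255", b"Password", 128) == 128  # SHA-512 block
    # Symmetric roles: both parties get the same ISK whichever message is "a".
    assert derive_isk(b"CPace255", b"sid0", K, msga, msgb, False) == \
        derive_isk(b"CPace255", b"sid0", K, msgb, msga, False)
```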
7.2. CPace group objects G_X25519 and G_X448 for single-coordinate | 7.2. CPace group objects G_X25519 and G_X448 for single-coordinate | |||
Ladders on Montgomery curves | Ladders on Montgomery curves | |||
In this section we consider the case of CPace when using the X25519 | In this section we consider the case of CPace when using the X25519 | |||
and X448 Diffie-Hellman functions from [RFC7748] operating on the | and X448 Diffie-Hellman functions from [RFC7748] operating on the | |||
Montgomery curves Curve25519 and Curve448 [RFC7748]. CPace | Montgomery curves Curve25519 and Curve448 [RFC7748]. CPace | |||
implementations using single-coordinate ladders on further Montgomery | implementations using single-coordinate ladders on further Montgomery | |||
curves SHALL use the definitions in line with the specifications for | curves SHALL use the definitions in line with the specifications for | |||
X25519 and X448 and review the guidance given in Section 9. | X25519 and X448 and review the guidance given in Section 9. | |||
skipping to change at page 15, line 26 ¶ | skipping to change at page 16, line 4 ¶ | |||
Montgomery curves Curve25519 and Curve448 [RFC7748]. CPace | Montgomery curves Curve25519 and Curve448 [RFC7748]. CPace | |||
implementations using single-coordinate ladders on further Montgomery | implementations using single-coordinate ladders on further Montgomery | |||
curves SHALL use the definitions in line with the specifications for | curves SHALL use the definitions in line with the specifications for | |||
X25519 and X448 and review the guidance given in Section 9. | X25519 and X448 and review the guidance given in Section 9. | |||
For the group environment G_X25519 the following definitions apply: | For the group environment G_X25519 the following definitions apply: | |||
* G_X25519.field_size_bytes = 32 | * G_X25519.field_size_bytes = 32 | |||
* G_X25519.field_size_bits = 255 | * G_X25519.field_size_bits = 255 | |||
* G_X25519.sample_scalar() = sample_random_bytes(G.field_size_bytes) | * G_X25519.sample_scalar() = sample_random_bytes(G.field_size_bytes) | |||
* G_X25519.scalar_mult(y,g) = G.scalar_mult_vfy(y,g) = X25519(y,g) | * G_X25519.scalar_mult(y,g) = G.scalar_mult_vfy(y,g) = X25519(y,g) | |||
* G_X25519.I = zero_bytes(G.field_size_bytes) | * G_X25519.I = zero_bytes(G.field_size_bytes) | |||
* G_X25519.DSI = "CPace255" | * G_X25519.DSI = b"CPace255" | |||
CPace cipher suites using G_X25519 MUST use a hash function producing | CPace cipher suites using G_X25519 MUST use a hash function producing | |||
at least H.b_max_in_bytes >= 32 bytes of output. It is RECOMMENDED | at least H.b_max_in_bytes >= 32 bytes of output. It is RECOMMENDED | |||
to use G_X25519 in combination with SHA-512. | to use G_X25519 in combination with SHA-512. | |||
For X448 the following definitions apply: | For X448 the following definitions apply: | |||
* G_X448.field_size_bytes = 56 | * G_X448.field_size_bytes = 56 | |||
* G_X448.field_size_bits = 448 | * G_X448.field_size_bits = 448 | |||
* G_X448.sample_scalar() = sample_random_bytes(G.field_size_bytes) | * G_X448.sample_scalar() = sample_random_bytes(G.field_size_bytes) | |||
* G_X448.scalar_mult(y,g) = G.scalar_mult_vfy(y,g) = X448(y,g) | * G_X448.scalar_mult(y,g) = G.scalar_mult_vfy(y,g) = X448(y,g) | |||
* G_X448.I = zero_bytes(G.field_size_bytes) | * G_X448.I = zero_bytes(G.field_size_bytes) | |||
* G_X448.DSI = "CPace448" | * G_X448.DSI = b"CPace448" | |||
CPace cipher suites using G_X448 MUST use a hash function producing | CPace cipher suites using G_X448 MUST use a hash function producing | |||
at least H.b_max_in_bytes >= 56 bytes of output. It is RECOMMENDED | at least H.b_max_in_bytes >= 56 bytes of output. It is RECOMMENDED | |||
to use G_X448 in combination with SHAKE-256. | to use G_X448 in combination with SHAKE-256. | |||
For both G_X448 and G_X25519 the G.calculate_generator(H, PRS,sid,CI) | For both G_X448 and G_X25519 the G.calculate_generator(H, PRS,sid,CI) | |||
function shall be implemented as follows. | function shall be implemented as follows. | |||
* First gen_str = generator_string(G.DSI,PRS,CI,sid, H.s_in_bytes) | * First gen_str = generator_string(G.DSI,PRS,CI,sid, H.s_in_bytes) | |||
SHALL BE calculated using the input block size of the chosen hash | SHALL BE calculated using the input block size of the chosen hash | |||
function. | function. | |||
skipping to change at page 16, line 39 ¶ | skipping to change at page 17, line 19 ¶ | |||
repeats the definitions from [RFC9380] for convenience. | repeats the definitions from [RFC9380] for convenience. | |||
In the appendix we show sage code that can be used as reference | In the appendix we show sage code that can be used as reference | |||
implementation. | implementation. | |||
7.2.1. Verification tests | 7.2.1. Verification tests | |||
For single-coordinate Montgomery ladders on Montgomery curves | For single-coordinate Montgomery ladders on Montgomery curves | |||
verification tests according to Section 8 SHALL check for proper | verification tests according to Section 8 SHALL check for proper | |||
handling of the abort conditions, when a party is receiving u | handling of the abort conditions, when a party is receiving u | |||
coordinate values that encode a low-order point on either, the curve | coordinate values that encode a low-order point on either the curve | |||
or the quadratic twist. | or the quadratic twist. | |||
In addition to that in case of G_X25519 the tests SHALL also verify | In addition to that in case of G_X25519 the tests SHALL also verify | |||
that the implementation of G.scalar_mult_vfy(y,g) produces the | that the implementation of G.scalar_mult_vfy(y,g) produces the | |||
expected results for non-canonical u coordinate values with bit #255 | expected results for non-canonical u coordinate values with bit #255 | |||
set, which may also encode low-order points. | set, which may also encode low-order points. | |||
Corresponding test vectors are provided in the appendix. | Corresponding test vectors are provided in the appendix. | |||
7.3. CPace group objects G_Ristretto255 and G_Decaf448 for prime-order | 7.3. CPace group objects G_Ristretto255 and G_Decaf448 for prime-order | |||
skipping to change at page 17, line 22 ¶ | skipping to change at page 17, line 46 ¶ | |||
internal encoding and an element-derivation function that maps a byte | internal encoding and an element-derivation function that maps a byte | |||
string to a group element. With the group abstractions there is a | string to a group element. With the group abstractions there is a | |||
distinction between an internal representation of group elements and | distinction between an internal representation of group elements and | |||
an external encoding of the same group element. In order to | an external encoding of the same group element. In order to | |||
distinguish between these different representations, we prepend an | distinguish between these different representations, we prepend an | |||
underscore before values using the internal representation within | underscore before values using the internal representation within | |||
this section. | this section. | |||
For Ristretto255 the following definitions apply: | For Ristretto255 the following definitions apply: | |||
* G_Ristretto255.DSI = "CPaceRistretto255" | * G_Ristretto255.DSI = b"CPaceRistretto255" | |||
* G_Ristretto255.field_size_bytes = 32 | * G_Ristretto255.field_size_bytes = 32 | |||
* G_Ristretto255.group_size_bits = 252 | * G_Ristretto255.group_size_bits = 252 | |||
* G_Ristretto255.group_order = 2^252 + | * G_Ristretto255.group_order = 2^252 + | |||
27742317777372353535851937790883648493 | 27742317777372353535851937790883648493 | |||
CPace cipher suites using G_Ristretto255 MUST use a hash function | CPace cipher suites using G_Ristretto255 MUST use a hash function | |||
producing at least H.b_max_in_bytes >= 64 bytes of output. It is | producing at least H.b_max_in_bytes >= 64 bytes of output. It is | |||
RECOMMENDED to use G_Ristretto255 in combination with SHA-512. | RECOMMENDED to use G_Ristretto255 in combination with SHA-512. | |||
For decaf448 the following definitions apply: | For decaf448 the following definitions apply: | |||
* G_Decaf448.DSI = "CPaceDecaf448" | * G_Decaf448.DSI = b"CPaceDecaf448" | |||
* G_Decaf448.field_size_bytes = 56 | * G_Decaf448.field_size_bytes = 56 | |||
* G_Decaf448.group_size_bits = 445 | * G_Decaf448.group_size_bits = 445 | |||
* G_Decaf448.group_order = l = 2^446 - | * G_Decaf448.group_order = l = 2^446 - | |||
1381806680989511535200738674851542 | 1381806680989511535200738674851542 | |||
6880336692474882178609894547503885 | 6880336692474882178609894547503885 | |||
CPace cipher suites using G_Decaf448 MUST use a hash function | CPace cipher suites using G_Decaf448 MUST use a hash function | |||
skipping to change at page 18, line 23 ¶ | skipping to change at page 18, line 47 ¶ | |||
integer value and return the result. | integer value and return the result. | |||
* Alternatively, if G.sample_scalar() is not implemented according | * Alternatively, if G.sample_scalar() is not implemented according | |||
to the above recommendation, it SHALL be implemented using uniform | to the above recommendation, it SHALL be implemented using uniform | |||
sampling between 1 and (G.group_order - 1). Note that the more | sampling between 1 and (G.group_order - 1). Note that the more | |||
complex uniform sampling process can provide a larger side-channel | complex uniform sampling process can provide a larger side-channel | |||
attack surface for embedded systems in hostile environments. | attack surface for embedded systems in hostile environments. | |||
* G.scalar_mult(y,_g) SHALL operate on a scalar y and a group | * G.scalar_mult(y,_g) SHALL operate on a scalar y and a group | |||
element _g in the internal representation of the group abstraction | element _g in the internal representation of the group abstraction | |||
environment. It returns the value Y = encode((_g)^y), i.e. it | environment. It returns the value Y = encode((_g) * y), i.e. it | |||
returns a value using the public encoding. | returns a value using the public encoding. | |||
* G.I = is the public encoding representation of the identity | * G.I = is the public encoding representation of the identity | |||
element. | element. | |||
* G.scalar_mult_vfy(y,X) operates on a value using the public | * G.scalar_mult_vfy(y,X) operates on a value using the public | |||
encoding and a scalar and is implemented as follows. If the | encoding and a scalar and is implemented as follows. If the | |||
decode(X) function fails, it returns G.I. Otherwise it returns | decode(X) function fails, it returns G.I. Otherwise it returns | |||
encode( decode(X)^y ). | encode( decode(X) * y ). | |||
* The G.calculate_generator(H, PRS,sid,CI) function SHALL return a | * The G.calculate_generator(H, PRS,sid,CI) function SHALL return a | |||
decoded point and SHALL BE implemented as follows. | decoded point and SHALL BE implemented as follows. | |||
- First gen_str = generator_string(G.DSI,PRS,CI,sid, | - First gen_str = generator_string(G.DSI,PRS,CI,sid, | |||
H.s_in_bytes) is calculated using the input block size of the | H.s_in_bytes) is calculated using the input block size of the | |||
chosen hash function. | chosen hash function. | |||
- This string is then hashed to the required length gen_str_hash | - This string is then hashed to the required length gen_str_hash | |||
= H.hash(gen_str, 2 * G.field_size_bytes). Note that this | = H.hash(gen_str, 2 * G.field_size_bytes). Note that this | |||
skipping to change at page 20, line 38 ¶ | skipping to change at page 21, line 12 ¶ | |||
either the neutral element on the group or does not form a valid | either the neutral element on the group or does not form a valid | |||
encoding of a point on the group. | encoding of a point on the group. | |||
* With encode_to_curve(str,DST) we denote a mapping function from | * With encode_to_curve(str,DST) we denote a mapping function from | |||
[RFC9380]. I.e. a function that maps octet string str to a point | [RFC9380]. I.e. a function that maps octet string str to a point | |||
on the group using the domain separation tag DST. [RFC9380] | on the group using the domain separation tag DST. [RFC9380] | |||
considers both, uniform and non-uniform mappings based on several | considers both, uniform and non-uniform mappings based on several | |||
different strategies. It is RECOMMENDED to use the nonuniform | different strategies. It is RECOMMENDED to use the nonuniform | |||
variant of the SSWU mapping primitive within [RFC9380]. | variant of the SSWU mapping primitive within [RFC9380]. | |||
* G.DSI denotes a domain-separation identifier string. G.DSI which | * G.DSI denotes a domain-separation identifier octet string. G.DSI | |||
SHALL BE obtained by the concatenation of "CPace" and the | which SHALL BE obtained by the concatenation of b"CPace" and the | |||
associated name of the cipher suite used for the encode_to_curve | associated name of the cipher suite used for the encode_to_curve | |||
function as specified in [RFC9380]. E.g. when using the map with | function as specified in [RFC9380]. E.g. when using the map with | |||
the name "P384_XMD:SHA-384_SSWU_NU_" on curve NIST-P384 the | the name P384_XMD:SHA-384_SSWU_NU_ on curve NIST-P384 the | |||
resulting value SHALL BE G.DSI = "CPaceP384_XMD:SHA-384_SSWU_NU_". | resulting value SHALL BE G.DSI = b"CPaceP384_XMD:SHA- | |||
384_SSWU_NU_". | ||||
Using the above definitions, the CPace functions required for the | Using the above definitions, the CPace functions required for the | |||
group object G are defined as follows. | group object G are defined as follows. | |||
* G.DST denotes the domain-separation tag value to use in | * G.DST denotes the domain-separation tag value to use in | |||
conjunction with the encode_to_curve function from [RFC9380]. | conjunction with the encode_to_curve function from [RFC9380]. | |||
G.DST shall be obtained by concatenating G.DSI and "_DST". | G.DST shall be obtained by concatenating G.DSI and b"_DST". | |||
* G.sample_scalar() SHALL return a value between 1 and | * G.sample_scalar() SHALL return a value between 1 and | |||
(G.group_order - 1). The value sampling MUST BE uniformly random. | (G.group_order - 1). The sampling SHALL BE indistinguishable from | |||
It is RECOMMENDED to use rejection sampling for converting a | uniform random selection between 1 and (G.group_order - 1). It is | |||
uniform bitstring to a uniform value between 1 and (G.group_order | RECOMMENDED to use a constant-time rejection sampling algorithm | |||
- 1). | for converting a uniform bitstring to a uniform value between 1 | |||
and (G.group_order - 1). | ||||
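Review bot: "constant-time rejection sampling algorithm" in the revised G.sample_scalar item needs qualification, because the number of rejected candidates in any rejection sampler is inherently data dependent; the text should say which steps are meant to run in constant time (the range comparison and any reduction of a candidate) and make clear that the retry count reveals only discarded candidates, not the scalar finally returned.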
* G.calculate_generator(H, PRS,sid,CI) function SHALL be implemented | * G.calculate_generator(H, PRS,sid,CI) function SHALL be implemented | |||
as follows. | as follows. | |||
- First gen_str = generator_string(G.DSI,PRS,CI,sid, | - First gen_str = generator_string(G.DSI,PRS,CI,sid, | |||
H.s_in_bytes) is calculated. | H.s_in_bytes) is calculated. | |||
- Then the output of a call to encode_to_curve(gen_str, G.DST) is | - Then the output of a call to encode_to_curve(gen_str, G.DST) is | |||
returned, using the selected suite from [RFC9380]. | returned, using the selected suite from [RFC9380]. | |||
* G.scalar_mult(s,X) is a function that operates on a scalar s and | * G.scalar_mult(s,X) is a function that operates on a scalar s and | |||
an input point X. The input X shall use the same encoding as | an input point X. The input X shall use the same encoding as | |||
produced by the G.calculate_generator method above. | produced by the G.calculate_generator method above. | |||
G.scalar_mult(s,X) SHALL return an encoding of either the point | G.scalar_mult(s,X) SHALL return an encoding of either the point | |||
X^s or the point X^(-s) according to [SEC1]. Implementations | X*s or the point X*(-s) according to [SEC1]. Implementations | |||
SHOULD use the full-coordinate format without compression, as | SHOULD use the full-coordinate format without compression, as | |||
important protocols such as TLS 1.3 removed support for | important protocols such as TLS 1.3 removed support for | |||
compression. Implementations of scalar_mult(s,X) MAY output | compression. Implementations of scalar_mult(s,X) MAY output | |||
either X^s or X^(-s) as both points X^s and X^(-s) have the same | either X*s or X*(-s) as both points X*s and X*(-s) have the same | |||
x-coordinate and result in the same Diffie-Hellman shared secrets | x-coordinate and result in the same Diffie-Hellman shared secrets | |||
K. (This allows implementations to opt for x-coordinate-only | K. (This allows implementations to opt for x-coordinate-only | |||
scalar multiplication algorithms.) | scalar multiplication algorithms.) | |||
* G.scalar_mult_vfy(s,X) merges verification of point X according to | * G.scalar_mult_vfy(s,X) merges verification of point X according to | |||
[IEEE1363] A.16.10. and the the ECSVDP-DH procedure from | [IEEE1363] A.16.10. and the the ECSVDP-DH procedure from | |||
[IEEE1363]. It SHALL BE implemented as follows: | [IEEE1363]. It SHALL BE implemented as follows: | |||
- If is_valid(X) = False then G.scalar_mult_vfy(s,X) SHALL return | - If is_valid(X) = False then G.scalar_mult_vfy(s,X) SHALL return | |||
"error" as specified in [IEEE1363] A.16.10 and 7.2.1. | "error" as specified in [IEEE1363] A.16.10 and 7.2.1. | |||
- Otherwise G.scalar_mult_vfy(s,X) SHALL return the result of the | - Otherwise G.scalar_mult_vfy(s,X) SHALL return the result of the | |||
ECSVDP-DH procedure from [IEEE1363] (section 7.2.1). I.e. it | ECSVDP-DH procedure from [IEEE1363] (section 7.2.1). I.e. it | |||
shall either return "error" (in case that X^s is the neutral | shall either return "error" (in case that X*s is the neutral | |||
element) or the secret shared value "z" (otherwise). "z" SHALL | element) or the secret shared value "z" (otherwise). "z" SHALL | |||
be encoded by using the big-endian encoding of the x-coordinate | be encoded by using the big-endian encoding of the x-coordinate | |||
of the result point X^s according to [SEC1]. | of the result point X*s according to [SEC1]. | |||
* We represent the neutral element G.I by using the representation | * We represent the neutral element G.I by using the representation | |||
of the "error" result case from [IEEE1363] as used in the | of the "error" result case from [IEEE1363] as used in the | |||
G.scalar_mult_vfy method above. | G.scalar_mult_vfy method above. | |||
7.4.4. Verification tests | 7.4.4. Verification tests | |||
For Short-Weierstrass curves verification tests according to | For Short-Weierstrass curves verification tests according to | |||
Section 8 SHALL check for proper handling of the abort conditions, | Section 8 SHALL check for proper handling of the abort conditions, | |||
when a party is receiving an encoding of the point at infinity and an | when a party is receiving an encoding of the point at infinity and an | |||
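Review bot: the duplicated word in "and the the ECSVDP-DH procedure" (G.scalar_mult_vfy bullet) is carried over unchanged into the draft-11 column; suggest "and the ECSVDP-DH procedure". The notation change from X^s to X*s is applied consistently to the scalar_mult and scalar_mult_vfy bullets, but the sentence "return an encoding of either the point X*s or the point X*(-s) according to [SEC1]" reads more clearly as "an encoding (according to [SEC1]) of either X*s or X*(-s)", since [SEC1] specifies the encoding, not the choice of sign.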
skipping to change at page 22, line 22 ¶ | skipping to change at page 23, line 6 ¶ | |||
8. Implementation verification | 8. Implementation verification | |||
Any CPace implementation MUST be tested against invalid or weak point | Any CPace implementation MUST be tested against invalid or weak point | |||
attacks. Implementation MUST be verified to abort upon conditions | attacks. Implementation MUST be verified to abort upon conditions | |||
where G.scalar_mult_vfy functions outputs G.I. For testing an | where G.scalar_mult_vfy functions outputs G.I. For testing an | |||
implementation it is RECOMMENDED to include weak or invalid point | implementation it is RECOMMENDED to include weak or invalid point | |||
encodings within MSGa and MSGb and introduce this in a protocol run. | encodings within MSGa and MSGb and introduce this in a protocol run. | |||
It SHALL be verified that the abort condition is properly handled. | It SHALL be verified that the abort condition is properly handled. | |||
Moreover regarding the network format any implementation MUST be | Moreover regarding the network format any implementation MUST be | |||
tested with respect invalid encodings of MSGa and MSGb. E.g. when | tested with respect to invalid encodings of MSGa and MSGb. E.g. when | |||
lv_cat is used as network format for encoding MSGa and MSGb, the sum | lv_cat is used as network format for encoding MSGa and MSGb, the sum | |||
of the prepended lengths of the fields must be verified to match the | of the prepended lengths of the fields must be verified to match the | |||
actual length of the message. Tests SHALL verify that a party aborts | actual length of the message. Tests SHALL verify that a party aborts | |||
in case that incorrectly encoded messages are recieved. | in case that incorrectly encoded messages are received. | |||
Corresponding test vectors are given in the appendix for all | Corresponding test vectors are given in the appendix for all | |||
recommended cipher suites. | recommended cipher suites. | |||
9. Security Considerations | 9. Security Considerations | |||
A security proof of CPace is found in [AHH21]. This proof covers all | A security proof of CPace is found in [AHH21]. This proof covers all | |||
recommended cipher suites included in this document. In the | recommended cipher suites included in this document. In the | |||
following sections we describe how to protect CPace against several | following sections we describe how to protect CPace against several | |||
attack families, such as relay-, length extension- or side channel | attack families, such as relay-, length extension- or side channel | |||
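Review bot: the first paragraph of Section 8 still has a number-agreement problem in both columns: "Implementation MUST be verified to abort upon conditions where G.scalar_mult_vfy functions outputs G.I" should read "Implementations MUST be verified to abort whenever G.scalar_mult_vfy outputs G.I", and "introduce this in a protocol run" should be "inject these into a protocol run". The draft-11 column does fix "with respect invalid" and "recieved" in the second paragraph. The length rule stated there (the sum of the prepended field lengths must equal the actual message length) implies that a message with trailing bytes after the last field must also be rejected; naming that case explicitly alongside truncated messages would make the test requirement unambiguous.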
skipping to change at page 23, line 11 ¶ | skipping to change at page 23, line 44 ¶ | |||
to a party C instead. If no party identifier strings are used, and B | to a party C instead. If no party identifier strings are used, and B | |||
and C use the same PRS value, A might be establishing a common ISK | and C use the same PRS value, A might be establishing a common ISK | |||
key with C while assuming to interact with party B. Including and | key with C while assuming to interact with party B. Including and | |||
checking party identifiers can fend off such relay attacks. | checking party identifiers can fend off such relay attacks. | |||
9.2. Network message encoding and hashing protocol transcripts | 9.2. Network message encoding and hashing protocol transcripts | |||
It is RECOMMENDED to encode the (Ya,ADa) and (Yb,ADb) fields on the | It is RECOMMENDED to encode the (Ya,ADa) and (Yb,ADb) fields on the | |||
network by using network_encode(Y,AD) = lv_cat(Y,AD). I.e. we | network by using network_encode(Y,AD) = lv_cat(Y,AD). I.e. we | |||
RECOMMEND to prepend an encoding of the length of the subfields. | RECOMMEND to prepend an encoding of the length of the subfields. | |||
Prepending the length of of all variable-size input strings results | Prepending the length of all variable-size input strings results in a | |||
in a so-called prefix-free encoding of transcript strings, using | so-called prefix-free encoding of transcript strings, using | |||
terminology introduced in [CDMP05]. This property allows for | terminology introduced in [CDMP05]. This property allows for | |||
disregarding length-extension imperfections that come with the | disregarding length-extension imperfections that come with the | |||
commonly used Merkle-Damgard hash function constructions such as | commonly used Merkle-Damgard hash function constructions such as | |||
SHA256 and SHA512. | SHA256 and SHA512. | |||
Other alternative network encoding formats which prepend an encoding | Other alternative network encoding formats which prepend an encoding | |||
of the length of variable-size data fields in the protocol messages | of the length of variable-size data fields in the protocol messages | |||
are equally suitable. This includes, e.g., the type-length-value | are equally suitable. This includes, e.g., the type-length-value | |||
format specified in the DER encoding standard (X.690) or the protocol | format specified in the DER encoding standard (X.690) or the protocol | |||
message encoding used in the TLS protocol family for the TLS client- | message encoding used in the TLS protocol family for the TLS client- | |||
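Review bot: "we RECOMMEND to prepend an encoding of the length" should be "we RECOMMEND prepending an encoding of the length", and "Merkle-Damgard" should carry the diacritic ("Merkle-Damgård") as in the cited literature. The draft-11 column's reflow of "Prepending the length of of all variable-size input strings" correctly removes the doubled "of".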
skipping to change at page 24, line 25 ¶ | skipping to change at page 25, line 8 ¶ | |||
recommend adding explicit key confirmation if perfect forward | recommend adding explicit key confirmation if perfect forward | |||
security is required. | security is required. | |||
When implementing explicit key confirmation, it is recommended to use | When implementing explicit key confirmation, it is recommended to use | |||
an appropriate message-authentication code (MAC) such as HMAC | an appropriate message-authentication code (MAC) such as HMAC | |||
[RFC2104] or CMAC [RFC4493] using a key mac_key derived from ISK. | [RFC2104] or CMAC [RFC4493] using a key mac_key derived from ISK. | |||
One suitable option that works also in the parallel setting without | One suitable option that works also in the parallel setting without | |||
message ordering is to proceed as follows. | message ordering is to proceed as follows. | |||
* First calculate mac_key as as mac_key = H.hash(b"CPaceMac" || | * First calculate mac_key as mac_key = H.hash(b"CPaceMac" || ISK). | |||
ISK). | ||||
* Then let each party send an authenticator tag Ta, Tb that is | * Then let each party send an authenticator tag Ta, Tb that is | |||
calculated over the protocol message that it has sent previously. | calculated over the protocol message that it has sent previously. | |||
I.e. let party A calculate its transmitted authentication code Ta | I.e. let party A calculate its transmitted authentication code Ta | |||
as Ta = MAC(mac_key, MSGa) and let party B calculate its | as Ta = MAC(mac_key, MSGa) and let party B calculate its | |||
transmitted authentication code Tb as Tb = MAC(mac_key, MSGb). | transmitted authentication code Tb as Tb = MAC(mac_key, MSGb). | |||
* Let the receiving party check the remote authentication tag for | * Let the receiving party check the remote authentication tag for | |||
the correct value and abort in case that it's incorrect. | the correct value and abort in case that it's incorrect. | |||
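The key-confirmation procedure in the three bullets above, as an added example that is not code from the draft: mac_key is derived as H.hash(b"CPaceMac" || ISK) and each party tags the message it sent itself, while the receiver recomputes the tag over the peer's message as received and compares in constant time. The draft allows HMAC or CMAC; the choice of HMAC with SHA-512 (assumed here as the hash H of the CPace255 suite) and the helper names are this example's own. ISK, MSGa and MSGb are the B.1 test-vector values from the draft-11 column of this page.

```python
"""Added example, not code from the draft: explicit key confirmation per
Section 9.4 with HMAC-SHA-512.  Assumption: H = SHA-512 (CPace255 suite)."""
import hashlib
import hmac

# B.1 test-vector values copied from the page (draft-11 column).
ISK = bytes.fromhex(
    "f5ef3c13fdb9dfe839bdbf8a9256e8cee7db8a8f1dfa74958a925450"
    "cf8089cd560d9a4e7956b7334b6f625c8559b75ea0764ac2be894b8f"
    "3d434b30e87797d5")
MSGa = bytes.fromhex(
    "20f970e36f37cfcd9a39e37dd2d1fbc9156d6d2f9ae422f4722cbd9d"
    "32e9b1e70403414461")
MSGb = bytes.fromhex(
    "200178bbbab0804a4455b8f02e5d6e7d80997c6470bfb3618d7e74c3"
    "9647af5a2903414462")


def derive_mac_key(isk: bytes) -> bytes:
    # mac_key = H.hash(b"CPaceMac" || ISK), H assumed to be SHA-512 here.
    return hashlib.sha512(b"CPaceMac" + isk).digest()


def make_tag(mac_key: bytes, own_msg: bytes) -> bytes:
    # Ta = MAC(mac_key, MSGa) for party A, Tb = MAC(mac_key, MSGb) for party B:
    # each side authenticates the protocol message it sent previously.
    return hmac.new(mac_key, own_msg, hashlib.sha512).digest()


def verify_tag(mac_key: bytes, peer_msg_as_received: bytes, peer_tag: bytes) -> bool:
    # The receiver recomputes the tag over the peer message exactly as it
    # arrived on the wire; a modified or relayed message fails here.
    # compare_digest avoids leaking the mismatch position through timing.
    expected = make_tag(mac_key, peer_msg_as_received)
    return hmac.compare_digest(expected, peer_tag)


def run_confirmation(isk_a: bytes, isk_b: bytes) -> tuple:
    """Simulate both directions with each party's own ISK.

    Returns (A accepts Tb, B accepts Ta).  Both tags can be sent at the
    same time, so this also works in the parallel setting of Section 9.4."""
    key_a = derive_mac_key(isk_a)
    key_b = derive_mac_key(isk_b)
    Ta = make_tag(key_a, MSGa)   # sent by A
    Tb = make_tag(key_b, MSGb)   # sent by B
    a_accepts = verify_tag(key_a, MSGb, Tb)
    b_accepts = verify_tag(key_b, MSGa, Ta)
    return a_accepts, b_accepts
```

When the two parties hold different ISKs (for instance after a password mismatch), both checks fail and both sides abort, which is what turns the implicit authentication of CPace into an explicit one.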
9.5. Sampling of scalars | 9.5. Sampling of scalars | |||
For curves over fields F_p where p is a prime close to a power of | For curves over fields F_q where q is a prime close to a power of | |||
two, we recommend sampling scalars as a uniform bit string of length | two, we recommend sampling scalars as a uniform bit string of length | |||
field_size_bits. We do so in order to reduce both, complexity of the | field_size_bits. We do so in order to reduce both, complexity of the | |||
implementation and reducing the attack surface with respect to side- | implementation and the attack surface with respect to side-channels | |||
channels for embedded systems in hostile environments. The effect of | for embedded systems in hostile environments. The effect of non- | |||
non-uniform sampling on security was demonstrated to be begning in | uniform sampling on security was demonstrated to be begnin in [AHH21] | |||
[AHH21] for the case of Curve25519 and Curve448. This analysis | for the case of Curve25519 and Curve448. This analysis however does | |||
however does not transfer to most curves in Short-Weierstrass form. | not transfer to most curves in Short-Weierstrass form. | |||
As a result, we recommend rejection sampling if G is as in | As a result, we recommend rejection sampling if G is as in | |||
Section 7.4. | Section 7.4. Alternatively an algorithm designed allong the lines of | |||
the hash_to_field() function from [RFC9380] can also be used. There | ||||
oversampling to an integer significantly larger than the curve order | ||||
is followed by a modular reduction to the group order. | ||||
9.6. Single-coordinate CPace on Montgomery curves | 9.6. Preconditions for using the simplified CPace specification from | |||
Section 7.2 | ||||
The recommended cipher suites for the Montgomery curves Curve25519 | The security of the algorithms used for the recommended cipher suites | |||
and Curve448 in Section 7.2 rely on the following properties [AHH21]: | for the Montgomery curves Curve25519 and Curve448 in Section 7.2 rely | |||
on the following properties [AHH21]: | ||||
* The curve has order (p * c) with p prime and c a small cofactor. | * The curve has order (p * c) with p prime and c a small cofactor. | |||
Also the curve's quadratic twist must be of order (p' * c') with | Also the curve's quadratic twist must be of order (p' * c') with | |||
p' prime and c' a cofactor. | p' prime and c' a cofactor. | |||
* The cofactor c' of the twist MUST BE EQUAL to or an integer | * The cofactor c of the curve MUST BE EQUAL to or an integer | |||
multiple of the cofactor c of the curve. | multiple of the cofactor c' of the curve's quadratic twist. Also, | |||
importantly, the implementation of the scalar_mult and | ||||
scalar_mult_vfy functions must ensure that all scalars actually | ||||
used for the group operation are integer multiples of c (e.g. such | ||||
as asserted by the specification of the decodeScalar functions in | ||||
[RFC7748]). | ||||
* Both field order q and group order p MUST BE close to a power of | * Both field order q and group order p MUST BE close to a power of | |||
two along the lines of [AHH21], Appendix E. | two along the lines of [AHH21], Appendix E. Otherwise the | |||
simplified scalar sampling specified in Section 7.2 needs to be | ||||
changed. | ||||
* The representation of the neutral element G.I MUST BE the same for | * The representation of the neutral element G.I MUST BE the same for | |||
both, the curve and its twist. | both, the curve and its twist. | |||
* The implementation of G.scalar_mult_vfy(y,X) MUST map all c low- | * The implementation of G.scalar_mult_vfy(y,X) MUST map all c low- | |||
order points on the curve and all c' low-order points on the twist | order points on the curve and all c' low-order points on the twist | |||
to G.I. | to G.I. | |||
Montgomery curves other than the ones recommended here can use the | Algorithms for curves other than the ones recommended here can be | |||
specifications given in Section 7.2, given that the above properties | based on the principles from Section 7.2 given that the above | |||
hold. | properties hold. | |||
9.7. Nonce values | 9.7. Nonce values | |||
Secret scalars ya and yb MUST NOT be reused. Values for sid SHOULD | Secret scalars ya and yb MUST NOT be reused. Values for sid SHOULD | |||
NOT be reused since the composability guarantees established by the | NOT be reused since the composability guarantees established by the | |||
simulation-based proof rely on the uniqueness of session ids [AHH21]. | simulation-based proof rely on the uniqueness of session ids [AHH21]. | |||
If CPace is used in a concurrent system, it is RECOMMENDED that a | If CPace is used in a concurrent system, it is RECOMMENDED that a | |||
unique sid is generated by the higher-level protocol and passed to | unique sid is generated by the higher-level protocol and passed to | |||
CPace. One suitable option is that sid is generated by concatenating | CPace. One suitable option is that sid is generated by concatenating | |||
ephemeral random strings contributed by both parties. | ephemeral random strings contributed by both parties. | |||
9.8. Side channel attacks | 9.8. Side channel attacks | |||
All state-of-the art methods for realizing constant-time execution | All state-of-the art methods for realizing constant-time execution | |||
SHOULD be used. In case that side channel attacks are to be | SHOULD be used. Special care is RECOMMENDED specifically for | |||
considered practical for a given application, it is RECOMMENDED to | elliptic curves in Short-Weierstrass form as important standard | |||
pay special attention on computing the secret generator | documents including [IEEE1363] describe curve operations with non- | |||
G.calculate_generator(PRS,CI,sid). The most critical substep to | constant-time algorithms. | |||
consider might be the processing of the first block of the hash that | ||||
includes the PRS string. The zero-padding introduced when hashing | In case that side channel attacks are to be considered practical for | |||
the sensitive PRS string can be expected to make the task for a side- | a given application, it is RECOMMENDED to pay special attention on | |||
channel attack somewhat more complex. Still this feature alone is | computing the secret generator G.calculate_generator(PRS,CI,sid). | |||
not sufficient for ruling out power analysis attacks. | The most critical substep to consider might be the processing of the | |||
first block of the hash that includes the PRS string. The zero- | ||||
padding introduced when hashing the sensitive PRS string can be | ||||
expected to make the task for a side-channel attack somewhat more | ||||
complex. Still this feature alone is not sufficient for ruling out | ||||
power analysis attacks. | ||||
Even though the calculate_generator operation might be considered to | ||||
form the primary target for side-channel attacks as information on | ||||
long-term secrets might be exposed, also the subsequent operations on | ||||
ephemeral values, such as scalar sampling and scalar multiplication | ||||
should be protected from side-channels. | ||||
9.9. Quantum computers | 9.9. Quantum computers | |||
CPace is proven secure under the hardness of the strong computational | CPace is proven secure under the hardness of the strong computational | |||
Simultaneous Diffie-Hellmann (sSDH) and strong computational Diffie- | Simultaneous Diffie-Hellmann (sSDH) and strong computational Diffie- | |||
Hellmann (sCDH) assumptions in the group G (as defined in [AHH21]). | Hellmann (sCDH) assumptions in the group G (as defined in [AHH21]). | |||
These assumptions are not expected to hold any longer when large- | These assumptions are not expected to hold any longer when large- | |||
scale quantum computers (LSQC) are available. Still, even in case | scale quantum computers (LSQC) are available. Still, even in case | |||
that LSQC emerge, it is reasonable to assume that discrete-logarithm | that LSQC emerge, it is reasonable to assume that discrete-logarithm | |||
computations will remain costly. CPace with ephemeral session id | computations will remain costly. CPace with ephemeral session id | |||
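Review bot: the divisibility condition in the second bullet of Section 9.6 is reversed relative to draft-10: draft-10 required the twist cofactor c' to be equal to or a multiple of the curve cofactor c, while draft-11 requires the curve cofactor c to be equal to or a multiple of the twist cofactor c'. The draft-11 direction is the one the recommended curves actually satisfy (Curve25519 has c = 8 and twist cofactor c' = 4; Curve448 has c = c' = 4), so this reads as a correction, and a short sentence saying so would help implementers comparing the two versions; the added requirement that all scalars be multiples of c (as decodeScalar in [RFC7748] ensures) is the piece that makes the low-order points collapse to G.I as the last bullet demands. Remaining typos in this hunk: "begnin" in Section 9.5 should be "benign" (draft-10 had "begning"), "allong" should be "along", "reduce both, complexity" should drop the comma, and "pay special attention on" in Section 9.8 should be "pay special attention to".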
skipping to change at page 26, line 43 ¶ | skipping to change at page 28, line 7 ¶ | |||
[I-D.draft-irtf-cfrg-ristretto255-decaf448] | [I-D.draft-irtf-cfrg-ristretto255-decaf448] | |||
de Valence, H., Grigg, J., Hamburg, M., Lovecruft, I., | de Valence, H., Grigg, J., Hamburg, M., Lovecruft, I., | |||
Tankersley, G., and F. Valsorda, "The ristretto255 and | Tankersley, G., and F. Valsorda, "The ristretto255 and | |||
decaf448 Groups", Work in Progress, Internet-Draft, draft- | decaf448 Groups", Work in Progress, Internet-Draft, draft- | |||
irtf-cfrg-ristretto255-decaf448-08, 5 September 2023, | irtf-cfrg-ristretto255-decaf448-08, 5 September 2023, | |||
<https://datatracker.ietf.org/doc/html/draft-irtf-cfrg- | <https://datatracker.ietf.org/doc/html/draft-irtf-cfrg- | |||
ristretto255-decaf448-08>. | ristretto255-decaf448-08>. | |||
[I-D.irtf-cfrg-opaque] | [I-D.irtf-cfrg-opaque] | |||
Bourdrez, D., Krawczyk, H., Lewi, K., and C. A. Wood, "The | Bourdrez, D., Krawczyk, H., Lewi, K., and C. A. Wood, "The | |||
OPAQUE Asymmetric PAKE Protocol", Work in Progress, | OPAQUE Augmented PAKE Protocol", Work in Progress, | |||
Internet-Draft, draft-irtf-cfrg-opaque-11, 8 June 2023, | Internet-Draft, draft-irtf-cfrg-opaque-14, 24 March 2024, | |||
<https://datatracker.ietf.org/doc/html/draft-irtf-cfrg- | <https://datatracker.ietf.org/doc/html/draft-irtf-cfrg- | |||
opaque-11>. | opaque-14>. | |||
[IEEE1363] "Standard Specifications for Public Key Cryptography, IEEE | [IEEE1363] "Standard Specifications for Public Key Cryptography, IEEE | |||
1363", 2000. | 1363", 2000. | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<https://www.rfc-editor.org/rfc/rfc2119>. | <https://www.rfc-editor.org/rfc/rfc2119>. | |||
[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves | [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves | |||
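Review bot: the OPAQUE reference was refreshed to draft-irtf-cfrg-opaque-14 (24 March 2024) with its current title, but the ristretto255/decaf448 reference still points at draft -08 of 5 September 2023; for a revision dated 27 March 2024 it is worth checking whether that document has since advanced and updating the citation in the same pass.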
skipping to change at page 31, line 20 ¶ | skipping to change at page 32, line 20 ¶ | |||
return True; | return True; | |||
elif bytes1[m] < bytes2[m]: | elif bytes1[m] < bytes2[m]: | |||
return False; | return False; | |||
return len(bytes1) > len(bytes2) | return len(bytes1) > len(bytes2) | |||
A.3.2. Definitions for ordered concatenation | A.3.2. Definitions for ordered concatenation | |||
With the above definition of lexiographical ordering ordered | With the above definition of lexiographical ordering ordered | |||
concatenation is specified as follows. | concatenation is specified as follows. | |||
def oCAT(bytes1,bytes2): | def o_cat(bytes1,bytes2): | |||
if lexiographically_larger(bytes1,bytes2): | if lexiographically_larger(bytes1,bytes2): | |||
return bytes1 + bytes2 | return b"oc" + bytes1 + bytes2 | |||
else: | else: | |||
return bytes2 + bytes1 | return b"oc" + bytes2 + bytes1 | |||
A.3.3. Test vectors ordered concatenation | A.3.3. Test vectors ordered concatenation | |||
string comparison for oCAT: | string comparison for o_cat: | |||
lexiographically_larger(b"\0", b"\0\0") == False | lexiographically_larger(b"\0", b"\0\0") == False | |||
lexiographically_larger(b"\1", b"\0\0") == True | lexiographically_larger(b"\1", b"\0\0") == True | |||
lexiographically_larger(b"\0\0", b"\0") == True | lexiographically_larger(b"\0\0", b"\0") == True | |||
lexiographically_larger(b"\0\0", b"\1") == False | lexiographically_larger(b"\0\0", b"\1") == False | |||
lexiographically_larger(b"\0\1", b"\1") == False | lexiographically_larger(b"\0\1", b"\1") == False | |||
lexiographically_larger(b"ABCD", b"BCD") == False | lexiographically_larger(b"ABCD", b"BCD") == False | |||
oCAT(b"ABCD",b"BCD"): (length: 7 bytes) | o_cat(b"ABCD",b"BCD"): (length: 9 bytes) | |||
42434441424344 | 6f6342434441424344 | |||
oCAT(b"BCD",b"ABCDE"): (length: 8 bytes) | o_cat(b"BCD",b"ABCDE"): (length: 10 bytes) | |||
4243444142434445 | 6f634243444142434445 | |||
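The A.3 helpers and their test vectors above, as an added example that is not code from the draft: a Python 3 reimplementation of lexiographically_larger (name kept exactly as on the page so the vectors read across), o_cat with the b"oc" prefix introduced in draft-11, and lv_cat, plus the strict lv_cat decoder that Section 8 asks implementations to be tested against. Two assumptions are this example's own: lv_cat uses a one-byte length prefix, which holds for every field in the B.1 vectors (all are shorter than 128 bytes) since the draft's general prepend_len encoding is not shown on this page, and the hash H of the CPace255 suite is SHA-512. The transcript inputs are the B.1 values from the draft-11 column.

```python
"""Added example, not code from the draft: Appendix A.3 helpers in Python 3,
checked against the B.1 test vectors of this page (draft-11 column).
Assumptions: one-byte length prefix in lv_cat; H = SHA-512 for CPace255."""
import hashlib


def lexiographically_larger(bytes1: bytes, bytes2: bytes) -> bool:
    """A.3.1 comparison; spelling of the name kept as on the page."""
    for a, b in zip(bytes1, bytes2):
        if a > b:
            return True
        if a < b:
            return False
    # Equal common prefix: the longer string is the larger one.
    return len(bytes1) > len(bytes2)


def o_cat(bytes1: bytes, bytes2: bytes) -> bytes:
    """Ordered concatenation with the b"oc" prefix of draft-11."""
    if lexiographically_larger(bytes1, bytes2):
        return b"oc" + bytes1 + bytes2
    return b"oc" + bytes2 + bytes1


def prepend_len(data: bytes) -> bytes:
    # Assumption: one-byte length; sufficient for every B.1 field.
    if len(data) >= 128:
        raise ValueError("example supports fields shorter than 128 bytes only")
    return bytes([len(data)]) + data


def lv_cat(*fields: bytes) -> bytes:
    return b"".join(prepend_len(f) for f in fields)


def lv_split(msg: bytes, n_fields: int) -> list:
    """Strict decoder for the Section 8 check: the prepended lengths must
    account for exactly the whole message, otherwise the receiver aborts."""
    fields, pos = [], 0
    for _ in range(n_fields):
        if pos >= len(msg):
            raise ValueError("truncated message")
        n = msg[pos]
        pos += 1
        if n >= 128:
            raise ValueError("length prefix outside supported range")
        if pos + n > len(msg):
            raise ValueError("field length exceeds message")
        fields.append(msg[pos:pos + n])
        pos += n
    if pos != len(msg):
        raise ValueError("trailing bytes after last field")
    return fields


def message_is_well_formed(msg: bytes) -> bool:
    """Accept MSGa/MSGb only if the two length prefixes add up exactly."""
    try:
        lv_split(msg, 2)
        return True
    except ValueError:
        return False


# B.1 test-vector inputs copied from the page (draft-11 column).
Ya = bytes.fromhex("f970e36f37cfcd9a39e37dd2d1fbc9156d6d2f9ae422f4722cbd9d32e9b1e704")
Yb = bytes.fromhex("0178bbbab0804a4455b8f02e5d6e7d80997c6470bfb3618d7e74c39647af5a29")
ADa, ADb = b"ADa", b"ADb"
DSI = b"CPace255_ISK"
sid = bytes.fromhex("7e4b4791d6a8ef019b936c79fb7f2c57")
K = bytes.fromhex("42ba4c6dc4c184a1cf405d4503f64bf7f015e2a0107450e38b9efff3bee52412")


def hash_inputs() -> dict:
    """MSGa, MSGb and the two ISK hash inputs of B.1.5 (ir) and B.1.6 (sy)."""
    MSGa = lv_cat(Ya, ADa)
    MSGb = lv_cat(Yb, ADb)
    prefix = lv_cat(DSI, sid, K)
    return {
        "MSGa": MSGa,
        "MSGb": MSGb,
        "ir": prefix + MSGa + MSGb,        # initiator/responder: unordered
        "sy": prefix + o_cat(MSGa, MSGb),  # parallel: ordered, "oc"-prefixed
    }


def isk(hash_input: bytes) -> bytes:
    # ISK = H.hash(lv_cat(DSI, sid, K) || transcript); H assumed SHA-512.
    return hashlib.sha512(hash_input).digest()
```

Running hash_inputs() reproduces the 74/76-byte transcripts and the 137/139-byte hash inputs of B.1.5 and B.1.6 byte for byte; the two-byte difference is exactly the "oc" prefix, and the ordering itself puts MSGa first because its second byte (0xf9) exceeds that of MSGb (0x01). message_is_well_formed() rejects a message with a trailing byte, a truncated message, and one whose first length prefix was inflated, which are the malformed encodings Section 8 requires tests for.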
A.4. Decoding and Encoding functions according to RFC7748 | A.4. Decoding and Encoding functions according to RFC7748 | |||
def decodeLittleEndian(b, bits): | def decodeLittleEndian(b, bits): | |||
return sum([b[i] << 8*i for i in range((bits+7)/8)]) | return sum([b[i] << 8*i for i in range((bits+7)/8)]) | |||
def decodeUCoordinate(u, bits): | def decodeUCoordinate(u, bits): | |||
u_list = [ord(b) for b in u] | u_list = [ord(b) for b in u] | |||
# Ignore any unused bits. | # Ignore any unused bits. | |||
if bits % 8: | if bits % 8: | |||
u_list[-1] &= (1<<(bits%8))-1 | u_list[-1] &= (1<<(bits%8))-1 | |||
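Review bot: the RFC 7748 helper code in A.4 is Python 2 as copied and does not run under Python 3 in either column: `range((bits+7)/8)` produces a float (use `//`), and `[ord(b) for b in u]` fails on a bytes object because iterating bytes already yields ints (use `list(u)`). Since A.3.2 now uses a Python 3 bytes literal (`b"oc"`), the appendix mixes dialects; suggest `range((bits+7)//8)` and `u_list = list(u)`. Separately, "lexiographical"/"lexiographically_larger" is misspelled ("lexicographical") in the heading, prose and function name; because the name appears in the A.3.3 vectors, renaming it needs to be done consistently or the current spelling noted as deliberate.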
skipping to change at page 34, line 7 ¶ | skipping to change at page 35, line 7 ¶ | |||
10047198e8c4cacf0ab8a6d0ac337b8ae497209d042f7f3a50945863 | 10047198e8c4cacf0ab8a6d0ac337b8ae497209d042f7f3a50945863 | |||
94e8217c | 94e8217c | |||
generator g: (length: 32 bytes) | generator g: (length: 32 bytes) | |||
4e6098733061c0e8486611a904fe5edb049804d26130a44131a6229e | 4e6098733061c0e8486611a904fe5edb049804d26130a44131a6229e | |||
55c5c321 | 55c5c321 | |||
B.1.2. Test vector for MSGa | B.1.2. Test vector for MSGa | |||
Inputs | Inputs | |||
ADa = b'ADa' | ADa = b'ADa' | |||
ya (little endian): (length: 32 bytes) | ya (little endian): (length: 32 bytes) | |||
45acf93116ae5d3dae995a7c627df2924321a8e857d9a200807131e3 | 21b4f4bd9e64ed355c3eb676a28ebedaf6d8f17bdc365995b3190971 | |||
8839b0c2 | 53044080 | |||
Outputs | Outputs | |||
Ya: (length: 32 bytes) | Ya: (length: 32 bytes) | |||
6f7fd31863b18b0cc9830fc842c60dea80120ccf2fd375498225e45a | f970e36f37cfcd9a39e37dd2d1fbc9156d6d2f9ae422f4722cbd9d32 | |||
52065361 | e9b1e704 | |||
MSGa = lv_cat(Ya,ADa): (length: 37 bytes) | MSGa = lv_cat(Ya,ADa): (length: 37 bytes) | |||
206f7fd31863b18b0cc9830fc842c60dea80120ccf2fd375498225e4 | 20f970e36f37cfcd9a39e37dd2d1fbc9156d6d2f9ae422f4722cbd9d | |||
5a5206536103414461 | 32e9b1e70403414461 | |||
B.1.3. Test vector for MSGb | B.1.3. Test vector for MSGb | |||
Inputs | Inputs | |||
ADb = b'ADb' | ADb = b'ADb' | |||
yb (little endian): (length: 32 bytes) | yb (little endian): (length: 32 bytes) | |||
a145e914b347002d298ce2051394f0ed68cf3623dfe5db082c78ffa5 | 848b0779ff415f0af4ea14df9dd1d3c29ac41d836c7808896c4eba19 | |||
a667acdc | c51ac40a | |||
Outputs | Outputs | |||
Yb: (length: 32 bytes) | Yb: (length: 32 bytes) | |||
e1b730a4956c0f853d96c5d125cebeeea46952c07c6f66da65bd9ffd | 0178bbbab0804a4455b8f02e5d6e7d80997c6470bfb3618d7e74c396 | |||
2f71a462 | 47af5a29 | |||
MSGb = lv_cat(Yb,ADb): (length: 37 bytes) | MSGb = lv_cat(Yb,ADb): (length: 37 bytes) | |||
20e1b730a4956c0f853d96c5d125cebeeea46952c07c6f66da65bd9f | 200178bbbab0804a4455b8f02e5d6e7d80997c6470bfb3618d7e74c3 | |||
fd2f71a46203414462 | 9647af5a2903414462 | |||
B.1.4. Test vector for secret points K | B.1.4. Test vector for secret points K | |||
scalar_mult_vfy(ya,Yb): (length: 32 bytes) | scalar_mult_vfy(ya,Yb): (length: 32 bytes) | |||
2a905bc5f0b93ee72ac4b6ea8723520941adfc892935bf6f86d9e199 | 42ba4c6dc4c184a1cf405d4503f64bf7f015e2a0107450e38b9efff3 | |||
befa6024 | bee52412 | |||
scalar_mult_vfy(yb,Ya): (length: 32 bytes) | scalar_mult_vfy(yb,Ya): (length: 32 bytes) | |||
2a905bc5f0b93ee72ac4b6ea8723520941adfc892935bf6f86d9e199 | 42ba4c6dc4c184a1cf405d4503f64bf7f015e2a0107450e38b9efff3 | |||
befa6024 | bee52412 | |||
B.1.5. Test vector for ISK calculation initiator/responder | B.1.5. Test vector for ISK calculation initiator/responder | |||
unordered cat of transcript : (length: 74 bytes) | unordered cat of transcript : (length: 74 bytes) | |||
206f7fd31863b18b0cc9830fc842c60dea80120ccf2fd375498225e4 | 20f970e36f37cfcd9a39e37dd2d1fbc9156d6d2f9ae422f4722cbd9d | |||
5a520653610341446120e1b730a4956c0f853d96c5d125cebeeea469 | 32e9b1e70403414461200178bbbab0804a4455b8f02e5d6e7d80997c | |||
52c07c6f66da65bd9ffd2f71a46203414462 | 6470bfb3618d7e74c39647af5a2903414462 | |||
DSI = G.DSI_ISK, b'CPace255_ISK': (length: 12 bytes) | DSI = G.DSI_ISK, b'CPace255_ISK': (length: 12 bytes) | |||
43506163653235355f49534b | 43506163653235355f49534b | |||
lv_cat(DSI,sid,K)||MSGa||MSGb: (length: 137 bytes) | lv_cat(DSI,sid,K)||MSGa||MSGb: (length: 137 bytes) | |||
0c43506163653235355f49534b107e4b4791d6a8ef019b936c79fb7f | 0c43506163653235355f49534b107e4b4791d6a8ef019b936c79fb7f | |||
2c57202a905bc5f0b93ee72ac4b6ea8723520941adfc892935bf6f86 | 2c572042ba4c6dc4c184a1cf405d4503f64bf7f015e2a0107450e38b | |||
d9e199befa6024206f7fd31863b18b0cc9830fc842c60dea80120ccf | 9efff3bee5241220f970e36f37cfcd9a39e37dd2d1fbc9156d6d2f9a | |||
2fd375498225e45a520653610341446120e1b730a4956c0f853d96c5 | e422f4722cbd9d32e9b1e70403414461200178bbbab0804a4455b8f0 | |||
d125cebeeea46952c07c6f66da65bd9ffd2f71a46203414462 | 2e5d6e7d80997c6470bfb3618d7e74c39647af5a2903414462 | |||
ISK result: (length: 64 bytes) | ISK result: (length: 64 bytes) | |||
99a9e0ff35acb94ad8af1cd6b32ac409dc7d00557ccd9a7d19d3b462 | f5ef3c13fdb9dfe839bdbf8a9256e8cee7db8a8f1dfa74958a925450 | |||
9e5f1f084f9332096162438c7ecc78331b4eda17e1a229a47182eccc | cf8089cd560d9a4e7956b7334b6f625c8559b75ea0764ac2be894b8f | |||
9ea58cd9cdcd8e9a | 3d434b30e87797d5 | |||
B.1.6. Test vector for ISK calculation parallel execution | B.1.6. Test vector for ISK calculation parallel execution | |||
ordered cat of transcript : (length: 74 bytes) | ordered cat of transcript : (length: 76 bytes) | |||
20e1b730a4956c0f853d96c5d125cebeeea46952c07c6f66da65bd9f | 6f6320f970e36f37cfcd9a39e37dd2d1fbc9156d6d2f9ae422f4722c | |||
fd2f71a46203414462206f7fd31863b18b0cc9830fc842c60dea8012 | bd9d32e9b1e70403414461200178bbbab0804a4455b8f02e5d6e7d80 | |||
0ccf2fd375498225e45a5206536103414461 | 997c6470bfb3618d7e74c39647af5a2903414462 | |||
DSI = G.DSI_ISK, b'CPace255_ISK': (length: 12 bytes) | DSI = G.DSI_ISK, b'CPace255_ISK': (length: 12 bytes) | |||
43506163653235355f49534b | 43506163653235355f49534b | |||
lv_cat(DSI,sid,K)||oCAT(MSGa,MSGb): (length: 137 bytes) | lv_cat(DSI,sid,K)||o_cat(MSGa,MSGb): (length: 139 bytes) | |||
0c43506163653235355f49534b107e4b4791d6a8ef019b936c79fb7f | 0c43506163653235355f49534b107e4b4791d6a8ef019b936c79fb7f | |||
2c57202a905bc5f0b93ee72ac4b6ea8723520941adfc892935bf6f86 | 2c572042ba4c6dc4c184a1cf405d4503f64bf7f015e2a0107450e38b | |||
d9e199befa602420e1b730a4956c0f853d96c5d125cebeeea46952c0 | 9efff3bee524126f6320f970e36f37cfcd9a39e37dd2d1fbc9156d6d | |||
7c6f66da65bd9ffd2f71a46203414462206f7fd31863b18b0cc9830f | 2f9ae422f4722cbd9d32e9b1e70403414461200178bbbab0804a4455 | |||
c842c60dea80120ccf2fd375498225e45a5206536103414461 | b8f02e5d6e7d80997c6470bfb3618d7e74c39647af5a2903414462 | |||
ISK result: (length: 64 bytes) | ISK result: (length: 64 bytes) | |||
3cd6a9670fa3ff211d829b845baa0f5ba9ad580c3ba0ee790bd0e9cd | f4051edc63b2620e10d5ecf76d9f0c5ccd1447858a98d4bf847fafac | |||
556290a8ffce44419fbf94e4cb8e7fe9f454fd25dc13e689e4d6ab0a | 737478c1350e14619bc0fcd4f028d10e4102dfca39f91fe9b829a503 | |||
c2211c70a8ac0062 | ab3e0549bd835edf | |||
B.1.7. Corresponding ANSI-C initializers | B.1.7. Corresponding C programming language initializers | |||
const uint8_t tc_PRS[] = { | const unsigned char tc_PRS[] = { | |||
0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, | 0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, | |||
}; | }; | |||
const uint8_t tc_CI[] = { | const unsigned char tc_CI[] = { | |||
0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a, | 0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a, | |||
0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72, | 0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72, | |||
}; | }; | |||
const uint8_t tc_sid[] = { | const unsigned char tc_sid[] = { | |||
0x7e,0x4b,0x47,0x91,0xd6,0xa8,0xef,0x01,0x9b,0x93,0x6c,0x79, | 0x7e,0x4b,0x47,0x91,0xd6,0xa8,0xef,0x01,0x9b,0x93,0x6c,0x79, | |||
0xfb,0x7f,0x2c,0x57, | 0xfb,0x7f,0x2c,0x57, | |||
}; | }; | |||
const uint8_t tc_g[] = { | const unsigned char tc_g[] = { | |||
0x4e,0x60,0x98,0x73,0x30,0x61,0xc0,0xe8,0x48,0x66,0x11,0xa9, | 0x4e,0x60,0x98,0x73,0x30,0x61,0xc0,0xe8,0x48,0x66,0x11,0xa9, | |||
0x04,0xfe,0x5e,0xdb,0x04,0x98,0x04,0xd2,0x61,0x30,0xa4,0x41, | 0x04,0xfe,0x5e,0xdb,0x04,0x98,0x04,0xd2,0x61,0x30,0xa4,0x41, | |||
0x31,0xa6,0x22,0x9e,0x55,0xc5,0xc3,0x21, | 0x31,0xa6,0x22,0x9e,0x55,0xc5,0xc3,0x21, | |||
}; | }; | |||
const uint8_t tc_ya[] = { | const unsigned char tc_ya[] = { | |||
0x45,0xac,0xf9,0x31,0x16,0xae,0x5d,0x3d,0xae,0x99,0x5a,0x7c, | 0x21,0xb4,0xf4,0xbd,0x9e,0x64,0xed,0x35,0x5c,0x3e,0xb6,0x76, | |||
0x62,0x7d,0xf2,0x92,0x43,0x21,0xa8,0xe8,0x57,0xd9,0xa2,0x00, | 0xa2,0x8e,0xbe,0xda,0xf6,0xd8,0xf1,0x7b,0xdc,0x36,0x59,0x95, | |||
0x80,0x71,0x31,0xe3,0x88,0x39,0xb0,0xc2, | 0xb3,0x19,0x09,0x71,0x53,0x04,0x40,0x80, | |||
}; | }; | |||
const uint8_t tc_ADa[] = { | const unsigned char tc_ADa[] = { | |||
0x41,0x44,0x61, | 0x41,0x44,0x61, | |||
}; | }; | |||
const uint8_t tc_Ya[] = { | const unsigned char tc_Ya[] = { | |||
0x6f,0x7f,0xd3,0x18,0x63,0xb1,0x8b,0x0c,0xc9,0x83,0x0f,0xc8, | 0xf9,0x70,0xe3,0x6f,0x37,0xcf,0xcd,0x9a,0x39,0xe3,0x7d,0xd2, | |||
0x42,0xc6,0x0d,0xea,0x80,0x12,0x0c,0xcf,0x2f,0xd3,0x75,0x49, | 0xd1,0xfb,0xc9,0x15,0x6d,0x6d,0x2f,0x9a,0xe4,0x22,0xf4,0x72, | |||
0x82,0x25,0xe4,0x5a,0x52,0x06,0x53,0x61, | 0x2c,0xbd,0x9d,0x32,0xe9,0xb1,0xe7,0x04, | |||
}; | }; | |||
const uint8_t tc_yb[] = { | const unsigned char tc_yb[] = { | |||
0xa1,0x45,0xe9,0x14,0xb3,0x47,0x00,0x2d,0x29,0x8c,0xe2,0x05, | 0x84,0x8b,0x07,0x79,0xff,0x41,0x5f,0x0a,0xf4,0xea,0x14,0xdf, | |||
0x13,0x94,0xf0,0xed,0x68,0xcf,0x36,0x23,0xdf,0xe5,0xdb,0x08, | 0x9d,0xd1,0xd3,0xc2,0x9a,0xc4,0x1d,0x83,0x6c,0x78,0x08,0x89, | |||
0x2c,0x78,0xff,0xa5,0xa6,0x67,0xac,0xdc, | 0x6c,0x4e,0xba,0x19,0xc5,0x1a,0xc4,0x0a, | |||
}; | }; | |||
const uint8_t tc_ADb[] = { | const unsigned char tc_ADb[] = { | |||
0x41,0x44,0x62, | 0x41,0x44,0x62, | |||
}; | }; | |||
const uint8_t tc_Yb[] = { | const unsigned char tc_Yb[] = { | |||
0xe1,0xb7,0x30,0xa4,0x95,0x6c,0x0f,0x85,0x3d,0x96,0xc5,0xd1, | 0x01,0x78,0xbb,0xba,0xb0,0x80,0x4a,0x44,0x55,0xb8,0xf0,0x2e, | |||
0x25,0xce,0xbe,0xee,0xa4,0x69,0x52,0xc0,0x7c,0x6f,0x66,0xda, | 0x5d,0x6e,0x7d,0x80,0x99,0x7c,0x64,0x70,0xbf,0xb3,0x61,0x8d, | |||
0x65,0xbd,0x9f,0xfd,0x2f,0x71,0xa4,0x62, | 0x7e,0x74,0xc3,0x96,0x47,0xaf,0x5a,0x29, | |||
}; | }; | |||
const uint8_t tc_K[] = { | const unsigned char tc_K[] = { | |||
0x2a,0x90,0x5b,0xc5,0xf0,0xb9,0x3e,0xe7,0x2a,0xc4,0xb6,0xea, | 0x42,0xba,0x4c,0x6d,0xc4,0xc1,0x84,0xa1,0xcf,0x40,0x5d,0x45, | |||
0x87,0x23,0x52,0x09,0x41,0xad,0xfc,0x89,0x29,0x35,0xbf,0x6f, | 0x03,0xf6,0x4b,0xf7,0xf0,0x15,0xe2,0xa0,0x10,0x74,0x50,0xe3, | |||
0x86,0xd9,0xe1,0x99,0xbe,0xfa,0x60,0x24, | 0x8b,0x9e,0xff,0xf3,0xbe,0xe5,0x24,0x12, | |||
}; | }; | |||
const uint8_t tc_ISK_IR[] = { | const unsigned char tc_ISK_IR[] = { | |||
0x99,0xa9,0xe0,0xff,0x35,0xac,0xb9,0x4a,0xd8,0xaf,0x1c,0xd6, | 0xf5,0xef,0x3c,0x13,0xfd,0xb9,0xdf,0xe8,0x39,0xbd,0xbf,0x8a, | |||
0xb3,0x2a,0xc4,0x09,0xdc,0x7d,0x00,0x55,0x7c,0xcd,0x9a,0x7d, | 0x92,0x56,0xe8,0xce,0xe7,0xdb,0x8a,0x8f,0x1d,0xfa,0x74,0x95, | |||
0x19,0xd3,0xb4,0x62,0x9e,0x5f,0x1f,0x08,0x4f,0x93,0x32,0x09, | 0x8a,0x92,0x54,0x50,0xcf,0x80,0x89,0xcd,0x56,0x0d,0x9a,0x4e, | |||
0x61,0x62,0x43,0x8c,0x7e,0xcc,0x78,0x33,0x1b,0x4e,0xda,0x17, | 0x79,0x56,0xb7,0x33,0x4b,0x6f,0x62,0x5c,0x85,0x59,0xb7,0x5e, | |||
0xe1,0xa2,0x29,0xa4,0x71,0x82,0xec,0xcc,0x9e,0xa5,0x8c,0xd9, | 0xa0,0x76,0x4a,0xc2,0xbe,0x89,0x4b,0x8f,0x3d,0x43,0x4b,0x30, | |||
0xcd,0xcd,0x8e,0x9a, | 0xe8,0x77,0x97,0xd5, | |||
}; | }; | |||
const uint8_t tc_ISK_SY[] = { | const unsigned char tc_ISK_SY[] = { | |||
0x3c,0xd6,0xa9,0x67,0x0f,0xa3,0xff,0x21,0x1d,0x82,0x9b,0x84, | 0xf4,0x05,0x1e,0xdc,0x63,0xb2,0x62,0x0e,0x10,0xd5,0xec,0xf7, | |||
0x5b,0xaa,0x0f,0x5b,0xa9,0xad,0x58,0x0c,0x3b,0xa0,0xee,0x79, | 0x6d,0x9f,0x0c,0x5c,0xcd,0x14,0x47,0x85,0x8a,0x98,0xd4,0xbf, | |||
0x0b,0xd0,0xe9,0xcd,0x55,0x62,0x90,0xa8,0xff,0xce,0x44,0x41, | 0x84,0x7f,0xaf,0xac,0x73,0x74,0x78,0xc1,0x35,0x0e,0x14,0x61, | |||
0x9f,0xbf,0x94,0xe4,0xcb,0x8e,0x7f,0xe9,0xf4,0x54,0xfd,0x25, | 0x9b,0xc0,0xfc,0xd4,0xf0,0x28,0xd1,0x0e,0x41,0x02,0xdf,0xca, | |||
0xdc,0x13,0xe6,0x89,0xe4,0xd6,0xab,0x0a,0xc2,0x21,0x1c,0x70, | 0x39,0xf9,0x1f,0xe9,0xb8,0x29,0xa5,0x03,0xab,0x3e,0x05,0x49, | |||
0xa8,0xac,0x00,0x62, | 0xbd,0x83,0x5e,0xdf, | |||
}; | }; | |||
B.1.8. Test vectors for G_X25519.scalar_mult_vfy: low order points | B.1.8. Test vectors for G_X25519.scalar_mult_vfy: low order points | |||
Test vectors for which G_X25519.scalar_mult_vfy(s_in,ux) must return | Test vectors for which G_X25519.scalar_mult_vfy(s_in,ux) must return | |||
the neutral element, or would return the neutral element if bit #255 | the neutral element, or would return the neutral element if bit #255 | |||
of the field element representation were not correctly cleared. (The | of the field element representation were not correctly cleared. (The | |||
decodeUCoordinate function from RFC7748 mandates clearing bit #255 | decodeUCoordinate function from RFC7748 mandates clearing bit #255 | |||
of field element representations used as input to the X25519 function.) | of field element representations used as input to the X25519 function.) | |||
skipping to change at page 40, line 7 ¶ | skipping to change at page 41, line 7 ¶ | |||
a58ce4b5034144613853c519fb490fde5a04bda8c18b327d0fc1a939 | a58ce4b5034144613853c519fb490fde5a04bda8c18b327d0fc1a939 | |||
1d19e0ac00c59df9c60422284e593d6b092eac94f5aa644ed883f39b | 1d19e0ac00c59df9c60422284e593d6b092eac94f5aa644ed883f39b | |||
d4f04e4beb6af86d5803414462 | d4f04e4beb6af86d5803414462 | |||
ISK result: (length: 64 bytes) | ISK result: (length: 64 bytes) | |||
4030297722c1914711da6b2a224a44b53b30c05ab02c2a3d3ccc7272 | 4030297722c1914711da6b2a224a44b53b30c05ab02c2a3d3ccc7272 | |||
a3333ce3a4564c17031b634e89f65681f52d5c3d1df7baeb88523d2e | a3333ce3a4564c17031b634e89f65681f52d5c3d1df7baeb88523d2e | |||
481b3858aed86315 | 481b3858aed86315 | |||
B.2.6. Test vector for ISK calculation parallel execution | B.2.6. Test vector for ISK calculation parallel execution | |||
ordered cat of transcript : (length: 122 bytes) | ordered cat of transcript : (length: 124 bytes) | |||
3853c519fb490fde5a04bda8c18b327d0fc1a9391d19e0ac00c59df9 | 6f633853c519fb490fde5a04bda8c18b327d0fc1a9391d19e0ac00c5 | |||
c60422284e593d6b092eac94f5aa644ed883f39bd4f04e4beb6af86d | 9df9c60422284e593d6b092eac94f5aa644ed883f39bd4f04e4beb6a | |||
580341446238396bd11daf223711e575cac6021e3fa31558012048a1 | f86d580341446238396bd11daf223711e575cac6021e3fa315580120 | |||
cec7876292b96c61eda353fe04f33028d2352779668a934084da776c | 48a1cec7876292b96c61eda353fe04f33028d2352779668a934084da | |||
1c51a58ce4b503414461 | 776c1c51a58ce4b503414461 | |||
DSI = G.DSI_ISK, b'CPace448_ISK': (length: 12 bytes) | DSI = G.DSI_ISK, b'CPace448_ISK': (length: 12 bytes) | |||
43506163653434385f49534b | 43506163653434385f49534b | |||
lv_cat(DSI,sid,K)||oCAT(MSGa,MSGb): (length: 209 bytes) | lv_cat(DSI,sid,K)||o_cat(MSGa,MSGb): (length: 211 bytes) | |||
0c43506163653434385f49534b105223e0cdc45d6575668d64c55200 | 0c43506163653434385f49534b105223e0cdc45d6575668d64c55200 | |||
412438e00af217556a40ccbc9822cc27a43542e45166a653aa4df746 | 412438e00af217556a40ccbc9822cc27a43542e45166a653aa4df746 | |||
d5f8e1e8df483e9baff71c9eb03ee20a688ad4e4d359f70ac9ec3f6a | d5f8e1e8df483e9baff71c9eb03ee20a688ad4e4d359f70ac9ec3f6a | |||
6599973853c519fb490fde5a04bda8c18b327d0fc1a9391d19e0ac00 | 6599976f633853c519fb490fde5a04bda8c18b327d0fc1a9391d19e0 | |||
c59df9c60422284e593d6b092eac94f5aa644ed883f39bd4f04e4beb | ac00c59df9c60422284e593d6b092eac94f5aa644ed883f39bd4f04e | |||
6af86d580341446238396bd11daf223711e575cac6021e3fa3155801 | 4beb6af86d580341446238396bd11daf223711e575cac6021e3fa315 | |||
2048a1cec7876292b96c61eda353fe04f33028d2352779668a934084 | 58012048a1cec7876292b96c61eda353fe04f33028d2352779668a93 | |||
da776c1c51a58ce4b503414461 | 4084da776c1c51a58ce4b503414461 | |||
ISK result: (length: 64 bytes) | ISK result: (length: 64 bytes) | |||
925e95d1095dad1af6378d5ef8b9a998bd3855bfc7d36cb5ca05b0a7 | 4cd30768e2f75f0583449614bce823b421c31163c5a3bde4eed1c664 | |||
a93346abcb8cef04bceb28c38fdaf0cc608fd1dcd462ab523f3b7f75 | 284a32995ea3430b5c47fc7dd771b534ad38eaea5d8c8f97bd548966 | |||
2c77c411be3ac8fb | 7facfc044615075f | |||
B.2.7. Corresponding ANSI-C initializers | B.2.7. Corresponding C programming language initializers | |||
const uint8_t tc_PRS[] = { | const unsigned char tc_PRS[] = { | |||
0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, | 0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, | |||
}; | }; | |||
const uint8_t tc_CI[] = { | const unsigned char tc_CI[] = { | |||
0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a, | 0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a, | |||
0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72, | 0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72, | |||
}; | }; | |||
const uint8_t tc_sid[] = { | const unsigned char tc_sid[] = { | |||
0x52,0x23,0xe0,0xcd,0xc4,0x5d,0x65,0x75,0x66,0x8d,0x64,0xc5, | 0x52,0x23,0xe0,0xcd,0xc4,0x5d,0x65,0x75,0x66,0x8d,0x64,0xc5, | |||
0x52,0x00,0x41,0x24, | 0x52,0x00,0x41,0x24, | |||
}; | }; | |||
const uint8_t tc_g[] = { | const unsigned char tc_g[] = { | |||
0x6f,0xda,0xe1,0x47,0x18,0xeb,0x75,0x06,0xdd,0x96,0xe3,0xf7, | 0x6f,0xda,0xe1,0x47,0x18,0xeb,0x75,0x06,0xdd,0x96,0xe3,0xf7, | |||
0x79,0x78,0x96,0xef,0xdb,0x8d,0xb9,0xec,0x07,0x97,0x48,0x5c, | 0x79,0x78,0x96,0xef,0xdb,0x8d,0xb9,0xec,0x07,0x97,0x48,0x5c, | |||
0x9c,0x48,0xa1,0x92,0x2e,0x44,0x96,0x1d,0xa0,0x97,0xf2,0x90, | 0x9c,0x48,0xa1,0x92,0x2e,0x44,0x96,0x1d,0xa0,0x97,0xf2,0x90, | |||
0x8b,0x08,0x4a,0x5d,0xe3,0x3a,0xb6,0x71,0x63,0x06,0x60,0xd2, | 0x8b,0x08,0x4a,0x5d,0xe3,0x3a,0xb6,0x71,0x63,0x06,0x60,0xd2, | |||
0x7d,0x79,0xff,0xd6,0xee,0x8e,0xc8,0x46, | 0x7d,0x79,0xff,0xd6,0xee,0x8e,0xc8,0x46, | |||
}; | }; | |||
const uint8_t tc_ya[] = { | const unsigned char tc_ya[] = { | |||
0x21,0xb4,0xf4,0xbd,0x9e,0x64,0xed,0x35,0x5c,0x3e,0xb6,0x76, | 0x21,0xb4,0xf4,0xbd,0x9e,0x64,0xed,0x35,0x5c,0x3e,0xb6,0x76, | |||
0xa2,0x8e,0xbe,0xda,0xf6,0xd8,0xf1,0x7b,0xdc,0x36,0x59,0x95, | 0xa2,0x8e,0xbe,0xda,0xf6,0xd8,0xf1,0x7b,0xdc,0x36,0x59,0x95, | |||
0xb3,0x19,0x09,0x71,0x53,0x04,0x40,0x80,0x51,0x6b,0xd0,0x83, | 0xb3,0x19,0x09,0x71,0x53,0x04,0x40,0x80,0x51,0x6b,0xd0,0x83, | |||
0xbf,0xcc,0xe6,0x61,0x21,0xa3,0x07,0x26,0x46,0x99,0x4c,0x84, | 0xbf,0xcc,0xe6,0x61,0x21,0xa3,0x07,0x26,0x46,0x99,0x4c,0x84, | |||
0x30,0xcc,0x38,0x2b,0x8d,0xc5,0x43,0xe8, | 0x30,0xcc,0x38,0x2b,0x8d,0xc5,0x43,0xe8, | |||
}; | }; | |||
const uint8_t tc_ADa[] = { | const unsigned char tc_ADa[] = { | |||
0x41,0x44,0x61, | 0x41,0x44,0x61, | |||
}; | }; | |||
const uint8_t tc_Ya[] = { | const unsigned char tc_Ya[] = { | |||
0x39,0x6b,0xd1,0x1d,0xaf,0x22,0x37,0x11,0xe5,0x75,0xca,0xc6, | 0x39,0x6b,0xd1,0x1d,0xaf,0x22,0x37,0x11,0xe5,0x75,0xca,0xc6, | |||
0x02,0x1e,0x3f,0xa3,0x15,0x58,0x01,0x20,0x48,0xa1,0xce,0xc7, | 0x02,0x1e,0x3f,0xa3,0x15,0x58,0x01,0x20,0x48,0xa1,0xce,0xc7, | |||
0x87,0x62,0x92,0xb9,0x6c,0x61,0xed,0xa3,0x53,0xfe,0x04,0xf3, | 0x87,0x62,0x92,0xb9,0x6c,0x61,0xed,0xa3,0x53,0xfe,0x04,0xf3, | |||
0x30,0x28,0xd2,0x35,0x27,0x79,0x66,0x8a,0x93,0x40,0x84,0xda, | 0x30,0x28,0xd2,0x35,0x27,0x79,0x66,0x8a,0x93,0x40,0x84,0xda, | |||
0x77,0x6c,0x1c,0x51,0xa5,0x8c,0xe4,0xb5, | 0x77,0x6c,0x1c,0x51,0xa5,0x8c,0xe4,0xb5, | |||
}; | }; | |||
const uint8_t tc_yb[] = { | const unsigned char tc_yb[] = { | |||
0x84,0x8b,0x07,0x79,0xff,0x41,0x5f,0x0a,0xf4,0xea,0x14,0xdf, | 0x84,0x8b,0x07,0x79,0xff,0x41,0x5f,0x0a,0xf4,0xea,0x14,0xdf, | |||
0x9d,0xd1,0xd3,0xc2,0x9a,0xc4,0x1d,0x83,0x6c,0x78,0x08,0x89, | 0x9d,0xd1,0xd3,0xc2,0x9a,0xc4,0x1d,0x83,0x6c,0x78,0x08,0x89, | |||
0x6c,0x4e,0xba,0x19,0xc5,0x1a,0xc4,0x0a,0x43,0x9c,0xaf,0x5e, | 0x6c,0x4e,0xba,0x19,0xc5,0x1a,0xc4,0x0a,0x43,0x9c,0xaf,0x5e, | |||
0x61,0xec,0x88,0xc3,0x07,0xc7,0xd6,0x19,0x19,0x52,0x29,0x41, | 0x61,0xec,0x88,0xc3,0x07,0xc7,0xd6,0x19,0x19,0x52,0x29,0x41, | |||
0x2e,0xaa,0x73,0xfb,0x2a,0x5e,0xa2,0x0d, | 0x2e,0xaa,0x73,0xfb,0x2a,0x5e,0xa2,0x0d, | |||
}; | }; | |||
const uint8_t tc_ADb[] = { | const unsigned char tc_ADb[] = { | |||
0x41,0x44,0x62, | 0x41,0x44,0x62, | |||
}; | }; | |||
const uint8_t tc_Yb[] = { | const unsigned char tc_Yb[] = { | |||
0x53,0xc5,0x19,0xfb,0x49,0x0f,0xde,0x5a,0x04,0xbd,0xa8,0xc1, | 0x53,0xc5,0x19,0xfb,0x49,0x0f,0xde,0x5a,0x04,0xbd,0xa8,0xc1, | |||
0x8b,0x32,0x7d,0x0f,0xc1,0xa9,0x39,0x1d,0x19,0xe0,0xac,0x00, | 0x8b,0x32,0x7d,0x0f,0xc1,0xa9,0x39,0x1d,0x19,0xe0,0xac,0x00, | |||
0xc5,0x9d,0xf9,0xc6,0x04,0x22,0x28,0x4e,0x59,0x3d,0x6b,0x09, | 0xc5,0x9d,0xf9,0xc6,0x04,0x22,0x28,0x4e,0x59,0x3d,0x6b,0x09, | |||
0x2e,0xac,0x94,0xf5,0xaa,0x64,0x4e,0xd8,0x83,0xf3,0x9b,0xd4, | 0x2e,0xac,0x94,0xf5,0xaa,0x64,0x4e,0xd8,0x83,0xf3,0x9b,0xd4, | |||
0xf0,0x4e,0x4b,0xeb,0x6a,0xf8,0x6d,0x58, | 0xf0,0x4e,0x4b,0xeb,0x6a,0xf8,0x6d,0x58, | |||
}; | }; | |||
const uint8_t tc_K[] = { | const unsigned char tc_K[] = { | |||
0xe0,0x0a,0xf2,0x17,0x55,0x6a,0x40,0xcc,0xbc,0x98,0x22,0xcc, | 0xe0,0x0a,0xf2,0x17,0x55,0x6a,0x40,0xcc,0xbc,0x98,0x22,0xcc, | |||
0x27,0xa4,0x35,0x42,0xe4,0x51,0x66,0xa6,0x53,0xaa,0x4d,0xf7, | 0x27,0xa4,0x35,0x42,0xe4,0x51,0x66,0xa6,0x53,0xaa,0x4d,0xf7, | |||
0x46,0xd5,0xf8,0xe1,0xe8,0xdf,0x48,0x3e,0x9b,0xaf,0xf7,0x1c, | 0x46,0xd5,0xf8,0xe1,0xe8,0xdf,0x48,0x3e,0x9b,0xaf,0xf7,0x1c, | |||
0x9e,0xb0,0x3e,0xe2,0x0a,0x68,0x8a,0xd4,0xe4,0xd3,0x59,0xf7, | 0x9e,0xb0,0x3e,0xe2,0x0a,0x68,0x8a,0xd4,0xe4,0xd3,0x59,0xf7, | |||
0x0a,0xc9,0xec,0x3f,0x6a,0x65,0x99,0x97, | 0x0a,0xc9,0xec,0x3f,0x6a,0x65,0x99,0x97, | |||
}; | }; | |||
const uint8_t tc_ISK_IR[] = { | const unsigned char tc_ISK_IR[] = { | |||
0x40,0x30,0x29,0x77,0x22,0xc1,0x91,0x47,0x11,0xda,0x6b,0x2a, | 0x40,0x30,0x29,0x77,0x22,0xc1,0x91,0x47,0x11,0xda,0x6b,0x2a, | |||
0x22,0x4a,0x44,0xb5,0x3b,0x30,0xc0,0x5a,0xb0,0x2c,0x2a,0x3d, | 0x22,0x4a,0x44,0xb5,0x3b,0x30,0xc0,0x5a,0xb0,0x2c,0x2a,0x3d, | |||
0x3c,0xcc,0x72,0x72,0xa3,0x33,0x3c,0xe3,0xa4,0x56,0x4c,0x17, | 0x3c,0xcc,0x72,0x72,0xa3,0x33,0x3c,0xe3,0xa4,0x56,0x4c,0x17, | |||
0x03,0x1b,0x63,0x4e,0x89,0xf6,0x56,0x81,0xf5,0x2d,0x5c,0x3d, | 0x03,0x1b,0x63,0x4e,0x89,0xf6,0x56,0x81,0xf5,0x2d,0x5c,0x3d, | |||
0x1d,0xf7,0xba,0xeb,0x88,0x52,0x3d,0x2e,0x48,0x1b,0x38,0x58, | 0x1d,0xf7,0xba,0xeb,0x88,0x52,0x3d,0x2e,0x48,0x1b,0x38,0x58, | |||
0xae,0xd8,0x63,0x15, | 0xae,0xd8,0x63,0x15, | |||
}; | }; | |||
const uint8_t tc_ISK_SY[] = { | const unsigned char tc_ISK_SY[] = { | |||
0x92,0x5e,0x95,0xd1,0x09,0x5d,0xad,0x1a,0xf6,0x37,0x8d,0x5e, | 0x4c,0xd3,0x07,0x68,0xe2,0xf7,0x5f,0x05,0x83,0x44,0x96,0x14, | |||
0xf8,0xb9,0xa9,0x98,0xbd,0x38,0x55,0xbf,0xc7,0xd3,0x6c,0xb5, | 0xbc,0xe8,0x23,0xb4,0x21,0xc3,0x11,0x63,0xc5,0xa3,0xbd,0xe4, | |||
0xca,0x05,0xb0,0xa7,0xa9,0x33,0x46,0xab,0xcb,0x8c,0xef,0x04, | 0xee,0xd1,0xc6,0x64,0x28,0x4a,0x32,0x99,0x5e,0xa3,0x43,0x0b, | |||
0xbc,0xeb,0x28,0xc3,0x8f,0xda,0xf0,0xcc,0x60,0x8f,0xd1,0xdc, | 0x5c,0x47,0xfc,0x7d,0xd7,0x71,0xb5,0x34,0xad,0x38,0xea,0xea, | |||
0xd4,0x62,0xab,0x52,0x3f,0x3b,0x7f,0x75,0x2c,0x77,0xc4,0x11, | 0x5d,0x8c,0x8f,0x97,0xbd,0x54,0x89,0x66,0x7f,0xac,0xfc,0x04, | |||
0xbe,0x3a,0xc8,0xfb, | 0x46,0x15,0x07,0x5f, | |||
}; | }; | |||
B.2.8. Test vectors for G_X448.scalar_mult_vfy: low order points | B.2.8. Test vectors for G_X448.scalar_mult_vfy: low order points | |||
Test vectors for which G_X448.scalar_mult_vfy(s_in,ux) must return | Test vectors for which G_X448.scalar_mult_vfy(s_in,ux) must return | |||
the neutral element. This includes points that are non-canonically | the neutral element. This includes points that are non-canonically | |||
encoded, i.e., have coordinate values larger than the field prime. | encoded, i.e., have coordinate values larger than the field prime. | |||
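The neutral-element checks described for G_X25519.scalar_mult_vfy in B.1.8 and for G_X448.scalar_mult_vfy above, as an added example. This is editor-supplied Python, not the draft's reference implementation: it carries the RFC 7748 Montgomery ladder for both curves, the clamping and bit-#255 masking of decodeScalar/decodeUCoordinate, and the abort on an all-zero result that CPace adds on top of plain X25519/X448. The K values of the B.1.7 and B.2.7 initializers (draft-11 column) are recomputed from the yb/Ya (and, for X448, ya/Yb) bytes copied from the page; the weak inputs u = 0, u = 1, the non-canonical encoding of p+1 and an encoding of 1 with bit #255 set all end in the abort path. The MontgomeryCurve record, the None return on abort and the tc_* names are this example's own conventions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MontgomeryCurve:
    name: str
    p: int       # field prime
    a24: int     # (A - 2) / 4, as in RFC 7748
    bits: int    # ladder iterations: 255 for X25519, 448 for X448
    nbytes: int  # size of an encoded scalar or u-coordinate

X25519 = MontgomeryCurve("X25519", 2**255 - 19, 121665, 255, 32)
X448 = MontgomeryCurve("X448", 2**448 - 2**224 - 1, 39081, 448, 56)

def decode_scalar(curve: MontgomeryCurve, k: bytes) -> int:
    """RFC 7748 decodeScalar25519/448: clear the cofactor bits, set the top bit.
    CPace hands the raw random bytes y to X25519/X448, which clamp internally."""
    kb = bytearray(k)
    if curve.nbytes == 32:
        kb[0] &= 248
        kb[31] &= 127
        kb[31] |= 64
    else:
        kb[0] &= 252
        kb[55] |= 128
    return int.from_bytes(kb, "little")

def decode_u(curve: MontgomeryCurve, u: bytes) -> int:
    """RFC 7748 decodeUCoordinate: X25519 MUST clear bit #255, X448 has no spare
    bit. Values >= p are not rejected; the ladder reduces them mod p, so a
    non-canonical encoding of a weak point still ends in the abort."""
    ub = bytearray(u)
    if curve.nbytes == 32:
        ub[31] &= 0x7F
    return int.from_bytes(ub, "little")

def ladder(curve: MontgomeryCurve, k: int, u: int) -> int:
    """Montgomery ladder as written in RFC 7748 section 5. The conditional swap
    is a plain branch here, so this code is NOT constant time."""
    p, a24 = curve.p, curve.a24
    x1 = u % p
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(curve.bits - 1, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a = (x2 + z2) % p
        aa = a * a % p
        b = (x2 - z2) % p
        bb = b * b % p
        e = (aa - bb) % p
        c = (x3 + z3) % p
        d = (x3 - z3) % p
        da = d * a % p
        cb = c * b % p
        x3 = (da + cb) * (da + cb) % p
        z3 = x1 * (da - cb) * (da - cb) % p
        x2 = aa * bb % p
        z2 = e * (aa + a24 * e) % p
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, p - 2, p) % p  # neutral element (z2 == 0) maps to 0

def scalar_mult(curve: MontgomeryCurve, k: bytes, u: bytes) -> bytes:
    """Plain X25519 / X448 function of RFC 7748 on encoded inputs."""
    r = ladder(curve, decode_scalar(curve, k), decode_u(curve, u))
    return r.to_bytes(curve.nbytes, "little")

def scalar_mult_vfy(curve: MontgomeryCurve, k: bytes, u: bytes):
    """CPace G.scalar_mult_vfy: X25519/X448 followed by the check that the result
    is not the neutral element. None means the protocol run must be aborted."""
    result = scalar_mult(curve, k, u)
    return None if result == bytes(curve.nbytes) else result

# Inputs copied from the draft-11 column of the B.1.7 / B.2.7 initializers.
tc_yb_25519 = bytes.fromhex("848b0779ff415f0af4ea14df9dd1d3c29ac41d836c7808896c4eba19c51ac40a")
tc_Ya_25519 = bytes.fromhex("f970e36f37cfcd9a39e37dd2d1fbc9156d6d2f9ae422f4722cbd9d32e9b1e704")
tc_K_25519 = bytes.fromhex("42ba4c6dc4c184a1cf405d4503f64bf7f015e2a0107450e38b9efff3bee52412")
tc_ya_448 = bytes.fromhex("21b4f4bd9e64ed355c3eb676a28ebedaf6d8f17bdc365995b3190971"
                          "53044080516bd083bfcce66121a3072646994c8430cc382b8dc543e8")
tc_Ya_448 = bytes.fromhex("396bd11daf223711e575cac6021e3fa31558012048a1cec7876292b9"
                          "6c61eda353fe04f33028d2352779668a934084da776c1c51a58ce4b5")
tc_yb_448 = bytes.fromhex("848b0779ff415f0af4ea14df9dd1d3c29ac41d836c7808896c4eba19"
                          "c51ac40a439caf5e61ec88c307c7d619195229412eaa73fb2a5ea20d")
tc_Yb_448 = bytes.fromhex("53c519fb490fde5a04bda8c18b327d0fc1a9391d19e0ac00c59df9c6"
                          "0422284e593d6b092eac94f5aa644ed883f39bd4f04e4beb6af86d58")
tc_K_448 = bytes.fromhex("e00af217556a40ccbc9822cc27a43542e45166a653aa4df746d5f8e1"
                         "e8df483e9baff71c9eb03ee20a688ad4e4d359f70ac9ec3f6a659997")

if __name__ == "__main__":
    print("X25519 K matches B.1.7:", scalar_mult_vfy(X25519, tc_yb_25519, tc_Ya_25519) == tc_K_25519)
    print("X448   K matches B.2.7:", scalar_mult_vfy(X448, tc_yb_448, tc_Ya_448) == tc_K_448)
    print("u = 1 aborts:", scalar_mult_vfy(X25519, tc_yb_25519, b"\x01" + bytes(31)) is None)
```

The masking rule is what makes the last group of vectors meaningful: the 32-byte string that encodes 1 with bit #255 set decodes to the order-4 point u = 1 and aborts, whereas an implementation that skipped the mask would compute with u = 2^255 + 1 = 20 (mod p), a point of large order, and silently accept it. A production implementation replaces the Python branch in the ladder with a constant-time conditional swap and must also treat the None path as a hard abort rather than a recoverable error.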
Weak points for X448 smaller than the field prime (canonical) | Weak points for X448 smaller than the field prime (canonical) | |||
skipping to change at page 46, line 4 ¶ | skipping to change at page 47, line 4 ¶ | |||
83204fe8359addb53e95a2e98893853f20383a85dd236978f17f8c85 | 83204fe8359addb53e95a2e98893853f20383a85dd236978f17f8c85 | |||
45b50dabc52a39fcdab2cf8bc531ce040ff77ca82d0341446120a620 | 45b50dabc52a39fcdab2cf8bc531ce040ff77ca82d0341446120a620 | |||
6309c0e8e5f579295e35997ac4300ab3fecec3c17f7b604f3e698fa1 | 6309c0e8e5f579295e35997ac4300ab3fecec3c17f7b604f3e698fa1 | |||
383c03414462 | 383c03414462 | |||
ISK result: (length: 64 bytes) | ISK result: (length: 64 bytes) | |||
e91ccb2c0f5e0d0993a33956e3be59754f3f2b07db57631f5394452e | e91ccb2c0f5e0d0993a33956e3be59754f3f2b07db57631f5394452e | |||
a2e7b4354674eb1f5686c078462bf83bec72e8743df440108e638f35 | a2e7b4354674eb1f5686c078462bf83bec72e8743df440108e638f35 | |||
26d9b90e85be096f | 26d9b90e85be096f | |||
B.3.6. Test vector for ISK calculation parallel execution | B.3.6. Test vector for ISK calculation parallel execution | |||
ordered cat of transcript : (length: 74 bytes) | ordered cat of transcript : (length: 76 bytes) | |||
20a6206309c0e8e5f579295e35997ac4300ab3fecec3c17f7b604f3e | 6f6320a6206309c0e8e5f579295e35997ac4300ab3fecec3c17f7b60 | |||
698fa1383c0341446220383a85dd236978f17f8c8545b50dabc52a39 | 4f3e698fa1383c0341446220383a85dd236978f17f8c8545b50dabc5 | |||
fcdab2cf8bc531ce040ff77ca82d03414461 | 2a39fcdab2cf8bc531ce040ff77ca82d03414461 | |||
DSI = G.DSI_ISK, b'CPaceRistretto255_ISK': | DSI = G.DSI_ISK, b'CPaceRistretto255_ISK': | |||
(length: 21 bytes) | (length: 21 bytes) | |||
435061636552697374726574746f3235355f49534b | 435061636552697374726574746f3235355f49534b | |||
lv_cat(DSI,sid,K)||oCAT(MSGa,MSGb): (length: 146 bytes) | lv_cat(DSI,sid,K)||o_cat(MSGa,MSGb): (length: 148 bytes) | |||
15435061636552697374726574746f3235355f49534b107e4b4791d6 | 15435061636552697374726574746f3235355f49534b107e4b4791d6 | |||
a8ef019b936c79fb7f2c5720fa1d0318864e2cacb26875f1b791c9ae | a8ef019b936c79fb7f2c5720fa1d0318864e2cacb26875f1b791c9ae | |||
83204fe8359addb53e95a2e98893853f20a6206309c0e8e5f579295e | 83204fe8359addb53e95a2e98893853f6f6320a6206309c0e8e5f579 | |||
35997ac4300ab3fecec3c17f7b604f3e698fa1383c0341446220383a | 295e35997ac4300ab3fecec3c17f7b604f3e698fa1383c0341446220 | |||
85dd236978f17f8c8545b50dabc52a39fcdab2cf8bc531ce040ff77c | 383a85dd236978f17f8c8545b50dabc52a39fcdab2cf8bc531ce040f | |||
a82d03414461 | f77ca82d03414461 | |||
ISK result: (length: 64 bytes) | ISK result: (length: 64 bytes) | |||
2472dedbff868bfc12b4c256f790539af0e2bab7efc28d1a995d18a1 | 1638fb6ff564a80a12af07c036870e10c4efb539fa847fdf3e9c4621 | |||
a58e5bec639273d4604512669ab7953153d437eb90314dcba7539724 | 7bf52cd4df4ca0fe51146492a9ba6dd6a42ac402bc2d60adb4084c81 | |||
02b0d9c5ec5283f8 | 758d754d1d81482a | |||
B.3.7. Corresponding ANSI-C initializers | B.3.7. Corresponding C programming language initializers | |||
const uint8_t tc_PRS[] = { | const unsigned char tc_PRS[] = { | |||
0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, | 0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, | |||
}; | }; | |||
const uint8_t tc_CI[] = { | const unsigned char tc_CI[] = { | |||
0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a, | 0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a, | |||
0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72, | 0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72, | |||
}; | }; | |||
const uint8_t tc_sid[] = { | const unsigned char tc_sid[] = { | |||
0x7e,0x4b,0x47,0x91,0xd6,0xa8,0xef,0x01,0x9b,0x93,0x6c,0x79, | 0x7e,0x4b,0x47,0x91,0xd6,0xa8,0xef,0x01,0x9b,0x93,0x6c,0x79, | |||
0xfb,0x7f,0x2c,0x57, | 0xfb,0x7f,0x2c,0x57, | |||
}; | }; | |||
const uint8_t tc_g[] = { | const unsigned char tc_g[] = { | |||
0x5e,0x25,0x41,0x1c,0xa1,0xad,0x7c,0x9d,0xeb,0xfd,0x0b,0x33, | 0x5e,0x25,0x41,0x1c,0xa1,0xad,0x7c,0x9d,0xeb,0xfd,0x0b,0x33, | |||
0xad,0x98,0x7a,0x95,0xce,0xfe,0xf2,0xd3,0xf1,0x5d,0xcc,0x8b, | 0xad,0x98,0x7a,0x95,0xce,0xfe,0xf2,0xd3,0xf1,0x5d,0xcc,0x8b, | |||
0xd2,0x64,0x15,0xa5,0xdf,0xe2,0xe1,0x5a, | 0xd2,0x64,0x15,0xa5,0xdf,0xe2,0xe1,0x5a, | |||
}; | }; | |||
const uint8_t tc_ya[] = { | const unsigned char tc_ya[] = { | |||
0xda,0x3d,0x23,0x70,0x0a,0x9e,0x56,0x99,0x25,0x8a,0xef,0x94, | 0xda,0x3d,0x23,0x70,0x0a,0x9e,0x56,0x99,0x25,0x8a,0xef,0x94, | |||
0xdc,0x06,0x0d,0xfd,0xa5,0xeb,0xb6,0x1f,0x02,0xa5,0xea,0x77, | 0xdc,0x06,0x0d,0xfd,0xa5,0xeb,0xb6,0x1f,0x02,0xa5,0xea,0x77, | |||
0xfa,0xd5,0x3f,0x4f,0xf0,0x97,0x6d,0x08, | 0xfa,0xd5,0x3f,0x4f,0xf0,0x97,0x6d,0x08, | |||
}; | }; | |||
const uint8_t tc_ADa[] = { | const unsigned char tc_ADa[] = { | |||
0x41,0x44,0x61, | 0x41,0x44,0x61, | |||
}; | }; | |||
const uint8_t tc_Ya[] = { | const unsigned char tc_Ya[] = { | |||
0x38,0x3a,0x85,0xdd,0x23,0x69,0x78,0xf1,0x7f,0x8c,0x85,0x45, | 0x38,0x3a,0x85,0xdd,0x23,0x69,0x78,0xf1,0x7f,0x8c,0x85,0x45, | |||
0xb5,0x0d,0xab,0xc5,0x2a,0x39,0xfc,0xda,0xb2,0xcf,0x8b,0xc5, | 0xb5,0x0d,0xab,0xc5,0x2a,0x39,0xfc,0xda,0xb2,0xcf,0x8b,0xc5, | |||
0x31,0xce,0x04,0x0f,0xf7,0x7c,0xa8,0x2d, | 0x31,0xce,0x04,0x0f,0xf7,0x7c,0xa8,0x2d, | |||
}; | }; | |||
const uint8_t tc_yb[] = { | const unsigned char tc_yb[] = { | |||
0xd2,0x31,0x6b,0x45,0x47,0x18,0xc3,0x53,0x62,0xd8,0x3d,0x69, | 0xd2,0x31,0x6b,0x45,0x47,0x18,0xc3,0x53,0x62,0xd8,0x3d,0x69, | |||
0xdf,0x63,0x20,0xf3,0x85,0x78,0xed,0x59,0x84,0x65,0x14,0x35, | 0xdf,0x63,0x20,0xf3,0x85,0x78,0xed,0x59,0x84,0x65,0x14,0x35, | |||
0xe2,0x94,0x97,0x62,0xd9,0x00,0xb8,0x0d, | 0xe2,0x94,0x97,0x62,0xd9,0x00,0xb8,0x0d, | |||
}; | }; | |||
const uint8_t tc_ADb[] = { | const unsigned char tc_ADb[] = { | |||
0x41,0x44,0x62, | 0x41,0x44,0x62, | |||
}; | }; | |||
const uint8_t tc_Yb[] = { | const unsigned char tc_Yb[] = { | |||
0xa6,0x20,0x63,0x09,0xc0,0xe8,0xe5,0xf5,0x79,0x29,0x5e,0x35, | 0xa6,0x20,0x63,0x09,0xc0,0xe8,0xe5,0xf5,0x79,0x29,0x5e,0x35, | |||
0x99,0x7a,0xc4,0x30,0x0a,0xb3,0xfe,0xce,0xc3,0xc1,0x7f,0x7b, | 0x99,0x7a,0xc4,0x30,0x0a,0xb3,0xfe,0xce,0xc3,0xc1,0x7f,0x7b, | |||
0x60,0x4f,0x3e,0x69,0x8f,0xa1,0x38,0x3c, | 0x60,0x4f,0x3e,0x69,0x8f,0xa1,0x38,0x3c, | |||
}; | }; | |||
const uint8_t tc_K[] = { | const unsigned char tc_K[] = { | |||
0xfa,0x1d,0x03,0x18,0x86,0x4e,0x2c,0xac,0xb2,0x68,0x75,0xf1, | 0xfa,0x1d,0x03,0x18,0x86,0x4e,0x2c,0xac,0xb2,0x68,0x75,0xf1, | |||
0xb7,0x91,0xc9,0xae,0x83,0x20,0x4f,0xe8,0x35,0x9a,0xdd,0xb5, | 0xb7,0x91,0xc9,0xae,0x83,0x20,0x4f,0xe8,0x35,0x9a,0xdd,0xb5, | |||
0x3e,0x95,0xa2,0xe9,0x88,0x93,0x85,0x3f, | 0x3e,0x95,0xa2,0xe9,0x88,0x93,0x85,0x3f, | |||
}; | }; | |||
const uint8_t tc_ISK_IR[] = { | const unsigned char tc_ISK_IR[] = { | |||
0xe9,0x1c,0xcb,0x2c,0x0f,0x5e,0x0d,0x09,0x93,0xa3,0x39,0x56, | 0xe9,0x1c,0xcb,0x2c,0x0f,0x5e,0x0d,0x09,0x93,0xa3,0x39,0x56, | |||
0xe3,0xbe,0x59,0x75,0x4f,0x3f,0x2b,0x07,0xdb,0x57,0x63,0x1f, | 0xe3,0xbe,0x59,0x75,0x4f,0x3f,0x2b,0x07,0xdb,0x57,0x63,0x1f, | |||
0x53,0x94,0x45,0x2e,0xa2,0xe7,0xb4,0x35,0x46,0x74,0xeb,0x1f, | 0x53,0x94,0x45,0x2e,0xa2,0xe7,0xb4,0x35,0x46,0x74,0xeb,0x1f, | |||
0x56,0x86,0xc0,0x78,0x46,0x2b,0xf8,0x3b,0xec,0x72,0xe8,0x74, | 0x56,0x86,0xc0,0x78,0x46,0x2b,0xf8,0x3b,0xec,0x72,0xe8,0x74, | |||
0x3d,0xf4,0x40,0x10,0x8e,0x63,0x8f,0x35,0x26,0xd9,0xb9,0x0e, | 0x3d,0xf4,0x40,0x10,0x8e,0x63,0x8f,0x35,0x26,0xd9,0xb9,0x0e, | |||
0x85,0xbe,0x09,0x6f, | 0x85,0xbe,0x09,0x6f, | |||
}; | }; | |||
const uint8_t tc_ISK_SY[] = { | const unsigned char tc_ISK_SY[] = { | |||
0x24,0x72,0xde,0xdb,0xff,0x86,0x8b,0xfc,0x12,0xb4,0xc2,0x56, | 0x16,0x38,0xfb,0x6f,0xf5,0x64,0xa8,0x0a,0x12,0xaf,0x07,0xc0, | |||
0xf7,0x90,0x53,0x9a,0xf0,0xe2,0xba,0xb7,0xef,0xc2,0x8d,0x1a, | 0x36,0x87,0x0e,0x10,0xc4,0xef,0xb5,0x39,0xfa,0x84,0x7f,0xdf, | |||
0x99,0x5d,0x18,0xa1,0xa5,0x8e,0x5b,0xec,0x63,0x92,0x73,0xd4, | 0x3e,0x9c,0x46,0x21,0x7b,0xf5,0x2c,0xd4,0xdf,0x4c,0xa0,0xfe, | |||
0x60,0x45,0x12,0x66,0x9a,0xb7,0x95,0x31,0x53,0xd4,0x37,0xeb, | 0x51,0x14,0x64,0x92,0xa9,0xba,0x6d,0xd6,0xa4,0x2a,0xc4,0x02, | |||
0x90,0x31,0x4d,0xcb,0xa7,0x53,0x97,0x24,0x02,0xb0,0xd9,0xc5, | 0xbc,0x2d,0x60,0xad,0xb4,0x08,0x4c,0x81,0x75,0x8d,0x75,0x4d, | |||
0xec,0x52,0x83,0xf8, | 0x1d,0x81,0x48,0x2a, | |||
}; | }; | |||
B.3.8. Test case for scalar_mult with valid inputs | B.3.8. Test case for scalar_mult with valid inputs | |||
s: (length: 32 bytes) | s: (length: 32 bytes) | |||
7cd0e075fa7955ba52c02759a6c90dbbfc10e6d40aea8d283e407d88 | 7cd0e075fa7955ba52c02759a6c90dbbfc10e6d40aea8d283e407d88 | |||
cf538a05 | cf538a05 | |||
X: (length: 32 bytes) | X: (length: 32 bytes) | |||
2c3c6b8c4f3800e7aef6864025b4ed79bd599117e427c41bd47d93d6 | 2c3c6b8c4f3800e7aef6864025b4ed79bd599117e427c41bd47d93d6 | |||
54b4a51c | 54b4a51c | |||
G.scalar_mult(s,decode(X)): (length: 32 bytes) | G.scalar_mult(s,decode(X)): (length: 32 bytes) | |||
skipping to change at page 49, line 35 ¶ | skipping to change at page 50, line 35 ¶ | |||
1d28915fb750011209040f5f03b2ceb5e5eb259c96b478382d5a5c57 | 1d28915fb750011209040f5f03b2ceb5e5eb259c96b478382d5a5c57 | |||
encoded generator g: (length: 56 bytes) | encoded generator g: (length: 56 bytes) | |||
682d1a4f49fc2a4834356ae4d7f58636bc9481521c845e66e6fb0b29 | 682d1a4f49fc2a4834356ae4d7f58636bc9481521c845e66e6fb0b29 | |||
69341df45fbaeaea9e2221b3f5babc54c5f8ce456988ffc519defaeb | 69341df45fbaeaea9e2221b3f5babc54c5f8ce456988ffc519defaeb | |||
B.4.2. Test vector for MSGa | B.4.2. Test vector for MSGa | |||
Inputs | Inputs | |||
ADa = b'ADa' | ADa = b'ADa' | |||
ya (little endian): (length: 56 bytes) | ya (little endian): (length: 56 bytes) | |||
d8d2e26c821a12d7f59a8dee023d3f6155976152e16c73cbf68c303d | 33d561f13cfc0dca279c30e8cde895175dc25483892819eba132d58c | |||
f0404399f0a7b614a65df50a9788f00b410586b443f738ad7ff03930 | 13c0462a8eb0d73fda941950594bef5191d8394691f86edffcad6c1e | |||
Outputs | Outputs | |||
Ya: (length: 56 bytes) | Ya: (length: 56 bytes) | |||
d4b87d2fcdcac1096dba1898361f27e29dc1e019f74f84a71199bfd3 | e233867540319ec86eaecc09a85dec233745db729f61c36bde14c034 | |||
dc8d09d2b823038f579f517591474be366968e2fb599bf14e55704f4 | 200994fc4b6e8d263008c169585fd1d186d8ac560cb9f7ad0d166965 | |||
MSGa = lv_cat(Ya,ADa): (length: 61 bytes) | MSGa = lv_cat(Ya,ADa): (length: 61 bytes) | |||
38d4b87d2fcdcac1096dba1898361f27e29dc1e019f74f84a71199bf | 38e233867540319ec86eaecc09a85dec233745db729f61c36bde14c0 | |||
d3dc8d09d2b823038f579f517591474be366968e2fb599bf14e55704 | 34200994fc4b6e8d263008c169585fd1d186d8ac560cb9f7ad0d1669 | |||
f403414461 | 6503414461 | |||
B.4.3. Test vector for MSGb | B.4.3. Test vector for MSGb | |||
Inputs | Inputs | |||
ADb = b'ADb' | ADb = b'ADb' | |||
yb (little endian): (length: 56 bytes) | yb (little endian): (length: 56 bytes) | |||
91bae9793f4a8aceb1b5c54375a7ed1858a79a6e72dab959c8bdf3a7 | 2523c969f68fa2b2aea294c2539ef36eb1e0558abd14712a7828f16a | |||
5ac9bb4de2a25af4d4a9a5c5bc5441d19b8e3f6fcce7196c6afc2236 | 85ed2c7e77e2bdd418994405fb1b57b6bbaadd66849892aac9d81402 | |||
Outputs | Outputs | |||
Yb: (length: 56 bytes) | Yb: (length: 56 bytes) | |||
d61c6c039c01560e8b19b8299fb39513f39302eebd4c462694a33155 | 5062a0f33478914bf162a80dad39b5b266c1dd02f408573b41827e38 | |||
a3a387e44aa613647fcf6303f918bad598aaab53bea849b9fd14da74 | 599b682afbf7a0735adfd68c39ab4994fd1b034846270e38332b4da9 | |||
MSGb = lv_cat(Yb,ADb): (length: 61 bytes) | MSGb = lv_cat(Yb,ADb): (length: 61 bytes) | |||
38d61c6c039c01560e8b19b8299fb39513f39302eebd4c462694a331 | 385062a0f33478914bf162a80dad39b5b266c1dd02f408573b41827e | |||
55a3a387e44aa613647fcf6303f918bad598aaab53bea849b9fd14da | 38599b682afbf7a0735adfd68c39ab4994fd1b034846270e38332b4d | |||
7403414462 | a903414462 | |||
B.4.4. Test vector for secret points K | B.4.4. Test vector for secret points K | |||
scalar_mult_vfy(ya,Yb): (length: 56 bytes) | scalar_mult_vfy(ya,Yb): (length: 56 bytes) | |||
e434cda1783ddaaef08fc1d5f2201f1540fbc295fe2dd7cc38f20385 | dc9edef7c127e79d32f2584f9fcd3269174fe32226c2082963879a6d | |||
64824c98dbbe1978f121bdfead8e1a638913a6952cbec54867eb770a | eafefb9c14efcee9fc1245917ad3658037d2d62aff2d3f76fa4fca99 | |||
scalar_mult_vfy(yb,Ya): (length: 56 bytes) | scalar_mult_vfy(yb,Ya): (length: 56 bytes) | |||
e434cda1783ddaaef08fc1d5f2201f1540fbc295fe2dd7cc38f20385 | dc9edef7c127e79d32f2584f9fcd3269174fe32226c2082963879a6d | |||
64824c98dbbe1978f121bdfead8e1a638913a6952cbec54867eb770a | eafefb9c14efcee9fc1245917ad3658037d2d62aff2d3f76fa4fca99 | |||
B.4.5. Test vector for ISK calculation initiator/responder | B.4.5. Test vector for ISK calculation initiator/responder | |||
unordered cat of transcript : (length: 122 bytes) | unordered cat of transcript : (length: 122 bytes) | |||
38d4b87d2fcdcac1096dba1898361f27e29dc1e019f74f84a71199bf | 38e233867540319ec86eaecc09a85dec233745db729f61c36bde14c0 | |||
d3dc8d09d2b823038f579f517591474be366968e2fb599bf14e55704 | 34200994fc4b6e8d263008c169585fd1d186d8ac560cb9f7ad0d1669 | |||
f40341446138d61c6c039c01560e8b19b8299fb39513f39302eebd4c | 6503414461385062a0f33478914bf162a80dad39b5b266c1dd02f408 | |||
462694a33155a3a387e44aa613647fcf6303f918bad598aaab53bea8 | 573b41827e38599b682afbf7a0735adfd68c39ab4994fd1b03484627 | |||
49b9fd14da7403414462 | 0e38332b4da903414462 | |||
DSI = G.DSI_ISK, b'CPaceDecaf448_ISK': (length: 17 bytes) | DSI = G.DSI_ISK, b'CPaceDecaf448_ISK': (length: 17 bytes) | |||
435061636544656361663434385f49534b | 435061636544656361663434385f49534b | |||
lv_cat(DSI,sid,K)||MSGa||MSGb: (length: 214 bytes) | lv_cat(DSI,sid,K)||MSGa||MSGb: (length: 214 bytes) | |||
11435061636544656361663434385f49534b105223e0cdc45d657566 | 11435061636544656361663434385f49534b105223e0cdc45d657566 | |||
8d64c55200412438e434cda1783ddaaef08fc1d5f2201f1540fbc295 | 8d64c55200412438dc9edef7c127e79d32f2584f9fcd3269174fe322 | |||
fe2dd7cc38f2038564824c98dbbe1978f121bdfead8e1a638913a695 | 26c2082963879a6deafefb9c14efcee9fc1245917ad3658037d2d62a | |||
2cbec54867eb770a38d4b87d2fcdcac1096dba1898361f27e29dc1e0 | ff2d3f76fa4fca9938e233867540319ec86eaecc09a85dec233745db | |||
19f74f84a71199bfd3dc8d09d2b823038f579f517591474be366968e | 729f61c36bde14c034200994fc4b6e8d263008c169585fd1d186d8ac | |||
2fb599bf14e55704f40341446138d61c6c039c01560e8b19b8299fb3 | 560cb9f7ad0d16696503414461385062a0f33478914bf162a80dad39 | |||
9513f39302eebd4c462694a33155a3a387e44aa613647fcf6303f918 | b5b266c1dd02f408573b41827e38599b682afbf7a0735adfd68c39ab | |||
bad598aaab53bea849b9fd14da7403414462 | 4994fd1b034846270e38332b4da903414462 | |||
ISK result: (length: 64 bytes) | ISK result: (length: 64 bytes) | |||
13636dc9b7d233ac24a2d5c4a85a72fe20145f7a47ad51cab40e087c | a752612fe6dec542e96629a6eb68ecb9bfe2257224975e916035aee7 | |||
057831b69ee59b9c828732bde171cfca99afda4852bcaf04fe9f0a97 | 47c6aba32af2e6fe25eeb96261e6140100edcf95686e0aaa134026b4 | |||
592cdf5e2c9a5948 | b5254fd271b7a4da | |||
B.4.6. Test vector for ISK calculation parallel execution | B.4.6. Test vector for ISK calculation parallel execution | |||
ordered cat of transcript : (length: 122 bytes) | ordered cat of transcript : (length: 124 bytes) | |||
38d61c6c039c01560e8b19b8299fb39513f39302eebd4c462694a331 | 6f6338e233867540319ec86eaecc09a85dec233745db729f61c36bde | |||
55a3a387e44aa613647fcf6303f918bad598aaab53bea849b9fd14da | 14c034200994fc4b6e8d263008c169585fd1d186d8ac560cb9f7ad0d | |||
740341446238d4b87d2fcdcac1096dba1898361f27e29dc1e019f74f | 16696503414461385062a0f33478914bf162a80dad39b5b266c1dd02 | |||
84a71199bfd3dc8d09d2b823038f579f517591474be366968e2fb599 | f408573b41827e38599b682afbf7a0735adfd68c39ab4994fd1b0348 | |||
bf14e55704f403414461 | 46270e38332b4da903414462 | |||
DSI = G.DSI_ISK, b'CPaceDecaf448_ISK': (length: 17 bytes) | DSI = G.DSI_ISK, b'CPaceDecaf448_ISK': (length: 17 bytes) | |||
435061636544656361663434385f49534b | 435061636544656361663434385f49534b | |||
lv_cat(DSI,sid,K)||oCAT(MSGa,MSGb): (length: 214 bytes) | lv_cat(DSI,sid,K)||o_cat(MSGa,MSGb): (length: 216 bytes) | |||
11435061636544656361663434385f49534b105223e0cdc45d657566 | 11435061636544656361663434385f49534b105223e0cdc45d657566 | |||
8d64c55200412438e434cda1783ddaaef08fc1d5f2201f1540fbc295 | 8d64c55200412438dc9edef7c127e79d32f2584f9fcd3269174fe322 | |||
fe2dd7cc38f2038564824c98dbbe1978f121bdfead8e1a638913a695 | 26c2082963879a6deafefb9c14efcee9fc1245917ad3658037d2d62a | |||
2cbec54867eb770a38d61c6c039c01560e8b19b8299fb39513f39302 | ff2d3f76fa4fca996f6338e233867540319ec86eaecc09a85dec2337 | |||
eebd4c462694a33155a3a387e44aa613647fcf6303f918bad598aaab | 45db729f61c36bde14c034200994fc4b6e8d263008c169585fd1d186 | |||
53bea849b9fd14da740341446238d4b87d2fcdcac1096dba1898361f | d8ac560cb9f7ad0d16696503414461385062a0f33478914bf162a80d | |||
27e29dc1e019f74f84a71199bfd3dc8d09d2b823038f579f51759147 | ad39b5b266c1dd02f408573b41827e38599b682afbf7a0735adfd68c | |||
4be366968e2fb599bf14e55704f403414461 | 39ab4994fd1b034846270e38332b4da903414462 | |||
ISK result: (length: 64 bytes) | ISK result: (length: 64 bytes) | |||
999e8f8486670bc1bf874a4d8f1496b9ebd8909eb01cf46b275ec942 | e6c79d30d4381a45bd47b14b769d41354211aff553ece937d4ac134f | |||
2f22593064b272ba9e9e201a4a34a18729e48859a2d038c7c8cf0a0f | 09844896c72a723b1f1b6da1ab281d759a15624d2bcd0e423b70b8b8 | |||
e8a90ddcbdde1126 | 50a4d0ed126a3026 | |||
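The transcript and ISK constructions of B.2.6, B.3.5/B.3.6 and B.4.5/B.4.6 above, as an added example. This is editor-supplied Python, not the draft's reference code: lv_cat with its LEB128-style length prefix, the draft-11 form of o_cat (constant prefix b'oc', then the lexicographically larger message first, which accounts for the two extra bytes visible in the right-hand column of every "ordered cat" vector), and the final hash. It recomputes the draft-11 values of B.3 (CPaceRistretto255, SHA-512) and B.4 (CPaceDecaf448, SHAKE-256 with 64 bytes of output) from the sid, K, Ya and Yb bytes copied from the page; the derive_isk function and the dict it returns are this example's own.

```python
import hashlib

def prepend_len(data: bytes) -> bytes:
    """Length prefix used by CPace's lv_cat: 7 bits per byte, least significant
    group first, high bit set on every byte but the last (LEB128 style).
    Lengths below 128 therefore take a single byte, as in all vectors above."""
    length = len(data)
    prefix = bytearray()
    while length >= 128:
        prefix.append((length & 0x7F) | 0x80)
        length >>= 7
    prefix.append(length)
    return bytes(prefix) + data

def lv_cat(*items: bytes) -> bytes:
    """Prefix-free concatenation: every item carries its own length."""
    return b"".join(prepend_len(item) for item in items)

def o_cat(msg1: bytes, msg2: bytes) -> bytes:
    """Ordered concatenation, draft-11 form: constant prefix b'oc', then the
    lexicographically larger message first. Both parties of a parallel run
    obtain the same transcript whichever message arrived first."""
    if msg1 > msg2:  # Python bytes ordering is the draft's lexicographic rule
        return b"oc" + msg1 + msg2
    return b"oc" + msg2 + msg1

def derive_isk(hash_fn, dsi_isk, sid, K, Ya, ADa, Yb, ADb) -> dict:
    """Both ISK derivations of the appendix. Initiator/responder mode hashes
    MSGa||MSGb in protocol order; parallel mode hashes o_cat(MSGa, MSGb)."""
    msg_a = lv_cat(Ya, ADa)
    msg_b = lv_cat(Yb, ADb)
    head = lv_cat(dsi_isk, sid, K)
    transcript_ir = msg_a + msg_b
    transcript_sy = o_cat(msg_a, msg_b)
    return {
        "msg_a": msg_a,
        "msg_b": msg_b,
        "transcript_ir": transcript_ir,
        "transcript_sy": transcript_sy,
        "hash_input_sy": head + transcript_sy,
        "isk_ir": hash_fn(head + transcript_ir),
        "isk_sy": hash_fn(head + transcript_sy),
    }

def sha512(m: bytes) -> bytes:
    return hashlib.sha512(m).digest()

def shake256_64(m: bytes) -> bytes:
    return hashlib.shake_256(m).digest(64)

# Inputs copied from the draft-11 column of appendix B.4 (CPaceDecaf448).
B4 = dict(
    hash_fn=shake256_64, dsi_isk=b"CPaceDecaf448_ISK",
    sid=bytes.fromhex("5223e0cdc45d6575668d64c552004124"),
    K=bytes.fromhex("dc9edef7c127e79d32f2584f9fcd3269174fe32226c2082963879a6d"
                    "eafefb9c14efcee9fc1245917ad3658037d2d62aff2d3f76fa4fca99"),
    Ya=bytes.fromhex("e233867540319ec86eaecc09a85dec233745db729f61c36bde14c034"
                     "200994fc4b6e8d263008c169585fd1d186d8ac560cb9f7ad0d166965"),
    ADa=b"ADa",
    Yb=bytes.fromhex("5062a0f33478914bf162a80dad39b5b266c1dd02f408573b41827e38"
                     "599b682afbf7a0735adfd68c39ab4994fd1b034846270e38332b4da9"),
    ADb=b"ADb",
)
# Inputs copied from the draft-11 column of appendix B.3 (CPaceRistretto255).
B3 = dict(
    hash_fn=sha512, dsi_isk=b"CPaceRistretto255_ISK",
    sid=bytes.fromhex("7e4b4791d6a8ef019b936c79fb7f2c57"),
    K=bytes.fromhex("fa1d0318864e2cacb26875f1b791c9ae83204fe8359addb53e95a2e98893853f"),
    Ya=bytes.fromhex("383a85dd236978f17f8c8545b50dabc52a39fcdab2cf8bc531ce040ff77ca82d"),
    ADa=b"ADa",
    Yb=bytes.fromhex("a6206309c0e8e5f579295e35997ac4300ab3fecec3c17f7b604f3e698fa1383c"),
    ADb=b"ADb",
)

if __name__ == "__main__":
    for name, params in (("B.4", B4), ("B.3", B3)):
        out = derive_isk(**params)
        print(name, "o_cat transcript:", out["transcript_sy"].hex())
        print(name, "ISK parallel:    ", out["isk_sy"].hex())
```

Two properties are worth checking in any port of this code. The b'oc' prefix and the length prefixes are what keep the hash input prefix-free, so an implementation that drops one of them still produces 64 deterministic bytes and passes its own round trip while silently diverging from every other implementation; only a comparison against the vectors catches it. And the ordering must be on the complete MSGa/MSGb strings (including the length byte and the AD), not on Ya and Yb alone, otherwise the two parties of a parallel run can disagree on the transcript whenever ADa and ADb differ.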
B.4.7. Corresponding ANSI-C initializers | B.4.7. Corresponding C programming language initializers | |||
const uint8_t tc_PRS[] = { | const unsigned char tc_PRS[] = { | |||
0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, | 0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, | |||
}; | }; | |||
const uint8_t tc_CI[] = { | const unsigned char tc_CI[] = { | |||
0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a, | 0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a, | |||
0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72, | 0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72, | |||
}; | }; | |||
const uint8_t tc_sid[] = { | const unsigned char tc_sid[] = { | |||
0x52,0x23,0xe0,0xcd,0xc4,0x5d,0x65,0x75,0x66,0x8d,0x64,0xc5, | 0x52,0x23,0xe0,0xcd,0xc4,0x5d,0x65,0x75,0x66,0x8d,0x64,0xc5, | |||
0x52,0x00,0x41,0x24, | 0x52,0x00,0x41,0x24, | |||
}; | }; | |||
const uint8_t tc_g[] = { | const unsigned char tc_g[] = { | |||
0x68,0x2d,0x1a,0x4f,0x49,0xfc,0x2a,0x48,0x34,0x35,0x6a,0xe4, | 0x68,0x2d,0x1a,0x4f,0x49,0xfc,0x2a,0x48,0x34,0x35,0x6a,0xe4, | |||
0xd7,0xf5,0x86,0x36,0xbc,0x94,0x81,0x52,0x1c,0x84,0x5e,0x66, | 0xd7,0xf5,0x86,0x36,0xbc,0x94,0x81,0x52,0x1c,0x84,0x5e,0x66, | |||
0xe6,0xfb,0x0b,0x29,0x69,0x34,0x1d,0xf4,0x5f,0xba,0xea,0xea, | 0xe6,0xfb,0x0b,0x29,0x69,0x34,0x1d,0xf4,0x5f,0xba,0xea,0xea, | |||
0x9e,0x22,0x21,0xb3,0xf5,0xba,0xbc,0x54,0xc5,0xf8,0xce,0x45, | 0x9e,0x22,0x21,0xb3,0xf5,0xba,0xbc,0x54,0xc5,0xf8,0xce,0x45, | |||
0x69,0x88,0xff,0xc5,0x19,0xde,0xfa,0xeb, | 0x69,0x88,0xff,0xc5,0x19,0xde,0xfa,0xeb, | |||
}; | }; | |||
const uint8_t tc_ya[] = { | const unsigned char tc_ya[] = { | |||
0xd8,0xd2,0xe2,0x6c,0x82,0x1a,0x12,0xd7,0xf5,0x9a,0x8d,0xee, | 0x33,0xd5,0x61,0xf1,0x3c,0xfc,0x0d,0xca,0x27,0x9c,0x30,0xe8, | |||
0x02,0x3d,0x3f,0x61,0x55,0x97,0x61,0x52,0xe1,0x6c,0x73,0xcb, | 0xcd,0xe8,0x95,0x17,0x5d,0xc2,0x54,0x83,0x89,0x28,0x19,0xeb, | |||
0xf6,0x8c,0x30,0x3d,0xf0,0x40,0x43,0x99,0xf0,0xa7,0xb6,0x14, | 0xa1,0x32,0xd5,0x8c,0x13,0xc0,0x46,0x2a,0x8e,0xb0,0xd7,0x3f, | |||
0xa6,0x5d,0xf5,0x0a,0x97,0x88,0xf0,0x0b,0x41,0x05,0x86,0xb4, | 0xda,0x94,0x19,0x50,0x59,0x4b,0xef,0x51,0x91,0xd8,0x39,0x46, | |||
0x43,0xf7,0x38,0xad,0x7f,0xf0,0x39,0x30, | 0x91,0xf8,0x6e,0xdf,0xfc,0xad,0x6c,0x1e, | |||
}; | }; | |||
const uint8_t tc_ADa[] = { | const unsigned char tc_ADa[] = { | |||
0x41,0x44,0x61, | 0x41,0x44,0x61, | |||
}; | }; | |||
const uint8_t tc_Ya[] = { | const unsigned char tc_Ya[] = { | |||
0xd4,0xb8,0x7d,0x2f,0xcd,0xca,0xc1,0x09,0x6d,0xba,0x18,0x98, | 0xe2,0x33,0x86,0x75,0x40,0x31,0x9e,0xc8,0x6e,0xae,0xcc,0x09, | |||
0x36,0x1f,0x27,0xe2,0x9d,0xc1,0xe0,0x19,0xf7,0x4f,0x84,0xa7, | 0xa8,0x5d,0xec,0x23,0x37,0x45,0xdb,0x72,0x9f,0x61,0xc3,0x6b, | |||
0x11,0x99,0xbf,0xd3,0xdc,0x8d,0x09,0xd2,0xb8,0x23,0x03,0x8f, | 0xde,0x14,0xc0,0x34,0x20,0x09,0x94,0xfc,0x4b,0x6e,0x8d,0x26, | |||
0x57,0x9f,0x51,0x75,0x91,0x47,0x4b,0xe3,0x66,0x96,0x8e,0x2f, | 0x30,0x08,0xc1,0x69,0x58,0x5f,0xd1,0xd1,0x86,0xd8,0xac,0x56, | |||
0xb5,0x99,0xbf,0x14,0xe5,0x57,0x04,0xf4, | 0x0c,0xb9,0xf7,0xad,0x0d,0x16,0x69,0x65, | |||
}; | }; | |||
const uint8_t tc_yb[] = { | const unsigned char tc_yb[] = { | |||
0x91,0xba,0xe9,0x79,0x3f,0x4a,0x8a,0xce,0xb1,0xb5,0xc5,0x43, | 0x25,0x23,0xc9,0x69,0xf6,0x8f,0xa2,0xb2,0xae,0xa2,0x94,0xc2, | |||
0x75,0xa7,0xed,0x18,0x58,0xa7,0x9a,0x6e,0x72,0xda,0xb9,0x59, | 0x53,0x9e,0xf3,0x6e,0xb1,0xe0,0x55,0x8a,0xbd,0x14,0x71,0x2a, | |||
0xc8,0xbd,0xf3,0xa7,0x5a,0xc9,0xbb,0x4d,0xe2,0xa2,0x5a,0xf4, | 0x78,0x28,0xf1,0x6a,0x85,0xed,0x2c,0x7e,0x77,0xe2,0xbd,0xd4, | |||
0xd4,0xa9,0xa5,0xc5,0xbc,0x54,0x41,0xd1,0x9b,0x8e,0x3f,0x6f, | 0x18,0x99,0x44,0x05,0xfb,0x1b,0x57,0xb6,0xbb,0xaa,0xdd,0x66, | |||
0xcc,0xe7,0x19,0x6c,0x6a,0xfc,0x22,0x36, | 0x84,0x98,0x92,0xaa,0xc9,0xd8,0x14,0x02, | |||
}; | }; | |||
const uint8_t tc_ADb[] = { | const unsigned char tc_ADb[] = { | |||
0x41,0x44,0x62, | 0x41,0x44,0x62, | |||
}; | }; | |||
const uint8_t tc_Yb[] = { | const unsigned char tc_Yb[] = { | |||
0xd6,0x1c,0x6c,0x03,0x9c,0x01,0x56,0x0e,0x8b,0x19,0xb8,0x29, | 0x50,0x62,0xa0,0xf3,0x34,0x78,0x91,0x4b,0xf1,0x62,0xa8,0x0d, | |||
0x9f,0xb3,0x95,0x13,0xf3,0x93,0x02,0xee,0xbd,0x4c,0x46,0x26, | 0xad,0x39,0xb5,0xb2,0x66,0xc1,0xdd,0x02,0xf4,0x08,0x57,0x3b, | |||
0x94,0xa3,0x31,0x55,0xa3,0xa3,0x87,0xe4,0x4a,0xa6,0x13,0x64, | 0x41,0x82,0x7e,0x38,0x59,0x9b,0x68,0x2a,0xfb,0xf7,0xa0,0x73, | |||
0x7f,0xcf,0x63,0x03,0xf9,0x18,0xba,0xd5,0x98,0xaa,0xab,0x53, | 0x5a,0xdf,0xd6,0x8c,0x39,0xab,0x49,0x94,0xfd,0x1b,0x03,0x48, | |||
0xbe,0xa8,0x49,0xb9,0xfd,0x14,0xda,0x74, | 0x46,0x27,0x0e,0x38,0x33,0x2b,0x4d,0xa9, | |||
}; | }; | |||
const uint8_t tc_K[] = { | const unsigned char tc_K[] = { | |||
0xe4,0x34,0xcd,0xa1,0x78,0x3d,0xda,0xae,0xf0,0x8f,0xc1,0xd5, | 0xdc,0x9e,0xde,0xf7,0xc1,0x27,0xe7,0x9d,0x32,0xf2,0x58,0x4f, | |||
0xf2,0x20,0x1f,0x15,0x40,0xfb,0xc2,0x95,0xfe,0x2d,0xd7,0xcc, | 0x9f,0xcd,0x32,0x69,0x17,0x4f,0xe3,0x22,0x26,0xc2,0x08,0x29, | |||
0x38,0xf2,0x03,0x85,0x64,0x82,0x4c,0x98,0xdb,0xbe,0x19,0x78, | 0x63,0x87,0x9a,0x6d,0xea,0xfe,0xfb,0x9c,0x14,0xef,0xce,0xe9, | |||
0xf1,0x21,0xbd,0xfe,0xad,0x8e,0x1a,0x63,0x89,0x13,0xa6,0x95, | 0xfc,0x12,0x45,0x91,0x7a,0xd3,0x65,0x80,0x37,0xd2,0xd6,0x2a, | |||
0x2c,0xbe,0xc5,0x48,0x67,0xeb,0x77,0x0a, | 0xff,0x2d,0x3f,0x76,0xfa,0x4f,0xca,0x99, | |||
}; | }; | |||
const uint8_t tc_ISK_IR[] = { | const unsigned char tc_ISK_IR[] = { | |||
0x13,0x63,0x6d,0xc9,0xb7,0xd2,0x33,0xac,0x24,0xa2,0xd5,0xc4, | 0xa7,0x52,0x61,0x2f,0xe6,0xde,0xc5,0x42,0xe9,0x66,0x29,0xa6, | |||
0xa8,0x5a,0x72,0xfe,0x20,0x14,0x5f,0x7a,0x47,0xad,0x51,0xca, | 0xeb,0x68,0xec,0xb9,0xbf,0xe2,0x25,0x72,0x24,0x97,0x5e,0x91, | |||
0xb4,0x0e,0x08,0x7c,0x05,0x78,0x31,0xb6,0x9e,0xe5,0x9b,0x9c, | 0x60,0x35,0xae,0xe7,0x47,0xc6,0xab,0xa3,0x2a,0xf2,0xe6,0xfe, | |||
0x82,0x87,0x32,0xbd,0xe1,0x71,0xcf,0xca,0x99,0xaf,0xda,0x48, | 0x25,0xee,0xb9,0x62,0x61,0xe6,0x14,0x01,0x00,0xed,0xcf,0x95, | |||
0x52,0xbc,0xaf,0x04,0xfe,0x9f,0x0a,0x97,0x59,0x2c,0xdf,0x5e, | 0x68,0x6e,0x0a,0xaa,0x13,0x40,0x26,0xb4,0xb5,0x25,0x4f,0xd2, | |||
0x2c,0x9a,0x59,0x48, | 0x71,0xb7,0xa4,0xda, | |||
}; | }; | |||
const uint8_t tc_ISK_SY[] = { | const unsigned char tc_ISK_SY[] = { | |||
0x99,0x9e,0x8f,0x84,0x86,0x67,0x0b,0xc1,0xbf,0x87,0x4a,0x4d, | 0xe6,0xc7,0x9d,0x30,0xd4,0x38,0x1a,0x45,0xbd,0x47,0xb1,0x4b, | |||
0x8f,0x14,0x96,0xb9,0xeb,0xd8,0x90,0x9e,0xb0,0x1c,0xf4,0x6b, | 0x76,0x9d,0x41,0x35,0x42,0x11,0xaf,0xf5,0x53,0xec,0xe9,0x37, | |||
0x27,0x5e,0xc9,0x42,0x2f,0x22,0x59,0x30,0x64,0xb2,0x72,0xba, | 0xd4,0xac,0x13,0x4f,0x09,0x84,0x48,0x96,0xc7,0x2a,0x72,0x3b, | |||
0x9e,0x9e,0x20,0x1a,0x4a,0x34,0xa1,0x87,0x29,0xe4,0x88,0x59, | 0x1f,0x1b,0x6d,0xa1,0xab,0x28,0x1d,0x75,0x9a,0x15,0x62,0x4d, | |||
0xa2,0xd0,0x38,0xc7,0xc8,0xcf,0x0a,0x0f,0xe8,0xa9,0x0d,0xdc, | 0x2b,0xcd,0x0e,0x42,0x3b,0x70,0xb8,0xb8,0x50,0xa4,0xd0,0xed, | |||
0xbd,0xde,0x11,0x26, | 0x12,0x6a,0x30,0x26, | |||
}; | }; | |||
B.4.8. Test case for scalar_mult with valid inputs | B.4.8. Test case for scalar_mult with valid inputs | |||
s: (length: 56 bytes) | s: (length: 56 bytes) | |||
dd1bc7015daabb7672129cc35a3ba815486b139deff9bdeca7a4fc61 | dd1bc7015daabb7672129cc35a3ba815486b139deff9bdeca7a4fc61 | |||
34323d34658761e90ff079972a7ca8aa5606498f4f4f0ebc0933a819 | 34323d34658761e90ff079972a7ca8aa5606498f4f4f0ebc0933a819 | |||
X: (length: 56 bytes) | X: (length: 56 bytes) | |||
601431d5e51f43d422a92d3fb2373bde28217aab42524c341aa404ea | 601431d5e51f43d422a92d3fb2373bde28217aab42524c341aa404ea | |||
ba5aa5541f7042dbb3253ce4c90f772b038a413dcb3a0f6bf3ae9e21 | ba5aa5541f7042dbb3253ce4c90f772b038a413dcb3a0f6bf3ae9e21 | |||
skipping to change at page 54, line 36 ¶ | skipping to change at page 55, line 36 ¶ | |||
Inputs | Inputs | |||
ADa = b'ADa' | ADa = b'ADa' | |||
ya (big endian): (length: 32 bytes) | ya (big endian): (length: 32 bytes) | |||
37574cfbf1b95ff6a8e2d7be462d4d01e6dde2618f34f4de9df869b2 | 37574cfbf1b95ff6a8e2d7be462d4d01e6dde2618f34f4de9df869b2 | |||
4f532c5d | 4f532c5d | |||
Outputs | Outputs | |||
Ya: (length: 65 bytes) | Ya: (length: 65 bytes) | |||
04b75c1bcda84a0f324aabb7f25cf853ed7fb327c33f23db6aeb320d | 04b75c1bcda84a0f324aabb7f25cf853ed7fb327c33f23db6aeb320d | |||
81df014649c2ac691925fce0eceac7dbc75eca25e6a1558066a610b4 | 81df014649c2ac691925fce0eceac7dbc75eca25e6a1558066a610b4 | |||
021488279e3b989d52 | 021488279e3b989d52 | |||
Alternative correct value for Ya: g^(-ya): | Alternative correct value for Ya: g*(-ya): | |||
(length: 65 bytes) | (length: 65 bytes) | |||
04b75c1bcda84a0f324aabb7f25cf853ed7fb327c33f23db6aeb320d | 04b75c1bcda84a0f324aabb7f25cf853ed7fb327c33f23db6aeb320d | |||
81df0146493d5396e5da031f1415382438a135da195eaa7f9a59ef4b | 81df0146493d5396e5da031f1415382438a135da195eaa7f9a59ef4b | |||
fdeb77d861c46762ad | fdeb77d861c46762ad | |||
MSGa = lv_cat(Ya,ADa): (length: 70 bytes) | MSGa = lv_cat(Ya,ADa): (length: 70 bytes) | |||
4104b75c1bcda84a0f324aabb7f25cf853ed7fb327c33f23db6aeb32 | 4104b75c1bcda84a0f324aabb7f25cf853ed7fb327c33f23db6aeb32 | |||
0d81df014649c2ac691925fce0eceac7dbc75eca25e6a1558066a610 | 0d81df014649c2ac691925fce0eceac7dbc75eca25e6a1558066a610 | |||
b4021488279e3b989d5203414461 | b4021488279e3b989d5203414461 | |||
B.5.3. Test vector for MSGb | B.5.3. Test vector for MSGb | |||
Inputs | Inputs | |||
ADb = b'ADb' | ADb = b'ADb' | |||
yb (big endian): (length: 32 bytes) | yb (big endian): (length: 32 bytes) | |||
e5672fc9eb4e721f41d80181ec4c9fd9886668acc48024d33c82bb10 | e5672fc9eb4e721f41d80181ec4c9fd9886668acc48024d33c82bb10 | |||
2aecba52 | 2aecba52 | |||
Outputs | Outputs | |||
Yb: (length: 65 bytes) | Yb: (length: 65 bytes) | |||
04bb2783a57337e74671f76452876b27839c0ea9e044e3aadaad2e64 | 04bb2783a57337e74671f76452876b27839c0ea9e044e3aadaad2e64 | |||
777ed27a90e80a99438e2f1c072462f2895c6dadf1b43867b92ffb65 | 777ed27a90e80a99438e2f1c072462f2895c6dadf1b43867b92ffb65 | |||
562b78c793947dcada | 562b78c793947dcada | |||
Alternative correct value for Yb: g^(-yb): | Alternative correct value for Yb: g*(-yb): | |||
(length: 65 bytes) | (length: 65 bytes) | |||
04bb2783a57337e74671f76452876b27839c0ea9e044e3aadaad2e64 | 04bb2783a57337e74671f76452876b27839c0ea9e044e3aadaad2e64 | |||
777ed27a9017f566bb71d0e3f9db9d0d76a392520e4bc79847d0049a | 777ed27a9017f566bb71d0e3f9db9d0d76a392520e4bc79847d0049a | |||
a9d487386c6b823525 | a9d487386c6b823525 | |||
MSGb = lv_cat(Yb,ADb): (length: 70 bytes) | MSGb = lv_cat(Yb,ADb): (length: 70 bytes) | |||
4104bb2783a57337e74671f76452876b27839c0ea9e044e3aadaad2e | 4104bb2783a57337e74671f76452876b27839c0ea9e044e3aadaad2e | |||
64777ed27a90e80a99438e2f1c072462f2895c6dadf1b43867b92ffb | 64777ed27a90e80a99438e2f1c072462f2895c6dadf1b43867b92ffb | |||
65562b78c793947dcada03414462 | 65562b78c793947dcada03414462 | |||
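The "alternative correct value" lines above (g*(-ya) for Ya, g*(-yb) for Yb) can be checked directly from the printed hex: on a short-Weierstrass curve such as P-256 the negation of a point keeps the x coordinate and replaces y by p - y. The following is an added example, not code from the draft or its reference implementation; the point values are copied from the vectors in B.5.2 and B.5.3, the curve constants are the standard P-256 p and b, and the function names are the example's own.

```python
# Added example: verify the "alternative correct value" relationship for the
# P-256 test vectors (same x, y replaced by p - y) and that both encodings
# are valid curve points.  Not part of the draft.

# Standard P-256 parameters (field prime and curve coefficient b; a = -3).
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b

# Ya and its alternative value, copied from B.5.2 above.
YA = bytes.fromhex(
    "04b75c1bcda84a0f324aabb7f25cf853ed7fb327c33f23db6aeb320d"
    "81df014649c2ac691925fce0eceac7dbc75eca25e6a1558066a610b4"
    "021488279e3b989d52")
YA_ALT = bytes.fromhex(
    "04b75c1bcda84a0f324aabb7f25cf853ed7fb327c33f23db6aeb320d"
    "81df0146493d5396e5da031f1415382438a135da195eaa7f9a59ef4b"
    "fdeb77d861c46762ad")

# Yb and its alternative value, copied from B.5.3 above.
YB = bytes.fromhex(
    "04bb2783a57337e74671f76452876b27839c0ea9e044e3aadaad2e64"
    "777ed27a90e80a99438e2f1c072462f2895c6dadf1b43867b92ffb65"
    "562b78c793947dcada")
YB_ALT = bytes.fromhex(
    "04bb2783a57337e74671f76452876b27839c0ea9e044e3aadaad2e64"
    "777ed27a9017f566bb71d0e3f9db9d0d76a392520e4bc79847d0049a"
    "a9d487386c6b823525")


def decode_uncompressed(point):
    """Parse the SEC1 uncompressed encoding 0x04 || x || y (32-byte coords)."""
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed P-256 point")
    return int.from_bytes(point[1:33], "big"), int.from_bytes(point[33:], "big")


def encode_uncompressed(x, y):
    """Inverse of decode_uncompressed."""
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def is_on_curve(point):
    """Check y^2 == x^3 - 3x + b (mod p) for the encoded point."""
    x, y = decode_uncompressed(point)
    return (y * y - (x ** 3 - 3 * x + P256_B)) % P256_P == 0


def negate_point(point):
    """Return the encoding of -P: same x, y -> p - y (mod p)."""
    x, y = decode_uncompressed(point)
    return encode_uncompressed(x, (-y) % P256_P)


def check_alternative(point, alt):
    """True iff both encodings are on the curve and alt is exactly -point."""
    return is_on_curve(point) and is_on_curve(alt) and negate_point(point) == alt


if __name__ == "__main__":
    print("Ya / g*(-ya) consistent:", check_alternative(YA, YA_ALT))
    print("Yb / g*(-yb) consistent:", check_alternative(YB, YB_ALT))
```

Because negation does not change x, an implementation that only transmits or compares the x coordinate cannot tell the two values apart; the on-curve check is the useful sanity test to run on any vector before feeding it to scalar_mult_vfy.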
B.5.4. Test vector for secret points K | B.5.4. Test vector for secret points K | |||
skipping to change at page 57, line 4 ¶ | skipping to change at page 58, line 4 ¶ | |||
320d81df014649c2ac691925fce0eceac7dbc75eca25e6a1558066a6 | 320d81df014649c2ac691925fce0eceac7dbc75eca25e6a1558066a6 | |||
10b4021488279e3b989d52034144614104bb2783a57337e74671f764 | 10b4021488279e3b989d52034144614104bb2783a57337e74671f764 | |||
52876b27839c0ea9e044e3aadaad2e64777ed27a90e80a99438e2f1c | 52876b27839c0ea9e044e3aadaad2e64777ed27a90e80a99438e2f1c | |||
072462f2895c6dadf1b43867b92ffb65562b78c793947dcada034144 | 072462f2895c6dadf1b43867b92ffb65562b78c793947dcada034144 | |||
62 | 62 | |||
ISK result: (length: 32 bytes) | ISK result: (length: 32 bytes) | |||
7ae1e916606e44652e3c0d7231198af6519226339c241e546afd0bbf | 7ae1e916606e44652e3c0d7231198af6519226339c241e546afd0bbf | |||
48e1c96a | 48e1c96a | |||
B.5.6. Test vector for ISK calculation parallel execution | B.5.6. Test vector for ISK calculation parallel execution | |||
ordered cat of transcript : (length: 140 bytes) | ordered cat of transcript : (length: 142 bytes) | |||
4104bb2783a57337e74671f76452876b27839c0ea9e044e3aadaad2e | 6f634104bb2783a57337e74671f76452876b27839c0ea9e044e3aada | |||
64777ed27a90e80a99438e2f1c072462f2895c6dadf1b43867b92ffb | ad2e64777ed27a90e80a99438e2f1c072462f2895c6dadf1b43867b9 | |||
65562b78c793947dcada034144624104b75c1bcda84a0f324aabb7f2 | 2ffb65562b78c793947dcada034144624104b75c1bcda84a0f324aab | |||
5cf853ed7fb327c33f23db6aeb320d81df014649c2ac691925fce0ec | b7f25cf853ed7fb327c33f23db6aeb320d81df014649c2ac691925fc | |||
eac7dbc75eca25e6a1558066a610b4021488279e3b989d5203414461 | e0eceac7dbc75eca25e6a1558066a610b4021488279e3b989d520341 | |||
4461 | ||||
DSI = G.DSI_ISK, b'CPaceP256_XMD:SHA-256_SSWU_NU__ISK': | DSI = G.DSI_ISK, b'CPaceP256_XMD:SHA-256_SSWU_NU__ISK': | |||
(length: 34 bytes) | (length: 34 bytes) | |||
4350616365503235365f584d443a5348412d3235365f535357555f4e | 4350616365503235365f584d443a5348412d3235365f535357555f4e | |||
555f5f49534b | 555f5f49534b | |||
lv_cat(DSI,sid,K)||oCAT(MSGa,MSGb): (length: 225 bytes) | lv_cat(DSI,sid,K)||o_cat(MSGa,MSGb): (length: 227 bytes) | |||
224350616365503235365f584d443a5348412d3235365f535357555f | 224350616365503235365f584d443a5348412d3235365f535357555f | |||
4e555f5f49534b1034b36454cab2e7842c389f7d88ecb7df208fd12b | 4e555f5f49534b1034b36454cab2e7842c389f7d88ecb7df208fd12b | |||
283805750aeee6151bcd4211a6b71019e8fc416293ade24ed2bce12c | 283805750aeee6151bcd4211a6b71019e8fc416293ade24ed2bce12c | |||
394104bb2783a57337e74671f76452876b27839c0ea9e044e3aadaad | 396f634104bb2783a57337e74671f76452876b27839c0ea9e044e3aa | |||
2e64777ed27a90e80a99438e2f1c072462f2895c6dadf1b43867b92f | daad2e64777ed27a90e80a99438e2f1c072462f2895c6dadf1b43867 | |||
fb65562b78c793947dcada034144624104b75c1bcda84a0f324aabb7 | b92ffb65562b78c793947dcada034144624104b75c1bcda84a0f324a | |||
f25cf853ed7fb327c33f23db6aeb320d81df014649c2ac691925fce0 | abb7f25cf853ed7fb327c33f23db6aeb320d81df014649c2ac691925 | |||
eceac7dbc75eca25e6a1558066a610b4021488279e3b989d52034144 | fce0eceac7dbc75eca25e6a1558066a610b4021488279e3b989d5203 | |||
61 | 414461 | |||
ISK result: (length: 32 bytes) | ISK result: (length: 32 bytes) | |||
c5b4e6d44f5bbb7637a77ec67afd768a1343c410f7e1f76f6549eb00 | 5600a5c5bea5e92695dd68bd33d7f7b58326199c27c9b7326d76e4f9 | |||
2623c0f1 | cb2fb276 | |||
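The diff in B.5.6 shows the one substantive change between -10 and -11 in these vectors: the ordered transcript for parallel execution grows by two bytes (140 to 142, and the hash input from 225 to 227) because the -11 o_cat prepends the ASCII tag "oc" (0x6f 0x63) before the lexicographically larger message. The following is an added example, not code from the draft or its reference implementation, that rebuilds the hash input from the Ya, Yb, ADa, ADb, sid and K values printed in this section for both drafts. The LEB128-style length prefix in prepend_len is the example author's reading of lv_cat (every length here is below 128, so only the one-byte case is exercised), and the final isk() assumes that for this suite ISK is plain SHA-256 over the shown input; the function names are the example's own.

```python
# Added example: rebuild "lv_cat(DSI,sid,K)||o_cat(MSGa,MSGb)" from the
# B.5 test vector inputs and show the -10 vs -11 difference in o_cat.
# Not part of the draft.
import hashlib


def prepend_len(data):
    """Length prefix used by lv_cat.  Assumed here to be a LEB128 varint
    (7 bits per byte, high bit set on all but the last byte)."""
    n = len(data)
    out = bytearray()
    while True:
        low = n & 0x7F
        n >>= 7
        if n:
            out.append(low | 0x80)
        else:
            out.append(low)
            break
    return bytes(out) + data


def lv_cat(*items):
    """Length-value concatenation of each item."""
    return b"".join(prepend_len(item) for item in items)


def o_cat_draft10(m1, m2):
    """Draft -10 ordered concatenation: lexicographically larger string first."""
    return m1 + m2 if m1 > m2 else m2 + m1


def o_cat(m1, m2):
    """Draft -11 ordered concatenation: same order, tagged with b"oc"."""
    return b"oc" + o_cat_draft10(m1, m2)


# Inputs copied from the B.5 vectors above.
DSI_ISK = b"CPaceP256_XMD:SHA-256_SSWU_NU__ISK"
SID = bytes.fromhex("34b36454cab2e7842c389f7d88ecb7df")
K = bytes.fromhex(
    "8fd12b283805750aeee6151bcd4211a6b71019e8fc416293ade24ed2bce12c39")
ADA, ADB = b"ADa", b"ADb"
YA = bytes.fromhex(
    "04b75c1bcda84a0f324aabb7f25cf853ed7fb327c33f23db6aeb320d"
    "81df014649c2ac691925fce0eceac7dbc75eca25e6a1558066a610b4"
    "021488279e3b989d52")
YB = bytes.fromhex(
    "04bb2783a57337e74671f76452876b27839c0ea9e044e3aadaad2e64"
    "777ed27a90e80a99438e2f1c072462f2895c6dadf1b43867b92ffb65"
    "562b78c793947dcada")


def isk_input(draft11=True):
    """lv_cat(DSI,sid,K) || transcript for the parallel (unordered) setting."""
    msga, msgb = lv_cat(YA, ADA), lv_cat(YB, ADB)
    transcript = o_cat(msga, msgb) if draft11 else o_cat_draft10(msga, msgb)
    return lv_cat(DSI_ISK, SID, K) + transcript


def isk(draft11=True):
    """ISK = H(lv_cat(DSI,sid,K) || transcript), assuming H = SHA-256 here."""
    return hashlib.sha256(isk_input(draft11)).digest()


if __name__ == "__main__":
    for d11 in (False, True):
        data = isk_input(d11)
        print("draft-%s: %d bytes, ISK = %s"
              % ("11" if d11 else "10", len(data), isk(d11).hex()))
```

Run it and compare the two hash inputs with the left and right columns above; the 85-byte lv_cat(DSI,sid,K) prefix is identical, and the "6f63" tag appears at offset 85 only in the -11 output. The ISK digests printed can be compared with the two "ISK result" values shown in B.5.6.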
B.5.7. Corresponding ANSI-C initializers | B.5.7. Corresponding C programming language initializers | |||
const uint8_t tc_PRS[] = { | const unsigned char tc_PRS[] = { | |||
0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, | 0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, | |||
}; | }; | |||
const uint8_t tc_CI[] = { | const unsigned char tc_CI[] = { | |||
0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a, | 0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a, | |||
0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72, | 0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72, | |||
}; | }; | |||
const uint8_t tc_sid[] = { | const unsigned char tc_sid[] = { | |||
0x34,0xb3,0x64,0x54,0xca,0xb2,0xe7,0x84,0x2c,0x38,0x9f,0x7d, | 0x34,0xb3,0x64,0x54,0xca,0xb2,0xe7,0x84,0x2c,0x38,0x9f,0x7d, | |||
0x88,0xec,0xb7,0xdf, | 0x88,0xec,0xb7,0xdf, | |||
}; | }; | |||
const uint8_t tc_g[] = { | const unsigned char tc_g[] = { | |||
0x04,0x1b,0x51,0x43,0x31,0x14,0xe0,0x96,0xc9,0xd5,0x95,0xf0, | 0x04,0x1b,0x51,0x43,0x31,0x14,0xe0,0x96,0xc9,0xd5,0x95,0xf0, | |||
0x95,0x5f,0x57,0x17,0xa7,0x51,0x69,0xaf,0xb9,0x55,0x57,0xf4, | 0x95,0x5f,0x57,0x17,0xa7,0x51,0x69,0xaf,0xb9,0x55,0x57,0xf4, | |||
0xa6,0xf5,0x11,0x55,0x03,0x5d,0xee,0x19,0xc7,0x68,0x87,0xbc, | 0xa6,0xf5,0x11,0x55,0x03,0x5d,0xee,0x19,0xc7,0x68,0x87,0xbc, | |||
0xe5,0xc7,0xc0,0x54,0xfa,0x1f,0xe4,0x8a,0x4a,0x62,0xc7,0xfb, | 0xe5,0xc7,0xc0,0x54,0xfa,0x1f,0xe4,0x8a,0x4a,0x62,0xc7,0xfb, | |||
0x96,0xdc,0x75,0xe3,0x42,0x59,0xd2,0xf7,0x2b,0x8d,0x41,0xf3, | 0x96,0xdc,0x75,0xe3,0x42,0x59,0xd2,0xf7,0x2b,0x8d,0x41,0xf3, | |||
0x1b,0x8e,0x58,0x6b,0xcd, | 0x1b,0x8e,0x58,0x6b,0xcd, | |||
}; | }; | |||
const uint8_t tc_ya[] = { | const unsigned char tc_ya[] = { | |||
0x37,0x57,0x4c,0xfb,0xf1,0xb9,0x5f,0xf6,0xa8,0xe2,0xd7,0xbe, | 0x37,0x57,0x4c,0xfb,0xf1,0xb9,0x5f,0xf6,0xa8,0xe2,0xd7,0xbe, | |||
0x46,0x2d,0x4d,0x01,0xe6,0xdd,0xe2,0x61,0x8f,0x34,0xf4,0xde, | 0x46,0x2d,0x4d,0x01,0xe6,0xdd,0xe2,0x61,0x8f,0x34,0xf4,0xde, | |||
0x9d,0xf8,0x69,0xb2,0x4f,0x53,0x2c,0x5d, | 0x9d,0xf8,0x69,0xb2,0x4f,0x53,0x2c,0x5d, | |||
}; | }; | |||
const uint8_t tc_ADa[] = { | const unsigned char tc_ADa[] = { | |||
0x41,0x44,0x61, | 0x41,0x44,0x61, | |||
}; | }; | |||
const uint8_t tc_Ya[] = { | const unsigned char tc_Ya[] = { | |||
0x04,0xb7,0x5c,0x1b,0xcd,0xa8,0x4a,0x0f,0x32,0x4a,0xab,0xb7, | 0x04,0xb7,0x5c,0x1b,0xcd,0xa8,0x4a,0x0f,0x32,0x4a,0xab,0xb7, | |||
0xf2,0x5c,0xf8,0x53,0xed,0x7f,0xb3,0x27,0xc3,0x3f,0x23,0xdb, | 0xf2,0x5c,0xf8,0x53,0xed,0x7f,0xb3,0x27,0xc3,0x3f,0x23,0xdb, | |||
0x6a,0xeb,0x32,0x0d,0x81,0xdf,0x01,0x46,0x49,0xc2,0xac,0x69, | 0x6a,0xeb,0x32,0x0d,0x81,0xdf,0x01,0x46,0x49,0xc2,0xac,0x69, | |||
0x19,0x25,0xfc,0xe0,0xec,0xea,0xc7,0xdb,0xc7,0x5e,0xca,0x25, | 0x19,0x25,0xfc,0xe0,0xec,0xea,0xc7,0xdb,0xc7,0x5e,0xca,0x25, | |||
0xe6,0xa1,0x55,0x80,0x66,0xa6,0x10,0xb4,0x02,0x14,0x88,0x27, | 0xe6,0xa1,0x55,0x80,0x66,0xa6,0x10,0xb4,0x02,0x14,0x88,0x27, | |||
0x9e,0x3b,0x98,0x9d,0x52, | 0x9e,0x3b,0x98,0x9d,0x52, | |||
}; | }; | |||
const uint8_t tc_yb[] = { | const unsigned char tc_yb[] = { | |||
0xe5,0x67,0x2f,0xc9,0xeb,0x4e,0x72,0x1f,0x41,0xd8,0x01,0x81, | 0xe5,0x67,0x2f,0xc9,0xeb,0x4e,0x72,0x1f,0x41,0xd8,0x01,0x81, | |||
0xec,0x4c,0x9f,0xd9,0x88,0x66,0x68,0xac,0xc4,0x80,0x24,0xd3, | 0xec,0x4c,0x9f,0xd9,0x88,0x66,0x68,0xac,0xc4,0x80,0x24,0xd3, | |||
0x3c,0x82,0xbb,0x10,0x2a,0xec,0xba,0x52, | 0x3c,0x82,0xbb,0x10,0x2a,0xec,0xba,0x52, | |||
}; | }; | |||
const uint8_t tc_ADb[] = { | const unsigned char tc_ADb[] = { | |||
0x41,0x44,0x62, | 0x41,0x44,0x62, | |||
}; | }; | |||
const uint8_t tc_Yb[] = { | const unsigned char tc_Yb[] = { | |||
0x04,0xbb,0x27,0x83,0xa5,0x73,0x37,0xe7,0x46,0x71,0xf7,0x64, | 0x04,0xbb,0x27,0x83,0xa5,0x73,0x37,0xe7,0x46,0x71,0xf7,0x64, | |||
0x52,0x87,0x6b,0x27,0x83,0x9c,0x0e,0xa9,0xe0,0x44,0xe3,0xaa, | 0x52,0x87,0x6b,0x27,0x83,0x9c,0x0e,0xa9,0xe0,0x44,0xe3,0xaa, | |||
0xda,0xad,0x2e,0x64,0x77,0x7e,0xd2,0x7a,0x90,0xe8,0x0a,0x99, | 0xda,0xad,0x2e,0x64,0x77,0x7e,0xd2,0x7a,0x90,0xe8,0x0a,0x99, | |||
0x43,0x8e,0x2f,0x1c,0x07,0x24,0x62,0xf2,0x89,0x5c,0x6d,0xad, | 0x43,0x8e,0x2f,0x1c,0x07,0x24,0x62,0xf2,0x89,0x5c,0x6d,0xad, | |||
0xf1,0xb4,0x38,0x67,0xb9,0x2f,0xfb,0x65,0x56,0x2b,0x78,0xc7, | 0xf1,0xb4,0x38,0x67,0xb9,0x2f,0xfb,0x65,0x56,0x2b,0x78,0xc7, | |||
0x93,0x94,0x7d,0xca,0xda, | 0x93,0x94,0x7d,0xca,0xda, | |||
}; | }; | |||
const uint8_t tc_K[] = { | const unsigned char tc_K[] = { | |||
0x8f,0xd1,0x2b,0x28,0x38,0x05,0x75,0x0a,0xee,0xe6,0x15,0x1b, | 0x8f,0xd1,0x2b,0x28,0x38,0x05,0x75,0x0a,0xee,0xe6,0x15,0x1b, | |||
0xcd,0x42,0x11,0xa6,0xb7,0x10,0x19,0xe8,0xfc,0x41,0x62,0x93, | 0xcd,0x42,0x11,0xa6,0xb7,0x10,0x19,0xe8,0xfc,0x41,0x62,0x93, | |||
0xad,0xe2,0x4e,0xd2,0xbc,0xe1,0x2c,0x39, | 0xad,0xe2,0x4e,0xd2,0xbc,0xe1,0x2c,0x39, | |||
}; | }; | |||
const uint8_t tc_ISK_IR[] = { | const unsigned char tc_ISK_IR[] = { | |||
0x7a,0xe1,0xe9,0x16,0x60,0x6e,0x44,0x65,0x2e,0x3c,0x0d,0x72, | 0x7a,0xe1,0xe9,0x16,0x60,0x6e,0x44,0x65,0x2e,0x3c,0x0d,0x72, | |||
0x31,0x19,0x8a,0xf6,0x51,0x92,0x26,0x33,0x9c,0x24,0x1e,0x54, | 0x31,0x19,0x8a,0xf6,0x51,0x92,0x26,0x33,0x9c,0x24,0x1e,0x54, | |||
0x6a,0xfd,0x0b,0xbf,0x48,0xe1,0xc9,0x6a, | 0x6a,0xfd,0x0b,0xbf,0x48,0xe1,0xc9,0x6a, | |||
}; | }; | |||
const uint8_t tc_ISK_SY[] = { | const unsigned char tc_ISK_SY[] = { | |||
0xc5,0xb4,0xe6,0xd4,0x4f,0x5b,0xbb,0x76,0x37,0xa7,0x7e,0xc6, | 0x56,0x00,0xa5,0xc5,0xbe,0xa5,0xe9,0x26,0x95,0xdd,0x68,0xbd, | |||
0x7a,0xfd,0x76,0x8a,0x13,0x43,0xc4,0x10,0xf7,0xe1,0xf7,0x6f, | 0x33,0xd7,0xf7,0xb5,0x83,0x26,0x19,0x9c,0x27,0xc9,0xb7,0x32, | |||
0x65,0x49,0xeb,0x00,0x26,0x23,0xc0,0xf1, | 0x6d,0x76,0xe4,0xf9,0xcb,0x2f,0xb2,0x76, | |||
}; | }; | |||
B.5.8. Test case for scalar_mult_vfy with correct inputs | B.5.8. Test case for scalar_mult_vfy with correct inputs | |||
s: (length: 32 bytes) | s: (length: 32 bytes) | |||
f012501c091ff9b99a123fffe571d8bc01e8077ee581362e1bd21399 | f012501c091ff9b99a123fffe571d8bc01e8077ee581362e1bd21399 | |||
0835643b | 0835643b | |||
X: (length: 65 bytes) | X: (length: 65 bytes) | |||
0424648eb986c2be0af636455cef0550671d6bcd8aa26e0d72ffa1b1 | 0424648eb986c2be0af636455cef0550671d6bcd8aa26e0d72ffa1b1 | |||
fd12ba4e0f78da2b6d2184f31af39e566aef127014b6936c9a37346d | fd12ba4e0f78da2b6d2184f31af39e566aef127014b6936c9a37346d | |||
10a4ab2514faef5831 | 10a4ab2514faef5831 | |||
skipping to change at page 60, line 32 ¶ | skipping to change at page 61, line 32 ¶ | |||
04f35a925fe82e54350e80b084a8013b1960cb3f73c49b0c2ae9b523 | 04f35a925fe82e54350e80b084a8013b1960cb3f73c49b0c2ae9b523 | |||
997846ddd14c66f24f62223112cf35b866065f91ad86674cce2a2876 | 997846ddd14c66f24f62223112cf35b866065f91ad86674cce2a2876 | |||
84904e49f01287b54666bb518df2ea53cec627fa6e1283f14c6ed4bc | 84904e49f01287b54666bb518df2ea53cec627fa6e1283f14c6ed4bc | |||
d11b33fbb962da3e2e4ff1345c | d11b33fbb962da3e2e4ff1345c | |||
B.6.2. Test vector for MSGa | B.6.2. Test vector for MSGa | |||
Inputs | Inputs | |||
ADa = b'ADa' | ADa = b'ADa' | |||
ya (big endian): (length: 48 bytes) | ya (big endian): (length: 48 bytes) | |||
7d5bc6a8959f9db2655b8b6642e393dc13d25150d69c6675fb3efd41 | ef433dd5ad142c860e7cb6400dd315d388d5ec5420c550e9d6f0907f | |||
ae6255bf54202b960f9aacd97fd6d2841b461f18 | 375d988bc4d704837e43561c497e7dd93edcdb9d | |||
Outputs | Outputs | |||
Ya: (length: 97 bytes) | Ya: (length: 97 bytes) | |||
048b65b9ef4c5726664391ceeae241834b275960a6f9316799f5c974 | 04fd864c1a81f0e657a8a3f8e4ebafa421da712b6fb98f0abfa139ff | |||
eceb71dfb6d36e989addf2ae8c4e338f204b2cd754e1c43b43a12692 | 971718cab474fa74c6a44b80a46468699280dd5d271252f3b9c05acc | |||
8d8d81ce2e6edbc22a99ed478ad3487b87e1052bce2d94b6464a2228 | 93dbd8b939152987cd5a8d1fb7b70c45512c993ec5456cc10f1797c9 | |||
eab73c01f79d6b290af6b218cf | 2fac2f1b7e363478a9ecd79e74 | |||
Alternative correct value for Ya: g^(-ya): | Alternative correct value for Ya: g*(-ya): | |||
(length: 97 bytes) | (length: 97 bytes) | |||
048b65b9ef4c5726664391ceeae241834b275960a6f9316799f5c974 | 04fd864c1a81f0e657a8a3f8e4ebafa421da712b6fb98f0abfa139ff | |||
eceb71dfb6d36e989addf2ae8c4e338f204b2cd7541e3bc4bc5ed96d | 971718cab474fa74c6a44b80a46468699280dd5d27edad0c463fa533 | |||
72727e31d191243dd56612b8752cb784781efad431d26b49b8b5ddd7 | 6c242746c6ead67832a572e04848f3baaed366c13aba933eefe86836 | |||
1448c3fe086294d6f6094de730 | cf53d0e481c9cb87571328618b | |||
MSGa = lv_cat(Ya,ADa): (length: 102 bytes) | MSGa = lv_cat(Ya,ADa): (length: 102 bytes) | |||
61048b65b9ef4c5726664391ceeae241834b275960a6f9316799f5c9 | 6104fd864c1a81f0e657a8a3f8e4ebafa421da712b6fb98f0abfa139 | |||
74eceb71dfb6d36e989addf2ae8c4e338f204b2cd754e1c43b43a126 | ff971718cab474fa74c6a44b80a46468699280dd5d271252f3b9c05a | |||
928d8d81ce2e6edbc22a99ed478ad3487b87e1052bce2d94b6464a22 | cc93dbd8b939152987cd5a8d1fb7b70c45512c993ec5456cc10f1797 | |||
28eab73c01f79d6b290af6b218cf03414461 | c92fac2f1b7e363478a9ecd79e7403414461 | |||
B.6.3. Test vector for MSGb | B.6.3. Test vector for MSGb | |||
Inputs | Inputs | |||
ADb = b'ADb' | ADb = b'ADb' | |||
yb (big endian): (length: 48 bytes) | yb (big endian): (length: 48 bytes) | |||
5cc9465bdb3ae626b77521ea36218fc93a9693c36ff126899e3d8777 | 50b0e36b95a2edfaa8342b843dddc90b175330f2399c1b36586dedda | |||
c126ef05483e34c05576c9e8c64b1a0b6f5b53d1 | 3c255975f30be6a750f9404fccc62a6323b5e471 | |||
Outputs | Outputs | |||
Yb: (length: 97 bytes) | Yb: (length: 97 bytes) | |||
04cb68451813699abda3dc0ed9d521baf9108bc2c4b2a1dbcd90a083 | 04822b9874755c51adfdf624101eb4dc12a8ae433750be4fd6f4f7eb | |||
63f5e458938d6fe634ed6393bc8440ec9b9f8a30841ffcc7cd65d9cf | f6954ddb57837752a4effa4a5b44627a64b62a2db9d3c9c031c4ad37 | |||
9617155e129bccded9888ac738f78e940f9887f9089ab6275d36c3ab | dbe7bf180d6bcba54feb4e84eeb876ebfa64a85d4c5ac2063dc05ba7 | |||
1bccbd048b088b1b80a0f56f27 | 26810824c41e1893faa9373a84 | |||
Alternative correct value for Yb: g^(-yb): | Alternative correct value for Yb: g*(-yb): | |||
(length: 97 bytes) | (length: 97 bytes) | |||
04cb68451813699abda3dc0ed9d521baf9108bc2c4b2a1dbcd90a083 | 04822b9874755c51adfdf624101eb4dc12a8ae433750be4fd6f4f7eb | |||
63f5e458938d6fe634ed6393bc8440ec9b9f8a3084e00338329a2630 | f6954ddb57837752a4effa4a5b44627a64b62a2db92c363fce3b52c8 | |||
69e8eaa1ed64332126777538c708716bf0677806f76549d8a1c93c54 | 241840e7f294345ab014b17b11478914059b57a2b3a53df9c13fa458 | |||
e33342fb74f774e4805f0a90d8 | d87ef7db3be1e76c0656c8c57b | |||
MSGb = lv_cat(Yb,ADb): (length: 102 bytes) | MSGb = lv_cat(Yb,ADb): (length: 102 bytes) | |||
6104cb68451813699abda3dc0ed9d521baf9108bc2c4b2a1dbcd90a0 | 6104822b9874755c51adfdf624101eb4dc12a8ae433750be4fd6f4f7 | |||
8363f5e458938d6fe634ed6393bc8440ec9b9f8a30841ffcc7cd65d9 | ebf6954ddb57837752a4effa4a5b44627a64b62a2db9d3c9c031c4ad | |||
cf9617155e129bccded9888ac738f78e940f9887f9089ab6275d36c3 | 37dbe7bf180d6bcba54feb4e84eeb876ebfa64a85d4c5ac2063dc05b | |||
ab1bccbd048b088b1b80a0f56f2703414462 | a726810824c41e1893faa9373a8403414462 | |||
B.6.4. Test vector for secret points K | B.6.4. Test vector for secret points K | |||
scalar_mult_vfy(ya,Yb): (length: 48 bytes) | scalar_mult_vfy(ya,Yb): (length: 48 bytes) | |||
c862709d6bfe7cc02f0c11dafdbf4ef8db1c5e4cb13a22985a83bef1 | 374290a54e07015baad085b311b18fbae1a20652e137c7c4bd13d565 | |||
8631361ed7d8cd97b12931844b7ac61b2f31d332 | 7d8b1ace028eb5acfba8c68d6211a79fff0965c9 | |||
scalar_mult_vfy(yb,Ya): (length: 48 bytes) | scalar_mult_vfy(yb,Ya): (length: 48 bytes) | |||
c862709d6bfe7cc02f0c11dafdbf4ef8db1c5e4cb13a22985a83bef1 | 374290a54e07015baad085b311b18fbae1a20652e137c7c4bd13d565 | |||
8631361ed7d8cd97b12931844b7ac61b2f31d332 | 7d8b1ace028eb5acfba8c68d6211a79fff0965c9 | |||
B.6.5. Test vector for ISK calculation initiator/responder | B.6.5. Test vector for ISK calculation initiator/responder | |||
unordered cat of transcript : (length: 204 bytes) | unordered cat of transcript : (length: 204 bytes) | |||
61048b65b9ef4c5726664391ceeae241834b275960a6f9316799f5c9 | 6104fd864c1a81f0e657a8a3f8e4ebafa421da712b6fb98f0abfa139 | |||
74eceb71dfb6d36e989addf2ae8c4e338f204b2cd754e1c43b43a126 | ff971718cab474fa74c6a44b80a46468699280dd5d271252f3b9c05a | |||
928d8d81ce2e6edbc22a99ed478ad3487b87e1052bce2d94b6464a22 | cc93dbd8b939152987cd5a8d1fb7b70c45512c993ec5456cc10f1797 | |||
28eab73c01f79d6b290af6b218cf034144616104cb68451813699abd | c92fac2f1b7e363478a9ecd79e74034144616104822b9874755c51ad | |||
a3dc0ed9d521baf9108bc2c4b2a1dbcd90a08363f5e458938d6fe634 | fdf624101eb4dc12a8ae433750be4fd6f4f7ebf6954ddb57837752a4 | |||
ed6393bc8440ec9b9f8a30841ffcc7cd65d9cf9617155e129bccded9 | effa4a5b44627a64b62a2db9d3c9c031c4ad37dbe7bf180d6bcba54f | |||
888ac738f78e940f9887f9089ab6275d36c3ab1bccbd048b088b1b80 | eb4e84eeb876ebfa64a85d4c5ac2063dc05ba726810824c41e1893fa | |||
a0f56f2703414462 | a9373a8403414462 | |||
DSI = G.DSI_ISK, b'CPaceP384_XMD:SHA-384_SSWU_NU__ISK': | DSI = G.DSI_ISK, b'CPaceP384_XMD:SHA-384_SSWU_NU__ISK': | |||
(length: 34 bytes) | (length: 34 bytes) | |||
4350616365503338345f584d443a5348412d3338345f535357555f4e | 4350616365503338345f584d443a5348412d3338345f535357555f4e | |||
555f5f49534b | 555f5f49534b | |||
lv_cat(DSI,sid,K)||MSGa||MSGb: (length: 305 bytes) | lv_cat(DSI,sid,K)||MSGa||MSGb: (length: 305 bytes) | |||
224350616365503338345f584d443a5348412d3338345f535357555f | 224350616365503338345f584d443a5348412d3338345f535357555f | |||
4e555f5f49534b105b3773aa90e8f23c61563a4b645b276c30c86270 | 4e555f5f49534b105b3773aa90e8f23c61563a4b645b276c30374290 | |||
9d6bfe7cc02f0c11dafdbf4ef8db1c5e4cb13a22985a83bef1863136 | a54e07015baad085b311b18fbae1a20652e137c7c4bd13d5657d8b1a | |||
1ed7d8cd97b12931844b7ac61b2f31d33261048b65b9ef4c57266643 | ce028eb5acfba8c68d6211a79fff0965c96104fd864c1a81f0e657a8 | |||
91ceeae241834b275960a6f9316799f5c974eceb71dfb6d36e989add | a3f8e4ebafa421da712b6fb98f0abfa139ff971718cab474fa74c6a4 | |||
f2ae8c4e338f204b2cd754e1c43b43a126928d8d81ce2e6edbc22a99 | 4b80a46468699280dd5d271252f3b9c05acc93dbd8b939152987cd5a | |||
ed478ad3487b87e1052bce2d94b6464a2228eab73c01f79d6b290af6 | 8d1fb7b70c45512c993ec5456cc10f1797c92fac2f1b7e363478a9ec | |||
b218cf034144616104cb68451813699abda3dc0ed9d521baf9108bc2 | d79e74034144616104822b9874755c51adfdf624101eb4dc12a8ae43 | |||
c4b2a1dbcd90a08363f5e458938d6fe634ed6393bc8440ec9b9f8a30 | 3750be4fd6f4f7ebf6954ddb57837752a4effa4a5b44627a64b62a2d | |||
841ffcc7cd65d9cf9617155e129bccded9888ac738f78e940f9887f9 | b9d3c9c031c4ad37dbe7bf180d6bcba54feb4e84eeb876ebfa64a85d | |||
089ab6275d36c3ab1bccbd048b088b1b80a0f56f2703414462 | 4c5ac2063dc05ba726810824c41e1893faa9373a8403414462 | |||
ISK result: (length: 48 bytes) | ISK result: (length: 48 bytes) | |||
db1e8133be8359b9aa8cd563043ee784344f26580876862e28b3f98b | a62d337820ce9cc1195a1adfb3c1efc2d844c0d8c6bc44bd060fe3cd | |||
51b2f611a65362c1d77db66c879de466f5b6148a | d4ee8d2343aca0168c2b58478354a37d8d8856bd | |||
B.6.6. Test vector for ISK calculation parallel execution | B.6.6. Test vector for ISK calculation parallel execution | |||
ordered cat of transcript : (length: 204 bytes) | ordered cat of transcript : (length: 206 bytes) | |||
6104cb68451813699abda3dc0ed9d521baf9108bc2c4b2a1dbcd90a0 | 6f636104fd864c1a81f0e657a8a3f8e4ebafa421da712b6fb98f0abf | |||
8363f5e458938d6fe634ed6393bc8440ec9b9f8a30841ffcc7cd65d9 | a139ff971718cab474fa74c6a44b80a46468699280dd5d271252f3b9 | |||
cf9617155e129bccded9888ac738f78e940f9887f9089ab6275d36c3 | c05acc93dbd8b939152987cd5a8d1fb7b70c45512c993ec5456cc10f | |||
ab1bccbd048b088b1b80a0f56f270341446261048b65b9ef4c572666 | 1797c92fac2f1b7e363478a9ecd79e74034144616104822b9874755c | |||
4391ceeae241834b275960a6f9316799f5c974eceb71dfb6d36e989a | 51adfdf624101eb4dc12a8ae433750be4fd6f4f7ebf6954ddb578377 | |||
ddf2ae8c4e338f204b2cd754e1c43b43a126928d8d81ce2e6edbc22a | 52a4effa4a5b44627a64b62a2db9d3c9c031c4ad37dbe7bf180d6bcb | |||
99ed478ad3487b87e1052bce2d94b6464a2228eab73c01f79d6b290a | a54feb4e84eeb876ebfa64a85d4c5ac2063dc05ba726810824c41e18 | |||
f6b218cf03414461 | 93faa9373a8403414462 | |||
DSI = G.DSI_ISK, b'CPaceP384_XMD:SHA-384_SSWU_NU__ISK': | DSI = G.DSI_ISK, b'CPaceP384_XMD:SHA-384_SSWU_NU__ISK': | |||
(length: 34 bytes) | (length: 34 bytes) | |||
4350616365503338345f584d443a5348412d3338345f535357555f4e | 4350616365503338345f584d443a5348412d3338345f535357555f4e | |||
555f5f49534b | 555f5f49534b | |||
lv_cat(DSI,sid,K)||oCAT(MSGa,MSGb): (length: 305 bytes) | lv_cat(DSI,sid,K)||o_cat(MSGa,MSGb): (length: 307 bytes) | |||
224350616365503338345f584d443a5348412d3338345f535357555f | 224350616365503338345f584d443a5348412d3338345f535357555f | |||
4e555f5f49534b105b3773aa90e8f23c61563a4b645b276c30c86270 | 4e555f5f49534b105b3773aa90e8f23c61563a4b645b276c30374290 | |||
9d6bfe7cc02f0c11dafdbf4ef8db1c5e4cb13a22985a83bef1863136 | a54e07015baad085b311b18fbae1a20652e137c7c4bd13d5657d8b1a | |||
1ed7d8cd97b12931844b7ac61b2f31d3326104cb68451813699abda3 | ce028eb5acfba8c68d6211a79fff0965c96f636104fd864c1a81f0e6 | |||
dc0ed9d521baf9108bc2c4b2a1dbcd90a08363f5e458938d6fe634ed | 57a8a3f8e4ebafa421da712b6fb98f0abfa139ff971718cab474fa74 | |||
6393bc8440ec9b9f8a30841ffcc7cd65d9cf9617155e129bccded988 | c6a44b80a46468699280dd5d271252f3b9c05acc93dbd8b939152987 | |||
8ac738f78e940f9887f9089ab6275d36c3ab1bccbd048b088b1b80a0 | cd5a8d1fb7b70c45512c993ec5456cc10f1797c92fac2f1b7e363478 | |||
f56f270341446261048b65b9ef4c5726664391ceeae241834b275960 | a9ecd79e74034144616104822b9874755c51adfdf624101eb4dc12a8 | |||
a6f9316799f5c974eceb71dfb6d36e989addf2ae8c4e338f204b2cd7 | ae433750be4fd6f4f7ebf6954ddb57837752a4effa4a5b44627a64b6 | |||
54e1c43b43a126928d8d81ce2e6edbc22a99ed478ad3487b87e1052b | 2a2db9d3c9c031c4ad37dbe7bf180d6bcba54feb4e84eeb876ebfa64 | |||
ce2d94b6464a2228eab73c01f79d6b290af6b218cf03414461 | a85d4c5ac2063dc05ba726810824c41e1893faa9373a8403414462 | |||
ISK result: (length: 48 bytes) | ISK result: (length: 48 bytes) | |||
519bfbb1477652e8ed1b4ec5774e310c4f44da46f3c36be91b0dd6b4 | eebf988a62b5c854f0ba32822ab45d23329bd1c78c84a4a0e1b40704 | |||
e3a3245942cf4d9db8f79023dad6e1b57aed4891 | c99c0a6f6c01c29af5fc6943254b883ce8a65ea1 | |||
B.6.7. Corresponding ANSI-C initializers | B.6.7. Corresponding C programming language initializers | |||
const uint8_t tc_PRS[] = { | const unsigned char tc_PRS[] = { | |||
0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, | 0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, | |||
}; | }; | |||
const uint8_t tc_CI[] = { | const unsigned char tc_CI[] = { | |||
0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a, | 0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a, | |||
0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72, | 0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72, | |||
}; | }; | |||
const uint8_t tc_sid[] = { | const unsigned char tc_sid[] = { | |||
0x5b,0x37,0x73,0xaa,0x90,0xe8,0xf2,0x3c,0x61,0x56,0x3a,0x4b, | 0x5b,0x37,0x73,0xaa,0x90,0xe8,0xf2,0x3c,0x61,0x56,0x3a,0x4b, | |||
0x64,0x5b,0x27,0x6c, | 0x64,0x5b,0x27,0x6c, | |||
}; | }; | |||
const uint8_t tc_g[] = { | const unsigned char tc_g[] = { | |||
0x04,0xf3,0x5a,0x92,0x5f,0xe8,0x2e,0x54,0x35,0x0e,0x80,0xb0, | 0x04,0xf3,0x5a,0x92,0x5f,0xe8,0x2e,0x54,0x35,0x0e,0x80,0xb0, | |||
0x84,0xa8,0x01,0x3b,0x19,0x60,0xcb,0x3f,0x73,0xc4,0x9b,0x0c, | 0x84,0xa8,0x01,0x3b,0x19,0x60,0xcb,0x3f,0x73,0xc4,0x9b,0x0c, | |||
0x2a,0xe9,0xb5,0x23,0x99,0x78,0x46,0xdd,0xd1,0x4c,0x66,0xf2, | 0x2a,0xe9,0xb5,0x23,0x99,0x78,0x46,0xdd,0xd1,0x4c,0x66,0xf2, | |||
0x4f,0x62,0x22,0x31,0x12,0xcf,0x35,0xb8,0x66,0x06,0x5f,0x91, | 0x4f,0x62,0x22,0x31,0x12,0xcf,0x35,0xb8,0x66,0x06,0x5f,0x91, | |||
0xad,0x86,0x67,0x4c,0xce,0x2a,0x28,0x76,0x84,0x90,0x4e,0x49, | 0xad,0x86,0x67,0x4c,0xce,0x2a,0x28,0x76,0x84,0x90,0x4e,0x49, | |||
0xf0,0x12,0x87,0xb5,0x46,0x66,0xbb,0x51,0x8d,0xf2,0xea,0x53, | 0xf0,0x12,0x87,0xb5,0x46,0x66,0xbb,0x51,0x8d,0xf2,0xea,0x53, | |||
0xce,0xc6,0x27,0xfa,0x6e,0x12,0x83,0xf1,0x4c,0x6e,0xd4,0xbc, | 0xce,0xc6,0x27,0xfa,0x6e,0x12,0x83,0xf1,0x4c,0x6e,0xd4,0xbc, | |||
0xd1,0x1b,0x33,0xfb,0xb9,0x62,0xda,0x3e,0x2e,0x4f,0xf1,0x34, | 0xd1,0x1b,0x33,0xfb,0xb9,0x62,0xda,0x3e,0x2e,0x4f,0xf1,0x34, | |||
0x5c, | 0x5c, | |||
}; | }; | |||
const uint8_t tc_ya[] = { | const unsigned char tc_ya[] = { | |||
0x7d,0x5b,0xc6,0xa8,0x95,0x9f,0x9d,0xb2,0x65,0x5b,0x8b,0x66, | 0xef,0x43,0x3d,0xd5,0xad,0x14,0x2c,0x86,0x0e,0x7c,0xb6,0x40, | |||
0x42,0xe3,0x93,0xdc,0x13,0xd2,0x51,0x50,0xd6,0x9c,0x66,0x75, | 0x0d,0xd3,0x15,0xd3,0x88,0xd5,0xec,0x54,0x20,0xc5,0x50,0xe9, | |||
0xfb,0x3e,0xfd,0x41,0xae,0x62,0x55,0xbf,0x54,0x20,0x2b,0x96, | 0xd6,0xf0,0x90,0x7f,0x37,0x5d,0x98,0x8b,0xc4,0xd7,0x04,0x83, | |||
0x0f,0x9a,0xac,0xd9,0x7f,0xd6,0xd2,0x84,0x1b,0x46,0x1f,0x18, | 0x7e,0x43,0x56,0x1c,0x49,0x7e,0x7d,0xd9,0x3e,0xdc,0xdb,0x9d, | |||
}; | }; | |||
const uint8_t tc_ADa[] = { | const unsigned char tc_ADa[] = { | |||
0x41,0x44,0x61, | 0x41,0x44,0x61, | |||
}; | }; | |||
const uint8_t tc_Ya[] = { | const unsigned char tc_Ya[] = { | |||
0x04,0x8b,0x65,0xb9,0xef,0x4c,0x57,0x26,0x66,0x43,0x91,0xce, | 0x04,0xfd,0x86,0x4c,0x1a,0x81,0xf0,0xe6,0x57,0xa8,0xa3,0xf8, | |||
0xea,0xe2,0x41,0x83,0x4b,0x27,0x59,0x60,0xa6,0xf9,0x31,0x67, | 0xe4,0xeb,0xaf,0xa4,0x21,0xda,0x71,0x2b,0x6f,0xb9,0x8f,0x0a, | |||
0x99,0xf5,0xc9,0x74,0xec,0xeb,0x71,0xdf,0xb6,0xd3,0x6e,0x98, | 0xbf,0xa1,0x39,0xff,0x97,0x17,0x18,0xca,0xb4,0x74,0xfa,0x74, | |||
0x9a,0xdd,0xf2,0xae,0x8c,0x4e,0x33,0x8f,0x20,0x4b,0x2c,0xd7, | 0xc6,0xa4,0x4b,0x80,0xa4,0x64,0x68,0x69,0x92,0x80,0xdd,0x5d, | |||
0x54,0xe1,0xc4,0x3b,0x43,0xa1,0x26,0x92,0x8d,0x8d,0x81,0xce, | 0x27,0x12,0x52,0xf3,0xb9,0xc0,0x5a,0xcc,0x93,0xdb,0xd8,0xb9, | |||
0x2e,0x6e,0xdb,0xc2,0x2a,0x99,0xed,0x47,0x8a,0xd3,0x48,0x7b, | 0x39,0x15,0x29,0x87,0xcd,0x5a,0x8d,0x1f,0xb7,0xb7,0x0c,0x45, | |||
0x87,0xe1,0x05,0x2b,0xce,0x2d,0x94,0xb6,0x46,0x4a,0x22,0x28, | 0x51,0x2c,0x99,0x3e,0xc5,0x45,0x6c,0xc1,0x0f,0x17,0x97,0xc9, | |||
0xea,0xb7,0x3c,0x01,0xf7,0x9d,0x6b,0x29,0x0a,0xf6,0xb2,0x18, | 0x2f,0xac,0x2f,0x1b,0x7e,0x36,0x34,0x78,0xa9,0xec,0xd7,0x9e, | |||
0xcf, | 0x74, | |||
}; | }; | |||
const uint8_t tc_yb[] = { | const unsigned char tc_yb[] = { | |||
0x5c,0xc9,0x46,0x5b,0xdb,0x3a,0xe6,0x26,0xb7,0x75,0x21,0xea, | 0x50,0xb0,0xe3,0x6b,0x95,0xa2,0xed,0xfa,0xa8,0x34,0x2b,0x84, | |||
0x36,0x21,0x8f,0xc9,0x3a,0x96,0x93,0xc3,0x6f,0xf1,0x26,0x89, | 0x3d,0xdd,0xc9,0x0b,0x17,0x53,0x30,0xf2,0x39,0x9c,0x1b,0x36, | |||
0x9e,0x3d,0x87,0x77,0xc1,0x26,0xef,0x05,0x48,0x3e,0x34,0xc0, | 0x58,0x6d,0xed,0xda,0x3c,0x25,0x59,0x75,0xf3,0x0b,0xe6,0xa7, | |||
0x55,0x76,0xc9,0xe8,0xc6,0x4b,0x1a,0x0b,0x6f,0x5b,0x53,0xd1, | 0x50,0xf9,0x40,0x4f,0xcc,0xc6,0x2a,0x63,0x23,0xb5,0xe4,0x71, | |||
}; | }; | |||
const uint8_t tc_ADb[] = { | const unsigned char tc_ADb[] = { | |||
0x41,0x44,0x62, | 0x41,0x44,0x62, | |||
}; | }; | |||
const uint8_t tc_Yb[] = { | const unsigned char tc_Yb[] = { | |||
0x04,0xcb,0x68,0x45,0x18,0x13,0x69,0x9a,0xbd,0xa3,0xdc,0x0e, | 0x04,0x82,0x2b,0x98,0x74,0x75,0x5c,0x51,0xad,0xfd,0xf6,0x24, | |||
0xd9,0xd5,0x21,0xba,0xf9,0x10,0x8b,0xc2,0xc4,0xb2,0xa1,0xdb, | 0x10,0x1e,0xb4,0xdc,0x12,0xa8,0xae,0x43,0x37,0x50,0xbe,0x4f, | |||
0xcd,0x90,0xa0,0x83,0x63,0xf5,0xe4,0x58,0x93,0x8d,0x6f,0xe6, | 0xd6,0xf4,0xf7,0xeb,0xf6,0x95,0x4d,0xdb,0x57,0x83,0x77,0x52, | |||
0x34,0xed,0x63,0x93,0xbc,0x84,0x40,0xec,0x9b,0x9f,0x8a,0x30, | 0xa4,0xef,0xfa,0x4a,0x5b,0x44,0x62,0x7a,0x64,0xb6,0x2a,0x2d, | |||
0x84,0x1f,0xfc,0xc7,0xcd,0x65,0xd9,0xcf,0x96,0x17,0x15,0x5e, | 0xb9,0xd3,0xc9,0xc0,0x31,0xc4,0xad,0x37,0xdb,0xe7,0xbf,0x18, | |||
0x12,0x9b,0xcc,0xde,0xd9,0x88,0x8a,0xc7,0x38,0xf7,0x8e,0x94, | 0x0d,0x6b,0xcb,0xa5,0x4f,0xeb,0x4e,0x84,0xee,0xb8,0x76,0xeb, | |||
0x0f,0x98,0x87,0xf9,0x08,0x9a,0xb6,0x27,0x5d,0x36,0xc3,0xab, | 0xfa,0x64,0xa8,0x5d,0x4c,0x5a,0xc2,0x06,0x3d,0xc0,0x5b,0xa7, | |||
0x1b,0xcc,0xbd,0x04,0x8b,0x08,0x8b,0x1b,0x80,0xa0,0xf5,0x6f, | 0x26,0x81,0x08,0x24,0xc4,0x1e,0x18,0x93,0xfa,0xa9,0x37,0x3a, | |||
0x27, | 0x84, | |||
}; | }; | |||
const uint8_t tc_K[] = { | const unsigned char tc_K[] = { | |||
0xc8,0x62,0x70,0x9d,0x6b,0xfe,0x7c,0xc0,0x2f,0x0c,0x11,0xda, | 0x37,0x42,0x90,0xa5,0x4e,0x07,0x01,0x5b,0xaa,0xd0,0x85,0xb3, | |||
0xfd,0xbf,0x4e,0xf8,0xdb,0x1c,0x5e,0x4c,0xb1,0x3a,0x22,0x98, | 0x11,0xb1,0x8f,0xba,0xe1,0xa2,0x06,0x52,0xe1,0x37,0xc7,0xc4, | |||
0x5a,0x83,0xbe,0xf1,0x86,0x31,0x36,0x1e,0xd7,0xd8,0xcd,0x97, | 0xbd,0x13,0xd5,0x65,0x7d,0x8b,0x1a,0xce,0x02,0x8e,0xb5,0xac, | |||
0xb1,0x29,0x31,0x84,0x4b,0x7a,0xc6,0x1b,0x2f,0x31,0xd3,0x32, | 0xfb,0xa8,0xc6,0x8d,0x62,0x11,0xa7,0x9f,0xff,0x09,0x65,0xc9, | |||
}; | }; | |||
const uint8_t tc_ISK_IR[] = { | const unsigned char tc_ISK_IR[] = { | |||
0xdb,0x1e,0x81,0x33,0xbe,0x83,0x59,0xb9,0xaa,0x8c,0xd5,0x63, | 0xa6,0x2d,0x33,0x78,0x20,0xce,0x9c,0xc1,0x19,0x5a,0x1a,0xdf, | |||
0x04,0x3e,0xe7,0x84,0x34,0x4f,0x26,0x58,0x08,0x76,0x86,0x2e, | 0xb3,0xc1,0xef,0xc2,0xd8,0x44,0xc0,0xd8,0xc6,0xbc,0x44,0xbd, | |||
0x28,0xb3,0xf9,0x8b,0x51,0xb2,0xf6,0x11,0xa6,0x53,0x62,0xc1, | 0x06,0x0f,0xe3,0xcd,0xd4,0xee,0x8d,0x23,0x43,0xac,0xa0,0x16, | |||
0xd7,0x7d,0xb6,0x6c,0x87,0x9d,0xe4,0x66,0xf5,0xb6,0x14,0x8a, | 0x8c,0x2b,0x58,0x47,0x83,0x54,0xa3,0x7d,0x8d,0x88,0x56,0xbd, | |||
}; | }; | |||
const uint8_t tc_ISK_SY[] = { | const unsigned char tc_ISK_SY[] = { | |||
0x51,0x9b,0xfb,0xb1,0x47,0x76,0x52,0xe8,0xed,0x1b,0x4e,0xc5, | 0xee,0xbf,0x98,0x8a,0x62,0xb5,0xc8,0x54,0xf0,0xba,0x32,0x82, | |||
0x77,0x4e,0x31,0x0c,0x4f,0x44,0xda,0x46,0xf3,0xc3,0x6b,0xe9, | 0x2a,0xb4,0x5d,0x23,0x32,0x9b,0xd1,0xc7,0x8c,0x84,0xa4,0xa0, | |||
0x1b,0x0d,0xd6,0xb4,0xe3,0xa3,0x24,0x59,0x42,0xcf,0x4d,0x9d, | 0xe1,0xb4,0x07,0x04,0xc9,0x9c,0x0a,0x6f,0x6c,0x01,0xc2,0x9a, | |||
0xb8,0xf7,0x90,0x23,0xda,0xd6,0xe1,0xb5,0x7a,0xed,0x48,0x91, | 0xf5,0xfc,0x69,0x43,0x25,0x4b,0x88,0x3c,0xe8,0xa6,0x5e,0xa1, | |||
}; | }; | |||
B.6.8. Test case for scalar_mult_vfy with correct inputs | B.6.8. Test case for scalar_mult_vfy with correct inputs | |||
s: (length: 48 bytes) | s: (length: 48 bytes) | |||
6e8a99a5cdd408eae98e1b8aed286e7b12adbbdac7f2c628d9060ce9 | 6e8a99a5cdd408eae98e1b8aed286e7b12adbbdac7f2c628d9060ce9 | |||
2ae0d90bd57a564fd3500fbcce3425dc94ba0ade | 2ae0d90bd57a564fd3500fbcce3425dc94ba0ade | |||
X: (length: 97 bytes) | X: (length: 97 bytes) | |||
045b4cd53c4506cc04ba4c44f2762d5d32c3e55df25b8baa5571b165 | 045b4cd53c4506cc04ba4c44f2762d5d32c3e55df25b8baa5571b165 | |||
7ad9576efea8259f0684de065a470585b4be876748c7797054f3defe | 7ad9576efea8259f0684de065a470585b4be876748c7797054f3defe | |||
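Review bot: in the B.6.7 initializers, tc_ya and tc_yb (the ephemeral scalars) change between -10 and -11, and with them every derived value (tc_Ya, tc_Yb, tc_K, tc_ISK_IR, tc_ISK_SY), while tc_PRS, tc_CI, tc_sid and tc_g are unchanged and the B.6.8 scalar_mult_vfy case is untouched. Anyone who pasted the -10 arrays into a test suite has to replace the whole set for this suite, not only the ISK values; a sentence in the appendix preamble saying that the scalars were regenerated for -11 would stop readers from searching this section for a protocol change. The `const uint8_t` to `const unsigned char` rename is a portability point only: it removes the `<stdint.h>` dependency and the two types coincide wherever CHAR_BIT is 8.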
skipping to change at page 67, line 17 ¶ | skipping to change at page 68, line 17 ¶ | |||
006367e9c2aeff9f1db19af600cca73343d47cbe446cebbd1ccd783f | 006367e9c2aeff9f1db19af600cca73343d47cbe446cebbd1ccd783f | |||
82755a872da86fd0707eb3767c6114f1803deb62d63bdd1e613f67e6 | 82755a872da86fd0707eb3767c6114f1803deb62d63bdd1e613f67e6 | |||
3e8c141ee5310e3ee819 | 3e8c141ee5310e3ee819 | |||
Outputs | Outputs | |||
Ya: (length: 133 bytes) | Ya: (length: 133 bytes) | |||
04003701ec35caafa3dd416cad29ba1774551f9d2ed89f7e1065706d | 04003701ec35caafa3dd416cad29ba1774551f9d2ed89f7e1065706d | |||
ca230b86a11d02e4cee8b3fde64380d4a05983167d8a2414bc594ad5 | ca230b86a11d02e4cee8b3fde64380d4a05983167d8a2414bc594ad5 | |||
286c068792ab7ca60ff6ea00919c41c00e789dabc2f42fd94178d7bf | 286c068792ab7ca60ff6ea00919c41c00e789dabc2f42fd94178d7bf | |||
d8fbe1aff1c1854b3dafb3a0ea13f5a5fc1703860f022bd271740469 | d8fbe1aff1c1854b3dafb3a0ea13f5a5fc1703860f022bd271740469 | |||
bb322b07c179c7c225499b31727c0ea3ee65578634 | bb322b07c179c7c225499b31727c0ea3ee65578634 | |||
Alternative correct value for Ya: g^(-ya): | Alternative correct value for Ya: g*(-ya): | |||
(length: 133 bytes) | (length: 133 bytes) | |||
04003701ec35caafa3dd416cad29ba1774551f9d2ed89f7e1065706d | 04003701ec35caafa3dd416cad29ba1774551f9d2ed89f7e1065706d | |||
ca230b86a11d02e4cee8b3fde64380d4a05983167d8a2414bc594ad5 | ca230b86a11d02e4cee8b3fde64380d4a05983167d8a2414bc594ad5 | |||
286c068792ab7ca60ff6ea016e63be3ff18762543d0bd026be872840 | 286c068792ab7ca60ff6ea016e63be3ff18762543d0bd026be872840 | |||
27041e500e3e7ab4c2504c5f15ec0a5a03e8fc79f0fdd42d8e8bfb96 | 27041e500e3e7ab4c2504c5f15ec0a5a03e8fc79f0fdd42d8e8bfb96 | |||
44cdd4f83e86383ddab664ce8d83f15c119aa879cb | 44cdd4f83e86383ddab664ce8d83f15c119aa879cb | |||
MSGa = lv_cat(Ya,ADa): (length: 139 bytes) | MSGa = lv_cat(Ya,ADa): (length: 139 bytes) | |||
850104003701ec35caafa3dd416cad29ba1774551f9d2ed89f7e1065 | 850104003701ec35caafa3dd416cad29ba1774551f9d2ed89f7e1065 | |||
706dca230b86a11d02e4cee8b3fde64380d4a05983167d8a2414bc59 | 706dca230b86a11d02e4cee8b3fde64380d4a05983167d8a2414bc59 | |||
4ad5286c068792ab7ca60ff6ea00919c41c00e789dabc2f42fd94178 | 4ad5286c068792ab7ca60ff6ea00919c41c00e789dabc2f42fd94178 | |||
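Review bot: the change from `g^(-ya)` to `g*(-ya)` in "Alternative correct value for Ya" only switches to the scalar-multiplication notation of scalar_mult_vfy; the line still does not say why a second value is correct. Comparing the two 133-byte strings shows it: the 0x04 prefix and the 66-byte X coordinate (…286c068792ab7ca60ff6ea) are identical and the Y coordinates are bitwise complements (00919c41c0… versus 016e63be3f…), i.e. Y' = p - Y for p = 2^521 - 1, so the alternative is the negated point. Suggest stating "same X, Y replaced by p - Y" next to the value: a test harness that compares Ya byte-for-byte against the first value rejects an implementation that legitimately produced -ya*g, so the check should accept either encoding.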
skipping to change at page 68, line 17 ¶ | skipping to change at page 69, line 17 ¶ | |||
009227bf8dc741dacc9422f8bf3c0e96fce9587bc562eaafe0dc5f6f | 009227bf8dc741dacc9422f8bf3c0e96fce9587bc562eaafe0dc5f6f | |||
82f28594e4a6f98553560c62b75fa4abb198cecbbb86ebd41b0ea025 | 82f28594e4a6f98553560c62b75fa4abb198cecbbb86ebd41b0ea025 | |||
4cde78ac68d39a240ae7 | 4cde78ac68d39a240ae7 | |||
Outputs | Outputs | |||
Yb: (length: 133 bytes) | Yb: (length: 133 bytes) | |||
0400f5cb68bf0117bd1a65412a2bc800af92013f9969cf546e1ea6d3 | 0400f5cb68bf0117bd1a65412a2bc800af92013f9969cf546e1ea6d3 | |||
bcf08643fdc482130aec1eecc33a2b5f33600be51295047fa3399fa2 | bcf08643fdc482130aec1eecc33a2b5f33600be51295047fa3399fa2 | |||
82cc1a78de91f3a4e30b5d01a085b453f22bf3dc947386b042e5fc4e | 82cc1a78de91f3a4e30b5d01a085b453f22bf3dc947386b042e5fc4e | |||
c691fee47fe3c3ec6408c22a17c26bc0ab73940910614d6fcee32daf | c691fee47fe3c3ec6408c22a17c26bc0ab73940910614d6fcee32daf | |||
bfd2d340d6e382d71b1fc763d7cec502fbcbcf93b4 | bfd2d340d6e382d71b1fc763d7cec502fbcbcf93b4 | |||
Alternative correct value for Yb: g^(-yb): | Alternative correct value for Yb: g*(-yb): | |||
(length: 133 bytes) | (length: 133 bytes) | |||
0400f5cb68bf0117bd1a65412a2bc800af92013f9969cf546e1ea6d3 | 0400f5cb68bf0117bd1a65412a2bc800af92013f9969cf546e1ea6d3 | |||
bcf08643fdc482130aec1eecc33a2b5f33600be51295047fa3399fa2 | bcf08643fdc482130aec1eecc33a2b5f33600be51295047fa3399fa2 | |||
82cc1a78de91f3a4e30b5d005f7a4bac0dd40c236b8c794fbd1a03b1 | 82cc1a78de91f3a4e30b5d005f7a4bac0dd40c236b8c794fbd1a03b1 | |||
396e011b801c3c139bf73dd5e83d943f548c6bf6ef9eb290311cd250 | 396e011b801c3c139bf73dd5e83d943f548c6bf6ef9eb290311cd250 | |||
402d2cbf291c7d28e4e0389c28313afd0434306c4b | 402d2cbf291c7d28e4e0389c28313afd0434306c4b | |||
MSGb = lv_cat(Yb,ADb): (length: 139 bytes) | MSGb = lv_cat(Yb,ADb): (length: 139 bytes) | |||
85010400f5cb68bf0117bd1a65412a2bc800af92013f9969cf546e1e | 85010400f5cb68bf0117bd1a65412a2bc800af92013f9969cf546e1e | |||
a6d3bcf08643fdc482130aec1eecc33a2b5f33600be51295047fa339 | a6d3bcf08643fdc482130aec1eecc33a2b5f33600be51295047fa339 | |||
9fa282cc1a78de91f3a4e30b5d01a085b453f22bf3dc947386b042e5 | 9fa282cc1a78de91f3a4e30b5d01a085b453f22bf3dc947386b042e5 | |||
skipping to change at page 70, line 4 ¶ | skipping to change at page 71, line 4 ¶ | |||
1295047fa3399fa282cc1a78de91f3a4e30b5d01a085b453f22bf3dc | 1295047fa3399fa282cc1a78de91f3a4e30b5d01a085b453f22bf3dc | |||
947386b042e5fc4ec691fee47fe3c3ec6408c22a17c26bc0ab739409 | 947386b042e5fc4ec691fee47fe3c3ec6408c22a17c26bc0ab739409 | |||
10614d6fcee32dafbfd2d340d6e382d71b1fc763d7cec502fbcbcf93 | 10614d6fcee32dafbfd2d340d6e382d71b1fc763d7cec502fbcbcf93 | |||
b403414462 | b403414462 | |||
ISK result: (length: 64 bytes) | ISK result: (length: 64 bytes) | |||
ed208a15af3ef8a67a5cac4acb360d03154570e3b1b1c54867f53a72 | ed208a15af3ef8a67a5cac4acb360d03154570e3b1b1c54867f53a72 | |||
53cb919d13aa47efc647375be2250cb39ad965afa4ddfcb6be47d586 | 53cb919d13aa47efc647375be2250cb39ad965afa4ddfcb6be47d586 | |||
d28c7eef6d654525 | d28c7eef6d654525 | |||
B.7.6. Test vector for ISK calculation parallel execution | B.7.6. Test vector for ISK calculation parallel execution | |||
ordered cat of transcript : (length: 278 bytes) | ordered cat of transcript : (length: 280 bytes) | |||
85010400f5cb68bf0117bd1a65412a2bc800af92013f9969cf546e1e | 6f6385010400f5cb68bf0117bd1a65412a2bc800af92013f9969cf54 | |||
a6d3bcf08643fdc482130aec1eecc33a2b5f33600be51295047fa339 | 6e1ea6d3bcf08643fdc482130aec1eecc33a2b5f33600be51295047f | |||
9fa282cc1a78de91f3a4e30b5d01a085b453f22bf3dc947386b042e5 | a3399fa282cc1a78de91f3a4e30b5d01a085b453f22bf3dc947386b0 | |||
fc4ec691fee47fe3c3ec6408c22a17c26bc0ab73940910614d6fcee3 | 42e5fc4ec691fee47fe3c3ec6408c22a17c26bc0ab73940910614d6f | |||
2dafbfd2d340d6e382d71b1fc763d7cec502fbcbcf93b40341446285 | cee32dafbfd2d340d6e382d71b1fc763d7cec502fbcbcf93b4034144 | |||
0104003701ec35caafa3dd416cad29ba1774551f9d2ed89f7e106570 | 62850104003701ec35caafa3dd416cad29ba1774551f9d2ed89f7e10 | |||
6dca230b86a11d02e4cee8b3fde64380d4a05983167d8a2414bc594a | 65706dca230b86a11d02e4cee8b3fde64380d4a05983167d8a2414bc | |||
d5286c068792ab7ca60ff6ea00919c41c00e789dabc2f42fd94178d7 | 594ad5286c068792ab7ca60ff6ea00919c41c00e789dabc2f42fd941 | |||
bfd8fbe1aff1c1854b3dafb3a0ea13f5a5fc1703860f022bd2717404 | 78d7bfd8fbe1aff1c1854b3dafb3a0ea13f5a5fc1703860f022bd271 | |||
69bb322b07c179c7c225499b31727c0ea3ee6557863403414461 | 740469bb322b07c179c7c225499b31727c0ea3ee6557863403414461 | |||
DSI = G.DSI_ISK, b'CPaceP521_XMD:SHA-512_SSWU_NU__ISK': | DSI = G.DSI_ISK, b'CPaceP521_XMD:SHA-512_SSWU_NU__ISK': | |||
(length: 34 bytes) | (length: 34 bytes) | |||
4350616365503532315f584d443a5348412d3531325f535357555f4e | 4350616365503532315f584d443a5348412d3531325f535357555f4e | |||
555f5f49534b | 555f5f49534b | |||
lv_cat(DSI,sid,K)||oCAT(MSGa,MSGb): (length: 397 bytes) | lv_cat(DSI,sid,K)||o_cat(MSGa,MSGb): (length: 399 bytes) | |||
224350616365503532315f584d443a5348412d3531325f535357555f | 224350616365503532315f584d443a5348412d3531325f535357555f | |||
4e555f5f49534b107e4b4791d6a8ef019b936c79fb7f2c574200503e | 4e555f5f49534b107e4b4791d6a8ef019b936c79fb7f2c574200503e | |||
75e38e012a6dc6f3561980e4cf540dbcff3de3a4a6f09d79c32cc457 | 75e38e012a6dc6f3561980e4cf540dbcff3de3a4a6f09d79c32cc457 | |||
64d3a6605eb45df1dc63fb7937b7879f2820da1b3266b69fa099bf87 | 64d3a6605eb45df1dc63fb7937b7879f2820da1b3266b69fa099bf87 | |||
20dd8f6a07e8ed85010400f5cb68bf0117bd1a65412a2bc800af9201 | 20dd8f6a07e8ed6f6385010400f5cb68bf0117bd1a65412a2bc800af | |||
3f9969cf546e1ea6d3bcf08643fdc482130aec1eecc33a2b5f33600b | 92013f9969cf546e1ea6d3bcf08643fdc482130aec1eecc33a2b5f33 | |||
e51295047fa3399fa282cc1a78de91f3a4e30b5d01a085b453f22bf3 | 600be51295047fa3399fa282cc1a78de91f3a4e30b5d01a085b453f2 | |||
dc947386b042e5fc4ec691fee47fe3c3ec6408c22a17c26bc0ab7394 | 2bf3dc947386b042e5fc4ec691fee47fe3c3ec6408c22a17c26bc0ab | |||
0910614d6fcee32dafbfd2d340d6e382d71b1fc763d7cec502fbcbcf | 73940910614d6fcee32dafbfd2d340d6e382d71b1fc763d7cec502fb | |||
93b403414462850104003701ec35caafa3dd416cad29ba1774551f9d | cbcf93b403414462850104003701ec35caafa3dd416cad29ba177455 | |||
2ed89f7e1065706dca230b86a11d02e4cee8b3fde64380d4a0598316 | 1f9d2ed89f7e1065706dca230b86a11d02e4cee8b3fde64380d4a059 | |||
7d8a2414bc594ad5286c068792ab7ca60ff6ea00919c41c00e789dab | 83167d8a2414bc594ad5286c068792ab7ca60ff6ea00919c41c00e78 | |||
c2f42fd94178d7bfd8fbe1aff1c1854b3dafb3a0ea13f5a5fc170386 | 9dabc2f42fd94178d7bfd8fbe1aff1c1854b3dafb3a0ea13f5a5fc17 | |||
0f022bd271740469bb322b07c179c7c225499b31727c0ea3ee655786 | 03860f022bd271740469bb322b07c179c7c225499b31727c0ea3ee65 | |||
3403414461 | 57863403414461 | |||
ISK result: (length: 64 bytes) | ISK result: (length: 64 bytes) | |||
aae7320b73ba2516f289f71088662d41c4314d00521c48ea3c9c85ea | e7b10b6da531d9a8fd47fdd08441e8bb803d16c59a93e366d5cd9a10 | |||
ca57112e55eb2b4094d4a0c7813ddd95c5d80c5596ad686d2eba876b | 277bbc543d943182889154704d80f2b0756ed62da87e0eb4e6d07920 | |||
a1cd92f90407aa3d | 480100d5e800ca85 | |||
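The B.7.6 vector above can be rebuilt from the values printed on this page. The following Python script is an added example, not code from the draft or its reference implementation: it implements prepend_len, lv_cat and o_cat as draft-irtf-cfrg-cpace-11 defines them (LEB128 length prefixes; ordered concatenation with the lexicographically larger string first, behind the "oc" tag), assembles lv_cat(DSI,sid,K)||o_cat(MSGa,MSGb) from the DSI, sid, K, Ya, Yb, ADa and ADb values of B.7.6/B.7.7, and hashes the result with SHA-512, the H of the CPaceP521_XMD:SHA-512_SSWU_NU_ suite, to compare against the ISK result. The byte strings are copied from the page; the function names other than lv_cat and o_cat are this example's own.

```python
"""Rebuild the CPaceP521 parallel-mode ISK input of B.7.6 from the vectors on
this page, using lv_cat/o_cat as draft-irtf-cfrg-cpace-11 defines them."""
import hashlib


# --- length-value helpers as defined in the draft ---------------------------

def prepend_len(data: bytes) -> bytes:
    """Prefix data with its length in LEB128 form: 7 bits per byte, high bit
    set on every byte but the last, so 133 bytes are announced as 85 01."""
    length = len(data)
    enc = bytearray()
    while True:
        if length < 128:
            enc.append(length)
        else:
            enc.append((length & 0x7F) | 0x80)
        length >>= 7
        if length == 0:
            return bytes(enc) + data


def lv_cat(*args: bytes) -> bytes:
    """Length-value concatenation: every argument is length-prefixed."""
    return b"".join(prepend_len(a) for a in args)


def o_cat(b1: bytes, b2: bytes) -> bytes:
    """Ordered concatenation for the parallel (symmetric) variant: the
    lexicographically larger string goes first, behind the 'oc' tag, so both
    parties build the same transcript whoever sent first.  Python's bytes
    comparison is exactly the byte-wise, shorter-prefix-is-smaller order of the
    draft's lexiographically_larger()."""
    return b"oc" + (b1 + b2 if b1 > b2 else b2 + b1)


# --- test-vector data copied from B.7.6 / B.7.7 on this page ----------------
DSI_ISK = bytes.fromhex(          # b"CPaceP521_XMD:SHA-512_SSWU_NU__ISK"
    "4350616365503532315f584d443a5348412d3531325f535357555f4e555f5f49534b")
SID = bytes.fromhex("7e4b4791d6a8ef019b936c79fb7f2c57")
K = bytes.fromhex(
    "00503e75e38e012a6dc6f3561980e4cf540dbcff3de3a4a6f09d79c32cc45764d3a6605e"
    "b45df1dc63fb7937b7879f2820da1b3266b69fa099bf8720dd8f6a07e8ed")
YA = bytes.fromhex(
    "04003701ec35caafa3dd416cad29ba1774551f9d2ed89f7e1065706d"
    "ca230b86a11d02e4cee8b3fde64380d4a05983167d8a2414bc594ad5"
    "286c068792ab7ca60ff6ea00919c41c00e789dabc2f42fd94178d7bf"
    "d8fbe1aff1c1854b3dafb3a0ea13f5a5fc1703860f022bd271740469"
    "bb322b07c179c7c225499b31727c0ea3ee65578634")
YB = bytes.fromhex(
    "0400f5cb68bf0117bd1a65412a2bc800af92013f9969cf546e1ea6d3"
    "bcf08643fdc482130aec1eecc33a2b5f33600be51295047fa3399fa2"
    "82cc1a78de91f3a4e30b5d01a085b453f22bf3dc947386b042e5fc4e"
    "c691fee47fe3c3ec6408c22a17c26bc0ab73940910614d6fcee32daf"
    "bfd2d340d6e382d71b1fc763d7cec502fbcbcf93b4")
ADA, ADB = b"ADa", b"ADb"
EXPECTED_ISK = bytes.fromhex(     # "ISK result" of B.7.6 in -11
    "e7b10b6da531d9a8fd47fdd08441e8bb803d16c59a93e366d5cd9a10"
    "277bbc543d943182889154704d80f2b0756ed62da87e0eb4e6d07920"
    "480100d5e800ca85")


def build_transcript() -> bytes:
    """lv_cat(DSI_ISK, sid, K) || o_cat(MSGa, MSGb): the ISK hash input."""
    msg_a = lv_cat(YA, ADA)       # 85 01 || Ya || 03 || "ADa", 139 bytes
    msg_b = lv_cat(YB, ADB)
    return lv_cat(DSI_ISK, SID, K) + o_cat(msg_a, msg_b)


def derive_isk(transcript: bytes) -> bytes:
    """ISK = H.hash(transcript); H is SHA-512 for this cipher suite."""
    return hashlib.sha512(transcript).digest()


def isk_matches_page() -> bool:
    """True when the rebuilt transcript hashes to the page's ISK result."""
    return derive_isk(build_transcript()) == EXPECTED_ISK


if __name__ == "__main__":
    t = build_transcript()
    print("transcript bytes:", len(t), "tag:", t[119:121].hex())
    print("ISK matches B.7.6:", isk_matches_page())
```

Running it shows the 85 01 prefix that announces the 133-byte point, the 6f63 tag, the 280- and 399-byte lengths, and that o_cat(MSGa,MSGb) equals o_cat(MSGb,MSGa), which is what lets both sides of a parallel execution derive the same ISK without agreeing who sent first. If the final comparison fails, the usual suspects are a missing "oc" tag (the -10 encoding) or a length prefix written as a fixed-width integer instead of LEB128.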
B.7.7. Corresponding ANSI-C initializers | B.7.7. Corresponding C programming language initializers | |||
const uint8_t tc_PRS[] = { | const unsigned char tc_PRS[] = { | |||
0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, | 0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, | |||
}; | }; | |||
const uint8_t tc_CI[] = { | const unsigned char tc_CI[] = { | |||
0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a, | 0x0a,0x41,0x69,0x6e,0x69,0x74,0x69,0x61,0x74,0x6f,0x72,0x0a, | |||
0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72, | 0x42,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64,0x65,0x72, | |||
}; | }; | |||
const uint8_t tc_sid[] = { | const unsigned char tc_sid[] = { | |||
0x7e,0x4b,0x47,0x91,0xd6,0xa8,0xef,0x01,0x9b,0x93,0x6c,0x79, | 0x7e,0x4b,0x47,0x91,0xd6,0xa8,0xef,0x01,0x9b,0x93,0x6c,0x79, | |||
0xfb,0x7f,0x2c,0x57, | 0xfb,0x7f,0x2c,0x57, | |||
}; | }; | |||
const uint8_t tc_g[] = { | const unsigned char tc_g[] = { | |||
0x04,0x00,0xdc,0x92,0x79,0x58,0xf0,0xb6,0x9c,0xca,0xd8,0xfb, | 0x04,0x00,0xdc,0x92,0x79,0x58,0xf0,0xb6,0x9c,0xca,0xd8,0xfb, | |||
0x67,0xef,0x00,0x89,0x05,0x35,0x4b,0x58,0xc7,0xc9,0xc9,0x2a, | 0x67,0xef,0x00,0x89,0x05,0x35,0x4b,0x58,0xc7,0xc9,0xc9,0x2a, | |||
0xd5,0x00,0x60,0xa9,0xe6,0xaf,0xb1,0x04,0x37,0xd6,0xca,0x8a, | 0xd5,0x00,0x60,0xa9,0xe6,0xaf,0xb1,0x04,0x37,0xd6,0xca,0x8a, | |||
0x26,0x16,0x4e,0x85,0x73,0x70,0x2b,0x89,0x72,0x75,0xa2,0x5d, | 0x26,0x16,0x4e,0x85,0x73,0x70,0x2b,0x89,0x72,0x75,0xa2,0x5d, | |||
0x05,0xed,0x44,0x07,0xaf,0x2a,0x38,0x49,0x86,0xdc,0xa7,0xe2, | 0x05,0xed,0x44,0x07,0xaf,0x2a,0x38,0x49,0x86,0xdc,0xa7,0xe2, | |||
0x43,0xb9,0x2c,0x5d,0xd5,0x00,0xd4,0x00,0x57,0x01,0x21,0x21, | 0x43,0xb9,0x2c,0x5d,0xd5,0x00,0xd4,0x00,0x57,0x01,0x21,0x21, | |||
0xa9,0xc8,0xe3,0x43,0x73,0xfa,0x61,0x9f,0x91,0x8f,0x7d,0x47, | 0xa9,0xc8,0xe3,0x43,0x73,0xfa,0x61,0x9f,0x91,0x8f,0x7d,0x47, | |||
0x9c,0x23,0xf8,0x5f,0x04,0x85,0x37,0x9e,0xf0,0xf0,0x52,0x84, | 0x9c,0x23,0xf8,0x5f,0x04,0x85,0x37,0x9e,0xf0,0xf0,0x52,0x84, | |||
0x39,0x8d,0xe2,0x66,0x53,0xb4,0x9a,0x15,0x53,0x24,0xc9,0xd7, | 0x39,0x8d,0xe2,0x66,0x53,0xb4,0x9a,0x15,0x53,0x24,0xc9,0xd7, | |||
0xb1,0x38,0xbe,0x84,0xd0,0xb4,0x9b,0xb5,0x8e,0x23,0x2b,0x7b, | 0xb1,0x38,0xbe,0x84,0xd0,0xb4,0x9b,0xb5,0x8e,0x23,0x2b,0x7b, | |||
0xf6,0x97,0x79,0x8d,0xe6,0xee,0x8a,0xfd,0x6b,0x92,0xb6,0xfa, | 0xf6,0x97,0x79,0x8d,0xe6,0xee,0x8a,0xfd,0x6b,0x92,0xb6,0xfa, | |||
0x2f, | 0x2f, | |||
}; | }; | |||
const uint8_t tc_ya[] = { | const unsigned char tc_ya[] = { | |||
0x00,0x63,0x67,0xe9,0xc2,0xae,0xff,0x9f,0x1d,0xb1,0x9a,0xf6, | 0x00,0x63,0x67,0xe9,0xc2,0xae,0xff,0x9f,0x1d,0xb1,0x9a,0xf6, | |||
0x00,0xcc,0xa7,0x33,0x43,0xd4,0x7c,0xbe,0x44,0x6c,0xeb,0xbd, | 0x00,0xcc,0xa7,0x33,0x43,0xd4,0x7c,0xbe,0x44,0x6c,0xeb,0xbd, | |||
0x1c,0xcd,0x78,0x3f,0x82,0x75,0x5a,0x87,0x2d,0xa8,0x6f,0xd0, | 0x1c,0xcd,0x78,0x3f,0x82,0x75,0x5a,0x87,0x2d,0xa8,0x6f,0xd0, | |||
0x70,0x7e,0xb3,0x76,0x7c,0x61,0x14,0xf1,0x80,0x3d,0xeb,0x62, | 0x70,0x7e,0xb3,0x76,0x7c,0x61,0x14,0xf1,0x80,0x3d,0xeb,0x62, | |||
0xd6,0x3b,0xdd,0x1e,0x61,0x3f,0x67,0xe6,0x3e,0x8c,0x14,0x1e, | 0xd6,0x3b,0xdd,0x1e,0x61,0x3f,0x67,0xe6,0x3e,0x8c,0x14,0x1e, | |||
0xe5,0x31,0x0e,0x3e,0xe8,0x19, | 0xe5,0x31,0x0e,0x3e,0xe8,0x19, | |||
}; | }; | |||
const uint8_t tc_ADa[] = { | const unsigned char tc_ADa[] = { | |||
0x41,0x44,0x61, | 0x41,0x44,0x61, | |||
}; | }; | |||
const uint8_t tc_Ya[] = { | const unsigned char tc_Ya[] = { | |||
0x04,0x00,0x37,0x01,0xec,0x35,0xca,0xaf,0xa3,0xdd,0x41,0x6c, | 0x04,0x00,0x37,0x01,0xec,0x35,0xca,0xaf,0xa3,0xdd,0x41,0x6c, | |||
0xad,0x29,0xba,0x17,0x74,0x55,0x1f,0x9d,0x2e,0xd8,0x9f,0x7e, | 0xad,0x29,0xba,0x17,0x74,0x55,0x1f,0x9d,0x2e,0xd8,0x9f,0x7e, | |||
0x10,0x65,0x70,0x6d,0xca,0x23,0x0b,0x86,0xa1,0x1d,0x02,0xe4, | 0x10,0x65,0x70,0x6d,0xca,0x23,0x0b,0x86,0xa1,0x1d,0x02,0xe4, | |||
0xce,0xe8,0xb3,0xfd,0xe6,0x43,0x80,0xd4,0xa0,0x59,0x83,0x16, | 0xce,0xe8,0xb3,0xfd,0xe6,0x43,0x80,0xd4,0xa0,0x59,0x83,0x16, | |||
0x7d,0x8a,0x24,0x14,0xbc,0x59,0x4a,0xd5,0x28,0x6c,0x06,0x87, | 0x7d,0x8a,0x24,0x14,0xbc,0x59,0x4a,0xd5,0x28,0x6c,0x06,0x87, | |||
0x92,0xab,0x7c,0xa6,0x0f,0xf6,0xea,0x00,0x91,0x9c,0x41,0xc0, | 0x92,0xab,0x7c,0xa6,0x0f,0xf6,0xea,0x00,0x91,0x9c,0x41,0xc0, | |||
0x0e,0x78,0x9d,0xab,0xc2,0xf4,0x2f,0xd9,0x41,0x78,0xd7,0xbf, | 0x0e,0x78,0x9d,0xab,0xc2,0xf4,0x2f,0xd9,0x41,0x78,0xd7,0xbf, | |||
0xd8,0xfb,0xe1,0xaf,0xf1,0xc1,0x85,0x4b,0x3d,0xaf,0xb3,0xa0, | 0xd8,0xfb,0xe1,0xaf,0xf1,0xc1,0x85,0x4b,0x3d,0xaf,0xb3,0xa0, | |||
0xea,0x13,0xf5,0xa5,0xfc,0x17,0x03,0x86,0x0f,0x02,0x2b,0xd2, | 0xea,0x13,0xf5,0xa5,0xfc,0x17,0x03,0x86,0x0f,0x02,0x2b,0xd2, | |||
0x71,0x74,0x04,0x69,0xbb,0x32,0x2b,0x07,0xc1,0x79,0xc7,0xc2, | 0x71,0x74,0x04,0x69,0xbb,0x32,0x2b,0x07,0xc1,0x79,0xc7,0xc2, | |||
0x25,0x49,0x9b,0x31,0x72,0x7c,0x0e,0xa3,0xee,0x65,0x57,0x86, | 0x25,0x49,0x9b,0x31,0x72,0x7c,0x0e,0xa3,0xee,0x65,0x57,0x86, | |||
0x34, | 0x34, | |||
}; | }; | |||
const uint8_t tc_yb[] = { | const unsigned char tc_yb[] = { | |||
0x00,0x92,0x27,0xbf,0x8d,0xc7,0x41,0xda,0xcc,0x94,0x22,0xf8, | 0x00,0x92,0x27,0xbf,0x8d,0xc7,0x41,0xda,0xcc,0x94,0x22,0xf8, | |||
0xbf,0x3c,0x0e,0x96,0xfc,0xe9,0x58,0x7b,0xc5,0x62,0xea,0xaf, | 0xbf,0x3c,0x0e,0x96,0xfc,0xe9,0x58,0x7b,0xc5,0x62,0xea,0xaf, | |||
0xe0,0xdc,0x5f,0x6f,0x82,0xf2,0x85,0x94,0xe4,0xa6,0xf9,0x85, | 0xe0,0xdc,0x5f,0x6f,0x82,0xf2,0x85,0x94,0xe4,0xa6,0xf9,0x85, | |||
0x53,0x56,0x0c,0x62,0xb7,0x5f,0xa4,0xab,0xb1,0x98,0xce,0xcb, | 0x53,0x56,0x0c,0x62,0xb7,0x5f,0xa4,0xab,0xb1,0x98,0xce,0xcb, | |||
0xbb,0x86,0xeb,0xd4,0x1b,0x0e,0xa0,0x25,0x4c,0xde,0x78,0xac, | 0xbb,0x86,0xeb,0xd4,0x1b,0x0e,0xa0,0x25,0x4c,0xde,0x78,0xac, | |||
0x68,0xd3,0x9a,0x24,0x0a,0xe7, | 0x68,0xd3,0x9a,0x24,0x0a,0xe7, | |||
}; | }; | |||
const uint8_t tc_ADb[] = { | const unsigned char tc_ADb[] = { | |||
0x41,0x44,0x62, | 0x41,0x44,0x62, | |||
}; | }; | |||
const uint8_t tc_Yb[] = { | const unsigned char tc_Yb[] = { | |||
0x04,0x00,0xf5,0xcb,0x68,0xbf,0x01,0x17,0xbd,0x1a,0x65,0x41, | 0x04,0x00,0xf5,0xcb,0x68,0xbf,0x01,0x17,0xbd,0x1a,0x65,0x41, | |||
0x2a,0x2b,0xc8,0x00,0xaf,0x92,0x01,0x3f,0x99,0x69,0xcf,0x54, | 0x2a,0x2b,0xc8,0x00,0xaf,0x92,0x01,0x3f,0x99,0x69,0xcf,0x54, | |||
0x6e,0x1e,0xa6,0xd3,0xbc,0xf0,0x86,0x43,0xfd,0xc4,0x82,0x13, | 0x6e,0x1e,0xa6,0xd3,0xbc,0xf0,0x86,0x43,0xfd,0xc4,0x82,0x13, | |||
0x0a,0xec,0x1e,0xec,0xc3,0x3a,0x2b,0x5f,0x33,0x60,0x0b,0xe5, | 0x0a,0xec,0x1e,0xec,0xc3,0x3a,0x2b,0x5f,0x33,0x60,0x0b,0xe5, | |||
0x12,0x95,0x04,0x7f,0xa3,0x39,0x9f,0xa2,0x82,0xcc,0x1a,0x78, | 0x12,0x95,0x04,0x7f,0xa3,0x39,0x9f,0xa2,0x82,0xcc,0x1a,0x78, | |||
0xde,0x91,0xf3,0xa4,0xe3,0x0b,0x5d,0x01,0xa0,0x85,0xb4,0x53, | 0xde,0x91,0xf3,0xa4,0xe3,0x0b,0x5d,0x01,0xa0,0x85,0xb4,0x53, | |||
0xf2,0x2b,0xf3,0xdc,0x94,0x73,0x86,0xb0,0x42,0xe5,0xfc,0x4e, | 0xf2,0x2b,0xf3,0xdc,0x94,0x73,0x86,0xb0,0x42,0xe5,0xfc,0x4e, | |||
0xc6,0x91,0xfe,0xe4,0x7f,0xe3,0xc3,0xec,0x64,0x08,0xc2,0x2a, | 0xc6,0x91,0xfe,0xe4,0x7f,0xe3,0xc3,0xec,0x64,0x08,0xc2,0x2a, | |||
0x17,0xc2,0x6b,0xc0,0xab,0x73,0x94,0x09,0x10,0x61,0x4d,0x6f, | 0x17,0xc2,0x6b,0xc0,0xab,0x73,0x94,0x09,0x10,0x61,0x4d,0x6f, | |||
0xce,0xe3,0x2d,0xaf,0xbf,0xd2,0xd3,0x40,0xd6,0xe3,0x82,0xd7, | 0xce,0xe3,0x2d,0xaf,0xbf,0xd2,0xd3,0x40,0xd6,0xe3,0x82,0xd7, | |||
0x1b,0x1f,0xc7,0x63,0xd7,0xce,0xc5,0x02,0xfb,0xcb,0xcf,0x93, | 0x1b,0x1f,0xc7,0x63,0xd7,0xce,0xc5,0x02,0xfb,0xcb,0xcf,0x93, | |||
0xb4, | 0xb4, | |||
}; | }; | |||
const uint8_t tc_K[] = { | const unsigned char tc_K[] = { | |||
0x00,0x50,0x3e,0x75,0xe3,0x8e,0x01,0x2a,0x6d,0xc6,0xf3,0x56, | 0x00,0x50,0x3e,0x75,0xe3,0x8e,0x01,0x2a,0x6d,0xc6,0xf3,0x56, | |||
0x19,0x80,0xe4,0xcf,0x54,0x0d,0xbc,0xff,0x3d,0xe3,0xa4,0xa6, | 0x19,0x80,0xe4,0xcf,0x54,0x0d,0xbc,0xff,0x3d,0xe3,0xa4,0xa6, | |||
0xf0,0x9d,0x79,0xc3,0x2c,0xc4,0x57,0x64,0xd3,0xa6,0x60,0x5e, | 0xf0,0x9d,0x79,0xc3,0x2c,0xc4,0x57,0x64,0xd3,0xa6,0x60,0x5e, | |||
0xb4,0x5d,0xf1,0xdc,0x63,0xfb,0x79,0x37,0xb7,0x87,0x9f,0x28, | 0xb4,0x5d,0xf1,0xdc,0x63,0xfb,0x79,0x37,0xb7,0x87,0x9f,0x28, | |||
0x20,0xda,0x1b,0x32,0x66,0xb6,0x9f,0xa0,0x99,0xbf,0x87,0x20, | 0x20,0xda,0x1b,0x32,0x66,0xb6,0x9f,0xa0,0x99,0xbf,0x87,0x20, | |||
0xdd,0x8f,0x6a,0x07,0xe8,0xed, | 0xdd,0x8f,0x6a,0x07,0xe8,0xed, | |||
}; | }; | |||
const uint8_t tc_ISK_IR[] = { | const unsigned char tc_ISK_IR[] = { | |||
0xed,0x20,0x8a,0x15,0xaf,0x3e,0xf8,0xa6,0x7a,0x5c,0xac,0x4a, | 0xed,0x20,0x8a,0x15,0xaf,0x3e,0xf8,0xa6,0x7a,0x5c,0xac,0x4a, | |||
0xcb,0x36,0x0d,0x03,0x15,0x45,0x70,0xe3,0xb1,0xb1,0xc5,0x48, | 0xcb,0x36,0x0d,0x03,0x15,0x45,0x70,0xe3,0xb1,0xb1,0xc5,0x48, | |||
0x67,0xf5,0x3a,0x72,0x53,0xcb,0x91,0x9d,0x13,0xaa,0x47,0xef, | 0x67,0xf5,0x3a,0x72,0x53,0xcb,0x91,0x9d,0x13,0xaa,0x47,0xef, | |||
0xc6,0x47,0x37,0x5b,0xe2,0x25,0x0c,0xb3,0x9a,0xd9,0x65,0xaf, | 0xc6,0x47,0x37,0x5b,0xe2,0x25,0x0c,0xb3,0x9a,0xd9,0x65,0xaf, | |||
0xa4,0xdd,0xfc,0xb6,0xbe,0x47,0xd5,0x86,0xd2,0x8c,0x7e,0xef, | 0xa4,0xdd,0xfc,0xb6,0xbe,0x47,0xd5,0x86,0xd2,0x8c,0x7e,0xef, | |||
0x6d,0x65,0x45,0x25, | 0x6d,0x65,0x45,0x25, | |||
}; | }; | |||
const uint8_t tc_ISK_SY[] = { | const unsigned char tc_ISK_SY[] = { | |||
0xaa,0xe7,0x32,0x0b,0x73,0xba,0x25,0x16,0xf2,0x89,0xf7,0x10, | 0xe7,0xb1,0x0b,0x6d,0xa5,0x31,0xd9,0xa8,0xfd,0x47,0xfd,0xd0, | |||
0x88,0x66,0x2d,0x41,0xc4,0x31,0x4d,0x00,0x52,0x1c,0x48,0xea, | 0x84,0x41,0xe8,0xbb,0x80,0x3d,0x16,0xc5,0x9a,0x93,0xe3,0x66, | |||
0x3c,0x9c,0x85,0xea,0xca,0x57,0x11,0x2e,0x55,0xeb,0x2b,0x40, | 0xd5,0xcd,0x9a,0x10,0x27,0x7b,0xbc,0x54,0x3d,0x94,0x31,0x82, | |||
0x94,0xd4,0xa0,0xc7,0x81,0x3d,0xdd,0x95,0xc5,0xd8,0x0c,0x55, | 0x88,0x91,0x54,0x70,0x4d,0x80,0xf2,0xb0,0x75,0x6e,0xd6,0x2d, | |||
0x96,0xad,0x68,0x6d,0x2e,0xba,0x87,0x6b,0xa1,0xcd,0x92,0xf9, | 0xa8,0x7e,0x0e,0xb4,0xe6,0xd0,0x79,0x20,0x48,0x01,0x00,0xd5, | |||
0x04,0x07,0xaa,0x3d, | 0xe8,0x00,0xca,0x85, | |||
}; | }; | |||
B.7.8. Test case for scalar_mult_vfy with correct inputs | B.7.8. Test case for scalar_mult_vfy with correct inputs | |||
s: (length: 66 bytes) | s: (length: 66 bytes) | |||
0182dd7925f1753419e4bf83429763acd37d64000cd5a175edf53a15 | 0182dd7925f1753419e4bf83429763acd37d64000cd5a175edf53a15 | |||
87dd986bc95acc1506991702b6ba1a9ee2458fee8efc00198cf0088c | 87dd986bc95acc1506991702b6ba1a9ee2458fee8efc00198cf0088c | |||
480965ef65ff2048b856 | 480965ef65ff2048b856 | |||
X: (length: 133 bytes) | X: (length: 133 bytes) | |||
0400dc5078b24c4af1620cc10fbecc6cd8cf1cab0b011efb73c782f2 | 0400dc5078b24c4af1620cc10fbecc6cd8cf1cab0b011efb73c782f2 | |||
26dc21c7ca7eb406be74a69ecba5b4a87c07cfc6e687b4beca9a6eda | 26dc21c7ca7eb406be74a69ecba5b4a87c07cfc6e687b4beca9a6eda | |||
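Review bot: the parallel-mode transcript in B.7.6 is wire-incompatible between -10 and -11: o_cat now emits the two-byte tag 6f63 ("oc") before the ordered messages, so the ordered concatenation grows from 278 to 280 bytes, the ISK input from 397 to 399 bytes, and tc_ISK_SY changes, while tc_ISK_IR is unchanged. Renaming oCAT to o_cat in the caption is cosmetic, the "oc" tag is not, and nothing in this appendix flags it; a one-line note that symmetric-mode ISKs computed by -10 code will not match -11 peers would help implementers, because the mismatch only surfaces as a key-confirmation failure at the end of the handshake. The heading change "ANSI-C initializers" to "C programming language initializers" together with the `uint8_t` to `unsigned char` switch is consistent with no longer requiring C99 headers; if that is the intent, say so once rather than leaving readers to infer it from the diff.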
End of changes. 259 change blocks. | ||||
670 lines changed or deleted | 717 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |