Network Working Group M. Abdalla Internet-Draft Nexus - San Francisco Intended status: Informational B. Haase Expires: 30 March 2025 Endress + Hauser Liquid Analysis - Gerlingen J. Hesse IBM Research Europe - Zurich 26 September 2024 CPace, a balanced composable PAKE draft-irtf-cfrg-cpace-12 Abstract This document describes CPace which is a protocol that allows two parties that share a low-entropy secret (password) to derive a strong shared key without disclosing the secret to offline dictionary attacks. The CPace protocol was tailored for constrained devices and can be used on groups of prime- and non-prime order. Discussion Venues This note is to be removed before publishing as an RFC. Discussion of this document takes place on the Crypto Forum Research Group mailing list (cfrg@ietf.org), which is archived at https://mailarchive.ietf.org/arch/search/?email_list=cfrg. Source for this draft and an issue tracker can be found at https://github.com/cfrg/draft-irtf-cfrg-cpace. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 30 March 2025. Abdalla, et al. Expires 30 March 2025 [Page 1] Internet-Draft CPace September 2024 Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 6 1.1. Outline of this document . . . . . . . . . . . . . . . . 6 2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 7 3. High-level application perspective . . . . . . . . . . . . . 7 3.1. Optional CPace inputs . . . . . . . . . . . . . . . . . . 8 3.2. Optional CPace outputs . . . . . . . . . . . . . . . . . 9 3.3. Responsibilities of the application layer . . . . . . . . 9 4. CPace cipher suites . . . . . . . . . . . . . . . . . . . . . 9 5. Definitions and notation . . . . . . . . . . . . . . . . . . 10 5.1. Hash function H . . . . . . . . . . . . . . . . . . . . . 10 5.2. Group environment G . . . . . . . . . . . . . . . . . . . 11 5.3. Notation for string operations . . . . . . . . . . . . . 12 5.4. Notation for group operations . . . . . . . . . . . . . . 13 6. The CPace protocol . . . . . . . . . . . . . . . . . . . . . 13 6.1. Protocol flow . . . . . . . . . . . . . . . . . . . . . . 14 6.2. CPace protocol instructions . . . . . . . . . . . . . . . 14 7. Implementation of recommended CPace cipher suites . . . . . . 14 7.1. Common function for computing generators . . . . . . . . 15 7.2. CPace group objects G_X25519 and G_X448 for single-coordinate Ladders on Montgomery curves . . . . . 15 7.2.1. Verification tests . . . . . . . . . . . . . . . . . 17 7.3. CPace group objects G_Ristretto255 and G_Decaf448 for prime-order group abstractions . . . . . . . . . . . . . 17 7.3.1. Verification tests . . . . . . . . . . . . . . . . . 19 7.4. CPace group objects for curves in Short-Weierstrass representation . . . . . . . . . . . . . . . . . . . . . 19 7.4.1. Curves and associated functions . . . . . . . . . . . 19 7.4.2. Suitable encode_to_curve methods . . . . . . . . . . 20 7.4.3. Definition of the group environment G for Short-Weierstrass curves . . . . . . . . . . . . . . 20 7.4.4. Verification tests . . . . . . . . . . . . . . . . . 22 8. Implementation verification . . . . . . . . . . . . . . . . . 22 Abdalla, et al. Expires 30 March 2025 [Page 2] Internet-Draft CPace September 2024 9. Security Considerations . . . . . . . . . . . . . . . . . . . 23 9.1. Party identifiers and relay attacks . . . . . . . . . . . 23 9.2. Hashing protocol transcripts . . . . . . . . . . . . . . 24 9.3. Key derivation . . . . . . . . . . . . . . . . . . . . . 24 9.4. Key confirmation . . . . . . . . . . . . . . . . . . . . 24 9.5. Integrating CPace in higher-level protocols such as TLS1.3 . . . . . . . . . . . . . . . . . . . . . . . . . 25 9.6. Calculating a session identifier alongside with the CPace run . . . . . . . . . . . . . . . . . . . . . . . . . . 26 9.7. Sampling of scalars . . . . . . . . . . . . . . . . . . . 26 9.8. Preconditions for using the simplified CPace specification from Section 7.2 . . . . . . . . . . . . . . . . . . . . 26 9.9. Nonce values . . . . . . . . . . . . . . . . . . . . . . 27 9.10. Side channel attacks . . . . . . . . . . . . . . . . . . 27 9.11. Quantum computers . . . . . . . . . . . . . . . . . . . . 28 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 28 11. Reference implementation . . . . . . . . . . . . . . . . . . 28 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 29 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 29 13.1. Normative References . . . . . . . . . . . . . . . . . . 29 13.2. Informative References . . . . . . . . . . . . . . . . . 29 Appendix A. CPace function definitions . . . . . . . . . . . . . 31 A.1. Definition and test vectors for string utility functions . . . . . . . . . . . . . . . . . . . . . . . . 31 A.1.1. prepend_len function . . . . . . . . . . . . . . . . 31 A.1.2. prepend_len test vectors . . . . . . . . . . . . . . 32 A.1.3. lv_cat function . . . . . . . . . . . . . . . . . . . 33 A.1.4. Testvector for lv_cat() . . . . . . . . . . . . . . . 33 A.2. Definition of generator_string function. . . . . . . . . 33 A.3. Definitions and test vector ordered concatenation . . . . 34 A.3.1. Definitions for lexiographical ordering . . . . . . . 34 A.3.2. Definitions for ordered concatenation . . . . . . . . 34 A.3.3. Test vectors ordered concatenation . . . . . . . . . 34 A.3.4. Definitions for transcript_ir function . . . . . . . 35 A.3.5. Test vectors transcript_ir function . . . . . . . . . 35 A.3.6. Definitions for transcript_oc function . . . . . . . 35 A.3.7. Test vectors for transcript_oc function . . . . . . . 35 A.4. Decoding and Encoding functions according to RFC7748 . . 36 A.5. Elligator 2 reference implementation . . . . . . . . . . 36 Appendix B. Test vectors . . . . . . . . . . . . . . . . . . . . 37 B.1. Test vector for CPace using group X25519 and hash SHA-512 . . . . . . . . . . . . . . . . . . . . . . . . . 37 B.1.1. Test vectors for calculate_generator with group X25519 . . . . . . . . . . . . . . . . . . . . . . . 37 B.1.2. Test vector for message from A . . . . . . . . . . . 39 B.1.3. Test vector for message from B . . . . . . . . . . . 39 B.1.4. Test vector for secret points K . . . . . . . . . . . 39 Abdalla, et al. Expires 30 March 2025 [Page 3] Internet-Draft CPace September 2024 B.1.5. Test vector for ISK calculation initiator/ responder . . . . . . . . . . . . . . . . . . . . . . 39 B.1.6. Test vector for ISK calculation parallel execution . 40 B.1.7. Test vector for optional output of session id . . . . 40 B.1.8. Corresponding C programming language initializers . . 41 B.1.9. Testvectors as JSON file encoded as BASE64 . . . . . 43 B.1.10. Test vectors for G_X25519.scalar_mult_vfy: low order points . . . . . . . . . . . . . . . . . . . . . . . 43 B.2. Test vector for CPace using group X448 and hash SHAKE-256 . . . . . . . . . . . . . . . . . . . . . . . . 45 B.2.1. Test vectors for calculate_generator with group X448 . . . . . . . . . . . . . . . . . . . . . . . . 45 B.2.2. Test vector for message from A . . . . . . . . . . . 47 B.2.3. Test vector for message from B . . . . . . . . . . . 47 B.2.4. Test vector for secret points K . . . . . . . . . . . 48 B.2.5. Test vector for ISK calculation initiator/ responder . . . . . . . . . . . . . . . . . . . . . . 48 B.2.6. Test vector for ISK calculation parallel execution . 48 B.2.7. Test vector for optional output of session id . . . . 49 B.2.8. Corresponding C programming language initializers . . 49 B.2.9. Testvectors as JSON file encoded as BASE64 . . . . . 51 B.2.10. Test vectors for G_X448.scalar_mult_vfy: low order points . . . . . . . . . . . . . . . . . . . . . . . 52 B.3. Test vector for CPace using group ristretto255 and hash SHA-512 . . . . . . . . . . . . . . . . . . . . . . . . . 55 B.3.1. Test vectors for calculate_generator with group ristretto255 . . . . . . . . . . . . . . . . . . . . 55 B.3.2. Test vector for message from A . . . . . . . . . . . 57 B.3.3. Test vector for message from B . . . . . . . . . . . 57 B.3.4. Test vector for secret points K . . . . . . . . . . . 57 B.3.5. Test vector for ISK calculation initiator/ responder . . . . . . . . . . . . . . . . . . . . . . 57 B.3.6. Test vector for ISK calculation parallel execution . 58 B.3.7. Test vector for optional output of session id . . . . 58 B.3.8. Corresponding C programming language initializers . . 59 B.3.9. Testvectors as JSON file encoded as BASE64 . . . . . 61 B.3.10. Test case for scalar_mult with valid inputs . . . . . 61 B.3.11. Invalid inputs for scalar_mult_vfy . . . . . . . . . 62 B.4. Test vector for CPace using group decaf448 and hash SHAKE-256 . . . . . . . . . . . . . . . . . . . . . . . . 62 B.4.1. Test vectors for calculate_generator with group decaf448 . . . . . . . . . . . . . . . . . . . . . . 62 B.4.2. Test vector for message from A . . . . . . . . . . . 64 B.4.3. Test vector for message from B . . . . . . . . . . . 64 B.4.4. Test vector for secret points K . . . . . . . . . . . 65 B.4.5. Test vector for ISK calculation initiator/ responder . . . . . . . . . . . . . . . . . . . . . . 65 B.4.6. Test vector for ISK calculation parallel execution . 65 Abdalla, et al. Expires 30 March 2025 [Page 4] Internet-Draft CPace September 2024 B.4.7. Test vector for optional output of session id . . . . 66 B.4.8. Corresponding C programming language initializers . . 66 B.4.9. Testvectors as JSON file encoded as BASE64 . . . . . 68 B.4.10. Test case for scalar_mult with valid inputs . . . . . 69 B.4.11. Invalid inputs for scalar_mult_vfy . . . . . . . . . 70 B.5. Test vector for CPace using group NIST P-256 and hash SHA-256 . . . . . . . . . . . . . . . . . . . . . . . . . 70 B.5.1. Test vectors for calculate_generator with group NIST P-256 . . . . . . . . . . . . . . . . . . . . . . . . 70 B.5.2. Test vector for message from A . . . . . . . . . . . 71 B.5.3. Test vector for message from B . . . . . . . . . . . 72 B.5.4. Test vector for secret points K . . . . . . . . . . . 72 B.5.5. Test vector for ISK calculation initiator/ responder . . . . . . . . . . . . . . . . . . . . . . 72 B.5.6. Test vector for ISK calculation parallel execution . 73 B.5.7. Test vector for optional output of session id . . . . 74 B.5.8. Corresponding C programming language initializers . . 74 B.5.9. Testvectors as JSON file encoded as BASE64 . . . . . 76 B.5.10. Test case for scalar_mult_vfy with correct inputs . . 77 B.5.11. Invalid inputs for scalar_mult_vfy . . . . . . . . . 77 B.6. Test vector for CPace using group NIST P-384 and hash SHA-384 . . . . . . . . . . . . . . . . . . . . . . . . . 78 B.6.1. Test vectors for calculate_generator with group NIST P-384 . . . . . . . . . . . . . . . . . . . . . . . . 78 B.6.2. Test vector for message from A . . . . . . . . . . . 79 B.6.3. Test vector for message from B . . . . . . . . . . . 80 B.6.4. Test vector for secret points K . . . . . . . . . . . 80 B.6.5. Test vector for ISK calculation initiator/ responder . . . . . . . . . . . . . . . . . . . . . . 81 B.6.6. Test vector for ISK calculation parallel execution . 81 B.6.7. Test vector for optional output of session id . . . . 82 B.6.8. Corresponding C programming language initializers . . 82 B.6.9. Testvectors as JSON file encoded as BASE64 . . . . . 85 B.6.10. Test case for scalar_mult_vfy with correct inputs . . 85 B.6.11. Invalid inputs for scalar_mult_vfy . . . . . . . . . 86 B.7. Test vector for CPace using group NIST P-521 and hash SHA-512 . . . . . . . . . . . . . . . . . . . . . . . . . 87 B.7.1. Test vectors for calculate_generator with group NIST P-521 . . . . . . . . . . . . . . . . . . . . . . . . 87 B.7.2. Test vector for message from A . . . . . . . . . . . 89 B.7.3. Test vector for message from B . . . . . . . . . . . 89 B.7.4. Test vector for secret points K . . . . . . . . . . . 89 B.7.5. Test vector for ISK calculation initiator/ responder . . . . . . . . . . . . . . . . . . . . . . 90 B.7.6. Test vector for ISK calculation parallel execution . 91 B.7.7. Test vector for optional output of session id . . . . 91 B.7.8. Corresponding C programming language initializers . . 92 B.7.9. Testvectors as JSON file encoded as BASE64 . . . . . 94 Abdalla, et al. Expires 30 March 2025 [Page 5] Internet-Draft CPace September 2024 B.7.10. Test case for scalar_mult_vfy with correct inputs . . 95 B.7.11. Invalid inputs for scalar_mult_vfy . . . . . . . . . 96 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 97 1. Introduction This document describes CPace which is a balanced Password- Authenticated-Key-Establishment (PAKE) protocol for two parties where both parties derive a cryptographic key of high entropy from a shared secret of low-entropy. CPace protects the passwords against offline dictionary attacks by requiring adversaries to actively interact with a protocol party and by allowing for at most one single password guess per active interaction. The CPace design was tailored considering the following main objectives: * Efficiency: Deployment of CPace is feasible on resource- constrained devices. * Versatility: CPace supports different application scenarios via versatile input formats, and by supporting applications with and without clear initiator and responder roles. * Implementation error resistance: CPace aims at avoiding common implementation pitfalls already by-design, such as avoiding incentives for insecure execution-time speed optimizations. For smooth integration into different cryptographic library ecosystems, this document provides a variety of cipher suites. * Post-quantum annoyance: CPace comes with mitigations with respect to adversaries that become capable of breaking the discrete logarithm problem on elliptic curves. 1.1. Outline of this document * Section 3 describes the expected properties of an application using CPace, and discusses in particular which application-level aspects are relevant for CPace's security. * Section 4 gives an overview of the recommended cipher suites for CPace which were optimized for different types of cryptographic library ecosystems. * Section 5 introduces the notation used throughout this document. * Section 6 specifies the CPace protocol. Abdalla, et al. Expires 30 March 2025 [Page 6] Internet-Draft CPace September 2024 * The final section provides explicit reference implementations and test vectors of all of the functions defined for CPace in the appendix. As this document is primarily written for implementers and application designers, we would like to refer the theory-inclined reader to the scientific papers [AHH21] which covers the detailed security analysis of the different CPace instantiations as defined in this document via the cipher suites. 2. Requirements Notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 3. High-level application perspective CPace enables balanced password-authenticated key establishment. CPace requires a shared secret octet string, the password-related string (PRS), is available for both parties A and B. PRS can be a low-entropy secret itself, for instance a clear-text password encoded according to [RFC8265], or any string derived from a common secret, for instance by use of a password-based key derivation function. Applications with clients and servers where the server side is storing account and password information in its persistent memory are recommended to use augmented PAKE protocols such as OPAQUE [I-D.irtf-cfrg-opaque]. In the course of the CPace protocol, A sends one message to B and B sends one message to A. CPace does not mandate any ordering of these two messages. We use the term "initiator-responder" for CPace where A always speaks first, and the term "symmetric" setting where anyone can speak first. CPace's output is an intermediate session key (ISK), but any party might abort in case of an invalid received message. A and B will produce the same ISK value only if both sides did initiate the protocol using the same protocol inputs, specifically the same PRS string and the same value for the optional input parameters CI, ADa, ADb and sid that will be specified in the upcoming sections. Abdalla, et al. Expires 30 March 2025 [Page 7] Internet-Draft CPace September 2024 The naming of ISK key as "intermediate" session key highlights the fact that it is RECOMMENDED that applications process ISK by use of a suitable strong key derivation function KDF (such as defined in [RFC5869]) before using the key in a higher-level protocol. 3.1. Optional CPace inputs For accomodating different application settings, CPace offers the following OPTIONAL inputs, i.e. inputs which MAY also be the empty string: * Party identity strings (A,B). In CPace each party can be be given a party identity string which might be a device name a user name or an URL. CPace offers two alternative options for authenticating the party identifiers in the course of the protocol run. The RECOMMENDED option is to integrate of both, A and B into the channel identifier string CI. This option is to be preferred as A and B will be kept confidential and as this provides security advantages (see Section 9.11 and Section 9.1). Integrating A,B into CI, however, requires that both parties know the party identity string of the communication partner before starting the protocol. If this requirement is not fullfilled in an application setting then CPace offers the alternative of integrating A as part of the optional input ADa and B as part of the optional input ADb. * Channel identifier (CI). CI can be used to bind a session key exchanged with CPace to a specific networking channel which interconnects the protocol parties. CI could for instance include networking addresses of both parties or party identity strings. Both parties are required to have the same view of CI. CI will not be publicly sent on the wire and may also include confidential information. Both parties will only establish a common session key if they initiated the protocol with the same view of CI. * Associated data fields (ADa and ADb). These fields can be used for authenticating associated data alongside the CPace protocol. The ADa and ADb will be sent in clear text as part of the protocol messages. ADa and ADb will become authenticated in a CPace protocol run as both parties will only agree on a common key if they have had the same view on ADa and ADb. If an application cannot integrate the party identities (A,B) as part of CI, A SHOULD BE included in ADa and B SHOULD BE included in ADb instead (see Section 9.1). In a setting with clear initiator and responder roles, identity information in ADa sent by the initiator can be used by the responder for choosing the appropriate PRS string (respectively Abdalla, et al. Expires 30 March 2025 [Page 8] Internet-Draft CPace September 2024 password) for this identity. ADa and ADb could also include application protocol version information of an application protocol (e.g. to avoid downgrade attacks). * Session identifier (sid). If both parties have access to the same unique octet string sid being specific for a communication session before starting the protocol, it is RECOMMENDED to forward this sid value as an additional input for the protocol as this provides security advantages and will bind the CPace run to this communication session (see Section 9). 3.2. Optional CPace outputs If a session identifier is not available as input at protocol start CPace can optionally produce a session identifier sid_output as output that might be helpful for the application for actions subsequent to the CPace protocol step (see Section 9.6, [BGHJ24]). 3.3. Responsibilities of the application layer The following tasks are out of the scope of this document and left to the application layer * Setup phase: The application layer is responsible for the handshake that makes parties agree on a common CPace cipher suite. * This document does not specify which encodings applications use for the mandatory PRS input and the optional inputs CI, sid, ADa and ADb. If PRS is a clear-text password or an octet string derived from a clear-text password, e.g. by use of a key- derivation function, the clear-text password SHOULD BE encoded according to [RFC8265]. * The application needs to settle whether CPace is used in the initiator-responder or the symmetric setting, as in the symmetric setting transcripts ordered string concatenation must be used for generating protocol transcripts and when integrating the identity strings A and B into the channel identifier CI. In this document we will provide test vectors for both, initiator-responder and symmetric settings. 4. CPace cipher suites In the setup phase of CPace, both communication partners need to agree on a common cipher suite. Cipher suites consist of a combination of a hash function H and an elliptic curve environment G. Abdalla, et al. Expires 30 March 2025 [Page 9] Internet-Draft CPace September 2024 For naming cipher suites we use the convention "CPACE-G-H". We RECOMMEND the following cipher suites: * CPACE-X25519-SHA512. This suite uses the group environment G_X25519 defined in Section 7.2 and SHA-512 as hash function. This cipher suite comes with the smallest messages on the wire and a low computational cost. * CPACE-P256_XMD:SHA-256_SSWU_NU_-SHA256. This suite instantiates the group environment G as specified in Section 7.4 using the encode_to_curve function P256_XMD:SHA-256_SSWU_NU_ from [RFC9380] on curve NIST-P256, and hash function SHA-256. The following RECOMMENDED cipher suites provide higher security margins. * CPACE-X448-SHAKE256. This suite uses the group environment G_X448 defined in Section 7.2 and SHAKE-256 as hash function. * CPACE-P384_XMD:SHA-384_SSWU_NU_-SHA384. This suite instantiates G as specified in Section 7.4 using the encode_to_curve function P384_XMD:SHA-384_SSWU_NU_ from [RFC9380] on curve NIST-P384 with H = SHA-384. * CPACE-P521_XMD:SHA-512_SSWU_NU_-SHA512. This suite instantiates G as specified in Section 7.4 using the encode_to_curve function P521_XMD:SHA-512_SSWU_NU_ from [RFC9380] on curve NIST-P521 with H = SHA-512. CPace can also securely be implemented using the cipher suites CPACE- RISTR255-SHA512 and CPACE-DECAF448-SHAKE256 defined in Section 7.3. Section 9 gives guidance on how to implement CPace on further elliptic curves. 5. Definitions and notation 5.1. Hash function H Common choices for H are SHA-512 [RFC6234] or SHAKE-256 [FIPS202]. (I.e. the hash function outputs octet strings, and not group elements.) For considering both variable-output-length hashes and fixed-output-length hashes, we use the following convention. In case that the hash function is specified for a fixed-size output, we define H.hash(m,l) such that it returns the first l octets of the output. We use the following notation for referring to the specific properties of a hash function H: Abdalla, et al. Expires 30 March 2025 [Page 10] Internet-Draft CPace September 2024 * H.hash(m,l) is a function that operates on an input octet string m and returns a hashing result of l octets. * H.b_in_bytes denotes the minimum output size in bytes for collision resistance for the security level target of the hash function. E.g. H.b_in_bytes = 64 for SHA-512 and SHAKE-256 and H.b_in_bytes = 32 for SHA-256 and SHAKE-128. We use the notation H.hash(m) = H.hash(m, H.b_in_bytes) and let the hash operation output the default length if no explicit length parameter is given. * H.bmax_in_bytes denotes the _maximum_ output size in octets supported by the hash function. In case of fixed-size hashes such as SHA-256, this is the same as H.b_in_bytes, while there is no such limit for hash functions such as SHAKE-256. * H.s_in_bytes denotes the _input block size_ used by H. This number denotes the maximum number of bytes that can be processed in a single block before applying the compression function or permutation becomes necessary. (See also [RFC2104] for the corresponding block size concepts). For instance, for SHA-512 the input block size s_in_bytes is 128 as the compression function can process up to 128 bytes, while for SHAKE-256 the input block size amounts to 136 bytes before the permutation of the sponge state needs to be applied. 5.2. Group environment G The group environment G specifies an elliptic curve group (also denoted G for convenience) and associated constants and functions as detailed below. In this document we use additive notation for the group operation. * G.calculate_generator(H,PRS,CI,sid) denotes a function that outputs a representation of a generator (referred to as "generator" from now on) of the group which is derived from input octet strings PRS, CI, and sid and with the help of the hash function H. * G.sample_scalar() is a function returning a representation of an integer (referred to as "scalar" from now on) appropriate as a private Diffie-Hellman key for the group. * G.scalar_mult(y,g) is a function operating on a scalar y and a group element g. It returns an octet string representation of the group element Y = g*y. Abdalla, et al. Expires 30 March 2025 [Page 11] Internet-Draft CPace September 2024 * G.I denotes a unique octet string representation of the neutral element of the group. G.I is used for detecting and signaling certain error conditions. * G.scalar_mult_vfy(y,g) is a function operating on a scalar y and a group element g. It returns an octet string representation of the group element g*y. Additionally, scalar_mult_vfy specifies validity conditions for y,g and g*y and outputs G.I in case they are not met. * G.DSI denotes a domain-separation identifier octet string which SHALL be uniquely identifying the group environment G. 5.3. Notation for string operations * bytes1 || bytes2 and denotes concatenation of octet strings. * len(S) denotes the number of octets in an octet string S. * nil denotes an empty octet string, i.e., len(nil) = 0. * This document uses quotation marks "" both for general language (e.g. for citation of notation used in other documents) and as syntax for specifying octet strings as in b"CPace25519". We use a preceeding lower-case letter b"" in front of the quotation marks if a character sequence is representing an octet string sequence. I.e. we use the notation convention for byte string representations with single-byte ASCII character encodings from the python programming language. * LEB128 denotes an algorithm that converts an integer to a variable size string. The algorithm encodes 7 bits per byte starting with the least significant bits in bits #0 to #6. As long as significant bits remain, bit #7 will be set. This will result in a single-byte encoding for values below 128. Test vectors and reference implementations for LEB128 encodings are given in the appendix. * prepend_len(octet_string) denotes the octet sequence that is obtained from prepending the length of the octet string to the string itself. The length shall be prepended by using an LEB128 encoding of the length. Test vectors and reference implementations for prepend_len are given in the appendix. Abdalla, et al. Expires 30 March 2025 [Page 12] Internet-Draft CPace September 2024 * lv_cat(a0,a1, ...) is the "length-value" encoding function which returns the concatenation of the input strings with an encoding of their respective length prepended. E.g. lv_cat(a0,a1) returns prepend_len(a0) || prepend_len(a1). The detailed specification of lv_cat and a reference implementations are given in the appendix. * sample_random_bytes(n) denotes a function that returns n octets, each of which is to be independently sampled from an uniform distribution between 0 and 255. * zero_bytes(n) denotes a function that returns n octets with value 0. * o_cat(bytes1,bytes2) denotes a function for ordered concatenation of octet strings. It places the lexiographically larger octet string first and prepends the two bytes from the octet string b"oc" to the result. (Explicit reference code for this function is given in the appendix.) * transcript(Ya,ADa,Yb,ADb) denotes a function outputing an octet string for the protocol transcript. In applications where CPace is used without clear initiator and responder roles, i.e. where the ordering of messages is not enforced by the protocol flow, transcript_oc(Ya,Yb,ADa,ADb) = o_cat(lv_cat(Ya,ADa),lv_cat(Yb, ADb)) SHALL be used. In the initiator-responder setting the implementation transcript_ir(Ya,Yb,ADa,ADb) = lv_cat(Ya,ADa) || lv_cat(Yb, ADb) SHALL be used. 5.4. Notation for group operations We use additive notation for the group, i.e., X*2 denotes the element that is obtained by computing X+X, for group element X and group operation +. 6. The CPace protocol CPace is a one round protocol between two parties, A and B. At invocation, A and B are provisioned with PRS,G,H and OPTIONAL CI,sid,ADa (for A) and CI,sid,ADb (for B). A sends the public share Ya and OPTIONAL associated data ADa (i.e. an ADa field that MAY have a length of 0 bytes) to B. Likewise, B sends the public share Yb and OPTIONAL associated data ADb (i.e. an ADb field that MAY have a length of 0 bytes). Both A and B use the received messages for deriving a shared intermediate session key, ISK. Abdalla, et al. Expires 30 March 2025 [Page 13] Internet-Draft CPace September 2024 6.1. Protocol flow Optional parameters and messages are denoted with []. public: G, H A: PRS,[ADa],[CI],[sid] B: PRS,[ADb],[CI],[sid] --------------------------------------- compute Ya | Ya,[ADa] | compute Yb |----------------->| | Yb,[ADb] | verify inputs |<-----------------| verify inputs derive ISK | | derive ISK --------------------------------------- output ISK output ISK 6.2. CPace protocol instructions A computes a generator g = G.calculate_generator(H,PRS,CI,sid), scalar ya = G.sample_scalar() and group element Ya = G.scalar_mult (ya,g). A then transmits Ya and optional associated data ADa to B. B computes a generator g = G.calculate_generator(H,PRS,CI,sid), scalar yb = G.sample_scalar() and group element Yb = G.scalar_mult(yb,g). B sends Yb and optional associated data ADb to A. B then computes K = G.scalar_mult_vfy(yb,Ya). B MUST abort if K=G.I. Otherwise B calculates ISK = H.hash(lv_cat(G.DSI || b"_ISK", sid, K)||transcript(Ya,ADa,Yb,ADb)). B returns ISK and terminates. Likewise upon reception of the message from B, A computes K = G.scalar_mult_vfy(ya,Yb). A MUST abort if K=G.I. Otherwise A calculates ISK = H.hash(lv_cat(G.DSI || b"_ISK", sid, K) || transcript(Ya,ADa,Yb,ADb)). A returns ISK and terminates. The session key ISK returned by A and B is identical if and only if the supplied input parameters PRS, CI and sid match on both sides and transcript view of both parties match. 7. Implementation of recommended CPace cipher suites Abdalla, et al. Expires 30 March 2025 [Page 14] Internet-Draft CPace September 2024 7.1. Common function for computing generators The different cipher suites for CPace defined in the upcoming sections share the same method for deterministically combining the individual strings PRS, CI, sid and the domain-separation identifier DSI to a generator string that we describe here. * generator_string(DSI, PRS, CI, sid, s_in_bytes) denotes a function that returns the string lv_cat(DSI, PRS, zero_bytes(len_zpad), CI, sid). * len_zpad = MAX(0, s_in_bytes - len(prepend_len(PRS)) - len(prepend_len(G.DSI)) - 1) The zero padding of length len_zpad is designed such that the encoding of DSI and PRS together with the zero padding field completely fills at least the first input block (of length s_in_bytes) of the hash. As a result for the common case of short PRS the number of bytes to hash becomes independent of the actual length of the password (PRS). (A reference implementation and test vectors are provided in the appendix.) The introduction of a zero-padding within the generator string also helps mitigating attacks of a side-channel adversary that analyzes correlations between publicly known variable information with a short low-entropy PRS string. Note that the hash of the first block is intentionally made independent of session-specific inputs, such as sid or CI and that there is no limitation regarding the maximum length of the PRS string. 7.2. CPace group objects G_X25519 and G_X448 for single-coordinate Ladders on Montgomery curves In this section we consider the case of CPace when using the X25519 and X448 Diffie-Hellman functions from [RFC7748] operating on the Montgomery curves Curve25519 and Curve448 [RFC7748]. CPace implementations using single-coordinate ladders on further Montgomery curves SHALL use the definitions in line with the specifications for X25519 and X448 and review the guidance given in Section 9. For the group environment G_X25519 the following definitions apply: * G_X25519.field_size_bytes = 32 * G_X25519.field_size_bits = 255 * G_X25519.sample_scalar() = sample_random_bytes(G.field_size_bytes) Abdalla, et al. Expires 30 March 2025 [Page 15] Internet-Draft CPace September 2024 * G_X25519.scalar_mult(y,g) = G.scalar_mult_vfy(y,g) = X25519(y,g) * G_X25519.I = zero_bytes(G.field_size_bytes) * G_X25519.DSI = b"CPace255" CPace cipher suites using G_X25519 MUST use a hash function producing at least H.b_max_in_bytes >= 32 bytes of output. It is RECOMMENDED to use G_X25519 in combination with SHA-512. For X448 the following definitions apply: * G_X448.field_size_bytes = 56 * G_X448.field_size_bits = 448 * G_X448.sample_scalar() = sample_random_bytes(G.field_size_bytes) * G_X448.scalar_mult(y,g) = G.scalar_mult_vfy(y,g) = X448(y,g) * G_X448.I = zero_bytes(G.field_size_bytes) * G_X448.DSI = b"CPace448" CPace cipher suites using G_X448 MUST use a hash function producing at least H.b_max_in_bytes >= 56 bytes of output. It is RECOMMENDED to use G_X448 in combination with SHAKE-256. For both G_X448 and G_X25519 the G.calculate_generator(H, PRS,sid,CI) function shall be implemented as follows. * First gen_str = generator_string(G.DSI,PRS,CI,sid, H.s_in_bytes) SHALL BE calculated using the input block size of the chosen hash function. * This string SHALL then BE hashed to the required length gen_str_hash = H.hash(gen_str, G.field_size_bytes). Note that this implies that the permissible output length H.maxb_in_bytes MUST BE larger or equal to the field size of the group G for making a hashing function suitable. * This result is then considered as a field coordinate using the u = decodeUCoordinate(gen_str_hash, G.field_size_bits) function from [RFC7748] which we repeat in the appendix for convenience. Abdalla, et al. Expires 30 March 2025 [Page 16] Internet-Draft CPace September 2024 * The result point g is then calculated as (g,v) = map_to_curve_elligator2(u) using the function from [RFC9380]. Note that the v coordinate produced by the map_to_curve_elligator2 function is not required for CPace and discarded. The appendix repeats the definitions from [RFC9380] for convenience. In the appendix we show sage code that can be used as reference implementation. 7.2.1. Verification tests For single-coordinate Montgomery ladders on Montgomery curves verification tests according to Section 8 SHALL check for proper handling of the abort conditions, when a party is receiving u coordinate values that encode a low-order point on either the curve or the quadratic twist. In addition to that in case of G_X25519 the tests SHALL also verify that the implementation of G.scalar_mult_vfy(y,g) produces the expected results for non-canonical u coordinate values with bit #255 set, which may also encode low-order points. Corresponding test vectors are provided in the appendix. 7.3. CPace group objects G_Ristretto255 and G_Decaf448 for prime-order group abstractions In this section we consider the case of CPace using the Ristretto255 and Decaf448 group abstractions [I-D.draft-irtf-cfrg-ristretto255-decaf448]. These abstractions define an encode and decode function, group operations using an internal encoding and an element-derivation function that maps a byte string to a group element. With the group abstractions there is a distinction between an internal representation of group elements and an external encoding of the same group element. In order to distinguish between these different representations, we prepend an underscore before values using the internal representation within this section. For Ristretto255 the following definitions apply: * G_Ristretto255.DSI = b"CPaceRistretto255" * G_Ristretto255.field_size_bytes = 32 * G_Ristretto255.group_size_bits = 252 Abdalla, et al. Expires 30 March 2025 [Page 17] Internet-Draft CPace September 2024 * G_Ristretto255.group_order = 2^252 + 27742317777372353535851937790883648493 CPace cipher suites using G_Ristretto255 MUST use a hash function producing at least H.b_max_in_bytes >= 64 bytes of output. It is RECOMMENDED to use G_Ristretto255 in combination with SHA-512. For decaf448 the following definitions apply: * G_Decaf448.DSI = b"CPaceDecaf448" * G_Decaf448.field_size_bytes = 56 * G_Decaf448.group_size_bits = 445 * G_Decaf448.group_order = l = 2^446 - 1381806680989511535200738674851542 6880336692474882178609894547503885 CPace cipher suites using G_Decaf448 MUST use a hash function producing at least H.b_max_in_bytes >= 112 bytes of output. It is RECOMMENDED to use G_Decaf448 in combination with SHAKE-256. For both abstractions the following definitions apply: * It is RECOMMENDED to implement G.sample_scalar() as follows. - Set scalar = sample_random_bytes(G.group_size_bytes). - Then clear the most significant bits larger than G.group_size_bits. - Interpret the result as the little-endian encoding of an integer value and return the result. * Alternatively, if G.sample_scalar() is not implemented according to the above recommendation, it SHALL be implemented using uniform sampling between 1 and (G.group_order - 1). Note that the more complex uniform sampling process can provide a larger side-channel attack surface for embedded systems in hostile environments. * G.scalar_mult(y,_g) SHALL operate on a scalar y and a group element _g in the internal representation of the group abstraction environment. It returns the value Y = encode((_g) * y), i.e. it returns a value using the public encoding. * G.I = is the public encoding representation of the identity element. Abdalla, et al. Expires 30 March 2025 [Page 18] Internet-Draft CPace September 2024 * G.scalar_mult_vfy(y,X) operates on a value using the public encoding and a scalar and is implemented as follows. If the decode(X) function fails, it returns G.I. Otherwise it returns encode( decode(X) * y ). * The G.calculate_generator(H, PRS,sid,CI) function SHALL return a decoded point and SHALL BE implemented as follows. - First gen_str = generator_string(G.DSI,PRS,CI,sid, H.s_in_bytes) is calculated using the input block size of the chosen hash function. - This string is then hashed to the required length gen_str_hash = H.hash(gen_str, 2 * G.field_size_bytes). Note that this implies that the permissible output length H.maxb_in_bytes MUST BE larger or equal to twice the field size of the group G for making a hash function suitable. - Finally the internal representation of the generator _g is calculated as _g = element_derivation(gen_str_hash) using the element derivation function from the abstraction. Note that with these definitions the scalar_mult function operates on a decoded point _g and returns an encoded point, while the scalar_mult_vfy(y,X) function operates on an encoded point X (and also returns an encoded point). 7.3.1. Verification tests For group abstractions verification tests according to Section 8 SHALL check for proper handling of the abort conditions, when a party is receiving encodings of the neutral element or receives an octet string that does not decode to a valid group element. 7.4. CPace group objects for curves in Short-Weierstrass representation The group environment objects G defined in this section for use with Short-Weierstrass curves, are parametrized by the choice of an elliptic curve and by choice of a suitable encode_to_curve function. encode_to_curve must map an octet string to a point on the curve. 7.4.1. Curves and associated functions Elliptic curves in Short-Weierstrass form are considered in [IEEE1363]. [IEEE1363] allows for both, curves of prime and non- prime order. However, for the procedures described in this section any suitable group MUST BE of prime order. Abdalla, et al. Expires 30 March 2025 [Page 19] Internet-Draft CPace September 2024 The specification for the group environment objects specified in this section closely follow the ECKAS-DH1 method from [IEEE1363]. I.e. we use the same methods and encodings and protocol substeps as employed in the TLS [RFC5246] [RFC8446] protocol family. For CPace only the uncompressed full-coordinate encodings from [SEC1] (x and y coordinate) SHOULD be used. Commonly used curve groups are specified in [SEC2] and [RFC5639]. A typical representative of such a Short-Weierstrass curve is NIST-P256. Point verification as used in ECKAS-DH1 is described in Annex A.16.10. of [IEEE1363]. For deriving Diffie-Hellman shared secrets ECKAS-DH1 from [IEEE1363] specifies the use of an ECSVDP-DH method. We use ECSVDP-DH in combination with the identy map such that it either returns "error" or the x-coordinate of the Diffie-Hellman result point as shared secret in big endian format (fixed length output by FE2OSP without truncating leading zeros). 7.4.2. Suitable encode_to_curve methods All the encode_to_curve methods specified in [RFC9380] are suitable for CPace. For Short-Weierstrass curves it is RECOMMENDED to use the non-uniform variant of the SSWU mapping primitive from [RFC9380] if a SSWU mapping is available for the chosen curve. (We recommend non- uniform maps in order to give implementations the flexibility to opt for x-coordinate-only scalar multiplication algorithms.) 7.4.3. Definition of the group environment G for Short-Weierstrass curves In this paragraph we use the following notation for defining the group object G for a selected curve and encode_to_curve method: * With G.group_order we denote the order of the elliptic curve which MUST BE a prime. * With is_valid(X) we denote a method which operates on an octet stream according to [SEC1] of a point on the group and returns true if the point is valid and returns false otherwise. This is_valid(X) method SHALL be implemented according to Annex A.16.10. of [IEEE1363]. I.e. it shall return false if X encodes either the neutral element on the group or does not form a valid encoding of a point on the group. Abdalla, et al. Expires 30 March 2025 [Page 20] Internet-Draft CPace September 2024 * With encode_to_curve(str,DST) we denote a mapping function from [RFC9380]. I.e. a function that maps octet string str to a point on the group using the domain separation tag DST. [RFC9380] considers both, uniform and non-uniform mappings based on several different strategies. It is RECOMMENDED to use the nonuniform variant of the SSWU mapping primitive within [RFC9380]. * G.DSI denotes a domain-separation identifier octet string. G.DSI which SHALL BE obtained by the concatenation of b"CPace" and the associated name of the cipher suite used for the encode_to_curve function as specified in [RFC9380]. E.g. when using the map with the name P384_XMD:SHA-384_SSWU_NU_ on curve NIST-P384 the resulting value SHALL BE G.DSI = b"CPaceP384_XMD:SHA- 384_SSWU_NU_". Using the above definitions, the CPace functions required for the group object G are defined as follows. * G.DST denotes the domain-separation tag value to use in conjunction with the encode_to_curve function from [RFC9380]. G.DST shall be obtained by concatenating G.DSI and b"_DST". * G.sample_scalar() SHALL return a value between 1 and (G.group_order - 1). The sampling SHALL BE indistinguishable from uniform random selection between 1 and (G.group_order - 1). It is RECOMMENDED to use a constant-time rejection sampling algorithm for converting a uniform bitstring to a uniform value between 1 and (G.group_order - 1). * G.calculate_generator(H, PRS,sid,CI) function SHALL be implemented as follows. - First gen_str = generator_string(G.DSI,PRS,CI,sid, H.s_in_bytes) is calculated. - Then the output of a call to encode_to_curve(gen_str, G.DST) is returned, using the selected suite from [RFC9380]. Abdalla, et al. Expires 30 March 2025 [Page 21] Internet-Draft CPace September 2024 * G.scalar_mult(s,X) is a function that operates on a scalar s and an input point X. The input X shall use the same encoding as produced by the G.calculate_generator method above. G.scalar_mult(s,X) SHALL return an encoding of either the point X*s or the point X*(-s) according to [SEC1]. Implementations SHOULD use the full-coordinate format without compression, as important protocols such as TLS 1.3 removed support for compression. Implementations of scalar_mult(s,X) MAY output either X*s or X*(-s) as both points X*s and X*(-s) have the same x-coordinate and result in the same Diffie-Hellman shared secrets K. (This allows implementations to opt for x-coordinate-only scalar multiplication algorithms.) * G.scalar_mult_vfy(s,X) merges verification of point X according to [IEEE1363] A.16.10. and the the ECSVDP-DH procedure from [IEEE1363]. It SHALL BE implemented as follows: - If is_valid(X) = False then G.scalar_mult_vfy(s,X) SHALL return "error" as specified in [IEEE1363] A.16.10 and 7.2.1. - Otherwise G.scalar_mult_vfy(s,X) SHALL return the result of the ECSVDP-DH procedure from [IEEE1363] (section 7.2.1). I.e. it shall either return "error" (in case that X*s is the neutral element) or the secret shared value "z" (otherwise). "z" SHALL be encoded by using the big-endian encoding of the x-coordinate of the result point X*s according to [SEC1]. * We represent the neutral element G.I by using the representation of the "error" result case from [IEEE1363] as used in the G.scalar_mult_vfy method above. 7.4.4. Verification tests For Short-Weierstrass curves verification tests according to Section 8 SHALL check for proper handling of the abort conditions, when a party is receiving an encoding of the point at infinity and an encoding of a point not on the group. 8. Implementation verification Any CPace implementation MUST be tested against invalid or weak point attacks. Implementation MUST be verified to abort upon conditions where G.scalar_mult_vfy functions outputs G.I. For testing an implementation it is RECOMMENDED to include weak or invalid point encodings within the messages of party A and B and introduce this in a protocol run. It SHALL be verified that the abort condition is properly handled. Abdalla, et al. Expires 30 March 2025 [Page 22] Internet-Draft CPace September 2024 Corresponding test vectors are given in the appendix for all recommended cipher suites. 9. Security Considerations A security proof of CPace is found in [AHH21]. This proof covers all recommended cipher suites included in this document. The security analysis in [BGHJ24] extends the analysis from [AHH21] and covers also the case that no pre-agreed session identifier is available. [BGHJ24] also shows how a session id sid_output can be generated along with the protocol for applications that do not have a session identifier input available. 9.1. Party identifiers and relay attacks If unique strings identifying the protocol partners are included either as part of the channel identifier CI or the associated data fields ADa, ADb, then ISK will provide implicit authentication also regarding the party identities. Incorporating party identifier strings is important for fending off relay attacks. Such attacks become relevant in a setting where several parties, say, A, B and C, share the same password PRS. An adversary might relay messages from a honest user A, who aims at interacting with user B, to a party C instead. If no party identifier strings are used and B and C share the same PRS value then A might be using CPace for establishing a common ISK key with C while assuming to interact with party B. Including and checking party identifiers can fend off such relay attacks. The following guidance SHOULD be followed regarding party identifiers. * If an application layer has party identifiers available, it SHOULD integrate party identifiers in the CPace protocol run, either within CI or ADa/ADb. * The application SHOULD give preference to the option of integrating party identifiers in CI. This avoids the need of an explicit check for the identity strings. * Otherwise A SHOULD integrate its party identifiers in ADa and ADb, such that A integrates its identifier in ADa and B integrates its party identifier as part of ADb. In this case the application layer will have to add an explicit check for the identity string of the actual communication partner for fending off relay attacks. Abdalla, et al. Expires 30 March 2025 [Page 23] Internet-Draft CPace September 2024 9.2. Hashing protocol transcripts CPace prepends the length of all variable-size input strings before hashing data. Prepending the length of all variable-size input strings results in a so-called prefix-free encoding of transcript strings, using terminology introduced in [CDMP05]. This property allows for disregarding length-extension imperfections that come with the commonly used Merkle-Damgard hash function constructions such as SHA256 and SHA512 [CDMP05]. 9.3. Key derivation Although already K is a shared value, it MUST NOT itself be used as an application key. Instead, ISK MUST BE used. Leakage of K to an adversary can lead to offline dictionary attacks. As noted already in Section 6 it is RECOMMENDED to process ISK by use of a suitable strong key derivation function KDF (such as defined in [RFC5869]) first, before using the key in a higher-level protocol. 9.4. Key confirmation In many applications it is advisable to add an explicit key confirmation round after the CPace protocol flow. However, as some applications might only require implicit authentication and as explicit authentication messages are already a built-in feature in many higher-level protocols (e.g. TLS 1.3) the CPace protocol described here does not mandate use of a key confirmation on the level of the CPace sub-protocol. Already without explicit key confirmation, CPace enjoys weak forward security under the sCDH and sSDH assumptions [AHH21]. With added explicit confirmation, CPace enjoys perfect forward security also under the strong sCDH and sSDH assumptions [AHH21]. Note that in [ABKLX21] it was shown that an idealized variant of CPace also enjoys perfect forward security without explicit key confirmation. However this proof does not explicitly cover the recommended cipher suites in this document and requires the stronger assumption of an algebraic adversary model. For this reason, we recommend adding explicit key confirmation if perfect forward security is required. When implementing explicit key confirmation, it is recommended to use an appropriate message-authentication code (MAC) such as HMAC [RFC2104] or CMAC [RFC4493] using a key mac_key derived from ISK. Abdalla, et al. Expires 30 March 2025 [Page 24] Internet-Draft CPace September 2024 One suitable option that works also in the parallel setting without message ordering is to proceed as follows. * First calculate mac_key as mac_key = H.hash(b"CPaceMac" || sid || ISK). * Then let each party send an authenticator tag Ta, Tb that is calculated over the protocol message that it has sent previously. I.e. let party A calculate its transmitted authentication code Ta as Ta = MAC(mac_key, lv_cat(Ya,ADa)) and let party B calculate its transmitted authentication code Tb as Tb = MAC(mac_key, , lv_cat(Yb,ADb)). * Let the receiving party check the remote authentication tag for the correct value and abort in case that it's incorrect. 9.5. Integrating CPace in higher-level protocols such as TLS1.3 When integrating CPace into a higher-level protocol such as TLS1.3 [RFC8446] it is recommended to use ISK as shared secret (which might otherwise be generated as part of a Diffie-Hellman key exchange output for other cipher suites). Note that unlike the shared secret of a Diffie-Hellman protocol run, ISK will also provide mutual implicit authentication of the protocol partners. For providing explicit authentication, it is recommended to add a key confirmation round along the lines in Section 9.4, such as e.g. done in the "Finished" messages in TLS1.3 [RFC8446]. If an embedding protocol uses more than two messages (e.g. four message TLS1.3 [RFC8446] flows involving a hello-retry message and a repeated client-hello message) it is suggested that the CPace layer only considers the two messages used for the CPace run. I.e. it is suggested that authenticating the full message sequence involving also the additional messages that might preceed the two CPace messages is done under the responsibiity of the embedding application protocol. This could be done by integrating the full protocol transcript as part of a final explicit key confirmation round (as commonly done by TLS 1.3 as part of the "Finished" messages). Alternatively, information on communication rounds preceeding the CPace flows can also be integrated as part of the CI field, as this will authenticate the information and will not require both communication partners to keep state information regarding preceeding messages in memory until after the CPace run. In case of TLS 1.3 [RFC8446] it is suggested to integrate Ya into the client-hello message and Yb into the server-hello message. Also party identifiers might best be added to the client-hello and server- Abdalla, et al. Expires 30 March 2025 [Page 25] Internet-Draft CPace September 2024 hello messages as part of extension fields. It is recommended to use the full octet stream encoding of the client-hello message as parameter ADa. Likewise it is recommended to use the encoding of the server-hello message for the parameter ADb. This approach has the drawback that the public points Ya and Yb might show up redundantly duplicated in the hashing operation for CPace's transcript strings but has the advantage of simplicity and the advantage that all meta- information in the extension fields within the client- and server hello fields will always become authenticated as part of the ISK. 9.6. Calculating a session identifier alongside with the CPace run If CPace was run with an empty string sid available as input, both parties can produce a session identifier string sid_output = H.hash(b"CPaceSidOut" || transcript(Ya,ADa, Yb,ADb)) which will be unique for honest parties [BGHJ24]. 9.7. Sampling of scalars For curves over fields F_q where q is a prime close to a power of two, we recommend sampling scalars as a uniform bit string of length field_size_bits. We do so in order to reduce both, complexity of the implementation and the attack surface with respect to side-channels for embedded systems in hostile environments. The effect of non- uniform sampling on security was demonstrated to be begnin in [AHH21] for the case of Curve25519 and Curve448. This analysis however does not transfer to most curves in Short-Weierstrass form. As a result, we recommend rejection sampling if G is as in Section 7.4. Alternatively an algorithm designed allong the lines of the hash_to_field() function from [RFC9380] can also be used. There oversampling to an integer significantly larger than the curve order is followed by a modular reduction to the group order. 9.8. Preconditions for using the simplified CPace specification from Section 7.2 The security of the algorithms used for the recommended cipher suites for the Montgomery curves Curve25519 and Curve448 in Section 7.2 rely on the following properties [AHH21]: * The curve has order (p * c) with p prime and c a small cofactor. Also the curve's quadratic twist must be of order (p' * c') with p' prime and c' a cofactor. * The cofactor c of the curve MUST BE EQUAL to or an integer multiple of the cofactor c' of the curve's quadratic twist. Also, importantly, the implementation of the scalar_mult and Abdalla, et al. Expires 30 March 2025 [Page 26] Internet-Draft CPace September 2024 scalar_mult_vfy functions must ensure that all scalars actually used for the group operation are integer multiples of c (e.g. such as asserted by the specification of the decodeScalar functions in [RFC7748]). * Both field order q and group order p MUST BE close to a power of two along the lines of [AHH21], Appendix E. Otherwise the simplified scalar sampling specified in Section 7.2 needs to be changed. * The representation of the neutral element G.I MUST BE the same for both, the curve and its twist. * The implementation of G.scalar_mult_vfy(y,X) MUST map all c low- order points on the curve and all c' low-order points on the twist to G.I. Algorithms for curves other than the ones recommended here can be based on the principles from Section 7.2 given that the above properties hold. 9.9. Nonce values Secret scalars ya and yb MUST NOT be reused. Values for sid SHOULD NOT be reused since the composability guarantees established by the simulation-based proof rely on the uniqueness of session ids [AHH21]. If the higher-level protocol that integrates CPace is able to establish a unique sid identifier for the communication session, it is RECOMMENDED that this is passed to CPace as sid parameter. One suitable option for generating sid is concatenation of ephemeral random strings contributed by both parties. 9.10. Side channel attacks All state-of-the art methods for realizing constant-time execution SHOULD be used. Special care is RECOMMENDED specifically for elliptic curves in Short-Weierstrass form as important standard documents including [IEEE1363] describe curve operations with non- constant-time algorithms. Abdalla, et al. Expires 30 March 2025 [Page 27] Internet-Draft CPace September 2024 In case that side channel attacks are to be considered practical for a given application, it is RECOMMENDED to pay special attention on computing the secret generator G.calculate_generator(PRS,CI,sid). The most critical substep to consider might be the processing of the first block of the hash that includes the PRS string. The zero- padding introduced when hashing the sensitive PRS string can be expected to make the task for a side-channel attack somewhat more complex. Still this feature alone is not sufficient for ruling out power analysis attacks. Even though the calculate_generator operation might be considered to form the primary target for side-channel attacks as information on long-term secrets might be exposed, also the subsequent operations on ephemeral values, such as scalar sampling and scalar multiplication should be protected from side-channels. 9.11. Quantum computers CPace is proven secure under the hardness of the strong computational Simultaneous Diffie-Hellmann (sSDH) and strong computational Diffie- Hellmann (sCDH) assumptions in the group G (as defined in [AHH21]). These assumptions are not expected to hold any longer when large- scale quantum computers (LSQC) are available. Still, even in case that LSQC emerge, it is reasonable to assume that discrete-logarithm computations will remain costly. CPace with ephemeral pre- established session id values sid forces the adversary to solve one computational Diffie-Hellman problem per password guess [ES21]. If party identifiers are included as part of CI then the adversary is forced to solve one computational Diffie-Hellman problem per password guess and party identifier pair. For this reason it is RECOMMENDED to use the optional inputs sid if available in an application setting. For the same reason it is RECOMMENDED to integrate party identity strings A,B into CI. In this sense, using the wording suggested by Steve Thomas on the CFRG mailing list, CPace is "quantum-annoying". 10. IANA Considerations No IANA action is required. 11. Reference implementation The reference implementation that was used for deriving test vectors is available at [REFIMP]. Abdalla, et al. Expires 30 March 2025 [Page 28] Internet-Draft CPace September 2024 12. Acknowledgements We would like to thank the participants on the CFRG list for comments and advice. Any comment and advice is appreciated. 13. References 13.1. Normative References [I-D.draft-irtf-cfrg-ristretto255-decaf448] de Valence, H., Grigg, J., Hamburg, M., Lovecruft, I., Tankersley, G., and F. Valsorda, "The ristretto255 and decaf448 Groups", Work in Progress, Internet-Draft, draft- irtf-cfrg-ristretto255-decaf448-08, 5 September 2023, . [IEEE1363] "Standard Specifications for Public Key Cryptography, IEEE 1363", 2000. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves for Security", RFC 7748, DOI 10.17487/RFC7748, January 2016, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [SEC1] Standards for Efficient Cryptography Group (SECG), "SEC 1: Elliptic Curve Cryptography", May 2009, . 13.2. Informative References [ABKLX21] Abdalla, M., Barbosa, M., Katz, J., Loss, J., and J. Xu, "Algebraic Adversaries in the Universal Composability Framework.", n.d., . [AHH21] Abdalla, M., Haase, B., and J. Hesse, "Security analysis of CPace", n.d., . Abdalla, et al. Expires 30 March 2025 [Page 29] Internet-Draft CPace September 2024 [BGHJ24] Barbosa, M., Gellert, K., Hesse, J., and S. Jarecki, "Bare PAKE: Universally Composable Key Exchange from Just Passwords", n.d., . [CDMP05] Coron, J.-S., Dodis, Y., Malinaud, C., and P. Puniya, "Merkle-Damgaard Revisited: How to Construct a Hash Function", In Advances in Cryptology - CRYPTO 2005, pages 430-448, DOI 10.1007/11535218_26, 2005, . [ES21] Eaton, E. and D. Stebila, "The 'quantum annoying' property of password-authenticated key exchange protocols.", n.d., . [FIPS202] National Institute of Standards and Technology (NIST), "SHA-3 Standard: Permutation-Based Hash and Extendable- Output Functions", August 2015, . [I-D.irtf-cfrg-opaque] Bourdrez, D., Krawczyk, H., Lewi, K., and C. A. Wood, "The OPAQUE Augmented PAKE Protocol", Work in Progress, Internet-Draft, draft-irtf-cfrg-opaque-16, 12 June 2024, . [REFIMP] "CPace reference implementation (sage)", September 2024, . [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, February 1997, . [RFC4493] Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The AES-CMAC Algorithm", RFC 4493, DOI 10.17487/RFC4493, June 2006, . [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008, . Abdalla, et al. Expires 30 March 2025 [Page 30] Internet-Draft CPace September 2024 [RFC5639] Lochter, M. and J. Merkle, "Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation", RFC 5639, DOI 10.17487/RFC5639, March 2010, . [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)", RFC 5869, DOI 10.17487/RFC5869, May 2010, . [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)", RFC 6234, DOI 10.17487/RFC6234, May 2011, . [RFC8265] Saint-Andre, P. and A. Melnikov, "Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords", RFC 8265, DOI 10.17487/RFC8265, October 2017, . [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, . [RFC9380] Faz-Hernandez, A., Scott, S., Sullivan, N., Wahby, R. S., and C. A. Wood, "Hashing to Elliptic Curves", RFC 9380, DOI 10.17487/RFC9380, August 2023, . [SEC2] Standards for Efficient Cryptography Group (SECG), "SEC 2: Recommended Elliptic Curve Domain Parameters", January 2010, . Appendix A. CPace function definitions A.1. Definition and test vectors for string utility functions A.1.1. prepend_len function Abdalla, et al. Expires 30 March 2025 [Page 31] Internet-Draft CPace September 2024 def prepend_len(data): "prepend LEB128 encoding of length" length = len(data) length_encoded = b"" while True: if length < 128: length_encoded += bytes([length]) else: length_encoded += bytes([(length & 0x7f) + 0x80]) length = int(length >> 7) if length == 0: break; return length_encoded + data A.1.2. prepend_len test vectors prepend_len(b""): (length: 1 bytes) 00 prepend_len(b"1234"): (length: 5 bytes) 0431323334 prepend_len(bytes(range(127))): (length: 128 bytes) 7f000102030405060708090a0b0c0d0e0f101112131415161718191a1b 1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738 393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455 565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172 737475767778797a7b7c7d7e prepend_len(bytes(range(128))): (length: 130 bytes) 8001000102030405060708090a0b0c0d0e0f101112131415161718191a 1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637 38393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f5051525354 55565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f7071 72737475767778797a7b7c7d7e7f A.1.2.1. Testvectors as JSON file encoded as BASE64 Abdalla, et al. Expires 30 March 2025 [Page 32] Internet-Draft CPace September 2024 ##eyJwcmVwZW5kX2xlbihiKSI6ICIwMCIsICJiXCIxMjM0XCIiOiAiMzEzMjMzMzQ ##iLCAicHJlcGVuZF9sZW4oYlwiMTIzNFwiKSI6ICIwNDMxMzIzMzM0IiwgInByZX ##BlbmRfbGVuKGJ5dGVzKHJhbmdlKDEyNykpKSI6ICI3RjAwMDEwMjAzMDQwNTA2M ##DcwODA5MEEwQjBDMEQwRTBGMTAxMTEyMTMxNDE1MTYxNzE4MTkxQTFCMUMxRDFF ##MUYyMDIxMjIyMzI0MjUyNjI3MjgyOTJBMkIyQzJEMkUyRjMwMzEzMjMzMzQzNTM ##2MzczODM5M0EzQjNDM0QzRTNGNDA0MTQyNDM0NDQ1NDY0NzQ4NDk0QTRCNEM0RD ##RFNEY1MDUxNTI1MzU0NTU1NjU3NTg1OTVBNUI1QzVENUU1RjYwNjE2MjYzNjQ2N ##TY2Njc2ODY5NkE2QjZDNkQ2RTZGNzA3MTcyNzM3NDc1NzY3Nzc4Nzk3QTdCN0M3 ##RDdFIiwgInByZXBlbmRfbGVuKGJ5dGVzKHJhbmdlKDEyOCkpKSI6ICI4MDAxMDA ##wMTAyMDMwNDA1MDYwNzA4MDkwQTBCMEMwRDBFMEYxMDExMTIxMzE0MTUxNjE3MT ##gxOTFBMUIxQzFEMUUxRjIwMjEyMjIzMjQyNTI2MjcyODI5MkEyQjJDMkQyRTJGM ##zAzMTMyMzMzNDM1MzYzNzM4MzkzQTNCM0MzRDNFM0Y0MDQxNDI0MzQ0NDU0NjQ3 ##NDg0OTRBNEI0QzRENEU0RjUwNTE1MjUzNTQ1NTU2NTc1ODU5NUE1QjVDNUQ1RTV ##GNjA2MTYyNjM2NDY1NjY2NzY4Njk2QTZCNkM2RDZFNkY3MDcxNzI3Mzc0NzU3Nj ##c3Nzg3OTdBN0I3QzdEN0U3RiJ9 A.1.3. lv_cat function def lv_cat(*args): result = b"" for arg in args: result += prepend_len(arg) return result A.1.4. Testvector for lv_cat() lv_cat(b"1234",b"5",b"",b"6789"): (length: 13 bytes) 04313233340135000436373839 A.1.4.1. Testvectors as JSON file encoded as BASE64 ##eyJiYTEiOiAiMzEzMjMzMzQiLCAiYmEyIjogIjM1IiwgImJhMyI6ICIzNjM3Mzg ##zOSIsICJsdl9jYXQoYmExLGJhMixiYTMpIjogIjA0MzEzMjMzMzQwMTM1MDAwND ##M2MzczODM5In0= A.2. Definition of generator_string function. def generator_string(DSI,PRS,CI,sid,s_in_bytes): # Concat all input fields with prepended length information. # Add zero padding in the first hash block after DSI and PRS. len_zpad = max(0,s_in_bytes - 1 - len(prepend_len(PRS)) - len(prepend_len(DSI))) return lv_cat(DSI, PRS, zero_bytes(len_zpad), CI, sid) Abdalla, et al. Expires 30 March 2025 [Page 33] Internet-Draft CPace September 2024 A.3. Definitions and test vector ordered concatenation A.3.1. Definitions for lexiographical ordering For ordered concatenation lexiographical ordering of byte sequences is used: def lexiographically_larger(bytes1,bytes2): "Returns True if bytes1 > bytes2 using lexiographical ordering." min_len = min (len(bytes1), len(bytes2)) for m in range(min_len): if bytes1[m] > bytes2[m]: return True; elif bytes1[m] < bytes2[m]: return False; return len(bytes1) > len(bytes2) A.3.2. Definitions for ordered concatenation With the above definition of lexiographical ordering ordered concatenation is specified as follows. def o_cat(bytes1,bytes2): if lexiographically_larger(bytes1,bytes2): return b"oc" + bytes1 + bytes2 else: return b"oc" + bytes2 + bytes1 A.3.3. Test vectors ordered concatenation string comparison for o_cat: lexiographically_larger(b"\0", b"\0\0") == False lexiographically_larger(b"\1", b"\0\0") == True lexiographically_larger(b"\0\0", b"\0") == True lexiographically_larger(b"\0\0", b"\1") == False lexiographically_larger(b"\0\1", b"\1") == False lexiographically_larger(b"ABCD", b"BCD") == False o_cat(b"ABCD",b"BCD"): (length: 9 bytes) 6f6342434441424344 o_cat(b"BCD",b"ABCDE"): (length: 10 bytes) 6f634243444142434445 A.3.3.1. Testvectors as JSON file encoded as BASE64 Abdalla, et al. Expires 30 March 2025 [Page 34] Internet-Draft CPace September 2024 ##eyJiXCJBQkNEXCIiOiAiNDE0MjQzNDQiLCAiYlwiQkNEXCIiOiAiNDI0MzQ0Iiw ##gImJcIkFCQ0RFXCIiOiAiNDE0MjQzNDQ0NSIsICJvX2NhdChiXCJBQkNEXCIsYl ##wiQkNEXCIpIjogIjZGNjM0MjQzNDQ0MTQyNDM0NCIsICJvX2NhdChiXCJCQ0RcI ##ixiXCJBQkNERVwiKSI6ICI2RjYzNDI0MzQ0NDE0MjQzNDQ0NSJ9 A.3.4. Definitions for transcript_ir function def transcript_ir(Ya,ADa,Yb,ADb): result = lv_cat(Ya,ADa) + lv_cat(Yb,ADb) return result A.3.5. Test vectors transcript_ir function transcript_ir(b"123", b"PartyA", b"234",b"PartyB"): (length: 22 bytes) 03313233065061727479410332333406506172747942 transcript_ir(b"3456",b"PartyA",b"2345",b"PartyB"): (length: 24 bytes) 043334353606506172747941043233343506506172747942 A.3.5.1. Testvectors as JSON file encoded as BASE64 ##eyJiXCIxMjNcIiI6ICIzMTMyMzMiLCAiYlwiMjM0XCIiOiAiMzIzMzM0IiwgImJ ##cIlBhcnR5QVwiIjogIjUwNjE3Mjc0Nzk0MSIsICJiXCJQYXJ0eUJcIiI6ICI1MD ##YxNzI3NDc5NDIiLCAiYlwiMzQ1NlwiIjogIjMzMzQzNTM2IiwgImJcIjIzNDVcI ##iI6ICIzMjMzMzQzNSIsICJ0cmFuc2NyaXB0X2lyKGJcIjEyM1wiLGJcIlBhcnR5 ##QVwiLGJcIjIzNFwiLGJcIlBhcnR5QlwiKSI6ICIwMzMxMzIzMzA2NTA2MTcyNzQ ##3OTQxMDMzMjMzMzQwNjUwNjE3Mjc0Nzk0MiIsICJ0cmFuc2NyaXB0X2lyKGJcIj ##M0NTZcIixiXCJQYXJ0eUFcIixiXCIyMzQ1XCIsYlwiUGFydHlCXCIpIjogIjA0M ##zMzNDM1MzYwNjUwNjE3Mjc0Nzk0MTA0MzIzMzM0MzUwNjUwNjE3Mjc0Nzk0MiJ9 A.3.6. Definitions for transcript_oc function def transcript_oc(Ya,ADa,Yb,ADb): result = o_cat(lv_cat(Ya,ADa),lv_cat(Yb,ADb)) return result A.3.7. Test vectors for transcript_oc function transcript_oc(b"123", b"PartyA", b"234",b"PartyB"): (length: 24 bytes) 6f6303323334065061727479420331323306506172747941 transcript_oc(b"3456",b"PartyA",b"2345",b"PartyB"): (length: 26 bytes) 6f63043334353606506172747941043233343506506172747942 A.3.7.1. Testvectors as JSON file encoded as BASE64 Abdalla, et al. Expires 30 March 2025 [Page 35] Internet-Draft CPace September 2024 ##eyJiXCIxMjNcIiI6ICIzMTMyMzMiLCAiYlwiMjM0XCIiOiAiMzIzMzM0IiwgImJ ##cIlBhcnR5QVwiIjogIjUwNjE3Mjc0Nzk0MSIsICJiXCJQYXJ0eUJcIiI6ICI1MD ##YxNzI3NDc5NDIiLCAiYlwiMzQ1NlwiIjogIjMzMzQzNTM2IiwgImJcIjIzNDVcI ##iI6ICIzMjMzMzQzNSIsICJ0cmFuc2NyaXB0X29jKGJcIjEyM1wiLGJcIlBhcnR5 ##QVwiLGJcIjIzNFwiLGJcIlBhcnR5QlwiKSI6ICI2RjYzMDMzMjMzMzQwNjUwNjE ##3Mjc0Nzk0MjAzMzEzMjMzMDY1MDYxNzI3NDc5NDEiLCAidHJhbnNjcmlwdF9vYy ##hiXCIzNDU2XCIsYlwiUGFydHlBXCIsYlwiMjM0NVwiLGJcIlBhcnR5QlwiKSI6I ##CI2RjYzMDQzMzM0MzUzNjA2NTA2MTcyNzQ3OTQxMDQzMjMzMzQzNTA2NTA2MTcy ##NzQ3OTQyIn0= A.4. Decoding and Encoding functions according to RFC7748 def decodeLittleEndian(b, bits): return sum([b[i] << 8*i for i in range((bits+7)/8)]) def decodeUCoordinate(u, bits): u_list = [ord(b) for b in u] # Ignore any unused bits. if bits % 8: u_list[-1] &= (1<<(bits%8))-1 return decodeLittleEndian(u_list, bits) def encodeUCoordinate(u, bits): return ''.join([chr((u >> 8*i) & 0xff) for i in range((bits+7)/8)]) A.5. Elligator 2 reference implementation The Elligator 2 map requires a non-square field element Z which shall be calculated as follows. def find_z_ell2(F): # Find nonsquare for Elligator2 # Argument: F, a field object, e.g., F = GF(2^255 - 19) ctr = F.gen() while True: for Z_cand in (F(ctr), F(-ctr)): # Z must be a non-square in F. if is_square(Z_cand): continue return Z_cand ctr += 1 The values of the non-square Z only depend on the curve. The algorithm above results in a value of Z = 2 for Curve25519 and Z=-1 for Ed448. Abdalla, et al. Expires 30 March 2025 [Page 36] Internet-Draft CPace September 2024 The following code maps a field element r to an encoded field element which is a valid u-coordinate of a Montgomery curve with curve parameter A. def elligator2(r, q, A, field_size_bits): # Inputs: field element r, field order q, # curve parameter A and field size in bits Fq = GF(q); A = Fq(A); B = Fq(1); # get non-square z as specified in the hash2curve draft. z = Fq(find_z_ell2(Fq)) powerForLegendreSymbol = floor((q-1)/2) v = - A / (1 + z * r^2) epsilon = (v^3 + A * v^2 + B * v)^powerForLegendreSymbol x = epsilon * v - (1 - epsilon) * A/2 return encodeUCoordinate(Integer(x), field_size_bits) Appendix B. Test vectors B.1. Test vector for CPace using group X25519 and hash SHA-512 B.1.1. Test vectors for calculate_generator with group X25519 Abdalla, et al. Expires 30 March 2025 [Page 37] Internet-Draft CPace September 2024 Inputs H = SHA-512 with input block size 128 bytes. PRS = b'Password' ; ZPAD length: 109 ; DSI = b'CPace255' CI = b'oc\x0bB_responder\x0bA_initiator' CI = 6f630b425f726573706f6e6465720b415f696e69746961746f72 sid = 7e4b4791d6a8ef019b936c79fb7f2c57 Outputs generator_string(G.DSI,PRS,CI,sid,H.s_in_bytes): (length: 172 bytes) 0843506163653235350850617373776f72646d000000000000000000 00000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000 000000000000000000000000000000001a6f630b425f726573706f6e 6465720b415f696e69746961746f72107e4b4791d6a8ef019b936c79 fb7f2c57 hash generator string: (length: 32 bytes) 92806dc608984dbf4e4aae478c6ec453ae979cc01ecc1a2a7cf49f5c ee56551b decoded field element of 255 bits: (length: 32 bytes) 92806dc608984dbf4e4aae478c6ec453ae979cc01ecc1a2a7cf49f5c ee56551b generator g: (length: 32 bytes) 64e8099e3ea682cfdc5cb665c057ebb514d06bf23ebc9f743b51b822 42327074 B.1.1.1. Testvectors as JSON file encoded as BASE64 ##eyJIIjogIlNIQS01MTIiLCAiSC5zX2luX2J5dGVzIjogMTI4LCAiUFJTIjogIjU ##wNjE3MzczNzc2RjcyNjQiLCAiWlBBRCBsZW5ndGgiOiAxMDksICJEU0kiOiAiND ##M1MDYxNjM2NTMyMzUzNSIsICJDSSI6ICI2RjYzMEI0MjVGNzI2NTczNzA2RjZFN ##jQ2NTcyMEI0MTVGNjk2RTY5NzQ2OTYxNzQ2RjcyIiwgInNpZCI6ICI3RTRCNDc5 ##MUQ2QThFRjAxOUI5MzZDNzlGQjdGMkM1NyIsICJnZW5lcmF0b3Jfc3RyaW5nKEc ##uRFNJLFBSUyxDSSxzaWQsSC5zX2luX2J5dGVzKSI6ICIwODQzNTA2MTYzNjUzMj ##M1MzUwODUwNjE3MzczNzc2RjcyNjQ2RDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwM ##DAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw ##MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA ##wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMD ##AwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwM ##DAwMDAwMUE2RjYzMEI0MjVGNzI2NTczNzA2RjZFNjQ2NTcyMEI0MTVGNjk2RTY5 ##NzQ2OTYxNzQ2RjcyMTA3RTRCNDc5MUQ2QThFRjAxOUI5MzZDNzlGQjdGMkM1NyI ##sICJoYXNoIGdlbmVyYXRvciBzdHJpbmciOiAiOTI4MDZEQzYwODk4NERCRjRFNE ##FBRTQ3OEM2RUM0NTNBRTk3OUNDMDFFQ0MxQTJBN0NGNDlGNUNFRTU2NTUxQiIsI ##CJkZWNvZGVkIGZpZWxkIGVsZW1lbnQgb2YgMjU1IGJpdHMiOiAiOTI4MDZEQzYw ##ODk4NERCRjRFNEFBRTQ3OEM2RUM0NTNBRTk3OUNDMDFFQ0MxQTJBN0NGNDlGNUN ##FRTU2NTUxQiIsICJnZW5lcmF0b3IgZyI6ICI2NEU4MDk5RTNFQTY4MkNGREM1Q0 ##I2NjVDMDU3RUJCNTE0RDA2QkYyM0VCQzlGNzQzQjUxQjgyMjQyMzI3MDc0In0= Abdalla, et al. Expires 30 March 2025 [Page 38] Internet-Draft CPace September 2024 B.1.2. Test vector for message from A Inputs ADa = b'ADa' ya (little endian): (length: 32 bytes) 21b4f4bd9e64ed355c3eb676a28ebedaf6d8f17bdc365995b3190971 53044080 Outputs Ya: (length: 32 bytes) 1b02dad6dbd29a07b6d28c9e04cb2f184f0734350e32bb7e62ff9dbc fdb63d15 B.1.3. Test vector for message from B Inputs ADb = b'ADb' yb (little endian): (length: 32 bytes) 848b0779ff415f0af4ea14df9dd1d3c29ac41d836c7808896c4eba19 c51ac40a Outputs Yb: (length: 32 bytes) 20cda5955f82c4931545bcbf40758ce1010d7db4db2a907013d79c7a 8fcf957f B.1.4. Test vector for secret points K scalar_mult_vfy(ya,Yb): (length: 32 bytes) f97fdfcfff1c983ed6283856a401de3191ca919902b323c5f950c970 3df7297a scalar_mult_vfy(yb,Ya): (length: 32 bytes) f97fdfcfff1c983ed6283856a401de3191ca919902b323c5f950c970 3df7297a B.1.5. Test vector for ISK calculation initiator/responder Abdalla, et al. Expires 30 March 2025 [Page 39] Internet-Draft CPace September 2024 transcript_ir(Ya,ADa,Yb,ADb): (length: 74 bytes) 201b02dad6dbd29a07b6d28c9e04cb2f184f0734350e32bb7e62ff9d bcfdb63d15034144612020cda5955f82c4931545bcbf40758ce1010d 7db4db2a907013d79c7a8fcf957f03414462 DSI = G.DSI_ISK, b'CPace255_ISK': (length: 12 bytes) 43506163653235355f49534b lv_cat(DSI,sid,K)||transcript_ir(Ya,ADa,Yb,ADb): (length: 137 bytes) 0c43506163653235355f49534b107e4b4791d6a8ef019b936c79fb7f 2c5720f97fdfcfff1c983ed6283856a401de3191ca919902b323c5f9 50c9703df7297a201b02dad6dbd29a07b6d28c9e04cb2f184f073435 0e32bb7e62ff9dbcfdb63d15034144612020cda5955f82c4931545bc bf40758ce1010d7db4db2a907013d79c7a8fcf957f03414462 ISK result: (length: 64 bytes) a051ee5ee2499d16da3f69f430218b8ea94a18a45b67f9e86495b382 c33d14a5c38cecc0cc834f960e39e0d1bf7d76b9ef5d54eecc5e0f38 6c97ad12da8c3d5f B.1.6. Test vector for ISK calculation parallel execution transcript_oc(Ya,ADa,Yb,ADb): (length: 76 bytes) 6f632020cda5955f82c4931545bcbf40758ce1010d7db4db2a907013 d79c7a8fcf957f03414462201b02dad6dbd29a07b6d28c9e04cb2f18 4f0734350e32bb7e62ff9dbcfdb63d1503414461 DSI = G.DSI_ISK, b'CPace255_ISK': (length: 12 bytes) 43506163653235355f49534b lv_cat(DSI,sid,K)||transcript_oc(Ya,ADa,Yb,ADb): (length: 139 bytes) 0c43506163653235355f49534b107e4b4791d6a8ef019b936c79fb7f 2c5720f97fdfcfff1c983ed6283856a401de3191ca919902b323c5f9 50c9703df7297a6f632020cda5955f82c4931545bcbf40758ce1010d 7db4db2a907013d79c7a8fcf957f03414462201b02dad6dbd29a07b6 d28c9e04cb2f184f0734350e32bb7e62ff9dbcfdb63d1503414461 ISK result: (length: 64 bytes) 5cc27e49679423f81a37d7521d9fb1327c840d2ea4a1543652e7de5c abb89ebad27d24761b3288a3fd5764b441ecb78d30abc26161ff45ea 297bb311dde04727 B.1.7. Test vector for optional output of session id Abdalla, et al. Expires 30 March 2025 [Page 40] Internet-Draft CPace September 2024 H.hash(b"CPaceSidOut" + transcript_ir(Ya,ADa, Yb,ADb)): (length: 64 bytes) f7ae11ac3ee85c3c42d8bd51ba823fbe17158f43d34a1296f1cb2567 bcc71dc8b201a134b566b468aad8fd04f02f96e3caf9d5601f7ed760 a0a951a5a861b5e7 H.hash(b"CPaceSidOut" + transcript_oc(Ya,ADa, Yb,ADb)): (length: 64 bytes) a38389e34fa492788c1df43b06b427710491174e53c33b01362a490d 116fe1b7e870aa6e2a7fc018725e3b7f969f7508042e44cd3863f39a a75026a190d1902b B.1.8. Corresponding C programming language initializers const unsigned char tc_PRS[] = { 0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, }; const unsigned char tc_CI[] = { 0x6f,0x63,0x0b,0x42,0x5f,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64, 0x65,0x72,0x0b,0x41,0x5f,0x69,0x6e,0x69,0x74,0x69,0x61,0x74, 0x6f,0x72, }; const unsigned char tc_sid[] = { 0x7e,0x4b,0x47,0x91,0xd6,0xa8,0xef,0x01,0x9b,0x93,0x6c,0x79, 0xfb,0x7f,0x2c,0x57, }; const unsigned char tc_g[] = { 0x64,0xe8,0x09,0x9e,0x3e,0xa6,0x82,0xcf,0xdc,0x5c,0xb6,0x65, 0xc0,0x57,0xeb,0xb5,0x14,0xd0,0x6b,0xf2,0x3e,0xbc,0x9f,0x74, 0x3b,0x51,0xb8,0x22,0x42,0x32,0x70,0x74, }; const unsigned char tc_ya[] = { 0x21,0xb4,0xf4,0xbd,0x9e,0x64,0xed,0x35,0x5c,0x3e,0xb6,0x76, 0xa2,0x8e,0xbe,0xda,0xf6,0xd8,0xf1,0x7b,0xdc,0x36,0x59,0x95, 0xb3,0x19,0x09,0x71,0x53,0x04,0x40,0x80, }; const unsigned char tc_ADa[] = { 0x41,0x44,0x61, }; const unsigned char tc_Ya[] = { 0x1b,0x02,0xda,0xd6,0xdb,0xd2,0x9a,0x07,0xb6,0xd2,0x8c,0x9e, 0x04,0xcb,0x2f,0x18,0x4f,0x07,0x34,0x35,0x0e,0x32,0xbb,0x7e, 0x62,0xff,0x9d,0xbc,0xfd,0xb6,0x3d,0x15, }; const unsigned char tc_yb[] = { 0x84,0x8b,0x07,0x79,0xff,0x41,0x5f,0x0a,0xf4,0xea,0x14,0xdf, 0x9d,0xd1,0xd3,0xc2,0x9a,0xc4,0x1d,0x83,0x6c,0x78,0x08,0x89, 0x6c,0x4e,0xba,0x19,0xc5,0x1a,0xc4,0x0a, }; Abdalla, et al. Expires 30 March 2025 [Page 41] Internet-Draft CPace September 2024 const unsigned char tc_ADb[] = { 0x41,0x44,0x62, }; const unsigned char tc_Yb[] = { 0x20,0xcd,0xa5,0x95,0x5f,0x82,0xc4,0x93,0x15,0x45,0xbc,0xbf, 0x40,0x75,0x8c,0xe1,0x01,0x0d,0x7d,0xb4,0xdb,0x2a,0x90,0x70, 0x13,0xd7,0x9c,0x7a,0x8f,0xcf,0x95,0x7f, }; const unsigned char tc_K[] = { 0xf9,0x7f,0xdf,0xcf,0xff,0x1c,0x98,0x3e,0xd6,0x28,0x38,0x56, 0xa4,0x01,0xde,0x31,0x91,0xca,0x91,0x99,0x02,0xb3,0x23,0xc5, 0xf9,0x50,0xc9,0x70,0x3d,0xf7,0x29,0x7a, }; const unsigned char tc_ISK_IR[] = { 0xa0,0x51,0xee,0x5e,0xe2,0x49,0x9d,0x16,0xda,0x3f,0x69,0xf4, 0x30,0x21,0x8b,0x8e,0xa9,0x4a,0x18,0xa4,0x5b,0x67,0xf9,0xe8, 0x64,0x95,0xb3,0x82,0xc3,0x3d,0x14,0xa5,0xc3,0x8c,0xec,0xc0, 0xcc,0x83,0x4f,0x96,0x0e,0x39,0xe0,0xd1,0xbf,0x7d,0x76,0xb9, 0xef,0x5d,0x54,0xee,0xcc,0x5e,0x0f,0x38,0x6c,0x97,0xad,0x12, 0xda,0x8c,0x3d,0x5f, }; const unsigned char tc_ISK_SY[] = { 0x5c,0xc2,0x7e,0x49,0x67,0x94,0x23,0xf8,0x1a,0x37,0xd7,0x52, 0x1d,0x9f,0xb1,0x32,0x7c,0x84,0x0d,0x2e,0xa4,0xa1,0x54,0x36, 0x52,0xe7,0xde,0x5c,0xab,0xb8,0x9e,0xba,0xd2,0x7d,0x24,0x76, 0x1b,0x32,0x88,0xa3,0xfd,0x57,0x64,0xb4,0x41,0xec,0xb7,0x8d, 0x30,0xab,0xc2,0x61,0x61,0xff,0x45,0xea,0x29,0x7b,0xb3,0x11, 0xdd,0xe0,0x47,0x27, }; const unsigned char tc_ISK_SY[] = { 0x5c,0xc2,0x7e,0x49,0x67,0x94,0x23,0xf8,0x1a,0x37,0xd7,0x52, 0x1d,0x9f,0xb1,0x32,0x7c,0x84,0x0d,0x2e,0xa4,0xa1,0x54,0x36, 0x52,0xe7,0xde,0x5c,0xab,0xb8,0x9e,0xba,0xd2,0x7d,0x24,0x76, 0x1b,0x32,0x88,0xa3,0xfd,0x57,0x64,0xb4,0x41,0xec,0xb7,0x8d, 0x30,0xab,0xc2,0x61,0x61,0xff,0x45,0xea,0x29,0x7b,0xb3,0x11, 0xdd,0xe0,0x47,0x27, }; const unsigned char tc_sid_out_ir[] = { 0xf7,0xae,0x11,0xac,0x3e,0xe8,0x5c,0x3c,0x42,0xd8,0xbd,0x51, 0xba,0x82,0x3f,0xbe,0x17,0x15,0x8f,0x43,0xd3,0x4a,0x12,0x96, 0xf1,0xcb,0x25,0x67,0xbc,0xc7,0x1d,0xc8,0xb2,0x01,0xa1,0x34, 0xb5,0x66,0xb4,0x68,0xaa,0xd8,0xfd,0x04,0xf0,0x2f,0x96,0xe3, 0xca,0xf9,0xd5,0x60,0x1f,0x7e,0xd7,0x60,0xa0,0xa9,0x51,0xa5, 0xa8,0x61,0xb5,0xe7, }; const unsigned char tc_sid_out_oc[] = { 0xa3,0x83,0x89,0xe3,0x4f,0xa4,0x92,0x78,0x8c,0x1d,0xf4,0x3b, 0x06,0xb4,0x27,0x71,0x04,0x91,0x17,0x4e,0x53,0xc3,0x3b,0x01, Abdalla, et al. Expires 30 March 2025 [Page 42] Internet-Draft CPace September 2024 0x36,0x2a,0x49,0x0d,0x11,0x6f,0xe1,0xb7,0xe8,0x70,0xaa,0x6e, 0x2a,0x7f,0xc0,0x18,0x72,0x5e,0x3b,0x7f,0x96,0x9f,0x75,0x08, 0x04,0x2e,0x44,0xcd,0x38,0x63,0xf3,0x9a,0xa7,0x50,0x26,0xa1, 0x90,0xd1,0x90,0x2b, }; B.1.9. Testvectors as JSON file encoded as BASE64 ##eyJQUlMiOiAiNTA2MTczNzM3NzZGNzI2NCIsICJDSSI6ICI2RjYzMEI0MjVGNzI ##2NTczNzA2RjZFNjQ2NTcyMEI0MTVGNjk2RTY5NzQ2OTYxNzQ2RjcyIiwgInNpZC ##I6ICI3RTRCNDc5MUQ2QThFRjAxOUI5MzZDNzlGQjdGMkM1NyIsICJnIjogIjY0R ##TgwOTlFM0VBNjgyQ0ZEQzVDQjY2NUMwNTdFQkI1MTREMDZCRjIzRUJDOUY3NDNC ##NTFCODIyNDIzMjcwNzQiLCAieWEiOiAiMjFCNEY0QkQ5RTY0RUQzNTVDM0VCNjc ##2QTI4RUJFREFGNkQ4RjE3QkRDMzY1OTk1QjMxOTA5NzE1MzA0NDA4MCIsICJBRG ##EiOiAiNDE0NDYxIiwgIllhIjogIjFCMDJEQUQ2REJEMjlBMDdCNkQyOEM5RTA0Q ##0IyRjE4NEYwNzM0MzUwRTMyQkI3RTYyRkY5REJDRkRCNjNEMTUiLCAieWIiOiAi ##ODQ4QjA3NzlGRjQxNUYwQUY0RUExNERGOUREMUQzQzI5QUM0MUQ4MzZDNzgwODg ##5NkM0RUJBMTlDNTFBQzQwQSIsICJBRGIiOiAiNDE0NDYyIiwgIlliIjogIjIwQ0 ##RBNTk1NUY4MkM0OTMxNTQ1QkNCRjQwNzU4Q0UxMDEwRDdEQjREQjJBOTA3MDEzR ##Dc5QzdBOEZDRjk1N0YiLCAiSyI6ICJGOTdGREZDRkZGMUM5ODNFRDYyODM4NTZB ##NDAxREUzMTkxQ0E5MTk5MDJCMzIzQzVGOTUwQzk3MDNERjcyOTdBIiwgIklTS19 ##JUiI6ICJBMDUxRUU1RUUyNDk5RDE2REEzRjY5RjQzMDIxOEI4RUE5NEExOEE0NU ##I2N0Y5RTg2NDk1QjM4MkMzM0QxNEE1QzM4Q0VDQzBDQzgzNEY5NjBFMzlFMEQxQ ##kY3RDc2QjlFRjVENTRFRUNDNUUwRjM4NkM5N0FEMTJEQThDM0Q1RiIsICJJU0tf ##U1kiOiAiNUNDMjdFNDk2Nzk0MjNGODFBMzdENzUyMUQ5RkIxMzI3Qzg0MEQyRUE ##0QTE1NDM2NTJFN0RFNUNBQkI4OUVCQUQyN0QyNDc2MUIzMjg4QTNGRDU3NjRCND ##QxRUNCNzhEMzBBQkMyNjE2MUZGNDVFQTI5N0JCMzExRERFMDQ3MjciLCAic2lkX ##291dHB1dF9pciI6ICJGN0FFMTFBQzNFRTg1QzNDNDJEOEJENTFCQTgyM0ZCRTE3 ##MTU4RjQzRDM0QTEyOTZGMUNCMjU2N0JDQzcxREM4QjIwMUExMzRCNTY2QjQ2OEF ##BRDhGRDA0RjAyRjk2RTNDQUY5RDU2MDFGN0VENzYwQTBBOTUxQTVBODYxQjVFNy ##IsICJzaWRfb3V0cHV0X29jIjogIkEzODM4OUUzNEZBNDkyNzg4QzFERjQzQjA2Q ##jQyNzcxMDQ5MTE3NEU1M0MzM0IwMTM2MkE0OTBEMTE2RkUxQjdFODcwQUE2RTJB ##N0ZDMDE4NzI1RTNCN0Y5NjlGNzUwODA0MkU0NENEMzg2M0YzOUFBNzUwMjZBMTk ##wRDE5MDJCIn0= B.1.10. Test vectors for G_X25519.scalar_mult_vfy: low order points Test vectors for which G_X25519.scalar_mult_vfy(s_in,ux) must return the neutral element or would return the neutral element if bit #255 of field element representation was not correctly cleared. (The decodeUCoordinate function from RFC7748 mandates clearing bit #255 for field element representations for use in the X25519 function.). Abdalla, et al. Expires 30 March 2025 [Page 43] Internet-Draft CPace September 2024 u0: 0000000000000000000000000000000000000000000000000000000000000000 u1: 0100000000000000000000000000000000000000000000000000000000000000 u2: ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f u3: e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b800 u4: 5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f1157 u5: edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f u6: daffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff u7: eeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f u8: dbffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff u9: d9ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ua: cdeb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b880 ub: 4c9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f11d7 u0 ... ub MUST be verified to produce the correct results q0 ... qb: Additionally, u0,u1,u2,u3,u4,u5 and u7 MUST trigger the abort case when included in message from A or B. s = af46e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449aff qN = G_X25519.scalar_mult_vfy(s, uX) q0: 0000000000000000000000000000000000000000000000000000000000000000 q1: 0000000000000000000000000000000000000000000000000000000000000000 q2: 0000000000000000000000000000000000000000000000000000000000000000 q3: 0000000000000000000000000000000000000000000000000000000000000000 q4: 0000000000000000000000000000000000000000000000000000000000000000 q5: 0000000000000000000000000000000000000000000000000000000000000000 q6: d8e2c776bbacd510d09fd9278b7edcd25fc5ae9adfba3b6e040e8d3b71b21806 q7: 0000000000000000000000000000000000000000000000000000000000000000 q8: c85c655ebe8be44ba9c0ffde69f2fe10194458d137f09bbff725ce58803cdb38 q9: db64dafa9b8fdd136914e61461935fe92aa372cb056314e1231bc4ec12417456 qa: e062dcd5376d58297be2618c7498f55baa07d7e03184e8aada20bca28888bf7a qb: 993c6ad11c4c29da9a56f7691fd0ff8d732e49de6250b6c2e80003ff4629a175 B.1.10.1. Testvectors as JSON file encoded as BASE64 Abdalla, et al. Expires 30 March 2025 [Page 44] Internet-Draft CPace September 2024 ##eyJJbnZhbGlkIFkwIjogIjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA ##wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAiLCAiSW52YWxpZCBZMS ##I6ICIwMTAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwM ##DAwMDAwMDAwMDAwMDAwMDAwMDAwIiwgIkludmFsaWQgWTIiOiAiRUNGRkZGRkZG ##RkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZ ##GRkZGRkY3RiIsICJJbnZhbGlkIFkzIjogIkUwRUI3QTdDM0I0MUI4QUUxNjU2RT ##NGQUYxOUZDNDZBREEwOThERUI5QzMyQjFGRDg2NjIwNTE2NUY0OUI4MDAiLCAiS ##W52YWxpZCBZNCI6ICI1RjlDOTVCQ0EzNTA4QzI0QjFEMEIxNTU5QzgzRUY1QjA0 ##NDQ1Q0M0NTgxQzhFODZEODIyNEVEREQwOUYxMTU3IiwgIkludmFsaWQgWTUiOiA ##iRURGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRk ##ZGRkZGRkZGRkZGRkZGRkY3RiIsICJJbnZhbGlkIFk2IjogIkRBRkZGRkZGRkZGR ##kZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZG ##RkZGRkYiLCAiSW52YWxpZCBZNyI6ICJFRUZGRkZGRkZGRkZGRkZGRkZGRkZGRkZ ##GRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRjdGIiwgIkludm ##FsaWQgWTgiOiAiREJGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGR ##kZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRiIsICJJbnZhbGlkIFk5IjogIkQ5 ##RkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZ ##GRkZGRkZGRkZGRkZGRkYiLCAiSW52YWxpZCBZMTAiOiAiQ0RFQjdBN0MzQjQxQj ##hBRTE2NTZFM0ZBRjE5RkM0NkFEQTA5OERFQjlDMzJCMUZEODY2MjA1MTY1RjQ5Q ##jg4MCIsICJJbnZhbGlkIFkxMSI6ICI0QzlDOTVCQ0EzNTA4QzI0QjFEMEIxNTU5 ##QzgzRUY1QjA0NDQ1Q0M0NTgxQzhFODZEODIyNEVEREQwOUYxMUQ3In0= B.2. Test vector for CPace using group X448 and hash SHAKE-256 B.2.1. Test vectors for calculate_generator with group X448 Abdalla, et al. Expires 30 March 2025 [Page 45] Internet-Draft CPace September 2024 Inputs H = SHAKE-256 with input block size 136 bytes. PRS = b'Password' ; ZPAD length: 117 ; DSI = b'CPace448' CI = b'oc\x0bB_responder\x0bA_initiator' CI = 6f630b425f726573706f6e6465720b415f696e69746961746f72 sid = 5223e0cdc45d6575668d64c552004124 Outputs generator_string(G.DSI,PRS,CI,sid,H.s_in_bytes): (length: 180 bytes) 0843506163653434380850617373776f726475000000000000000000 00000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000001a6f630b 425f726573706f6e6465720b415f696e69746961746f72105223e0cd c45d6575668d64c552004124 hash generator string: (length: 56 bytes) 98b713f84529194d719a7d86cb0f504b8afeb05354d68747e18b2e7c c8b6da526085e4263bd8bea7d69e479ebad09e30ae062e5d089da7f3 decoded field element of 448 bits: (length: 56 bytes) 98b713f84529194d719a7d86cb0f504b8afeb05354d68747e18b2e7c c8b6da526085e4263bd8bea7d69e479ebad09e30ae062e5d089da7f3 generator g: (length: 56 bytes) e293b7ccf61ca7eb928a26391cf38b660f874a001fdf0bf3a91fd182 f2b6d83e61a9377ede127eba7e0d4c08592eaff33d4aa705d6ce54bb B.2.1.1. Testvectors as JSON file encoded as BASE64 Abdalla, et al. Expires 30 March 2025 [Page 46] Internet-Draft CPace September 2024 ##eyJIIjogIlNIQUtFLTI1NiIsICJILnNfaW5fYnl0ZXMiOiAxMzYsICJQUlMiOiA ##iNTA2MTczNzM3NzZGNzI2NCIsICJaUEFEIGxlbmd0aCI6IDExNywgIkRTSSI6IC ##I0MzUwNjE2MzY1MzQzNDM4IiwgIkNJIjogIjZGNjMwQjQyNUY3MjY1NzM3MDZGN ##kU2NDY1NzIwQjQxNUY2OTZFNjk3NDY5NjE3NDZGNzIiLCAic2lkIjogIjUyMjNF ##MENEQzQ1RDY1NzU2NjhENjRDNTUyMDA0MTI0IiwgImdlbmVyYXRvcl9zdHJpbmc ##oRy5EU0ksUFJTLENJLHNpZCxILnNfaW5fYnl0ZXMpIjogIjA4NDM1MDYxNjM2NT ##M0MzQzODA4NTA2MTczNzM3NzZGNzI2NDc1MDAwMDAwMDAwMDAwMDAwMDAwMDAwM ##DAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw ##MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA ##wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMD ##AwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwM ##DAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMUE2RjYzMEI0MjVGNzI2NTczNzA2RjZF ##NjQ2NTcyMEI0MTVGNjk2RTY5NzQ2OTYxNzQ2RjcyMTA1MjIzRTBDREM0NUQ2NTc ##1NjY4RDY0QzU1MjAwNDEyNCIsICJoYXNoIGdlbmVyYXRvciBzdHJpbmciOiAiOT ##hCNzEzRjg0NTI5MTk0RDcxOUE3RDg2Q0IwRjUwNEI4QUZFQjA1MzU0RDY4NzQ3R ##TE4QjJFN0NDOEI2REE1MjYwODVFNDI2M0JEOEJFQTdENjlFNDc5RUJBRDA5RTMw ##QUUwNjJFNUQwODlEQTdGMyIsICJkZWNvZGVkIGZpZWxkIGVsZW1lbnQgb2YgNDQ ##4IGJpdHMiOiAiOThCNzEzRjg0NTI5MTk0RDcxOUE3RDg2Q0IwRjUwNEI4QUZFQj ##A1MzU0RDY4NzQ3RTE4QjJFN0NDOEI2REE1MjYwODVFNDI2M0JEOEJFQTdENjlFN ##Dc5RUJBRDA5RTMwQUUwNjJFNUQwODlEQTdGMyIsICJnZW5lcmF0b3IgZyI6ICJF ##MjkzQjdDQ0Y2MUNBN0VCOTI4QTI2MzkxQ0YzOEI2NjBGODc0QTAwMUZERjBCRjN ##BOTFGRDE4MkYyQjZEODNFNjFBOTM3N0VERTEyN0VCQTdFMEQ0QzA4NTkyRUFGRj ##MzRDRBQTcwNUQ2Q0U1NEJCIn0= B.2.2. Test vector for message from A Inputs ADa = b'ADa' ya (little endian): (length: 56 bytes) 21b4f4bd9e64ed355c3eb676a28ebedaf6d8f17bdc365995b3190971 53044080516bd083bfcce66121a3072646994c8430cc382b8dc543e8 Outputs Ya: (length: 56 bytes) 7f645772cc209bf9fd9d76dbb10283bea71b12235e3bb21878d5e56a 70506e165743a632de98eca9932c5d2efe36500a59b2fdaed0d8a148 B.2.3. Test vector for message from B Inputs ADb = b'ADb' yb (little endian): (length: 56 bytes) 848b0779ff415f0af4ea14df9dd1d3c29ac41d836c7808896c4eba19 c51ac40a439caf5e61ec88c307c7d619195229412eaa73fb2a5ea20d Outputs Yb: (length: 56 bytes) a4690a0750c42b288ddd0ba08e3f4902dfe70bae5c9e2c6ee95844de f2692be77646b20d3b429f8da00d21433ee0891c667658d8d0c48e38 Abdalla, et al. Expires 30 March 2025 [Page 47] Internet-Draft CPace September 2024 B.2.4. Test vector for secret points K scalar_mult_vfy(ya,Yb): (length: 56 bytes) db3fff9da59576715b04d4df8dc8d18db2430e57bbed337dbeee5bb2 d6ab6ceddc9c75c5c0b17fad7eb724daa12f8f1903dd6c2cede6135a scalar_mult_vfy(yb,Ya): (length: 56 bytes) db3fff9da59576715b04d4df8dc8d18db2430e57bbed337dbeee5bb2 d6ab6ceddc9c75c5c0b17fad7eb724daa12f8f1903dd6c2cede6135a B.2.5. Test vector for ISK calculation initiator/responder transcript_ir(Ya,ADa,Yb,ADb): (length: 122 bytes) 387f645772cc209bf9fd9d76dbb10283bea71b12235e3bb21878d5e5 6a70506e165743a632de98eca9932c5d2efe36500a59b2fdaed0d8a1 480341446138a4690a0750c42b288ddd0ba08e3f4902dfe70bae5c9e 2c6ee95844def2692be77646b20d3b429f8da00d21433ee0891c6676 58d8d0c48e3803414462 DSI = G.DSI_ISK, b'CPace448_ISK': (length: 12 bytes) 43506163653434385f49534b lv_cat(DSI,sid,K)||transcript_ir(Ya,ADa,Yb,ADb): (length: 209 bytes) 0c43506163653434385f49534b105223e0cdc45d6575668d64c55200 412438db3fff9da59576715b04d4df8dc8d18db2430e57bbed337dbe ee5bb2d6ab6ceddc9c75c5c0b17fad7eb724daa12f8f1903dd6c2ced e6135a387f645772cc209bf9fd9d76dbb10283bea71b12235e3bb218 78d5e56a70506e165743a632de98eca9932c5d2efe36500a59b2fdae d0d8a1480341446138a4690a0750c42b288ddd0ba08e3f4902dfe70b ae5c9e2c6ee95844def2692be77646b20d3b429f8da00d21433ee089 1c667658d8d0c48e3803414462 ISK result: (length: 64 bytes) 599892a2078a8c988181625e1e5e5f7a6163f7d72f21b93ebefba0f1 7ff7ea3aa0594bd569cf74264157b3c0087bdccf2f59c77156628487 f5ca1645b8e9d05b B.2.6. Test vector for ISK calculation parallel execution Abdalla, et al. Expires 30 March 2025 [Page 48] Internet-Draft CPace September 2024 transcript_oc(Ya,ADa,Yb,ADb): (length: 124 bytes) 6f6338a4690a0750c42b288ddd0ba08e3f4902dfe70bae5c9e2c6ee9 5844def2692be77646b20d3b429f8da00d21433ee0891c667658d8d0 c48e3803414462387f645772cc209bf9fd9d76dbb10283bea71b1223 5e3bb21878d5e56a70506e165743a632de98eca9932c5d2efe36500a 59b2fdaed0d8a14803414461 DSI = G.DSI_ISK, b'CPace448_ISK': (length: 12 bytes) 43506163653434385f49534b lv_cat(DSI,sid,K)||transcript_oc(Ya,ADa,Yb,ADb): (length: 211 bytes) 0c43506163653434385f49534b105223e0cdc45d6575668d64c55200 412438db3fff9da59576715b04d4df8dc8d18db2430e57bbed337dbe ee5bb2d6ab6ceddc9c75c5c0b17fad7eb724daa12f8f1903dd6c2ced e6135a6f6338a4690a0750c42b288ddd0ba08e3f4902dfe70bae5c9e 2c6ee95844def2692be77646b20d3b429f8da00d21433ee0891c6676 58d8d0c48e3803414462387f645772cc209bf9fd9d76dbb10283bea7 1b12235e3bb21878d5e56a70506e165743a632de98eca9932c5d2efe 36500a59b2fdaed0d8a14803414461 ISK result: (length: 64 bytes) 3ac73f03030296aa591f01326b18afa47e1189129cd06ae8dfb05e6e b1310cde948b59eef0755365c06a339266afe594948c56a538d98a65 767113938a9a78d8 B.2.7. Test vector for optional output of session id H.hash(b"CPaceSidOut" + transcript_ir(Ya,ADa, Yb,ADb)): (length: 64 bytes) 00a2333a79481abe71efd6594d7bbaac55c808482e869c9b65c4b53d 7100d3da8f3cabd59fa0c1f22d6d2f9ac0c093962292798fca2c0b93 268974cad75d575a H.hash(b"CPaceSidOut" + transcript_oc(Ya,ADa, Yb,ADb)): (length: 64 bytes) a1ce90537a8d53b06d77e79fe719461cc5ed8300d21d1866a59f9638 601833f57a8b5e88db9a52abfa1b4e8a651a400bc9205082aad81eb3 11c44373b9a19eff B.2.8. Corresponding C programming language initializers const unsigned char tc_PRS[] = { 0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, }; const unsigned char tc_CI[] = { 0x6f,0x63,0x0b,0x42,0x5f,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64, 0x65,0x72,0x0b,0x41,0x5f,0x69,0x6e,0x69,0x74,0x69,0x61,0x74, 0x6f,0x72, }; const unsigned char tc_sid[] = { 0x52,0x23,0xe0,0xcd,0xc4,0x5d,0x65,0x75,0x66,0x8d,0x64,0xc5, Abdalla, et al. Expires 30 March 2025 [Page 49] Internet-Draft CPace September 2024 0x52,0x00,0x41,0x24, }; const unsigned char tc_g[] = { 0xe2,0x93,0xb7,0xcc,0xf6,0x1c,0xa7,0xeb,0x92,0x8a,0x26,0x39, 0x1c,0xf3,0x8b,0x66,0x0f,0x87,0x4a,0x00,0x1f,0xdf,0x0b,0xf3, 0xa9,0x1f,0xd1,0x82,0xf2,0xb6,0xd8,0x3e,0x61,0xa9,0x37,0x7e, 0xde,0x12,0x7e,0xba,0x7e,0x0d,0x4c,0x08,0x59,0x2e,0xaf,0xf3, 0x3d,0x4a,0xa7,0x05,0xd6,0xce,0x54,0xbb, }; const unsigned char tc_ya[] = { 0x21,0xb4,0xf4,0xbd,0x9e,0x64,0xed,0x35,0x5c,0x3e,0xb6,0x76, 0xa2,0x8e,0xbe,0xda,0xf6,0xd8,0xf1,0x7b,0xdc,0x36,0x59,0x95, 0xb3,0x19,0x09,0x71,0x53,0x04,0x40,0x80,0x51,0x6b,0xd0,0x83, 0xbf,0xcc,0xe6,0x61,0x21,0xa3,0x07,0x26,0x46,0x99,0x4c,0x84, 0x30,0xcc,0x38,0x2b,0x8d,0xc5,0x43,0xe8, }; const unsigned char tc_ADa[] = { 0x41,0x44,0x61, }; const unsigned char tc_Ya[] = { 0x7f,0x64,0x57,0x72,0xcc,0x20,0x9b,0xf9,0xfd,0x9d,0x76,0xdb, 0xb1,0x02,0x83,0xbe,0xa7,0x1b,0x12,0x23,0x5e,0x3b,0xb2,0x18, 0x78,0xd5,0xe5,0x6a,0x70,0x50,0x6e,0x16,0x57,0x43,0xa6,0x32, 0xde,0x98,0xec,0xa9,0x93,0x2c,0x5d,0x2e,0xfe,0x36,0x50,0x0a, 0x59,0xb2,0xfd,0xae,0xd0,0xd8,0xa1,0x48, }; const unsigned char tc_yb[] = { 0x84,0x8b,0x07,0x79,0xff,0x41,0x5f,0x0a,0xf4,0xea,0x14,0xdf, 0x9d,0xd1,0xd3,0xc2,0x9a,0xc4,0x1d,0x83,0x6c,0x78,0x08,0x89, 0x6c,0x4e,0xba,0x19,0xc5,0x1a,0xc4,0x0a,0x43,0x9c,0xaf,0x5e, 0x61,0xec,0x88,0xc3,0x07,0xc7,0xd6,0x19,0x19,0x52,0x29,0x41, 0x2e,0xaa,0x73,0xfb,0x2a,0x5e,0xa2,0x0d, }; const unsigned char tc_ADb[] = { 0x41,0x44,0x62, }; const unsigned char tc_Yb[] = { 0xa4,0x69,0x0a,0x07,0x50,0xc4,0x2b,0x28,0x8d,0xdd,0x0b,0xa0, 0x8e,0x3f,0x49,0x02,0xdf,0xe7,0x0b,0xae,0x5c,0x9e,0x2c,0x6e, 0xe9,0x58,0x44,0xde,0xf2,0x69,0x2b,0xe7,0x76,0x46,0xb2,0x0d, 0x3b,0x42,0x9f,0x8d,0xa0,0x0d,0x21,0x43,0x3e,0xe0,0x89,0x1c, 0x66,0x76,0x58,0xd8,0xd0,0xc4,0x8e,0x38, }; const unsigned char tc_K[] = { 0xdb,0x3f,0xff,0x9d,0xa5,0x95,0x76,0x71,0x5b,0x04,0xd4,0xdf, 0x8d,0xc8,0xd1,0x8d,0xb2,0x43,0x0e,0x57,0xbb,0xed,0x33,0x7d, 0xbe,0xee,0x5b,0xb2,0xd6,0xab,0x6c,0xed,0xdc,0x9c,0x75,0xc5, 0xc0,0xb1,0x7f,0xad,0x7e,0xb7,0x24,0xda,0xa1,0x2f,0x8f,0x19, Abdalla, et al. Expires 30 March 2025 [Page 50] Internet-Draft CPace September 2024 0x03,0xdd,0x6c,0x2c,0xed,0xe6,0x13,0x5a, }; const unsigned char tc_ISK_IR[] = { 0x59,0x98,0x92,0xa2,0x07,0x8a,0x8c,0x98,0x81,0x81,0x62,0x5e, 0x1e,0x5e,0x5f,0x7a,0x61,0x63,0xf7,0xd7,0x2f,0x21,0xb9,0x3e, 0xbe,0xfb,0xa0,0xf1,0x7f,0xf7,0xea,0x3a,0xa0,0x59,0x4b,0xd5, 0x69,0xcf,0x74,0x26,0x41,0x57,0xb3,0xc0,0x08,0x7b,0xdc,0xcf, 0x2f,0x59,0xc7,0x71,0x56,0x62,0x84,0x87,0xf5,0xca,0x16,0x45, 0xb8,0xe9,0xd0,0x5b, }; const unsigned char tc_ISK_SY[] = { 0x3a,0xc7,0x3f,0x03,0x03,0x02,0x96,0xaa,0x59,0x1f,0x01,0x32, 0x6b,0x18,0xaf,0xa4,0x7e,0x11,0x89,0x12,0x9c,0xd0,0x6a,0xe8, 0xdf,0xb0,0x5e,0x6e,0xb1,0x31,0x0c,0xde,0x94,0x8b,0x59,0xee, 0xf0,0x75,0x53,0x65,0xc0,0x6a,0x33,0x92,0x66,0xaf,0xe5,0x94, 0x94,0x8c,0x56,0xa5,0x38,0xd9,0x8a,0x65,0x76,0x71,0x13,0x93, 0x8a,0x9a,0x78,0xd8, }; const unsigned char tc_ISK_SY[] = { 0x3a,0xc7,0x3f,0x03,0x03,0x02,0x96,0xaa,0x59,0x1f,0x01,0x32, 0x6b,0x18,0xaf,0xa4,0x7e,0x11,0x89,0x12,0x9c,0xd0,0x6a,0xe8, 0xdf,0xb0,0x5e,0x6e,0xb1,0x31,0x0c,0xde,0x94,0x8b,0x59,0xee, 0xf0,0x75,0x53,0x65,0xc0,0x6a,0x33,0x92,0x66,0xaf,0xe5,0x94, 0x94,0x8c,0x56,0xa5,0x38,0xd9,0x8a,0x65,0x76,0x71,0x13,0x93, 0x8a,0x9a,0x78,0xd8, }; const unsigned char tc_sid_out_ir[] = { 0x00,0xa2,0x33,0x3a,0x79,0x48,0x1a,0xbe,0x71,0xef,0xd6,0x59, 0x4d,0x7b,0xba,0xac,0x55,0xc8,0x08,0x48,0x2e,0x86,0x9c,0x9b, 0x65,0xc4,0xb5,0x3d,0x71,0x00,0xd3,0xda,0x8f,0x3c,0xab,0xd5, 0x9f,0xa0,0xc1,0xf2,0x2d,0x6d,0x2f,0x9a,0xc0,0xc0,0x93,0x96, 0x22,0x92,0x79,0x8f,0xca,0x2c,0x0b,0x93,0x26,0x89,0x74,0xca, 0xd7,0x5d,0x57,0x5a, }; const unsigned char tc_sid_out_oc[] = { 0xa1,0xce,0x90,0x53,0x7a,0x8d,0x53,0xb0,0x6d,0x77,0xe7,0x9f, 0xe7,0x19,0x46,0x1c,0xc5,0xed,0x83,0x00,0xd2,0x1d,0x18,0x66, 0xa5,0x9f,0x96,0x38,0x60,0x18,0x33,0xf5,0x7a,0x8b,0x5e,0x88, 0xdb,0x9a,0x52,0xab,0xfa,0x1b,0x4e,0x8a,0x65,0x1a,0x40,0x0b, 0xc9,0x20,0x50,0x82,0xaa,0xd8,0x1e,0xb3,0x11,0xc4,0x43,0x73, 0xb9,0xa1,0x9e,0xff, }; B.2.9. Testvectors as JSON file encoded as BASE64 Abdalla, et al. Expires 30 March 2025 [Page 51] Internet-Draft CPace September 2024 ##eyJQUlMiOiAiNTA2MTczNzM3NzZGNzI2NCIsICJDSSI6ICI2RjYzMEI0MjVGNzI ##2NTczNzA2RjZFNjQ2NTcyMEI0MTVGNjk2RTY5NzQ2OTYxNzQ2RjcyIiwgInNpZC ##I6ICI1MjIzRTBDREM0NUQ2NTc1NjY4RDY0QzU1MjAwNDEyNCIsICJnIjogIkUyO ##TNCN0NDRjYxQ0E3RUI5MjhBMjYzOTFDRjM4QjY2MEY4NzRBMDAxRkRGMEJGM0E5 ##MUZEMTgyRjJCNkQ4M0U2MUE5Mzc3RURFMTI3RUJBN0UwRDRDMDg1OTJFQUZGMzN ##ENEFBNzA1RDZDRTU0QkIiLCAieWEiOiAiMjFCNEY0QkQ5RTY0RUQzNTVDM0VCNj ##c2QTI4RUJFREFGNkQ4RjE3QkRDMzY1OTk1QjMxOTA5NzE1MzA0NDA4MDUxNkJEM ##DgzQkZDQ0U2NjEyMUEzMDcyNjQ2OTk0Qzg0MzBDQzM4MkI4REM1NDNFOCIsICJB ##RGEiOiAiNDE0NDYxIiwgIllhIjogIjdGNjQ1NzcyQ0MyMDlCRjlGRDlENzZEQkI ##xMDI4M0JFQTcxQjEyMjM1RTNCQjIxODc4RDVFNTZBNzA1MDZFMTY1NzQzQTYzMk ##RFOThFQ0E5OTMyQzVEMkVGRTM2NTAwQTU5QjJGREFFRDBEOEExNDgiLCAieWIiO ##iAiODQ4QjA3NzlGRjQxNUYwQUY0RUExNERGOUREMUQzQzI5QUM0MUQ4MzZDNzgw ##ODg5NkM0RUJBMTlDNTFBQzQwQTQzOUNBRjVFNjFFQzg4QzMwN0M3RDYxOTE5NTI ##yOTQxMkVBQTczRkIyQTVFQTIwRCIsICJBRGIiOiAiNDE0NDYyIiwgIlliIjogIk ##E0NjkwQTA3NTBDNDJCMjg4REREMEJBMDhFM0Y0OTAyREZFNzBCQUU1QzlFMkM2R ##UU5NTg0NERFRjI2OTJCRTc3NjQ2QjIwRDNCNDI5RjhEQTAwRDIxNDMzRUUwODkx ##QzY2NzY1OEQ4RDBDNDhFMzgiLCAiSyI6ICJEQjNGRkY5REE1OTU3NjcxNUIwNEQ ##0REY4REM4RDE4REIyNDMwRTU3QkJFRDMzN0RCRUVFNUJCMkQ2QUI2Q0VEREM5Qz ##c1QzVDMEIxN0ZBRDdFQjcyNERBQTEyRjhGMTkwM0RENkMyQ0VERTYxMzVBIiwgI ##klTS19JUiI6ICI1OTk4OTJBMjA3OEE4Qzk4ODE4MTYyNUUxRTVFNUY3QTYxNjNG ##N0Q3MkYyMUI5M0VCRUZCQTBGMTdGRjdFQTNBQTA1OTRCRDU2OUNGNzQyNjQxNTd ##CM0MwMDg3QkRDQ0YyRjU5Qzc3MTU2NjI4NDg3RjVDQTE2NDVCOEU5RDA1QiIsIC ##JJU0tfU1kiOiAiM0FDNzNGMDMwMzAyOTZBQTU5MUYwMTMyNkIxOEFGQTQ3RTExO ##DkxMjlDRDA2QUU4REZCMDVFNkVCMTMxMENERTk0OEI1OUVFRjA3NTUzNjVDMDZB ##MzM5MjY2QUZFNTk0OTQ4QzU2QTUzOEQ5OEE2NTc2NzExMzkzOEE5QTc4RDgiLCA ##ic2lkX291dHB1dF9pciI6ICIwMEEyMzMzQTc5NDgxQUJFNzFFRkQ2NTk0RDdCQk ##FBQzU1QzgwODQ4MkU4NjlDOUI2NUM0QjUzRDcxMDBEM0RBOEYzQ0FCRDU5RkEwQ ##zFGMjJENkQyRjlBQzBDMDkzOTYyMjkyNzk4RkNBMkMwQjkzMjY4OTc0Q0FENzVE ##NTc1QSIsICJzaWRfb3V0cHV0X29jIjogIkExQ0U5MDUzN0E4RDUzQjA2RDc3RTc ##5RkU3MTk0NjFDQzVFRDgzMDBEMjFEMTg2NkE1OUY5NjM4NjAxODMzRjU3QThCNU ##U4OERCOUE1MkFCRkExQjRFOEE2NTFBNDAwQkM5MjA1MDgyQUFEODFFQjMxMUM0N ##DM3M0I5QTE5RUZGIn0= B.2.10. Test vectors for G_X448.scalar_mult_vfy: low order points Test vectors for which G_X448.scalar_mult_vfy(s_in,ux) must return the neutral element. This includes points that are non-canonicaly encoded, i.e. have coordinate values larger than the field prime. Weak points for X448 smaller than the field prime (canonical) Abdalla, et al. Expires 30 March 2025 [Page 52] Internet-Draft CPace September 2024 u0: (length: 56 bytes) 0000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000 u1: (length: 56 bytes) 0100000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000 u2: (length: 56 bytes) fefffffffffffffffffffffffffffffffffffffffffffffffffffffffe ffffffffffffffffffffffffffffffffffffffffffffffffffffff Weak points for X448 larger or equal to the field prime (non- canonical) u3: (length: 56 bytes) fffffffffffffffffffffffffffffffffffffffffffffffffffffffffe ffffffffffffffffffffffffffffffffffffffffffffffffffffff u4: (length: 56 bytes) 00000000000000000000000000000000000000000000000000000000ff ffffffffffffffffffffffffffffffffffffffffffffffffffffff All of the above points u0 ... u4 MUST trigger the abort case when included in the protocol messages from A or B. Expected results for X448 resp. G_X448.scalar_mult_vfy scalar s: (length: 56 bytes) af8a14218bf2a2062926d2ea9b8fe4e8b6817349b6ed2feb1e5d64d7a4 523f15fceec70fb111e870dc58d191e66a14d3e9d482d04432cadd G_X448.scalar_mult_vfy(s,u0): (length: 56 bytes) 0000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000 G_X448.scalar_mult_vfy(s,u1): (length: 56 bytes) 0000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000 G_X448.scalar_mult_vfy(s,u2): (length: 56 bytes) 0000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000 G_X448.scalar_mult_vfy(s,u3): (length: 56 bytes) 0000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000 G_X448.scalar_mult_vfy(s,u4): (length: 56 bytes) 0000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000 Test vectors for scalar_mult with nonzero outputs Abdalla, et al. Expires 30 March 2025 [Page 53] Internet-Draft CPace September 2024 scalar s: (length: 56 bytes) af8a14218bf2a2062926d2ea9b8fe4e8b6817349b6ed2feb1e5d64d7a4 523f15fceec70fb111e870dc58d191e66a14d3e9d482d04432cadd point coordinate u_curve on the curve: (length: 56 bytes) ab0c68d772ec2eb9de25c49700e46d6325e66d6aa39d7b65eb84a68c55 69d47bd71b41f3e0d210f44e146dec8926b174acb3f940a0b82cab G_X448.scalar_mult_vfy(s,u_curve): (length: 56 bytes) 3b0fa9bc40a6fdc78c9e06ff7a54c143c5d52f365607053bf0656f5142 0496295f910a101b38edc1acd3bd240fd55dcb7a360553b8a7627e point coordinate u_twist on the twist: (length: 56 bytes) c981cd1e1f72d9c35c7d7cf6be426757c0dc8206a2fcfa564a8e7618c0 3c0e61f9a2eb1c3e0dd97d6e9b1010f5edd03397a83f5a914cb3ff G_X448.scalar_mult_vfy(s,u_twist): (length: 56 bytes) d0a2bb7e9c5c2c627793d8342f23b759fe7d9e3320a85ca4fd61376331 50ffd9a9148a9b75c349fac43d64bec49a6e126cc92cbfbf353961 B.2.10.1. Testvectors as JSON file encoded as BASE64 Abdalla, et al. Expires 30 March 2025 [Page 54] Internet-Draft CPace September 2024 ##eyJJbnZhbGlkIFkxIjogIjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA ##wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMD ##AwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAiLCAiSW52YWxpZCBZM ##iI6ICIwMTAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw ##MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA ##wMDAwMDAwMDAwMDAwMDAwMDAwMDAwIiwgIkludmFsaWQgWTMiOiAiRkVGRkZGRk ##ZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGR ##kZGRUZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZG ##RkZGRkZGRkZGRiIsICJJbnZhbGlkIFk0IjogIkZGRkZGRkZGRkZGRkZGRkZGRkZ ##GRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkVGRkZGRkZGRk ##ZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkYiL ##CAiSW52YWxpZCBZNSI6ICIwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw ##MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMEZGRkZGRkZGRkZGRkZGRkZGRkZGRkZ ##GRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGIiwgIlZhbGlkIChvbi ##BjdXJ2ZSkiOiB7InMiOiAiQUY4QTE0MjE4QkYyQTIwNjI5MjZEMkVBOUI4RkU0R ##ThCNjgxNzM0OUI2RUQyRkVCMUU1RDY0RDdBNDUyM0YxNUZDRUVDNzBGQjExMUU4 ##NzBEQzU4RDE5MUU2NkExNEQzRTlENDgyRDA0NDMyQ0FERCIsICJ1X2N1cnZlIjo ##gIkFCMEM2OEQ3NzJFQzJFQjlERTI1QzQ5NzAwRTQ2RDYzMjVFNjZENkFBMzlEN0 ##I2NUVCODRBNjhDNTU2OUQ0N0JENzFCNDFGM0UwRDIxMEY0NEUxNDZERUM4OTI2Q ##jE3NEFDQjNGOTQwQTBCODJDQUIiLCAicmVzX2N1cnZlIjogIjNCMEZBOUJDNDBB ##NkZEQzc4QzlFMDZGRjdBNTRDMTQzQzVENTJGMzY1NjA3MDUzQkYwNjU2RjUxNDI ##wNDk2Mjk1RjkxMEExMDFCMzhFREMxQUNEM0JEMjQwRkQ1NURDQjdBMzYwNTUzQj ##hBNzYyN0UifSwgIlZhbGlkIChvbiB0d2lzdCkiOiB7InMiOiAiQUY4QTE0MjE4Q ##kYyQTIwNjI5MjZEMkVBOUI4RkU0RThCNjgxNzM0OUI2RUQyRkVCMUU1RDY0RDdB ##NDUyM0YxNUZDRUVDNzBGQjExMUU4NzBEQzU4RDE5MUU2NkExNEQzRTlENDgyRDA ##0NDMyQ0FERCIsICJ1X3R3aXN0IjogIkM5ODFDRDFFMUY3MkQ5QzM1QzdEN0NGNk ##JFNDI2NzU3QzBEQzgyMDZBMkZDRkE1NjRBOEU3NjE4QzAzQzBFNjFGOUEyRUIxQ ##zNFMEREOTdENkU5QjEwMTBGNUVERDAzMzk3QTgzRjVBOTE0Q0IzRkYiLCAicmVz ##X3R3aXN0IjogIkQwQTJCQjdFOUM1QzJDNjI3NzkzRDgzNDJGMjNCNzU5RkU3RDl ##FMzMyMEE4NUNBNEZENjEzNzYzMzE1MEZGRDlBOTE0OEE5Qjc1QzM0OUZBQzQzRD ##Y0QkVDNDlBNkUxMjZDQzkyQ0JGQkYzNTM5NjEifX0= B.3. Test vector for CPace using group ristretto255 and hash SHA-512 B.3.1. Test vectors for calculate_generator with group ristretto255 Abdalla, et al. Expires 30 March 2025 [Page 55] Internet-Draft CPace September 2024 Inputs H = SHA-512 with input block size 128 bytes. PRS = b'Password' ; ZPAD length: 100 ; DSI = b'CPaceRistretto255' CI = b'oc\x0bB_responder\x0bA_initiator' CI = 6f630b425f726573706f6e6465720b415f696e69746961746f72 sid = 7e4b4791d6a8ef019b936c79fb7f2c57 Outputs generator_string(G.DSI,PRS,CI,sid,H.s_in_bytes): (length: 172 bytes) 11435061636552697374726574746f3235350850617373776f726464 00000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000 000000000000000000000000000000001a6f630b425f726573706f6e 6465720b415f696e69746961746f72107e4b4791d6a8ef019b936c79 fb7f2c57 hash result: (length: 64 bytes) c63a5750e2439c17ccd8213be14fde2f87e1bc637001a97f5929c77b 30ea0e08afbc75ace5d3d73b2842a79d01488c5fd7ea30d475ee6095 45af1bfd1ff77c8e encoded generator g: (length: 32 bytes) a6fc82c3b8968fbb2e06fee81ca858586dea50d248f0c7ca6a18b090 2a30b36b B.3.1.1. Testvectors as JSON file encoded as BASE64 ##eyJIIjogIlNIQS01MTIiLCAiSC5zX2luX2J5dGVzIjogMTI4LCAiUFJTIjogIjU ##wNjE3MzczNzc2RjcyNjQiLCAiWlBBRCBsZW5ndGgiOiAxMDAsICJEU0kiOiAiND ##M1MDYxNjM2NTUyNjk3Mzc0NzI2NTc0NzQ2RjMyMzUzNSIsICJDSSI6ICI2RjYzM ##EI0MjVGNzI2NTczNzA2RjZFNjQ2NTcyMEI0MTVGNjk2RTY5NzQ2OTYxNzQ2Rjcy ##IiwgInNpZCI6ICI3RTRCNDc5MUQ2QThFRjAxOUI5MzZDNzlGQjdGMkM1NyIsICJ ##nZW5lcmF0b3Jfc3RyaW5nKEcuRFNJLFBSUyxDSSxzaWQsSC5zX2luX2J5dGVzKS ##I6ICIxMTQzNTA2MTYzNjU1MjY5NzM3NDcyNjU3NDc0NkYzMjM1MzUwODUwNjE3M ##zczNzc2RjcyNjQ2NDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw ##MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA ##wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMD ##AwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwM ##DAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMUE2RjYzMEI0MjVGNzI2NTczNzA2RjZF ##NjQ2NTcyMEI0MTVGNjk2RTY5NzQ2OTYxNzQ2RjcyMTA3RTRCNDc5MUQ2QThFRjA ##xOUI5MzZDNzlGQjdGMkM1NyIsICJoYXNoIHJlc3VsdCI6ICJDNjNBNTc1MEUyND ##M5QzE3Q0NEODIxM0JFMTRGREUyRjg3RTFCQzYzNzAwMUE5N0Y1OTI5Qzc3QjMwR ##UEwRTA4QUZCQzc1QUNFNUQzRDczQjI4NDJBNzlEMDE0ODhDNUZEN0VBMzBENDc1 ##RUU2MDk1NDVBRjFCRkQxRkY3N0M4RSIsICJlbmNvZGVkIGdlbmVyYXRvciBnIjo ##gIkE2RkM4MkMzQjg5NjhGQkIyRTA2RkVFODFDQTg1ODU4NkRFQTUwRDI0OEYwQz ##dDQTZBMThCMDkwMkEzMEIzNkIifQ== Abdalla, et al. Expires 30 March 2025 [Page 56] Internet-Draft CPace September 2024 B.3.2. Test vector for message from A Inputs ADa = b'ADa' ya (little endian): (length: 32 bytes) da3d23700a9e5699258aef94dc060dfda5ebb61f02a5ea77fad53f4f f0976d08 Outputs Ya: (length: 32 bytes) d40fb265a7abeaee7939d91a585fe59f7053f982c296ec413c624c66 9308f87a B.3.3. Test vector for message from B Inputs ADb = b'ADb' yb (little endian): (length: 32 bytes) d2316b454718c35362d83d69df6320f38578ed5984651435e2949762 d900b80d Outputs Yb: (length: 32 bytes) 08bcf6e9777a9c313a3db6daa510f2d398403319c2341bd506a92e67 2eb7e307 B.3.4. Test vector for secret points K scalar_mult_vfy(ya,Yb): (length: 32 bytes) e22b1ef7788f661478f3cddd4c600774fc0f41e6b711569190ff88fa 0e607e09 scalar_mult_vfy(yb,Ya): (length: 32 bytes) e22b1ef7788f661478f3cddd4c600774fc0f41e6b711569190ff88fa 0e607e09 B.3.5. Test vector for ISK calculation initiator/responder Abdalla, et al. Expires 30 March 2025 [Page 57] Internet-Draft CPace September 2024 transcript_ir(Ya,ADa,Yb,ADb): (length: 74 bytes) 20d40fb265a7abeaee7939d91a585fe59f7053f982c296ec413c624c 669308f87a034144612008bcf6e9777a9c313a3db6daa510f2d39840 3319c2341bd506a92e672eb7e30703414462 DSI = G.DSI_ISK, b'CPaceRistretto255_ISK': (length: 21 bytes) 435061636552697374726574746f3235355f49534b lv_cat(DSI,sid,K)||transcript_ir(Ya,ADa,Yb,ADb): (length: 146 bytes) 15435061636552697374726574746f3235355f49534b107e4b4791d6 a8ef019b936c79fb7f2c5720e22b1ef7788f661478f3cddd4c600774 fc0f41e6b711569190ff88fa0e607e0920d40fb265a7abeaee7939d9 1a585fe59f7053f982c296ec413c624c669308f87a034144612008bc f6e9777a9c313a3db6daa510f2d398403319c2341bd506a92e672eb7 e30703414462 ISK result: (length: 64 bytes) 4c5469a16b2364c4b944ebc1a79e51d1674ad47db26e8718154f59fa ebfaa52d8346f30aa58377117eb20d527f2cbc5c76381f7fd372e89d f8239f87f2e02ed1 B.3.6. Test vector for ISK calculation parallel execution transcript_oc(Ya,ADa,Yb,ADb): (length: 76 bytes) 6f6320d40fb265a7abeaee7939d91a585fe59f7053f982c296ec413c 624c669308f87a034144612008bcf6e9777a9c313a3db6daa510f2d3 98403319c2341bd506a92e672eb7e30703414462 DSI = G.DSI_ISK, b'CPaceRistretto255_ISK': (length: 21 bytes) 435061636552697374726574746f3235355f49534b lv_cat(DSI,sid,K)||transcript_oc(Ya,ADa,Yb,ADb): (length: 148 bytes) 15435061636552697374726574746f3235355f49534b107e4b4791d6 a8ef019b936c79fb7f2c5720e22b1ef7788f661478f3cddd4c600774 fc0f41e6b711569190ff88fa0e607e096f6320d40fb265a7abeaee79 39d91a585fe59f7053f982c296ec413c624c669308f87a0341446120 08bcf6e9777a9c313a3db6daa510f2d398403319c2341bd506a92e67 2eb7e30703414462 ISK result: (length: 64 bytes) 980dcc5a1c52ceea031e75f38ed266586616488c5c5780285fcbcf79 087c7bcdbd993502eee606b718ba31e840a000a7b7befe15ea427c5c fe88344fa1237f35 B.3.7. Test vector for optional output of session id Abdalla, et al. Expires 30 March 2025 [Page 58] Internet-Draft CPace September 2024 H.hash(b"CPaceSidOut" + transcript_ir(Ya,ADa, Yb,ADb)): (length: 64 bytes) 2a76d3bbc499dfdc4dcacc9ff042f4e1a54e3843258e100ccd7c60f0 a541f9d3ebf025e68a460dde218bd39f0711bc6fa11409c9d7b69d8c cf6b32fc51ddb699 H.hash(b"CPaceSidOut" + transcript_oc(Ya,ADa, Yb,ADb)): (length: 64 bytes) ca4b50700c46203ccd10bc0e9f31095e508189cb59857537be561048 d34b9ed9a9697af11c998f484c3d783b0b531434caa6835d4c32344f cd17160c9c348fc7 B.3.8. Corresponding C programming language initializers const unsigned char tc_PRS[] = { 0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, }; const unsigned char tc_CI[] = { 0x6f,0x63,0x0b,0x42,0x5f,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64, 0x65,0x72,0x0b,0x41,0x5f,0x69,0x6e,0x69,0x74,0x69,0x61,0x74, 0x6f,0x72, }; const unsigned char tc_sid[] = { 0x7e,0x4b,0x47,0x91,0xd6,0xa8,0xef,0x01,0x9b,0x93,0x6c,0x79, 0xfb,0x7f,0x2c,0x57, }; const unsigned char tc_g[] = { 0xa6,0xfc,0x82,0xc3,0xb8,0x96,0x8f,0xbb,0x2e,0x06,0xfe,0xe8, 0x1c,0xa8,0x58,0x58,0x6d,0xea,0x50,0xd2,0x48,0xf0,0xc7,0xca, 0x6a,0x18,0xb0,0x90,0x2a,0x30,0xb3,0x6b, }; const unsigned char tc_ya[] = { 0xda,0x3d,0x23,0x70,0x0a,0x9e,0x56,0x99,0x25,0x8a,0xef,0x94, 0xdc,0x06,0x0d,0xfd,0xa5,0xeb,0xb6,0x1f,0x02,0xa5,0xea,0x77, 0xfa,0xd5,0x3f,0x4f,0xf0,0x97,0x6d,0x08, }; const unsigned char tc_ADa[] = { 0x41,0x44,0x61, }; const unsigned char tc_Ya[] = { 0xd4,0x0f,0xb2,0x65,0xa7,0xab,0xea,0xee,0x79,0x39,0xd9,0x1a, 0x58,0x5f,0xe5,0x9f,0x70,0x53,0xf9,0x82,0xc2,0x96,0xec,0x41, 0x3c,0x62,0x4c,0x66,0x93,0x08,0xf8,0x7a, }; const unsigned char tc_yb[] = { 0xd2,0x31,0x6b,0x45,0x47,0x18,0xc3,0x53,0x62,0xd8,0x3d,0x69, 0xdf,0x63,0x20,0xf3,0x85,0x78,0xed,0x59,0x84,0x65,0x14,0x35, 0xe2,0x94,0x97,0x62,0xd9,0x00,0xb8,0x0d, }; Abdalla, et al. Expires 30 March 2025 [Page 59] Internet-Draft CPace September 2024 const unsigned char tc_ADb[] = { 0x41,0x44,0x62, }; const unsigned char tc_Yb[] = { 0x08,0xbc,0xf6,0xe9,0x77,0x7a,0x9c,0x31,0x3a,0x3d,0xb6,0xda, 0xa5,0x10,0xf2,0xd3,0x98,0x40,0x33,0x19,0xc2,0x34,0x1b,0xd5, 0x06,0xa9,0x2e,0x67,0x2e,0xb7,0xe3,0x07, }; const unsigned char tc_K[] = { 0xe2,0x2b,0x1e,0xf7,0x78,0x8f,0x66,0x14,0x78,0xf3,0xcd,0xdd, 0x4c,0x60,0x07,0x74,0xfc,0x0f,0x41,0xe6,0xb7,0x11,0x56,0x91, 0x90,0xff,0x88,0xfa,0x0e,0x60,0x7e,0x09, }; const unsigned char tc_ISK_IR[] = { 0x4c,0x54,0x69,0xa1,0x6b,0x23,0x64,0xc4,0xb9,0x44,0xeb,0xc1, 0xa7,0x9e,0x51,0xd1,0x67,0x4a,0xd4,0x7d,0xb2,0x6e,0x87,0x18, 0x15,0x4f,0x59,0xfa,0xeb,0xfa,0xa5,0x2d,0x83,0x46,0xf3,0x0a, 0xa5,0x83,0x77,0x11,0x7e,0xb2,0x0d,0x52,0x7f,0x2c,0xbc,0x5c, 0x76,0x38,0x1f,0x7f,0xd3,0x72,0xe8,0x9d,0xf8,0x23,0x9f,0x87, 0xf2,0xe0,0x2e,0xd1, }; const unsigned char tc_ISK_SY[] = { 0x98,0x0d,0xcc,0x5a,0x1c,0x52,0xce,0xea,0x03,0x1e,0x75,0xf3, 0x8e,0xd2,0x66,0x58,0x66,0x16,0x48,0x8c,0x5c,0x57,0x80,0x28, 0x5f,0xcb,0xcf,0x79,0x08,0x7c,0x7b,0xcd,0xbd,0x99,0x35,0x02, 0xee,0xe6,0x06,0xb7,0x18,0xba,0x31,0xe8,0x40,0xa0,0x00,0xa7, 0xb7,0xbe,0xfe,0x15,0xea,0x42,0x7c,0x5c,0xfe,0x88,0x34,0x4f, 0xa1,0x23,0x7f,0x35, }; const unsigned char tc_ISK_SY[] = { 0x98,0x0d,0xcc,0x5a,0x1c,0x52,0xce,0xea,0x03,0x1e,0x75,0xf3, 0x8e,0xd2,0x66,0x58,0x66,0x16,0x48,0x8c,0x5c,0x57,0x80,0x28, 0x5f,0xcb,0xcf,0x79,0x08,0x7c,0x7b,0xcd,0xbd,0x99,0x35,0x02, 0xee,0xe6,0x06,0xb7,0x18,0xba,0x31,0xe8,0x40,0xa0,0x00,0xa7, 0xb7,0xbe,0xfe,0x15,0xea,0x42,0x7c,0x5c,0xfe,0x88,0x34,0x4f, 0xa1,0x23,0x7f,0x35, }; const unsigned char tc_sid_out_ir[] = { 0x2a,0x76,0xd3,0xbb,0xc4,0x99,0xdf,0xdc,0x4d,0xca,0xcc,0x9f, 0xf0,0x42,0xf4,0xe1,0xa5,0x4e,0x38,0x43,0x25,0x8e,0x10,0x0c, 0xcd,0x7c,0x60,0xf0,0xa5,0x41,0xf9,0xd3,0xeb,0xf0,0x25,0xe6, 0x8a,0x46,0x0d,0xde,0x21,0x8b,0xd3,0x9f,0x07,0x11,0xbc,0x6f, 0xa1,0x14,0x09,0xc9,0xd7,0xb6,0x9d,0x8c,0xcf,0x6b,0x32,0xfc, 0x51,0xdd,0xb6,0x99, }; const unsigned char tc_sid_out_oc[] = { 0xca,0x4b,0x50,0x70,0x0c,0x46,0x20,0x3c,0xcd,0x10,0xbc,0x0e, 0x9f,0x31,0x09,0x5e,0x50,0x81,0x89,0xcb,0x59,0x85,0x75,0x37, Abdalla, et al. Expires 30 March 2025 [Page 60] Internet-Draft CPace September 2024 0xbe,0x56,0x10,0x48,0xd3,0x4b,0x9e,0xd9,0xa9,0x69,0x7a,0xf1, 0x1c,0x99,0x8f,0x48,0x4c,0x3d,0x78,0x3b,0x0b,0x53,0x14,0x34, 0xca,0xa6,0x83,0x5d,0x4c,0x32,0x34,0x4f,0xcd,0x17,0x16,0x0c, 0x9c,0x34,0x8f,0xc7, }; B.3.9. Testvectors as JSON file encoded as BASE64 ##eyJQUlMiOiAiNTA2MTczNzM3NzZGNzI2NCIsICJDSSI6ICI2RjYzMEI0MjVGNzI ##2NTczNzA2RjZFNjQ2NTcyMEI0MTVGNjk2RTY5NzQ2OTYxNzQ2RjcyIiwgInNpZC ##I6ICI3RTRCNDc5MUQ2QThFRjAxOUI5MzZDNzlGQjdGMkM1NyIsICJnIjogIkE2R ##kM4MkMzQjg5NjhGQkIyRTA2RkVFODFDQTg1ODU4NkRFQTUwRDI0OEYwQzdDQTZB ##MThCMDkwMkEzMEIzNkIiLCAieWEiOiAiREEzRDIzNzAwQTlFNTY5OTI1OEFFRjk ##0REMwNjBERkRBNUVCQjYxRjAyQTVFQTc3RkFENTNGNEZGMDk3NkQwOCIsICJBRG ##EiOiAiNDE0NDYxIiwgIllhIjogIkQ0MEZCMjY1QTdBQkVBRUU3OTM5RDkxQTU4N ##UZFNTlGNzA1M0Y5ODJDMjk2RUM0MTNDNjI0QzY2OTMwOEY4N0EiLCAieWIiOiAi ##RDIzMTZCNDU0NzE4QzM1MzYyRDgzRDY5REY2MzIwRjM4NTc4RUQ1OTg0NjUxNDM ##1RTI5NDk3NjJEOTAwQjgwRCIsICJBRGIiOiAiNDE0NDYyIiwgIlliIjogIjA4Qk ##NGNkU5Nzc3QTlDMzEzQTNEQjZEQUE1MTBGMkQzOTg0MDMzMTlDMjM0MUJENTA2Q ##TkyRTY3MkVCN0UzMDciLCAiSyI6ICJFMjJCMUVGNzc4OEY2NjE0NzhGM0NEREQ0 ##QzYwMDc3NEZDMEY0MUU2QjcxMTU2OTE5MEZGODhGQTBFNjA3RTA5IiwgIklTS19 ##JUiI6ICI0QzU0NjlBMTZCMjM2NEM0Qjk0NEVCQzFBNzlFNTFEMTY3NEFENDdEQj ##I2RTg3MTgxNTRGNTlGQUVCRkFBNTJEODM0NkYzMEFBNTgzNzcxMTdFQjIwRDUyN ##0YyQ0JDNUM3NjM4MUY3RkQzNzJFODlERjgyMzlGODdGMkUwMkVEMSIsICJJU0tf ##U1kiOiAiOTgwRENDNUExQzUyQ0VFQTAzMUU3NUYzOEVEMjY2NTg2NjE2NDg4QzV ##DNTc4MDI4NUZDQkNGNzkwODdDN0JDREJEOTkzNTAyRUVFNjA2QjcxOEJBMzFFOD ##QwQTAwMEE3QjdCRUZFMTVFQTQyN0M1Q0ZFODgzNDRGQTEyMzdGMzUiLCAic2lkX ##291dHB1dF9pciI6ICIyQTc2RDNCQkM0OTlERkRDNERDQUNDOUZGMDQyRjRFMUE1 ##NEUzODQzMjU4RTEwMENDRDdDNjBGMEE1NDFGOUQzRUJGMDI1RTY4QTQ2MERERTI ##xOEJEMzlGMDcxMUJDNkZBMTE0MDlDOUQ3QjY5RDhDQ0Y2QjMyRkM1MUREQjY5OS ##IsICJzaWRfb3V0cHV0X29jIjogIkNBNEI1MDcwMEM0NjIwM0NDRDEwQkMwRTlGM ##zEwOTVFNTA4MTg5Q0I1OTg1NzUzN0JFNTYxMDQ4RDM0QjlFRDlBOTY5N0FGMTFD ##OTk4RjQ4NEMzRDc4M0IwQjUzMTQzNENBQTY4MzVENEMzMjM0NEZDRDE3MTYwQzl ##DMzQ4RkM3In0= B.3.10. Test case for scalar_mult with valid inputs Abdalla, et al. Expires 30 March 2025 [Page 61] Internet-Draft CPace September 2024 s: (length: 32 bytes) 7cd0e075fa7955ba52c02759a6c90dbbfc10e6d40aea8d283e407d88 cf538a05 X: (length: 32 bytes) 2c3c6b8c4f3800e7aef6864025b4ed79bd599117e427c41bd47d93d6 54b4a51c G.scalar_mult(s,decode(X)): (length: 32 bytes) 7c13645fe790a468f62c39beb7388e541d8405d1ade69d1778c5fe3e 7f6b600e G.scalar_mult_vfy(s,X): (length: 32 bytes) 7c13645fe790a468f62c39beb7388e541d8405d1ade69d1778c5fe3e 7f6b600e B.3.11. Invalid inputs for scalar_mult_vfy For these test cases scalar_mult_vfy(y,.) MUST return the representation of the neutral element G.I. When points Y_i1 or Y_i2 are included in message of A or B the protocol MUST abort. s: (length: 32 bytes) 7cd0e075fa7955ba52c02759a6c90dbbfc10e6d40aea8d283e407d88 cf538a05 Y_i1: (length: 32 bytes) 2b3c6b8c4f3800e7aef6864025b4ed79bd599117e427c41bd47d93d6 54b4a51c Y_i2 == G.I: (length: 32 bytes) 00000000000000000000000000000000000000000000000000000000 00000000 G.scalar_mult_vfy(s,Y_i1) = G.scalar_mult_vfy(s,Y_i2) = G.I B.3.11.1. Testvectors as JSON file encoded as BASE64 ##eyJWYWxpZCI6IHsicyI6ICI3Q0QwRTA3NUZBNzk1NUJBNTJDMDI3NTlBNkM5MER ##CQkZDMTBFNkQ0MEFFQThEMjgzRTQwN0Q4OENGNTM4QTA1IiwgIlgiOiAiMkMzQz ##ZCOEM0RjM4MDBFN0FFRjY4NjQwMjVCNEVENzlCRDU5OTExN0U0MjdDNDFCRDQ3R ##DkzRDY1NEI0QTUxQyIsICJHLnNjYWxhcl9tdWx0KHMsZGVjb2RlKFgpKSI6ICI3 ##QzEzNjQ1RkU3OTBBNDY4RjYyQzM5QkVCNzM4OEU1NDFEODQwNUQxQURFNjlEMTc ##3OEM1RkUzRTdGNkI2MDBFIiwgIkcuc2NhbGFyX211bHRfdmZ5KHMsWCkiOiAiN0 ##MxMzY0NUZFNzkwQTQ2OEY2MkMzOUJFQjczODhFNTQxRDg0MDVEMUFERTY5RDE3N ##zhDNUZFM0U3RjZCNjAwRSJ9LCAiSW52YWxpZCBZMSI6ICIyQjNDNkI4QzRGMzgw ##MEU3QUVGNjg2NDAyNUI0RUQ3OUJENTk5MTE3RTQyN0M0MUJENDdEOTNENjU0QjR ##BNTFDIiwgIkludmFsaWQgWTIiOiAiMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMD ##AwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMCJ9 B.4. Test vector for CPace using group decaf448 and hash SHAKE-256 B.4.1. Test vectors for calculate_generator with group decaf448 Abdalla, et al. Expires 30 March 2025 [Page 62] Internet-Draft CPace September 2024 Inputs H = SHAKE-256 with input block size 136 bytes. PRS = b'Password' ; ZPAD length: 112 ; DSI = b'CPaceDecaf448' CI = b'oc\x0bB_responder\x0bA_initiator' CI = 6f630b425f726573706f6e6465720b415f696e69746961746f72 sid = 5223e0cdc45d6575668d64c552004124 Outputs generator_string(G.DSI,PRS,CI,sid,H.s_in_bytes): (length: 180 bytes) 0d435061636544656361663434380850617373776f72647000000000 00000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000001a6f630b 425f726573706f6e6465720b415f696e69746961746f72105223e0cd c45d6575668d64c552004124 hash result: (length: 112 bytes) 7148f4d60587aaafa64d2fd6bcfe45ee71e8b971d1d5ff3bbf8c1451 797c62a1af22ab25638749f97f9b15fedcf4aeee87282cf667594ab0 92b6023c8f8d3a61c38b0af791c9271137df01b57d63b79734bbce69 91e3e2e10fdc805abc9e6e6f3daeff6fd34093d26de240b326764252 encoded generator g: (length: 56 bytes) 9a700ecc378eb98e57387df456d5b4b4f1dceebbb1371527eeb7e1bf bab64ecc9c9303396145ba04f5b5aea5baedfa61f31f00fbc5fd5606 B.4.1.1. Testvectors as JSON file encoded as BASE64 Abdalla, et al. Expires 30 March 2025 [Page 63] Internet-Draft CPace September 2024 ##eyJIIjogIlNIQUtFLTI1NiIsICJILnNfaW5fYnl0ZXMiOiAxMzYsICJQUlMiOiA ##iNTA2MTczNzM3NzZGNzI2NCIsICJaUEFEIGxlbmd0aCI6IDExMiwgIkRTSSI6IC ##I0MzUwNjE2MzY1NDQ2NTYzNjE2NjM0MzQzOCIsICJDSSI6ICI2RjYzMEI0MjVGN ##zI2NTczNzA2RjZFNjQ2NTcyMEI0MTVGNjk2RTY5NzQ2OTYxNzQ2RjcyIiwgInNp ##ZCI6ICI1MjIzRTBDREM0NUQ2NTc1NjY4RDY0QzU1MjAwNDEyNCIsICJnZW5lcmF ##0b3Jfc3RyaW5nKEcuRFNJLFBSUyxDSSxzaWQsSC5zX2luX2J5dGVzKSI6ICIwRD ##QzNTA2MTYzNjU0NDY1NjM2MTY2MzQzNDM4MDg1MDYxNzM3Mzc3NkY3MjY0NzAwM ##DAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw ##MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA ##wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMD ##AwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwM ##DAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDFBNkY2MzBCNDI1Rjcy ##NjU3MzcwNkY2RTY0NjU3MjBCNDE1RjY5NkU2OTc0Njk2MTc0NkY3MjEwNTIyM0U ##wQ0RDNDVENjU3NTY2OEQ2NEM1NTIwMDQxMjQiLCAiaGFzaCByZXN1bHQiOiAiNz ##E0OEY0RDYwNTg3QUFBRkE2NEQyRkQ2QkNGRTQ1RUU3MUU4Qjk3MUQxRDVGRjNCQ ##kY4QzE0NTE3OTdDNjJBMUFGMjJBQjI1NjM4NzQ5Rjk3RjlCMTVGRURDRjRBRUVF ##ODcyODJDRjY2NzU5NEFCMDkyQjYwMjNDOEY4RDNBNjFDMzhCMEFGNzkxQzkyNzE ##xMzdERjAxQjU3RDYzQjc5NzM0QkJDRTY5OTFFM0UyRTEwRkRDODA1QUJDOUU2RT ##ZGM0RBRUZGNkZEMzQwOTNEMjZERTI0MEIzMjY3NjQyNTIiLCAiZW5jb2RlZCBnZ ##W5lcmF0b3IgZyI6ICI5QTcwMEVDQzM3OEVCOThFNTczODdERjQ1NkQ1QjRCNEYx ##RENFRUJCQjEzNzE1MjdFRUI3RTFCRkJBQjY0RUNDOUM5MzAzMzk2MTQ1QkEwNEY ##1QjVBRUE1QkFFREZBNjFGMzFGMDBGQkM1RkQ1NjA2In0= B.4.2. Test vector for message from A Inputs ADa = b'ADa' ya (little endian): (length: 56 bytes) 33d561f13cfc0dca279c30e8cde895175dc25483892819eba132d58c 13c0462a8eb0d73fda941950594bef5191d8394691f86edffcad6c1e Outputs Ya: (length: 56 bytes) 627f8bb2ae945e2a518967df9b00aff19253d3086398f2ec18be846c c0d1f286c2ce3caf1da639859ccd2a6a01a9372a17e66bb7006e571b B.4.3. Test vector for message from B Inputs ADb = b'ADb' yb (little endian): (length: 56 bytes) 2523c969f68fa2b2aea294c2539ef36eb1e0558abd14712a7828f16a 85ed2c7e77e2bdd418994405fb1b57b6bbaadd66849892aac9d81402 Outputs Yb: (length: 56 bytes) 8e9811e4402fac098743ca7b2b509b91b38c8cf1360cc6cab3011871 7019782b7f58a591c63d9c9247b774e6b0e0b826ff4f8399f94772db Abdalla, et al. Expires 30 March 2025 [Page 64] Internet-Draft CPace September 2024 B.4.4. Test vector for secret points K scalar_mult_vfy(ya,Yb): (length: 56 bytes) 94f4ae494f4e8b07ade3354726eee49c5518b363cda544f5b4541b97 32830be37ea0e63fc83f54be280dea0747a043c76d473e01689af77f scalar_mult_vfy(yb,Ya): (length: 56 bytes) 94f4ae494f4e8b07ade3354726eee49c5518b363cda544f5b4541b97 32830be37ea0e63fc83f54be280dea0747a043c76d473e01689af77f B.4.5. Test vector for ISK calculation initiator/responder transcript_ir(Ya,ADa,Yb,ADb): (length: 122 bytes) 38627f8bb2ae945e2a518967df9b00aff19253d3086398f2ec18be84 6cc0d1f286c2ce3caf1da639859ccd2a6a01a9372a17e66bb7006e57 1b03414461388e9811e4402fac098743ca7b2b509b91b38c8cf1360c c6cab30118717019782b7f58a591c63d9c9247b774e6b0e0b826ff4f 8399f94772db03414462 DSI = G.DSI_ISK, b'CPaceDecaf448_ISK': (length: 17 bytes) 435061636544656361663434385f49534b lv_cat(DSI,sid,K)||transcript_ir(Ya,ADa,Yb,ADb): (length: 214 bytes) 11435061636544656361663434385f49534b105223e0cdc45d657566 8d64c5520041243894f4ae494f4e8b07ade3354726eee49c5518b363 cda544f5b4541b9732830be37ea0e63fc83f54be280dea0747a043c7 6d473e01689af77f38627f8bb2ae945e2a518967df9b00aff19253d3 086398f2ec18be846cc0d1f286c2ce3caf1da639859ccd2a6a01a937 2a17e66bb7006e571b03414461388e9811e4402fac098743ca7b2b50 9b91b38c8cf1360cc6cab30118717019782b7f58a591c63d9c9247b7 74e6b0e0b826ff4f8399f94772db03414462 ISK result: (length: 64 bytes) 9c2726a6cda1179349cbc38f31765eab646a2a5f176f3019fab4a0aa bd9d17c2ba895998cff698d801761a003512c1cf67d144b21e1cb6d6 b82da71d0da76cad B.4.6. Test vector for ISK calculation parallel execution Abdalla, et al. Expires 30 March 2025 [Page 65] Internet-Draft CPace September 2024 transcript_oc(Ya,ADa,Yb,ADb): (length: 124 bytes) 6f63388e9811e4402fac098743ca7b2b509b91b38c8cf1360cc6cab3 0118717019782b7f58a591c63d9c9247b774e6b0e0b826ff4f8399f9 4772db0341446238627f8bb2ae945e2a518967df9b00aff19253d308 6398f2ec18be846cc0d1f286c2ce3caf1da639859ccd2a6a01a9372a 17e66bb7006e571b03414461 DSI = G.DSI_ISK, b'CPaceDecaf448_ISK': (length: 17 bytes) 435061636544656361663434385f49534b lv_cat(DSI,sid,K)||transcript_oc(Ya,ADa,Yb,ADb): (length: 216 bytes) 11435061636544656361663434385f49534b105223e0cdc45d657566 8d64c5520041243894f4ae494f4e8b07ade3354726eee49c5518b363 cda544f5b4541b9732830be37ea0e63fc83f54be280dea0747a043c7 6d473e01689af77f6f63388e9811e4402fac098743ca7b2b509b91b3 8c8cf1360cc6cab30118717019782b7f58a591c63d9c9247b774e6b0 e0b826ff4f8399f94772db0341446238627f8bb2ae945e2a518967df 9b00aff19253d3086398f2ec18be846cc0d1f286c2ce3caf1da63985 9ccd2a6a01a9372a17e66bb7006e571b03414461 ISK result: (length: 64 bytes) 6d2178ed3048703025b9007ec84c4d969e8d8135df455e608c16aa15 2e1219c86cea563254428a9d969903ae3649d1050da1e6e0c1c060e1 ebf7316a7e993389 B.4.7. Test vector for optional output of session id H.hash(b"CPaceSidOut" + transcript_ir(Ya,ADa, Yb,ADb)): (length: 64 bytes) 65bffde17b7acf07cfd437bdb973a8f7340bf911d393a61498c0a50e f0d68bca103fbdb0f5b799505562e59811df1bc5d9b4f5f0f7c57c22 cd7ed6db4d153e3a H.hash(b"CPaceSidOut" + transcript_oc(Ya,ADa, Yb,ADb)): (length: 64 bytes) 7ce27043d1b1d0d0e02e16979637e2a00547ed6e15ea988f7d3c9b3c 2159b26ab3834bff7ff86240323e25216ba2ee6ea6e1582502017f8e 6d65f8c4a5e65543 B.4.8. Corresponding C programming language initializers const unsigned char tc_PRS[] = { 0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, }; const unsigned char tc_CI[] = { 0x6f,0x63,0x0b,0x42,0x5f,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64, 0x65,0x72,0x0b,0x41,0x5f,0x69,0x6e,0x69,0x74,0x69,0x61,0x74, 0x6f,0x72, }; const unsigned char tc_sid[] = { 0x52,0x23,0xe0,0xcd,0xc4,0x5d,0x65,0x75,0x66,0x8d,0x64,0xc5, Abdalla, et al. Expires 30 March 2025 [Page 66] Internet-Draft CPace September 2024 0x52,0x00,0x41,0x24, }; const unsigned char tc_g[] = { 0x9a,0x70,0x0e,0xcc,0x37,0x8e,0xb9,0x8e,0x57,0x38,0x7d,0xf4, 0x56,0xd5,0xb4,0xb4,0xf1,0xdc,0xee,0xbb,0xb1,0x37,0x15,0x27, 0xee,0xb7,0xe1,0xbf,0xba,0xb6,0x4e,0xcc,0x9c,0x93,0x03,0x39, 0x61,0x45,0xba,0x04,0xf5,0xb5,0xae,0xa5,0xba,0xed,0xfa,0x61, 0xf3,0x1f,0x00,0xfb,0xc5,0xfd,0x56,0x06, }; const unsigned char tc_ya[] = { 0x33,0xd5,0x61,0xf1,0x3c,0xfc,0x0d,0xca,0x27,0x9c,0x30,0xe8, 0xcd,0xe8,0x95,0x17,0x5d,0xc2,0x54,0x83,0x89,0x28,0x19,0xeb, 0xa1,0x32,0xd5,0x8c,0x13,0xc0,0x46,0x2a,0x8e,0xb0,0xd7,0x3f, 0xda,0x94,0x19,0x50,0x59,0x4b,0xef,0x51,0x91,0xd8,0x39,0x46, 0x91,0xf8,0x6e,0xdf,0xfc,0xad,0x6c,0x1e, }; const unsigned char tc_ADa[] = { 0x41,0x44,0x61, }; const unsigned char tc_Ya[] = { 0x62,0x7f,0x8b,0xb2,0xae,0x94,0x5e,0x2a,0x51,0x89,0x67,0xdf, 0x9b,0x00,0xaf,0xf1,0x92,0x53,0xd3,0x08,0x63,0x98,0xf2,0xec, 0x18,0xbe,0x84,0x6c,0xc0,0xd1,0xf2,0x86,0xc2,0xce,0x3c,0xaf, 0x1d,0xa6,0x39,0x85,0x9c,0xcd,0x2a,0x6a,0x01,0xa9,0x37,0x2a, 0x17,0xe6,0x6b,0xb7,0x00,0x6e,0x57,0x1b, }; const unsigned char tc_yb[] = { 0x25,0x23,0xc9,0x69,0xf6,0x8f,0xa2,0xb2,0xae,0xa2,0x94,0xc2, 0x53,0x9e,0xf3,0x6e,0xb1,0xe0,0x55,0x8a,0xbd,0x14,0x71,0x2a, 0x78,0x28,0xf1,0x6a,0x85,0xed,0x2c,0x7e,0x77,0xe2,0xbd,0xd4, 0x18,0x99,0x44,0x05,0xfb,0x1b,0x57,0xb6,0xbb,0xaa,0xdd,0x66, 0x84,0x98,0x92,0xaa,0xc9,0xd8,0x14,0x02, }; const unsigned char tc_ADb[] = { 0x41,0x44,0x62, }; const unsigned char tc_Yb[] = { 0x8e,0x98,0x11,0xe4,0x40,0x2f,0xac,0x09,0x87,0x43,0xca,0x7b, 0x2b,0x50,0x9b,0x91,0xb3,0x8c,0x8c,0xf1,0x36,0x0c,0xc6,0xca, 0xb3,0x01,0x18,0x71,0x70,0x19,0x78,0x2b,0x7f,0x58,0xa5,0x91, 0xc6,0x3d,0x9c,0x92,0x47,0xb7,0x74,0xe6,0xb0,0xe0,0xb8,0x26, 0xff,0x4f,0x83,0x99,0xf9,0x47,0x72,0xdb, }; const unsigned char tc_K[] = { 0x94,0xf4,0xae,0x49,0x4f,0x4e,0x8b,0x07,0xad,0xe3,0x35,0x47, 0x26,0xee,0xe4,0x9c,0x55,0x18,0xb3,0x63,0xcd,0xa5,0x44,0xf5, 0xb4,0x54,0x1b,0x97,0x32,0x83,0x0b,0xe3,0x7e,0xa0,0xe6,0x3f, 0xc8,0x3f,0x54,0xbe,0x28,0x0d,0xea,0x07,0x47,0xa0,0x43,0xc7, Abdalla, et al. Expires 30 March 2025 [Page 67] Internet-Draft CPace September 2024 0x6d,0x47,0x3e,0x01,0x68,0x9a,0xf7,0x7f, }; const unsigned char tc_ISK_IR[] = { 0x9c,0x27,0x26,0xa6,0xcd,0xa1,0x17,0x93,0x49,0xcb,0xc3,0x8f, 0x31,0x76,0x5e,0xab,0x64,0x6a,0x2a,0x5f,0x17,0x6f,0x30,0x19, 0xfa,0xb4,0xa0,0xaa,0xbd,0x9d,0x17,0xc2,0xba,0x89,0x59,0x98, 0xcf,0xf6,0x98,0xd8,0x01,0x76,0x1a,0x00,0x35,0x12,0xc1,0xcf, 0x67,0xd1,0x44,0xb2,0x1e,0x1c,0xb6,0xd6,0xb8,0x2d,0xa7,0x1d, 0x0d,0xa7,0x6c,0xad, }; const unsigned char tc_ISK_SY[] = { 0x6d,0x21,0x78,0xed,0x30,0x48,0x70,0x30,0x25,0xb9,0x00,0x7e, 0xc8,0x4c,0x4d,0x96,0x9e,0x8d,0x81,0x35,0xdf,0x45,0x5e,0x60, 0x8c,0x16,0xaa,0x15,0x2e,0x12,0x19,0xc8,0x6c,0xea,0x56,0x32, 0x54,0x42,0x8a,0x9d,0x96,0x99,0x03,0xae,0x36,0x49,0xd1,0x05, 0x0d,0xa1,0xe6,0xe0,0xc1,0xc0,0x60,0xe1,0xeb,0xf7,0x31,0x6a, 0x7e,0x99,0x33,0x89, }; const unsigned char tc_ISK_SY[] = { 0x6d,0x21,0x78,0xed,0x30,0x48,0x70,0x30,0x25,0xb9,0x00,0x7e, 0xc8,0x4c,0x4d,0x96,0x9e,0x8d,0x81,0x35,0xdf,0x45,0x5e,0x60, 0x8c,0x16,0xaa,0x15,0x2e,0x12,0x19,0xc8,0x6c,0xea,0x56,0x32, 0x54,0x42,0x8a,0x9d,0x96,0x99,0x03,0xae,0x36,0x49,0xd1,0x05, 0x0d,0xa1,0xe6,0xe0,0xc1,0xc0,0x60,0xe1,0xeb,0xf7,0x31,0x6a, 0x7e,0x99,0x33,0x89, }; const unsigned char tc_sid_out_ir[] = { 0x65,0xbf,0xfd,0xe1,0x7b,0x7a,0xcf,0x07,0xcf,0xd4,0x37,0xbd, 0xb9,0x73,0xa8,0xf7,0x34,0x0b,0xf9,0x11,0xd3,0x93,0xa6,0x14, 0x98,0xc0,0xa5,0x0e,0xf0,0xd6,0x8b,0xca,0x10,0x3f,0xbd,0xb0, 0xf5,0xb7,0x99,0x50,0x55,0x62,0xe5,0x98,0x11,0xdf,0x1b,0xc5, 0xd9,0xb4,0xf5,0xf0,0xf7,0xc5,0x7c,0x22,0xcd,0x7e,0xd6,0xdb, 0x4d,0x15,0x3e,0x3a, }; const unsigned char tc_sid_out_oc[] = { 0x7c,0xe2,0x70,0x43,0xd1,0xb1,0xd0,0xd0,0xe0,0x2e,0x16,0x97, 0x96,0x37,0xe2,0xa0,0x05,0x47,0xed,0x6e,0x15,0xea,0x98,0x8f, 0x7d,0x3c,0x9b,0x3c,0x21,0x59,0xb2,0x6a,0xb3,0x83,0x4b,0xff, 0x7f,0xf8,0x62,0x40,0x32,0x3e,0x25,0x21,0x6b,0xa2,0xee,0x6e, 0xa6,0xe1,0x58,0x25,0x02,0x01,0x7f,0x8e,0x6d,0x65,0xf8,0xc4, 0xa5,0xe6,0x55,0x43, }; B.4.9. Testvectors as JSON file encoded as BASE64 Abdalla, et al. Expires 30 March 2025 [Page 68] Internet-Draft CPace September 2024 ##eyJQUlMiOiAiNTA2MTczNzM3NzZGNzI2NCIsICJDSSI6ICI2RjYzMEI0MjVGNzI ##2NTczNzA2RjZFNjQ2NTcyMEI0MTVGNjk2RTY5NzQ2OTYxNzQ2RjcyIiwgInNpZC ##I6ICI1MjIzRTBDREM0NUQ2NTc1NjY4RDY0QzU1MjAwNDEyNCIsICJnIjogIjlBN ##zAwRUNDMzc4RUI5OEU1NzM4N0RGNDU2RDVCNEI0RjFEQ0VFQkJCMTM3MTUyN0VF ##QjdFMUJGQkFCNjRFQ0M5QzkzMDMzOTYxNDVCQTA0RjVCNUFFQTVCQUVERkE2MUY ##zMUYwMEZCQzVGRDU2MDYiLCAieWEiOiAiMzNENTYxRjEzQ0ZDMERDQTI3OUMzME ##U4Q0RFODk1MTc1REMyNTQ4Mzg5MjgxOUVCQTEzMkQ1OEMxM0MwNDYyQThFQjBEN ##zNGREE5NDE5NTA1OTRCRUY1MTkxRDgzOTQ2OTFGODZFREZGQ0FENkMxRSIsICJB ##RGEiOiAiNDE0NDYxIiwgIllhIjogIjYyN0Y4QkIyQUU5NDVFMkE1MTg5NjdERjl ##CMDBBRkYxOTI1M0QzMDg2Mzk4RjJFQzE4QkU4NDZDQzBEMUYyODZDMkNFM0NBRj ##FEQTYzOTg1OUNDRDJBNkEwMUE5MzcyQTE3RTY2QkI3MDA2RTU3MUIiLCAieWIiO ##iAiMjUyM0M5NjlGNjhGQTJCMkFFQTI5NEMyNTM5RUYzNkVCMUUwNTU4QUJEMTQ3 ##MTJBNzgyOEYxNkE4NUVEMkM3RTc3RTJCREQ0MTg5OTQ0MDVGQjFCNTdCNkJCQUF ##ERDY2ODQ5ODkyQUFDOUQ4MTQwMiIsICJBRGIiOiAiNDE0NDYyIiwgIlliIjogIj ##hFOTgxMUU0NDAyRkFDMDk4NzQzQ0E3QjJCNTA5QjkxQjM4QzhDRjEzNjBDQzZDQ ##UIzMDExODcxNzAxOTc4MkI3RjU4QTU5MUM2M0Q5QzkyNDdCNzc0RTZCMEUwQjgy ##NkZGNEY4Mzk5Rjk0NzcyREIiLCAiSyI6ICI5NEY0QUU0OTRGNEU4QjA3QURFMzM ##1NDcyNkVFRTQ5QzU1MThCMzYzQ0RBNTQ0RjVCNDU0MUI5NzMyODMwQkUzN0VBME ##U2M0ZDODNGNTRCRTI4MERFQTA3NDdBMDQzQzc2RDQ3M0UwMTY4OUFGNzdGIiwgI ##klTS19JUiI6ICI5QzI3MjZBNkNEQTExNzkzNDlDQkMzOEYzMTc2NUVBQjY0NkEy ##QTVGMTc2RjMwMTlGQUI0QTBBQUJEOUQxN0MyQkE4OTU5OThDRkY2OThEODAxNzY ##xQTAwMzUxMkMxQ0Y2N0QxNDRCMjFFMUNCNkQ2QjgyREE3MUQwREE3NkNBRCIsIC ##JJU0tfU1kiOiAiNkQyMTc4RUQzMDQ4NzAzMDI1QjkwMDdFQzg0QzREOTY5RThEO ##DEzNURGNDU1RTYwOEMxNkFBMTUyRTEyMTlDODZDRUE1NjMyNTQ0MjhBOUQ5Njk5 ##MDNBRTM2NDlEMTA1MERBMUU2RTBDMUMwNjBFMUVCRjczMTZBN0U5OTMzODkiLCA ##ic2lkX291dHB1dF9pciI6ICI2NUJGRkRFMTdCN0FDRjA3Q0ZENDM3QkRCOTczQT ##hGNzM0MEJGOTExRDM5M0E2MTQ5OEMwQTUwRUYwRDY4QkNBMTAzRkJEQjBGNUI3O ##Tk1MDU1NjJFNTk4MTFERjFCQzVEOUI0RjVGMEY3QzU3QzIyQ0Q3RUQ2REI0RDE1 ##M0UzQSIsICJzaWRfb3V0cHV0X29jIjogIjdDRTI3MDQzRDFCMUQwRDBFMDJFMTY ##5Nzk2MzdFMkEwMDU0N0VENkUxNUVBOTg4RjdEM0M5QjNDMjE1OUIyNkFCMzgzNE ##JGRjdGRjg2MjQwMzIzRTI1MjE2QkEyRUU2RUE2RTE1ODI1MDIwMTdGOEU2RDY1R ##jhDNEE1RTY1NTQzIn0= B.4.10. Test case for scalar_mult with valid inputs s: (length: 56 bytes) dd1bc7015daabb7672129cc35a3ba815486b139deff9bdeca7a4fc61 34323d34658761e90ff079972a7ca8aa5606498f4f4f0ebc0933a819 X: (length: 56 bytes) 601431d5e51f43d422a92d3fb2373bde28217aab42524c341aa404ea ba5aa5541f7042dbb3253ce4c90f772b038a413dcb3a0f6bf3ae9e21 G.scalar_mult(s,decode(X)): (length: 56 bytes) 388b35c60eb41b66085a2118316218681d78979d667702de105fdc1f 21ffe884a577d795f45691781390a229a3bd7b527e831380f2f585a4 G.scalar_mult_vfy(s,X): (length: 56 bytes) 388b35c60eb41b66085a2118316218681d78979d667702de105fdc1f 21ffe884a577d795f45691781390a229a3bd7b527e831380f2f585a4 Abdalla, et al. Expires 30 March 2025 [Page 69] Internet-Draft CPace September 2024 B.4.11. Invalid inputs for scalar_mult_vfy For these test cases scalar_mult_vfy(y,.) MUST return the representation of the neutral element G.I. When points Y_i1 or Y_i2 are included in message of A or B the protocol MUST abort. s: (length: 56 bytes) dd1bc7015daabb7672129cc35a3ba815486b139deff9bdeca7a4fc61 34323d34658761e90ff079972a7ca8aa5606498f4f4f0ebc0933a819 Y_i1: (length: 56 bytes) 5f1431d5e51f43d422a92d3fb2373bde28217aab42524c341aa404ea ba5aa5541f7042dbb3253ce4c90f772b038a413dcb3a0f6bf3ae9e21 Y_i2 == G.I: (length: 56 bytes) 00000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000 G.scalar_mult_vfy(s,Y_i1) = G.scalar_mult_vfy(s,Y_i2) = G.I B.4.11.1. Testvectors as JSON file encoded as BASE64 ##eyJWYWxpZCI6IHsicyI6ICJERDFCQzcwMTVEQUFCQjc2NzIxMjlDQzM1QTNCQTg ##xNTQ4NkIxMzlERUZGOUJERUNBN0E0RkM2MTM0MzIzRDM0NjU4NzYxRTkwRkYwNz ##k5NzJBN0NBOEFBNTYwNjQ5OEY0RjRGMEVCQzA5MzNBODE5IiwgIlgiOiAiNjAxN ##DMxRDVFNTFGNDNENDIyQTkyRDNGQjIzNzNCREUyODIxN0FBQjQyNTI0QzM0MUFB ##NDA0RUFCQTVBQTU1NDFGNzA0MkRCQjMyNTNDRTRDOTBGNzcyQjAzOEE0MTNEQ0I ##zQTBGNkJGM0FFOUUyMSIsICJHLnNjYWxhcl9tdWx0KHMsZGVjb2RlKFgpKSI6IC ##IzODhCMzVDNjBFQjQxQjY2MDg1QTIxMTgzMTYyMTg2ODFENzg5NzlENjY3NzAyR ##EUxMDVGREMxRjIxRkZFODg0QTU3N0Q3OTVGNDU2OTE3ODEzOTBBMjI5QTNCRDdC ##NTI3RTgzMTM4MEYyRjU4NUE0IiwgIkcuc2NhbGFyX211bHRfdmZ5KHMsWCkiOiA ##iMzg4QjM1QzYwRUI0MUI2NjA4NUEyMTE4MzE2MjE4NjgxRDc4OTc5RDY2NzcwMk ##RFMTA1RkRDMUYyMUZGRTg4NEE1NzdENzk1RjQ1NjkxNzgxMzkwQTIyOUEzQkQ3Q ##jUyN0U4MzEzODBGMkY1ODVBNCJ9LCAiSW52YWxpZCBZMSI6ICI1RjE0MzFENUU1 ##MUY0M0Q0MjJBOTJEM0ZCMjM3M0JERTI4MjE3QUFCNDI1MjRDMzQxQUE0MDRFQUJ ##BNUFBNTU0MUY3MDQyREJCMzI1M0NFNEM5MEY3NzJCMDM4QTQxM0RDQjNBMEY2Qk ##YzQUU5RTIxIiwgIkludmFsaWQgWTIiOiAiMDAwMDAwMDAwMDAwMDAwMDAwMDAwM ##DAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw ##MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMCJ9 B.5. Test vector for CPace using group NIST P-256 and hash SHA-256 B.5.1. Test vectors for calculate_generator with group NIST P-256 Abdalla, et al. Expires 30 March 2025 [Page 70] Internet-Draft CPace September 2024 Inputs H = SHA-256 with input block size 64 bytes. PRS = b'Password' ; ZPAD length: 23 ; DSI = b'CPaceP256_XMD:SHA-256_SSWU_NU_' DST = b'CPaceP256_XMD:SHA-256_SSWU_NU__DST' CI = b'oc\x0bB_responder\x0bA_initiator' CI = 6f630b425f726573706f6e6465720b415f696e69746961746f72 sid = 34b36454cab2e7842c389f7d88ecb7df Outputs generator_string(PRS,G.DSI,CI,sid,H.s_in_bytes): (length: 108 bytes) 1e4350616365503235365f584d443a5348412d3235365f535357555f 4e555f0850617373776f726417000000000000000000000000000000 00000000000000001a6f630b425f726573706f6e6465720b415f696e 69746961746f721034b36454cab2e7842c389f7d88ecb7df generator g: (length: 65 bytes) 04eee577320b1c241a79419fcde5718c2b63f81ef8717d56a57d2fb2 6b65a8beb63573b52605efb32ff4cf31aaef9a92df84e4e8408cc6c7 cf27a535aad2b38a56 B.5.1.1. Testvectors as JSON file encoded as BASE64 ##eyJIIjogIlNIQS0yNTYiLCAiSC5zX2luX2J5dGVzIjogNjQsICJQUlMiOiAiNTA ##2MTczNzM3NzZGNzI2NCIsICJaUEFEIGxlbmd0aCI6IDIzLCAiRFNJIjogIjQzNT ##A2MTYzNjU1MDMyMzUzNjVGNTg0RDQ0M0E1MzQ4NDEyRDMyMzUzNjVGNTM1MzU3N ##TU1RjRFNTU1RiIsICJDSSI6ICI2RjYzMEI0MjVGNzI2NTczNzA2RjZFNjQ2NTcy ##MEI0MTVGNjk2RTY5NzQ2OTYxNzQ2RjcyIiwgInNpZCI6ICIzNEIzNjQ1NENBQjJ ##FNzg0MkMzODlGN0Q4OEVDQjdERiIsICJnZW5lcmF0b3Jfc3RyaW5nKEcuRFNJLF ##BSUyxDSSxzaWQsSC5zX2luX2J5dGVzKSI6ICIxRTQzNTA2MTYzNjU1MDMyMzUzN ##jVGNTg0RDQ0M0E1MzQ4NDEyRDMyMzUzNjVGNTM1MzU3NTU1RjRFNTU1RjA4NTA2 ##MTczNzM3NzZGNzI2NDE3MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA ##wMDAwMDAwMDAwMDAwMDFBNkY2MzBCNDI1RjcyNjU3MzcwNkY2RTY0NjU3MjBCND ##E1RjY5NkU2OTc0Njk2MTc0NkY3MjEwMzRCMzY0NTRDQUIyRTc4NDJDMzg5RjdEO ##DhFQ0I3REYiLCAiZ2VuZXJhdG9yIGciOiAiMDRFRUU1NzczMjBCMUMyNDFBNzk0 ##MTlGQ0RFNTcxOEMyQjYzRjgxRUY4NzE3RDU2QTU3RDJGQjI2QjY1QThCRUI2MzU ##3M0I1MjYwNUVGQjMyRkY0Q0YzMUFBRUY5QTkyREY4NEU0RTg0MDhDQzZDN0NGMj ##dBNTM1QUFEMkIzOEE1NiJ9 B.5.2. Test vector for message from A Abdalla, et al. Expires 30 March 2025 [Page 71] Internet-Draft CPace September 2024 Inputs ADa = b'ADa' ya (big endian): (length: 32 bytes) 37574cfbf1b95ff6a8e2d7be462d4d01e6dde2618f34f4de9df869b2 4f532c5d Outputs Ya: (length: 65 bytes) 041f12ad5fc65010a24fc04c86197109a36df0e9ce85a7479e1e1364 692fdace17ea5a634e19c207a5d52ead6c6817a163cf2f2fe3406c5d fdfc2ecdf8e42c5e16 Alternative correct value for Ya: g*(-ya): (length: 65 bytes) 041f12ad5fc65010a24fc04c86197109a36df0e9ce85a7479e1e1364 692fdace1715a59cb0e63df85b2ad1529397e85e9c30d0d01dbf93a2 0203d132071bd3a1e9 B.5.3. Test vector for message from B Inputs ADb = b'ADb' yb (big endian): (length: 32 bytes) e5672fc9eb4e721f41d80181ec4c9fd9886668acc48024d33c82bb10 2aecba52 Outputs Yb: (length: 65 bytes) 046a51180b6ebabaf5ed0af8cd786886d93342bcae4c158ce1617a0a cc8ec354486f9ed2e9210913206d1e3f5e463d2d320c4f1f5ce8b677 a7e38a26f752bf8f84 Alternative correct value for Yb: g*(-yb): (length: 65 bytes) 046a51180b6ebabaf5ed0af8cd786886d93342bcae4c158ce1617a0a cc8ec3544890612d15def6ece092e1c0a1b9c2d2cdf3b0e0a4174988 581c75d908ad40707b B.5.4. Test vector for secret points K scalar_mult_vfy(ya,Yb): (length: 32 bytes) 3e0e2f8976fb8d0deee30aef4b5cd3631eed249af32f53d0dd009b5d 7b8f6b6c scalar_mult_vfy(yb,Ya): (length: 32 bytes) 3e0e2f8976fb8d0deee30aef4b5cd3631eed249af32f53d0dd009b5d 7b8f6b6c B.5.5. Test vector for ISK calculation initiator/responder Abdalla, et al. Expires 30 March 2025 [Page 72] Internet-Draft CPace September 2024 transcript_ir(Ya,ADa,Yb,ADb): (length: 140 bytes) 41041f12ad5fc65010a24fc04c86197109a36df0e9ce85a7479e1e13 64692fdace17ea5a634e19c207a5d52ead6c6817a163cf2f2fe3406c 5dfdfc2ecdf8e42c5e160341446141046a51180b6ebabaf5ed0af8cd 786886d93342bcae4c158ce1617a0acc8ec354486f9ed2e921091320 6d1e3f5e463d2d320c4f1f5ce8b677a7e38a26f752bf8f8403414462 DSI = G.DSI_ISK, b'CPaceP256_XMD:SHA-256_SSWU_NU__ISK': (length: 34 bytes) 4350616365503235365f584d443a5348412d3235365f535357555f4e 555f5f49534b lv_cat(DSI,sid,K)||transcript_ir(Ya,ADa,Yb,ADb): (length: 225 bytes) 224350616365503235365f584d443a5348412d3235365f535357555f 4e555f5f49534b1034b36454cab2e7842c389f7d88ecb7df203e0e2f 8976fb8d0deee30aef4b5cd3631eed249af32f53d0dd009b5d7b8f6b 6c41041f12ad5fc65010a24fc04c86197109a36df0e9ce85a7479e1e 1364692fdace17ea5a634e19c207a5d52ead6c6817a163cf2f2fe340 6c5dfdfc2ecdf8e42c5e160341446141046a51180b6ebabaf5ed0af8 cd786886d93342bcae4c158ce1617a0acc8ec354486f9ed2e9210913 206d1e3f5e463d2d320c4f1f5ce8b677a7e38a26f752bf8f84034144 62 ISK result: (length: 32 bytes) 9565ed286b6e3cf1f943fd31746f9a22935537025a1328d4980005ba 984f0c39 B.5.6. Test vector for ISK calculation parallel execution Abdalla, et al. Expires 30 March 2025 [Page 73] Internet-Draft CPace September 2024 transcript_oc(Ya,ADa,Yb,ADb): (length: 142 bytes) 6f6341046a51180b6ebabaf5ed0af8cd786886d93342bcae4c158ce1 617a0acc8ec354486f9ed2e9210913206d1e3f5e463d2d320c4f1f5c e8b677a7e38a26f752bf8f840341446241041f12ad5fc65010a24fc0 4c86197109a36df0e9ce85a7479e1e1364692fdace17ea5a634e19c2 07a5d52ead6c6817a163cf2f2fe3406c5dfdfc2ecdf8e42c5e160341 4461 DSI = G.DSI_ISK, b'CPaceP256_XMD:SHA-256_SSWU_NU__ISK': (length: 34 bytes) 4350616365503235365f584d443a5348412d3235365f535357555f4e 555f5f49534b lv_cat(DSI,sid,K)||transcript_oc(Ya,ADa,Yb,ADb): (length: 227 bytes) 224350616365503235365f584d443a5348412d3235365f535357555f 4e555f5f49534b1034b36454cab2e7842c389f7d88ecb7df203e0e2f 8976fb8d0deee30aef4b5cd3631eed249af32f53d0dd009b5d7b8f6b 6c6f6341046a51180b6ebabaf5ed0af8cd786886d93342bcae4c158c e1617a0acc8ec354486f9ed2e9210913206d1e3f5e463d2d320c4f1f 5ce8b677a7e38a26f752bf8f840341446241041f12ad5fc65010a24f c04c86197109a36df0e9ce85a7479e1e1364692fdace17ea5a634e19 c207a5d52ead6c6817a163cf2f2fe3406c5dfdfc2ecdf8e42c5e1603 414461 ISK result: (length: 32 bytes) 62a445a4daa3546dd031c66ead2e4e015abbcc83bde31c90f841149f d441c58a B.5.7. Test vector for optional output of session id H.hash(b"CPaceSidOut" + transcript_ir(Ya,ADa, Yb,ADb)): (length: 32 bytes) a7386d1c2eb06e8056d7fecbcf691e08d189d96236020ef31b414069 8a4b99f9 H.hash(b"CPaceSidOut" + transcript_oc(Ya,ADa, Yb,ADb)): (length: 32 bytes) d337dbc0dd797b4e6f2f14ea4925c58e5d5523871e8cb43a3c1b0f2b 1a1ffde3 B.5.8. Corresponding C programming language initializers const unsigned char tc_PRS[] = { 0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, }; const unsigned char tc_CI[] = { 0x6f,0x63,0x0b,0x42,0x5f,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64, 0x65,0x72,0x0b,0x41,0x5f,0x69,0x6e,0x69,0x74,0x69,0x61,0x74, 0x6f,0x72, }; const unsigned char tc_sid[] = { Abdalla, et al. Expires 30 March 2025 [Page 74] Internet-Draft CPace September 2024 0x34,0xb3,0x64,0x54,0xca,0xb2,0xe7,0x84,0x2c,0x38,0x9f,0x7d, 0x88,0xec,0xb7,0xdf, }; const unsigned char tc_g[] = { 0x04,0xee,0xe5,0x77,0x32,0x0b,0x1c,0x24,0x1a,0x79,0x41,0x9f, 0xcd,0xe5,0x71,0x8c,0x2b,0x63,0xf8,0x1e,0xf8,0x71,0x7d,0x56, 0xa5,0x7d,0x2f,0xb2,0x6b,0x65,0xa8,0xbe,0xb6,0x35,0x73,0xb5, 0x26,0x05,0xef,0xb3,0x2f,0xf4,0xcf,0x31,0xaa,0xef,0x9a,0x92, 0xdf,0x84,0xe4,0xe8,0x40,0x8c,0xc6,0xc7,0xcf,0x27,0xa5,0x35, 0xaa,0xd2,0xb3,0x8a,0x56, }; const unsigned char tc_ya[] = { 0x37,0x57,0x4c,0xfb,0xf1,0xb9,0x5f,0xf6,0xa8,0xe2,0xd7,0xbe, 0x46,0x2d,0x4d,0x01,0xe6,0xdd,0xe2,0x61,0x8f,0x34,0xf4,0xde, 0x9d,0xf8,0x69,0xb2,0x4f,0x53,0x2c,0x5d, }; const unsigned char tc_ADa[] = { 0x41,0x44,0x61, }; const unsigned char tc_Ya[] = { 0x04,0x1f,0x12,0xad,0x5f,0xc6,0x50,0x10,0xa2,0x4f,0xc0,0x4c, 0x86,0x19,0x71,0x09,0xa3,0x6d,0xf0,0xe9,0xce,0x85,0xa7,0x47, 0x9e,0x1e,0x13,0x64,0x69,0x2f,0xda,0xce,0x17,0xea,0x5a,0x63, 0x4e,0x19,0xc2,0x07,0xa5,0xd5,0x2e,0xad,0x6c,0x68,0x17,0xa1, 0x63,0xcf,0x2f,0x2f,0xe3,0x40,0x6c,0x5d,0xfd,0xfc,0x2e,0xcd, 0xf8,0xe4,0x2c,0x5e,0x16, }; const unsigned char tc_yb[] = { 0xe5,0x67,0x2f,0xc9,0xeb,0x4e,0x72,0x1f,0x41,0xd8,0x01,0x81, 0xec,0x4c,0x9f,0xd9,0x88,0x66,0x68,0xac,0xc4,0x80,0x24,0xd3, 0x3c,0x82,0xbb,0x10,0x2a,0xec,0xba,0x52, }; const unsigned char tc_ADb[] = { 0x41,0x44,0x62, }; const unsigned char tc_Yb[] = { 0x04,0x6a,0x51,0x18,0x0b,0x6e,0xba,0xba,0xf5,0xed,0x0a,0xf8, 0xcd,0x78,0x68,0x86,0xd9,0x33,0x42,0xbc,0xae,0x4c,0x15,0x8c, 0xe1,0x61,0x7a,0x0a,0xcc,0x8e,0xc3,0x54,0x48,0x6f,0x9e,0xd2, 0xe9,0x21,0x09,0x13,0x20,0x6d,0x1e,0x3f,0x5e,0x46,0x3d,0x2d, 0x32,0x0c,0x4f,0x1f,0x5c,0xe8,0xb6,0x77,0xa7,0xe3,0x8a,0x26, 0xf7,0x52,0xbf,0x8f,0x84, }; const unsigned char tc_K[] = { 0x3e,0x0e,0x2f,0x89,0x76,0xfb,0x8d,0x0d,0xee,0xe3,0x0a,0xef, 0x4b,0x5c,0xd3,0x63,0x1e,0xed,0x24,0x9a,0xf3,0x2f,0x53,0xd0, 0xdd,0x00,0x9b,0x5d,0x7b,0x8f,0x6b,0x6c, }; Abdalla, et al. Expires 30 March 2025 [Page 75] Internet-Draft CPace September 2024 const unsigned char tc_ISK_IR[] = { 0x95,0x65,0xed,0x28,0x6b,0x6e,0x3c,0xf1,0xf9,0x43,0xfd,0x31, 0x74,0x6f,0x9a,0x22,0x93,0x55,0x37,0x02,0x5a,0x13,0x28,0xd4, 0x98,0x00,0x05,0xba,0x98,0x4f,0x0c,0x39, }; const unsigned char tc_ISK_SY[] = { 0x62,0xa4,0x45,0xa4,0xda,0xa3,0x54,0x6d,0xd0,0x31,0xc6,0x6e, 0xad,0x2e,0x4e,0x01,0x5a,0xbb,0xcc,0x83,0xbd,0xe3,0x1c,0x90, 0xf8,0x41,0x14,0x9f,0xd4,0x41,0xc5,0x8a, }; const unsigned char tc_ISK_SY[] = { 0x62,0xa4,0x45,0xa4,0xda,0xa3,0x54,0x6d,0xd0,0x31,0xc6,0x6e, 0xad,0x2e,0x4e,0x01,0x5a,0xbb,0xcc,0x83,0xbd,0xe3,0x1c,0x90, 0xf8,0x41,0x14,0x9f,0xd4,0x41,0xc5,0x8a, }; const unsigned char tc_sid_out_ir[] = { 0xa7,0x38,0x6d,0x1c,0x2e,0xb0,0x6e,0x80,0x56,0xd7,0xfe,0xcb, 0xcf,0x69,0x1e,0x08,0xd1,0x89,0xd9,0x62,0x36,0x02,0x0e,0xf3, 0x1b,0x41,0x40,0x69,0x8a,0x4b,0x99,0xf9, }; const unsigned char tc_sid_out_oc[] = { 0xd3,0x37,0xdb,0xc0,0xdd,0x79,0x7b,0x4e,0x6f,0x2f,0x14,0xea, 0x49,0x25,0xc5,0x8e,0x5d,0x55,0x23,0x87,0x1e,0x8c,0xb4,0x3a, 0x3c,0x1b,0x0f,0x2b,0x1a,0x1f,0xfd,0xe3, }; B.5.9. Testvectors as JSON file encoded as BASE64 Abdalla, et al. Expires 30 March 2025 [Page 76] Internet-Draft CPace September 2024 ##eyJQUlMiOiAiNTA2MTczNzM3NzZGNzI2NCIsICJDSSI6ICI2RjYzMEI0MjVGNzI ##2NTczNzA2RjZFNjQ2NTcyMEI0MTVGNjk2RTY5NzQ2OTYxNzQ2RjcyIiwgInNpZC ##I6ICIzNEIzNjQ1NENBQjJFNzg0MkMzODlGN0Q4OEVDQjdERiIsICJnIjogIjA0R ##UVFNTc3MzIwQjFDMjQxQTc5NDE5RkNERTU3MThDMkI2M0Y4MUVGODcxN0Q1NkE1 ##N0QyRkIyNkI2NUE4QkVCNjM1NzNCNTI2MDVFRkIzMkZGNENGMzFBQUVGOUE5MkR ##GODRFNEU4NDA4Q0M2QzdDRjI3QTUzNUFBRDJCMzhBNTYiLCAieWEiOiAiMzc1Nz ##RDRkJGMUI5NUZGNkE4RTJEN0JFNDYyRDREMDFFNkRERTI2MThGMzRGNERFOURGO ##DY5QjI0RjUzMkM1RCIsICJBRGEiOiAiNDE0NDYxIiwgIllhIjogIjA0MUYxMkFE ##NUZDNjUwMTBBMjRGQzA0Qzg2MTk3MTA5QTM2REYwRTlDRTg1QTc0NzlFMUUxMzY ##0NjkyRkRBQ0UxN0VBNUE2MzRFMTlDMjA3QTVENTJFQUQ2QzY4MTdBMTYzQ0YyRj ##JGRTM0MDZDNURGREZDMkVDREY4RTQyQzVFMTYiLCAieWIiOiAiRTU2NzJGQzlFQ ##jRFNzIxRjQxRDgwMTgxRUM0QzlGRDk4ODY2NjhBQ0M0ODAyNEQzM0M4MkJCMTAy ##QUVDQkE1MiIsICJBRGIiOiAiNDE0NDYyIiwgIlliIjogIjA0NkE1MTE4MEI2RUJ ##BQkFGNUVEMEFGOENENzg2ODg2RDkzMzQyQkNBRTRDMTU4Q0UxNjE3QTBBQ0M4RU ##MzNTQ0ODZGOUVEMkU5MjEwOTEzMjA2RDFFM0Y1RTQ2M0QyRDMyMEM0RjFGNUNFO ##EI2NzdBN0UzOEEyNkY3NTJCRjhGODQiLCAiSyI6ICIzRTBFMkY4OTc2RkI4RDBE ##RUVFMzBBRUY0QjVDRDM2MzFFRUQyNDlBRjMyRjUzRDBERDAwOUI1RDdCOEY2QjZ ##DIiwgIklTS19JUiI6ICI5NTY1RUQyODZCNkUzQ0YxRjk0M0ZEMzE3NDZGOUEyMj ##kzNTUzNzAyNUExMzI4RDQ5ODAwMDVCQTk4NEYwQzM5IiwgIklTS19TWSI6ICI2M ##kE0NDVBNERBQTM1NDZERDAzMUM2NkVBRDJFNEUwMTVBQkJDQzgzQkRFMzFDOTBG ##ODQxMTQ5RkQ0NDFDNThBIiwgInNpZF9vdXRwdXRfaXIiOiAiQTczODZEMUMyRUI ##wNkU4MDU2RDdGRUNCQ0Y2OTFFMDhEMTg5RDk2MjM2MDIwRUYzMUI0MTQwNjk4QT ##RCOTlGOSIsICJzaWRfb3V0cHV0X29jIjogIkQzMzdEQkMwREQ3OTdCNEU2RjJGM ##TRFQTQ5MjVDNThFNUQ1NTIzODcxRThDQjQzQTNDMUIwRjJCMUExRkZERTMifQ== B.5.10. Test case for scalar_mult_vfy with correct inputs s: (length: 32 bytes) f012501c091ff9b99a123fffe571d8bc01e8077ee581362e1bd21399 0835643b X: (length: 65 bytes) 0424648eb986c2be0af636455cef0550671d6bcd8aa26e0d72ffa1b1 fd12ba4e0f78da2b6d2184f31af39e566aef127014b6936c9a37346d 10a4ab2514faef5831 G.scalar_mult(s,X) (full coordinates): (length: 65 bytes) 04f5a191f078c87c36633b78c701751159d56c59f3fe9105b5720673 470f303ab925b6a7fd1cdd8f649a21cf36b68d9e9c4a11919a951892 519786104b27033757 G.scalar_mult_vfy(s,X) (only X-coordinate): (length: 32 bytes) f5a191f078c87c36633b78c701751159d56c59f3fe9105b572067347 0f303ab9 B.5.11. Invalid inputs for scalar_mult_vfy For these test cases scalar_mult_vfy(y,.) MUST return the representation of the neutral element G.I. When including Y_i1 or Y_i2 in messages of A or B the protocol MUST abort. Abdalla, et al. Expires 30 March 2025 [Page 77] Internet-Draft CPace September 2024 s: (length: 32 bytes) f012501c091ff9b99a123fffe571d8bc01e8077ee581362e1bd21399 0835643b Y_i1: (length: 65 bytes) 0424648eb986c2be0af636455cef0550671d6bcd8aa26e0d72ffa1b1 fd12ba4e0f78da2b6d2184f31af39e566aef127014b6936c9a37346d 10a4ab2514faef5857 Y_i2: (length: 1 bytes) 00 G.scalar_mult_vfy(s,Y_i1) = G.scalar_mult_vfy(s,Y_i2) = G.I B.5.11.1. Testvectors as JSON file encoded as BASE64 ##eyJWYWxpZCI6IHsicyI6ICJGMDEyNTAxQzA5MUZGOUI5OUExMjNGRkZFNTcxRDh ##CQzAxRTgwNzdFRTU4MTM2MkUxQkQyMTM5OTA4MzU2NDNCIiwgIlgiOiAiMDQyND ##Y0OEVCOTg2QzJCRTBBRjYzNjQ1NUNFRjA1NTA2NzFENkJDRDhBQTI2RTBENzJGR ##kExQjFGRDEyQkE0RTBGNzhEQTJCNkQyMTg0RjMxQUYzOUU1NjZBRUYxMjcwMTRC ##NjkzNkM5QTM3MzQ2RDEwQTRBQjI1MTRGQUVGNTgzMSIsICJHLnNjYWxhcl9tdWx ##0KHMsWCkgKGZ1bGwgY29vcmRpbmF0ZXMpIjogIjA0RjVBMTkxRjA3OEM4N0MzNj ##YzM0I3OEM3MDE3NTExNTlENTZDNTlGM0ZFOTEwNUI1NzIwNjczNDcwRjMwM0FCO ##TI1QjZBN0ZEMUNERDhGNjQ5QTIxQ0YzNkI2OEQ5RTlDNEExMTkxOUE5NTE4OTI1 ##MTk3ODYxMDRCMjcwMzM3NTciLCAiRy5zY2FsYXJfbXVsdF92ZnkocyxYKSAob25 ##seSBYLWNvb3JkaW5hdGUpIjogIkY1QTE5MUYwNzhDODdDMzY2MzNCNzhDNzAxNz ##UxMTU5RDU2QzU5RjNGRTkxMDVCNTcyMDY3MzQ3MEYzMDNBQjkifSwgIkludmFsa ##WQgWTEiOiAiMDQyNDY0OEVCOTg2QzJCRTBBRjYzNjQ1NUNFRjA1NTA2NzFENkJD ##RDhBQTI2RTBENzJGRkExQjFGRDEyQkE0RTBGNzhEQTJCNkQyMTg0RjMxQUYzOUU ##1NjZBRUYxMjcwMTRCNjkzNkM5QTM3MzQ2RDEwQTRBQjI1MTRGQUVGNTg1NyIsIC ##JJbnZhbGlkIFkyIjogIjAwIn0= B.6. Test vector for CPace using group NIST P-384 and hash SHA-384 B.6.1. Test vectors for calculate_generator with group NIST P-384 Abdalla, et al. Expires 30 March 2025 [Page 78] Internet-Draft CPace September 2024 Inputs H = SHA-384 with input block size 128 bytes. PRS = b'Password' ; ZPAD length: 87 ; DSI = b'CPaceP384_XMD:SHA-384_SSWU_NU_' DST = b'CPaceP384_XMD:SHA-384_SSWU_NU__DST' CI = b'oc\x0bB_responder\x0bA_initiator' CI = 6f630b425f726573706f6e6465720b415f696e69746961746f72 sid = 5b3773aa90e8f23c61563a4b645b276c Outputs generator_string(PRS,G.DSI,CI,sid,H.s_in_bytes): (length: 172 bytes) 1e4350616365503338345f584d443a5348412d3338345f535357555f 4e555f0850617373776f726457000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000 000000000000000000000000000000001a6f630b425f726573706f6e 6465720b415f696e69746961746f72105b3773aa90e8f23c61563a4b 645b276c generator g: (length: 97 bytes) 04ffe1bdc3293fdbe31b2959916e52c018e923eac99836bd9a1cbeec 794a8d4d78baa32cdafc9685bc1067a780f4ad9c8a6c6e164aa42906 d1e27f782581adc8e0109219626a2b8fbdc34602e4084554bdd6c0c6 98dd657ac8e31b2bcce1c7b0d8 B.6.1.1. Testvectors as JSON file encoded as BASE64 ##eyJIIjogIlNIQS0zODQiLCAiSC5zX2luX2J5dGVzIjogMTI4LCAiUFJTIjogIjU ##wNjE3MzczNzc2RjcyNjQiLCAiWlBBRCBsZW5ndGgiOiA4NywgIkRTSSI6ICI0Mz ##UwNjE2MzY1NTAzMzM4MzQ1RjU4NEQ0NDNBNTM0ODQxMkQzMzM4MzQ1RjUzNTM1N ##zU1NUY0RTU1NUYiLCAiQ0kiOiAiNkY2MzBCNDI1RjcyNjU3MzcwNkY2RTY0NjU3 ##MjBCNDE1RjY5NkU2OTc0Njk2MTc0NkY3MiIsICJzaWQiOiAiNUIzNzczQUE5MEU ##4RjIzQzYxNTYzQTRCNjQ1QjI3NkMiLCAiZ2VuZXJhdG9yX3N0cmluZyhHLkRTSS ##xQUlMsQ0ksc2lkLEguc19pbl9ieXRlcykiOiAiMUU0MzUwNjE2MzY1NTAzMzM4M ##zQ1RjU4NEQ0NDNBNTM0ODQxMkQzMzM4MzQ1RjUzNTM1NzU1NUY0RTU1NUYwODUw ##NjE3MzczNzc2RjcyNjQ1NzAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA ##wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMD ##AwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwM ##DAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw ##MDFBNkY2MzBCNDI1RjcyNjU3MzcwNkY2RTY0NjU3MjBCNDE1RjY5NkU2OTc0Njk ##2MTc0NkY3MjEwNUIzNzczQUE5MEU4RjIzQzYxNTYzQTRCNjQ1QjI3NkMiLCAiZ2 ##VuZXJhdG9yIGciOiAiMDRGRkUxQkRDMzI5M0ZEQkUzMUIyOTU5OTE2RTUyQzAxO ##EU5MjNFQUM5OTgzNkJEOUExQ0JFRUM3OTRBOEQ0RDc4QkFBMzJDREFGQzk2ODVC ##QzEwNjdBNzgwRjRBRDlDOEE2QzZFMTY0QUE0MjkwNkQxRTI3Rjc4MjU4MUFEQzh ##FMDEwOTIxOTYyNkEyQjhGQkRDMzQ2MDJFNDA4NDU1NEJERDZDMEM2OThERDY1N0 ##FDOEUzMUIyQkNDRTFDN0IwRDgifQ== B.6.2. Test vector for message from A Abdalla, et al. Expires 30 March 2025 [Page 79] Internet-Draft CPace September 2024 Inputs ADa = b'ADa' ya (big endian): (length: 48 bytes) ef433dd5ad142c860e7cb6400dd315d388d5ec5420c550e9d6f0907f 375d988bc4d704837e43561c497e7dd93edcdb9d Outputs Ya: (length: 97 bytes) 0434a04da121995d81d7c5ded02cf2e70954dca49059485ea38310b7 3b96fa1ec78619c5a1e524472778331fbe009fa1564a3203e42993a3 6285fa54e6c24184fd227458c87781be16fff46dbc970cc1b1770050 a94d6826d52f211b234792e66d Alternative correct value for Ya: g*(-ya): (length: 97 bytes) 0434a04da121995d81d7c5ded02cf2e70954dca49059485ea38310b7 3b96fa1ec78619c5a1e524472778331fbe009fa156b5cdfc1bd66c5c 9d7a05ab193dbe7b02dd8ba737887e41e9000b924368f33e4d88ffaf 55b297d92ad0dee4ddb86d1992 B.6.3. Test vector for message from B Inputs ADb = b'ADb' yb (big endian): (length: 48 bytes) 50b0e36b95a2edfaa8342b843dddc90b175330f2399c1b36586dedda 3c255975f30be6a750f9404fccc62a6323b5e471 Outputs Yb: (length: 97 bytes) 040a6559147fd492ad74ab1f4def6196fd6399540e84706227a1f90d 104cdaeb630b7c5c18748deb25653ad2a4cb5e6274841cad328bb031 2628b9b1f51bea72b8c610999a6730f752649205ae85c452ef83f98b e715cd0103186874b07cf02074 Alternative correct value for Yb: g*(-yb): (length: 97 bytes) 040a6559147fd492ad74ab1f4def6196fd6399540e84706227a1f90d 104cdaeb630b7c5c18748deb25653ad2a4cb5e62747be352cd744fce d9d7464e0ae4158d4739ef666598cf08ad9b6dfa517a3bad0f7c0674 17ea32fefce7978b50830fdf8b B.6.4. Test vector for secret points K scalar_mult_vfy(ya,Yb): (length: 48 bytes) a9acaea95692a64462067fe8e4321f2fca9793a8a0420f0e253ed0d6 db858fe161de7576206a8a35bd4a60e00724fd3e scalar_mult_vfy(yb,Ya): (length: 48 bytes) a9acaea95692a64462067fe8e4321f2fca9793a8a0420f0e253ed0d6 db858fe161de7576206a8a35bd4a60e00724fd3e Abdalla, et al. Expires 30 March 2025 [Page 80] Internet-Draft CPace September 2024 B.6.5. Test vector for ISK calculation initiator/responder transcript_ir(Ya,ADa,Yb,ADb): (length: 204 bytes) 610434a04da121995d81d7c5ded02cf2e70954dca49059485ea38310 b73b96fa1ec78619c5a1e524472778331fbe009fa1564a3203e42993 a36285fa54e6c24184fd227458c87781be16fff46dbc970cc1b17700 50a94d6826d52f211b234792e66d0341446161040a6559147fd492ad 74ab1f4def6196fd6399540e84706227a1f90d104cdaeb630b7c5c18 748deb25653ad2a4cb5e6274841cad328bb0312628b9b1f51bea72b8 c610999a6730f752649205ae85c452ef83f98be715cd0103186874b0 7cf0207403414462 DSI = G.DSI_ISK, b'CPaceP384_XMD:SHA-384_SSWU_NU__ISK': (length: 34 bytes) 4350616365503338345f584d443a5348412d3338345f535357555f4e 555f5f49534b lv_cat(DSI,sid,K)||transcript_ir(Ya,ADa,Yb,ADb): (length: 305 bytes) 224350616365503338345f584d443a5348412d3338345f535357555f 4e555f5f49534b105b3773aa90e8f23c61563a4b645b276c30a9acae a95692a64462067fe8e4321f2fca9793a8a0420f0e253ed0d6db858f e161de7576206a8a35bd4a60e00724fd3e610434a04da121995d81d7 c5ded02cf2e70954dca49059485ea38310b73b96fa1ec78619c5a1e5 24472778331fbe009fa1564a3203e42993a36285fa54e6c24184fd22 7458c87781be16fff46dbc970cc1b1770050a94d6826d52f211b2347 92e66d0341446161040a6559147fd492ad74ab1f4def6196fd639954 0e84706227a1f90d104cdaeb630b7c5c18748deb25653ad2a4cb5e62 74841cad328bb0312628b9b1f51bea72b8c610999a6730f752649205 ae85c452ef83f98be715cd0103186874b07cf0207403414462 ISK result: (length: 48 bytes) d1b74375c7d63d7de246cbf3fc2b3092645c73a0aa816989c0de6048 ed4ece6a54df82d05d2be3498cb9288be7bdbdb9 B.6.6. Test vector for ISK calculation parallel execution Abdalla, et al. Expires 30 March 2025 [Page 81] Internet-Draft CPace September 2024 transcript_oc(Ya,ADa,Yb,ADb): (length: 206 bytes) 6f63610434a04da121995d81d7c5ded02cf2e70954dca49059485ea3 8310b73b96fa1ec78619c5a1e524472778331fbe009fa1564a3203e4 2993a36285fa54e6c24184fd227458c87781be16fff46dbc970cc1b1 770050a94d6826d52f211b234792e66d0341446161040a6559147fd4 92ad74ab1f4def6196fd6399540e84706227a1f90d104cdaeb630b7c 5c18748deb25653ad2a4cb5e6274841cad328bb0312628b9b1f51bea 72b8c610999a6730f752649205ae85c452ef83f98be715cd01031868 74b07cf0207403414462 DSI = G.DSI_ISK, b'CPaceP384_XMD:SHA-384_SSWU_NU__ISK': (length: 34 bytes) 4350616365503338345f584d443a5348412d3338345f535357555f4e 555f5f49534b lv_cat(DSI,sid,K)||transcript_oc(Ya,ADa,Yb,ADb): (length: 307 bytes) 224350616365503338345f584d443a5348412d3338345f535357555f 4e555f5f49534b105b3773aa90e8f23c61563a4b645b276c30a9acae a95692a64462067fe8e4321f2fca9793a8a0420f0e253ed0d6db858f e161de7576206a8a35bd4a60e00724fd3e6f63610434a04da121995d 81d7c5ded02cf2e70954dca49059485ea38310b73b96fa1ec78619c5 a1e524472778331fbe009fa1564a3203e42993a36285fa54e6c24184 fd227458c87781be16fff46dbc970cc1b1770050a94d6826d52f211b 234792e66d0341446161040a6559147fd492ad74ab1f4def6196fd63 99540e84706227a1f90d104cdaeb630b7c5c18748deb25653ad2a4cb 5e6274841cad328bb0312628b9b1f51bea72b8c610999a6730f75264 9205ae85c452ef83f98be715cd0103186874b07cf0207403414462 ISK result: (length: 48 bytes) a051d4532ca9fb6774e097ebac69c1d6a18144a15421dc155d0b1e8a ef9f9d8c0fe86e85d3cbee7796ff50171f42801b B.6.7. Test vector for optional output of session id H.hash(b"CPaceSidOut" + transcript_ir(Ya,ADa, Yb,ADb)): (length: 48 bytes) 8d5a03946a69ffa12cd6efd469fe8671bbc25fad6db2656f3963c94e 9c940bdecc2bd555474c211817787d5cf7870ed1 H.hash(b"CPaceSidOut" + transcript_oc(Ya,ADa, Yb,ADb)): (length: 48 bytes) c0729db25db40c48a35f787d5410b2cb9a2d9f5e9cf1cf159ed2f63c 6b2185e597e176cc221422e9496eeda2bf123c8b B.6.8. Corresponding C programming language initializers Abdalla, et al. Expires 30 March 2025 [Page 82] Internet-Draft CPace September 2024 const unsigned char tc_PRS[] = { 0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, }; const unsigned char tc_CI[] = { 0x6f,0x63,0x0b,0x42,0x5f,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64, 0x65,0x72,0x0b,0x41,0x5f,0x69,0x6e,0x69,0x74,0x69,0x61,0x74, 0x6f,0x72, }; const unsigned char tc_sid[] = { 0x5b,0x37,0x73,0xaa,0x90,0xe8,0xf2,0x3c,0x61,0x56,0x3a,0x4b, 0x64,0x5b,0x27,0x6c, }; const unsigned char tc_g[] = { 0x04,0xff,0xe1,0xbd,0xc3,0x29,0x3f,0xdb,0xe3,0x1b,0x29,0x59, 0x91,0x6e,0x52,0xc0,0x18,0xe9,0x23,0xea,0xc9,0x98,0x36,0xbd, 0x9a,0x1c,0xbe,0xec,0x79,0x4a,0x8d,0x4d,0x78,0xba,0xa3,0x2c, 0xda,0xfc,0x96,0x85,0xbc,0x10,0x67,0xa7,0x80,0xf4,0xad,0x9c, 0x8a,0x6c,0x6e,0x16,0x4a,0xa4,0x29,0x06,0xd1,0xe2,0x7f,0x78, 0x25,0x81,0xad,0xc8,0xe0,0x10,0x92,0x19,0x62,0x6a,0x2b,0x8f, 0xbd,0xc3,0x46,0x02,0xe4,0x08,0x45,0x54,0xbd,0xd6,0xc0,0xc6, 0x98,0xdd,0x65,0x7a,0xc8,0xe3,0x1b,0x2b,0xcc,0xe1,0xc7,0xb0, 0xd8, }; const unsigned char tc_ya[] = { 0xef,0x43,0x3d,0xd5,0xad,0x14,0x2c,0x86,0x0e,0x7c,0xb6,0x40, 0x0d,0xd3,0x15,0xd3,0x88,0xd5,0xec,0x54,0x20,0xc5,0x50,0xe9, 0xd6,0xf0,0x90,0x7f,0x37,0x5d,0x98,0x8b,0xc4,0xd7,0x04,0x83, 0x7e,0x43,0x56,0x1c,0x49,0x7e,0x7d,0xd9,0x3e,0xdc,0xdb,0x9d, }; const unsigned char tc_ADa[] = { 0x41,0x44,0x61, }; const unsigned char tc_Ya[] = { 0x04,0x34,0xa0,0x4d,0xa1,0x21,0x99,0x5d,0x81,0xd7,0xc5,0xde, 0xd0,0x2c,0xf2,0xe7,0x09,0x54,0xdc,0xa4,0x90,0x59,0x48,0x5e, 0xa3,0x83,0x10,0xb7,0x3b,0x96,0xfa,0x1e,0xc7,0x86,0x19,0xc5, 0xa1,0xe5,0x24,0x47,0x27,0x78,0x33,0x1f,0xbe,0x00,0x9f,0xa1, 0x56,0x4a,0x32,0x03,0xe4,0x29,0x93,0xa3,0x62,0x85,0xfa,0x54, 0xe6,0xc2,0x41,0x84,0xfd,0x22,0x74,0x58,0xc8,0x77,0x81,0xbe, 0x16,0xff,0xf4,0x6d,0xbc,0x97,0x0c,0xc1,0xb1,0x77,0x00,0x50, 0xa9,0x4d,0x68,0x26,0xd5,0x2f,0x21,0x1b,0x23,0x47,0x92,0xe6, 0x6d, }; const unsigned char tc_yb[] = { 0x50,0xb0,0xe3,0x6b,0x95,0xa2,0xed,0xfa,0xa8,0x34,0x2b,0x84, 0x3d,0xdd,0xc9,0x0b,0x17,0x53,0x30,0xf2,0x39,0x9c,0x1b,0x36, 0x58,0x6d,0xed,0xda,0x3c,0x25,0x59,0x75,0xf3,0x0b,0xe6,0xa7, 0x50,0xf9,0x40,0x4f,0xcc,0xc6,0x2a,0x63,0x23,0xb5,0xe4,0x71, Abdalla, et al. Expires 30 March 2025 [Page 83] Internet-Draft CPace September 2024 }; const unsigned char tc_ADb[] = { 0x41,0x44,0x62, }; const unsigned char tc_Yb[] = { 0x04,0x0a,0x65,0x59,0x14,0x7f,0xd4,0x92,0xad,0x74,0xab,0x1f, 0x4d,0xef,0x61,0x96,0xfd,0x63,0x99,0x54,0x0e,0x84,0x70,0x62, 0x27,0xa1,0xf9,0x0d,0x10,0x4c,0xda,0xeb,0x63,0x0b,0x7c,0x5c, 0x18,0x74,0x8d,0xeb,0x25,0x65,0x3a,0xd2,0xa4,0xcb,0x5e,0x62, 0x74,0x84,0x1c,0xad,0x32,0x8b,0xb0,0x31,0x26,0x28,0xb9,0xb1, 0xf5,0x1b,0xea,0x72,0xb8,0xc6,0x10,0x99,0x9a,0x67,0x30,0xf7, 0x52,0x64,0x92,0x05,0xae,0x85,0xc4,0x52,0xef,0x83,0xf9,0x8b, 0xe7,0x15,0xcd,0x01,0x03,0x18,0x68,0x74,0xb0,0x7c,0xf0,0x20, 0x74, }; const unsigned char tc_K[] = { 0xa9,0xac,0xae,0xa9,0x56,0x92,0xa6,0x44,0x62,0x06,0x7f,0xe8, 0xe4,0x32,0x1f,0x2f,0xca,0x97,0x93,0xa8,0xa0,0x42,0x0f,0x0e, 0x25,0x3e,0xd0,0xd6,0xdb,0x85,0x8f,0xe1,0x61,0xde,0x75,0x76, 0x20,0x6a,0x8a,0x35,0xbd,0x4a,0x60,0xe0,0x07,0x24,0xfd,0x3e, }; const unsigned char tc_ISK_IR[] = { 0xd1,0xb7,0x43,0x75,0xc7,0xd6,0x3d,0x7d,0xe2,0x46,0xcb,0xf3, 0xfc,0x2b,0x30,0x92,0x64,0x5c,0x73,0xa0,0xaa,0x81,0x69,0x89, 0xc0,0xde,0x60,0x48,0xed,0x4e,0xce,0x6a,0x54,0xdf,0x82,0xd0, 0x5d,0x2b,0xe3,0x49,0x8c,0xb9,0x28,0x8b,0xe7,0xbd,0xbd,0xb9, }; const unsigned char tc_ISK_SY[] = { 0xa0,0x51,0xd4,0x53,0x2c,0xa9,0xfb,0x67,0x74,0xe0,0x97,0xeb, 0xac,0x69,0xc1,0xd6,0xa1,0x81,0x44,0xa1,0x54,0x21,0xdc,0x15, 0x5d,0x0b,0x1e,0x8a,0xef,0x9f,0x9d,0x8c,0x0f,0xe8,0x6e,0x85, 0xd3,0xcb,0xee,0x77,0x96,0xff,0x50,0x17,0x1f,0x42,0x80,0x1b, }; const unsigned char tc_ISK_SY[] = { 0xa0,0x51,0xd4,0x53,0x2c,0xa9,0xfb,0x67,0x74,0xe0,0x97,0xeb, 0xac,0x69,0xc1,0xd6,0xa1,0x81,0x44,0xa1,0x54,0x21,0xdc,0x15, 0x5d,0x0b,0x1e,0x8a,0xef,0x9f,0x9d,0x8c,0x0f,0xe8,0x6e,0x85, 0xd3,0xcb,0xee,0x77,0x96,0xff,0x50,0x17,0x1f,0x42,0x80,0x1b, }; const unsigned char tc_sid_out_ir[] = { 0x8d,0x5a,0x03,0x94,0x6a,0x69,0xff,0xa1,0x2c,0xd6,0xef,0xd4, 0x69,0xfe,0x86,0x71,0xbb,0xc2,0x5f,0xad,0x6d,0xb2,0x65,0x6f, 0x39,0x63,0xc9,0x4e,0x9c,0x94,0x0b,0xde,0xcc,0x2b,0xd5,0x55, 0x47,0x4c,0x21,0x18,0x17,0x78,0x7d,0x5c,0xf7,0x87,0x0e,0xd1, }; const unsigned char tc_sid_out_oc[] = { 0xc0,0x72,0x9d,0xb2,0x5d,0xb4,0x0c,0x48,0xa3,0x5f,0x78,0x7d, 0x54,0x10,0xb2,0xcb,0x9a,0x2d,0x9f,0x5e,0x9c,0xf1,0xcf,0x15, Abdalla, et al. Expires 30 March 2025 [Page 84] Internet-Draft CPace September 2024 0x9e,0xd2,0xf6,0x3c,0x6b,0x21,0x85,0xe5,0x97,0xe1,0x76,0xcc, 0x22,0x14,0x22,0xe9,0x49,0x6e,0xed,0xa2,0xbf,0x12,0x3c,0x8b, }; B.6.9. Testvectors as JSON file encoded as BASE64 ##eyJQUlMiOiAiNTA2MTczNzM3NzZGNzI2NCIsICJDSSI6ICI2RjYzMEI0MjVGNzI ##2NTczNzA2RjZFNjQ2NTcyMEI0MTVGNjk2RTY5NzQ2OTYxNzQ2RjcyIiwgInNpZC ##I6ICI1QjM3NzNBQTkwRThGMjNDNjE1NjNBNEI2NDVCMjc2QyIsICJnIjogIjA0R ##kZFMUJEQzMyOTNGREJFMzFCMjk1OTkxNkU1MkMwMThFOTIzRUFDOTk4MzZCRDlB ##MUNCRUVDNzk0QThENEQ3OEJBQTMyQ0RBRkM5Njg1QkMxMDY3QTc4MEY0QUQ5Qzh ##BNkM2RTE2NEFBNDI5MDZEMUUyN0Y3ODI1ODFBREM4RTAxMDkyMTk2MjZBMkI4Rk ##JEQzM0NjAyRTQwODQ1NTRCREQ2QzBDNjk4REQ2NTdBQzhFMzFCMkJDQ0UxQzdCM ##EQ4IiwgInlhIjogIkVGNDMzREQ1QUQxNDJDODYwRTdDQjY0MDBERDMxNUQzODhE ##NUVDNTQyMEM1NTBFOUQ2RjA5MDdGMzc1RDk4OEJDNEQ3MDQ4MzdFNDM1NjFDNDk ##3RTdERDkzRURDREI5RCIsICJBRGEiOiAiNDE0NDYxIiwgIllhIjogIjA0MzRBMD ##REQTEyMTk5NUQ4MUQ3QzVERUQwMkNGMkU3MDk1NERDQTQ5MDU5NDg1RUEzODMxM ##EI3M0I5NkZBMUVDNzg2MTlDNUExRTUyNDQ3Mjc3ODMzMUZCRTAwOUZBMTU2NEEz ##MjAzRTQyOTkzQTM2Mjg1RkE1NEU2QzI0MTg0RkQyMjc0NThDODc3ODFCRTE2RkZ ##GNDZEQkM5NzBDQzFCMTc3MDA1MEE5NEQ2ODI2RDUyRjIxMUIyMzQ3OTJFNjZEIi ##wgInliIjogIjUwQjBFMzZCOTVBMkVERkFBODM0MkI4NDNERERDOTBCMTc1MzMwR ##jIzOTlDMUIzNjU4NkRFRERBM0MyNTU5NzVGMzBCRTZBNzUwRjk0MDRGQ0NDNjJB ##NjMyM0I1RTQ3MSIsICJBRGIiOiAiNDE0NDYyIiwgIlliIjogIjA0MEE2NTU5MTQ ##3RkQ0OTJBRDc0QUIxRjRERUY2MTk2RkQ2Mzk5NTQwRTg0NzA2MjI3QTFGOTBEMT ##A0Q0RBRUI2MzBCN0M1QzE4NzQ4REVCMjU2NTNBRDJBNENCNUU2Mjc0ODQxQ0FEM ##zI4QkIwMzEyNjI4QjlCMUY1MUJFQTcyQjhDNjEwOTk5QTY3MzBGNzUyNjQ5MjA1 ##QUU4NUM0NTJFRjgzRjk4QkU3MTVDRDAxMDMxODY4NzRCMDdDRjAyMDc0IiwgIks ##iOiAiQTlBQ0FFQTk1NjkyQTY0NDYyMDY3RkU4RTQzMjFGMkZDQTk3OTNBOEEwND ##IwRjBFMjUzRUQwRDZEQjg1OEZFMTYxREU3NTc2MjA2QThBMzVCRDRBNjBFMDA3M ##jRGRDNFIiwgIklTS19JUiI6ICJEMUI3NDM3NUM3RDYzRDdERTI0NkNCRjNGQzJC ##MzA5MjY0NUM3M0EwQUE4MTY5ODlDMERFNjA0OEVENEVDRTZBNTRERjgyRDA1RDJ ##CRTM0OThDQjkyODhCRTdCREJEQjkiLCAiSVNLX1NZIjogIkEwNTFENDUzMkNBOU ##ZCNjc3NEUwOTdFQkFDNjlDMUQ2QTE4MTQ0QTE1NDIxREMxNTVEMEIxRThBRUY5R ##jlEOEMwRkU4NkU4NUQzQ0JFRTc3OTZGRjUwMTcxRjQyODAxQiIsICJzaWRfb3V0 ##cHV0X2lyIjogIjhENUEwMzk0NkE2OUZGQTEyQ0Q2RUZENDY5RkU4NjcxQkJDMjV ##GQUQ2REIyNjU2RjM5NjNDOTRFOUM5NDBCREVDQzJCRDU1NTQ3NEMyMTE4MTc3OD ##dENUNGNzg3MEVEMSIsICJzaWRfb3V0cHV0X29jIjogIkMwNzI5REIyNURCNDBDN ##DhBMzVGNzg3RDU0MTBCMkNCOUEyRDlGNUU5Q0YxQ0YxNTlFRDJGNjNDNkIyMTg1 ##RTU5N0UxNzZDQzIyMTQyMkU5NDk2RUVEQTJCRjEyM0M4QiJ9 B.6.10. Test case for scalar_mult_vfy with correct inputs Abdalla, et al. Expires 30 March 2025 [Page 85] Internet-Draft CPace September 2024 s: (length: 48 bytes) 6e8a99a5cdd408eae98e1b8aed286e7b12adbbdac7f2c628d9060ce9 2ae0d90bd57a564fd3500fbcce3425dc94ba0ade X: (length: 97 bytes) 045b4cd53c4506cc04ba4c44f2762d5d32c3e55df25b8baa5571b165 7ad9576efea8259f0684de065a470585b4be876748c7797054f3defe f21b77f83d53bac57c89d52aa4d6dd5872bd281989b138359698009f 8ac1f301538badcce9d9f4036e G.scalar_mult(s,X) (full coordinates): (length: 97 bytes) 0465c28db05fd9f9a93651c5cc31eae49c4e5246b46489b8f6105873 3173a033cda76c3e3ea5352b804e67fdbe2e334be8245dad5c8c993e 63bacf0456478f29b71b6c859f13676f84ff150d2741f028f560584a 0bdba19a63df62c08949c2fd6d G.scalar_mult_vfy(s,X) (only X-coordinate): (length: 48 bytes) 65c28db05fd9f9a93651c5cc31eae49c4e5246b46489b8f610587331 73a033cda76c3e3ea5352b804e67fdbe2e334be8 B.6.11. Invalid inputs for scalar_mult_vfy For these test cases scalar_mult_vfy(y,.) MUST return the representation of the neutral element G.I. When including Y_i1 or Y_i2 in messages of A or B the protocol MUST abort. s: (length: 48 bytes) 6e8a99a5cdd408eae98e1b8aed286e7b12adbbdac7f2c628d9060ce9 2ae0d90bd57a564fd3500fbcce3425dc94ba0ade Y_i1: (length: 97 bytes) 045b4cd53c4506cc04ba4c44f2762d5d32c3e55df25b8baa5571b165 7ad9576efea8259f0684de065a470585b4be876748c7797054f3defe f21b77f83d53bac57c89d52aa4d6dd5872bd281989b138359698009f 8ac1f301538badcce9d9f40302 Y_i2: (length: 1 bytes) 00 G.scalar_mult_vfy(s,Y_i1) = G.scalar_mult_vfy(s,Y_i2) = G.I B.6.11.1. Testvectors as JSON file encoded as BASE64 Abdalla, et al. Expires 30 March 2025 [Page 86] Internet-Draft CPace September 2024 ##eyJWYWxpZCI6IHsicyI6ICI2RThBOTlBNUNERDQwOEVBRTk4RTFCOEFFRDI4NkU ##3QjEyQURCQkRBQzdGMkM2MjhEOTA2MENFOTJBRTBEOTBCRDU3QTU2NEZEMzUwME ##ZCQ0NFMzQyNURDOTRCQTBBREUiLCAiWCI6ICIwNDVCNENENTNDNDUwNkNDMDRCQ ##TRDNDRGMjc2MkQ1RDMyQzNFNTVERjI1QjhCQUE1NTcxQjE2NTdBRDk1NzZFRkVB ##ODI1OUYwNjg0REUwNjVBNDcwNTg1QjRCRTg3Njc0OEM3Nzk3MDU0RjNERUZFRjI ##xQjc3RjgzRDUzQkFDNTdDODlENTJBQTRENkRENTg3MkJEMjgxOTg5QjEzODM1OT ##Y5ODAwOUY4QUMxRjMwMTUzOEJBRENDRTlEOUY0MDM2RSIsICJHLnNjYWxhcl9td ##Wx0KHMsWCkgKGZ1bGwgY29vcmRpbmF0ZXMpIjogIjA0NjVDMjhEQjA1RkQ5RjlB ##OTM2NTFDNUNDMzFFQUU0OUM0RTUyNDZCNDY0ODlCOEY2MTA1ODczMzE3M0EwMzN ##DREE3NkMzRTNFQTUzNTJCODA0RTY3RkRCRTJFMzM0QkU4MjQ1REFENUM4Qzk5M0 ##U2M0JBQ0YwNDU2NDc4RjI5QjcxQjZDODU5RjEzNjc2Rjg0RkYxNTBEMjc0MUYwM ##jhGNTYwNTg0QTBCREJBMTlBNjNERjYyQzA4OTQ5QzJGRDZEIiwgIkcuc2NhbGFy ##X211bHRfdmZ5KHMsWCkgKG9ubHkgWC1jb29yZGluYXRlKSI6ICI2NUMyOERCMDV ##GRDlGOUE5MzY1MUM1Q0MzMUVBRTQ5QzRFNTI0NkI0NjQ4OUI4RjYxMDU4NzMzMT ##czQTAzM0NEQTc2QzNFM0VBNTM1MkI4MDRFNjdGREJFMkUzMzRCRTgifSwgIklud ##mFsaWQgWTEiOiAiMDQ1QjRDRDUzQzQ1MDZDQzA0QkE0QzQ0RjI3NjJENUQzMkMz ##RTU1REYyNUI4QkFBNTU3MUIxNjU3QUQ5NTc2RUZFQTgyNTlGMDY4NERFMDY1QTQ ##3MDU4NUI0QkU4NzY3NDhDNzc5NzA1NEYzREVGRUYyMUI3N0Y4M0Q1M0JBQzU3Qz ##g5RDUyQUE0RDZERDU4NzJCRDI4MTk4OUIxMzgzNTk2OTgwMDlGOEFDMUYzMDE1M ##zhCQURDQ0U5RDlGNDAzMDIiLCAiSW52YWxpZCBZMiI6ICIwMCJ9 B.7. Test vector for CPace using group NIST P-521 and hash SHA-512 B.7.1. Test vectors for calculate_generator with group NIST P-521 Abdalla, et al. Expires 30 March 2025 [Page 87] Internet-Draft CPace September 2024 Inputs H = SHA-512 with input block size 128 bytes. PRS = b'Password' ; ZPAD length: 87 ; DSI = b'CPaceP521_XMD:SHA-512_SSWU_NU_' DST = b'CPaceP521_XMD:SHA-512_SSWU_NU__DST' CI = b'oc\x0bB_responder\x0bA_initiator' CI = 6f630b425f726573706f6e6465720b415f696e69746961746f72 sid = 7e4b4791d6a8ef019b936c79fb7f2c57 Outputs generator_string(PRS,G.DSI,CI,sid,H.s_in_bytes): (length: 172 bytes) 1e4350616365503532315f584d443a5348412d3531325f535357555f 4e555f0850617373776f726457000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000 000000000000000000000000000000001a6f630b425f726573706f6e 6465720b415f696e69746961746f72107e4b4791d6a8ef019b936c79 fb7f2c57 generator g: (length: 133 bytes) 0400e58a8fbf08b38e34a3676f6d690bed58aa4115ff32a57ec87172 fc2a1fb89d03258c6429c464981b3284b5fedbd1244bf27432008868 7065b9075dd558e14ed69901d2162db1ba3a49c97dca7c902cb1b96b abe21a31942114c860665b35c46b8213f6de17194de54c441083dd11 63d5907adad8824bb1307dcf6a55c11a8f01d9789b B.7.1.1. Testvectors as JSON file encoded as BASE64 ##eyJIIjogIlNIQS01MTIiLCAiSC5zX2luX2J5dGVzIjogMTI4LCAiUFJTIjogIjU ##wNjE3MzczNzc2RjcyNjQiLCAiWlBBRCBsZW5ndGgiOiA4NywgIkRTSSI6ICI0Mz ##UwNjE2MzY1NTAzNTMyMzE1RjU4NEQ0NDNBNTM0ODQxMkQzNTMxMzI1RjUzNTM1N ##zU1NUY0RTU1NUYiLCAiQ0kiOiAiNkY2MzBCNDI1RjcyNjU3MzcwNkY2RTY0NjU3 ##MjBCNDE1RjY5NkU2OTc0Njk2MTc0NkY3MiIsICJzaWQiOiAiN0U0QjQ3OTFENkE ##4RUYwMTlCOTM2Qzc5RkI3RjJDNTciLCAiZ2VuZXJhdG9yX3N0cmluZyhHLkRTSS ##xQUlMsQ0ksc2lkLEguc19pbl9ieXRlcykiOiAiMUU0MzUwNjE2MzY1NTAzNTMyM ##zE1RjU4NEQ0NDNBNTM0ODQxMkQzNTMxMzI1RjUzNTM1NzU1NUY0RTU1NUYwODUw ##NjE3MzczNzc2RjcyNjQ1NzAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA ##wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMD ##AwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwM ##DAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw ##MDFBNkY2MzBCNDI1RjcyNjU3MzcwNkY2RTY0NjU3MjBCNDE1RjY5NkU2OTc0Njk ##2MTc0NkY3MjEwN0U0QjQ3OTFENkE4RUYwMTlCOTM2Qzc5RkI3RjJDNTciLCAiZ2 ##VuZXJhdG9yIGciOiAiMDQwMEU1OEE4RkJGMDhCMzhFMzRBMzY3NkY2RDY5MEJFR ##DU4QUE0MTE1RkYzMkE1N0VDODcxNzJGQzJBMUZCODlEMDMyNThDNjQyOUM0NjQ5 ##ODFCMzI4NEI1RkVEQkQxMjQ0QkYyNzQzMjAwODg2ODcwNjVCOTA3NURENTU4RTE ##0RUQ2OTkwMUQyMTYyREIxQkEzQTQ5Qzk3RENBN0M5MDJDQjFCOTZCQUJFMjFBMz ##E5NDIxMTRDODYwNjY1QjM1QzQ2QjgyMTNGNkRFMTcxOTRERTU0QzQ0MTA4M0REM ##TE2M0Q1OTA3QURBRDg4MjRCQjEzMDdEQ0Y2QTU1QzExQThGMDFEOTc4OUIifQ== Abdalla, et al. Expires 30 March 2025 [Page 88] Internet-Draft CPace September 2024 B.7.2. Test vector for message from A Inputs ADa = b'ADa' ya (big endian): (length: 66 bytes) 006367e9c2aeff9f1db19af600cca73343d47cbe446cebbd1ccd783f 82755a872da86fd0707eb3767c6114f1803deb62d63bdd1e613f67e6 3e8c141ee5310e3ee819 Outputs Ya: (length: 133 bytes) 0400c2bfd794467f4438277e85a42e101fa4061e1ef6e05f81e5381f 30e73b341dd726089cb6a6bbe5a509fad009857488db7130ff768090 7312eb724cddb4dcce675b0098ad400fef80e1deb4bc1756c43961ef 60b85f2d62ed458454e11616a5d1df1e5809636821a73662f9f12254 e6f9950dd01fa8e26a8b20736fb63c63c81094f681 Alternative correct value for Ya: g*(-ya): (length: 133 bytes) 0400c2bfd794467f4438277e85a42e101fa4061e1ef6e05f81e5381f 30e73b341dd726089cb6a6bbe5a509fad009857488db7130ff768090 7312eb724cddb4dcce675b016752bff0107f1e214b43e8a93bc69e10 9f47a0d29d12ba7bab1ee9e95a2e20e1a7f69c97de58c99d060eddab 19066af22fe0571d9574df8c9049c39c37ef6b097e B.7.3. Test vector for message from B Inputs ADb = b'ADb' yb (big endian): (length: 66 bytes) 009227bf8dc741dacc9422f8bf3c0e96fce9587bc562eaafe0dc5f6f 82f28594e4a6f98553560c62b75fa4abb198cecbbb86ebd41b0ea025 4cde78ac68d39a240ae7 Outputs Yb: (length: 133 bytes) 0400706ea69b2b7167773248ea6e69a574e9dd2ff8a3d04a6e07f70c 709869ca486827d59f9290599d1cf94e1a03fc242e2b1316afe2fa21 8bfaeb3e1ffd9f19bf062d01f6b15c9c3651be4c08baf01eec25c818 ee12c6edc4620644b1d97cf24f868732d56fe45ce78e302c221c92f4 03e0fa3207de8bb41b388d81046a298ed8ddac9b2a Alternative correct value for Yb: g*(-yb): (length: 133 bytes) 0400706ea69b2b7167773248ea6e69a574e9dd2ff8a3d04a6e07f70c 709869ca486827d59f9290599d1cf94e1a03fc242e2b1316afe2fa21 8bfaeb3e1ffd9f19bf062d00094ea363c9ae41b3f7450fe113da37e7 11ed39123b9df9bb4e26830db07978cd2a901ba31871cfd3dde36d0b fc1f05cdf821744be4c7727efb95d67127225364d5 B.7.4. Test vector for secret points K Abdalla, et al. Expires 30 March 2025 [Page 89] Internet-Draft CPace September 2024 scalar_mult_vfy(ya,Yb): (length: 66 bytes) 018e0e7e9ade74917c11c0f6b52f95ed871eab235437cbee8b5c2509 516e787a80e825ed5d539fa6a0ec32c48fa8fabe85809d000d0cfd30 832c23d477c991bea8e5 scalar_mult_vfy(yb,Ya): (length: 66 bytes) 018e0e7e9ade74917c11c0f6b52f95ed871eab235437cbee8b5c2509 516e787a80e825ed5d539fa6a0ec32c48fa8fabe85809d000d0cfd30 832c23d477c991bea8e5 B.7.5. Test vector for ISK calculation initiator/responder transcript_ir(Ya,ADa,Yb,ADb): (length: 278 bytes) 85010400c2bfd794467f4438277e85a42e101fa4061e1ef6e05f81e5 381f30e73b341dd726089cb6a6bbe5a509fad009857488db7130ff76 80907312eb724cddb4dcce675b0098ad400fef80e1deb4bc1756c439 61ef60b85f2d62ed458454e11616a5d1df1e5809636821a73662f9f1 2254e6f9950dd01fa8e26a8b20736fb63c63c81094f6810341446185 010400706ea69b2b7167773248ea6e69a574e9dd2ff8a3d04a6e07f7 0c709869ca486827d59f9290599d1cf94e1a03fc242e2b1316afe2fa 218bfaeb3e1ffd9f19bf062d01f6b15c9c3651be4c08baf01eec25c8 18ee12c6edc4620644b1d97cf24f868732d56fe45ce78e302c221c92 f403e0fa3207de8bb41b388d81046a298ed8ddac9b2a03414462 DSI = G.DSI_ISK, b'CPaceP521_XMD:SHA-512_SSWU_NU__ISK': (length: 34 bytes) 4350616365503532315f584d443a5348412d3531325f535357555f4e 555f5f49534b lv_cat(DSI,sid,K)||transcript_ir(Ya,ADa,Yb,ADb): (length: 397 bytes) 224350616365503532315f584d443a5348412d3531325f535357555f 4e555f5f49534b107e4b4791d6a8ef019b936c79fb7f2c5742018e0e 7e9ade74917c11c0f6b52f95ed871eab235437cbee8b5c2509516e78 7a80e825ed5d539fa6a0ec32c48fa8fabe85809d000d0cfd30832c23 d477c991bea8e585010400c2bfd794467f4438277e85a42e101fa406 1e1ef6e05f81e5381f30e73b341dd726089cb6a6bbe5a509fad00985 7488db7130ff7680907312eb724cddb4dcce675b0098ad400fef80e1 deb4bc1756c43961ef60b85f2d62ed458454e11616a5d1df1e580963 6821a73662f9f12254e6f9950dd01fa8e26a8b20736fb63c63c81094 f6810341446185010400706ea69b2b7167773248ea6e69a574e9dd2f f8a3d04a6e07f70c709869ca486827d59f9290599d1cf94e1a03fc24 2e2b1316afe2fa218bfaeb3e1ffd9f19bf062d01f6b15c9c3651be4c 08baf01eec25c818ee12c6edc4620644b1d97cf24f868732d56fe45c e78e302c221c92f403e0fa3207de8bb41b388d81046a298ed8ddac9b 2a03414462 ISK result: (length: 64 bytes) 1669a0a29726adc7eea2510d6f7e004a135fa63ac3c9f9e6ce53cba5 d5e3781aced515956041e43358409a13ef90ddc3c36fd8d7d81424c8 e94592e21854260a Abdalla, et al. Expires 30 March 2025 [Page 90] Internet-Draft CPace September 2024 B.7.6. Test vector for ISK calculation parallel execution transcript_oc(Ya,ADa,Yb,ADb): (length: 280 bytes) 6f6385010400c2bfd794467f4438277e85a42e101fa4061e1ef6e05f 81e5381f30e73b341dd726089cb6a6bbe5a509fad009857488db7130 ff7680907312eb724cddb4dcce675b0098ad400fef80e1deb4bc1756 c43961ef60b85f2d62ed458454e11616a5d1df1e5809636821a73662 f9f12254e6f9950dd01fa8e26a8b20736fb63c63c81094f681034144 6185010400706ea69b2b7167773248ea6e69a574e9dd2ff8a3d04a6e 07f70c709869ca486827d59f9290599d1cf94e1a03fc242e2b1316af e2fa218bfaeb3e1ffd9f19bf062d01f6b15c9c3651be4c08baf01eec 25c818ee12c6edc4620644b1d97cf24f868732d56fe45ce78e302c22 1c92f403e0fa3207de8bb41b388d81046a298ed8ddac9b2a03414462 DSI = G.DSI_ISK, b'CPaceP521_XMD:SHA-512_SSWU_NU__ISK': (length: 34 bytes) 4350616365503532315f584d443a5348412d3531325f535357555f4e 555f5f49534b lv_cat(DSI,sid,K)||transcript_oc(Ya,ADa,Yb,ADb): (length: 399 bytes) 224350616365503532315f584d443a5348412d3531325f535357555f 4e555f5f49534b107e4b4791d6a8ef019b936c79fb7f2c5742018e0e 7e9ade74917c11c0f6b52f95ed871eab235437cbee8b5c2509516e78 7a80e825ed5d539fa6a0ec32c48fa8fabe85809d000d0cfd30832c23 d477c991bea8e56f6385010400c2bfd794467f4438277e85a42e101f a4061e1ef6e05f81e5381f30e73b341dd726089cb6a6bbe5a509fad0 09857488db7130ff7680907312eb724cddb4dcce675b0098ad400fef 80e1deb4bc1756c43961ef60b85f2d62ed458454e11616a5d1df1e58 09636821a73662f9f12254e6f9950dd01fa8e26a8b20736fb63c63c8 1094f6810341446185010400706ea69b2b7167773248ea6e69a574e9 dd2ff8a3d04a6e07f70c709869ca486827d59f9290599d1cf94e1a03 fc242e2b1316afe2fa218bfaeb3e1ffd9f19bf062d01f6b15c9c3651 be4c08baf01eec25c818ee12c6edc4620644b1d97cf24f868732d56f e45ce78e302c221c92f403e0fa3207de8bb41b388d81046a298ed8dd ac9b2a03414462 ISK result: (length: 64 bytes) f2f3bd8cd442a4e16659b47a7b7a84f29be75893ed2e5f772d7a3c8b 779eb0df937a4ec50a4f1ff01ebbaa97d80e090ea69b00a95200ed25 8e48c6f7e9d8fbc2 B.7.7. Test vector for optional output of session id Abdalla, et al. Expires 30 March 2025 [Page 91] Internet-Draft CPace September 2024 H.hash(b"CPaceSidOut" + transcript_ir(Ya,ADa, Yb,ADb)): (length: 64 bytes) 56cc3cd8be77cdc84c0d1906de1ffc8ef7cbb326a3f05267b6e8c634 4e2781eb20ef725e84cb1bb45927435051b4e0fae78e975bf15099f9 e38d755413eee2fd H.hash(b"CPaceSidOut" + transcript_oc(Ya,ADa, Yb,ADb)): (length: 64 bytes) a46c7189ba6a36c4447741e057da39c885b7d59e08bd2df1852a5271 f2a8a2e9b187ccd07325a3eede646adee0c06fe58da77f74177896b2 1053c5d107de006d B.7.8. Corresponding C programming language initializers const unsigned char tc_PRS[] = { 0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64, }; const unsigned char tc_CI[] = { 0x6f,0x63,0x0b,0x42,0x5f,0x72,0x65,0x73,0x70,0x6f,0x6e,0x64, 0x65,0x72,0x0b,0x41,0x5f,0x69,0x6e,0x69,0x74,0x69,0x61,0x74, 0x6f,0x72, }; const unsigned char tc_sid[] = { 0x7e,0x4b,0x47,0x91,0xd6,0xa8,0xef,0x01,0x9b,0x93,0x6c,0x79, 0xfb,0x7f,0x2c,0x57, }; const unsigned char tc_g[] = { 0x04,0x00,0xe5,0x8a,0x8f,0xbf,0x08,0xb3,0x8e,0x34,0xa3,0x67, 0x6f,0x6d,0x69,0x0b,0xed,0x58,0xaa,0x41,0x15,0xff,0x32,0xa5, 0x7e,0xc8,0x71,0x72,0xfc,0x2a,0x1f,0xb8,0x9d,0x03,0x25,0x8c, 0x64,0x29,0xc4,0x64,0x98,0x1b,0x32,0x84,0xb5,0xfe,0xdb,0xd1, 0x24,0x4b,0xf2,0x74,0x32,0x00,0x88,0x68,0x70,0x65,0xb9,0x07, 0x5d,0xd5,0x58,0xe1,0x4e,0xd6,0x99,0x01,0xd2,0x16,0x2d,0xb1, 0xba,0x3a,0x49,0xc9,0x7d,0xca,0x7c,0x90,0x2c,0xb1,0xb9,0x6b, 0xab,0xe2,0x1a,0x31,0x94,0x21,0x14,0xc8,0x60,0x66,0x5b,0x35, 0xc4,0x6b,0x82,0x13,0xf6,0xde,0x17,0x19,0x4d,0xe5,0x4c,0x44, 0x10,0x83,0xdd,0x11,0x63,0xd5,0x90,0x7a,0xda,0xd8,0x82,0x4b, 0xb1,0x30,0x7d,0xcf,0x6a,0x55,0xc1,0x1a,0x8f,0x01,0xd9,0x78, 0x9b, }; const unsigned char tc_ya[] = { 0x00,0x63,0x67,0xe9,0xc2,0xae,0xff,0x9f,0x1d,0xb1,0x9a,0xf6, 0x00,0xcc,0xa7,0x33,0x43,0xd4,0x7c,0xbe,0x44,0x6c,0xeb,0xbd, 0x1c,0xcd,0x78,0x3f,0x82,0x75,0x5a,0x87,0x2d,0xa8,0x6f,0xd0, 0x70,0x7e,0xb3,0x76,0x7c,0x61,0x14,0xf1,0x80,0x3d,0xeb,0x62, 0xd6,0x3b,0xdd,0x1e,0x61,0x3f,0x67,0xe6,0x3e,0x8c,0x14,0x1e, 0xe5,0x31,0x0e,0x3e,0xe8,0x19, }; const unsigned char tc_ADa[] = { Abdalla, et al. Expires 30 March 2025 [Page 92] Internet-Draft CPace September 2024 0x41,0x44,0x61, }; const unsigned char tc_Ya[] = { 0x04,0x00,0xc2,0xbf,0xd7,0x94,0x46,0x7f,0x44,0x38,0x27,0x7e, 0x85,0xa4,0x2e,0x10,0x1f,0xa4,0x06,0x1e,0x1e,0xf6,0xe0,0x5f, 0x81,0xe5,0x38,0x1f,0x30,0xe7,0x3b,0x34,0x1d,0xd7,0x26,0x08, 0x9c,0xb6,0xa6,0xbb,0xe5,0xa5,0x09,0xfa,0xd0,0x09,0x85,0x74, 0x88,0xdb,0x71,0x30,0xff,0x76,0x80,0x90,0x73,0x12,0xeb,0x72, 0x4c,0xdd,0xb4,0xdc,0xce,0x67,0x5b,0x00,0x98,0xad,0x40,0x0f, 0xef,0x80,0xe1,0xde,0xb4,0xbc,0x17,0x56,0xc4,0x39,0x61,0xef, 0x60,0xb8,0x5f,0x2d,0x62,0xed,0x45,0x84,0x54,0xe1,0x16,0x16, 0xa5,0xd1,0xdf,0x1e,0x58,0x09,0x63,0x68,0x21,0xa7,0x36,0x62, 0xf9,0xf1,0x22,0x54,0xe6,0xf9,0x95,0x0d,0xd0,0x1f,0xa8,0xe2, 0x6a,0x8b,0x20,0x73,0x6f,0xb6,0x3c,0x63,0xc8,0x10,0x94,0xf6, 0x81, }; const unsigned char tc_yb[] = { 0x00,0x92,0x27,0xbf,0x8d,0xc7,0x41,0xda,0xcc,0x94,0x22,0xf8, 0xbf,0x3c,0x0e,0x96,0xfc,0xe9,0x58,0x7b,0xc5,0x62,0xea,0xaf, 0xe0,0xdc,0x5f,0x6f,0x82,0xf2,0x85,0x94,0xe4,0xa6,0xf9,0x85, 0x53,0x56,0x0c,0x62,0xb7,0x5f,0xa4,0xab,0xb1,0x98,0xce,0xcb, 0xbb,0x86,0xeb,0xd4,0x1b,0x0e,0xa0,0x25,0x4c,0xde,0x78,0xac, 0x68,0xd3,0x9a,0x24,0x0a,0xe7, }; const unsigned char tc_ADb[] = { 0x41,0x44,0x62, }; const unsigned char tc_Yb[] = { 0x04,0x00,0x70,0x6e,0xa6,0x9b,0x2b,0x71,0x67,0x77,0x32,0x48, 0xea,0x6e,0x69,0xa5,0x74,0xe9,0xdd,0x2f,0xf8,0xa3,0xd0,0x4a, 0x6e,0x07,0xf7,0x0c,0x70,0x98,0x69,0xca,0x48,0x68,0x27,0xd5, 0x9f,0x92,0x90,0x59,0x9d,0x1c,0xf9,0x4e,0x1a,0x03,0xfc,0x24, 0x2e,0x2b,0x13,0x16,0xaf,0xe2,0xfa,0x21,0x8b,0xfa,0xeb,0x3e, 0x1f,0xfd,0x9f,0x19,0xbf,0x06,0x2d,0x01,0xf6,0xb1,0x5c,0x9c, 0x36,0x51,0xbe,0x4c,0x08,0xba,0xf0,0x1e,0xec,0x25,0xc8,0x18, 0xee,0x12,0xc6,0xed,0xc4,0x62,0x06,0x44,0xb1,0xd9,0x7c,0xf2, 0x4f,0x86,0x87,0x32,0xd5,0x6f,0xe4,0x5c,0xe7,0x8e,0x30,0x2c, 0x22,0x1c,0x92,0xf4,0x03,0xe0,0xfa,0x32,0x07,0xde,0x8b,0xb4, 0x1b,0x38,0x8d,0x81,0x04,0x6a,0x29,0x8e,0xd8,0xdd,0xac,0x9b, 0x2a, }; const unsigned char tc_K[] = { 0x01,0x8e,0x0e,0x7e,0x9a,0xde,0x74,0x91,0x7c,0x11,0xc0,0xf6, 0xb5,0x2f,0x95,0xed,0x87,0x1e,0xab,0x23,0x54,0x37,0xcb,0xee, 0x8b,0x5c,0x25,0x09,0x51,0x6e,0x78,0x7a,0x80,0xe8,0x25,0xed, 0x5d,0x53,0x9f,0xa6,0xa0,0xec,0x32,0xc4,0x8f,0xa8,0xfa,0xbe, 0x85,0x80,0x9d,0x00,0x0d,0x0c,0xfd,0x30,0x83,0x2c,0x23,0xd4, 0x77,0xc9,0x91,0xbe,0xa8,0xe5, Abdalla, et al. Expires 30 March 2025 [Page 93] Internet-Draft CPace September 2024 }; const unsigned char tc_ISK_IR[] = { 0x16,0x69,0xa0,0xa2,0x97,0x26,0xad,0xc7,0xee,0xa2,0x51,0x0d, 0x6f,0x7e,0x00,0x4a,0x13,0x5f,0xa6,0x3a,0xc3,0xc9,0xf9,0xe6, 0xce,0x53,0xcb,0xa5,0xd5,0xe3,0x78,0x1a,0xce,0xd5,0x15,0x95, 0x60,0x41,0xe4,0x33,0x58,0x40,0x9a,0x13,0xef,0x90,0xdd,0xc3, 0xc3,0x6f,0xd8,0xd7,0xd8,0x14,0x24,0xc8,0xe9,0x45,0x92,0xe2, 0x18,0x54,0x26,0x0a, }; const unsigned char tc_ISK_SY[] = { 0xf2,0xf3,0xbd,0x8c,0xd4,0x42,0xa4,0xe1,0x66,0x59,0xb4,0x7a, 0x7b,0x7a,0x84,0xf2,0x9b,0xe7,0x58,0x93,0xed,0x2e,0x5f,0x77, 0x2d,0x7a,0x3c,0x8b,0x77,0x9e,0xb0,0xdf,0x93,0x7a,0x4e,0xc5, 0x0a,0x4f,0x1f,0xf0,0x1e,0xbb,0xaa,0x97,0xd8,0x0e,0x09,0x0e, 0xa6,0x9b,0x00,0xa9,0x52,0x00,0xed,0x25,0x8e,0x48,0xc6,0xf7, 0xe9,0xd8,0xfb,0xc2, }; const unsigned char tc_ISK_SY[] = { 0xf2,0xf3,0xbd,0x8c,0xd4,0x42,0xa4,0xe1,0x66,0x59,0xb4,0x7a, 0x7b,0x7a,0x84,0xf2,0x9b,0xe7,0x58,0x93,0xed,0x2e,0x5f,0x77, 0x2d,0x7a,0x3c,0x8b,0x77,0x9e,0xb0,0xdf,0x93,0x7a,0x4e,0xc5, 0x0a,0x4f,0x1f,0xf0,0x1e,0xbb,0xaa,0x97,0xd8,0x0e,0x09,0x0e, 0xa6,0x9b,0x00,0xa9,0x52,0x00,0xed,0x25,0x8e,0x48,0xc6,0xf7, 0xe9,0xd8,0xfb,0xc2, }; const unsigned char tc_sid_out_ir[] = { 0x56,0xcc,0x3c,0xd8,0xbe,0x77,0xcd,0xc8,0x4c,0x0d,0x19,0x06, 0xde,0x1f,0xfc,0x8e,0xf7,0xcb,0xb3,0x26,0xa3,0xf0,0x52,0x67, 0xb6,0xe8,0xc6,0x34,0x4e,0x27,0x81,0xeb,0x20,0xef,0x72,0x5e, 0x84,0xcb,0x1b,0xb4,0x59,0x27,0x43,0x50,0x51,0xb4,0xe0,0xfa, 0xe7,0x8e,0x97,0x5b,0xf1,0x50,0x99,0xf9,0xe3,0x8d,0x75,0x54, 0x13,0xee,0xe2,0xfd, }; const unsigned char tc_sid_out_oc[] = { 0xa4,0x6c,0x71,0x89,0xba,0x6a,0x36,0xc4,0x44,0x77,0x41,0xe0, 0x57,0xda,0x39,0xc8,0x85,0xb7,0xd5,0x9e,0x08,0xbd,0x2d,0xf1, 0x85,0x2a,0x52,0x71,0xf2,0xa8,0xa2,0xe9,0xb1,0x87,0xcc,0xd0, 0x73,0x25,0xa3,0xee,0xde,0x64,0x6a,0xde,0xe0,0xc0,0x6f,0xe5, 0x8d,0xa7,0x7f,0x74,0x17,0x78,0x96,0xb2,0x10,0x53,0xc5,0xd1, 0x07,0xde,0x00,0x6d, }; B.7.9. Testvectors as JSON file encoded as BASE64 Abdalla, et al. Expires 30 March 2025 [Page 94] Internet-Draft CPace September 2024 ##eyJQUlMiOiAiNTA2MTczNzM3NzZGNzI2NCIsICJDSSI6ICI2RjYzMEI0MjVGNzI ##2NTczNzA2RjZFNjQ2NTcyMEI0MTVGNjk2RTY5NzQ2OTYxNzQ2RjcyIiwgInNpZC ##I6ICI3RTRCNDc5MUQ2QThFRjAxOUI5MzZDNzlGQjdGMkM1NyIsICJnIjogIjA0M ##DBFNThBOEZCRjA4QjM4RTM0QTM2NzZGNkQ2OTBCRUQ1OEFBNDExNUZGMzJBNTdF ##Qzg3MTcyRkMyQTFGQjg5RDAzMjU4QzY0MjlDNDY0OTgxQjMyODRCNUZFREJEMTI ##0NEJGMjc0MzIwMDg4Njg3MDY1QjkwNzVERDU1OEUxNEVENjk5MDFEMjE2MkRCMU ##JBM0E0OUM5N0RDQTdDOTAyQ0IxQjk2QkFCRTIxQTMxOTQyMTE0Qzg2MDY2NUIzN ##UM0NkI4MjEzRjZERTE3MTk0REU1NEM0NDEwODNERDExNjNENTkwN0FEQUQ4ODI0 ##QkIxMzA3RENGNkE1NUMxMUE4RjAxRDk3ODlCIiwgInlhIjogIjAwNjM2N0U5QzJ ##BRUZGOUYxREIxOUFGNjAwQ0NBNzMzNDNENDdDQkU0NDZDRUJCRDFDQ0Q3ODNGOD ##I3NTVBODcyREE4NkZEMDcwN0VCMzc2N0M2MTE0RjE4MDNERUI2MkQ2M0JERDFFN ##jEzRjY3RTYzRThDMTQxRUU1MzEwRTNFRTgxOSIsICJBRGEiOiAiNDE0NDYxIiwg ##IllhIjogIjA0MDBDMkJGRDc5NDQ2N0Y0NDM4Mjc3RTg1QTQyRTEwMUZBNDA2MUU ##xRUY2RTA1RjgxRTUzODFGMzBFNzNCMzQxREQ3MjYwODlDQjZBNkJCRTVBNTA5Rk ##FEMDA5ODU3NDg4REI3MTMwRkY3NjgwOTA3MzEyRUI3MjRDRERCNERDQ0U2NzVCM ##DA5OEFENDAwRkVGODBFMURFQjRCQzE3NTZDNDM5NjFFRjYwQjg1RjJENjJFRDQ1 ##ODQ1NEUxMTYxNkE1RDFERjFFNTgwOTYzNjgyMUE3MzY2MkY5RjEyMjU0RTZGOTk ##1MEREMDFGQThFMjZBOEIyMDczNkZCNjNDNjNDODEwOTRGNjgxIiwgInliIjogIj ##AwOTIyN0JGOERDNzQxREFDQzk0MjJGOEJGM0MwRTk2RkNFOTU4N0JDNTYyRUFBR ##kUwREM1RjZGODJGMjg1OTRFNEE2Rjk4NTUzNTYwQzYyQjc1RkE0QUJCMTk4Q0VD ##QkJCODZFQkQ0MUIwRUEwMjU0Q0RFNzhBQzY4RDM5QTI0MEFFNyIsICJBRGIiOiA ##iNDE0NDYyIiwgIlliIjogIjA0MDA3MDZFQTY5QjJCNzE2Nzc3MzI0OEVBNkU2OU ##E1NzRFOUREMkZGOEEzRDA0QTZFMDdGNzBDNzA5ODY5Q0E0ODY4MjdENTlGOTI5M ##DU5OUQxQ0Y5NEUxQTAzRkMyNDJFMkIxMzE2QUZFMkZBMjE4QkZBRUIzRTFGRkQ5 ##RjE5QkYwNjJEMDFGNkIxNUM5QzM2NTFCRTRDMDhCQUYwMUVFQzI1QzgxOEVFMTJ ##DNkVEQzQ2MjA2NDRCMUQ5N0NGMjRGODY4NzMyRDU2RkU0NUNFNzhFMzAyQzIyMU ##M5MkY0MDNFMEZBMzIwN0RFOEJCNDFCMzg4RDgxMDQ2QTI5OEVEOEREQUM5QjJBI ##iwgIksiOiAiMDE4RTBFN0U5QURFNzQ5MTdDMTFDMEY2QjUyRjk1RUQ4NzFFQUIy ##MzU0MzdDQkVFOEI1QzI1MDk1MTZFNzg3QTgwRTgyNUVENUQ1MzlGQTZBMEVDMzJ ##DNDhGQThGQUJFODU4MDlEMDAwRDBDRkQzMDgzMkMyM0Q0NzdDOTkxQkVBOEU1Ii ##wgIklTS19JUiI6ICIxNjY5QTBBMjk3MjZBREM3RUVBMjUxMEQ2RjdFMDA0QTEzN ##UZBNjNBQzNDOUY5RTZDRTUzQ0JBNUQ1RTM3ODFBQ0VENTE1OTU2MDQxRTQzMzU4 ##NDA5QTEzRUY5MEREQzNDMzZGRDhEN0Q4MTQyNEM4RTk0NTkyRTIxODU0MjYwQSI ##sICJJU0tfU1kiOiAiRjJGM0JEOENENDQyQTRFMTY2NTlCNDdBN0I3QTg0RjI5Qk ##U3NTg5M0VEMkU1Rjc3MkQ3QTNDOEI3NzlFQjBERjkzN0E0RUM1MEE0RjFGRjAxR ##UJCQUE5N0Q4MEUwOTBFQTY5QjAwQTk1MjAwRUQyNThFNDhDNkY3RTlEOEZCQzIi ##LCAic2lkX291dHB1dF9pciI6ICI1NkNDM0NEOEJFNzdDREM4NEMwRDE5MDZERTF ##GRkM4RUY3Q0JCMzI2QTNGMDUyNjdCNkU4QzYzNDRFMjc4MUVCMjBFRjcyNUU4NE ##NCMUJCNDU5Mjc0MzUwNTFCNEUwRkFFNzhFOTc1QkYxNTA5OUY5RTM4RDc1NTQxM ##0VFRTJGRCIsICJzaWRfb3V0cHV0X29jIjogIkE0NkM3MTg5QkE2QTM2QzQ0NDc3 ##NDFFMDU3REEzOUM4ODVCN0Q1OUUwOEJEMkRGMTg1MkE1MjcxRjJBOEEyRTlCMTg ##3Q0NEMDczMjVBM0VFREU2NDZBREVFMEMwNkZFNThEQTc3Rjc0MTc3ODk2QjIxMD ##UzQzVEMTA3REUwMDZEIn0= B.7.10. Test case for scalar_mult_vfy with correct inputs Abdalla, et al. Expires 30 March 2025 [Page 95] Internet-Draft CPace September 2024 s: (length: 66 bytes) 0182dd7925f1753419e4bf83429763acd37d64000cd5a175edf53a15 87dd986bc95acc1506991702b6ba1a9ee2458fee8efc00198cf0088c 480965ef65ff2048b856 X: (length: 133 bytes) 0400dc5078b24c4af1620cc10fbecc6cd8cf1cab0b011efb73c782f2 26dc21c7ca7eb406be74a69ecba5b4a87c07cfc6e687b4beca9a6eda c95940a3b4120573b26a80005e697833b0ba285fce7b3f1f25243008 860b8f1de710a0dcc05b0d20341efe90eb2bcca26797c2d85ae6ca74 c00696cb1b13e40bda15b27964d7670576647bfab9 G.scalar_mult(s,X) (full coordinates): (length: 133 bytes) 040122f88ce73ec5aa2d1c8c5d04148760c3d97ba87daa10d8cb8bb7 c73cf6e951fc922721bf1437995cfb13e132a78beb86389e60d3517c df6d99a8a2d6db19ef27bd0055af9e8ddcf337ce0a7c22a9c8099bc4 a44faeded1eb72effd26e4f322217b67d60b944b267b3df5046078fd 577f1785728f49b241fd5e8c83223a994a2d219281 G.scalar_mult_vfy(s,X) (only X-coordinate): (length: 66 bytes) 0122f88ce73ec5aa2d1c8c5d04148760c3d97ba87daa10d8cb8bb7c7 3cf6e951fc922721bf1437995cfb13e132a78beb86389e60d3517cdf 6d99a8a2d6db19ef27bd B.7.11. Invalid inputs for scalar_mult_vfy For these test cases scalar_mult_vfy(y,.) MUST return the representation of the neutral element G.I. When including Y_i1 or Y_i2 in messages of A or B the protocol MUST abort. s: (length: 66 bytes) 0182dd7925f1753419e4bf83429763acd37d64000cd5a175edf53a15 87dd986bc95acc1506991702b6ba1a9ee2458fee8efc00198cf0088c 480965ef65ff2048b856 Y_i1: (length: 133 bytes) 0400dc5078b24c4af1620cc10fbecc6cd8cf1cab0b011efb73c782f2 26dc21c7ca7eb406be74a69ecba5b4a87c07cfc6e687b4beca9a6eda c95940a3b4120573b26a80005e697833b0ba285fce7b3f1f25243008 860b8f1de710a0dcc05b0d20341efe90eb2bcca26797c2d85ae6ca74 c00696cb1b13e40bda15b27964d7670576647bfaf9 Y_i2: (length: 1 bytes) 00 G.scalar_mult_vfy(s,Y_i1) = G.scalar_mult_vfy(s,Y_i2) = G.I B.7.11.1. Testvectors as JSON file encoded as BASE64 Abdalla, et al. Expires 30 March 2025 [Page 96] Internet-Draft CPace September 2024 ##eyJWYWxpZCI6IHsicyI6ICIwMTgyREQ3OTI1RjE3NTM0MTlFNEJGODM0Mjk3NjN ##BQ0QzN0Q2NDAwMENENUExNzVFREY1M0ExNTg3REQ5ODZCQzk1QUNDMTUwNjk5MT ##cwMkI2QkExQTlFRTI0NThGRUU4RUZDMDAxOThDRjAwODhDNDgwOTY1RUY2NUZGM ##jA0OEI4NTYiLCAiWCI6ICIwNDAwREM1MDc4QjI0QzRBRjE2MjBDQzEwRkJFQ0M2 ##Q0Q4Q0YxQ0FCMEIwMTFFRkI3M0M3ODJGMjI2REMyMUM3Q0E3RUI0MDZCRTc0QTY ##5RUNCQTVCNEE4N0MwN0NGQzZFNjg3QjRCRUNBOUE2RURBQzk1OTQwQTNCNDEyMD ##U3M0IyNkE4MDAwNUU2OTc4MzNCMEJBMjg1RkNFN0IzRjFGMjUyNDMwMDg4NjBCO ##EYxREU3MTBBMERDQzA1QjBEMjAzNDFFRkU5MEVCMkJDQ0EyNjc5N0MyRDg1QUU2 ##Q0E3NEMwMDY5NkNCMUIxM0U0MEJEQTE1QjI3OTY0RDc2NzA1NzY2NDdCRkFCOSI ##sICJHLnNjYWxhcl9tdWx0KHMsWCkgKGZ1bGwgY29vcmRpbmF0ZXMpIjogIjA0MD ##EyMkY4OENFNzNFQzVBQTJEMUM4QzVEMDQxNDg3NjBDM0Q5N0JBODdEQUExMEQ4Q ##0I4QkI3QzczQ0Y2RTk1MUZDOTIyNzIxQkYxNDM3OTk1Q0ZCMTNFMTMyQTc4QkVC ##ODYzODlFNjBEMzUxN0NERjZEOTlBOEEyRDZEQjE5RUYyN0JEMDA1NUFGOUU4RER ##DRjMzN0NFMEE3QzIyQTlDODA5OUJDNEE0NEZBRURFRDFFQjcyRUZGRDI2RTRGMz ##IyMjE3QjY3RDYwQjk0NEIyNjdCM0RGNTA0NjA3OEZENTc3RjE3ODU3MjhGNDlCM ##jQxRkQ1RThDODMyMjNBOTk0QTJEMjE5MjgxIiwgIkcuc2NhbGFyX211bHRfdmZ5 ##KHMsWCkgKG9ubHkgWC1jb29yZGluYXRlKSI6ICIwMTIyRjg4Q0U3M0VDNUFBMkQ ##xQzhDNUQwNDE0ODc2MEMzRDk3QkE4N0RBQTEwRDhDQjhCQjdDNzNDRjZFOTUxRk ##M5MjI3MjFCRjE0Mzc5OTVDRkIxM0UxMzJBNzhCRUI4NjM4OUU2MEQzNTE3Q0RGN ##kQ5OUE4QTJENkRCMTlFRjI3QkQifSwgIkludmFsaWQgWTEiOiAiMDQwMERDNTA3 ##OEIyNEM0QUYxNjIwQ0MxMEZCRUNDNkNEOENGMUNBQjBCMDExRUZCNzNDNzgyRjI ##yNkRDMjFDN0NBN0VCNDA2QkU3NEE2OUVDQkE1QjRBODdDMDdDRkM2RTY4N0I0Qk ##VDQTlBNkVEQUM5NTk0MEEzQjQxMjA1NzNCMjZBODAwMDVFNjk3ODMzQjBCQTI4N ##UZDRTdCM0YxRjI1MjQzMDA4ODYwQjhGMURFNzEwQTBEQ0MwNUIwRDIwMzQxRUZF ##OTBFQjJCQ0NBMjY3OTdDMkQ4NUFFNkNBNzRDMDA2OTZDQjFCMTNFNDBCREExNUI ##yNzk2NEQ3NjcwNTc2NjQ3QkZBRjkiLCAiSW52YWxpZCBZMiI6ICIwMCJ9 Authors' Addresses Michel Abdalla Nexus - San Francisco Email: michel.abdalla@gmail.com Bjoern Haase Endress + Hauser Liquid Analysis - Gerlingen Email: bjoern.m.haase@web.de Julia Hesse IBM Research Europe - Zurich Email: JHS@zurich.ibm.com Abdalla, et al. Expires 30 March 2025 [Page 97]