Key agreement methods in FIPS


June 1, 2023

FIPS offers multiple ways of claiming CAVP-tested compliance for key agreement schemes. Each corresponds to a different use case; for example, the key agreement may or may not include key derivation. Additionally, FIPS supports key confirmation (SP 800-56A rev3, section 5.9), which can be applied to some key agreements. It is easy to get lost when reading the FIPS IG, so below I put a short summary of the differences:

Note that SP 800-56C rev2 is also mentioned by IG 2.4.B. My understanding is that, for example, in the case of TLS v1.3, we do need SP 800-56C rev2 compliance, but not necessarily a KDA certificate. For KDA compliance, the software needs to be tested separately.

Example, PQ-TLS v1.3: there are two goals: 1) to implement the TLS key schedule as per section 7.1 of RFC 8446, and 2) to allow hybrid, quantum-safe key agreement.

We need a scheme that will be used for generating the shared secret Z, so we need KAS-SSC. KAS is not useful, as the TLS key schedule is a single-extract, multi-expand derivation (SP 800-56C rev2, section 5.3). TLS uses key derivation with HKDF (two-step), so we also need KDA or CVL. Only IG 2.4.B mentions TLS, so we need CVL. Hybrid PQ-TLS is not standardized, so CVL won't apply here (I think); on the other hand, SP 800-56C rev2 allows using an auxiliary KAS in addition to the approved one, hence we also need KDA. Therefore, in this case, we need KAS-SSC, KDA and CVL certificates.
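To make the two pieces above concrete, here is an added example (not from the original post) that forms the SP 800-56C rev2 hybrid shared secret Z' = Z || T and feeds it through the TLS 1.3 key schedule of RFC 8446 section 7.1, which performs a single HKDF-Extract over Z' and then several HKDF-Expand-Label calls. The function names and the placeholder secret values are my own assumptions; the HKDF and HkdfLabel encoding follow RFC 5869 and RFC 8446.

```python
# Hybrid shared secret Z' = Z || T (SP 800-56C rev2) fed into the TLS 1.3
# key schedule (RFC 8446, 7.1): one HKDF-Extract, then several Expands.
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM); empty salt = zeros."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]

def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """TLS 1.3 HKDF-Expand-Label: info is the serialised HkdfLabel struct."""
    full_label = b"tls13 " + label.encode()
    info = (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def hybrid_shared_secret(z_approved: bytes, t_auxiliary: bytes) -> bytes:
    """SP 800-56C rev2 hybrid input: approved KAS output Z first, auxiliary T after."""
    return z_approved + t_auxiliary

def tls13_handshake_traffic_secrets(z_prime: bytes, transcript_hash: bytes) -> dict:
    """Single Extract over Z', then one Expand per traffic secret (no PSK)."""
    early_secret = hkdf_extract(b"", bytes(HASH_LEN))
    derived = hkdf_expand_label(early_secret, "derived", HASH(b"").digest(), HASH_LEN)
    handshake_secret = hkdf_extract(derived, z_prime)  # the only Extract of Z'
    return {
        "client": hkdf_expand_label(handshake_secret, "c hs traffic", transcript_hash, HASH_LEN),
        "server": hkdf_expand_label(handshake_secret, "s hs traffic", transcript_hash, HASH_LEN),
    }

if __name__ == "__main__":
    # Constructed placeholder secrets; real values come from ECDH and a PQ KEM.
    z = bytes.fromhex("11" * 32)   # constructed ECDH output (approved KAS)
    t = bytes.fromhex("22" * 32)   # constructed KEM shared secret (auxiliary)
    secrets = tls13_handshake_traffic_secrets(hybrid_shared_secret(z, t), HASH(b"ClientHello..ServerHello").digest())
    for side, value in secrets.items():
        print(side, value.hex())
```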

Abbreviation  Meaning
SSC           Shared Secret Computation
KDA           Key Derivation Algorithm
CVL           Component Validation List
KAS           Key Agreement Scheme