Key agreement methods in FIPS

FIPS has multiple ways of claiming CAVP-tested compliance of the key agreement schemes. Each of them corresponds to a different use case, for example, the key agreement may or may not include key derivation. Additionally, FIPS also supports key confirmation (i.e. 56Ar3, 5.9) which can be applied to some key agreements. It is easy to get lost when reading FIPS IG, hence here below I put short summary of differences:

• KAS-SSC: Compliance with the agreement on shared secret Z (only). The key agreement scheme is the one mentioned in the SP800-56C r3, Section 6. No key derivation is done after Z is agreed upon.

• KAS: Compliance with NIST-approved key agreement AND derivation. Testing is done End-to-End, meaning both operations are done by single security service and a calling sequence is within the module boundary.

• KDA: It relates only to the key derivation part, so testing is NOT done End-to-End. This certificate is given when derivation uses one of the KDF’s described in SP800-56C rev1 or rev2.

• CVL: It relates only to the key derivation part, so testing is NOT done End-to-End. This certificate is given when derivation uses one of the KDF’s described by the IG 2.4.B.

Note that SP800-56C rev2 is also mentioned by the IG 2.4.B. My understanding is that for example, in the case of TLS v1.3, we do need SP800-56 rev2, but not necessarily KDA certificate. For KDA compliance, software needs to be tested separately.

Example PQ-TLS v1.3: Two goals. 1) to implement the TLS key schedule as per 7.1 of RFC 8446, 2) to allow hybrid, quantum-safe key agreement.

We need a scheme that will be used for generating shared secret Z, so we need KAS-SSC. KAS is not useful as TLS key schedule is a single-extract-multi-expand derivation (800-56C r2, section 5.3). TLS uses key derivation with HKDF (two-step), so we also need KDA or CVL. Only IG 2.4.B. mentions TLS, so we need CVL. Hybrid-PQ TLS is not standardized, so CVL won’t apply here (I think), from the other hand SP800-56C rev2 allows using an auxiliary KAS as an addition to the approved one, hence we also need KDA. Therefore, in this case, we need KAS-SSC, KDA and CVL certificates.