How To Use Tool

The ACVT Mate is an offline tool to collect algorithm settings for testing with the Automated Cryptographic Validation Testing System (ACVTS).

Information on the settings and tests can be found in the NIST ACVTS GitHub repository.
Every algorithm tab also has links to this information.
Start with the Vendor and Implementation Information.
Select the algorithms that you would like to have tested by atsec.
You can save and load the settings with the buttons at the end of the page.
Questions about the settings or the testing process should be directed to your atsec contact.
Once all the settings are entered, save them and send the generated file to your atsec contact.
This tool works best with Firefox or Chrome.

Change Log

Below is a list of the recent changes and updates made to ACVT Mate:

v1.15

Allow selecting both TDES keying options simultaneously.
Clarify AES payload inputs.
Add increment options to KBKDF.
Add increment options to HMAC output length.
Hard-code some default values.

v1.14

Fix the usage of AES GCM-SIV and AES XPN.

v1.13

Use doi links for standards.
Update ML-DSA and SLH-DSA definitions.
uPartyInfo and vPartyInfo are optional in the Fixed Input Pattern for KTS method.
Input key length was added to counter, feedback, and double-pipeline KBKDF.
Remove ECDSA signature verification component.

v1.12

Fix loading of save files containing RSA definitions.
Fixed Input Pattern is optional for KTS methods.

v1.11

Remove specification for secondary shared secret from HKDF and TwoStep KDF.
Add SLH-DSA.

v1.10

Add context length field for EdDSA.
Update FIPS 197 URL.
Add ML-DSA and ML-KEM.

v1.9

Re-order cipher modes in AES section.
Remove Secret Generation Method from EdDSA.
Update ECDSA for consistency with FIPS 186-5.
Update RSA for consistency with FIPS 186-5.
Remove duplicated OAEP modulo definition.
Add SHA-1 and HMAC SHA-1 to KAS IFC auxiliary functions.
Fix KAS-IFC-SSC modulo definitions.
Add KMAC mode for KBKDF.
Update hash algorithms for ANS X9.63 and TLS KDFs.
Make HKDF, OneStep KDF, and TwoStep KDF more consistent with the specification.
Add SHA-3 to DRBGs.
Update bounds for DRBG parameters.
Remove unused options for SHA and SHA-3.
Make LDT checked by default for hashes.

v1.8

Added LMS section.
Updated KTS section with module sizes.
Corrected import and save bug that caused CTR_DRBG to no longer save after being implemented and added to an old JSON.

v1.7

Added NIST links for XOF, Conditioning Components, and Safe Primes
Updated Links to SP 800-90Ar1
Removed warning that occurs when saving file due to permanent-checked boxes.

v1.6

Added AES-XTS Revision 2.0.
Added ECDSA Signature Generation Component P-Curves, K-Curves, and B-Curves
Added links for EDDSA documentation.
Added SHA3 and SHA3 functions for KDF

v1.5

Added file saving functionality that exports selected functions as a JSON file.
Added "Data Unit Length equals Payload Length" button.
Moved "Useful links" for each section to the top of their respective section.
Added tag length of 48 to CCM.
Added check to ensure each algorithm matches the capabilities of ACVP.
Added a checkbox for DataUnit Length to AES-XTS.
Added auto-checked box to uPartyinfo and vPartyinfo for KAS FFC and KAS ECC.
Removed AES-XTS Revision 1.0
Removed Modulo 1536 from RSA SigVer.

Contact Us

Please report technical issues to acvt-mate@atsec.com.

Vendor Name:
Address:
Address:
Address:
City:
State:
Zip Code:
Country:
Main Contact Info:
Contact Name:
Contact Email:
Contact Phone:
Contact Fax:
Second Contact Info (if applicable):
Contact Name:
Contact Email:
Contact Phone:
Contact Fax:

Module Name:
Module Version:
Implementation Name:
Software Version:
Part Number:
Firmware Version:
Implementation Type:	Software Firmware Hardware
Operational Environment Info:
Environment Name (OS):
Environment Description (for Software/Firmware):
Processor Info:
Processor Family:
Manufacturer:
Processor Name:
Processor Series:
Brief Implementation Description:
Request for Special Processing:
ITAR:	This algorithm implementation is subject to the requirements of the U.S. Department of State's International Traffic in Arms Regulations (ITAR). Yes No

ECB	Encrypt Decrypt	K1, K2, K3 independent K1 = K3, K2 independent
CBC	Encrypt Decrypt	K1, K2, K3 independent K1 = K3, K2 independent
CBC-I	Encrypt Decrypt	K1, K2, K3 independent K1 = K3, K2 independent
OFB	Encrypt Decrypt	K1, K2, K3 independent K1 = K3, K2 independent
OFB-I	Encrypt Decrypt	K1, K2, K3 independent K1 = K3, K2 independent
CFB-1	Encrypt Decrypt	K1, K2, K3 independent K1 = K3, K2 independent
CFB-8	Encrypt Decrypt	K1, K2, K3 independent K1 = K3, K2 independent
CFB-64	Encrypt Decrypt	K1, K2, K3 independent K1 = K3, K2 independent
CFB-P1	Encrypt Decrypt	K1, K2, K3 independent K1 = K3, K2 independent
CFB-P8	Encrypt Decrypt	K1, K2, K3 independent K1 = K3, K2 independent
CFB-P64	Encrypt Decrypt	K1, K2, K3 independent K1 = K3, K2 independent
CTR	Encrypt Decrypt	K1, K2, K3 independent K1 = K3, K2 independent
	Payload Length (min, max, increment): [ ?Enter the domain (minimum, maximum, increment) payload lengths (1 - 64 bits) ]
	Overflow Counter: yes no Incremental Counter: yes no Perform Counter Test: yes no

Generate CMAC with TDES
Keying Options	K1, K2, K3 independent K1 = K3, K2 independent
Message lengths [ ?Enter minimum and maximum values. Values must be mod 8. Min: 0 bits / Max: 524288 bits. ]
MAC length [ ?Enter minimum, maximum, and increment values. Values must be mod 8. Min: 32 bits / Max: 64 bits. ]

Verify CMAC with TDES
Keying Options	K1, K2, K3 independent K1 = K3, K2 independent
Message lengths [ ?Enter minimum, maximum, and increment values. Values must be mod 8. Min: 0 bits / Max: 524288 bits. ]
MAC length [ ?Values must be mod 8. Min: 32 bits / Max: 64 bits. ]

TDES Key Wrap
Encryption Decryption
Keying Options[ ?"K1 = K3, K2 independent" is only available for decryption. ]	K1, K2, K3 independent K1 = K3, K2 independent
CIPH as defined in SP 800-38F TDES cipher function inverse cipher function

General
	128 bits	192 bits	256 bits
ECB	Enc Dec	Enc Dec	Enc Dec
CBC	Enc Dec	Enc Dec	Enc Dec
OFB	Enc Dec	Enc Dec	Enc Dec
CFB1	Enc Dec	Enc Dec	Enc Dec
CFB8	Enc Dec	Enc Dec	Enc Dec
CFB128	Enc Dec	Enc Dec	Enc Dec
Payload Length (min, max, increment): [ ?Enter the domain (minimum, maximum, increment) payload lengths (8 - 65536 bits) ]

Ciphertext Stealing
	128 bits	192 bits	256 bits
CBC-CS1	Enc Dec	Enc Dec	Enc Dec
Payload length (min, max, increment): [ ?Enter the minimum, maximum, and increment of payload lengths (128 - 65536 bits) ]
CBC-CS2	Enc Dec	Enc Dec	Enc Dec
Payload length (min, max, increment): [ ?Enter the minimum, maximum, and increment of payload lengths (128 - 65536 bits) ]
CBC-CS3	Enc Dec	Enc Dec	Enc Dec
Payload length (min, max, increment): [ ?Enter the minimum, maximum, and increment of payload lengths (128 - 65536 bits) ]

CTR
NOTE: AES-CTR implementations must support a payloadLen of 128 bits. For AES-CTR, when values less than 128 are supplied for payloadLen, these lengths refer to the bit sizes supported in the last incomplete block (less than 128 bits) of the cipher or plain text.
	128 bits	192 bits	256 bits
CTR	Enc Dec	Enc Dec	Enc Dec
Payload length (min, max, increment): [ ?Enter the minimum, maximum, and increment of payload lengths (1 - 128 bits) ]
	Overflow Counter: yes no Incremental Counter: yes no Perform Counter Test: yes no

XTS
	128 bits	256 bits
Operations	Encrypt Decrypt	Encrypt Decrypt
Payload Length [ ?Please enter minimum and maximum values. Min: 128 / Max: 65536 bits, incremented by 8. ]
Data Unit Length equals Payload Length? [ ?Check this box if the Data Unit Length and Payload Length are equal. ]	DU Length = P Length	DU Length = P Length
DataUnit Length [ ?Please enter minimum and maximum values. Min: 128 / Max: 65536 bits, incremented by 8. ]
Format of tweak value	hexadecimal string number

	KW	KWP
Operations	Encrypt Decrypt	Encrypt Decrypt
Key Sizes	128 192 256	128 192 256
Payload Length [ ?Please enter minimum and maximum values. Min: 128 (KW) / 8 (KWP) / Max: 4096 bits. ]
CIPH as defined in SP 800-38F	AES cipher function Inverse cipher function	AES cipher function Inverse cipher function

	CCM	GCM-SIV
Operations	Encrypt Decrypt	Encrypt Decrypt
Key Sizes	128 192 256	128 192 256
Payload Length [ ?Enter minimum and maximum in increments of 8 bits. Min: 0 / Max: 256 (CCM) / 65536 (GCM-SIV) bits. ]
AAD Length [ ?Enter minimum, maximum and increment. Min: 0 / Max: 524288 (CCM) / 65536 (GCM-SIV) bits. ]
IV Length [ ?Enter minimum and maximum in increments of 8 bits. Min: 56 / Max: 104. ]
Tag Length (bits)	32 48 64 80 96 112 128

	GCM	XPN
Operations	Encrypt Decrypt	Encrypt Decrypt
Key Sizes	128 192 256	128 192 256
Payload Length [ ?Enter minimum, maximum and increment. Min: 0 / Max: 65536 bits. ]
AAD Length [ ?Enter minimum, maximum and increment. Min: 0 (GCM) / 1 (XPN) / Max: 65536 bits. ]
IV Length [ ?Enter minimum, maximum and increment. Min: 8 / Max: 1024. ]
IV Generation	Internal External Construction method: [ ?If the IV is generated internally, the lab will confirm that the IV is constructed using one of the two methods below from SP 800-38D ] Section 8.2.1 Section 8.2.2	Internal External Construction method: [ ?If the IV is generated internally, the lab will confirm that the IV is constructed using one of the two methods below from SP 800-38D ] Section 8.2.1 Section 8.2.2
Salt Generation		Internal External
Tag Length (bits)	32 64 96 104 112 120 128	32 64 96 104 112 120 128

CMAC Generation
Key Sizes	128 192 256
Message length [ ?Enter minimum, maximum, and increment values. Values must be mod 8. Min: 0 bits / Max: 524288 bits. ]
MAC length [ ?Enter minimum, maximum, and increment values. Values must be mod 8. Min: 32 bits / Max: 128 bits. ]

CMAC Verification
Key Sizes	128 192 256
Message length [ ?Enter minimum, maximum, and increment values. Values must be mod 8. Min: 0 bits / Max: 524288 bits. ]
MAC length [ ?Enter minimum, maximum, and increment values. Values must be mod 8. Min: 32 bits / Max: 128 bits. ]

PQG Generation
L=2048 and N=224	L=2048 and N=256	L=3072 and N=256
SHA-224 SHA-256 SHA-384 SHA 512 SHA-512/224 SHA-512/256	SHA-256 SHA-384 SHA 512 SHA-512/256	SHA-256 SHA-384 SHA 512 SHA-512/256
Generate P & Q (choose one or both)
Probable primes P & Q Provable primes P & Q
Generate G (choose one or both)
Unverifiable generationCanonical generation

PQG Verification
L=1024 and N=160	L=2048 and N=224	L=2048 and N=256	L=3072 and N=256
SHA-1 SHA-224 SHA-256 SHA-384 SHA 512 SHA-512/224 SHA-512/256	SHA-224 SHA-256 SHA-384 SHA 512 SHA-512/224 SHA-512/256	SHA-256 SHA-384 SHA 512 SHA-512/256	SHA-256 SHA-384 SHA 512 SHA-512/256
Generate P & Q (choose one or both)
Probable primes P & Q Provable primes P & Q
Generate G (choose one or both)
Unverifiable generationCanonical generation

Key Pair Generation
L=2048 and N=224	L=2048 and N=256	L=3072 and N=256

Signature Generation
L=2048 and N=224	L=2048 and N=256	L=3072 and N=256
SHA-224 SHA-256 SHA-384 SHA 512 SHA-512/224 SHA-512/256	SHA-224 SHA-256 SHA-384 SHA 512 SHA-512/224 SHA-512/256	SHA-224 SHA-256 SHA-384 SHA 512 SHA-512/224 SHA-512/256

GMAC
Operations	Encrypt Decrypt
Key Sizes	128 192 256
AAD Length [ ?Enter minimum and maximum in increments of 8 bits. Min: 0 / Max: 65536 bits. ]
IV Length [ ?Enter minimum and maximum in increments of 8 bits. Min: 8 / Max: 1024 bits. ]
IV Generation	Internal External Construction method: [ ?If the IV is generated internally, the lab will confirm that the IV is constructed using one of the two methods below from SP 800-38D ] Section 8.2.1 Section 8.2.2
Tag Length (bits)	32 64 96 104 112 120 128

Signature Verification
L=1024 and N 160 is for legacy use only.
L=1024 and N=160	L=2048 and N=224	L=2048 and N=256	L=3072 and N=256
SHA-1 SHA-224 SHA-256 SHA-384 SHA 512 SHA-512/224 SHA-512/256	SHA-1 SHA-224 SHA-256 SHA-384 SHA 512 SHA-512/224 SHA-512/256	SHA-1 SHA-224 SHA-256 SHA-384 SHA 512 SHA-512/224 SHA-512/256	SHA-1 SHA-224 SHA-256 SHA-384 SHA 512 SHA-512/224 SHA-512/256

Key Pair Generation
P-Curves	P-224	P-256	P-384	P-521
K-Curves	K-233	K-283	K-409	K-571
B-Curves	B-233	B-283	B-409	B-571
Key pair generation method
Extra Random Bits Rejection Sampling/Testing Candidates

Key Pair Verification
P-Curves	P-192	P-224	P-256	P-384	P-521
K-Curves	K-163	K-233	K-283	K-409	K-571
B-Curves	B-163	B-233	B-283	B-409	B-571

EDDSA Key Generation
Curve	Ed25519 Ed448
EDDSA Key Verification
Curve	Ed25519 Ed448
EDDSA Signature Generation
Curve	Ed25519 Ed448
IUT supports normal ("pure") signature generation	yes no
IUT supports pre-hash signature generation	yes no
Context Length in octets [ ?Please enter minimum and maximum values. Min: 0 / Max: 255 octets. ]
EDDSA Signature Verification
Curve	Ed25519 Ed448
IUT supports normal ("pure") signature verification	yes no
IUT supports pre-hash signature verification	yes no

Key Generation
LMS Modes	SHA256 M24 H5 SHA256 M24 H10 SHA256 M24 H15 SHA256 M24 H20 SHA256 M24 H25 SHA256 M32 H5 SHA256 M32 H10 SHA256 M32 H15 SHA256 M32 H20 SHA256 M32 H25 SHAKE M24 H5 SHAKE M24 H10 SHAKE M24 H15 SHAKE M24 H20 SHAKE M24 H25 SHAKE M32 H5 SHAKE M32 H10 SHAKE M32 H15 SHAKE M32 H20 SHAKE M32 H25
LMOTS Modes	SHA256 N24 W1 SHA256 N24 W2 SHA256 N24 W4 SHA256 N24 W8 SHA256 N32 W1 SHA256 N32 W2 SHA256 N32 W4 SHA256 N32 W8 SHAKE N24 W1 SHAKE N24 W2 SHAKE N24 W4 SHAKE N24 W8 SHAKE N32 W1 SHAKE N32 W2 SHAKE N32 W4 SHAKE N32 W8

Key Generation
Parameter Sets	ML-KEM-512 ML-KEM-768 ML-KEM-1024

Encapsulation
Parameter Sets	ML-KEM-512 ML-KEM-768 ML-KEM-1024

Decapsulation
Parameter Sets	ML-KEM-512 ML-KEM-768 ML-KEM-1024

Key Generation
Parameter Sets	ML-DSA-44 ML-DSA-65 ML-DSA-87

Signature Generation
Modes [ ?As discussed in Section 3.4 of FIPS 204 ]	Hedged Deterministic
Interfaces	External (Section 5) Internal (Section 6)
Hashing [ ?Only applicable if the external interface is supported ]	Normal ("pure") Pre-hash
IUT computes mu internally [ ?Only applicable if the internal interface is supported ]	Yes No
Parameter Sets	ML-DSA-44 ML-DSA-65 ML-DSA-87
Message Length (min, max, increment) [ ?Enter the domain (minimum, maximum, increment) payload lengths (8 - 65536 bits) ]
Pre-hash algorithms [ ?Only applicable if pre-hashing is supported ]	SHA-224 SHA-256 SHA-384 SHA-512 SHA-512/224 SHA-512/256 SHA3-224 SHA3-256 SHA3-384 SHA3-512 SHAKE128 SHAKE256
Context Length (min, max, increment) [ ?Enter the domain (minimum, maximum, increment) context lengths (0 - 2040 bits) ]

Key Generation
Parameter Sets	SLH-DSA-SHA2-128s SLH-DSA-SHA2-128f SLH-DSA-SHA2-192s SLH-DSA-SHA2-192f SLH-DSA-SHA2-256s SLH-DSA-SHA2-256f SLH-DSA-SHAKE-128s SLH-DSA-SHAKE-128f SLH-DSA-SHAKE-192s SLH-DSA-SHAKE-192f SLH-DSA-SHAKE-256s SLH-DSA-SHAKE-256f

Signature Generation
Variants	Deterministic Non-deterministic
Interfaces	External (Section 10) Internal (Section 9)
Hashing [ ?Only applicable if the external interface is supported ]	Normal ("pure") Pre-hash
Parameter Sets	SLH-DSA-SHA2-128s SLH-DSA-SHA2-128f SLH-DSA-SHA2-192s SLH-DSA-SHA2-192f SLH-DSA-SHA2-256s SLH-DSA-SHA2-256f SLH-DSA-SHAKE-128s SLH-DSA-SHAKE-128f SLH-DSA-SHAKE-192s SLH-DSA-SHAKE-192f SLH-DSA-SHAKE-256s SLH-DSA-SHAKE-256f
Message Length (min, max, increment) [ ?Enter the domain (minimum, maximum, increment) payload lengths (8 - 65536 bits) ]
Pre-hash algorithms [ ?Only applicable if pre-hashing is supported ]	SHA-224 SHA-256 SHA-384 SHA-512 SHA-512/224 SHA-512/256 SHA3-224 SHA3-256 SHA3-384 SHA3-512 SHAKE128 SHAKE256
Context Length (min, max, increment) [ ?Enter the domain (minimum, maximum, increment) context lengths (0 - 2040 bits) ]

Key Pair Generation
Format	Standard Chinese Remainder Theorem
Public Exponent [ ?The exponent e shall be an odd integer such that: 2^16 < e < 2^256 ]	random fixed
Generate P/Q according to	Provable Primes Probable Primes Provable Primes based on Auxiliary Provable Primes Probable Primes based on Auxiliary Provable Primes Probable Primes based on Auxiliary Probable Primes
Hash Needed for any generation involving Provable Primes	SHA-1 SHA-224 SHA-256 SHA-384 SHA-512 SHA-512/224 SHA-512/256
Modulus size	2048 3072 4096 6144 8192
Prime test error probability	2^{-security_strength} 2^-100
p mod 8 [ ?The value of p mod 8 for the generated prime p. Select N/A if no check is performed during generation. ]	N/A 1 3 5 7
q mod 8 [ ?The value of q mod 8 for the generated prime q. Select N/A if no check is performed during generation. ]	N/A 1 3 5 7

Signature Generation
Hash	SHA-224 SHA-256 SHA-384 SHA-512 SHA-512/224 SHA-512/256 SHA3-224 SHA3-256 SHA3-384 SHA3-512 SHAKE128 SHAKE256
Modulus size	2048 3072 4096
Padding	ANSI X9.31 PKCS#1 v1.5 PSS
Salt Length (PSS only)	Zero Hash length Salt value:
Mask Generation Function (PSS only)	MGF1 SHAKE128 SHAKE256

Signature Generation Component [ ?Tests the correct computation of 's = m^d mod n', without padding or hashing ]
Format	Standard Chinese Remainder Theorem
Public Exponent [ ?The exponent e shall be an odd integer such that: 2^16 < e < 2^256 ]	random fixed
Modulus size	2048 3072 4096

Signature Verification
Hash	SHA-1 SHA-224 SHA-256 SHA-384 SHA-512 SHA-512/224 SHA-512/256 SHA3-224 SHA3-256 SHA3-384 SHA3-512 SHAKE128 SHAKE256
Modulus size	1024 1536 2048 3072 4096
Padding	ANSI X9.31 PKCS#1 v1.5 PSS
Salt Length (PSS only)	Ignore Zero Hash length Salt value:
Mask Generation Function (PSS only)	MGF1 SHAKE128 SHAKE256

Decryption Component [ ?Tests the correct computation of 'm = c^d mod n', without padding or hashing ]
Format	Standard Chinese Remainder Theorem
Public Exponent [ ?The exponent e shall be an odd integer such that: 2^16 < e < 2^256 ]	random fixed
Modulus size	2048 3072 4096

The implementation contains routines to perform the following functions:	Supported Key Generation Methods [ ?At least one key generation method is required. ]
Key Pair Generation Partial Validation (SP 800-56Br2 section 6.4.2.2)	rsakpg1-basic rsakpg1-prime-factor rsakpg1-crt rsakpg2-basic rsakpg2-prime-factor rsakpg2-crt

KAS/KTS Schemes	kdf Methods	mac Methods	kts Methods
KAS1-basic	required
KAS1-Party_V-confirmation	required	required
KAS2-basic	required
KAS2-bilateral-confirmation	required	required
KAS2-Party_U-confirmation	required	required
KAS2-Party_V-confirmation	required	required
KTS-OAEP-basic			required
KTS-OAEP-Party_V-confirmation		required	required