Please enter the vendor and implementation information that you would like to see displayed with your CAVP
certificate.

Vendor Name:

Address:

Address:

Address:

City:

State:

Zip Code:

Country:

Main Contact Info:

Contact Name:

Contact Email:

Contact Phone:

Contact Fax:

Second Contact Info (if applicable):

Contact Name:

Contact Email:

Contact Phone:

Contact Fax:

Implementation Name:

Software Version:

Part Number:

Firmware Version:

Implementation Type:

Software
Firmware
Hardware

Processor (for Software/Firmware):

Operating System (for Software/Firmware):

Brief Implementation Description:

Request for
Special Processing:

ITAR:

This algorithm implementation is subject to the requirements of the U.S. Department of State's
International Traffic in Arms Regulations (ITAR).
Yes No

Please select the settings for your TDES algorithm implementation.
K1 = K3,K2 is only allowed for legacy use decryption.

Prerequisites

Prerequisite Algorithm

Same Implementation

Algorithm Validation #

TDES for CMAC

TDES for Key Wrapping

ECB

Encrypt Decrypt

K1, K2, K3 independent K1 = K3, K2 independent

CBC

Encrypt Decrypt

K1, K2, K3 independent K1 = K3, K2 independent

CBC-I

Encrypt Decrypt

K1, K2, K3 independent K1 = K3, K2 independent

OFB

Encrypt Decrypt

K1, K2, K3 independent K1 = K3, K2 independent

OFB-I

Encrypt Decrypt

K1, K2, K3 independent K1 = K3, K2 independent

CFB-1

Encrypt Decrypt

K1, K2, K3 independent K1 = K3, K2 independent

CFB-8

Encrypt Decrypt

K1, K2, K3 independent K1 = K3, K2 independent

CFB-64

Encrypt Decrypt

K1, K2, K3 independent K1 = K3, K2 independent

CFB-P1

Encrypt Decrypt

K1, K2, K3 independent K1 = K3, K2 independent

CFB-P8

Encrypt Decrypt

K1, K2, K3 independent K1 = K3, K2 independent

CFB-P64

Encrypt Decrypt

K1, K2, K3 independent K1 = K3, K2 independent

CTR

Encrypt Decrypt

K1, K2, K3 independent K1 = K3, K2 independent

Payload Length: [

?Enter the minimum and maximum
payload lengths (1 - 64 bits)

]

Overflow Counter: yes
no Incremental Counter: yes no Perform Counter Test: yes no

Generate CMAC with
TDES

Keying Options

K1, K2, K3 independent K1 = K3, K2 independent

Message lengths [

?Enter minimum and maximum
values. Values must be mod 8. Min: 0 bits / Max: 524288 bits.

]

CMAC length [

?Enter minimum and maximum
values. Values must be mod 8. Min: 32 bits / Max: 64 bits.

]

Verify CMAC with
TDES

Keying Options

K1, K2, K3 independent K1 = K3, K2 independent

Message lengths [

?Enter minimum and maximum
values. Values must be mod 8. Min: 0 bits / Max: 524288 bits.

]

CMAC length [

?Values must be mod 8. Min: 32
bits / Max: 64 bits.

]

TDES Key Wrap

Encryption Decryption

K1, K2, K3 independent K1 = K3, K2 independent

CIPH as defined in SP800-38F TDES cipher function inverse cipher function

Please select the settings for your AES algorithm implementation.
NOTE: Please make sure to specifiy the counter source if your implementation supports AES CTR.

Prerequisites

Prerequisite Algorithm

Same Implementation

Algorithm Validation #

AES for CMAC

AES for CCM

AES for GCM, GCM-SIV and XPN [

?Always required: AES
algorithm with mode of
operation using forward cipher function, including ECB encryption, CBC encryption, CFB encryption
and
decryption, OFB encryption and decryption.

]

DRBG for GCM and XPN [

?Required only if IVs are
generated internally
using the method in Section 8.2.2.

]

AES for XTS

AES for Key Wrapping

128 bits

192 bits

256 bits

ECB

Encrypt Decrypt

Encrypt Decrypt

Encrypt Decrypt

CBC

Encrypt Decrypt

Encrypt Decrypt

Encrypt Decrypt

CBC-CS1

Encrypt Decrypt

Encrypt Decrypt

Encrypt Decrypt

Payload length: [

?Enter the
minimum and maximum payload lengths (128 - 65536 bits)

]

CBC-CS2

Encrypt Decrypt

Encrypt Decrypt

Encrypt Decrypt

Payload length: [

?Enter the
minimum and maximum payload lengths (128 - 65536 bits)

]

CBC-CS3

Encrypt Decrypt

Encrypt Decrypt

Encrypt Decrypt

Payload length: [

?Enter the
minimum and maximum payload lengths (128 - 65536 bits)

]

OFB

Encrypt Decrypt

Encrypt Decrypt

Encrypt Decrypt

CFB1

Encrypt Decrypt

Encrypt Decrypt

Encrypt Decrypt

CFB8

Encrypt Decrypt

Encrypt Decrypt

Encrypt Decrypt

CFB128

Encrypt Decrypt

Encrypt Decrypt

Encrypt Decrypt

CTR

Encrypt Decrypt

Encrypt Decrypt

Encrypt Decrypt

Payload length: [

?Enter the
minimum and maximum payload lengths (1 - 128 bits)

]

Overflow Counter: yes no Incremental Counter: yes no Perform Counter Test:
yes no

Generate CMAC with
AES

Key Sizes Supported

AES 128

AES 192

AES 256

Message lengths [

?Enter minimum and maximum
values. Values must be mod 8. Min: 0 bits / Max: 524288 bits.

]

CMAC length [

?Enter minimum and maximum
values. Values must be mod 8. Min: 32 bits / Max: 128 bits.

]

Verify CMAC with
AES

Key Sizes Supported

AES 128

AES 192

AES 256

Message lengths [

?Enter minimum and maximum
values. Values must be mod 8. Min: 0 bits / Max: 524288 bits.

]

CMAC length [

?Enter minimum and maximum
values. Values must be mod 8. Min: 32 bits / Max: 128 bits.

]

AES CCM

Direction

Encrypt Decrypt

Key Sizes

128 192 256

Associated Data Length [

?Enter minimum and
maximum length supported. Minimum: >=0 / Maximum: <=524288 bits.

]

Payload Length [

?Enter minimum and maximum
length supported in increments of 8 bits. Minimum: >=0 / Maximum: <=256 bits.

]

IV Length [

?Enter minimum and maximum length
supported in increments of 8 bits. Minimum: >=56 / Maximum: <=104 bits.

]

Tag Length in bits

32 64 96 104 112 120 128

GCM

GCM SIV

Operations

Encryption Decryption

Encryption Decryption

Key Sizes

128 192 256

128 256

Payload [

?Please enter minimum and
maximum values in bits. Min: 0 / Max: 65536. NOTE: for GCM-SIV the increment is 8.

]

AAD [

?Please enter minimum and
maximum values in bits. Min: 0 / Max: 65536. NOTE: for GCM-SIV the increment is 8.

]

IV Length [

?Please enter minimum and
maximum values in bits. Min: 8 / Max: 1024.

]

IV Generation

Internal External Construction method: [

?If the IV is generated internally, the laboratory will affirm that IV
construction is using one of the two methods below from SP800-38D

] Section 8.2.1 Section 8.2.2

Tag Length

32 64 96 104 112
120 128

GMAC

XPN

Operations

Encryption Decryption

Encryption Decryption

Key Sizes

128 192 256

128 192 256

Payload [

?Please enter minimum and
maximum values in bits. Min: 0 / Max: 65536.

]

AAD [

?Please enter minimum and maximum values
in bits. For GMAC: Min: 0 / Max: 65536. For XPN: Min: 1 / Max: 65536. NOTE: for both the
increment is 8.

]

IV Length [

?Please enter minimum and maximum
values in bits. Min: 8 / Max: 1024.

]

IV Generation

Internal External Construction method: [

?If the IV is generated internally, the laboratory will affirm that IV
construction is using one of the two methods below from SP800-38D

] Section 8.2.1 Section 8.2.2

Internal External Construction method: [

?If the IV is generated internally, the laboratory will affirm that IV
construction is using one of the two methods below from SP800-38D

] Section 8.2.1 Section 8.2.2

Tag Length

32 64 96 104 112 120
128

32 64 96 104 112
120 128

Salt Generation

Internal External

AES XTS

XTS AES-128

XTS AES 256

Supported functions

Encrypt Decrypt

Encrypt Decrypt

Payload Length [

?Please enter minimum and
maximum values. Min: 128 / Max: 65536 bits, divisible by 128.

]

Format of tweak value

hexadecimal string number

AES Key Wrap

AES Key Wrap with Padding

Encryption Decryption

Encryption Decryption

CIPH as defined in SP800-38F: AES cipher function Inverse cipher function

CIPH as defined in SP800-38F: AES cipher function Inverse cipher function

Please select the settings for your KBKDF algorithm implementation(s).

KDF in Counter
Mode

Length of n in bits

8 16 24 32

CMAC-AES-128

HMAC-SHA-1

CMAC-AES-192

HMAC-SHA-224

CMAC-AES-256

HMAC-SHA-256

CMAC-TDES

HMAC-SHA-384

HMAC-SHA-512

HMAC-SHA3-224

HMAC-SHA3-256

HMAC-SHA3-384

HMAC-SHA3-512

Length (L) of Ko [

?Indicate L=length of Ko,
keying material outoput from KDF. Enter number of bytes. Enter all that apply. Length divisible
by
h (full block lengths).

]

Length (L) of Ko [

?Indicate L=length of Ko,
keying material outoput from KDF. Enter number of bytes. Enter all that apply. Length NOT
divisible
by h (partial block length).

]

Special Publication used to generate K:

SP800-56A SP800-56B SP800-90A N/A (out of scope)

Order of fixed input data [

?The
counter can come at the beginning, middle or end of the fixed input data. Indicate which way(s)
are
supported.

]

Counter comes... before fixed input after fixed input in the middle of
fixed input

KDF in Feedback
Mode

CMAC-AES-128

HMAC-SHA-1

CMAC-AES-192

HMAC-SHA-224

CMAC-AES-256

HMAC-SHA-256

CMAC-TDES

HMAC-SHA-384

HMAC-SHA-512

HMAC-SHA3-224

HMAC-SHA3-256

HMAC-SHA3-384

HMAC-SHA3-512

Does
NOT support zero length IVs

Length (L) of Ko [

?Indicate L=length of Ko,
keying material outoput from KDF. Enter number of bytes. Enter all that apply. Length divisible
by
h (full block lengths).

]

Length (L) of Ko [

?Indicate L=length of Ko,
keying material outoput from KDF. Enter number of bytes. Enter all that apply. Length NOT
divisible
by h (partial block length).

]

Special Publication used to generate K:

SP800-56A SP800-56B SP800-90A N/A (out of scope)

Counter is used in feedback mode

Length of n in bits

8
16 24 32

Order of fixed input data [

?The
counter can come at the beginning, middle or end of the fixed input data. Indicate which way(s)
are
supported.

]

Counter comes... before fixed input after fixed input in the middle
of
fixed input

KDF in Double Pipeline
Iteration Mode

CMAC-AES-128

HMAC-SHA-1

CMAC-AES-192

HMAC-SHA-224

CMAC-AES-256

HMAC-SHA-256

CMAC-TDES

HMAC-SHA-384

HMAC-SHA-512

HMAC-SHA3-224

HMAC-SHA3-256

HMAC-SHA3-384

HMAC-SHA3-512

Length (L) of Ko [

?Indicate L=length of Ko,
keying material outoput from KDF. Enter number of bytes. Enter all that apply. Length divisible
by
h (full block lengths).

]

Length (L) of Ko [

?Indicate L=length of Ko,
keying material outoput from KDF. Enter number of bytes. Enter all that apply. Length NOT
divisible
by h (partial block length).

]

Special Publication used to generate K:

SP800-56A SP800-56B SP800-90A N/A (out of scope)

Counter is used in pipeline mode

Length of n in bits

8
16 24 32

Order of fixed input data [

?The
counter can come at the beginning, middle or end of the fixed input data. Indicate which way(s)
are
supported.

]

Counter comes... before fixed input after fixed input in the middle
of
fixed input

?The length of the derived keying material in bits, MUST be represented in 32 bits for ACVP testing.

] uPartyInfo [

?Optional items such as ephemeralKey MUST be included when available for ACVP testing.

] vPartyInfo [

?Optional items such as ephemeralKey MUST be included when available for ACVP testing.

] Context [

?Random value chosen by ACVP server to represent the context.

] Algorithm ID [

?Random value chosen by ACVP server to represent the context.

] Label [

?Random value chosen by ACVP server to represent the context.

] Concatenation

Encoding

Concatenation

KDF Mode

Counter Feedback Double Pipeline

Fixed Data Order

None Before fixed data After fixed data Before iterator

Counter Length

8 16 24 32

Supported Length

[

?The supported derivation lengths (min and max). The value must be support the L value provided.

]

Supports Empty IV

Yes No

Requires Empty IV

Yes No

Key Confirmation

Supported Key Confirmation Roles

Provider Recipient

Supported types of Key Confirmation

Unilateral Bilateral [

?Provider and Recipient will be checked

]

Key Confirmation Method

MAC

Key Length [

?CMAC key length has to be 128, 192 or 256. All others can be 128-512 bits.

]

Mac Length [

?Value has to be between 64 and 512.

]

CMAC-AES-128

CMAC-AES-192

CMAC-AES-256

HMAC-SHA-224

HMAC-SHA-256

HMAC-SHA-384

HMAC-SHA-512

HMAC-SHA-512/224

HMAC-SHA-512/256

HMAC-SHA3-224

HMAC-SHA3-256

HMAC-SHA3-384

HMAC-SHA3-512

KMAC-128

KMAC-256

Length of Key to derive [

?The length of the key to derive (using a KDF) or transport (using a KTS scheme). This value should be large enough to accomodate the key length used for the mac algorithms in use for key confirmation. Minimum value without KC: 128 bits, minimum value with KC: 136 bits, maximum value: 1024 bits

]

Shared Secret Computation

SSC FFC Scheme Capabilities

Domain Parameter Generation Methods

dhHybrid1 mqv2 dhEphem [

?Key Confirmation not supported.

] dhHybridOneFlow mqv1 dhOneFlow [

?Can only provide unilateral key confirmation party V to party U.

?The length of the derived keying material in bits, MUST be represented in 32 bits for ACVP testing.

] uPartyInfo [

?Optional items such as ephemeralKey MUST be included when available for ACVP testing.

] vPartyInfo [

?Optional items such as ephemeralKey MUST be included when available for ACVP testing.

] Context [

?Random value chosen by ACVP server to represent the context.

] Algorithm ID [

?Random value chosen by ACVP server to represent the context.

] Label [

?Random value chosen by ACVP server to represent the context.

] Concatenation

Encoding

Concatenation

KDF Mode

Counter Feedback Double Pipeline

Fixed Data Order

None Before fixed data After fixed data Before iterator

Counter Length

8 16 24 32

Supported Length

[

?The supported derivation lengths (min and max). The value must be support the L value provided.

]

Supports Empty IV

Yes No

Requires Empty IV

Yes No

Key Confirmation

Supported Key Confirmation Roles

Provider Recipient

Supported types of Key Confirmation

Unilateral Bilateral [

?Provider and Recipient will be checked

]

Key Confirmation Method

MAC

Key Length [

?CMAC key length has to be 128, 192 or 256. All others can be 128-512 bits.

]

Mac Length [

?Value has to be between 64 and 512.

]

CMAC-AES-128

CMAC-AES-192

CMAC-AES-256

HMAC-SHA-224

HMAC-SHA-256

HMAC-SHA-384

HMAC-SHA-512

HMAC-SHA-512/224

HMAC-SHA-512/256

HMAC-SHA3-224

HMAC-SHA3-256

HMAC-SHA3-384

HMAC-SHA3-512

KMAC-128

KMAC-256

Length of Key to derive [

?The length of the key to derive (using a KDF) or transport (using a KTS scheme). This value should be large enough to accomodate the key length used for the mac algorithms in use for key confirmation. Minimum value without KC: 128 bits, minimum value with KC: 136 bits, maximum value: 1024 bits

]

Shared Secret Computation

SSC ECC Scheme Capabilities

Domain Parameter Generation Methods

ephemeralUnified [

?keyConfirmation not supported.

] fullMqv fullUnified onePassDh [

?Can only provide unilateral key confirmation party V to party U.

Please select the settings for your DRBG algorithm implementation.
Information on the values for the form fields below can be found in table 2 and 3 of SP800-90A.

Prerequisites

Prerequisite Algorithm

Same Implementation

Algorithm Validation #

Hash DRBG: SHA

HMAC DRBG: HMAC

CTR DRBG using TDES with Derivation Function: TDES

CTR DRBG using TDES without Derivation Function: TDES

CTR DRBG using AES with Derivation Function: AES

CTR DRBG using AES without Derivation Function: AES

Hash DRBG

Prediction Resitance Enabled Prediction Resitance Not Enabled

Reseed implemented

Entropy Input [

?Minimum value: maximum security strength. Maximum value: 2^{35}
bits.

]

Nonce Length [

?Minimum
value: HALF maximum security strength. Set to 0 if not supported.

]

Additional Input [

?Minimum value: maximum security strength. Maximum value: 2^{35}
bits. Set to 0 if not supported.

]

Personalization String [

?Minimum value: maximum security strength. Maximum value: 2^{35}
bits. Set to 0 if not supported.

]

Returned Bits Length [

?Please enter an integer bit value. No restrictions on size.

]

SHA-1

SHA-224

SHA-256

SHA-384

SHA 512

SHA-512/224

SHA-512/256

HMAC DRBG

Prediction Resitance Enabled Prediction Resitance Not Enabled

Reseed implemented

Entropy Input [

?Minimum value: maximum security strength. Maximum value: 2^{35}
bits.

]

Nonce Length [

?Minimum
value: HALF maximum security strength. Set to 0 if not supported.

]

Additional Input [

?Minimum value: maximum security strength. Maximum value: 2^{35}
bits. Set to 0 if not supported.

]

Personalization String [

?Minimum value: maximum security strength. Maximum value: 2^{35}
bits. Set to 0 if not supported.

]

Returned Bits Length [

?Please enter an integer bit value. No restrictions on size.

]

SHA-1

SHA-224

SHA-256

SHA-384

SHA 512

SHA-512/224

SHA-512/256

CTR DRBG

Prediction
Resitance Enabled Prediction Resitance Not Enabled

Reseed implemented

Entropy Input [

?Minimum value: maximum security strength. Maximum value: 2^{35}
bits.

]

Nonce Length [

?Minimum
value: HALF maximum security strength. Set to 0 if not supported.

]

Additional Input [

?Minimum value: maximum security strength. Maximum value: 2^{35}
bits. Set to 0 if not supported.

]

Personalization String [

?Minimum value: maximum security strength. Maximum value: 2^{35}
bits. Set to 0 if not supported.

]

Returned Bits Length [

?Please enter an integer bit value. No restrictions on size.