23
Japan Cryptographic Module Validation Program(JCMVP) Specifications of Cryptographic Algorithm Implementation Testing — Random Number Generators — June 22, 2018 ATR-01-E-EN Cryptographic Algorithm Implementation Testing Requirements INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN

Specifications of Cryptographic Algorithm …...1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num-ber

  • Upload
    others

  • View
    9

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Specifications of Cryptographic Algorithm …...1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num-ber

Japan Cryptographic Module Validation Program(JCMVP)

Specifications of Cryptographic AlgorithmImplementation Testing

— Random Number Generators —

June 22, 2018

ATR-01-E-ENCryptographic Algorithm Implementation Testing Requirements

INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN

Page 2: Specifications of Cryptographic Algorithm …...1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num-ber

Contents1 Introduction 11.1 Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.2 Outline of the JCATT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

2 Scope 22.1 Random Number Generators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

2.1.1 Deterministic Random Number Generators . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

3 The Tests Description of Random Number Generators 33.1 Deterministic Random Bit Generators specified in NIST SP800-90A . . . . . . . . . . . . . . . . . 3

3.1.1 Hash DRBG, HMAC DRBG, and CTR DRBG in NIST SP 800-90A . . . . . . . . . . . . . . 33.1.1.1 Deterministic Random Bit Generators specified in NIST SP800-90A, and corresponding

cryptographic algorithm implementation testing . . . . . . . . . . . . . . . . . . . . . . . 33.1.1.2 Interfaces for DRBG mechanisms for testing purpose . . . . . . . . . . . . . . . . . . . . 3

3.1.1.2.1 InstantiateTestIF function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33.1.1.2.2 ReseedTestIF function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43.1.1.2.3 GenerateTestIF function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53.1.1.2.4 UninstantiateTestIF function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

3.1.1.3 Test of all mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73.1.1.3.1 Test method 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73.1.1.3.2 Test method 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103.1.1.3.3 Test method 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

4 Conditions for Issuing Cryptographic Algorithm Validation Certificate 154.1 Details of Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

4.1.1 Deterministic random bit generators specified in NIST SP800-90A . . . . . . . . . . . . . . . . 15

References 20

i

Page 3: Specifications of Cryptographic Algorithm …...1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num-ber

1 IntroductionThis document describes the specifications of cryptographic algorithm implementation testing of the random num-ber generators.

1.1 OrganizationSection 2 specifies the random number generators that are in the scope of this document. Section 3 provides anoverview of the tests of each algorithm that make up the JCATT.

The following acronyms are used throughout this document.

• JCATT: Japan Cryptographic Algorithm implementation Testing Tool• IUT: Implementation Under Test

1.2 Outline of the JCATTThe Japan Cryptographic Algorithm implementation Testing Tool is designed:

• to test conformance to the cryptographic algorithm specifications,• to test each function of the cryptographic algorithm — for example, pseudo random number generation for

random number generators. —• to allow the testing of an IUT at locations remote to the JCATT. The JCATT and the IUT communicate data

via REQUEST and RESPONSE files.

Once configuration information has been provided, appropriate REQUEST files will be generated. REQUESTfiles are the means by which test data is communicated to the IUT. The IUT is used to process the data in theREQUEST file, and the resulting data is placed in a RESPONSE file. The data in the RESPONSE file is thenverified.

The specification of the file format is available in ref. [1] and the sample files are available in ref. [2].

Fig. 1.1 The Workflow of the Cryptographic Algorithm Implementation Testing

1/21

Page 4: Specifications of Cryptographic Algorithm …...1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num-ber

2 ScopeThis document specifies the tests required to validate IUTs implementing the following cryptographic algorithms.

2.1 Random Number Generators2.1.1 Deterministic Random Number Generators• Hash DRBG in NIST SP 800-90A

• HMAC DRBG in NIST SP 800-90A• CTR DRBG with DF in NIST SP 800-90A• CTR DRBG without DF in NIST SP 800-90A

2/21

Page 5: Specifications of Cryptographic Algorithm …...1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num-ber

3 The Tests Description of Random Number Generators

3.1 Deterministic Random Bit Generators specified in NIST SP800-90A3.1.1 Hash DRBG, HMAC DRBG, and CTR DRBG in NIST SP 800-90A3.1.1.1 Deterministic Random Bit Generators specified in NIST SP800-90A, and corresponding crypto-

graphic algorithm implementation testing

Detailed description is provided for the following Deterministic Random Bit Generators:

• Hash DRBG in NIST SP 800-90A• HMAC DRBG in NIST SP 800-90A• CTR DRBG with DF in NIST SP 800-90A• CTR DRBG without DF in NIST SP 800-90A

The Japan Cryptographic Algorithm implementation Testing Tool (JCATT) is designed to test the correct oper-ation for normal cases of a Deterministic Random Bit Generator specified in Sections 9 and 10 of NIST SP800-90A[3]. Those requirements not verified through the cryptographic algorithm implementation testing by JCATTwill be verified when the corresponding test requirements are clarified.

In NIST SP800-90A, it is prohibited to input the random seed to initialize the internal sate of DeterministicRandom Bit Generator (DRBG) from a DRBG consuming application. However, it is allowed to input the randomseed only through cryptographic algorithm implementation testing interface for validation test purpose.

Therefore, in 3.1.1.2 the cryptographic algorithm implementation testing interfaces are defined, which are exten-sion of DRBG mechanism functions specified in Section 9 of NIST SP800-90A. In 3.1.1.3, test methods 1∼3 aredefined by using cryptographic algorithm implementation testing interfaces defined in 3.1.1.2. These test methodsconform to NIST DRBGVS[4].

Also note that the description of test methods for DRBG in 3.1.1.3 is common to four types of DRBGs listedabove.

3.1.1.2 Interfaces for DRBG mechanisms for testing purpose

3.1.1.2.1 InstantiateTestIF function

Function overview

This function initializes the DRBG with the parameters provided for cryptographic algorithm implementationtesting.

Function prototype

(status,state handle) = InstatiateTestIF(requested instantiation security strength,prediction resistance f lag,personalization string,entropy input,nonce)

Return values

variable type explanationstatus - One of returned values of InstantiateTestIF function, which

is specified in 9.1 of NIST SP800-90A, either SUCCESS or akind of ERROR.

state handle integer One of returned values of InstantiateTestIF function, whichis a pointer to an instantiated DRBG instance and is specified in9.1 of NIST SP800-90A.

Parameters3/21

Page 6: Specifications of Cryptographic Algorithm …...1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num-ber

variable type explanationrequested instantiation security strength integer integer representing security strength in

bits supported by the DRBG instance,which is specified in 9.1 of NIST SP800-90A.

prediction resistance f lag integer variable indicating whether the predictionresistance is requested to the DRBG in-stance from a consuming application ofthe DRBG, which is specified in 9.1 ofNIST SP800-90A.

personalization string bitstring bitstring to personalize the DRBG in-stance from the other DRBG instances,which is specified in 9.1 of NIST SP800-90A.

Parameters for extented interface for testing purpose

variable type explanationentropy input bitstring input bitstring containing entropy, and its length in bits is

specified for each DRBG mechanism selected in Section 10of NIST SP800-90A. This parameter is fed for cryptographicalgorithm implementation testing. Originally entropy inputwas obtained as a return value of Get entropy input as shownin Step 6 of 9.1 of NIST SP800-90A. In order for crypto-graphic algorithm implementation testing, the interface wasextended so that the parameter can be set from the outside ofthe IUT.

nonce bitstring bitstring specified in 8.6.7 of NIST SP800-90A. This param-eter is fed for cryptographic algorithm implementation test-ing. Originally the parameter is generated inside of the IUTas described in Section 9 of NIST SP800-90A. In order forcryptographic algorithm implementation testing, the inter-face was extended so that the parameter can be set from theoutside of the IUT.

3.1.1.2.2 ReseedTestIF function

Function overview

This function reseeds the DRBG instance with the parameters provided for cryptographic algorithm implementa-tion testing.

Function prototype

status = ReseedTestIF(state handle,additional input,entropy input)

Return values

variable type explanationstatus - One of return values of ReseedTestIF function, which is spec-

ified in 9.2 of NIST SP800-90A, either SUCCESS or a kind ofERROR.

4/21

Page 7: Specifications of Cryptographic Algorithm …...1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num-ber

Parameters

variable type explanationstate handle integer One of returned values of ReseedTestIF function, which is

a pointer to a DRBG instance to be reseeded and is specifiedin 9.2 of NIST SP800-90A. The internal state of the DRBG isupdated through the invocation of ReseedTestIF function.

additional input bitstring Optional input bitstring and its length in bits is specifiedfor each DRBG mechanism selected in Section 10 of NISTSP800-90A.

Parameters for extented interface for testing purpose

variable type explanationentropy input bitstring bitstring containing entropy and its length in bits is speci-

fied for each DRBG mechanism selected in Section 10 ofNIST SP800-90A. This parameter is fed for cryptographicalgorithm implementation testing. Originally entropy inputwas obtained as a return value of Get entropy input as shownin Step 4 of 9.2 of NIST SP800-90A. In order for crypto-graphic algorithm implementation testing, the interface wasextended so that the parameter can be set from the outside ofthe IUT.

3.1.1.2.3 GenerateTestIF function

Function overview

This function generates pseudorandom bitstrings from the DRBG instance with the parameters provided for cryp-tographic algorithm implementation testing.

Function prototype

(status, pseudorandom bits) = GenerateTestIF(state handle,requested number o f bits,requested security strength,prediction resistance request,additional input,entropy input)

Return values

variable type explanationstatus - One for return values from GenerateTestIF function, which is

specified in 9.3.1 of NIST SP800-90A.pseudorandom bits bitstring pseudorandom bitstring generated through the invocation

of GenerateTestIF function, and its length in bits isrequested number o f bits.

Parameters

variable type explanation

5/21

Page 8: Specifications of Cryptographic Algorithm …...1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num-ber

state handle integer a pointer to the internal state of DRBGto be used for pseudo random numbergeneration, which is specified in 9.3.1of NIST SP800-90A. The internal stateis updated through the invocation ofGenerateTestIF function.

requested number o f bits integer The length of bitstring to be generated inbits, which is specified in 9.3.1 of NISTSP800-90A.

requested security strength integer The security strength assciated withpseudorandom bits, which is specified in9.3.1 of NIST SP800-90A.

prediction resistance request - a variable to indicate whether predictionresistance is requested, which is specifiedin 9.3.1 of NIST SP800-90A.

additional input bitstring Optional input bitstring, and its length inbits is specified for each DRBG mech-anism selected in Section 10 of NISTSP800-90A.

Parameters for extented interface for testing purpose

variable type explanationentropy input bitstring bitstring containing entropy, and its length in bits are spec-

ified in Section 10 of NIST SP800-90A for each DRBGmechanism selected. This parameter is fed for cryptographicalgorithm implementation testing. Originally entropy inputwas obtained as a return value of Get entropy input asshown in Step 4 of 9.2 of NIST SP800-90A in casewhen prediction resistance request is set or in case whenreseed counter meets or surpasses reseed interval definedin Section 10 of NIST SP800-90A. In order for crypto-graphic algorithm implementation testing, the interface wasextended so that the parameter can be set from the outside ofthe IUT. In order for cryptographic algorithm implementa-tion testing, the interface was extended so that the parametercan be set from the outside of the IUT and finally be passedto ReseedTestIF function.

3.1.1.2.4 UninstantiateTestIF function

Function overview

This function zeroises the specified DRBG instance.

Function prototype

status = UninstantiateTestIF(state handle)

Return values

variable type explanation

6/21

Page 9: Specifications of Cryptographic Algorithm …...1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num-ber

status - The return value of UninstantiateTestIF function, which isspecified in 9.4 of NIST SP800-90A.

Parameters

variable type explanationstate handle integer a pointer to the internal state of DRBG to be zeroised, which is

specified in 9.4 of NIST SP800-90A. The internal state of DRBGis zeroised through the invocation of UninstantiateTestIF

function.

3.1.1.3 Test of all mechanisms

3.1.1.3.1 Test method 1

Overview of Test method 1

Test method 1 is the default test for implementations where prediction resistance is enabled. In this test, pseudo-random bits are generated based on the algorithm described later, from the following input bitstrings specified in arequest file:

• additional input• entropy input• nonce• personalization string

In Test method 1, random bitstrings are specified for these parameters in the request file.

Symbols

Symbol Type Explanationadditional inputi, j bitstring (i, j)-th element in the set of addtional input.

entropy input PRi, j bitstring (i, j)-th element in the set of entropy inputused as an input parameter to GenerateTestIFfunction. In Test method 1, random values areprovided through a request file.

entropy inputi bitstring i-th element in the set of entropy input used asan input parameter to InstantiateTestIF func-tion. In Test method 1, random values are pro-vided through a request file.

i integer 0 ≤ i ≤ number o f trials−1j integer 0 or 1.noncei bitstring i-th element in the set of nonce. In Test method

1, random values are provided through a re-quest file.

number o f bits integer parameter used to invoke GenerateTestIF func-tion.

number o f trials integer number of invocations to instantiate a DRBGinstance.

outlen integer bit length of output of underlying crypto-graphic algorithm. For example, the value 256is assigned for HMAC DRBG using HMAC-SHA-256.

personalization stringi bitstring i-th element in the set of personalization string

7/21

Page 10: Specifications of Cryptographic Algorithm …...1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num-ber

prediction resistance f lag integer variable to indicate whether prediction resis-tance is requested to the DRBG instance froma consuming application of the DRBG. Whenprediction resistance is requested, 1 is as-signed to the value, for the other cases, 0 isassigned.

PR request integer variable to indicate whether prediction resis-tance is requested. When prediction resistanceis requested, 1 is assigned to the value, for theother cases, 0 is assigned. In Test method 1, 1is assigned.

pseudorandom bitsi, j bitstring (i, j)-th element in the set of pseudorandombits generated through the invocation of Gen-erateTestIF function, and will be output to re-sponse file.

requested number o f bits integer variable to retain the bit length of pseudoran-dom bits to be generated.

state handle integer pointer to a DRBG instance.status - return value from a testing interface. JCATT

does not check the status because JCATT doesnot provide input parameters which wouldcause any ERROR.

strength integer security strength supported by the DRBG.

Note1. Shaded items ( ) will be provided through a request file.

8/21

Page 11: Specifications of Cryptographic Algorithm …...1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num-ber

Pseudocode for Test method 1

Algorithm 11: prediction resistance f lag = 1

▷ instantiate a DRBG instance with prediction resistance enabled

2: PR request = 1 ▷ set prediction resistance enabled

3: for i = 0 to number o f trials−1 do

4: (status,state handle) = InstantiateTestIF(strength,

prediction resistance f lag,

personalization stringi,

entropy inputi,

noncei) ▷ Initialize the internal state

5: for j = 0 to 1 do

6: number o f bits = requested number o f bits

▷ set the bit length of random bits to be generated as specified in a request file

7: (status, pseudorandom bitsi, j) = GenerateTestIF(state handle,

number o f bits,

strength,

PR request,

additional inputi, j,

entropy input PRi, j)

▷ generate pseudorandom bits

8: if j ̸= 0 then

9: Output(pseudorandom bitsi, j)

▷ record the pseudorandom bits generated for the second invocation and later to a response file

10: end if

11: end for

12: status = UninstantiateTestIF(state handle) ▷ zeroises the internal state

13: end for

9/21

Page 12: Specifications of Cryptographic Algorithm …...1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num-ber

3.1.1.3.2 Test method 2

Overview of Test method

Test method 2 is the default test for implementations with reseed capability but where prediction resistance is notenabled. In this test, pseudorandom bits are generated based on the algorithm described later.

Symbols

Symbol Type Explanationadditional inputi, j bitstring (i, j)-th element in the set of addtional input

used as an input parameter to GenerateTestIFfunction.

additional input on reseedi, j bitstring (i, j)-th element in the set of addtional inputused as an input parameter to ReseedTestIFfunction.

entropy inputi bitstring i-th element in the set of entropy input used asan input parameter to InstantiateTestIF func-tion.

entropy input on reseedi, j bitstring (i, j)-th element in the set of entropy inputused as an input parameter to ReseedTestIFfunction.

i integer 0≤ i ≤ number o f trials−1.j integer 0, 1, or 2.noncei bitstring i-th element in the set of nonce.

number o f bits integer parameter used to invoke GenerateTestIF func-tion.

Null bitstring empty bitstring.number o f trials integer number of invocations to instantiate a DRBG

instance.outlen integer bit length of output of underlying crypto-

graphic algorithm. For example, the value 256is assigned for HMAC DRBG using HMAC-SHA-256.

personalization stringi bitstring i-th element in the set of personalization stringprediction resistance f lag integer variable to indicate whether prediction resis-

tance is requested to the DRBG instance froma consuming application of the DRBG. Whenprediction resistance is requested, 1 is as-signed to the value, for the other cases, 0 isassigned.

PR request integer variable to indicate whether prediction resis-tance is requested. When prediction resistanceis requested, 1 is assigned to the value, for theother cases, 0 is assigned. In Test method 2, 0is assigned.

pseudorandom bitsi, j bitstring (i, j)-th element in the set of pseudorandombits generated through the invocation of Gen-erateTestIF function, and will be output to re-sponse file.

requested number o f bits integer variable to retain the bit length of pseudorambits to be generated.

state handle integer pointer to a DRBG instance.

10/21

Page 13: Specifications of Cryptographic Algorithm …...1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num-ber

status - return value from a testing interface. JCATTdoes not provide input parameters whichwould cause any ERROR.

strength integer security strength supported by the DRBG.

Note1. Shaded items ( ) will be provided through a request file.

11/21

Page 14: Specifications of Cryptographic Algorithm …...1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num-ber

Pseudocode for Test method 2

Algorithm 21: prediction resistance f lag = 0

▷ instantiate a DRBG instance with prediction resistance disabled2: PR request = 0 ▷ set the flag so as not to request prediction resistance3: for i = 0 to number o f trials−1 do4: (status,state handle) = InstantiateTestIF(strength,

prediction resistance f lag,personalization stringi,

entropy inputi,noncei) ▷ initialize the internal state

5: for j = 0 to 2 do6: number o f bits = requested number o f bits

▷ set the bit length of random bits to be generated as specified in a request file7: if j = 0 then8: status = ReseedTestIF(state handle,

additional input on reseedi, j,

entropy input on reseedi, j) ▷ invoke Reseed function9: else

10: (status, pseudorandom bitsi, j) = GeneterateTestIF(state handle,number o f bits,strength,PR request,additional inputi, j,Null)

▷ generate pseudorandom bits11: end if12: if j = 2 then13: Output(pseudorandom bitsi, j)

▷ record the pseudorandom bits generated for the second invocation and later to a response file14: end if15: end for16: status = UninstantiateTestIF(state handle) ▷ zeroises the internal state17: end for

12/21

Page 15: Specifications of Cryptographic Algorithm …...1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num-ber

3.1.1.3.3 Test method 3

Overview of Test method

Test method 3 is the default test for implementations without reseed capability. In this test, pseudorandom bits aregenerated based on the algorithm described later.

Symbols

Symbol Type Explanationadditional inputi, j bitstring (i, j)-th element in the set of addtional input

used as an input parameter to GenerateTestIFfunction.

entropy inputi bitstring i-th element in the set of entropy input used asan input parameter to InstantiateTestIF function.

i integer 0 ≤ i ≤ number o f trials−1.j integer 0 or 1.noncei bitstring i-th element in the set of nonce.

Null bitstring empty bitstring.number o f bits integer parameter used to invoke GenerateTestIF func-

tion.number o f trials integer number of invocations to instantiate a DRBG in-

stance.outlen integer bit length of output of underlying cryptographic

algorithm. For example, the value 256 is as-signed for HMAC DRBG using HMAC-SHA-256.

personalization stringi bitstring i-th element in the set of personalization stringprediction resistance f lag integer variable to indicate whether prediction resistance

is requested to the DRBG instance from a con-suming application of the DRBG. When predic-tion resistance is requested, 1 is assigned to thevalue, for the other cases, 0 is assigned.

PR request integer variable to indicate whether prediction resistanceis requested. When prediction resistance is re-quested, 1 is assigned to the value, for the othercases, 0 is assigned. In Test method 3, 0 is as-signed.

pseudorandom bitsi, j bitstring (i, j)-th element in the set of pseudorandombits generated through the invocation of Gener-ateTestIF function, and will be output to responsefile.

requested number o f bits integer variable to retain the bit length of pseudoram bitsto be generated.

state handle integer pointer to a DRBG instance.status - return value from a testing interface. JCATT

does not provide input parameters which wouldcause any ERROR.

strength integer security strength supported by the DRBG.

Note1. Shaded items ( ) will be provided through a request file.

13/21

Page 16: Specifications of Cryptographic Algorithm …...1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num-ber

Pseudocode for Test method 3

Algorithm 31: prediction resistance f lag = 0

▷ instantiate a DRBG instance with prediction resistance disabled

2: PR request = 0 ▷ set the flag so as not to request prediction resistance

3: for i = 0 to number o f trials−1 do

4: (status,state handle) = InstantiateTestIF(strength,

prediction resistance f lag,

personalization stringi,

entropy inputi,

noncei) ▷ initialize the internal state

5: for j = 0 to 1 do

6: number o f bits = requested number o f bits

▷ set the bit length of random bits to be generated as specified in a request file

7: (status, pseudorandom bitsi, j) = GeneterateTestIF(state handle,

number o f bits,

strength,

PR request,

additional inputi, j,

Null)

▷ generate pseudorandom bits

8: if j ̸= 0 then

9: Output(pseudorandom bitsi, j)

▷ record the pseudorandom bits generated for the second invocation and later to a response file

10: end if

11: end for

12: status = UninstantiateTestIF(state handle) ▷ zeroises the internal state

13: end for

14/21

Page 17: Specifications of Cryptographic Algorithm …...1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num-ber

4 Conditions for Issuing Cryptographic Algorithm Validation Certificate

4.1 Details of ConditionsRequirements and default values of the parameters used for cryptographic algorithm implementation testing areshown in Table 4.1∼Table4.5. In these tables, the first columns indicate the functions to be tested. There are twoclasses of functions. One is the class of mandatory functions for validation. The other is the class of optionalfunctions. Mandatory functions are indicated by highlighted text in these tables.

For random number generators, the conditions for issuing cryptographic algorithm validation certificate are:

• IUT shall implement at least one mandatory function.• IUT shall pass the cryptographic algorithm implementation test.

4.1.1 Deterministic random bit generators specified in NIST SP800-90ARequirements and default values of the parameters used for cryptographic algorithm implementation testing areshown in Tables 4.1∼ 4.5 Here, the following caveat will be described in cryptographic algorithm verificationcertificates: “The cryptographic algorithm implementation identified in this cryptographic algorithm verificationcertificate has passed the cryptographic algorithm implementation testing for normal cases of algorithm specifiedin Section 9 of NIST SP800-90A, DRBG Mechanism Functions.”

Table 4.1: Selectable underlying cryptographic algorithm and security strength for testing DRBG(Hash DRBG in NIST SP 800-90A)

test target function Parameter Default ConditionsAll

Com

mon

toTe

stm

etho

d1∼

3 Underlying SHA-256 either of the followingmechanisms algorithm • SHA-1

• SHA-224• SHA-256• SHA-384• SHA-512• SHA-512/224• SHA-512/256

strength 256 When SHA-1 is selected, either of the following• 112• 128When SHA-224 , or SHA-512/224 is selected, either ofthe following• 112• 128• 192When SHA-256, SHA-384, SHA-512 , or SHA-512/256 is selected, either of the following• 112• 128• 192• 256

15/21

Page 18: Specifications of Cryptographic Algorithm …...1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num-ber

Table 4.2: Selectable underlying cryptographic algorithm and security strength for testing DRBG(HMAC DRBG in NIST SP 800-90A)

test target function Parameter Default ConditionsAll

Com

mon

toTe

stm

etho

d1∼

3 Underlying HMAC-SHA-256 either of the followingmechanisms algorithm • HMAC-SHA-1

• HMAC-SHA-224• HMAC-SHA-256• HMAC-SHA-384• HMAC-SHA-512• HMAC-SHA-512/224• HMAC-SHA-512/256

strength 256 When HMAC-SHA-1 is selected, either of the following• 112• 128When HMAC-SHA-224 , or HMAC-SHA-512/224 isselected, either of the following• 112• 128• 192When HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 , HMAC-SHA-512/256 is selected, either ofthe following• 112• 128• 192• 256

16/21

Page 19: Specifications of Cryptographic Algorithm …...1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num-ber

Table 4.3: Selectable underlying cryptographic algorithm, security strength, and ctr len for testingDRBGs(CTR DRBG with DF, CTR DRBG without DF in NIST SP 800-90A)

test target function Parameter Default ConditionsAll

Com

mon

toTe

stm

etho

d1∼

3 Underlying AES-256 either of the followingmechanisms algorithm • 3-key Triple DES

• AES-128• AES-192• AES-256

strength 256 When 3-key Triple DES is selected, 112.When AES-128 is selected, either of the following• 112• 128When AES-192 is selected, either of the following• 112• 128• 192When AES-256 is selected, either of the following• 112• 128• 192• 256

ctr len 128 • When 3-key Triple DES is selected, 4≤ x ≤ 64.• When AES-128, AES-192, or AES-256 is selected,4≤ x ≤ 128.

17/21

Page 20: Specifications of Cryptographic Algorithm …...1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num-ber

Table 4.4: Default parameters and input conditions for DRBGs common to Test method 1∼3(Hash DRBG, HMAC DRBG, CTR DRBG with DF in NIST SP 800-90A)

test target function Parameter Default Conditionsminimum bit length of 0 • multiple of 8additional input • ≤ 2ˆ 12

• less than or equal to the maximum bit lengthof additional input

maximum bit length of 1024 •multiple of 8additional input • ≤ 2ˆ 12

• greater than or equal to the minimum bitlength of additional input

bit length of entropy input 512 • multiple of 8• ≤ 2ˆ 12• ≥ strength

All

Com

mon

toTe

stm

etho

d1∼

3 bit length of nonce 128 • multiple of 8mechanisms • ≤ 2ˆ 12

• ≥ 12 strength

number o f trials 100 • 15≤ x ≤ 1000minimum bit length of 0 • multiple of 8personalization string • ≤ 2ˆ 12

• less than or equal to the maximum bit lengthof personalization string

maximum bit length of 1024 • multiple of 8personalization string • ≤ 2ˆ 12

• greater than or equal to minimum bit lengthof personalization string

requested number o f bits 4 ×outlen For Hash DRBG or HMAC DRBG,• non-negative integral multiple of outlen, butless than 256 ×outlenFor CTR DRBG with DF,• non-negative integral multiple of outlen,but less than or equal to min((2ctr len − 4),256) ×outlen

18/21

Page 21: Specifications of Cryptographic Algorithm …...1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num-ber

Table 4.5: Default parameters and input conditions for DRBGs common to Test method 1∼3(CTR DRBG without DF in NIST SP 800-90A)

test target function Parameter Default Conditionsminimum bit length of 0 • multiple of 8additional input • less than or equal to the

maximum bit length ofadditional input

All maximum bit length of bit length of entropy input -mechanisms additional input

• for 3-key Triple DES, 232

Com

mon

toTe

stm

etho

d1∼

3 • for AES-128, 256• for AES-192, 320• for AES-256, 384

bit length of nonce 0 -number o f trials 100 • 15≤ x ≤ 1000minimum bit length of 0 • non-negative integral multiple

of 8personalization string • less than or equal to the

maximum bit length ofpersonalization string

maximum bit length of bit length of entropy input -personalization stringrequested number o f bits • for 3-Key Triple DES, 256 • less than min((2ctr len −

4),256) -times of outlen• for AES, 512

19/21

Page 22: Specifications of Cryptographic Algorithm …...1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num-ber

Supplementary ProvisionThis procedure shall come into force as of April 1, 2009, and shall be applicable as of April 1, 2009.

Supplementary ProvisionThis procedure shall come into force as of September 30, 2009, and shall be applicable as of September 30, 2009.

Supplementary ProvisionThis procedure shall come into force as of June 22, 2018, and shall be applicable as of June 22, 2018.

References[1] Information-technology Promotion Agency, Japan, JCATT File Format Specification — Pseudo Random

Number Generators —[in Japanese], https://www.ipa.go.jp/security/jcmvp/documents/open/

jcatt/format/jcatt_fileformat_e.zip

[2] Information-technology Promotion Agency, Japan, JCATT Sample Files — Pseudo Random NumberGenerators —, https://www.ipa.go.jp/security/jcmvp/documents/open/jcatt/sample/jcatt_sample_e.zip

[3] Elaine Barker and John Kelsey, Recommendation for Random Number Generation Using Deterministic Ran-dom Bit Generators, National Institute of Standards and Technology, June, 2015. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf

[4] Sharon Keller, Timothy A. Hall, The NIST SP 800-90A Deterministic Random Bit Generator ValidationSystem (DRBGVS), National Institute of Standards and Technology, October 29, 2015.

20/21

Page 23: Specifications of Cryptographic Algorithm …...1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num-ber

Revision RecordID ATR-01-E-EN

Date of Revision Prepared / Approved by Revision DetailsApril 1, 2009 Hashimoto / Nakata Newly Created

September 30, 2009 Hashimoto / Nakata Partially Revised(Removed PRNGs based on ISO/IEC18031 due tothe update of the list of approved security func-tion.)

February 29, 2012 Sakurai / Nakata Partially Revised(Specification of tests for DRBGsspecified in NIST SP 800-90A was added)

June 22, 2018 Sakurai / Eguchi Partially Revised(Specification of tests for RNGsnot specified in NIST SP800-90Awas removed.ctr len was added for input parameters toCTR DRBG in response toNIST SP800-90A Rev.1)

21/21