From the symmetric spec:

Currently the CCM -> AAD information does not account for the fact that AAD lengths of 2^16 can be tested. It may make sense to state that AAD lengths of 2^16 can be specified, as that is currently the maximum value allowed for testing purposes.

If ranges are implemented as suggested in #67, the aadLen registration could become:

{
	"aadLen": {
		"min": 0,
		"max": 65536
	}
}

In the above, test vectors would continue to be generated for aadLens of 0 through 32, but additional testing would also be done on 2^16. At this time, the additional testing would be minimal to help keep json sizes smaller.

Per Harold's email to the algotest mailing list:

"Hi All,
ephmeral-key.pdf

I have started the design and analysis for what the production architecture will look like for the NIST Validation server. As part of that work I encountered an issue dealing with how to store what could possibly be business proprietary information. The assumption here is that at least some (if not all) vendors may view the fact they are submitting tests for particular algorithms on a particular operating environment as business proprietary information and we (NIST) need to appropriately protect that information. Apostol suggested the idea of generating an ephemeral key (perhaps this is optional) that could be provided back to the client as part of the registration request and this key would then be used to encrypt the data at rest within our storage. This would protect the data in the event that an adversary were to gain access to our public facing database. We will have a protected zone outside the DMZ where the “real” work of generating test vectors and validating test results will happen. This zone will be able to use the ephemeral key to encrypt and decrypt information as needed, but will only have the ephemeral key for the limited period of time it needs to perform work. Once the work is completed, it will “forget” the key leaving the ACVP client as the only entity that will know the ephemeral key. Attached is a high-level sequence diagram that helps to illustrate what we are thinking about. We can discuss this and the attached diagram further on the call on Thursday, but I wanted to provide this material as “read-ahead” to help with the conversation.

Regards,

-Harold
"

A new issue from NIST Sprint 1:

The validation of partial test results offers some flexibility but creates substantial complications in managing validation status on the NIST server. We believe all benefits intended by this protocol feature can be attained in other ways that result in much simpler and robust validation server architecture. In order to simplify the storage and data processing on the ACV servers it would be beneficial to disallow the submission of partial test results. We would like to remove this capability from the protocol.

This might not be a good title, but through integration testing with AES-GCM it became apparent that different (CAVS) implementations of algorithms represent a zero length hex string differently. In AES-GCM, a zero length plaintext is represented as "", whereas in AES-CCM, the same is represented as "00".

It would be beneficial to decide on a consistent way to represent this, and @celic may have some additional input as it relates to SHA. Regardless of the decision, both the client and server should take into account the PropertyLen from the TestGroup when parsing hex strings. As it currently stands, that does not appear to be the case.

Need to expand error handling section.

Possible Error message:

{
   "acv_version" : "0.3",
   "error" : "Example error message goes here." 
}

Some example HTTP Error codes:
404 if a resource is not found (i.e. a Vector Set Id is provided and it does not exist)
400 if the input to the server is not correct
500 Internal Server Error (i.e. internal database connection issue)

Either individual users or a team. Don't know which way is better though.

Seems that there is an inconsistency in acvp_protocol section 11.5

11.5. Test Results Request

The client will send this request to learn the results for an individual vector set.

GET /validation/acvp/results?vsId=1 HTTP1.1
User Agent:
Host: www.my-acvpserver.com
Accept: /
HTTP 1.1 200 OK
Status: 200 OK
Content-Type: application/json
Content-Length: <length of results>
{
    "version" : "0.2",
    "results" : {
        "vsId" : 930,
        "disposition" : "incomplete",
        "tests" : [
            { "tcId" : 12340, "result" : "passed" },
            { "tcId" : 12341, "result" : "passed" },
            { "tcId" : 12342, "result" : "incomplete" },
            { "tcId" : 12343, "result" : "passed" }
        ]
    }
} 

The text prior to the block states it's the client request, which the top of it does appear to be a get request from the client. However, the JSON included in the block looks to be what the server would respond with, perhaps it was intended to be separated into two blocks to show client request -> server response?

Is this even used ?

User Agent: acvp-client/0.3

I took a look at the .3 spec of the symmetric specification thinking it would be similar to the .2 spec except for some naming differences and I noticed a fairly substantive change that caught me off-guard.

The “direction” JSON field is analogous to the .2 JSON field name “mode” and for some reason it was moved from being a child of a “test_group” object to being in the top-level and a peer/sibling of the “test_groups” field at the test vector level.

Within the protocol there is not a way to support the update of information surrounding the module.
For example a name change to the module, updating the description, updating the vendor or contact information, etc....

On a related note to #27 - some test vectors generated will have expected failures. A failure (in the example of AES-GCM) could be an invalid tag for the operation. In this case the original vector/tcId could look like:

{
    "tcId": 9999,
    "key": "FEFFE9928665731C6D6A8F9467308308",
    "iv": "CAFEBABEFACEDBADDECAF888",
    "ct": "42831EC2217774244B7221B784D0D49CE3AA212F2C02A4E035C17E2329ACA12E21D514B25466931C7D8F6A5AAC84AA051BA30B396A0AAC973D58E091473F5985",
    "aad": "3AD77BB40D7A3660A89ECAF32466EF97F5D3D58503B9699DE785895A96FDBAAF43B1CD7F598ECE23881B00E3ED0306887B0C785E27E8AD3F8223207104725DD4",
    "tag": "64C0232904AF398A5B67C10BD4205A35",  
},

Where the actual tag should be 64C0232904AF398A5B67C10B53A5024D (last 8 characters of the tag were reversed in the test case.)

In this case, we would expect the client to report a failure (in some manner) for the decryption operation, as the tag will be unverifiable.

How will a decryption result of "failure" be represented in the result JSON?

tag sent as "FAIL":

{
    "tcId": 9999,
    "iv": "CAFEBABEFACEDBADDECAF888",
    "pt": "D9313225F88406E5A55909C5AFF5269A86A7A9531534F7DA2E4C303D8A318A721C3C0C95956809532FCF0E2449A6B525B16AEDF5AA0DE657BA637B391AAFD255",
    "tag": "FAIL"
}

new property "success" or similar result:

{
    "tcId": 9999,
    "iv": "CAFEBABEFACEDBADDECAF888",
    "pt": "D9313225F88406E5A55909C5AFF5269A86A7A9531534F7DA2E4C303D8A318A721C3C0C95956809532FCF0E2449A6B525B16AEDF5AA0DE657BA637B391AAFD255",
    "tag": "64C0232904AF398A5B67C10BD4205A35",
    "failureTest" : true
}

Other possibilities?

A new issue from NIST Sprint 1:

Need to identify how to improve the description of the operation environment field contained within the registration step of the ACV protocol.

Some thoughts include:

• Need a unique identifier for the module/implementation;
• interoperable way to talk about OS, hardware platform, module;
• valid values list for OE.

The specification for the most part uses a bit representation in its "length" properties. The AES-CCM table:

Payload, IV/Nonce, Tag, and AAD are represented as bits in the AES-GCM and AES-XTS rows. However the values in AES-CCM are bytes, though that is not specified.

The AES-CCM values should probably be updated to be specified in bits to remain consistent. The disadvantage to going this route is the ranges of valid values, as well as (2^16)*8 for max AAD length is a much larger value.

Thoughts?

KAT is an existing term in other documentation and it would be desirable to switch the ACVP documentation to use another term/acronym that accurately communicates the test type while not colliding with other terms. My initial thought was something functional test, but any non-conflicting term is fine by me.

As the list of approved algorithms evolves over time, it would be nice to a have an ACVP server query that would return all approved algorithms/modes available for testing at a particular moment in time.

Under the current model, the client registers capabilities with the server with the underlying assumption that both the client and server know the valid options. However, it is conceivable in some cases the client may need to discover what is available for testing. Such a query would provide the needed information to the client.

Do we want to add a reason failure to the test results in section 11.4 for failed test cases? The JSON response would look something like this...

{
"version" : "0.2",
"results" : {
"vsId" : 1437,
"disposition" : "incomplete",
"tests" : [
{ "tcId" : 12340, "result" : "passed", "reason" : "" },
{ "tcId" : 12341, "result" : "incomplete", "reason" : "" },
{ "tcId" : 12342, "result" : "failed", "reason" : "Authentication tag failure" }
]
}
}

The "mode" value is no longer defined in the sub-spec. The length names are no longer plural.

"mode" : "both",
"ivGen" : "internal",
"ivGenMode" : "8.2.1",
"keyLens" : [
128,
256
],
"tagLens" : [
96
],
"ivLens" : [
96
],
"ptLens" : [
0,
128,
136
],
"aadLens" : [

Per agreement, adopt consistent terminology for test types across all specifications for v0.3.

Although JSON does not require it, as I am going through implementation I am wondering if we shouldn't require a particular field order. I am trying to be somewhat accepting and will ignore any unknown fields, but there are a few fields that I really need to know in a particular order. Largely, the order they are described in the specs are the order that I need. For the record, I am currently trying to process the input as a stream, if we cannot (or do not) want to specify the order then I will need to use a different implementation (not hard) but the consequence for us will be one of memory usage. I will need to load the whole file in memory and perform some random access. (The library I am using has the ability to create a tree-node representation and I can switch to that.)

A couple of examples:

• the acv_version field must be first or I don't know how to process the rest of the file.
• need the algorithm field before any of the other fields and so on

I do need to know sooner rather than later though how we want to address this moving forward.

Should we commit the current ACVP draft into this repo? I've started a sub-specification to define the JSON for symmetric ciphers. But the main ACVP draft isn't in the repo. Do we want to convert the main spec to RFC form first?

It looks to me the specs are ready to branch for v0.3. Let’s plan accordingly to rev up every spec to 0.3 prior to the branch. Once this is done and the v0.3 branch is created we need to rev the main line up to v0.4.

Please let me know what you think and which specs you are planning to touch.

Under 2.3. Supported Symmetric Algorithms
AES-EBC should be AES-ECB
TDES-EBC should be AES-ECB

Unfortunately, PR#105 undid the direction property updates introduced by PR#95 in the v_0.3 branch. Both protocol and sub_symmetric are affected. This needs to be fixed.

Per agreement, the symmetric spec shall use AFT, not KAT.

Right now, the SHA3 spec outlines 3 test types. "AFT", "MCT", and "variable". I propose changing "variable" to "VOT" (variable output test) in order to keep it in line with the existing test types while describing the test more accurately.

Just logging an issue to note that we will be switching from acvp.nist.gov to acvts.nist.gov for the domain name. We will likely want to update the examples to reflect this change. NOTE: The application context will remain the same, so that the URL will be:

https://acvts.nist.gov/acvp/validation/acvp/register

Should we consider adding the ACVP version to the URI. For instance, section 11 currently defines the URI as:
www://my-acpserver.com:123/validation/acvp/

We would change this to something like:
www://my-acpserver.com:123/validation/acvp/v0.2/

This would allow more deployment options for servers that needed to simultaneously support multiple versions of the protocol. This would be required for supporting legacy devices in the field.

It appears the spec would benefit from a "KeyingOption" (or similar) capability for specifying the type of tests to generate for a TDES registration.

The Keying Options as per http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-20.pdf are described as:

Three different keying options are allowed by the TDEA. The first option specifies that all the keys
are independent, i.e., KEY1, KEY2, and KEY3 are independent. This is referred to as Keying
Option 1 in FIPS PUB 46-3 – 1999 (and ANSI X9.52 – 1998). It will be referred to as 3-key
TDES in this document. The second option specifies that KEY1 and KEY2 are independent and
KEY3 is equal to KEY1, i.e., KEY1 and KEY2 are independent, KEY3 = KEY1. This is referred
to as Keying Option 2 in FIPS PUB 46-3 – 1999 (and ANSI X9.52 – 1998) and will be referred to
as 2-key TDES in this document. And the third option specifies that KEY1, KEY2 and KEY3 are
equal, i.e., KEY1=KEY2=KEY3. This is referred to as Keying Option 3 in FIPS PUB 46-3 – 1999
(and ANSI X9.52 – 1998 and will be referred to as 1-key TDES in this document. 1-key TDES is
equivalent to single DES.

Keying Options 1 and 2 are the only valid keying options for registration. Keying Option 3 is still used for performing KATs, but is not specified during registration.

Since AES-GCM is slated as the first algorithm to be implemented, I'll use it as an example. Given the current result sample JSON from acvp_sub_symmetric:

{
    "acvVersion": "0.2",
    "vsId": 1564,
    "testResults": [
        {
            "tcId": 2171,
            "iv": "01020304C077A707E56C22AC",
            "ct": "",
            "tag": "53B15E85E377F8B5B6BFC2DE915FD622"
        },
        {
            "tcId": 2172,
            "iv": "01020304D666587803BCBAD7",
            "ct": "",
            "tag": "E7B1F2D77D82C6EB3C9CEFF16C376D9C"
        },
        {
            "tcId": 2173,
            "iv": "01020304D3B09894BB14B6CF",
            "ct": "",
            "tag": "DFF22B329AC87B82726EBBF20E66EEE2"
        },
        {
            "tcId": 2174,
            "iv": "01020304D678FBCC2EA341A2",
            "ct": "",
            "tag": "BAFBFA38AD5D6C6E7C97D08DDEC26580"
        },
        {
            "tcId": 2186,
            "iv": "01020304C6A745B0C4C9F2D5",
            "ct": "",
            "tag": "429FD5A0DAB344EF69B594A44CCAD3EB"
        },
        {
            "tcId": 2187,
            "iv": "010203043E56946A9C9E18D7",
            "ct": "",
            "tag": "7DA8BA92D64071909972395C981C4567"
        },
        {
            "tcId": 2201,
            "iv": "0102030479FD178FEB555D99",
            "ct": "FA2AF4B01BA610DE3A3EDE0B88946E2D",
            "tag": "3E77B921DB447F541EB5CC508D74CE4E"
        },
        {
            "tcId": 2202,
            "iv": "01020304C70FB9D3B9E1E329",
            "ct": "568028D34EA82E8D30D1A3B952849A70",
            "tag": "3D20D5935D6D37F6EE82FE0D2C7006F8"
        },
        {
            "tcId": 2203,
            "iv": "010203040D66A6EEA797B757",
            "ct": "B2E10E2ECEC9FC3477841D3AED6469DB",
            "tag": "DEF33A719333CAADE8002752922EC124"
        },
        {
            "tcId": 2204,
            "iv": "010203045B6CDA4B5CA26883",
            "ct": "CF72C75B4E550AEA535750D6B16393DF",
            "tag": "370D1175CF36A72585F20B379D064BCF"
        },
        {
            "tcId": 2205,
            "iv": "010203041E9FD60F49957FF5",
            "ct": "A1F124EE6E98CAB776CCD601B7F65D6A",
            "tag": "F4D7D0D75FC9961A12B3C6A3E6379972"
        },
        {
            "tcId": 2206,
            "iv": "0102030474CBC83C647DBEAF",
            "ct": "2CE1129D3E2F25468A9EE13ED39C902C",
            "tag": "48F3D4D7EB4B9FCB924ACC05B3834F98"
        }
    ]
}

In above, it appears that all samples are "encrypt" samples, however "decrypt" test vectors/test cases will also be generated.

Decrypt test case possibility:

{
    "tcId": 9999,
    "key": "FEFFE9928665731C6D6A8F9467308308",
    "iv": "CAFEBABEFACEDBADDECAF888",
    "ct": "42831EC2217774244B7221B784D0D49CE3AA212F2C02A4E035C17E2329ACA12E21D514B25466931C7D8F6A5AAC84AA051BA30B396A0AAC973D58E091473F5985",
    "aad": "3AD77BB40D7A3660A89ECAF32466EF97F5D3D58503B9699DE785895A96FDBAAF43B1CD7F598ECE23881B00E3ED0306887B0C785E27E8AD3F8223207104725DD4",
    "tag": "64C0232904AF398A5B67C10B53A5024D",  
},

I would think the result for a decrypt test case would look something like:

{
    "tcId": 9999,
    "iv": "CAFEBABEFACEDBADDECAF888",
    "pt": "D9313225F88406E5A55909C5AFF5269A86A7A9531534F7DA2E4C303D8A318A721C3C0C95956809532FCF0E2449A6B525B16AEDF5AA0DE657BA637B391AAFD255",
    "tag": "64C0232904AF398A5B67C10B53A5024D"
}

Where ct (cipherText) is replaced with pt (plainText). Both "iv" and "tag" are not actually needed in a decrypt operation result, so those could potentially be removed.

Thoughts?

In Section 2.2 of the Symmetric sub-spec, the table contains a row for ptlen that references Section 2.3. This information appears to be missing from Section 2.3.

Additional detail is needed in the high-level protocol specification to describe the vectors and results URLs. Obviously, the specific details for each algorithm are in the algorithm sub-specifications, but a high-level description of what the expected inputs are (pointing out the details are in the sub specs) and expected response is needed.

The DRBG spec identifies the following as being part of the test group.
"derFunc":"yes",
"predResistance": "yes",
"entropyInputLen":"112",
"nonceLen":"56",
"persoStringLen":"112",
"additionalInputLen":"112",
but the the example does not reflect this.

Current example ....
{
"version": "0.2",
"vectorSetId": "1133",
"algorithm": "ctrDRBG",
"mode": "3KeyTDEA",
"derFunc":"yes",
"predResistance": "yes",
"entropyInputLen":"112",
"nonceLen":"56",
"persoStringLen":"112",
"additionalInputLen":"112",
"returnedBitsLen":"256",
"testGroups": [
{
"type": "long",
"tests": [
{
"tcId": "1815",

Correction needed is ...

Current example ....
{
"version": "0.2",
"vectorSetId": "1133",
"algorithm": "ctrDRBG",
"mode": "3KeyTDEA",
"derFunc":"yes",
"predResistance": "yes",
"entropyInputLen":"112",
"nonceLen":"56",
"persoStringLen":"112",
"additionalInputLen":"112",
"returnedBitsLen":"256",
"testGroups": [
{
"type": "long",
"tests": [
{
"tcId": "1815",

Correction should include.

{
"version": "0.2",
"vectorSetId": "1133",
"algorithm": "ctrDRBG",
"mode": "3KeyTDEA",
"derFunc":"yes",
"predResistance": "yes",
"entropyInputLen":"112",
"nonceLen":"56",
"persoStringLen":"112",
"additionalInputLen":"112",
"returnedBitsLen":"256",
"testGroups": [
"derFunc":"yes",
"predResistance": "yes",
"entropyInputLen":"112",
"nonceLen":"56",
"persoStringLen":"112",
"additionalInputLen":"112",
{
"type": "long",
"tests": [
{
"tcId": "1815",

Is anybody working on getting together a specification for hashing algorithms? This should be separate from the already included HMAC protocol.

If this hasn't been started yet, I can begin work on it. Otherwise, if someone has begun work on the document I can contribute to make sure it matches the server's expectations.

GCM-AES-XPN is a relatively new addition, and is not currently accounted for in the specification. The GCM validation document at http://csrc.nist.gov/groups/STM/cavp/documents/mac/gcmvs.pdf has been updated to include testing information for GCM-AES-XPN.

The additional information needed in GCM-AES-XPN registration is a salt - specifically whether or not that salt is generated internally or externally (similar to the current IV for AES-GCM). Additionally, GCM-AES-XPN only supports a 96 bit IV, and only supports key sizes of 128 and 256 bits.

Wanted to keep this as generic as possible (can update as details get fleshed out).

The spec does not currently account for CAVS parameters EntropyInputReseed and AdditionalInputReseed. Both of these parameters were utilized for tests with the following options:

Prediction Resistance Not Enabled = true
Reseeding not Implemented = false,

There is some potential confusion around why reseeding would be tested in a non PR scenario. While details and potential solutions are considered, this issue is here to track the conversation.

Just a few questions on DRBG Test vector handling ...
Take the following example from the spec ...

1. persoStringLen and additionalInputLen are 0 however the fields persoString and additionalInput are populated. Should they be ignored?

2. entropyInputPR and entropyInput will always be the same size?

3. Should "additionalInput" and "entropyInputPR" be displayed in an array called "predResistanceInput" ?

            {
              "version": "0.2",
              "vectorSetId": "1146",
              "algorithm": "hmacDRBG",
              "mode": "AES-256",
              "predResistance": "yes",
              "entropyInputLen":"256",
              "nonceLen":"128",
              "persoStringLen":"0",   ******
              "additionalInputLen":"0",  **** 
              "returnedBitsLen":"1024",
              "testGroups": [
                {
                  "type": "long",
                  "tests": [
                    {
                      "tcId": "2111",
                      "entropyInput":"ee3392c5f3de6f3f8c4f28d852afacd2cbaa89ed48d1c5d4311662962aa70a98",
                      "nonce":"b991a820fac75fd02642ad8fa651eda4",
                      "persoString":"30f3a50b0e2309dab93ea2aa095e5df8e4b2a42690572b31e53fb79a195481e5",
                      "additionalInput":"4ea46abe95b2e4184113f908ae30123207d481908b7af7ef348657bbf3b4a002",
                      "entropyInputPR": "e4413a2e404f12c644b0b1d7a49a0fbf3d8703d571ffd02168c11b4ade6fc903",
                      "additionalInput" : "61b7204c8fef294f2a9f2e73a83a8a7a04c38e3b3eaaed1b920abfceab912492",
                      "entropyInputPR" : "968ea185d1439fa2d67eb55ac93ba596b1ea679de7c6e44f80dc6f213455f1ed"
                      },
                    {
                      "tcId": "2112",
                      "entropyInput" : "a0ace75784b97224de2957e5f60dc85b25331fcf7901f37418d3c9de17ed4261",
                      "nonce": "b671308068fc7909a360c772f62a4c5e",
                      "persoString" : "338d5f2bd93262da154385e9ed90b7862e3c892f13e1d7d19924b2eb8b3bab21",
                      "additionalInput" : "7acd8bfae17ff4edbac3437817d6b3fce12a04c4034ac6bef0b1b88f7dcd7c85",
                      "entropyInputPR" : "47b26bbe93a5cc19a410523a072e04333f06c54af0049fc41e66213763020ef7",
                      "additionalInput" : "d4b24c74538e3a1083a2cc0a4414a9f558f0a2dc186e3b9a5294cd541acdad87",
                      "entropyInputPR" : "acb63f3b5995608a1331641cd43208444a9ec95e4bb2a438f614156b6a77c8c3"
                    }
                  ]
                }
              ]
   

}

4. If the array predResistanceInput is used, the test results
   "testResults": [
   {
   "tcId": "2111",
   "returnedBits": "e42130fd1d920a2bcd177c0de0d5834c9b05a6ecdf3bc46e3733869f762dc2e7d97357934d8061db033670c3739369924b321216c30b3e45d9bc8c0bad61d8fdc03dffd70725e793ebfe98bc15358764402f4e2c71be4acfad898649b51c5d2625374a61be2b59833d2dfcc593eddcffbac79016b22a992ae6f5f82bae194e06"

(Second generated value???)
"e42130fd1d920a2bcd177c0de0d5834c9b05a6ecdf3bc46e3733869f762dc2e7d97357934d8061db033670c3739369924b321216c30b3e45d9bc8c0bad61d8fdc03dffd70725e793ebfe98bc15358764402f4e2c71be4acfad898649b51c5d2625374a61be2b59833d2dfcc593eddcffbac79016b22a992ae6f5f82bae194e06"

},

In Section 3.2, tcId is defined as "Unique numeric identifier for the test case". Is this id unique within the context of the Test Group or all the Test Cases within the Test Vector?

Should we add a 'no-certificate' option to ACVP in the registration? There are cases where a company may want to validate a crypto implementation without getting a public certificate. Example scenarios are beta versions of unannounced products - the company may want to ensure the beta is good but does not want to preempt a public product release.

If this option is set, the validation server would perform all validation work except it would not publish a certificate. The server would only return a success, e.g. 200 OK, just like it is described in Section 11.4 of the current ACVP spec.

What do you all think?

Some algorithms may benefit from beginning to use a range object that allows for the specifying of a min and max value that is allowed for the parameter.

AES-CCM and SHAKE specifically use a range of values that are entered. If 0 min and 32 max are entered in the case of AES-CCM, all values between 0 and 32 are tested. A random sampling of values within the range is also feasible.

AES-GCM could also use this range object, as currently the aadLen array accepts up to 5 values, one can be a 0, 2 can be divisible by 128, and 2 are not divisible by 128. AES-GCM could begin accepting a min and max, and a separate flag for supportsNonBlockBoundryAadLen or similar.

This range value will potentially lead to a few new parameters, but should make things a bit more explicit, and hopefully easier to understand.

Example of current registration for AES-GCM:

{
	"aadLen": [0, 128, 256, 120, 248]
}

could become:

{
	"aadLen": {
		"min": 0,
		"max": 256
	},
	"supportsNonBlockBoundryAadLen": true
}

Thoughts?

Was there a reason why in section 2.3 of the Symmetric sub-spec that the AES-GCM AAD is not also range?

I would think range is fine across the board.

Instead of having individual prereq fields (the majority of which will be likely be null) for each algorithm, I think it would be preferable to have array of prereqs. For example, the ECDSA spec currently has...
shaVal
sha2Val
sha3Val
drgbVal
drbg2Val

This is not easy to read much less implement things like validation. Dealing with these in any capacity becomes 5 separate property reads with an inconsistent naming convention.

It would be better to have an array of prereqs, which not allows the easy use of loop, it reduces the data passed around to what is actually needed. It also allows the easy addition of additional prereqs if the need should arise. In the current model, if you want to add a third drbg prereq, that's an API change.

Suggest something along the lines of

prereqVals Prerequisite validations, see section 2.X.X array

Which would look like
[{algorithm: 'drbg', value: '1234'}, {algorithm: 'sha', value: 'same'}]

The allowed prereq algorithms would be supplied in the associated section and used to limit valid inputs.

Need to convert FCC to FFC in doc name and throughout the spec.

Currently we have these sections...
3. Test Vectors
3.1 Test Groups JSON Schema
3.2 Test Vectors JSON Schema

I believe this is confusing as Test Vector is used twice in the hierachy . Recommend we go to the following...
3. Test Vectors
3.1 Test Groups
3.2 Test Cases

and change all references to Test Vector in the Section 3.2 text to Test Case

Each test group contains an array of one or more test cases. Each test case is a JSON object that represents a single test case to be processed by the ACVP client. The following table describes the JSON elements for each test case.

Keccak was designed with little-endianness in mind. The algorithm expects little-endian messages and produces little-endian digests. Unfortunately this is not documented in FIPS-202 and SHA3VS. It should be documented in our spec for SHA3.

Hi,

The following:

     {
     "implementationDescription" : 
          "Sample crypto module for demonstrating ACV protocol."
     },

does not appear to be valid JSON, it is missing a comma then a label.

http://jsonlint.com/ reports:

Error: Parse error on line 18:
...ystem": "Linux 3.1" {				"implementatio
-----------------------^
Expecting 'EOF', '}', ':', ',', ']', got '{'

The MC Test for the different modes of symmetric ciphers relies on an algorithm with an initial state (e.g., key, IV, plaintext) - see for example http://csrc.nist.gov/groups/STM/cavp/documents/aes/AESAVS.pdf. The algorithm is different/specific for each mode.

Traditionally, CAVS supplied the initial value for the algorithm and the tested implementation was expected to implement the MCT algorithm, feed the initial condition in it and report the results from the execution.

The definition of the MCT is not well suited for expanding it into a series of simple test cases because the values for each test depend on the results from the previous test.

The current specification in sub_symmetric does not appear to have a handle for this type of test. A new type of test is needed for this

@jfigus if you see this differently, please chime in.

As we continue the development of ACVP, I thought it would be good to enable protection of the two main areas of work: master and v_0.3. Git information on branch protection is available here: https://help.github.com/articles/about-protected-branches/

Note that only the basic protection of these two branches is currently enabled: i) cannot force push and ii) cannot delete them. Hopefully, these protections are enough but if you feel some of the other optional features are needed, please chime in.

The protections currently enabled should have no effect on your work and please let me know if you encounter any issue.

I know we're getting close to our branch date of the spec, so wanted to get this out there just to get an opinion. We have several parts of the spec that state an expectation of a value with valid responses being yes or no; what are everyone's thoughts on using the primitive boolean instead?

I'm not (necessarily) suggesting this change be made prior to the branch, but was curious on what everyone's thoughts are - if it's wanted at all, and if it should be done before or after the branch.

Currently there is no indication in Section 3.1 Test Group or 3.2 Test of what function (encryption or decryption) is being tested. Believe this probably belongs in Section 3.1.

A new issue from NIST Sprint 1:

Need to establish some boundaries around when data will expire. This includes:
How long should registration/capabilities be available before test vectors are retrieved?
How long should test vectors be available after they are retrieved? It is it even necessary to keep them?
How long should a test id be active before it is no longer possible to submit test results?
Should the length of time be based on last interaction or total time taken?

Need to think how all these should be handled by the ACV protocol.