| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 9/15/2029 |
| Caveat | Interim validation. When installed, initialized and configured as specified in Section 11.1 of the Security Policy. No assurance of the minimum strength of generated SSPs (e.g., keys) |
| Vendor | PQShield LTD |
| Hardware versions | N/A |
| Product page | https://pqshield.com/products/pqc-cor/ |
|---|---|
| Support page | https://pqshield.com/products/ partial support |
| Documentation | https://pqshield.com/products/certifications/ |
| https://pqshield.com/embedded-post-quantum-cryptography-library-pqcryptolib/ | |
| Assessment | Public product pages and a certifications page describe PQCryptoLib-Core fully; the library, SDK, and integration docs are provided under a commercial engagement / NDA rather than a public portal. |
| Algorithm | ACVP Cert |
|---|---|
| ECDSA KeyGen (FIPS186-4) | A3011 |
| ECDSA KeyVer (FIPS186-4) | A3011 |
| ECDSA SigGen (FIPS186-4) | A3011 |
| ECDSA SigVer (FIPS186-4) | A3011 |
| Hash DRBG | A3011 |
| HMAC-SHA2-224 | A3011 |
| HMAC-SHA2-256 | A3011 |
| HMAC-SHA2-384 | A3011 |
| HMAC-SHA2-512 | A3011 |
| HMAC-SHA3-224 | A3011 |
| HMAC-SHA3-256 | A3011 |
| HMAC-SHA3-384 | A3011 |
| HMAC-SHA3-512 | A3011 |
| KAS-ECC CDH-Component | A3011 |
| KAS-ECC-SSC Sp800-56Ar3 | A3011 |
| KDA HKDF SP800-56Cr2 | A3011 |
| KDA TwoStep SP800-56Cr2 | A3011 |
| KDF SP800-108 | A3011 |
| SHA2-224 | A3011 |
| SHA2-256 | A3011 |
| SHA2-384 | A3011 |
| SHA2-512 | A3011 |
| SHA3-224 | A3011 |
| SHA3-256 | A3011 |
| SHA3-384 | A3011 |
| SHA3-512 | A3011 |
| SHAKE-128 | A3011 |
| SHAKE-256 | A3011 |
| TLS v1.3 KDF | A3011 |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Cryptographic Module Interfaces | 1 |
| Software/Firmware Security | 1 |
| Operational Environment | 1 |
| Physical Security | N/A |
| Non-Invasive Security | N/A |
| Sensitive Security Parameter Management | 1 |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
| Mitigation of Other Attacks | N/A |
flowchart LR
%% Deterministic review-risk graph for PQCryptoLib
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>upgrade</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>no library/version identified</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for PQCryptoLib
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>upgrade</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;PQCryptoLib PQShield LTD PQCryptoLib Non-Proprietary FIPS 140-3 Security Policy Document Version: v1.0.0 Date: 26 July 2024 Document Version 1.0.0 PQShield Public Material
PQCryptoLib Table of Contents 1. 2. 2.1 2.2 2.3 2.3.1 2.3.2 2.4 2.4.1 2.5 3. 4. 4.1 4.2 4.3 5. 6. 7. 8. 9. 9.1 9.2 9.3 10. 11. 11.1 11.2 11.3 11.4 12. Document Version 1.0.0 PQShield Public Material
PQCryptoLib 13. Document Version 1.0.0 PQShield Public Material
PQCryptoLib List of Tables Table 7
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic Module Specification | 1 |
| 3 | 3 | Cryptographic Module Interfaces | 1 |
| 4 | 4 | Roles, Services and, Authentication | 1 |
| 5 | 5 | Software/Firmware Security | 1 |
| 6 | 6 | Operational Environment | 1 |
| 7 | 7 | Physical Security | N/A |
| 8 | 8 | Non-Invasive Security | N/A |
| 9 | 9 | Sensitive Security Parameter Management | 1 |
| 10 | 10 | Self-Tests | 1 |
| 11 | 11 | Life-Cycle Assurance | 1 |
| 12 | 12 | Mitigation of Other Attacks | N/A |
| Overall | Overall | 1 |
PQCryptoLib hereafter denoted the Module. The Module is a library of cryptographic primitives with a C interface offering security against quantum adversaries. PQShield is a spin-out of the University of Oxford which provides expertise in the design and implementation of quantum-resistant cryptography for software and hardware applications. The FIPS 140-3 security levels for the Module are as follows: Table 1
| Name | Operating System | Hardware Platform | Hardware Version | Software Version | Processor | Paa Pai | Features | Package | Integrity Test | # |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Ubuntu 20.04 LTS | Dell PowerEdge 740 | Intel® Xeon® Platinum 8276 CPU (SkyLake) | with PAA | 1 | |||||
| 2 | Ubuntu 20.04 LTS | Dell PowerEdge 740 | Intel® Xeon® Platinum 8276 CPU (SkyLake) | without PAA | 2 | |||||
| 1 | N/A | 1.0.0 | N/A | libpqcrypto.so.1.0.0 | HMAC-SHA2-512 | 1 | ||||
| 1 | Debian 11 (bullseye) | Dell PowerEdge 740 | 1 | |||||||
| 2 | Ubuntu 22.04 LTS | Dell PowerEdge 740 | 2 |
| Name | Operating System | Hardware Platform | Hardware Version | Software Version | Processor | Paa Pai | Features | Package | Integrity Test | # |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Ubuntu 20.04 LTS | Dell PowerEdge 740 | Intel® Xeon® Platinum 8276 CPU (SkyLake) | with PAA | 1 | |||||
| 2 | Ubuntu 20.04 LTS | Dell PowerEdge 740 | Intel® Xeon® Platinum 8276 CPU (SkyLake) | without PAA | 2 | |||||
| 1 | N/A | 1.0.0 | N/A | libpqcrypto.so.1.0.0 | HMAC-SHA2-512 | 1 | ||||
| 1 | Debian 11 (bullseye) | Dell PowerEdge 740 | 1 | |||||||
| 2 | Ubuntu 22.04 LTS | Dell PowerEdge 740 | 2 |
| Name | Operating System | Hardware Platform | Hardware Version | Software Version | Processor | Paa Pai | Features | Package | Integrity Test | # |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Ubuntu 20.04 LTS | Dell PowerEdge 740 | Intel® Xeon® Platinum 8276 CPU (SkyLake) | with PAA | 1 | |||||
| 2 | Ubuntu 20.04 LTS | Dell PowerEdge 740 | Intel® Xeon® Platinum 8276 CPU (SkyLake) | without PAA | 2 | |||||
| 1 | N/A | 1.0.0 | N/A | libpqcrypto.so.1.0.0 | HMAC-SHA2-512 | 1 | ||||
| 1 | Debian 11 (bullseye) | Dell PowerEdge 740 | 1 | |||||||
| 2 | Ubuntu 22.04 LTS | Dell PowerEdge 740 | 2 |
PQCryptoLib 2. Cryptographic Module Specification The Module is classified as a software cryptographic module. It is a software library of cryptographic primitives with unified and easy to use API. The Module is intended for use by US Federal agencies or other markets that require FIPS 140-3 validated general purpose cryptographic library running on GPC. 2.1 Operational Environment A. Software module PQCryptoLib cryptographic module is tested on the following operational environment. Table 2
PQCryptoLib 2.2 Cryptographic Boundary The Module is a software library providing cryptographic services through application program interface (API) for use by Applications running in the user space of underlying operating system. The Module’s embodiment is defined as multi-chip standalone. The Figure 1 shows the cryptographic boundary of the Module, its interfaces with the tested operational environment’s physical perimeter (TOEPP) and flow of information between the Module and operator (a calling function of an Application using services of the Module). The software library is called libpqcrypto.so.1.0.0 (software version 1.0.0) that is intended to link with the Application. The Module can run in a multi- threaded environment, it requires POSIX thread library (pthread). The Module may call the CPU directly, that is done by performance optimized functions and to get entropy from the CPU. The module performs no communications other than with the calling application, tested operational environment and the CPU. Figure 1 - Module Block Diagram: Logical relationship of the Module to the other hardware and software components of the GPC. Document Version 1.0.0 PQShield Public Material
| Name | CAVP Cert | Mode Method | Key Size | Use Function |
|---|---|---|---|---|
| CVL: TLS [IG 2.4.B]1) | A3011 | TLS v1.3 KDF, DHE and PSK-DHE running modes | SHA2-(256, 384) | Key derivation |
| ECDSA [186] | A3011 | Key pair generation | Curve: P-256, Security strength of 128-bits | Asymmetric Key Generation |
| ECDSA [186] | A3011 | Public key verification | Curve: P-256, Security strength of 128-bits | Public Key Verification |
| ECDSA [186] 3) | A3011 | Signature generation Hash Algorithm: SHA2- 256 | Curve: P-256, Security strength of 128-bits | Signature generation |
| ECDSA [186] 3) | A3011 | Signature verification Hash Algorithm: SHA2- 256 | Curve: P-256, Security strength of 128-bits | Signature verification |
| Hash_DRBG [90A]2) | A3011 | Hash_DRBG [90A] | Security strength of 256 bits | Deterministic random bit generation |
| HMAC [198]4) | A3011 | SHA2-(224,256,384,512) SHA3-(224,256,384,512) | Security Strength of 192, 256 bits | Message authentication |
| KAS-ECC CDH- Component [56Ar3] | A3011 | CDH-Component | Curve: P-256, Security strength of 128-bits | Shared secret computation |
| KAS-ECC-SSC [56Ar3] 5) 6) | A3011 | Ephemeral Unified | Curve: P-256, Security strength of 128-bits | Key generation, Shared secret computation |
| KDA HKDF [56Cr2] | A3011 | SP 800-56Cr2 Section 5 HKDF [RFC5869] key derivation | Key sizes between 224 and 65336 (multiples of 8 bits) | Key based key derivation. Used by TLSv1.3 KDF |
| KDA Two-Step [56Cr2] | A3011 | SP 800-56Cr2 Section 5 Two-step key derivation using KDF mode Feed- back | Key sizes between 224 and 65336 (multiples of 8 bits) | Key based key derivation. |
| KDF SP800- 108 [108] | A3011 | KDF SP800 | HMAC SHA2 and SHA3 using 224, 256, 384 and 512 bits | Key based key derivation |
| SHA2 [180] | A3011 | SHA2- (224,256,384,512) | Security strength of 112, 128, 192, 256 bits Message Length: 0- 65536 | Message digest generation |
| SHA3 [202] | A3011 | SHA3- (224,256,384,512) | Security strength of 112, 128, 192, 256 bits Message Length: 0- 65536 Large Message Sizes: 1GB | Message digest generation |
| SHAKE [202] | A3011 | SHAKE-(128,256) | Max security strength either 128 or 256 bits | Variable size digest generation |
PQCryptoLib 2.3 The Module supports Approved mode of operation only. The Module does not support degraded mode and operates only in normal mode.
The Approved mode of operation is configured after the CO loads the module into memory, all self-tests are completed successfully, and only Approved algorithms are invoked. See Table 5 below for the list of approved algorithms.
Non-approved mode of operation is not supported. 2.4 Security Functions The Module implements the Approved and Non-Approved but Allowed cryptographic functions listed in the tables below. Table 5 - Approved Algorithms 2.4.B]1) 3) 3) Document Version 1.0.0 PQShield Public Material
PQCryptoLib
| Name | Properties | Reference | OE |
|---|---|---|---|
| CKG | [133] Sections 4 and 5.1 Asymmetric signature key generation using unmodified DRBG output | [133] | Hardware Platform: Dell PowerEdge R740 Operating System: Ubuntu (version 20.04 LTS) Processor: Intel Xeon Platinum 8276 |
| [133] Sections 4 and 5.2 Asymmetric key establishment key generation using unmodified DRBG output | [133] Sections 4 and 5.2 Asymmetric key establishment key generation using unmodified DRBG output | [133] | Hardware Platform: Dell PowerEdge R740 Operating System: Ubuntu (version 20.04 LTS) Processor: Intel Xeon Platinum 8276 |
| [133] Sections 4 and 6.1 Direct symmetric key generation using unmodified DRBG output | [133] Sections 4 and 6.1 Direct symmetric key generation using unmodified DRBG output | [133] | Hardware Platform: Dell PowerEdge R740 Operating System: Ubuntu (version 20.04 LTS) Processor: Intel Xeon Platinum 8276 |
| [133] Section 6.2.1 Derivation of symmetric keys from a key agreement shared secret | [133] Section 6.2.1 Derivation of symmetric keys from a key agreement shared secret | [133] | Hardware Platform: Dell PowerEdge R740 Operating System: Ubuntu (version 20.04 LTS) Processor: Intel Xeon Platinum 8276 |
| [133] Section 6.2.2 Derivation of symmetric keys from a pre-shared key | [133] Section 6.2.2 Derivation of symmetric keys from a pre-shared key | [133] | Hardware Platform: Dell PowerEdge R740 Operating System: Ubuntu (version 20.04 LTS) Processor: Intel Xeon Platinum 8276 |
PQCryptoLib Table 6
| Name | Use Function | Use / Function |
|---|---|---|
| Kyber KEM | No security claimed | Non-Approved cryptographic algorithm implementing non- security relevant service. This algorithm is meant to be used between two parties as a method to establish “auxiliary shared secret T” which is used for “hybrid” shared secret Z’ as mentioned in [56Cr2, section 2]. The value Z’ can only be used in the extraction step of the Two- Step Key Derivation process described in [56Cr2, section 5]. Internally, this step is implemented as HKDF-extract function as defined by [RFC5869]. Vendor claims no security over input values consumed by the algorithm and output values generated by the algorithm including value T. The algorithm uses Hash_DRBG for generating random byte strings. It also uses SHA3-{256,512} and SHAKE-{128,256} internally. The algorithm is not intended to be used as a security function and is not used internally by the Module. It must be accessed over API functions that are distinct from APIs used to access approved algorithms. |
| Name | Description | Approved Functions | Type | Properties | Algorithm Properties |
|---|---|---|---|---|---|
| CKG | Sections 4 and 6.1 Direct symmetric key generation using unmodified DRBG output | DRBG | Cryptographic Key Generation | [133] | Hash_DRBG |
| KAS1 | Pair-wise Key- Establishment Schemes using Discrete Logarithm ECC Diffie-Hellman with TLS 1.3 KDF | SHS DRBG KAS-SSC TLS 1.3 KDF | KAS | KAS (KAS-SSC Cert. #A3011, CVL Cert. #A3011; SSP establishment methodology provides 128 bits of encryption strength), [56Ar3]1, [IG] 2.4.B, [IG] D.F | SHA2-256 SHA2-384 P-256 Curve Hash_DRBG |
| KAS2 | Pair-wise Key- Establishment Schemes using Discrete Logarithm ECC Diffie- Hellman with KDA HKDF | HMAC SHA3 SHS KDA HKDF | KAS | KAS (KAS-SSC Cert. #A3011, KDA Cert. #A3011; SSP establishment methodology provides 128 bits of encryption strength), [56Ar3]2, [56Cr2], [198], [IG] D.F, [IG] D.B, [133], [IG] C.C | P-256 Curve Hash_DRBG HMAC SHA2-224 HMAC SHA2-256 HMAC SHA2-384 HMAC SHA2-512 HMAC SHA3-224 HMAC SHA3-256 HMAC SHA3-384 HMAC SHA3-512 |
| KAS3 | Pair-wise Key- Establishment Schemes using Discrete Logarithm ECC Diffie- Hellman with KDA TwoStep | HMAC SHA3 SHS KDA TwoStep | KAS | KAS (KAS-SSC Cert. #A3011, KDA Cert. #A3011; SSP establishment methodology provides 128 bits of encryption strength), [56Ar3]3, [56Cr2], [198], [IG] D.F, [IG] D.B, [133], [IG] C.C | P-256 Curve Hash_DRBG HMAC SHA2-224 HMAC SHA2-256 HMAC SHA2-384 HMAC SHA2-512 HMAC SHA3-224 HMAC SHA3-256 HMAC SHA3-384 HMAC SHA3-512 |
| KDA1 | Key Derivation Algorithm | HMAC SHA3 SHS KDA HKDF | HKDF | [56Cr2] [198], [IG] C.C | HMAC SHA2-224 HMAC SHA2-256 HMAC SHA2-384 HMAC SHA2-512 HMAC SHA3-224 HMAC SHA3-256 HMAC SHA3-384 HMAC SHA3-512 |
| KDA2 | Key Derivation Algorithm | HMAC SHA3 SHS KDA TwoStep | TwoStep | [56Cr2] [198], [IG] C.C | HMAC SHA2-224 HMAC SHA2-256 HMAC SHA2-384 HMAC SHA2-512 HMAC SHA3-224 HMAC SHA3-256 HMAC SHA3-384 HMAC SHA3-512 |
| KDF1 | Key Derivation using TLS 1.3 KDF | SHS TLS 1.3 KDF | Key Derivation Function TLS 1.3 KDF | [IG] 2.4.B [IG] D.F [180] | SHA2-256 SHA2- 384 |
| KDF2 | Key Based Key Derivation Function using Feedback method | HMAC SHA3 SHS | KDF [108] | [108] [198] [IG] C.C | KDF [108] – Feedback HMAC SHA2-224 HMAC SHA2-256 HMAC SHA2-384 HMAC SHA2-512 HMAC SHA3-224 HMAC SHA3-256 HMAC SHA3-384 HMAC SHA3-512 |
| KeyGen | ECDSA Key Generation | ECDSA DRBG | Key generation | [186] [133] | Hash_DRBG P- 256 Curve |
| KeyVer | ECDSA Public Key Verification | ECDSA | Public Key Verification | [186] | P-256 Curve |
| MAC | Keyed-Hash Message Authentication Code | HMAC SHS SHA3 | Message Authentication | [198] [IG] C.B, [IG] C.C | HMAC SHA2-224 HMAC SHA2-256 HMAC SHA2-384 HMAC SHA2-512 HMAC SHA3-224 HMAC SHA3-256 HMAC SHA3-384 HMAC SHA3-512 |
| Hash | Secure Hash Standard Permutation-Based Hash and Extendable- Output Functions | SHS SHA3 | Message Digest | [180] [202] [IG] C.B [IG] C.C | SHA2-224 SHA2- 256 SHA2-384 SHA2-512 SHA3- 224 SHA3-256 SHA3-384 SHA3- 512 SHAKE-128 SHAKE- 256 |
| RNG | Random Number Generation | DRBG | Deterministic Random Bit Generators | [90A] [IG] D.L [IG] D.R | Hash_DRBG |
| Shared Secret Establis hment1 | Shared Secret Establishment Pair- wise Key- Establishment Scheme using Discrete Logarithm - ECC Diffie-Hellman | KAS ECC CDH DRBG | KAS ECC CDH- Component | [56Ar3] [IG] D.F [IG] D.A [IG] D.B [133] | Hash_DRBG P- 256 Curve |
| Shared Secret Establis hment2 | Shared Secret Establishment Pair- wise Key- Establishment Scheme using Discrete Logarithm - ECC Diffie-Hellman | DRBG KAS- SSC | KAS ECC -SSC | [56Ar3] [IG] D.F [IG] D.B [133] | P-256 Curve Hash_DRBG |
| SigGen | Digital Signature Generation using ECDSA | ECDSA DRBG SHS | Signature generation | [186] [133] | Hash_DRBG P- 256 Curve SHA2- 256 |
| SigVer | Digital Signature Verification using ECDSA | SHS | Signature verification | [186] | P-256 Curve SHA2- 256 |
PQCryptoLib NOTE: The module does not implement any Non-Approved Algorithms Not Allowed in the Approved Mode of Operation. Table 8 - Security Function Implementations Document Version 1.0.0 PQShield Public Material
PQCryptoLib C.C Document Version 1.0.0 PQShield Public Material
PQCryptoLib C.C Document Version 1.0.0 PQShield Public Material
PQCryptoLib Document Version 1.0.0 PQShield Public Material
PQCryptoLib Establishment Pairwise KeyEstablishment Establishment Pairwise KeyEstablishment DRBG KASSSC Per [IG] D.F Scenario 2 path (2), [56Ar3] compliant key agreement scheme where testing is performed separately for the shared secret computation and a KDF compliant with [135] without key confirmation. Per [IG] D.F Scenario 2 path (2), [56Ar3] compliant key agreement scheme where testing is performed separately for the shared secret computation and a KDF compliant with KDA without key confirmation. Per [IG] D.F Scenario 2 path (2), [56Ar3] compliant key agreement scheme where testing is performed separately for the shared secret computation and a KDF compliant with KDA without key confirmation. Document Version 1.0.0 PQShield Public Material
The Module supports KDF used by TLS protocol version 1.3. 2.5 Rules of Operation The Module is intended to link with the Application. To initialize the Module, the code of an application that wishes to use the Module, must include pqcl.h and fips.h header files. This allows an application to use the Module Initialization service. The Module Initialization service must be used to initialize the Module. The Module is initialized after the Module Initialization service returns with success. The Module Initialization service automatically detects and enables PAA if available. After the Module is initialized, the PAA can be disabled by calling the Disable PAA service. This service can be called only after successful initialization of the Module. The Module Initialization service runs pre-operational and conditional self-tests and the Disable PAA service runs conditional self-tests. The Zeroize service zeroizes the state of internal DRBGs. It must be explicitly called by the CO before the Module is unloaded from the application using it. In addition, the CO can zeroize individual SSPs as described in Section 9.4. Overall Security Design
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| N/A | N/A | Data in | API input parameters that specify plaintext data; ciphertext or signed data; cryptographic keys, initialization vectors; kernel I/O. |
| N/A | N/A | Data out | API output parameters that receive plaintext data, ciphertext data, digital signatures cryptographic keys and initialization vectors. API Return values. |
| N/A | N/A | Control in | Function calls and control data (e.g., algorithms, algorithm modes, or module settings). Values stored in the CPU and read by the Module during initialization phase. |
| N/A | N/A | Control Out1) | N/A |
| N/A | N/A | Status out | API return values. |
| PC Power Supply Port | PC Power Supply Port | Power | N/A |
PQCryptoLib The Module is a software-only implementation. All keys, encrypted data, and control information are exchanged through calls to library functions (logical interfaces). As a software module, it has no access to the physical ports (physical covers, manual controls, physical status indicators) and hence those ports are the same as those of the GPC it runs on. The Module’s ports and associated FIPS defined logical interface categories are listed in Table 9. Table 9
| Name | Roles | Input | Output |
|---|---|---|---|
| Disable PAA1 | CO | None | Status code |
| Hash_DRBG operation context cleanup | CO | Operation context. Algorithms: Hash_DRBG | Operation context with SSPs deleted |
| Hash_DRBG pseudorandom byte stream generation | CO | Operation context, output buffer, length of requested byte stream, optionally buffer with additional data. Algorithms: Hash_DRBG | Stream of pseudo-random bytes, status code |
| Hash_DRBG reseeding | CO | Operation context, buffers with entropy, nonce and personalization string together with sizes of those buffers, optionally buffer with additional data. Algorithms: Hash_DRBG | Status code |
| Hash_DRBG instantiation and seeding | CO | Operation context, buffers with entropy, nonce and personalization string together with sizes of those buffers. Algorithms: Hash_DRBG | Status code |
| Hashing | CO | Input data, input size. Hash functions: SHA2- (224, 256, 384, 512), SHA3-(224, 256, 384, 512). | Digest, status code. |
| KEM context cleanup | CO | Operation context. Algorithms: Kyber (non- approved) | Operation context with SSPs deleted |
| KEM decapsulation | CO | Operation context with KEM private key, ciphertext with byte length. Algorithms used: Kyber (non-approved) | Shared secret, status code. |
| KEM encapsulation | CO | Operation context with KEM public key. Algorithms used: Kyber (non-approved) | Shared secret with byte length, ciphertext with byte length, status code |
| KEM key-pair export | CO | Operation context, memory buffers to store public and/or private key. Algorithms: Kyber (non-approved) | Public and/or private key stored in memory buffer, status code. |
| KEM key-pair generation | CO | Operation context. Algorithms: Kyber (non- approved) | Key-pair stored in operation context. Status code. |
| KEM key-pair import | CO | Operation context, public key and/or private key in plaintext. Algorithms: Kyber (non- approved) | Key-pair stored in operation context, Status code. |
| Key agreement | CO | Operation context, peers public key with byte length. Algorithms. ECDH (curve P256). | Shared secret stored in a memory buffer, status code |
| Key agreement key- pair cleanup | CO | Operation context. Algorithms: ECDH (curve P-256). | Operation context with SSPs deleted |
| Key agreement key- pair export | CO | Operation context, memory buffers to store public and/or private key. Algorithms: ECDH (curve P-256). | Public and/or private key stored in memory buffer, status code. |
| Key agreement key- pair generation | CO | Operation context. Algorithms: ECDH (curve P-256) | Key-pair stored in operation context. Status code. |
| Key agreement key- pair import | CO | Operation context, public key and/or private key in plaintext. Algorithms: ECDH (curve P- 256). | Key-pair stored in operation context, Status code. |
| Key derivation | CO | Operation context, key derivation key, salt, shared secret established by approved and auxiliary shared secret (56Cr2), algorithm ID, optional context binding value. Algorithms used: HKDF | Derived key, status code. |
| Key expansion in two-step key derivation | CO | Operation context, key-derivation key and its size, info label and its size. Algorithms used: KDF [108] | Derived key, status code. |
| Keyed hash context cleanup | CO | Operation context. Algorithms: HMAC | Operation context with SSPs deleted |
| Keyed hash key import | CO | Operation context, buffer containing key and its size. Key sizes: 112-bits or more (multiple of 8 bits). Algorithms: HMAC | Status code |
| Keyed hash signing | CO | Operation context, input data, input size, buffer storing output and output size. Algorithms: HMAC | An authentication tag, status code |
| Keyed hash verification | CO | Operation context, input data, input size. Algorithms: HMAC | Status code |
| Module initialization 2) | CO | None | Status code |
| Name enquiry | CO | Pointer to the buffer | Text "pqcryptolib" |
| Random number generation | CO | Entropy, output size, additional input. Algorithms used: Hash_DRBG. | Stream of randomly generated bytes. Security strength of 256-bits. |
| Randomness extraction | CO | Operation context, shared secret established by approved key agreement method (56Cr2) and its size, salt value and its size. Algorithms used: HKDF | Key-derivation key, status code |
| Randomness extraction with auxiliary shared secret | CO | Operation context, shared secret established by approved key agreement method (56Cr2) and its size, salt value and its size, auxiliary shared secret and its size. Algorithms used: HKDF | Key-derivation key, status code |
| Signature generation | CO | Operation context, message to sign with byte length, memory buffer. Algorithms: ECDSA (curve P-256) | Signature stored in the memory buffer. Status code |
| Signature verification | CO | Operation context, message to verify with byte length. Algorithms: ECDSA (curve P-256) | Operation context with SSPs deleted |
| Signing key-pair cleanup | CO | Operation context. Algorithms: ECDSA (curve P-256). | Operation context with SSPs deleted |
| Signing key-pair export | CO | Operation context, memory buffers to store public and/or private key. Algorithms: ECDSA (curve P-256). | Public and/or private key stored in memory buffer. Status code. |
| Signing key-pair generation | CO | Operation context. Algorithms: ECDSA (curve P-256) | Key-pair stored in operation context. Status code. |
| Signing key-pair import | CO | Operation context, public key and/or private key in plaintext. Algorithms: ECDSA (curve P- 256). | Key-pair stored in operation context. Status code. |
| Status enquiry | CO | None | Current state of the module |
| Symmetric key generation | CO | Buffer requested key size in bits. Algorithms: Hash_DRBG | Symmetric key, status code |
| TLS v1.3 KDF | CO | Operation context, key derivation key and its size, shared secret and authentication messages as defined by RFC8446, optionally pre-shared key and its size | Status code and all traffic and handshake keys resulting from TLS v1.3 key derivation |
| Version enquiry | CO | Pointer to the buffer | Text "1.0.0" |
| XOF | CO | Output size. Algorithms: SHAKE-128, SHAKE- 256 | Output generated by XOF. |
| Zeroize | CO | None | None |
PQCryptoLib 4. Roles, Services and Authentication 4.1 Assumption of Roles and Related Services The Module implements a single instance of one authorized role: Crypto Officer (CO). The role is implicitly assumed by the entity accessing services implemented by the module and is authorized to access all services provided by the module. Only one concurrent user is allowed, namely, a CO is considered the owner of executing thread. The Module does not support a maintenance role or bypass capability. Table 10 lists all operator roles supported by the Module and their related services. Table 10
2) Document Version 1.0.0 PQShield Public Material
PQCryptoLib Document Version 1.0.0 PQShield Public Material
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator |
|---|---|---|---|---|---|---|
| Disable PAA | Switch off PAA | CO | N/A | N/A | N/A | N/A |
| Hash_DRBG operation context cleanup | Zeroize Hash_DRBG SSPs | CO | DRBG-S | Hash_DRBG | Z | DSI |
| Hash_DRBG pseudorandom byte stream generation | Generate pseudo random byte strings and keys | CO | DRBG-S | Hash_DRBG | ERW | DSI |
| Hash_DRBG reseeding | Seed Hash_DRBG instance with externally supplied entropy | CO | DRBG-EI, DRBG-N, DRBG-S, DRBG-SEED | Hash_DRBG | W, R, R, GW | DSI |
| Hash_DRBG instantiation and seeding | Seed Hash_DRBG instance with externally supplied entropy | CO | DRBG-EI, DRBG-N, DRBG-S, DRBG-SEED | Hash_DRBG | W, R, R, GW | DSI |
| Hashing | Calculate a message digest | CO | N/A | SHA2- (224,256,384,512) SHA3- (224,256,384,512) | N/A | HSI |
| Key agreement | Calculate shared secret key from private and public keys | CO | ECDH-PRV, ECDH-PUB, ECDH-K-Z | ECDH | ER, ER, GW | XSI |
| Key agreement key-pair cleanup | Zeroize SSPs | CO | ECDH-PRV, ECDH-PUB | ECDH | Z, Z | XSI |
| Key agreement key-pair export | Export a public and/or private ECDH key(s) | CO | ECDH-PRV, ECDH-PUB | ECDH | R, R | XSI |
| Key agreement key-pair generation | Generate a key-pair for key agreement | CO | ECDH-PRV, ECDH-PUB | ECDH | EGW, GW, | XSI |
| Key agreement key-pair import | Import a public and/or private ECDH key(s) | CO | ECDH-PRV, ECDH-PUB | ECDH | W, W | XSI |
| Key derivation | Symmetric key derivation from shared secret key | CO | HKDF-K, HKDF-KDK | KDA-HKDF SHA2- (224,256,384,512) SHA3- (224,256,384,512) , CKG | ER, EGWZ | KSI |
| Key expansion in two-step key derivation | PRF-based key- derivation function [108] | CO | HKDF-KDK | KDA-HKDF, KDF- SP800-108 SHA2- (224,256,38 4,512) SHA3- (224,256,38 4,512), CKG | RE | KSI |
| Keyed hash context cleanup | Zeroize HMAC SSPs | CO | HMAC-K | SHA2- (224,256,384,512) SHA3- (224,256,384,512) | Z | MSI |
| Keyed hash key import | Import a HMAC symmetric key into operation context | CO | HMAC-K | HMAC, SHA2- (224,256,384,512), SHA3- (224,256,384,512) | ER | MSI |
| Keyed hash signing | Calculate an authentication tag on data | CO | HMAC-K | HMAC, SHA2- (224,256,384,512) , SHA3- (224,256,384,512) | ER | MSI |
| Keyed hash verification | Validate an authentication tag on data | CO | HMAC-K | HMAC, SHA2- (224,256,384,512), SHA3- (224,256,384,512) | ER | MSI |
| Module initialization | Initializes internal structure of the Module | CO | DRBG-EI, DRBG-SEED, DRBG-S, DRBG-N | Hash_DRBG HMAC | RE, WE, W, W | N/A |
| Name enquiry | Returns name of the Module | CO | N/A | N/A | N/A | N/A |
| Random number generation | Generate random byte strings and keys from the Module’s internal instance of Hash_DRBG | CO | DRBG-S | Hash_DRBG | ERW | RSI |
| Randomness extraction | The randomness extraction step in two- step key derivation procedure as specified by [56Cr2] | CO | HKDF-K, HKDF-KDK | KDA-HKDF SHA2- (224,256,384,512) SHA3- (224,256,384,512) | ER, GW | KSI |
| Randomness extraction with auxiliary shared secret | The randomness extraction step in two- step key derivation procedure with auxiliary shared secret T as specified by [56Cr2] | CO | HKDF-K, HKDF-KDK | KDA-HKDF SHA2- (224,256,384,512) SHA3- (224,256,384,512) | ER, GW | KSI |
| Signature generation | Calculate digital signature using a private key | CO | ECDSA-PRV | SHA2-(256), ECDSA | RE | SSI |
| Signature verification | Verify digital signature using a public key | CO | ECDSA-PUB | SHA2-(256), ECDSA | RE | SSI |
| Signing key- pair cleanup | Zeroize SSPs and deletes operation context | CO | ECDSA-PRV, ECDSA-PUB | ECDSA | Z, Z | SSI |
| Signing key- pair export | Export a public and/or private ECDSA key(s) | CO | ECDSA-PRV, ECDSA-PUB | ECDSA | R, R | SSI |
| Signing key- pair generation | Generate a key-pair for signing and verification | CO | ECDSA-PRV, ECDSA-PUB | ECDSA | EGW, GW | SSI |
| Signing key- pair import | Import a public and/or private asymmetric key into operation context | CO | ECDSA-PRV, ECDSA-PUB | ECDSA | W, W | SSI |
| Status enquiry | Returns state of the Module | CO | N/A | N/A | N/A | N/A |
| Symmetric key generation | Generates symmetric key of size between 112 and 256 bits, multiple of 8. | CO | HMAC-K | Hash_DRBG, CKG | GW | DSI |
| TLS v1.3 KDF | Expands key- derivation- key into secret key as specified by the RFC8446 | CO | ECDH-K-Z, TLS-PSK, TLS-ES, TLS-HS, TLS-MS, TLS-EBK, TLS-RBK, TLS-CETS, TLS-EEMS, TLS-CHTS, TLS-SHTS, TLS-CATS, TLS-SATS, TLS-EMS, TLS-RMS, TLS-ZERO | TLS KDF, CKG | ER, ER, GW, GW, GW, GW, GW, GW, GW, GW, GW, GW, GW, GW, GW, ER | TSI |
| Version enquiry | Returns version of the Module | CO | N/A | N/A | N/A | N/A |
| XOF | Calculate output from XOF | CO | N/A | SHAKE-(128, 256) | N/A | HSI |
| Zeroize | Destroys internal state of Hash_DRBG | CO | DRBG-S | Hash_DRBG | Z | ZSI |
PQCryptoLib
PQCryptoLib N/A N/A Z, Z R, R W, W Document Version 1.0.0 PQShield Public Material
PQCryptoLib Z W, W N/A N/A N/A N/A N/A Document Version 1.0.0 PQShield Public Material
PQCryptoLib Z, Z R, R W, W N/A N/A N/A N/A Document Version 1.0.0 PQShield Public Material
PQCryptoLib N/A N/A N/A N/A N/A N/A Z The following table contains non-approved, allowed services running in approved mode of operation. All those services implement Key Encapsulation Mechanism but are non-security relevant. Namely we do not declare any security on the keys generated by those algorithms. Document Version 1.0.0 PQShield Public Material
| Name | Description | Roles | Approved Functions | Indicator |
|---|---|---|---|---|
| KEM context cleanup | Non-security relevant service | CO | None | ESI |
| KEM decapsulation | Non-security relevant service | CO | SHA3-{256,512}, SHAKE-{128, 256}, Kyber | ESI |
| KEM encapsulation | Non-security relevant service | CO | Hash_DRBG, SHA3- {256,512}, SHAKE- {128, 256}, Kyber | ESI |
| KEM key-pair export | Non-security relevant service | CO | Kyber | ESI |
| KEM key-pair generation | Non-security relevant service | CO | Hash_DRBG, SHA3- {256,512}, SHAKE- {128, 256}, Kyber | ESI |
| KEM key-pair import | Non-security relevant service | CO | Kyber | ESI |
PQCryptoLib Table 12 – Non-Approved Services
PQCryptoLib 6. Operational Environment The Module operates under a modifiable operational environment as per the FIPS 140-3 definitions. The tested operational environment is listed in Table 2 above. In addition, PQShield claims that the Module can be ported on the operational environment listed in Table 4; no statement is made regarding the correct operation of the Module on the Vendor Affirmed Operational Environments. The Module runs on a GPC running one of the tested operational environments. Each tested operational environment manages processes in a logically separated manner, each process is assigned a private memory space, access to that space is restricted to the process running the Module and trusted parts of the operational environment. Process private memory space is used to store CSPs and SSPs. The CO role is considered the owner of the calling application that instantiates the module. Document Version 1.0.0 PQShield Public Material
PQCryptoLib
| Name | Key Size | Use Function | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| P S S / y e K | P S S / y e K | e p y T / e m a N | h t g n e r t S | y t ir u c e S | d n a n o it c n u F | .t r e C | r e b m u N | n o it a r e n e G | t r o p x E / t r o p m I | t n e m h s ilb a t s E | e g a r o t S | n o it a z io r e Z | e s U | s y e k d e t a le R | |||
| DRBG-S, DRBG-N | 256 | Hash_DRBG [90A] entropy input | DRBG-EI | G3 | E1 | N/A | S1 | Z1 Z2 | N/A | ||||||||
| DRBG-EI DRBG-N DRBG-S | 256 | Hash_DRBG [90A] initialization and reseeding | DRBG- SEED | G5 | N/A | N/A | S1 | Z1 Z2 Z3 | DRBG (#A3011) | ||||||||
| DRBG-EI DRBG-SEED | 256 | Hash_DRBG [90A] working state (values V and C) derived from the seed | DRBG-S | G4 | N/A | N/A | S1 | Z1 Z2 | DRBG (#A3011) | ||||||||
| DRBG-EI DRBG-SEED | 256 | Hash_DRBG [90A] nonce | DRBG-N | G3 | E1 | N/A | S1 | Z1 Z2 | DRBG (#A3011) | ||||||||
| ECDSA-PRV | 128 | DRBG additional input. When used for ECDSA signature generation, the input is a ECDSA secret key. | DRBG-AI | N/A | E3 | N/A | S1 | Z1 Z2 | DRBG (#A3011) | ||||||||
| DRBG-S | Between 128 and 256. Multiple of 8 bits | HMAC [198] authentication key and OPAD value | HMAC-K | G2 | E1 | N/A | S1 | Z1 Z2 | HMAC (#A3011) | ||||||||
| DRBG-S | Between 224 and 65536. Multiple of 8 bits | KDA-HKDF secret key | HKDF-K | G2 | E1 | A1 | S1 | Z1 Z2 | KDA-HKDF, Two-Step (#A3011) | ||||||||
| P S S / y e K | P S S / y e K | e p y T / e m a N | h t g n e r t S | y t ir u c e S | d n a n o it c n u F | .t r e C | r e b m u N | n o it a r e n e G | t r o p x E / t r o p m I | t n e m h s ilb a t s E | e g a r o t S | n o it a z io r e Z | e s U | s y e k d e t a le R | |||
| HMAC-K ECDH-K- PRV HKDF-CNT | Between 8 and 4096. Multiple of 8 bits | Key-derivation key resulting from the randomness- extraction step that is used in the key- expansion step during the execution of the key- derivation procedure specified in the [56Cr2] and/or [108] | HKDF- KDK | N/A | E3 | A2 | S1 | Z1 Z2 | KDA-{HKDF, Two-Step} (#A3011) | ||||||||
| DRBG-S DRBG-N DRBG-AI | 128 | ECDSA signature generation key (P-256) | ECDSA- PRV | G1 | E1 E3 | N/A | S1 | Z1 Z2 | ECDSA (#A3011) | ||||||||
| DRBG-S DRBG-N ECC-PAR | 128 | ECDH key agreement private key (P- 256) | ECDH- PRV | G1 | E1 E3 | N/A | S1 | Z1 Z2 | EC Diffie Hellman Shared Secret Computation (#A3011) | ||||||||
| ECDH-K- PRV ECC-PAR | 128 | ECDH shared secret (P-256) used to derive session encryption key | ECDH-K- Z | N/A | E1 E3 | A1 | S1 | Z1 Z2 | EC Diffie Hellman Shared Secret Computation (#A3011) | ||||||||
| TLS-RMS | Between 112 and 256. Multiple of 8 bits | A TLS v1.3 pre- shared key, established externally or derived from TLS-RMS. | TLS-PSK | G6 | E1 | N/A | S1 | Z1 Z2 | TLS v1.3 KDF (#A3011) | ||||||||
| TLS-PSK ECDH-K-Z | 256 or 384 bits | TLS v1.3 early secret | TLS-ES | G6 | N/A | N/A | S1 | Z1 Z2 | TLS v1.3 KDF (#A3011) | ||||||||
| TLS-PSK ECDH-K-Z | 256 or 384 bits | TLS v1.3 handshake secret | TLS-HS | G6 | N/A | N/A | S1 | Z1 Z2 | TLS v1.3 KDF (#A3011) | ||||||||
| P S S / y e K | P S S / y e K | e p y T / e m a N | h t g n e r t S | y t ir u c e S | d n a n o it c n u F | .t r e C | r e b m u N | n o it a r e n e G | t r o p x E / t r o p m I | t n e m h s ilb a t s E | e g a r o t S | n o it a z io r e Z | e s U | s y e k d e t a le R | |||
| TLS-PSK ECDH-K-Z | 256 or 384 bits | TLS v1.3 master secret | TLS-MS | G6 | N/A | N/A | S1 | Z1 Z2 | TLS v1.3 KDF (#A3011) | ||||||||
| TLS-ES | 128 | TLS v1.3 binder secret for external PSKs | TLS-EBK | G7 | E3 | N/A | S1 | Z1 Z2 | TLS v1.3 KDF (#A3011) | ||||||||
| TLS-ES | 128 | TLS v1.3 binder key for resumption PSKs | TLS-RBK | G7 | E3 | N/A | S1 | Z1 Z2 | TLS v1.3 KDF (#A3011) | ||||||||
| TLS-ES | 128 | TLS v1.3 early traffic secret | TLS- CETS | G7 | E3 | N/A | S1 | Z1 Z2 | TLS v1.3 KDF (#A3011) | ||||||||
| TLS-ES | 128 | TLS v1.3 early master secret | TLS- EEMS | G7 | E3 | N/A | S1 | Z1 Z2 | TLS v1.3 KDF (#A3011) | ||||||||
| TLS-HS | 128 | TLS v1.3 client handshake traffic secret | TLS- CHTS | G7 | E3 | N/A | S1 | Z1 Z2 | TLS v1.3 KDF (#A3011) | ||||||||
| TLS-HS | 128 | TLS v1.3 server handshake traffic secret | TLS- SHTS | G7 | E3 | N/A | S1 | Z1 Z2 | TLS v1.3 KDF (#A3011) | ||||||||
| TLS-MS | 128 | TLS v1.3 client application traffic secret | TLS- CATS | G7 | E3 | N/A | S1 | Z1 Z2 | TLS v1.3 KDF (#A3011) | ||||||||
| TLS-MS | 128 | TLS v1.3 server application traffic secret | TLS- SATS | G7 | E3 | N/A | S1 | Z1 Z2 | TLS v1.3 KDF (#A3011) | ||||||||
| TLS-MS | 128 | TLS v1.3 exporter master secret | TLS-EMS | G7 | E3 | N/A | S1 | Z1 Z2 | TLS v1.3 KDF (#A3011) | ||||||||
| TLS-MS | 128 | TLS v1.3 resumption master secret | TLS- RMS | G7 | E3 | N/A | S1 | Z1 Z2 | TLS v1.3 KDF (#A3011) | ||||||||
| N/A | N/A | Global state of the cryptographic module | GLOB | G9 | N/A | N/A | S1 | Z1 | N/A | ||||||||
| P S S / y e K | P S S / y e K | e p y T / e m a N | h t g n e r t S | y t ir u c e S | d n a n o it c n u F | .t r e C | r e b m u N | n o it a r e n e G | t r o p x E / t r o p m I | t n e m h s ilb a t s E | e g a r o t S | n o it a z io r e Z | e s U | s y e k d e t a le R | |||
| HKDF-KDK | N/A | Counter used by KDF in feedback mode [108] | HKDF- CNT | G8 | N/A | N/A | S1 | Z1 Z2 | KDA-{HKDF, Two-Step} (#A3011) | ||||||||
| ECDSA-PUB ECDH-PUB ECDSA-PRV ECDH-PRV | N/A | ECC domain parameters | ECC-PAR | N/A | N/A | N/A | S2 | Z1 | ECDSA and EC Diffie Hellman Shared Secret Computation (#A3011) | ||||||||
| ECDSA-PRV ECC-PAR | 128 | ECDSA signature verification key (P-256) | ECDSA- PUB | G1 | E1, E2 | N/A | S1 | Z1 Z2 | ECDSA (#A3011) | ||||||||
| ECDH-PRV ECC-PAR | 128 | ECDH key agreement public key (P- 256) | ECDH- PUB | G1 | E1, E2 | N/A | S1 | Z1 Z2 | EC Diffie Hellman Shared Secret Computation (#A3011) | ||||||||
| All TLS-* SSPs, except TLS- PSK | N/A | Internal value used by TLS v1.3 KDF in case PSK is not provided. 48-byte long buffer filled with 0. | TLS-ZERO | G9 | N/A | N/A | S1 | Z1 | TLS v1.3 KDF (#A3011) |
PQCryptoLib 9.1 Sensitive Security Parameters (SSP) All SSPs used by the Module are described in this section. All usage of these SSPs by the Module is described in the services detailed in 4.3. N/A N/A DRBGSEED N/A N/A N/A N/A N/A N/A N/A N/A Document Version 1.0.0 PQShield Public Material
HKDFKDK ECDSAPRV ECDHPRV ECDH-KZ N/A N/A N/A N/A N/A N/A N/A N/A randomnessextraction step the keyderivation Document Version 1.0.0 PQShield Public Material
N/A N/A Related keys N/A Use Storage Zeroization Establishment Security Function and Cert. Number Import/Export Generation Strength Key/SSP Name/Type PQCryptoLib N/A N/A N/A TLSCHTS N/A TLSCATS N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Document Version 1.0.0 PQShield Public Material
N/A N/A ECDSAPUB ECDHPUB 9.2 N/A N/A N/A N/A Related keys Use N/A Zeroization N/A N/A Storage Establishment Generation Import/Export Security Function and Cert. Number Strength Key/SSP Name/Type PQCryptoLib 0. except TLSPSK DRBG Entropy Source The RNG module leverages two different entropy sources, one provided by the CPU and the other provided by operational environment. The RDSEED is a CPU instruction, used to get entropy directly from the Intel CPU. Additionally, the Module uses the entropy from environmental noise. This is done by using getrandom system call. Returned bytes from both sources are XORd together and provided to the RNG initialization function as an entropy. In case entropy source fails to produce entropy, the RNG initialization procedure sets FSM to an ERROR state, resulting in the Module being not available for use in approved mode operation. The module conforms to FIPS 140-3 IG 9.3.A scenario 2b, thus the following caveat is applicable: No assurance of the minimum strength of generated SSPs (e.g., keys). Document Version 1.0.0 PQShield Public Material
| Entropy Sources | Minimum number | Details |
|---|---|---|
| of entropy bits | ||
| RDSEED | 256 | The RDSEED is CPU instruction, that provides an access to the implementation of XOR-NRBG construction (as per [90C]). It uses AES/128-CBC-MAC conditioner (vetted conditioning component as per [90B]) and internal implementation of DRBG based on AES-CTR to produce full entropy output. RDSEED is used as the main entropy source, which provides 256 bits of entropy to seed DRBG. Construction is CAVP certified (Cert. #A1791). |
| getrandom() | 8 | Additional entropy source. |
PQCryptoLib Table 14
| Name | Test Method | Test Type | Details | Security | Error |
|---|---|---|---|---|---|
| DRBG | KAT | Critical function test | DRBG Critical Function Tests (Instantiate, Generate and Reseed) | DRBG | ES1 |
| HMAC | Software integrity | Software integrity test | Integrity check of cryptographic module, using HMAC with SHA2-512 with fixed 256-bit key over various continuous segments of the Module binary image; tag compared against reference value stored in the binary | HMAC | ES1 |
| DRBG | KAT | CAST | Uses Hash_DRBG based on SHA2-256 for 256-bit security strength. Includes instantiate, generate, generate with additional input, reseed and reseed with additional input KATs. Doesn’t include prediction resistance. Performed before the first random data generation. Self-test is performed before being used in the Integrity test. | DRBG | ES1 |
| ECDH Key Generation | PCT | PCT | ECDH P-256 Key Generation Pairwise Consistency Test | ECDH Key Generation | ES1 |
| ECDSA | KAT | CAST | ECDSA P-256 with SHA2-256 signature generation and verification. Uses 32-byte long message. | ECDSA | ES1 |
| ECDSA Key Generation | PCT | PCT | ECDSA P-256 Key Generation Pairwise Consistency Test | ECDSA Key Generation | ES1 |
| HMAC | KAT | CAST | HMAC-SHA2-512 KAT with 16-byte long key over 32-byte long message. Self-test is performed before being used in the Integrity test. | HMAC | ES1 |
| HMAC | KAT | CAST | HMAC-SHA2-512 KAT with 16-byte long key over 32-byte long message. | HMAC | ES1 |
| KAS-SSC | KAT | CAST | ECC Diffie-Hellman shared secret generation with P-256 as per [IG] D.F | KAS-SSC | ES1 |
| KDF [108] | KAT | CAST | KDF with HMAC-SHA2-256 is used as PRF in feedback mode with an 8-bit counter located after fixed data, an 8-byte long Label string, and a 32-byte long IV set to buffer filled with random data. | KDF [108] | ES1 |
| KDA HKDF | KAT | CAST | HKDF with HMAC-SHA2-256 as an auxiliary function. An input is a 32-byte long value Z, 16- byte long salt and 52-byte long info string as described by the [56Cr2]. Output (DKM) is a 32- byte long derived key. | KDA HKDF | ES1 |
| KDA Two- Step | KAT | CAST | Two-step KDF with HMAC-SHA2-384 as an auxiliary function and concatenation of shared Z and auxiliary secret T as described by the [56Cr2]. An input to the extract step is a 32-byte long value Z and a 16-byte value T. Extraction uses a 128-byte long salt filled with 0. It produces a 48-byte-long KDK. An expansion step uses feedback mode with 16-byte long IV and it does not use counter. An input to the expansion step is a KDK and info string. Info string is formatted as a concatenation of two, 16 bytes long buffers, value T, and a 4-byte long buffer containing a length of output in bits. Output (DKM) is a 32-byte long key. | KDA Two- Step | ES1 |
| SHA3/SHAKE | KAT | CAST | SHAKE128 using 16-byte message. Two separated self-tests with the same parameters run for AVX2 optimized and non- optimized implementation. | SHA3/SHAKE | ES1 |
| SHS | KAT | CAST | SHA2-256 KAT using 32-byte message. | SHS | ES1 |
| TLS KDF v1.3 | KAT | CAST | Uses random 34-byte long shared secret Z (as defined in the [56Cr2]) and ClientHello, ServerHello, client Finished and server Finished (as defined in the [TLSACVP] and [RFC8446]) – all 34 byte-long. All key schedule secrets are generated and validated against the expected value. | TLS KDF v1.3 | ES1 |
| Error | Description | Indicator |
|---|---|---|
| state | ||
| ES1 | The Module fails a KAT or PCT self-test. The module does not perform any cryptographic functions and all data output is inhibited in the error state. The Module needs to be power cycled to clear the error. | The Module enters the ERROR state and outputs status of PQCL_STATE_ERROR |
PQCryptoLib The Module performs self-tests to ensure the proper operation. Per FIPS 140-3, these are categorized as either pre-operational self-tests or conditional self-tests. Pre-operational self–tests are available on demand by power cycling the Module and calling the Module Initialization service. The module uses critical functions, namely hash-based DRBG and HMAC-SHA2-512. The critical functions are tested both during pre-operational and conditional testing run. There is only one self-tests error state, and it is described in the table below: Table 15
PQCryptoLib Table 17
PQCryptoLib KDA TwoStep Document Version 1.0.0 PQShield Public Material
| Service Indicator | Type of security service |
|---|---|
| DSI | Deterministic Random Number Generation |
| HSI | Hashing |
| MSI | Message Authentication Code |
| KSI | Key Derivation Function |
| ESI | Key Encapsulation Mechanism |
| XSI | Key Agreement |
| RSI | Random number generation |
| SSI | Digital Signature |
| TSI | TLS v1.3 KDF |
| ZSI | Zeroization |
PQCryptoLib The Module provides the operator dedicated query function to determine whether the current security service in use is approved. Security services implemented by the Module are grouped by type. The Module provides one query function for each type of service. Details of usage are described in the product documentation. Table 18 defines a mapping between the identifier of the service indicator (used in the tables above) and Table 18
PQCryptoLib 11. Life-Cycle Assurance
The Module is delivered in a form of dynamically linkable software library and the API declared in the header files. The Module is intended to be linked with the Application. The library is delivered in a tarball file, that contains linkable software library and the API declared in the header files, as well as documentation. To install the library, an operator needs to unpack the tarball to target directory of its choice. Following command should be used: mkdir -p /opt/pqshield/pqcryptolib tar xvf pqcryptolib_v1.0.0.0_amd64_linux.tar.gz \ -C /opt/pqshield/pqcryptolib An application that wishes to use the Module includes pqcl.h and fips.h header files in its source code and link the application against binary file of the Module. The Module is initialized by the Application, by calling the Module Initialization service. That function must be called and finished before any other API function of the module is used. Error code returned by the function must be checked. In case of successful initialization, the function returns PQCL_SUCCESS code and any other code returned by the function indicates initialization failure. The deinitialization of the library is done by the Application by calling the Zeroization service. The initialization process automatically detects and enables PAA if available. To disable PAA operator must call the pqcl_disable_hwa() service. The service can be called only after successful initialization of the library.
This software module has no specific requirements regarding maintenance. The module is disposed by deleting the binary file of the Module.
Both Administrator and non-Administrator guidance is provided in the Users Manual, which is delivered with the Module.
When the Module is at end of life, the customers of the Module are informed via PQShield’s customer service capabilities. After the 6-month window, the access rights to the FIPS branch in a repository storing the source code of the Module are change to more restrictive, so that only administrators can access and read from the FIPS branch of the Module. This effectively makes it impossible to release new version of the Module. The Module does not possess persistent storage of SSPs. The SSP value only exists in volatile memory and that value vanishes when the Module is powered off. The secure sanitization of the Module is done by powering the Module off. The deprecation of the Module is done by upgrading it to the newer version. During upgrade process the old version of the Module is removed and replaced with a new version. Document Version 1.0.0 PQShield Public Material
PQCryptoLib 12. Mitigation of Other Attacks The Module is not designed to mitigate against other attacks. Document Version 1.0.0 PQShield Public Material
| Abbreviation | Full Specification Name |
|---|---|
| [FIPS140-3] | Security Requirements for Cryptographic Modules, March 22, 2019 |
| [ISO19790] | International Standard, ISO/IEC 19790, Information technology — Security techniques — Test requirements for cryptographic modules, Third edition, March 2017 |
| [ISO24759] | International Standard, ISO/IEC 24759, Information technology — Security techniques — Test requirements for cryptographic modules, Second and Corrected version, 15 December 2015 |
| [IG] | Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program, October 7, 2022 |
| [108] | NIST Special Publication 800-108r1, Recommendation for Key Derivation Using Pseudorandom Functions (Revised), August 2022 |
| [133] | NIST Special Publication 800-133, Recommendation for Cryptographic Key Generation, Revision 2, June 2020 |
| [135] | National Institute of Standards and Technology, Recommendation for Existing Application-Specific Key Derivation Functions, Special Publication 800-135rev1, December 2011. |
| [186] | National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-4, July 2013. |
| [198] | National Institute of Standards and Technology, The Keyed-Hash Message Authentication Code (HMAC), Federal Information Processing Standards Publication 198-1, July, 2008 |
| [180] | National Institute of Standards and Technology, Secure Hash Standard, Federal Information Processing Standards Publication 180-4, August, 2015 |
| [202] | FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION, SHA3 Standard: Permutation-Based Hash and Extendable-Output Functions, FIPS PUB 202, August 2015 |
| [56Ar3] | NIST Special Publication 800-56A Revision 3, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, April 2018 |
| [56Br2] | NIST Special Publication 800-56B Revision 2, Recommendation for Pair-Wise Key Establishment Schemes Using Finite Field Cryptography, March 2019 |
| [56Cr2] | NIST Special Publication 800-56C Revision 2, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, August 2020 |
PQCryptoLib 13. References and Definitions The following standards are referred to in this Security Policy. Table 19
| Abbreviation | Full Specification Name |
|---|---|
| [90A] | National Institute of Standards and Technology, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, Special Publication 800-90A, Revision 1, June 2015. |
| [90B] | National Institute of Standards and Technology, Recommendation for the Entropy Sources Used for Random Bit Generation, Special Publication 800-90B, January 2018. |
| [90C] | Recommendation for Random Bit Generator (RBG) Constructions (2nd Draft), Special Publication 800-90C (2nd Draft), April 2016 |
| [RFC5869] | Internet Engineering Task Force specification of “HMAC-based Extract-and-Expand Key Derivation Function” by H. Krawczyk, P. Eronen, May 2010. Citated by [56Cr2]. |
| [TLSACVP] | “ACVP TLS Key Derivation Function JSON Specification”, https://pages.nist.gov/ACVP/draft-hammett-acvp-kdf-tls-v1.3.html |
| [RFC8446] | Internet Engineering Task Force specification of "The Transport Layer Security (TLS) Protocol Version 1.3“, https://datatracker.ietf.org/doc/html/rfc8446 |
| Acronym | Definition |
|---|---|
| APT | Adaptative Proportion Test |
| DKM | Derived Keying Material. Output of expansion step in two-step key derivation procedure |
| GPC | General Purpose Computer |
| KAT | Know Answer Test |
| KDK | Key Derivation Key. Output from extraction step in two-step key derivation procedure |
| KEM | Key Encapsulation Mechanism |
| PCT | Pair-wise Consistency Test |
| POSIX | Portable Operating System Interface |
| PSK | Pre-shared key as defined by [RFC8446] |
| RCT | Repetition Count Test |
| SSP | Sensitive Security Parameter |
PQCryptoLib Table 20