NIAP: View Technical Decision Details
Archived TD0426:  Correction of Inconsistency with RFC7748

Publication Date
2019.06.24

Protection Profiles
PP_MD_V3.1

Other References
FCS_CKM.1

Issue Description

In the Assurance Activities for FCS_CKM.1, the Key Generation for Curve25519 tests are inconsistent with RFC 7748. The tests do not account for the fact that the bytes should be written and decoded in little-endian order (least significant byte first).

Resolution

09/03/2020 - This TD is archived and was superseded by TD0502.

The Curve25519 Assurance Activity is modified as follows:

Key Generation for Curve25519

The evaluator shall require the implementation under test (IUT) to generate 10 private/public key pairs. The private key shall be generated as specified in RFC 7748 using an approved random bit generator (RBG) and shall be written in little-endian order (least significant byte first). To determine correctness, the evaluator shall submit the generated key pairs to the public key verification (PKV) function of a known good implementation.


Note: Assuming the PKV function of the good implementation will (using little-endian order):

a. confirm the private and public keys are 32-byte values
b. confirm the three least significant bits of the first byte of the private key are zero
c. confirm the most significant bit of the last byte is zero
d. confirm the second most significant bit of the last byte is one
e. calculate the expected public key from the private key and confirm it matches the supplied public key


The evaluator shall generate 10 private/public key pairs using the key generation function of a known good implementation and modify 5 of the public key values so that they are incorrect, leaving five values unchanged (i.e. correct). The evaluator shall obtain in response a set of 10 PASS/FAIL values.

Justification

The Assurance Activity should be consistent with the RFC and adopt its terminology to minimize confusion.
