Secret cryptographic keying material may be electronically established between parties by using a key-establishment scheme—a procedure that results in secret keying material being shared among different parties. A newly released NIST publication, Special Publication (SP) 800-56A Revision 3, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, specifies key-establishment schemes based on the discrete logarithm problem over finite fields and elliptic curves, including several variations of Diffie-Hellman (DH) and Menezes-Qu-Vanstone (MQV) key-establishment schemes. The publication approves the use of specific safe-prime groups of domain parameters for the finite field DH and MQV schemes, in addition to the previously approved domain parameter sets. For the elliptic curve DH and MQV schemes, the publication provides an approved list of the domain parameters.
NIST is also releasing Special Publication 800-56C Revision 1, Recommendation for Key-Derivation Methods in Key-Establishment Schemes, which specifies techniques for the derivation of keying material from a shared secret established during a key-establishment scheme defined in SP 800-56A or SP 800-56B, Recommendation for Pair-Wise Key Establishment Using Integer Factorization Cryptography (please note that SP 800-56B is undergoing revision to accommodate this reorganization).
SP 800-56C Rev. 1 specifies two categories of key-derivation methods that derive keying material from a shared secret generated during the execution of a key-establishment scheme. The first category consists of hash-based key-derivation functions, including the recently approved KMAC128 and KMAC256 functions. The second category consists of two-step key-derivation methods that involve the following two steps: 1) randomness extraction, to obtain a single cryptographic key-derivation key, and 2) key expansion, to derive keying material from that key-derivation key and other information.
All methods specified in the previous version of SP 800-56A (Rev. 2) for key derivation of secret keying material from a shared secret computed during a key-agreement scheme have been moved to SP 800-56C Rev. 1.