CAVP - NIST ACVTS - Are you still with me?

author avatar
Photo by Markus Spiske on Unsplash

Photo by Markus Spiske on Unsplash

How “Acronym Soup” Serves Up Big Security Advantages.

This article was first published on

Let’s start at the top: NIST is the National Institute of Standards and Technologies, a US government agency that promotes innovation and industrial competitiveness by advancing measurement science, standards, and technology. CAVP is the NIST Cryptographic Algorithm Validation Program, which is part of the NIST certification effort for cryptographic components. The NIST test system uses the Automated Cryptographic Validation Protocol, or ACVP, to communicate the capabilities of the components to the NIST Automated Cryptographic Validation Test System (ACVTS) server, receive test vectors, send the responses and receive the result. Whew! Still with me?

Before you write all of this off as so much “acronym soup,” it’s important to know that this national, self-service, cryptographic-algorithm testing system performs an important function for the entire supply chain. This system helps assure that devices that contain cryptographic components will function as they should. Virtually every device on the internet of things (IoT) has a cryptographic component. Having the server and testing protocols available from an agency such as NIST makes testing and certification easier and more reliable for any device that needs Federal Information Processing Standard (FIPS) validation. The ACVP testing is a critical condition for passing the final FIPS 140-2, or the newer FIPS 140-3, certification process.

The ACVP replaces the Cryptographic Algorithm Validation System (CAVS), which was retired on 30 June 2020, and is designed to accelerate the validation process for vendors. The ACVP, as a self-serve testing system, reduces the role of a National Voluntary Laboratory Accreditation Program (NVLAP)-accredited Cryptographic and Security Testing (CST) Laboratory in the tedious and repetitive algorithm testing stage. Vendors still have to qualify, apply for and receive credentials, as well as learn the platform and execute testing. However, once they are up and running, they can use ACVP to prequalify their product, before having it formally validated by a CST Lab. This significantly simplifies and speeds up the certification process.

For vendors of cryptographic components, this means more predictable testing schedules, and the ability to seek validation of cryptographic algorithms early in the design process. For device manufacturers who incorporate cryptographic components into their devices, this means reduced risk and higher confidence in passing FIPS validations. These device manufacturers can look for components that are “ACVP-ready” and know that the cryptographic functions have been proven and validated.

The QuiddiKey® “Lab Test” Interface

Intrinsic ID QuiddiKey is a hardware IP solution that uses an SRAM PUF, a physical unclonable function based on the device-unique properties of SRAM start-up values, to create cryptographic keys to protect devices, as well as their data and their connections with other devices and/or the cloud. Recently, Intrinsic ID released a QuiddiKey configuration that includes a “Lab Test” interface, a capabilities registration JSON file and documentation that together enable users to test of all the cryptographic functions with the NIST server, validating that QuiddiKey, as integrated on their chip, faithfully executes the cryptographic functions it supports according to the applicable NIST specification.

An example of such a test system is shown below. The Test Master is usually a PC, running software that communicates with the NIST ACV Server and with the device under test (DUT) – in this case a device with a QuiddiKey implementation. In this example, the DUT Design includes a microcontroller that runs a DUT Server. The Test Master has access to a JSON file that describes the capabilities of QuiddiKey. The format of the JSON file is described in the ACVP documentation. The Test Master requests vectors from the ACV Server, which sends the vectors to the Test Master, which then sends the received vectors to the DUT Server, which sends the vectors to QuiddiKey. QuiddiKey sends a response to the DUT Server, which is forwarded back through the chain to the ACV Server, which validates the correctness of the response and sends that result back to the Test Master.

Example of a test system that communicates with NIST ACV Server


Streamlining Validation Helps the Whole Supply Chain

While the new testing procedures using the new ACVTS can still seem complex, they are significantly streamlined from the CAV service, which needed to be performed fully by an accredited CST lab. The result is a faster, easier process and higher confidence for the entire supply chain. And users who need to pass FIPS validation can use QuiddiKey knowing that it is ready for NIST CAVP certification. SVGTU (sounds very good to us)!

Intrinsic ID develops security IP solutions based on PUF technology to secure connected devices, their data and their communications. Its solutions are being used in MCUs, MPUs, FPGAs, data center chips, secure elements, sensors etc. Learn more at

More by Intrinsic ID

Intrinsic ID is the world’s leading provider of security IP for embedded systems based on physical unclonable function or PUF technology. The technology provides an additional level of hardware security utilizing the inherent uniqueness in each and every silicon chip. The IP can be delivered in hard...