*Bounty: 50*

NIST 800-56A rev3 "Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography", in section 5.6.2.2.3.2 "Recipient Obtains Assurance [of the Static Private Key] Directly from the Claimed Owner (i.e., the Other Party)", requires 2 conditions to be met during a key-agreement transaction for the "Public Key Recipient" to prove that the other party possesses the corresponding private key. Basically, the PKR needs to contribute an ephemeral key (condition 1) and confirm the agreed-upon key is also shared by the other party (condition 2).

As far as I understand, as long as these 2 conditions are met we don't need to explicitly check the private key possession by other methods, i.e. no additional challenge/response is required, as the calculations already prove the possession. Then it lists the schemes that satisfy both conditions as all of the C(1e, 2s) and C(1e, 1s) schemes, but none of the C(2e, 2s) schemes, with the requirement "**shall** employ one of the following".

Adding to the confusion, in the assumptions of C(1e, 2s) schemes it requires the assumption 6 "The recipient of a static public key has obtained assurance that its (claimed) owner is (or was) in possession of the corresponding static private key, as specified in Section 5.6.2.2.3." "**shall** be true".

My questions are:

- The key agreement calculations with key confirmation also prove the possession of the static private key, so there is no need to ask other questions to the other party. Is this correct?
- C(2e, 2s) schemes with bilateral key confirmation should also satisfy the given conditions, right?
- It seems to me C(0e, 2s) schemes with bilateral key confirmation should also prove the possession of the static private key. Why is the ephemeral key required?
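
The two conditions described in the question, sketched as an added example for a C(1e, 1s)-style exchange (this is not code from NIST SP 800-56A or from the original post). Assumptions: a toy prime group far too small for real use, a single SHA-256 call standing in for the approved KDF, a simplified MacData layout, and hypothetical function and party names.

```python
import hashlib, hmac, secrets

# Toy FFC domain parameters, constructed for illustration only (not secure sizes).
P = 2**127 - 1          # a Mersenne prime
G = 3

def keypair():
    """Return (private, public) with public = G^private mod P."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def to_bytes(n):
    return n.to_bytes(16, "big")

def mac_key_from(z, id_u, id_v):
    # Stand-in for the approved KDF: one hash over Z and the party identifiers.
    return hashlib.sha256(b"KDF" + to_bytes(z) + id_u + id_v).digest()

def confirmation_tag(mac_key, id_v, id_u, eph_u_pub):
    # Simplified MacData: label, both identifiers and U's ephemeral public key.
    mac_data = b"KC_1_V" + id_v + id_u + to_bytes(eph_u_pub)
    return hmac.new(mac_key, mac_data, hashlib.sha256).digest()

def responder_tag(static_priv, eph_u_pub, id_u, id_v):
    """V's side: computes Z = t_U^x_V, which requires a static private key."""
    z = pow(eph_u_pub, static_priv, P)
    return confirmation_tag(mac_key_from(z, id_u, id_v), id_v, id_u, eph_u_pub)

def recipient_accepts(eph_u_priv, eph_u_pub, static_v_pub, tag, id_u, id_v):
    """U's side: Z = y_V^r_U, then compare the received MacTag in constant time."""
    z = pow(static_v_pub, eph_u_priv, P)
    expected = confirmation_tag(mac_key_from(z, id_u, id_v), id_v, id_u, eph_u_pub)
    return hmac.compare_digest(expected, tag)

def run_demo():
    id_u, id_v = b"party-U", b"party-V"
    x_v, y_v = keypair()        # V's static key pair
    r_u, t_u = keypair()        # U's fresh ephemeral key pair (condition 1)
    honest = responder_tag(x_v, t_u, id_u, id_v)       # key confirmation (condition 2)
    wrong_priv, _ = keypair()   # a responder that knows y_V but not x_V
    forged = responder_tag(wrong_priv, t_u, id_u, id_v)
    return (recipient_accepts(r_u, t_u, y_v, honest, id_u, id_v),
            recipient_accepts(r_u, t_u, y_v, forged, id_u, id_v))

if __name__ == "__main__":
    print(run_demo())
```

Because U's ephemeral key is fresh for each transaction, the tag is bound to this run: a tag recorded for one value of t_U does not verify against another.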