SHA3 is not a viable option yet. SHA3 is required in order to permit SHAKE, which is required in order to support Ed448 (as per #325). This request purposefully only adds SHA3 to the FCS_COP.1/Hash and does not affect FCS_COP.1/KeyedHash, FCS_RBG_EXT.1, or any cryptographic protocol SFR. A new optional SFR is included, FCS_COP.1/XOF to cleanly separate the SHA family of hashing functions from the differences in the SHAKE XOFs while not creating too much differences in the normal FCS_COP.1/Hash we've come to get used to.
Recommend the following changes to the cPP:
FCS_COP.1/HashFCS_COP.1.1/Hash The TSF shall perform cryptographic hashing services in accordance with a specified cryptographic algorithm [selection: SHA-1, SHA2-256, SHA2-384, SHA2-512, SHA3-256, SHA3-384, SHA3-512] and cryptographic key sizes [assignment: cryptographic key sizes] and message digest sizes [selection: 160, 256, 384, 512] bits that meet the following: ISO/IEC 10118-3:2018.
[To be considered an optional SFR]
FCS_COP.1/XOFFCS_COP.1.1/XOF The TSF shall perform cryptographic extendable-output functions in accordance with a specified cryptographic algorithm [selection: SHAKE128, SHAKE256] and cryptographic key sizes [assignment: cryptographic key sizes] and output sizes in the range of [assignment: lower to upper range] bits that meet the following: FIPS PUB 202.
_Application Note: This SFR must be claimed when Ed448 is claimed from FCSCOP.1/SigGen. It is permissible for the lower and upper range to be identical, such as defining a fixed output length.
For the SD, update the test AAs to include the following:
FCS_COP.1/Hash
Modify the existing test specifications to label the existing "Short Messages Test", "Selection Long Messages Test" and "Pseudorandomly Generated Messages" tests as applicable only to SHA and SHA2. The preamble describing the modes the test cases can operate in is applicable to all SHA, SHA2 and SHA3 implementations.
[conditional: for SHA3 only]
Short Messages Test- Bit-oriented Mode
The evaluators devise an input set consisting of m+1 messages, where m is the rate of the hash algorithm. The length of the messages range sequentially from 0 to m bits (or 1 to m bits, if zero-length is not supported by the hash function). The message text shall be pseudorandomly generated. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Short Messages Test- Byte-oriented Mode
The evaluators devise an input set consisting of m/8+1 messages, where m is the rate of the hash algorithm. The length of the messages range sequentially from 0 to m/8 bytes (or 1 to m/8 bytes, if zero-length is not supported by the hash function), with each message being an integral number of bytes. The message text shall be pseudorandomly generated. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Selected Long Messages Test- Bit-oriented Mode
The evaluators devise an input set consisting of 100 messages. Each message ranges in Len size from rate+(rate+1) <= Len <= rate+(100*(rate+1) ) incrementing by rate+1. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Selected Long Messages Test- Byte-oriented Mode
The evaluators devise an input set consisting of 100 messages. Each message ranges in Len size from rate+(rate+8) <= Len <= rate+(100*(rate+8) ) incrementing by rate+8. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Pseudorandomly Generated Messages Test
This test is for byte-oriented implementations only. The evaluators randomly generate a seed that is n bits long. The seed is used as the initial input to the hashing function. The evaluators then formulate a set of 100 messages and associated digests by following the algorithm provided in [SHA3MCT-ACVP]. The evaluators then ensure that the correct result is produced when the messages are provided to the TSF.
Large Data Test
The evaluators devise an input set consisting of messages which are equal to or larger than 2^33 bits. The message text can be generated psuedorandomly or use a repeating bit pattern. The evaluators then ensure that the correct result is produced when the messages are provided to the TSF.
[To be considered an optional SFR]
FCS_COP.1/XOFTSS
The evaluator shall check that the association of the XOF with other TSF cryptographic functions (for example, the digital signature verification function) is documented in the TSS.
AGD
The evaluator checks the AGD documents to determine that any configuration that is required to configure the required XOF output size is present.
Tests
The TSF XOF must be capable of fixed-length output and can be implemented in one of two modes. The first mode is the byte-oriented mode. In this mode the TSF processes messages that are an integral number of bytes in length; i.e., the length (in bits) of the message to be processed is divisible by 8. The second mode is the bit-oriented mode. In this mode the TSF processes messages of arbitrary length. As there are different tests for each mode, an indication is given in the following sections for the bit-oriented vs. the byte-oriented tests. In all cases the length of the output must be the length of the security strength (128 bits for SHAKE128 and 256 bits for SHAKE256).
The evaluator shall perform all of the following tests for each XOF algorithm implemented by the TSF and used to satisfy the requirements of this PP.
Short Messages Test- Bit-oriented Mode
The evaluators devise an input set consisting of 2*m+1 messages, where m is the rate of the XOF algorithm. The length of the messages range sequentially from 0 to m bits (or 1 to m bits, if zero-length is not supported by the hash function). The message text shall be pseudorandomly generated. The evaluators compute the output for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Short Messages Test- Byte-oriented Mode
The evaluators devise an input set consisting of 2*m/8+1 messages, where m is the rate of the XOF algorithm. The length of the messages range sequentially from 0 to m/8 bytes (or 1 to m/8 bytes, if zero-length is not supported by the XOF), with each message being an integral number of bytes. The message text shall be pseudorandomly generated. The evaluators compute the output for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Selected Long Messages Test- Bit-oriented Mode
The evaluators devise an input set consisting of 100 messages. Each message ranges in Len size from rate+(rate+1) <= Len <= rate+(100*(rate+1) ) incrementing by rate+1. The evaluators compute the output for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Selected Long Messages Test- Byte-oriented Mode
The evaluators devise an input set consisting of 100 messages. Each message ranges in Len size from rate+(rate+8) <= Len <= rate+(100*(rate+8) ) incrementing by rate+8. The evaluators compute the output for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Pseudorandomly Generated Messages Test
This test is for byte-oriented implementations only. The evaluators randomly generate a seed that is 128 bits long. The seed is used as the initial input to the XOF. The evaluators then formulate a set of 100 messages and associated digests by following the algorithm provided in [SHA3MCT-ACVP]. The evaluators then ensure that the correct result is produced when the messages are provided to the TSF.
Variable Output Test - Bit-oriented Mode
The evaluators will devise an input set consisting of messages corresponding to the security strength of the XOF, i.e., for SHAKE128, the input message length will be 128 bits; for SHAKE256, the input message length will be 256 bits. Given an output bit range between MinRange and MaxRange bits, read the message into the XOF algorithm and generate the output of the given output length.
Variable Output Test - Byte-oriented Mode
The evaluators will devise an input set consisting of messages corresponding to the security strength of the XOF, i.e., for SHAKE128, the input message length will be 128 bits; for SHAKE256, the input message length will be 256 bits. Given an output bit range between MinRange and MaxRange bits, such that the output is a multiple of 8 bits, read the message into the XOF algorithm and generate the output of the given output length.
SHA3 is not a viable option yet. SHA3 is required in order to permit SHAKE, which is required in order to support Ed448 (as per #325). This request purposefully only adds SHA3 to the FCS_COP.1/Hash and does not affect FCS_COP.1/KeyedHash, FCS_RBG_EXT.1, or any cryptographic protocol SFR. A new optional SFR is included, FCS_COP.1/XOF to cleanly separate the SHA family of hashing functions from the differences in the SHAKE XOFs while not creating too much differences in the normal FCS_COP.1/Hash we've come to get used to.
Recommend the following changes to the cPP:
FCS_COP.1/Hash FCS_COP.1.1/Hash The TSF shall perform cryptographic hashing services in accordance with a specified cryptographic algorithm [selection: SHA-1, SHA2-256, SHA2-384, SHA2-512, SHA3-256, SHA3-384, SHA3-512]
and cryptographic key sizes [assignment: cryptographic key sizes]and message digest sizes [selection: 160, 256, 384, 512] bits that meet the following: ISO/IEC 10118-3:2018.[To be considered an optional SFR] FCS_COP.1/XOF FCS_COP.1.1/XOF The TSF shall perform cryptographic extendable-output functions in accordance with a specified cryptographic algorithm [selection: SHAKE128, SHAKE256]
and cryptographic key sizes [assignment: cryptographic key sizes]and output sizes in the range of [assignment: lower to upper range] bits that meet the following: FIPS PUB 202._Application Note: This SFR must be claimed when Ed448 is claimed from FCSCOP.1/SigGen. It is permissible for the lower and upper range to be identical, such as defining a fixed output length.
For the SD, update the test AAs to include the following: FCS_COP.1/Hash Modify the existing test specifications to label the existing "Short Messages Test", "Selection Long Messages Test" and "Pseudorandomly Generated Messages" tests as applicable only to SHA and SHA2. The preamble describing the modes the test cases can operate in is applicable to all SHA, SHA2 and SHA3 implementations.
[conditional: for SHA3 only] Short Messages Test- Bit-oriented Mode The evaluators devise an input set consisting of m+1 messages, where m is the rate of the hash algorithm. The length of the messages range sequentially from 0 to m bits (or 1 to m bits, if zero-length is not supported by the hash function). The message text shall be pseudorandomly generated. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Short Messages Test- Byte-oriented Mode The evaluators devise an input set consisting of m/8+1 messages, where m is the rate of the hash algorithm. The length of the messages range sequentially from 0 to m/8 bytes (or 1 to m/8 bytes, if zero-length is not supported by the hash function), with each message being an integral number of bytes. The message text shall be pseudorandomly generated. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Selected Long Messages Test- Bit-oriented Mode The evaluators devise an input set consisting of 100 messages. Each message ranges in Len size from rate+(rate+1) <= Len <= rate+(100*(rate+1) ) incrementing by rate+1. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Selected Long Messages Test- Byte-oriented Mode The evaluators devise an input set consisting of 100 messages. Each message ranges in Len size from rate+(rate+8) <= Len <= rate+(100*(rate+8) ) incrementing by rate+8. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Pseudorandomly Generated Messages Test This test is for byte-oriented implementations only. The evaluators randomly generate a seed that is n bits long. The seed is used as the initial input to the hashing function. The evaluators then formulate a set of 100 messages and associated digests by following the algorithm provided in [SHA3MCT-ACVP]. The evaluators then ensure that the correct result is produced when the messages are provided to the TSF.
NOTE: Add https://pages.nist.gov/ACVP/draft-celi-acvp-sha3.html#name-sha3-monte-carlo-test as the reference to [SHA3MCT-ACVP] in section 7 of the cPP as it defines an updated algorithm after SHA3VS was published.
Large Data Test The evaluators devise an input set consisting of messages which are equal to or larger than 2^33 bits. The message text can be generated psuedorandomly or use a repeating bit pattern. The evaluators then ensure that the correct result is produced when the messages are provided to the TSF.
NOTE: Unfortunately, the SHA3VS document in https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/sha3/sha3vs.pdf doesn't describe the large message test as this was added after the fact. The large message test is rationalized in https://eprint.iacr.org/2019/1421.pdf and instantiated using NIST's ACVP validation system. Details were pulled from https://pages.nist.gov/ACVP/draft-celi-acvp-sha3.html#name-large-data-tests-for-sha-3.
[To be considered an optional SFR] FCS_COP.1/XOF TSS The evaluator shall check that the association of the XOF with other TSF cryptographic functions (for example, the digital signature verification function) is documented in the TSS.
AGD The evaluator checks the AGD documents to determine that any configuration that is required to configure the required XOF output size is present.
Tests The TSF XOF must be capable of fixed-length output and can be implemented in one of two modes. The first mode is the byte-oriented mode. In this mode the TSF processes messages that are an integral number of bytes in length; i.e., the length (in bits) of the message to be processed is divisible by 8. The second mode is the bit-oriented mode. In this mode the TSF processes messages of arbitrary length. As there are different tests for each mode, an indication is given in the following sections for the bit-oriented vs. the byte-oriented tests. In all cases the length of the output must be the length of the security strength (128 bits for SHAKE128 and 256 bits for SHAKE256).
The evaluator shall perform all of the following tests for each XOF algorithm implemented by the TSF and used to satisfy the requirements of this PP.
Short Messages Test- Bit-oriented Mode The evaluators devise an input set consisting of 2*m+1 messages, where m is the rate of the XOF algorithm. The length of the messages range sequentially from 0 to m bits (or 1 to m bits, if zero-length is not supported by the hash function). The message text shall be pseudorandomly generated. The evaluators compute the output for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Short Messages Test- Byte-oriented Mode The evaluators devise an input set consisting of 2*m/8+1 messages, where m is the rate of the XOF algorithm. The length of the messages range sequentially from 0 to m/8 bytes (or 1 to m/8 bytes, if zero-length is not supported by the XOF), with each message being an integral number of bytes. The message text shall be pseudorandomly generated. The evaluators compute the output for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Selected Long Messages Test- Bit-oriented Mode The evaluators devise an input set consisting of 100 messages. Each message ranges in Len size from rate+(rate+1) <= Len <= rate+(100*(rate+1) ) incrementing by rate+1. The evaluators compute the output for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Selected Long Messages Test- Byte-oriented Mode The evaluators devise an input set consisting of 100 messages. Each message ranges in Len size from rate+(rate+8) <= Len <= rate+(100*(rate+8) ) incrementing by rate+8. The evaluators compute the output for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Pseudorandomly Generated Messages Test This test is for byte-oriented implementations only. The evaluators randomly generate a seed that is 128 bits long. The seed is used as the initial input to the XOF. The evaluators then formulate a set of 100 messages and associated digests by following the algorithm provided in [SHA3MCT-ACVP]. The evaluators then ensure that the correct result is produced when the messages are provided to the TSF.
NOTE: Add https://pages.nist.gov/ACVP/draft-celi-acvp-sha3.html#name-sha3-monte-carlo-test as the reference to [SHA3MCT-ACVP] in section 7 of the cPP.
Variable Output Test - Bit-oriented Mode The evaluators will devise an input set consisting of messages corresponding to the security strength of the XOF, i.e., for SHAKE128, the input message length will be 128 bits; for SHAKE256, the input message length will be 256 bits. Given an output bit range between MinRange and MaxRange bits, read the message into the XOF algorithm and generate the output of the given output length.
Variable Output Test - Byte-oriented Mode The evaluators will devise an input set consisting of messages corresponding to the security strength of the XOF, i.e., for SHAKE128, the input message length will be 128 bits; for SHAKE256, the input message length will be 256 bits. Given an output bit range between MinRange and MaxRange bits, such that the output is a multiple of 8 bits, read the message into the XOF algorithm and generate the output of the given output length.