pdf-association / pdf-issues

Industry-based resolutions for issues and errata reported against any PDF-related specification
https://pdf-issues.pdfa.org/

TS 32001/32002 used SHAKE256 algorithm identifier #404

Open bsanchezb opened 2 weeks ago

bsanchezb commented 2 weeks ago

Describe the bug

ISO 32001 and ISO 32002 define a requirement for the used SHAKE256 algorithm identifier which looks contradictory to the specification defined in RFC 8419.

In particular, ISO 32001 defines that a digest algorithm with OID id-shake256 shall be used:

5.1.4 Changes to ISO 32000-2:2020, Table 260 — SubFilter value algorithm support ... SHAKE256 (PDF 2.x). When SHAKE256 is specified, the message digest algorithm identified by the id-shake256 object identifier (OID) in section 2.3 of RFC 8419 shall be used.

and similarly in ISO 32002:

Table 2 — Additional permitted SubFilter values for ISO 32000-2:2020, Table 260 When using the Ed25519 EdDSA elliptic curve algorithm, the message digest shall be computed using the SHA512 message digest algorithm with OID id-sha512 as defined in IETF RFC 8419:2018, 2.3. When using the Ed448 EdDSA elliptic curve algorithm, the message digest shall be computed using the SHAKE256 message digest algorithm with OID id-shake256 as defined in IETF RFC 8419:2018, 2.3.

and:

Table 4 — Supported EdDSA elliptic curves Ed448 SHAKE256 Message digests shall be calculated using the fixed length id-shake256 message digest algorithm in accordance with ISO/TS 32001.

RFC 8419, however, specifies that a digest algorithm with identifier id-shake256-len shall be used when signing a CMS with signed attributes (which is mandatory for CAdES signatures):

3.1. Signed-data Conventions with Signed Attributes The SignerInfo digestAlgorithm field includes the identifier of the message digest algorithms used by the signer. When signing with Ed25519, the digestAlgorithm MUST be id-sha512, and the algorithm parameters field MUST be absent. When signing with Ed448, the digestAlgorithm MUST be id-shake256-len, the algorithm parameters field MUST be present, and the parameter MUST contain 512, encoded as a positive integer value.

This limits the applicability of ISO 32002 in particular to CMS signatures without signed attributes (not CAdES conformant).

Is it an intentional limitation of the standard, or is my interpretation of the standard not entirely correct? And how should one proceed when creating a CAdES conformant signature with Ed448 + id-shake256-len algorithm?

Additional context

The question was originally raised at EU eSig DSS JIRA.

MatthiasValvekens commented 2 weeks ago

Well, this is embarrassing... This one is probably on me 😓.

I remember raising the issue of which OID to use as a point of discussion at a fairly late stage of the process for both of these standards, and I remember going to look it up in that very same RFC, but I must've missed the fact that the requirement for CMS with signed attrs is opposite from the one without. (I would be very interested to know the rationale behind that distinction in CMS, though... it feels a bit arbitrary)

That said, I don't think we have much of a choice: we need to follow the CMS spec. I suggest changing the requirement (perhaps with a note) to use id-shake256-len with the length set to 512 bits if/when we roll this TS into "core" 32k.

Note that this changes nothing from the cryptographic PoV, it's purely a difference in the way the algorithm choice is presented to the consuming processor.
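To make the difference between the two identifiers concrete (the question above, and the remark that it changes nothing cryptographically), here is an added example that is not part of this issue thread or of any PDF Association text. It DER-encodes both AlgorithmIdentifier forms from RFC 8419 section 2.3, checks a SignerInfo digestAlgorithm against the section 3.1 rule quoted above (and the section 3.2 rule for the no-signed-attributes case, which requires id-shake256 with absent parameters), and shows that the 512-bit SHAKE256 digest bytes are the same whichever identifier labels them. The OID values are the real ones from RFC 8419; the helper function names and the sample input are constructed for this illustration.

```python
import hashlib

# Algorithm identifiers from RFC 8419 section 2.3 (NIST hashAlgs arc 2.16.840.1.101.3.4.2)
OID_SHA512 = "2.16.840.1.101.3.4.2.3"
OID_SHAKE256 = "2.16.840.1.101.3.4.2.12"      # fixed 512-bit output, parameters absent
OID_SHAKE256_LEN = "2.16.840.1.101.3.4.2.18"  # output length carried as an INTEGER parameter


def _der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    content = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        content += chunk
    return b"\x06" + _der_len(len(content)) + bytes(content)


def der_integer(value: int) -> bytes:
    """Encode a non-negative INTEGER; the extra 8 bits keep the sign bit clear."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def algorithm_identifier(oid: str, params: bytes = b"") -> bytes:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    content = der_oid(oid) + params
    return b"\x30" + _der_len(len(content)) + content


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    else:
        pos += 2
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Decode OID content octets (first octet split as 40*X+Y, enough for arc 2.16...)."""
    arcs = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_algorithm_identifier(der: bytes):
    """Return (dotted_oid, raw_parameter_bytes) from a DER AlgorithmIdentifier."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid_content, pos = _read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("first SEQUENCE element must be an OBJECT IDENTIFIER")
    return decode_oid(oid_content), seq[pos:]


def check_ed448_digest_algorithm(der: bytes, signed_attrs: bool) -> bool:
    """Validate SignerInfo.digestAlgorithm for Ed448 per RFC 8419 sections 3.1 and 3.2."""
    oid, params = parse_algorithm_identifier(der)
    if signed_attrs:
        # 3.1: id-shake256-len, parameters present and equal to INTEGER 512
        return oid == OID_SHAKE256_LEN and params == der_integer(512)
    # 3.2: id-shake256, parameters absent
    return oid == OID_SHAKE256 and params == b""


def shake256_512(data: bytes) -> bytes:
    """The 64-byte SHAKE256 output that both identifiers denote."""
    return hashlib.shake_256(data).digest(64)


if __name__ == "__main__":
    iso_style = algorithm_identifier(OID_SHAKE256)                       # what ISO 32001/32002 name
    rfc_style = algorithm_identifier(OID_SHAKE256_LEN, der_integer(512))  # what RFC 8419 s3.1 requires
    sample = b"constructed sample: DER of signedAttrs would go here"
    print("id-shake256     :", iso_style.hex())
    print("id-shake256-len :", rfc_style.hex())
    print("valid with signed attrs:", check_ed448_digest_algorithm(rfc_style, True),
          check_ed448_digest_algorithm(iso_style, True))
    print("digest identical either way:", shake256_512(sample).hex()[:32], "...")
```

The checker is the part a validating processor would need: it accepts the ISO-style identifier only for the no-signed-attributes case and the RFC-style identifier (with the 512 parameter) only when signed attributes are present, which is exactly the interoperability gap the issue describes.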

bsanchezb commented 2 weeks ago

@MatthiasValvekens , thank you for the quick reply.

So it looks more like an issue in the standard. Maybe a new version of the TS is possible with the fix in the requirement, in case an update of ISO 32000 is not planned in the near term? It would be nice to have it written formally somewhere for better interoperability.

petervwyatt commented 2 weeks ago

The PDF Association's Digital Signature TWG will take the lead on getting an agreed resolution ASAP. The PDF Association can then immediately publish that industry-recommended guidance to all via https://pdf-issues.pdfa.org/ and via our sponsored standards.

The ISO committees just met last week so timing is poor for formally initiating dated revisions or amendments. ISO committees next meet in Nov 2024, but it will still take many months to work through ISO processes.