usnistgov / ACVP-Server

A repository tracking releases of NIST's ACVP server. See www.github.com/usnistgov/ACVP for the protocol.

SHAKE: input/output length restrictions not applied #234

Closed smuellerDD closed 1 year ago

smuellerDD commented 1 year ago

environment Demo

testSessionId 321960

vsId 1237210, 1237211

Algorithm registration SHAKE 128:

"messageLength":[
  {
    "min":1344,
    "max":13440,
    "increment":1344
  }
],
"outputLen":[
  {
    "min":1344,
    "max":13440,
    "increment":1344
  }
]

SHAKE256:

"messageLength":[
  {
    "min":1088,
    "max":10880,
    "increment":1088
  }
],
"outputLen":[
  {
    "min":1088,
    "max":10880,
    "increment":1088
  }
]

Returned data:

livebe01 commented 1 year ago

Hi, @smuellerDD, per Table 3 of the spec, messageLength is not a valid registration property for SHAKE.

I'm not seeing the issue with the output length. See tcId 217 for 1237210 and tcId 197 for 1237210 to see the max output lengths being tested for the respective vector sets.

smuellerDD commented 1 year ago

On Monday, 21 November 2022 at 18:25:29 CET, livebe01 wrote:

Hi livebe01,

> Hi, @smuellerDD, per Table 3 of the spec, messageLength is not a valid registration property for SHAKE.

Thanks for the note

> I'm not seeing the issue with the output length. See tcId 217 for 1237210 and tcId 197 for 1237210 to see the max output lengths being tested for the respective vector sets.

The request contains the outLen to be

"outputLen":[ { "min":1088, "max":10880, "increment":1088 } ]

but I see other outlens like 128 bits.

Ciao Stephan

livebe01 commented 1 year ago

Take a look at the Test Types and Test Coverage, the VOT bullet in particular.

smuellerDD commented 1 year ago

On Monday, 21 November 2022 at 19:10:44 CET, livebe01 wrote:

Hi livebe01,

> Take a look at the Test Types and Test Coverage, the VOT bullet in particular.

Yes, the VOT vectors do provide the right sizes. But the others do not. So, if you have a specific SHAKE use case where SHAKE is dedicated to this use case and will only generate output for this use case (e.g. in rate chunks), it will pass VOT, but fail AFT and MCT.

Ciao Stephan
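The two points made so far in this thread, that messageLength is not a SHAKE registration property (livebe01's Table 3 remark) and that an implementation restricted to its registered sizes passes VOT but fails AFT and MCT (the comment just above), replayed as an added example. This is not code from the ACVP-Server project or from either commenter. The registration domains are the SHAKE128 ones posted in the issue; the set of allowed SHAKE properties is my reading of the ACVP SHA3/SHAKE spec (the thread itself only establishes that messageLength is not among them); RestrictedShake is a hypothetical dedicated implementation built on hashlib; and the vector set, its tcIds, lengths and messages are constructed for this example in a simplified layout that only mimics the ACVP field names (real MCT cases are shaped differently).

```python
"""Added example (not ACVP-Server code): replay the observation in the thread.

A SHAKE implementation that supports only the input/output sizes it
registered is modelled as RestrictedShake.  A constructed vector set that
mimics ACVP field names (testType, tcId, msg, len, outLen) is run through
it and the rejections are tallied per test type.
"""
import hashlib

# Registration domains exactly as posted in the issue for SHAKE128; the
# increment, 1344 bits, is the SHAKE128 rate.
REGISTRATION = {
    "algorithm": "SHAKE-128",
    "revision": "1.0",
    "messageLength": [{"min": 1344, "max": 13440, "increment": 1344}],
    "outputLen": [{"min": 1344, "max": 13440, "increment": 1344}],
}

# Properties a SHAKE registration may carry, as I read the ACVP SHA3/SHAKE
# spec (assumption); the thread only establishes that messageLength is absent.
SHAKE_PROPERTIES = {"algorithm", "revision", "inBit", "inEmpty", "outBit", "outputLen"}

SHAKE = {"SHAKE-128": hashlib.shake_128, "SHAKE-256": hashlib.shake_256}


def unknown_properties(registration):
    """Registration keys that are not SHAKE properties (e.g. messageLength)."""
    return sorted(set(registration) - SHAKE_PROPERTIES)


def in_domain(value, domain):
    """True if value lies in one of the {min,max,increment} ranges of an ACVP domain."""
    return any(
        d["min"] <= value <= d["max"] and (value - d["min"]) % d["increment"] == 0
        for d in domain
    )


class RestrictedShake:
    """Hypothetical dedicated SHAKE: refuses sizes outside its registered domains."""

    def __init__(self, registration):
        self.shake = SHAKE[registration["algorithm"]]
        self.msg_domain = registration["messageLength"]
        self.out_domain = registration["outputLen"]

    def digest(self, msg: bytes, msg_len_bits: int, out_len_bits: int) -> bytes:
        if not in_domain(msg_len_bits, self.msg_domain):
            raise ValueError(f"unsupported message length {msg_len_bits}")
        if out_len_bits % 8 or not in_domain(out_len_bits, self.out_domain):
            raise ValueError(f"unsupported output length {out_len_bits}")
        return self.shake(msg).digest(out_len_bits // 8)


def run_vector_set(vector_set, registration):
    """Return {testType: ([passed tcIds], [rejected tcIds])} for one vector set."""
    impl = RestrictedShake(registration)
    report = {}
    for group in vector_set["testGroups"]:
        passed, rejected = report.setdefault(group["testType"], ([], []))
        for tc in group["tests"]:
            try:
                impl.digest(bytes.fromhex(tc["msg"]), tc["len"], tc["outLen"])
                passed.append(tc["tcId"])
            except ValueError:
                rejected.append(tc["tcId"])
    return report


def constructed_msg(bits):
    """Deterministic filler message of the given bit length (constructed input)."""
    return bytes([0x5A] * (bits // 8)).hex()


# Constructed vector set: tcIds, lengths and messages are made up for this example.
VECTOR_SET = {
    "vsId": 0,
    "algorithm": "SHAKE-128",
    "testGroups": [
        {"tgId": 1, "testType": "VOT", "tests": [
            {"tcId": 1, "msg": constructed_msg(1344), "len": 1344, "outLen": 1344},
            {"tcId": 2, "msg": constructed_msg(1344), "len": 1344, "outLen": 13440},
        ]},
        {"tgId": 2, "testType": "AFT", "tests": [
            {"tcId": 3, "msg": "", "len": 0, "outLen": 128},
            {"tcId": 4, "msg": constructed_msg(2688), "len": 2688, "outLen": 1344},
        ]},
        {"tgId": 3, "testType": "MCT", "tests": [
            {"tcId": 5, "msg": constructed_msg(128), "len": 128, "outLen": 1000},
        ]},
    ],
}


if __name__ == "__main__":
    print("properties the server will not accept for SHAKE:", unknown_properties(REGISTRATION))
    for test_type, (passed, rejected) in run_vector_set(VECTOR_SET, REGISTRATION).items():
        verdict = "pass" if not rejected else "FAIL"
        print(f"{test_type}: {verdict}  passed={passed} rejected={rejected}")
```

Run as is, it reports messageLength as the unrecognised property and VOT: pass, AFT: FAIL, MCT: FAIL, which is the situation described above. To repeat the check over real demo-server output, swap VECTOR_SET for the downloaded vector set's AFT and VOT groups and put the implementation under test behind RestrictedShake.digest; the tcIds it rejects are the ones that would fail with a size-restricted implementation.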

livebe01 commented 1 year ago

Sure, that makes sense @smuellerDD. Do you have such an implementation/such a need? @celic, do you have any additional thoughts on this case?

smuellerDD commented 1 year ago

On Tuesday, 22 November 2022 at 13:36:51 CET, livebe01 wrote:

Hi livebe01,

> Sure, that makes sense @smuellerDD. Do you have such an implementation/such a need? @celic, do you have any additional thoughts on this case?

I thought I had but then I found that the implementation has more freedom and I do not need the limitations.

But I am playing with Kyber and Dilithium, which internally use SHAKE128 and SHAKE256 for well-defined input/output sizes. The assembler implementations I play with are specially crafted with 4 pipelines for SIMD operations. I can fathom that vendors may further streamline such implementations so that they only support very special input/output sizes.

Ciao Stephan

livebe01 commented 1 year ago

That makes sense. Thanks @smuellerDD.