usnistgov / ACVP-Server

A repository tracking releases of NIST's ACVP server. See www.github.com/usnistgov/ACVP for the protocol.

ECDSA with SHAKE output length #349

Closed LikelyLee closed 1 month ago

LikelyLee commented 1 month ago
  1. SHAKE length used in ECDSA issue: When ECDSA uses SHAKE as the XOF algorithm, the hash output length does not follow the statement in FIPS 186-5 Section 6.4: "When SHAKE128 or SHAKE256 is used as an XOF in Sections 6.4.1 and 6.4.2 below, its output length shall be 256 or 512 bits, respectively."

Current situation:

Expected behavior:

  2. ECDSA and SHAKE combination issue: ECDSA siggen / sigver with P-384 and P-521 shall not be paired with SHAKE-128, since the output bits do not match the security strength. But now the ACVP server could request such a combination and validate the results.

livebe01 commented 1 month ago

Closing as a duplicate of https://github.com/usnistgov/ACVP-Server/issues/348
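The output-length rule quoted in the first comment, as an added example (not code from this issue or from ACVP-Server): it squeezes SHAKE at the FIPS 186-5 Section 6.4 lengths, applies the ECDSA leftmost-bits step for the curve order, and shows for which curve and XOF pairs a different output length changes the integer that gets signed. All function names are hypothetical, the message is constructed, and only whole-byte output lengths are handled.

```python
import hashlib

# Bit length of the group order n for the NIST prime curves.
ORDER_BITS = {"P-224": 224, "P-256": 256, "P-384": 384, "P-521": 521}

# Output lengths (bits) from the FIPS 186-5 Section 6.4 text quoted in the issue.
FIPS_XOF_BITS = {"SHAKE-128": 256, "SHAKE-256": 512}
XOF = {"SHAKE-128": hashlib.shake_128, "SHAKE-256": hashlib.shake_256}


def xof_digest(alg, message, out_bits=None):
    """SHAKE output at out_bits (default: the FIPS 186-5 length)."""
    out_bits = FIPS_XOF_BITS[alg] if out_bits is None else out_bits
    if out_bits % 8:
        raise ValueError("whole-byte output lengths only in this example")
    return XOF[alg](message).digest(out_bits // 8)


def hash_to_int(digest, order_bits):
    """ECDSA digest-to-integer step: keep the leftmost order_bits bits."""
    e = int.from_bytes(digest, "big")
    excess = len(digest) * 8 - order_bits
    return e >> excess if excess > 0 else e


def e_value(curve, alg, message, out_bits=None):
    """Integer e that ECDSA signs for this curve, XOF and output length."""
    return hash_to_int(xof_digest(alg, message, out_bits), ORDER_BITS[curve])


def length_matters(curve, alg, message, other_bits):
    """True if squeezing other_bits instead of the FIPS length changes e."""
    return e_value(curve, alg, message) != e_value(curve, alg, message, other_bits)


if __name__ == "__main__":
    msg = b"constructed sample message"  # constructed input, not an ACVP vector
    # (curve, XOF, alternative output length an implementation might pick)
    for curve, alg, other in [("P-256", "SHAKE-128", 128),
                              ("P-384", "SHAKE-256", 384),
                              ("P-521", "SHAKE-256", 528)]:
        print(curve, alg, other, length_matters(curve, alg, msg, other))
```

Because a shorter SHAKE output is a prefix of a longer one, an output-length mismatch is invisible whenever both lengths are at least the bit length of n (the P-384 row) and shows up only when one of them is shorter than n or the two fall on different sides of it.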