RSA KeyGen modulus sizes

[jvdsn]

According the server code: https://github.com/usnistgov/ACVP-Server/blob/master/gen-val/src/crypto/src/NIST.CVP.ACVTS.Libraries.Crypto.Common/Asymmetric/RSA/PrimeGenerators/PrimeGeneratorGuard.cs#L14 public static int[] ValidModulusFips186_5 = { 2048, 3072, 4096, 6144, 8192, 15360 };

However, the protocol specification says only 2048, 3072, 4096, and 8192 are supported: https://github.com/usnistgov/ACVP/blob/master/src/rsa/sections/05-keygen-capabilities.adoc#property-registration-rsa-keygen-fips186-5

1. 15360 is a strange modulus size. Should this be 8192 * 2 = 16384?
2. Can the protocol specification be updated to reflect the sizes supported by the server?

[celic]

We use the same PrimeGenerator for KAS-IFC where this value may appear. After diving a bit deeper it seems that we tested RSA Key Generation internally a bit at 15360 which is a commonly used RSA modulus size before testing with 16384. The runtime of 15360 was not desirable for our testing and would not offer different assurances than the ones received with 8192-bit keys.

15360 may not be more common than 16384, but it is used.

See https://github.com/usnistgov/ACVP-Server/blob/master/gen-val/src/crypto/src/NIST.CVP.ACVTS.Libraries.Crypto.Common/KAS/Helpers/ParameterSetDetails.cs#L55 for where the modulus sizes for KAS-IFC are defined. 15360 is left off the list.

[livebe01]

FWIW, 15360 is also an interesting value in that it's the size associated w/ the 256-bit security strength in Table 2 of SP 800-57pt1r5.

[livebe01]

FYI, we plan to remove support for the 15360 modulus from ACVTS in a hotfix next week. The runtimes involved are too high.

[jvdsn]

Thanks for the heads-up.