ECDSA with SHAKE128/SHAKE256 using truncated digests
SHAKE variants of the ECDSA signature algorithms appear to be using truncated digests.
We've found we can pass on demo by truncating SHAKE128 to 16 bytes and SHAKE256 to 32 bytes.
FIPS PUB 186-5 Section 6.4 states "An approved hash function or an XOF shall be used during the generation of digital signatures. Approved XOFs are SHAKE128 and SHAKE256, which are specified in FIPS 202. When SHAKE128 or SHAKE256 is used as an XOF in Sections 6.4.1 and 6.4.2 below, its output length shall be 256 or 512 bits, respectively."
I'm pasting in info from @LikelyLee below (see https://github.com/usnistgov/ACVP-Server/issues/349#issue-2427642629):
- SHAKE length used in ECDSA issue: ECDSA with SHAKE as XOF algorithm, the hash output length does not follow the statement in FIPS 186-5 Section 6.4: "When SHAKE128 or SHAKE256 is used as an XOF in Sections 6.4.1 and 6.4.2 below, its output length shall be 256 or 512 bits, respectively."

  Current situation:
  - For normal testing siggen / sigver: SHAKE-128 output 128 bits and SHAKE-256 output 256 bits, which could be successfully validated
  - For the component testing siggen / sigver: the "message" shall be first truncated to the leftmost 128 bits for SHAKE-128 and 256 bits for SHAKE-256, and then could be successfully validated

  Expected behavior:
  - For normal testing siggen / sigver: SHAKE-128 output 256 bits and SHAKE-256 output 512 bits, which could be successfully validated
  - For the component testing siggen / sigver: no truncation on the "message" to be successfully validated

- ECDSA and SHAKE combination issue: ECDSA siggen / sigver with P-384 and P-521 shall not be paired with SHAKE-128 since the output bits do not match the security strength. But now the ACVP server could request such a combination and validate the results.
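As an added illustration (not code from this issue or from the ACVP-Server project), the Python below computes the ECDSA message digest with SHAKE at the FIPS 186-5 output lengths, reproduces the halved pre-fix lengths for comparison, applies the hash-to-integer truncation step of FIPS 186-5 Section 6.4.1, and encodes the curve/XOF pairing rule described above. The security-strength table used for the pairing check is the editor's reading of the standard NIST strength figures, not a value stated in this thread.

```python
import hashlib

# FIPS 186-5 Section 6.4: required XOF output length when SHAKE is used in ECDSA.
XOF_OUTPUT_BITS = {"SHAKE128": 256, "SHAKE256": 512}

# Bit length of the group order n for the NIST prime curves (for the bits2int step).
CURVE_ORDER_BITS = {"P-224": 224, "P-256": 256, "P-384": 384, "P-521": 521}

# Security strengths (editor's assumption from standard NIST figures; not in the thread):
# SHAKE128 at 256-bit output ~128 bits, SHAKE256 at 512-bit output ~256 bits.
XOF_STRENGTH_BITS = {"SHAKE128": 128, "SHAKE256": 256}
CURVE_STRENGTH_BITS = {"P-224": 112, "P-256": 128, "P-384": 192, "P-521": 256}


def ecdsa_xof_digest(message: bytes, xof: str, truncated_bug: bool = False) -> bytes:
    """Return H for ECDSA with a SHAKE XOF at the FIPS 186-5 length.

    truncated_bug=True reproduces the pre-fix server behaviour reported in this
    issue: half the required output (128 bits for SHAKE128, 256 for SHAKE256).
    """
    out_bits = XOF_OUTPUT_BITS[xof]
    if truncated_bug:
        out_bits //= 2
    h = hashlib.shake_128() if xof == "SHAKE128" else hashlib.shake_256()
    h.update(message)
    return h.digest(out_bits // 8)


def hash_to_e(digest: bytes, curve: str) -> int:
    """FIPS 186-5 6.4.1: E = H if log2(n) >= outlen, else the leftmost log2(n) bits of H."""
    n_bits = CURVE_ORDER_BITS[curve]
    out_bits = len(digest) * 8
    e = int.from_bytes(digest, "big")
    if out_bits > n_bits:
        e >>= out_bits - n_bits  # keep only the leftmost n_bits bits
    return e


def pairing_allowed(curve: str, xof: str) -> bool:
    """Reject curve/XOF pairs where the XOF strength is below the curve strength
    (e.g. P-384 or P-521 with SHAKE128), as the issue requests the server should."""
    return XOF_STRENGTH_BITS[xof] >= CURVE_STRENGTH_BITS[curve]
```

Because SHAKE output is prefix-consistent, the buggy digest is exactly the leftmost half of the correct one, which is why the component tests in the thread passed once the "message" was truncated.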
Thanks for reporting this @dghgit and @LikelyLee. The output lengths for SHAKE and ECDSA were something we addressed in a previous release, but we appear to have reverted those changes. We'll get this fixed and deployed in a release as soon as possible.
Hi @dghgit, @LikelyLee, we just deployed the fix for this issue to Demo as part of the v1.1.0.36 release. Would either of you be able to test it to confirm? Thank you.
@livebe01 Confirmed, works for us! Thanks, David.
Great, thank you David!
The fix for this has been deployed to ACVTS Prod as part of the v1.1.0.36 release.