Add an optional capability for maximum exponent to RSA keyGen and sigVer

Open kwok-wong opened this issue 3 years ago • 2 comments

FIPS 186-4 does not specify a required length, or lengths, for the RSA public key exponent 'e'. CAVS, when random exponents were specified, historically produced values of 'e' up to 3 bytes in length. Several vendors have reported to us that their implementations only handle up to 4 bytes in length. ACVP, when random exponents are specified, seems to produce values of 'e' up to at least 7 bytes in length.

Request that ACVP add an optional capability to report the IUT's maximum supported public key exponent length (something like "pubExpMaxLen"). This could apply to KeyGen and SigVer tests when testing "random" exponents and would be the max length, in bits, the IUT supports for that random public key exponent 'e'.

kwok-wong, Nov 10 '20 22:11

Interesting suggestion. Unless the implementation is operating in a closed environment, how would it prevent someone else's public key from being outside that range? That's not something the module itself has access to for something like SigVer. It is understandable in KeyGen.

celic, Nov 12 '20 15:11

Presumably, if presented with a public key whose public exponent is out of the range it can handle, the IUT would have to report an error, and wouldn't be able to attempt to verify anything signed by the corresponding private key.

However, CAVP will validate an RSA implementation which uses only a single fixed public exponent, which is far more restrictive than an implementation that supports any exponent up to 4 bytes in length. That fixed exponent implementation would also be unable to verify signatures from keys that don't conform to its exponent restrictions.

Since FIPS 186-4 does not seem to require support for any particular public exponent, or length of public exponent, it seems vendors are free to set the limits of what they implement, whether a single fixed exponent, several fixed exponents, or maximum lengths of exponents. As such, it seems reasonable for CAVP to support as much flexibility as possible in validating whatever an RSA algorithm implementation may happen to support in the way of public exponents.

kwok-wong, Nov 12 '20 17:11
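The rejection behaviour discussed in this thread, as an added example that is not part of the issue or of ACVP: a SigVer-side check that refuses a public key whose exponent falls outside what the implementation supports, whether that is a fixed set of exponents or a maximum bit length. `ExponentPolicy`, `check_public_exponent` and the sample values are hypothetical; `pub_exp_max_len` mirrors the "pubExpMaxLen" name proposed above, which is a suggestion in this issue rather than an existing field.

```python
from dataclasses import dataclass
from typing import Optional

# FIPS 186-4 Appendix B.3.1: e is odd and 2^16 < e < 2^256.
FIPS_MIN_EXCLUSIVE = 1 << 16
FIPS_MAX_EXCLUSIVE = 1 << 256


@dataclass(frozen=True)
class ExponentPolicy:
    """What one implementation supports (hypothetical structure)."""
    fixed_exponents: Optional[frozenset] = None  # None means any e is considered
    pub_exp_max_len: Optional[int] = None        # max length of e in bits


def check_public_exponent(e_bytes: bytes, policy: ExponentPolicy) -> Optional[str]:
    """Return None if e is usable, otherwise the reason to reject the key."""
    # Big-endian decode; leading zero bytes do not add to the bit length.
    e = int.from_bytes(e_bytes, "big")
    if e % 2 == 0:
        return "even exponent"
    if not FIPS_MIN_EXCLUSIVE < e < FIPS_MAX_EXCLUSIVE:
        return "outside FIPS 186-4 range"
    if policy.fixed_exponents is not None and e not in policy.fixed_exponents:
        return "not a supported fixed exponent"
    if policy.pub_exp_max_len is not None and e.bit_length() > policy.pub_exp_max_len:
        return f"exponent is {e.bit_length()} bits, limit is {policy.pub_exp_max_len}"
    return None


# Constructed sample exponents (not taken from any test vector).
SAMPLES = {
    "f4": bytes.fromhex("010001"),                 # 65537, 17 bits
    "f4_padded": bytes.fromhex("0000000000010001"),  # same value, zero-padded
    "seven_byte": bytes.fromhex("01000000000001"),   # 2^48 + 1, 49 bits
    "too_small": bytes.fromhex("03"),
}

FOUR_BYTE_LIMIT = ExponentPolicy(pub_exp_max_len=32)
FIXED_ONLY = ExponentPolicy(fixed_exponents=frozenset({65537}))


def demo() -> dict:
    """Check every sample against the 4-byte-limit policy."""
    return {name: check_public_exponent(e, FOUR_BYTE_LIMIT) for name, e in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict or 'accepted'}")
```
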