From 4b75eb552f07ce61aa17f150782c17fd5117552d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?John=20Preu=C3=9F=20Mattsson?= Date: Sat, 16 Mar 2024 18:56:39 +1000 Subject: [PATCH] Larger output sizes with KMAC As pointed out by Danny Niu: "Note that for the P-521 instance, 521 bits are needed". #2 If Hedged ECDSA is used with P-521 and SHAKE, step h would need to be repeated several times, i.e., several KMAC invocations. The new text optimizes the use of KMAC. --- draft-irtf-cfrg-det-sigs-with-noise.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-irtf-cfrg-det-sigs-with-noise.md b/draft-irtf-cfrg-det-sigs-with-noise.md index 46cc8cd..70e88c8 100644 --- a/draft-irtf-cfrg-det-sigs-with-noise.md +++ b/draft-irtf-cfrg-det-sigs-with-noise.md @@ -517,7 +517,7 @@ f. Set: called provided_data in HMAC_DRBG, is the same as in step (d). ~~~~~~~~~~~~~~~~~~~~~~~ -When ECDSA is used with SHAKE {{SHA3}} the HMAC construction above MAY be used but it is RECOMMENDED to use the more efficient KMAC construction {{KMAC}}. SHAKE is a variable-length hash function defined as SHAKE(M, d) where the output is a d-bits-long digest of message M. When ECDSA is used with SHAKE128(M, d), it is RECOMMENDED to replace HMAC(K, M) with KMAC128(K, M, d, ""). When ECDSA is used with SHAKE256(M, d), it is RECOMMENDED to replace HMAC(K, M) with KMAC256(K, M, d, ""). {{RFC8692}} and {{FIPS-186-5}} define the use of SHAKE128 with an output length of 256 bits and SHAKE256 with an output length or 512 bits. +When ECDSA is used with SHAKE {{SHA3}} the HMAC construction above MAY be used but it is RECOMMENDED to use the more efficient KMAC construction {{KMAC}}. SHAKE is a variable-length hash function defined as SHAKE(M, d) where the output is a d-bits-long digest of message M. When ECDSA is used with SHAKE128(M, d), it is RECOMMENDED to replace HMAC(K, M) with KMAC128(K, M, d2, ""), where d2 = max(d, qlen). When ECDSA is used with SHAKE256(M, d), it is RECOMMENDED to replace HMAC(K, M) with KMAC256(K, M, d2, ""), where d2 = max(d, qlen). {{RFC8692}} and {{FIPS-186-5}} define the use of SHAKE128 with an output length of 256 bits and SHAKE256 with an output length or 512 bits. In new deployments, where side-channel and fault injection attacks are a concern, EdDSA with additional randomness as specified in {{SecEdDSA}} is RECOMMENDED.