ECDSA/sigVer/sigGen wrong XOF length used with SHAKE-128/SHAKE-256 #301
Comments
|
Can you please confirm or reject this? |
|
Hi @szendros @sandor-szendro-i4p, just a note that we're actively looking at and working on this issue. |
|
The fix for this is on Demo in release v1.1.0.34. |
|
Hi @livebe01 and thanks for the notification However I did a test run on the Demo environment today and the result was the same: Are you sure this fix is on the Demo server? the test run's testSessionID was 500004 |
|
@szendros - Yes, I will look into it, ty. |
|
We're seeing this as well - the following from a SIGVer test with "vsId": 2287576, SHAKE-128 for P224. This does pass (which appears to be expected) if the SHAKE output is truncated to 16 bytes instead of being 32. |
|
The fix for this issue is now on Demo as of today's hotfix deployment. |
|
Would it also be possible to update the test vectors? e.g. |
|
I can confirm the fix in the Demo environment. |
Hi @slontis, this issue is for ECDSA/sigVer/sigGen. Are you saying that the sample test vectors for ECDSA/sigVer/sigGen need to be updated? Or is it that the RSA sigVer samples need to be updated? Thank you. |
|
Sorry, I meant the ECDSA test vectors. I assume they are incorrect if they were generated without this fix. |
|
Good call, I'll update them today, appreciated. |
Hi @slontis, I can confirm that the test vectors were updated/generated with this fix. Unfortunately, the internal commit history seems to get lost when we push the code/files from our internally hosted code repository to GitHub, but you can see that the prompt, expectedResults, and internalProjection files were updated as of the hotfix for v1.1.0.34 that was deployed to Demo last week. See here: https://github.com/usnistgov/ACVP-Server/tree/master/gen-val/json-files/ECDSA-SigGen-FIPS186-5. |
|
The fix for this is now on Prod as part of the v1.1.0.34 release. |
environment
Demo
testSessionId
462560
vsId
2006870
Algorithm registration
"algorithm":"ECDSA",
"mode":"sigVer",
"revision":"FIPS186-5",
"componentTest":false,
"capabilities":[
{
"curve":[
"P-224",
"P-256",
"P-384",
"P-521"
],
"hashAlg":[
"SHA2-224",
"SHA2-256",
"SHA2-384",
"SHA2-512",
"SHA3-224",
"SHA3-256",
"SHA3-384",
"SHA3-512",
"SHAKE-128",
"SHAKE-256"
]
}
Endpoint in which the error is experienced
https://demo.acvts.nist.gov/acvp/v1/testSessions GET
Expected behavior
For ECDSA/sigVer when hashAlg is SHAKE-128 / SHAKE-256 the expected results returned by ACVP server is calculated with the XOF length of 16 / 32 bytes instead of 32 and 64 bytes.
This also applies to ECDSA/sigGen as well.
For example :
"tgId": 9,
"testType": "AFT",
"componentTest": false,
"curve": "P-224",
"hashAlg": "SHAKE-128",
{
"tcId": 62,
"message": "CF9D6EA7D7B7703552B3B37F3DBD8BAF29CE59F5B2CCFD3ECC41AF14570CFA1DC48252BC823A9C2581253B38CAB2A0C79617F0DC8A668E225AF0E274DCF15A8EEB7E31DE8521C61AAAE35C41EF572FAEB58B06B29BE59BF560D8DE48544608DD672B8FFA6056539CC98CC2265CEFFB383937BBE5CFC2B97A789234D9BE90A66C",
"qx": "6BC5DF751BA4B84F003BE8B5D3040AEE25AC5B7160EE9BA478484627",
"qy": "E99462FA46ABC8BA83CBECDABC9C52BD383DB911D17EE8F28CC4FD2B",
"r": "8D97A315D570CE28C76C65A970E8CAAEB90DD479F31B3AFF7595BBE9",
"s": "F62FB523CDF04994F72869B8284F0579A83259048C8B9F4348891633"
},
The expectation says this signature is valid.
This vector will only be valid with the XOF len = 16 bytes, but XOF len of 32 bytes should be used.
Additional context
According to FIPS 186-6.4 ECDSA Digital Signature Generation and Verification
When SHAKE128 or SHAKE256 is used as an XOF in Sections 6.4.1 and 6.4.2 below, its output
length shall be 256 or 512 bits, respectively.
It seem like on the ACVP Server 16 / 32 bytes are used.
This issue seems similar to #277
The text was updated successfully, but these errors were encountered: