| rfc9814v2.txt | rfc9814.txt | |||
|---|---|---|---|---|
| skipping to change at line 332 ¶ | skipping to change at line 332 ¶ | |||
| 4. Signed-Data Conventions | 4. Signed-Data Conventions | |||
| As specified in CMS [RFC5652], the digital signature is produced from | As specified in CMS [RFC5652], the digital signature is produced from | |||
| the message digest and the signer's private key. The signature is | the message digest and the signer's private key. The signature is | |||
| computed over different values depending on whether signed attributes | computed over different values depending on whether signed attributes | |||
| are absent or present. | are absent or present. | |||
| When signed attributes are absent, the SLH-DSA (pure mode) signature | When signed attributes are absent, the SLH-DSA (pure mode) signature | |||
| is computed over the content. When signed attributes are present, a | is computed over the content. When signed attributes are present, a | |||
| hash MUST be computed over the content using the same hash function | hash SHOULD be computed over the DER-encoded signed attributes using | |||
| that is used in the SLH-DSA tree. The signed attributes MUST include | the same hash function that is used in the SLH-DSA tree. The signed | |||
| a content-type attribute and a message-digest attribute. The | attributes MUST include a content-type attribute and a message-digest | |||
| message-digest attribute contains the hash value of the content. The | attribute. The message-digest attribute contains the hash value of | |||
| SLH-DSA signature is computed over the DER encoding of the set of | the content. The SLH-DSA signature is computed over the DER encoding | |||
| signed attributes. The SLH-DSA signature-generation operation is | of the set of signed attributes. The SLH-DSA signature-generation | |||
| called slh_sign; see Section 10.2.1 of [FIPS205]. In summary: | operation is called slh_sign; see Section 10.2.1 of [FIPS205]. In | |||
| summary: | ||||
| IF (signed attributes are absent) | IF (signed attributes are absent) | |||
| THEN slh_sign(content) | THEN slh_sign(content) | |||
| ELSE message-digest attribute = Hash(content); | ELSE signed attributes message-digest attribute = Hash(content); | |||
| slh_sign(DER(SignedAttributes)) | slh_sign(DER(SignedAttributes)) | |||
| In some implementations, performance may be significantly improved by | In some implementations, performance may be significantly improved by | |||
| signing and verifying DER(SignedAttributes) when the content is | signing and verifying DER(SignedAttributes) when the content is | |||
| large. That is, passing an entire large message content to the | large. That is, passing an entire large message content to the | |||
| signing function or the signature validation function can have an | signing function or the signature validation function can have an | |||
| impact on performance. When the signed attributes are present, | impact on performance. When the signed attributes are present, | |||
| Section 5.3 of [RFC5652] requires the inclusion of the content-type | Section 5.3 of [RFC5652] requires the inclusion of the content-type | |||
| attribute and the message-digest attribute. Other attributes can | attribute and the message-digest attribute. Other attributes can | |||
| also be included. | also be included. | |||
| When using SLH-DSA and signed attributes are present in the | When using SLH-DSA and signed attributes are present in the | |||
| SignerInfo, the digestAlgorithms field in the SignedData MUST include | SignerInfo, the digestAlgorithms field in the SignedData MUST include | |||
| the identifier for the one-way hash function used to compute the | the identifier for the one-way hash function used to compute the | |||
| message digest. | message digest. | |||
| When using SLH-DSA, the fields in the SignerInfo are used as follows: | When using SLH-DSA, the fields in the SignerInfo are used as follows: | |||
| digestAlgorithm: | digestAlgorithm: | |||
| The digestAlgorithm MUST identify a one-way hash function. When | The digestAlgorithm MUST identify a one-way hash function. When | |||
| signed attributes are absent, the digestAlgorithm identifier MUST | signed attributes are absent, the digestAlgorithm identifier | |||
| match the hash function used in the SLH-DSA tree (as shown in the | SHOULD match the hash function used in the SLH-DSA tree (as shown | |||
| list below). When signed attributes are present, to ensure | in the list below), and it does not have any significance as it is | |||
| collision resistance, the identified hash function MUST produce a | not used to pre-hash the message with SLH-DSA. When signed | |||
| hash value that is at least twice the size of the hash function | attributes are present, to ensure collision resistance, the | |||
| used in the SLH-DSA tree. The hash functions defined in [FIPS180] | identified hash function MUST produce a hash value that is at | |||
| and [FIPS202] MUST be supported for use with the variants of SLH- | least twice the size of the hash function used in the SLH-DSA | |||
| DSA as shown below: | tree. The hash functions defined in [FIPS180] and [FIPS202] MUST | |||
| be supported for use with the variants of SLH-DSA as shown below: | ||||
| id-slh-dsa-sha2-128s: SHA-256 | id-slh-dsa-sha2-128s: SHA-256 | |||
| id-slh-dsa-sha2-128f: SHA-256 | id-slh-dsa-sha2-128f: SHA-256 | |||
| id-slh-dsa-sha2-192s: SHA-512 | id-slh-dsa-sha2-192s: SHA-512 | |||
| id-slh-dsa-sha2-192f: SHA-512 | id-slh-dsa-sha2-192f: SHA-512 | |||
| id-slh-dsa-sha2-256s: SHA-512 | id-slh-dsa-sha2-256s: SHA-512 | |||
| id-slh-dsa-sha2-256f: SHA-512 | id-slh-dsa-sha2-256f: SHA-512 | |||
| id-slh-dsa-shake-128s: SHAKE128 with 256-bit output | id-slh-dsa-shake-128s: SHAKE128 with 256-bit output | |||
| id-slh-dsa-shake-128f: SHAKE128 with 256-bit output | id-slh-dsa-shake-128f: SHAKE128 with 256-bit output | |||
| id-slh-dsa-shake-192s: SHAKE256 with 512-bit output | id-slh-dsa-shake-192s: SHAKE256 with 512-bit output | |||
| End of changes. 3 change blocks. | ||||
| 16 lines changed or deleted | 18 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||