1<?xml version='1.0' encoding='utf-8'?>
2<!-- This template is for creating an Internet Draft using xml2rfc,
3     which is available here: http://xml.resource.org. -->
4<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent" [
5<!-- One method to get references from the online citation libraries.
6     There has to be one entity for each item to be referenced. 
7     An alternate method (rfc include) is described in the references. --><!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
8<!ENTITY RFC3279 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3279.xml">
9<!-- <!ENTITY RFC3280 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3280.xml"> --><!ENTITY RFC4055 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4055.xml">
10<!-- <!ENTITY RFC4086 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4086.xml"> --><!ENTITY RFC5280 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5280.xml">
11<!ENTITY RFC5480 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5480.xml">
12<!ENTITY RFC5912 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5912.xml">
13<!ENTITY RFC6979 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6979.xml">
14<!ENTITY RFC8017 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8017.xml">
15<!ENTITY RFC8174 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8174.xml">
16<!ENTITY I-D.draft-josefsson-pkix-eddsa SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml-ids/reference.I-D.draft-josefsson-pkix-eddsa-04.xml">
17]>
18<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
19<!-- used by XSLT processors -->
20<!-- For a complete list and description of processing instructions (PIs), 
21     please see http://xml.resource.org/authoring/README.html. -->
22<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use.
23     (Here they are set differently than their defaults in xml2rfc v1.32) -->
24<?rfc strict="yes" ?>
25<!-- give errors regarding ID-nits and DTD validation -->
26<!-- control the table of contents (ToC) -->
27<?rfc toc="yes"?>
28<!-- generate a ToC -->
29<?rfc tocdepth="4"?>
30<!-- the number of levels of subsections in ToC. default: 3 -->
31<!-- control references -->
32<?rfc symrefs="yes"?>
33<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
34<?rfc sortrefs="yes" ?>
35<!-- sort the reference entries alphabetically -->
36<!-- control vertical white space 
37     (using these PIs as follows is recommended by the RFC Editor) -->
38<?rfc compact="yes" ?>
39<!-- do not start each main section on a new page -->
40<?rfc subcompact="no" ?>
41<!-- keep one blank line between list items -->
42<!-- end of list of popular I-D processing instructions -->
43<rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" docName="draft-ietf-lamps-pkix-shake-15" ipr="trust200902" updates="3279" obsoletes="" submissionType="IETF" xml:lang="en" version="3">
44  <!-- xml2rfc v2v3 conversion 2.23.1 -->
45  <!-- category values: std, bcp, info, exp, and historic
46     ipr="full3978" (probably old)
47     ipr values: full3667, noModification3667, noDerivatives3667
48     you can add the attributes updates="NNNN" and obsoletes="NNNN" 
49     they will automatically be output with "(if approved)" -->
50  <!-- ***** FRONT MATTER ***** -->
51  <front>
52    <!-- The abbreviated title is used in the page header - it is only necessary if the 
53         full title is longer than 39 characters -->
54    <title abbrev="SHAKE identifiers in X.509">Internet X.509 Public Key Infrastructure: Additional Algorithm Identifiers for RSASSA-PSS and ECDSA using SHAKEs</title>
55    <seriesInfo name="Internet-Draft" value="draft-ietf-lamps-pkix-shake-15"/>
56    <!-- add 'role="editor"' below for the editors if appropriate -->
57    <author fullname="Panos Kampanakis" initials="P.K." surname="Kampanakis">
58      <organization>Cisco Systems</organization>
59      <address>
60        <email>pkampana@cisco.com</email>
61      </address>
62    </author>
63    <author fullname="Quynh Dang" initials="Q.D." surname="Dang">
64      <organization>NIST</organization>
65      <address>
66        <postal>
67          <street>100 Bureau Drive, Stop 8930</street>
68          <city>Gaithersburg</city>
69          <region>MD</region>
70          <code>20899-8930</code>
71          <country>USA</country>
72        </postal>
73        <!-- <phone>+44 7889 488 335</phone> -->
74        <email>quynh.dang@nist.gov</email>
75        <!-- uri and facsimile elements may also be added -->
76      </address>
77    </author>
78    <!-- <author fullname="Sean Turner" initials="S.T."
79            surname="Turner">
80      <organization>sn3rd</organization>
81      <address>
82        <postal>
83          <street></street>
84          <city>Soham</city>
85          <region></region>
86          <code></code>
87          <country>UK</country>
88        </postal>
89        <phone>+44 7889 488 335</phone>
90        <email>sean@sn3rd.com</email> 
91      </address>
92    </author> -->
93    <date year="2019"/>
94    <!-- If the month and year are both specified and are the current ones, xml2rfc will fill 
95         in the current day for you. If only the current year is specified, xml2rfc will fill 
96  in the current day and month for you. If the year is not the current one, it is 
97  necessary to specify at least a month (xml2rfc assumes day="1" if not specified for the 
98  purpose of calculating the expiry date).  With drafts it is normally sufficient to 
99  specify just the year. -->
100    <!-- Meta-data Declarations -->
101    <area>General</area>
102    <workgroup>LAMPS WG</workgroup>
103    <!-- WG name at the upperleft corner of the doc,
104         IETF is fine for individual submissions.  
105  If this element is not present, the default is "Network Working Group",
106         which is used by the RFC Editor as a nod to the history of the IETF. -->
107    <!-- <keyword>template</keyword> -->
108    <!-- Keywords will be incorporated into HTML output
109         files in a meta tag but they have no effect on text or nroff
110         output. If you submit your draft to the RFC Editor, the
111         keywords will be used for the searPKIch engine. -->
112    <abstract>
113      <t>Digital signatures are used to sign messages, X.509 
114   certificates and CRLs. This document updates the 
115   "Algorithms and Identifiers for the Internet 
116   X.509 Public Key Infrastructure Certificate and 
117   Certificate Revocation List Profile" (RFC3279)
118   and describes the conventions for using the SHAKE function 
119   family in Internet X.509 certificates and revocation lists 
120   as one-way hash functions with the RSA Probabilistic signature 
121   and ECDSA signature algorithms. The conventions for the 
122   associated subject public keys are also described.</t>
123    </abstract>
124  </front>
125  <middle>
126    <section numbered="true" toc="default">
127      <name>Introduction</name>
128      <t><xref target="RFC3279" format="default"/> defines cryptographic algorithm 
129   identifiers for the Internet X.509 Certificate and Certificate Revocation 
130   Lists (CRL) profile <xref target="RFC5280" format="default"/>. This document updates RFC3279 
131   and defines identifiers for several cryptographic algorithms that use 
132   variable length output SHAKE functions introduced in <xref target="SHA3" format="default"/> 
133   which can be used with . </t>
134      <t>In the SHA-3 family, two extendable-output functions (SHAKEs),  
135   SHAKE128 and SHAKE256, are defined. Four other hash function instances, SHA3-224, SHA3-256, 
136   SHA3-384, and SHA3-512, are also defined but are out of scope for this document. 
137   A SHAKE is a variable length hash function defined as SHAKE(M, d) where the 
138   output is a d-bits-long digest of message M. The corresponding collision and  second-preimage-resistance strengths for SHAKE128 are min(d/2,128) and min(d,128) 
139   bits, respectively (Appendix A.1 <xref target="SHA3" format="default"/>). 
140   And the corresponding collision and second-preimage-resistance strengths for SHAKE256 
141   are min(d/2,256) and min(d,256) bits, respectively.</t>
142      <t>A SHAKE can be used as the message digest function (to hash the message to be signed) 
143   in RSASSA-PSS <xref target="RFC8017" format="default"/> and ECDSA <xref target="X9.62" format="default"/> 
144      and as the hash in the mask generation function (MGF) in RSASSA-PSS. 
145   <!-- This specification describes the identifiers for SHAKEs to be used in X.509 and their 
146   meaning.--> </t>
147    </section>
148    <!-- This PI places the pagebreak correctly (before the section title) in the text output. -->
149    <section anchor="terminology" numbered="true" toc="default">
150      <name>Terminology</name>
151      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL 
152      NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
153      "MAY", and "OPTIONAL" in this document are to be interpreted as
154      described in BCP 14 <xref target="RFC2119" format="default"/> <xref target="RFC8174" format="default"/> 
155      when, and only when, they appear in all capitals, as shown here.</t>
156    </section>
157    <!-- Terminology -->
158    <section anchor="oids" numbered="true" toc="default">
159      <name>Identifiers</name>
160      <!-- Commention out the below OIDs as they are no longer pertinent for the below public keys and sigs -->
161      <!-- The Object Identifiers (OIDs) for these two hash functions are defined in 
162   <xref target="shake-nist-oids"/> and are included here for convenience: </t>
163      
164   <t><figure><artwork><![CDATA[
165  id-shake128-len OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
166 country(16) us(840) organization(1) gov(101) csor(3)
167 nistalgorithm(4) hashalgs(2) 17 } 
168
169  ShakeOutputLen ::= INTEGER - - Output length in octets
170]]></artwork></figure></t>
171   <t>When using the id-shake128-len algorithm identifier, the parameters 
172   MUST be present, and they MUST employ the ShakeOutputLen -->
173      <!-- "MUST employ syntax borrowed from RFC4055 -->
174      <!-- syntax that contains an encoded positive integer value at least 32  
175   in this specification.</t>
176   <t><figure><artwork><![CDATA[
177  id-shake256-len OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
178 country(16) us(840) organization(1) gov(101) csor(3)
179 nistalgorithm(4) hashalgs(2) 18 }   
180
181  ShakeOutputLen ::= INTEGER - - Output length in octets
182]]></artwork></figure></t>
183   <t>When using the id-shake256-len algorithm identifier, the parameters 
184   MUST be present, and they MUST employ the ShakeOutputLen -->
185      <!-- "MUST employ syntax borrowed from RFC4055 -->
186      <!-- syntax that contains an encoded positive integer value at least 64 
187   in this specification.</t> -->
188      <t>This section defines four new object identifiers (OIDs), for RSASSA-PSS and ECDSA with each 
189   of SHAKE128 and SHAKE256. The same algorithm identifiers can be  
190   used for identifying a public key in RSASSA-PSS.</t>
191      <t>The new identifiers for RSASSA-PSS signatures using SHAKEs are below.</t>
192      <artwork name="" type="" align="left" alt=""><![CDATA[
193  id-RSASSA-PSS-SHAKE128  OBJECT IDENTIFIER  ::=  { iso(1) 
194            identified-organization(3) dod(6) internet(1) 
195            security(5) mechanisms(5) pkix(7) algorithms(6)
196            TBD1 }
197
198  id-RSASSA-PSS-SHAKE256  OBJECT IDENTIFIER  ::=  { iso(1) 
199            identified-organization(3) dod(6) internet(1) 
200            security(5) mechanisms(5) pkix(7) algorithms(6)
201            TBD2 }
202]]></artwork>
203      <t>The new algorithm identifiers of ECDSA signatures using SHAKEs are below.</t>
204      <ul empty="true" spacing="normal">
205        <li>
206          <artwork name="" type="" align="left" alt=""><![CDATA[
207  id-ecdsa-with-shake128 OBJECT IDENTIFIER  ::=  { iso(1) 
208            identified-organization(3) dod(6) internet(1) 
209            security(5) mechanisms(5) pkix(7) algorithms(6)
210            TBD3 }            
211
212  id-ecdsa-with-shake256 OBJECT IDENTIFIER  ::=  { iso(1) 
213            identified-organization(3) dod(6) internet(1) 
214            security(5) mechanisms(5) pkix(7) algorithms(6)
215            TBD4 }
216]]></artwork>
217        </li>
218      </ul>
219      <!-- <xref target="RFC8017"/>, but we include it here as well for convenience:</t>
220   <t><figure><artwork><![CDATA[
221   id-mgf1  OBJECT IDENTIFIER  ::=  { pkcs-1 8 }
222]]></artwork></figure>-->
223      <!-- <t>The parameters field associated with id-mgf1 MUST have a hashAlgorithm value that identifies 
224   the hash used with MGF1. To use SHAKE as this hash, this parameter MUST be 
225   id-shake128-len or id-shake256-len as specified in <xref target="xofs" /> above. </t>-->
226      <t>The parameters for the four identifiers above MUST be absent. That is, 
227   the identifier SHALL be a SEQUENCE of one component, the OID.</t>
228      <t><xref target="rsa-sigs" format="default"/> and <xref target="ecdsa-sigs" format="default"/> specify the required output length 
229   for each use of SHAKE128 or SHAKE256 in RSASSA-PSS and ECDSA. In summary, when hashing messages
230      to be signed, output lengths of SHAKE128 and SHAKE256 are 256 and 512 bits respectively. 
231   When the SHAKEs are used as mask generation functions RSASSA-PSS, their output length is 
232   (8*ceil((n-1)/8) - 264) or (8*ceil((n-1)/8) - 520) bits, respectively, where n is the RSA modulus size in bits.</t>
233    </section>
234    <section numbered="true" toc="default">
235      <name>Use in PKIX</name>
236      <section anchor="sigs" numbered="true" toc="default">
237        <name>Signatures</name>
238        <t>Signatures are used in a number of different ASN.1 structures.
239        As shown in the ASN.1 representation from <xref target="RFC5280" format="default"/> 
240 below, in an X.509 certificate, a signature is encoded with an 
241 algorithm identifier in the signatureAlgorithm attribute and 
242 a signatureValue attribute that contains the actual signature.  
243        </t>
244        <artwork name="" type="" align="left" alt=""><![CDATA[
245   Certificate  ::=  SEQUENCE  {
246      tbsCertificate       TBSCertificate,
247      signatureAlgorithm   AlgorithmIdentifier,
248      signatureValue       BIT STRING  }
249]]></artwork>
250        <t>The identifiers defined in <xref target="oids" format="default"/> can be used 
251 as the AlgorithmIdentifier in the signatureAlgorithm field in the sequence 
252 Certificate and the signature field in the sequence TBSCertificate in X.509  
253 <xref target="RFC5280" format="default"/>. 
254 The parameters of these signature algorithms are absent as explained 
255 in <xref target="oids" format="default"/>.</t>
256        <t>Conforming CA implementations MUST specify the algorithms  
257 explicitly by using the OIDs specified in <xref target="oids" format="default"/> when 
258 encoding RSASSA-PSS or ECDSA with SHAKE signatures 
259 in certificates and CRLs.
260 Conforming client implementations that process certificates and CRLs 
261 using RSASSA-PSS or ECDSA with SHAKE MUST recognize the corresponding OIDs.
262 Encoding rules for RSASSA-PSS and ECDSA 
263 signature values are specified in <xref target="RFC4055" format="default"/> and 
264 <xref target="RFC5480" format="default"/>, respectively.</t>
265        <t>When using RSASSA-PSS or ECDSA with SHAKEs, the RSA modulus and ECDSA 
266 curve order SHOULD be chosen in line with the SHAKE output length. 
267 Refer to <xref target="Security" format="default"/> for more details.</t>
268        <section anchor="rsa-sigs" numbered="true" toc="default">
269          <name>RSASSA-PSS Signatures</name>
270          <t>The RSASSA-PSS algorithm is defined in <xref target="RFC8017" format="default"/>. 
271   When id-RSASSA-PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 specified in <xref target="oids" format="default"/> 
272   is used, the encoding MUST omit the parameters field. That is, 
273   the AlgorithmIdentifier SHALL be a SEQUENCE of one component,  
274   id-RSASSA-PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256. <xref target="RFC4055" format="default"/>
275   defines RSASSA-PSS-params that are used to define the algorithms and inputs 
276   to the algorithm. This specification does not use parameters because the 
277   hash, mask generation algorithm, trailer and salt are embedded in 
278   the OID definition.</t>
279          <t>The hash algorithm to hash a message being signed and the hash algorithm used as the
280   mask generation function <!-- "MGF(H, emLen - hLen - 1)" <xref target="RFC8017"/> -->
281   in RSASSA-PSS MUST be the same: both SHAKE128 or both SHAKE256. The 
282   output length of the hash algorithm which hashes the message SHALL be 32 
283   (for SHAKE128) or 64 bytes (for SHAKE256). </t>
284          <t>The mask generation function takes an octet string of variable length and
285   a desired output length as input, and outputs an octet 
286   string of the desired length. In RSASSA-PSS with SHAKEs, the SHAKEs MUST be 
287   used natively as the MGF function, instead of the MGF1 algorithm that uses 
288   the hash function in multiple iterations as specified in Section B.2.1 of 
289   <xref target="RFC8017" format="default"/>. In other words, the MGF is defined as 
290   <!-- <t><figure><artwork><![CDATA[
291    SHAKE128(mgfSeed, maskLen) 
292]]></artwork></figure>
293          and 
294          <figure><artwork><![CDATA[
295    SHAKE256(mgfSeed, maskLen)
296]]></artwork></figure></t> --> 
297          the SHAKE128 or SHAKE256 output of the mgfSeed for id-RSASSA-PSS-SHAKE128 and 
298   id-RSASSA-PSS-SHAKE256, respectively. The mgfSeed is the seed 
299   from which mask is generated, an octet string <xref target="RFC8017" format="default"/>.   
300   As explained in Step 9 of section 9.1.1 of <xref target="RFC8017" format="default"/>, the output 
301   length of the MGF is emLen - hLen - 1 bytes. emLen is the maximum message 
302   length ceil((n-1)/8), where n is the RSA modulus in bits. hLen is 32 and 
303   64-bytes for id-RSASSA-PSS-SHAKE128 and id-RSASSA-PSS-SHAKE256, respectively. 
304   Thus when SHAKE is used as the MGF, the SHAKE output length maskLen is 
305   (8*emLen - 264) or (8*emLen - 520) bits, respectively. For example, when RSA modulus n is 2048, 
306   the output length of SHAKE128 or SHAKE256 as the MGF will be 1784 or 1528-bits 
307   when id-RSASSA-PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 is used, respectively. </t>
308          <t>The RSASSA-PSS saltLength MUST be 32 bytes for id-RSASSA-PSS-SHAKE128 
309   or 64 bytes for id-RSASSA-PSS-SHAKE256. 
310   Finally, the trailerField MUST be 1, which represents 
311   the trailer field with hexadecimal value 0xBC <xref target="RFC8017" format="default"/>.</t>
312          <!-- <t><figure><artwork><![CDATA[
313   id-RSASSA-PSS  OBJECT IDENTIFIER  ::=  { pkcs-1 k }
314
315   RSASSA-PSS-params  ::=  SEQUENCE  {
316         hashAlgorithm      HashAlgorithm, 
317         maskGenAlgorithm   MaskGenAlgorithm, 
318         saltLength         INTEGER, 
319         trailerField       INTEGER }
320]]></artwork></figure></t> -->
321          <!-- <section title="EdDSA with SHAKE">
322          <t>[ EDNOTE: For the group to decide: pre-hash version or non-prehash version EdDSAs. PureEdDSA, the pre-hashed version of EdDSA, as currently also proposed in draft-ietf-curdle-cms-eddsa-signatures mandates the hash function as SHA512 for Ed25519 and SHAKE256(x,64) for Ed448. The HashEdDSA version of EdDSA does not define the hash. It is up to the WG to go the Pre-hash route which would require an OID that contained the hash. ] </t>
323   <t>
324      <list>
325    <t><figure><artwork><![CDATA[
326id-eddsa-with-shake128 OBJECT IDENTIFIER ::= { }
327]]></artwork></figure></t>
328    <t><figure><artwork><![CDATA[
329id-eddsa-with-shake256 OBJECT IDENTIFIER ::= {  }
330]]></artwork></figure></t>
331    </list></t>
332        </section> -->
333        </section>
334        <section anchor="ecdsa-sigs" numbered="true" toc="default">
335          <name>ECDSA Signatures</name>
336          <t>The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in 
337       <xref target="X9.62" format="default"/>. When the id-ecdsa-with-shake128 or id-ecdsa-with-shake256
338   (specified in <xref target="oids" format="default"/>) algorithm identifier appears, the respective SHAKE 
339   function (SHAKE128 or SHAKE256) is used as the hash. 
340   The encoding MUST omit the parameters field. That is, the AlgorithmIdentifier 
341   SHALL be a SEQUENCE of one component, the OID id-ecdsa-with-shake128 or 
342   id-ecdsa-with-shake256.</t>
343          <t>For simplicity and compliance with the ECDSA standard specification, 
344       the output length of the hash function must be explicitly determined. The 
345       output length, d, for SHAKE128 or SHAKE256 used in ECDSA MUST be 256 or 512  
346   bits, respectively. </t>
347          <t>Conforming CA implementations that generate ECDSA with SHAKE signatures 
348   in certificates or CRLs SHOULD generate such signatures with a 
349   deterministically generated, non-random k in accordance with all 
350   the requirements specified in <xref target="RFC6979" format="default"/>. 
351   <!-- Sections 7.2 and 7.3 of 
352   <xref target="X9.62"/> or with all the requirements specified in Section 
353   4.1.3 of <xref target="SEC1"/>. -->
354   They MAY also generate such signatures 
355   in accordance with all other recommendations in <xref target="X9.62" format="default"/> or 
356   <xref target="SEC1" format="default"/> if they have a stated policy that requires 
357   conformance to those standards. Those standards have not specified  
358   SHAKE128 and SHAKE256 as hash algorithm options. However, SHAKE128 and 
359   SHAKE256 with output length being 32 and 64 octets, respectively, can  
360   be used instead of 256 and 512-bit output hash algorithms such as SHA256 
361   and SHA512.</t>
362          <!-- <t>In Section 3.2 "Generation of k" of <xref target="RFC6979"/>, HMAC is used to derive 
363   the deterministic k. Conforming implementations that generate deterministic 
364   ECDSA with SHAKE signatures in X.509 MUST use KMAC with SHAKE128 or KMAC with 
365   SHAKE256 as specfied in <xref target="SP800-185"/> when SHAKE128 or SHAKE256 is 
366   used as the message hashing algorithm, respectively. In this situation, KMAC with 
367   SHAKE128 and KMAC with SHAKE256 have 256-bit and 512-bit outputs respectively, 
368   and the optional customization bit string S is an empty string.</t> -->
369        </section>
370      </section>
371      <section numbered="true" toc="default">
372        <name>Public Keys</name>
373        <t>Certificates conforming to <xref target="RFC5280" format="default"/> can convey a 
374 public key for any public key algorithm. The certificate indicates 
375 the public key algorithm through an algorithm identifier. This algorithm 
376 identifier is an OID and optionally associated parameters.
377 The conventions and encoding for RSASSA-PSS and ECDSA <!-- and EdDSA --> 
378 public keys algorithm identifiers are as specified in 
379 Section 2.3.1 and 2.3.5 of <xref target="RFC3279" format="default"/>, 
380 Section 3.1 of <xref target="RFC4055" format="default"/> 
381 and Section 2.1 of <xref target="RFC5480" format="default"/>.
382 <!-- and <xref target="I-D.josefsson-pkix-eddsa"/>-->
383        </t>
384        <t>Traditionally, the rsaEncryption object identifier is used to
385 identify RSA public keys. The rsaEncryption object identifier 
386 continues to identify the subject public key when the RSA private 
387 key owner does not wish to limit the use of the public key 
388 exclusively to RSASSA-PSS with SHAKEs. When the RSA private 
389 key owner wishes to limit the use of the public key exclusively 
390 to RSASSA-PSS with SHAKEs, the AlgorithmIdentifiers for 
391 RSASSA-PSS defined in <xref target="oids" format="default"/> SHOULD be used as the algorithm 
392 field in the SubjectPublicKeyInfo sequence <xref target="RFC5280" format="default"/>. 
393 Conforming client implementations that process RSASSA-PSS 
394 with SHAKE public keys when processing certificates and CRLs MUST 
395 recognize the corresponding OIDs. </t>
396        <t>Conforming CA implementations MUST specify the X.509 public key 
397 algorithm explicitly by using the OIDs specified in <xref target="oids" format="default"/> 
398 when encoding ECDSA with SHAKE public keys in certificates and CRLs. 
399 Conforming client implementations that process ECDSA with 
400 SHAKE public keys when processing certificates and CRLs MUST recognize 
401 the corresponding OIDs. </t>
402        <t>The identifier parameters, as explained in <xref target="oids" format="default"/>, 
403 MUST be absent.</t>
404      </section>
405    </section>
406    <section anchor="IANA" numbered="true" toc="default">
407      <name>IANA Considerations</name>
408      <t>One object identifier for the ASN.1 module in <xref target="asn" format="default"/> 
409   is requested for the SMI Security for PKIX Module Identifiers 
410   (1.3.6.1.5.5.7.0) registry: </t>
411      <table align="center">
412        <thead>
413          <tr>
414            <th align="center">Decimal</th>
415            <th align="center">Description</th>
416            <th align="center">References</th>
417          </tr>
418        </thead>
419        <tbody>
420          <tr>
421            <td align="center">TBD</td>
422            <td align="center">id-mod-pkix1-shakes-2019</td>
423            <td align="center">[EDNOTE: THIS RFC]</td>
424          </tr>
425        </tbody>
426      </table>
427      <t>IANA is requested to update the 
428   SMI Security for PKIX Algorithms <xref target="SMI-PKIX" format="default"/>
429   (1.3.6.1.5.5.7.6) registry with four additional entries: </t>
430      <table align="center">
431        <thead>
432          <tr>
433            <th align="center">Decimal</th>
434            <th align="center">Description</th>
435            <th align="center">References</th>
436          </tr>
437        </thead>
438        <tbody>
439          <tr>
440            <td align="center">TBD1</td>
441            <td align="center">id-RSASSA-PSS-SHAKE128</td>
442            <td align="center">[EDNOTE: THIS RFC]</td>
443          </tr>
444          <tr>
445            <td align="center">TBD2</td>
446            <td align="center">id-RSASSA-PSS-SHAKE256</td>
447            <td align="center">[EDNOTE: THIS RFC]</td>
448          </tr>
449          <tr>
450            <td align="center">TBD3</td>
451            <td align="center">id-ecdsa-with-shake128</td>
452            <td align="center">[EDNOTE: THIS RFC]</td>
453          </tr>
454          <tr>
455            <td align="center">TBD4</td>
456            <td align="center">id-ecdsa-with-shake256</td>
457            <td align="center">[EDNOTE: THIS RFC]</td>
458          </tr>
459        </tbody>
460      </table>
461      <t>IANA is also requested to update the 
462   Hash Function Textual Names Registry <xref target="Hash-Texts" format="default"/>
463      with two additional entries for SHAKE128
464      and SHAKE256: </t>
465      <table align="center">
466        <thead>
467          <tr>
468            <th align="center">Hash Function Name</th>
469            <th align="center">OID</th>
470            <th align="center">Reference</th>
471          </tr>
472        </thead>
473        <tbody>
474          <tr>
475            <td align="center">shake128</td>
476            <td align="center">2.16.840.1.101.3.4.2.11</td>
477            <td align="center">[EDNOTE: THIS RFC]</td>
478          </tr>
479          <tr>
480            <td align="center">shake256</td>
481            <td align="center">2.16.840.1.101.3.4.2.12</td>
482            <td align="center">[EDNOTE: THIS RFC]</td>
483          </tr>
484        </tbody>
485      </table>
486    </section>
487    <section anchor="Security" numbered="true" toc="default">
488      <name>Security Considerations</name>
489      <t>This document updates <xref target="RFC3279" format="default"/>. The security considerations
490      section of that document applies to this specification as well.</t>
491      <t>NIST has defined appropriate use of the hash functions in terms of the algorithm 
492      strengths and expected time frames for secure use in Special Publications (SPs) 
493      <xref target="SP800-78-4" format="default"/> and <xref target="SP800-107" format="default"/>. 
494      These documents can be used as guides to choose appropriate key sizes 
495      for various security scenarios. </t>
496      <!-- <t>The SHAKEs are deterministic functions. Like any other deterministic function, 
497   executing multiple times with the same input will produce the 
498   same output. Therefore, users should not expect unrelated outputs (with the 
499   same or different output lengths) from running a SHAKE function with the 
500   same input multiple times. The shorter of any two outputs produced from a 
501   SHAKE with the same input is a prefix of the longer one. It is a similar 
502   situation as truncating a 512-bit output of SHA-512 by taking its 256 
503   left-most bits. These 256 left-most bits are a prefix of the 512-bit output.</t> -->
504      <!-- <t>Implementations must protect the signer's private key. Compromise of
505      the signer's private key permits masquerade attacks.</t> -->
506      <!-- <t>Implementations must randomly generate one-time values, such as the k value when generating a ECDSA
507      signature. In addition, the generation of public/private key pairs
508      relies on random numbers. The use of inadequate pseudo-random
509      number generators (PRNGs) to generate such cryptographic values can
510      result in little or no security. The generation of quality random
511      numbers is difficult. <xref target="RFC4086"/> offers important guidance 
512   in this area, and <xref target="SP800-90A"/> series provide acceptable 
513      PRNGs.</t> -->
514      <!-- <t>Implementers should be aware that cryptographic algorithms may 
515   become weaker with time. As new cryptanalysis techniques are developed 
516   and computing power increases, the work factor or time required to break a 
517   particular cryptographic algorithm may decrease. Therefore, cryptographic
518      algorithm implementations should be modular allowing new algorithms
519      to be readily inserted. That is, implementers should be prepared to
520      regularly update the set of algorithms in their implementations.</t> -->
521      <t>SHAKE128 with output length of 256-bits offers 128-bits of collision and preimage resistance. Thus, SHAKE128 OIDs in this specification are RECOMMENDED with 2048 (112-bit security) or 3072-bit (128-bit security) RSA modulus or curves with group order of 256-bits (128-bit security). SHAKE256 with 512-bits output length offers 256-bits of collision and preimage resistance. Thus, the SHAKE256 OIDs in this specification are RECOMMENDED with 4096-bit RSA modulus or higher or curves with group order of at least 512 bits such as NIST Curve P-521 (256-bit security). Note that we recommended 4096-bit RSA because we would need 15360-bit modulus for 256-bits of security which is impractical for today's technology.</t>
522    </section>
523    <!-- Possibly a 'Contributors' section ... -->
524    <section anchor="Acknowledgements" numbered="true" toc="default">
525      <name>Acknowledgements</name>
526      <t>We would like to thank Sean Turner, Jim Schaad and Eric 
527   Rescorla for their valuable contributions to this document.</t>
528      <t>The authors would like to thank Russ Housley for his guidance and 
529   very valuable contributions with the ASN.1 module.</t>
530    </section>
531  </middle>
532  <!--  *****BACK MATTER ***** -->
533  <back>
534    <!-- References split into informative and normative -->
535    <!-- There are 2 ways to insert reference entries from the citation libraries:
536     1. define an ENTITY at the top, and use "ampersand character"RFC2629; here (as shown)
537     2. simply use a PI "less than character"?rfc include="reference.RFC.2119.xml"?> here
538        (for I-Ds: include="reference.I-D.narten-iana-considerations-rfc2434bis.xml")
539
540     Both are cited textually in the same manner: by using xref elements.
541     If you use the PI option, xml2rfc will, by default, try to find included files in the same
542     directory as the including file. You can also define the XML_LIBRARY environment variable
543     with a value containing a set of directories to search.  These can be either in the local
544     filing system or remote ones accessed by http (http://domain/dir/... ).-->
545    <references>
546      <name>References</name>
547      <references>
548        <name>Normative References</name>
549        <!--?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"?-->
550        <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
551          <front>
552            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
553            <seriesInfo name="DOI" value="10.17487/RFC2119"/>
554            <seriesInfo name="RFC" value="2119"/>
555            <seriesInfo name="BCP" value="14"/>
556            <author initials="S." surname="Bradner" fullname="S. Bradner">
557              <organization/>
558            </author>
559            <date year="1997" month="March"/>
560            <abstract>
561              <t>In many standards track documents several words are used to signify the requirements in the specification.  These words are often capitalized. This document defines these words as they should be interpreted in IETF documents.  This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
562            </abstract>
563          </front>
564        </reference>
565        <reference anchor="RFC3279" target="https://www.rfc-editor.org/info/rfc3279" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3279.xml">
566          <front>
567            <title>Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
568            <seriesInfo name="DOI" value="10.17487/RFC3279"/>
569            <seriesInfo name="RFC" value="3279"/>
570            <author initials="L." surname="Bassham" fullname="L. Bassham">
571              <organization/>
572            </author>
573            <author initials="W." surname="Polk" fullname="W. Polk">
574              <organization/>
575            </author>
576            <author initials="R." surname="Housley" fullname="R. Housley">
577              <organization/>
578            </author>
579            <date year="2002" month="April"/>
580            <abstract>
581              <t>This document specifies algorithm identifiers and ASN.1 encoding formats for digital signatures and subject public keys used in the Internet X.509 Public Key Infrastructure (PKI).  Digital signatures are used to sign certificates and certificate revocation list (CRLs).  Certificates include the public key of the named subject.  [STANDARDS-TRACK]</t>
582            </abstract>
583          </front>
584        </reference>
585        <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
586          <front>
587            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
588            <seriesInfo name="DOI" value="10.17487/RFC8174"/>
589            <seriesInfo name="RFC" value="8174"/>
590            <seriesInfo name="BCP" value="14"/>
591            <author initials="B." surname="Leiba" fullname="B. Leiba">
592              <organization/>
593            </author>
594            <date year="2017" month="May"/>
595            <abstract>
596              <t>RFC 2119 specifies common key words that may be used in protocol  specifications.  This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the  defined special meanings.</t>
597            </abstract>
598          </front>
599        </reference>
600        <!-- &RFC3280; -->
601        <reference anchor="RFC4055" target="https://www.rfc-editor.org/info/rfc4055" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4055.xml">
602          <front>
603            <title>Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
604            <seriesInfo name="DOI" value="10.17487/RFC4055"/>
605            <seriesInfo name="RFC" value="4055"/>
606            <author initials="J." surname="Schaad" fullname="J. Schaad">
607              <organization/>
608            </author>
609            <author initials="B." surname="Kaliski" fullname="B. Kaliski">
610              <organization/>
611            </author>
612            <author initials="R." surname="Housley" fullname="R. Housley">
613              <organization/>
614            </author>
615            <date year="2005" month="June"/>
616            <abstract>
617              <t>This document supplements RFC 3279.  It describes the conventions for using the RSA Probabilistic Signature Scheme (RSASSA-PSS) signature algorithm, the RSA Encryption Scheme - Optimal Asymmetric Encryption Padding (RSAES-OAEP) key transport algorithm and additional one-way hash functions with the Public-Key Cryptography Standards (PKCS) #1 version 1.5 signature algorithm in the Internet X.509 Public Key Infrastructure (PKI).  Encoding formats, algorithm identifiers, and parameter formats are specified.  [STANDARDS-TRACK]</t>
618            </abstract>
619          </front>
620        </reference>
621        <reference anchor="RFC5280" target="https://www.rfc-editor.org/info/rfc5280" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml">
622          <front>
623            <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
624            <seriesInfo name="DOI" value="10.17487/RFC5280"/>
625            <seriesInfo name="RFC" value="5280"/>
626            <author initials="D." surname="Cooper" fullname="D. Cooper">
627              <organization/>
628            </author>
629            <author initials="S." surname="Santesson" fullname="S. Santesson">
630              <organization/>
631            </author>
632            <author initials="S." surname="Farrell" fullname="S. Farrell">
633              <organization/>
634            </author>
635            <author initials="S." surname="Boeyen" fullname="S. Boeyen">
636              <organization/>
637            </author>
638            <author initials="R." surname="Housley" fullname="R. Housley">
639              <organization/>
640            </author>
641            <author initials="W." surname="Polk" fullname="W. Polk">
642              <organization/>
643            </author>
644            <date year="2008" month="May"/>
645            <abstract>
646              <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet.  An overview of this approach and model is provided as an introduction.  The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms.  Standard certificate extensions are described and two Internet-specific extensions are defined.  A set of required certificate extensions is specified.  The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions.  An algorithm for X.509 certification path validation is described.  An ASN.1 module and examples are provided in the appendices.  [STANDARDS-TRACK]</t>
647            </abstract>
648          </front>
649        </reference>
650        <reference anchor="RFC5480" target="https://www.rfc-editor.org/info/rfc5480" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5480.xml">
651          <front>
652            <title>Elliptic Curve Cryptography Subject Public Key Information</title>
653            <seriesInfo name="DOI" value="10.17487/RFC5480"/>
654            <seriesInfo name="RFC" value="5480"/>
655            <author initials="S." surname="Turner" fullname="S. Turner">
656              <organization/>
657            </author>
658            <author initials="D." surname="Brown" fullname="D. Brown">
659              <organization/>
660            </author>
661            <author initials="K." surname="Yiu" fullname="K. Yiu">
662              <organization/>
663            </author>
664            <author initials="R." surname="Housley" fullname="R. Housley">
665              <organization/>
666            </author>
667            <author initials="T." surname="Polk" fullname="T. Polk">
668              <organization/>
669            </author>
670            <date year="2009" month="March"/>
671            <abstract>
672              <t>This document specifies the syntax and semantics for the Subject Public Key Information field in certificates that support Elliptic Curve Cryptography.  This document updates Sections 2.3.5 and 5, and the ASN.1 module of "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3279.  [STANDARDS-TRACK]</t>
673            </abstract>
674          </front>
675        </reference>
676        <reference anchor="RFC8017" target="https://www.rfc-editor.org/info/rfc8017" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8017.xml">
677          <front>
678            <title>PKCS #1: RSA Cryptography Specifications Version 2.2</title>
679            <seriesInfo name="DOI" value="10.17487/RFC8017"/>
680            <seriesInfo name="RFC" value="8017"/>
681            <author initials="K." surname="Moriarty" fullname="K. Moriarty" role="editor">
682              <organization/>
683            </author>
684            <author initials="B." surname="Kaliski" fullname="B. Kaliski">
685              <organization/>
686            </author>
687            <author initials="J." surname="Jonsson" fullname="J. Jonsson">
688              <organization/>
689            </author>
690            <author initials="A." surname="Rusch" fullname="A. Rusch">
691              <organization/>
692            </author>
693            <date year="2016" month="November"/>
694            <abstract>
695              <t>This document provides recommendations for the implementation of public-key cryptography based on the RSA algorithm, covering cryptographic primitives, encryption schemes, signature schemes with appendix, and ASN.1 syntax for representing keys and for identifying the schemes.</t>
696              <t>This document represents a republication of PKCS #1 v2.2 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series.  By publishing this RFC, change control is transferred to the IETF.</t>
697              <t>This document also obsoletes RFC 3447.</t>
698            </abstract>
699          </front>
700        </reference>
701        <!-- RFC8017 is Informational draft but we are keeping it in the Normative References even though idnits complains because we need a normative reference for RSASSA-PSS. RFC4056 does the same thing with RSASS-PSS v2.1 -->
702        <!-- <?rfc include="http://xml2rfc.tools.ietf.org/public/rfc/bibxml-ids/reference.I-D.draft-josefsson-pkix-eddsa-04.xml"?> -->
703        <reference anchor="SHA3" target="https://www.nist.gov/publications/sha-3-standard-permutation-based-hash-and-extendable-output-functions">
704          <front>
705            <title>SHA-3 Standard - Permutation-Based Hash and Extendable-Output Functions FIPS PUB 202</title>
706            <author>
707              <organization>National Institute of Standards and Technology (NIST)</organization>
708            </author>
709            <date month="August" year="2015"/>
710          </front>
711        </reference>
712      </references>
713      <references>
714        <name>Informative References</name>
715        <!-- Here we use entities that we defined at the beginning. -->
716        <!--&RFC2629; -->
717        <reference anchor="RFC5912" target="https://www.rfc-editor.org/info/rfc5912" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5912.xml">
718          <front>
719            <title>New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)</title>
720            <seriesInfo name="DOI" value="10.17487/RFC5912"/>
721            <seriesInfo name="RFC" value="5912"/>
722            <author initials="P." surname="Hoffman" fullname="P. Hoffman">
723              <organization/>
724            </author>
725            <author initials="J." surname="Schaad" fullname="J. Schaad">
726              <organization/>
727            </author>
728            <date year="2010" month="June"/>
729            <abstract>
730              <t>The Public Key Infrastructure using X.509 (PKIX) certificate format, and many associated formats, are expressed using ASN.1.  The current ASN.1 modules conform to the 1988 version of ASN.1.  This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax.  This document is not an Internet  Standards Track specification; it is published for informational  purposes.</t>
731            </abstract>
732          </front>
733        </reference>
734        <reference anchor="RFC6979" target="https://www.rfc-editor.org/info/rfc6979" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6979.xml">
735          <front>
736            <title>Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)</title>
737            <seriesInfo name="DOI" value="10.17487/RFC6979"/>
738            <seriesInfo name="RFC" value="6979"/>
739            <author initials="T." surname="Pornin" fullname="T. Pornin">
740              <organization/>
741            </author>
742            <date year="2013" month="August"/>
743            <abstract>
744              <t>This document defines a deterministic digital signature generation procedure.  Such signatures are compatible with standard Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) digital signatures and can be processed with unmodified verifiers, which need not be aware of the procedure described therein.  Deterministic signatures retain the cryptographic security features associated with digital signatures but can be more easily implemented in various environments, since they do not need access to a source of high-quality randomness.</t>
745            </abstract>
746          </front>
747        </reference>
748        <!-- &RFC4086; -->
749        <!--<reference anchor="shake-nist-oids" target="https://csrc.nist.gov/Projects/Computer-Security-Objects-Register/Algorithm-Registration">
750        <front>
751          <title>Computer Security Objects Register</title>
752          <author>
753            <organization>National Institute of Standards and Technology</organization>
754          </author>
755          <date month="October" year="2017" />
756        </front>
757      </reference> -->
758        <reference anchor="SEC1" target="http://www.secg.org/sec1-v2.pdf">
759          <front>
760            <title>SEC 1: Elliptic Curve Cryptography</title>
761            <author>
762              <organization>Standards for Efficient Cryptography Group</organization>
763            </author>
764            <date month="May" year="2009"/>
765          </front>
766        </reference>
767        <reference anchor="X9.62">
768          <front>
769            <title>X9.62-2005: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Standard (ECDSA)</title>
770            <author>
771              <organization>American National Standard for Financial Services (ANSI)</organization>
772            </author>
773            <date month="November" year="2005"/>
774          </front>
775        </reference>
776        <reference anchor="SP800-78-4" target="https://csrc.nist.gov/csrc/media/publications/sp/800-78/4/final/documents/sp800_78-4_revised_draft.pdf">
777          <front>
778            <title>SP800-78-4: Cryptographic Algorithms and Key Sizes for Personal Identity Verification</title>
779            <author>
780              <organization>National Institute of Standards and Technology (NIST)</organization>
781            </author>
782            <date month="May" year="2014"/>
783          </front>
784        </reference>
785        <reference anchor="SMI-PKIX" target="https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.6">
786          <front>
787            <title>SMI Security for PKIX Algorithms</title>
788            <author>
789              <organization>IANA</organization>
790            </author>
791            <date month="March" year="2019"/>
792          </front>
793        </reference>
794        <reference anchor="Hash-Texts" target="https://www.iana.org/assignments/hash-function-text-names/hash-function-text-names.xhtml">
795          <front>
796            <title>Hash Function Textual Names</title>
797            <author>
798              <organization>IANA</organization>
799            </author>
800            <date month="July" year="2017"/>
801          </front>
802        </reference>
803        <reference anchor="SP800-107" target="https://csrc.nist.gov/csrc/media/publications/sp/800-107/rev-1/final/documents/draft_revised_sp800-107.pdf">
804          <front>
805            <title>SP800-107: Recommendation for Applications Using Approved Hash Algorithms</title>
806            <author>
807              <organization>National Institute of Standards and Technology (NIST)</organization>
808            </author>
809            <date month="May" year="2014"/>
810          </front>
811        </reference>
812        <!-- <reference anchor="SP800-90A" target="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf">
813        <front>
814          <title>Recommendation for Random Number Generation Using Deterministic Random Bit Generators. NIST SP 800-90A</title>
815          <author>
816            <organization>National Institute of Standards and Technology</organization>
817          </author>
818          <date month="June" year="2015" />
819        </front>
820      </reference> -->
821        <!-- <reference anchor="SP800-185" target="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf">
822        <front>
823          <title>SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash. NIST SP 800-185</title>
824          <author>
825            <organization>National Institute of Standards and Technology</organization>
826          </author>
827          <date month="December" year="2016" />
828        </front>
829      </reference> -->
830      </references>
831    </references>
832    <section anchor="asn" numbered="true" toc="default">
833      <name>ASN.1 module</name>
834      <t>This appendix includes the ASN.1 module for SHAKEs in X.509. 
835    This module does not come from any existing RFC. </t>
836      <artwork name="" type="" align="left" alt=""><![CDATA[ 
837    PKIXAlgsForSHAKE-2019 { iso(1) identified-organization(3) dod(6)
838      internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
839      id-mod-pkix1-shakes-2019(TBD) }
840
841    DEFINITIONS EXPLICIT TAGS ::=
842
843    BEGIN
844
845    -- EXPORTS ALL;
846
847    IMPORTS
848
849    -- FROM [RFC5912]
850
851    PUBLIC-KEY, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM, SMIME-CAPS
852    FROM AlgorithmInformation-2009
853      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
854        mechanisms(5) pkix(7) id-mod(0)
855        id-mod-algorithmInformation-02(58) }
856
857    -- FROM [RFC5912]
858
859    RSAPublicKey, rsaEncryption, pk-rsa, pk-ec,
860    CURVE, id-ecPublicKey, ECPoint, ECParameters, ECDSA-Sig-Value
861    FROM PKIXAlgs-2009 { iso(1) identified-organization(3) dod(6)
862         internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
863         id-mod-pkix1-algorithms2008-02(56) }
864   ;
865
866    --
867    -- Message Digest Algorithms (mda-)
868    --
869    DigestAlgorithms DIGEST-ALGORITHM ::= {
870      -- This expands DigestAlgorithms from [RFC5912]
871      mda-shake128   |
872      mda-shake256,
873      ...
874    }
875
876    --
877    -- One-Way Hash Functions
878    --
879
880    -- SHAKE128
881    mda-shake128 DIGEST-ALGORITHM ::= {
882      IDENTIFIER id-shake128  -- with output length 32 bytes.
883    }
884    id-shake128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16)
885                                        us(840) organization(1) gov(101)
886                                        csor(3) nistAlgorithm(4)
887                                        hashAlgs(2) 11 }
888
889    -- SHAKE256
890    mda-shake256 DIGEST-ALGORITHM ::= {
891      IDENTIFIER id-shake256  -- with output length 64 bytes.
892    }
893    id-shake256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16)
894                                        us(840) organization(1) gov(101)
895                                        csor(3) nistAlgorithm(4)
896                                        hashAlgs(2) 12 }
897
898    --
899    -- Public Key (pk-) Algorithms
900    --
901    PublicKeys PUBLIC-KEY ::= {
902      -- This expands PublicKeys from [RFC5912]
903      pk-rsaSSA-PSS-SHAKE128 |
904      pk-rsaSSA-PSS-SHAKE256,
905      ...
906    }
907
908    -- The hashAlgorithm is mda-shake128
909    -- The maskGenAlgorithm is id-shake128
910    -- Mask Gen Algorithm is SHAKE128 with output length
911    -- (8*ceil((n-1)/8) - 264) bits, where n is the RSA 
912    -- modulus in bits.
913    -- The saltLength is 32. The trailerField is 1.
914    pk-rsaSSA-PSS-SHAKE128 PUBLIC-KEY ::= {
915      IDENTIFIER id-RSASSA-PSS-SHAKE128
916      KEY RSAPublicKey
917      PARAMS ARE absent
918      -- Private key format not in this module --
919      CERT-KEY-USAGE { nonRepudiation, digitalSignature,
920                       keyCertSign, cRLSign }
921    }
922
923    -- The hashAlgorithm is mda-shake256
924    -- The maskGenAlgorithm is id-shake256
925    -- Mask Gen Algorithm is SHAKE256 with output length
926    -- (8*ceil((n-1)/8) - 520)-bits, where n is the RSA 
927    -- modulus in bits.
928    -- The saltLength is 64. The trailerField is 1.
929    pk-rsaSSA-PSS-SHAKE256 PUBLIC-KEY ::= {
930      IDENTIFIER id-RSASSA-PSS-SHAKE256
931      KEY RSAPublicKey
932      PARAMS ARE absent
933      -- Private key format not in this module --
934      CERT-KEY-USAGE { nonRepudiation, digitalSignature,
935                       keyCertSign, cRLSign }
936    }
937
938    --
939    -- Signature Algorithms (sa-)
940    --
941    SignatureAlgs SIGNATURE-ALGORITHM ::= {
942      -- This expands SignatureAlgorithms from [RFC5912]
943      sa-rsassapssWithSHAKE128 |
944      sa-rsassapssWithSHAKE256 |
945      sa-ecdsaWithSHAKE128 |
946      sa-ecdsaWithSHAKE256,
947      ...
948    }
949
950    --
951    -- SMIME Capabilities (sa-)
952    --
953    SMimeCaps SMIME-CAPS ::= {
954      -- The expands SMimeCaps from [RFC5912]
955      sa-rsassapssWithSHAKE128.&smimeCaps |
956      sa-rsassapssWithSHAKE256.&smimeCaps |
957      sa-ecdsaWithSHAKE128.&smimeCaps |
958      sa-ecdsaWithSHAKE256.&smimeCaps,
959      ...
960    }
961
962    -- RSASSA-PSS with SHAKE128
963    sa-rsassapssWithSHAKE128 SIGNATURE-ALGORITHM ::= {
964      IDENTIFIER id-RSASSA-PSS-SHAKE128
965      PARAMS ARE absent
966          -- The hashAlgorithm is mda-shake128
967          -- The maskGenAlgorithm is id-shake128
968          -- Mask Gen Algorithm is SHAKE128 with output length
969          -- (8*ceil((n-1)/8) - 264) bits, where n is the RSA 
970          -- modulus in bits.
971          -- The saltLength is 32. The trailerField is 1
972      HASHES { mda-shake128 }
973      PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS-SHAKE128 }
974      SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS-SHAKE128 }
975    }
976    id-RSASSA-PSS-SHAKE128  OBJECT IDENTIFIER  ::=  { iso(1) 
977            identified-organization(3) dod(6) internet(1) 
978            security(5) mechanisms(5) pkix(7) algorithms(6)
979            TBD1 }
980
981    -- RSASSA-PSS with SHAKE256
982    sa-rsassapssWithSHAKE256 SIGNATURE-ALGORITHM ::= {
983      IDENTIFIER id-RSASSA-PSS-SHAKE256
984      PARAMS ARE absent
985          -- The hashAlgorithm is mda-shake256
986          -- The maskGenAlgorithm is id-shake256
987          -- Mask Gen Algorithm is SHAKE256 with output length
988          -- (8*ceil((n-1)/8) - 520)-bits, where n is the 
989          -- RSA modulus in bits.
990          -- The saltLength is 64. The trailerField is 1.
991     HASHES { mda-shake256 }
992     PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS-SHAKE256 }
993     SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS-SHAKE256 }
994    }
995    id-RSASSA-PSS-SHAKE256  OBJECT IDENTIFIER  ::=  { iso(1) 
996            identified-organization(3) dod(6) internet(1) 
997            security(5) mechanisms(5) pkix(7) algorithms(6)
998            TBD2 }
999
1000    -- ECDSA with SHAKE128
1001    sa-ecdsaWithSHAKE128 SIGNATURE-ALGORITHM ::= {
1002      IDENTIFIER id-ecdsa-with-shake128
1003      VALUE ECDSA-Sig-Value
1004      PARAMS ARE absent
1005      HASHES { mda-shake128 }
1006      PUBLIC-KEYS { pk-ec }
1007      SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-shake128 }
1008    }
1009    id-ecdsa-with-shake128 OBJECT IDENTIFIER  ::=  { iso(1) 
1010            identified-organization(3) dod(6) internet(1) 
1011            security(5) mechanisms(5) pkix(7) algorithms(6)
1012            TBD3 } 
1013
1014    -- ECDSA with SHAKE256
1015    sa-ecdsaWithSHAKE256 SIGNATURE-ALGORITHM ::= {
1016      IDENTIFIER id-ecdsa-with-shake256
1017      VALUE ECDSA-Sig-Value
1018      PARAMS ARE absent
1019      HASHES { mda-shake256 }
1020      PUBLIC-KEYS { pk-ec }
1021      SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-shake256 }
1022    }
1023    id-ecdsa-with-shake256 OBJECT IDENTIFIER  ::=  { iso(1) 
1024            identified-organization(3) dod(6) internet(1) 
1025            security(5) mechanisms(5) pkix(7) algorithms(6)
1026            TBD4 }
1027
1028    END
1029 ]]></artwork>
1030    </section>
1031  </back>
1032</rfc>
1<reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
2<front>
3<title>Key words for use in RFCs to Indicate Requirement Levels</title>
4<author initials="S." surname="Bradner" fullname="S. Bradner"><organization/></author>
5<date year="1997" month="March"/>
6<abstract><t>In many standards track documents several words are used to signify the requirements in the specification.  These words are often capitalized. This document defines these words as they should be interpreted in IETF documents.  This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t></abstract>
7</front>
8<seriesInfo name="BCP" value="14"/>
9<seriesInfo name="RFC" value="2119"/>
10<seriesInfo name="DOI" value="10.17487/RFC2119"/>
11</reference>
1<reference anchor="RFC3279" target="https://www.rfc-editor.org/info/rfc3279" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3279.xml">
2<front>
3<title>Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
4<author initials="L." surname="Bassham" fullname="L. Bassham"><organization/></author>
5<author initials="W." surname="Polk" fullname="W. Polk"><organization/></author>
6<author initials="R." surname="Housley" fullname="R. Housley"><organization/></author>
7<date year="2002" month="April"/>
8<abstract><t>This document specifies algorithm identifiers and ASN.1 encoding formats for digital signatures and subject public keys used in the Internet X.509 Public Key Infrastructure (PKI).  Digital signatures are used to sign certificates and certificate revocation list (CRLs).  Certificates include the public key of the named subject.  [STANDARDS-TRACK]</t></abstract>
9</front>
10<seriesInfo name="RFC" value="3279"/>
11<seriesInfo name="DOI" value="10.17487/RFC3279"/>
12</reference>
1<reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
2<front>
3<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
4<author initials="B." surname="Leiba" fullname="B. Leiba"><organization/></author>
5<date year="2017" month="May"/>
6<abstract><t>RFC 2119 specifies common key words that may be used in protocol  specifications.  This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the  defined special meanings.</t></abstract>
7</front>
8<seriesInfo name="BCP" value="14"/>
9<seriesInfo name="RFC" value="8174"/>
10<seriesInfo name="DOI" value="10.17487/RFC8174"/>
11</reference>
1<reference anchor="RFC4055" target="https://www.rfc-editor.org/info/rfc4055" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4055.xml">
2<front>
3<title>Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
4<author initials="J." surname="Schaad" fullname="J. Schaad"><organization/></author>
5<author initials="B." surname="Kaliski" fullname="B. Kaliski"><organization/></author>
6<author initials="R." surname="Housley" fullname="R. Housley"><organization/></author>
7<date year="2005" month="June"/>
8<abstract><t>This document supplements RFC 3279.  It describes the conventions for using the RSA Probabilistic Signature Scheme (RSASSA-PSS) signature algorithm, the RSA Encryption Scheme - Optimal Asymmetric Encryption Padding (RSAES-OAEP) key transport algorithm and additional one-way hash functions with the Public-Key Cryptography Standards (PKCS) #1 version 1.5 signature algorithm in the Internet X.509 Public Key Infrastructure (PKI).  Encoding formats, algorithm identifiers, and parameter formats are specified.  [STANDARDS-TRACK]</t></abstract>
9</front>
10<seriesInfo name="RFC" value="4055"/>
11<seriesInfo name="DOI" value="10.17487/RFC4055"/>
12</reference>
1<reference anchor="RFC5280" target="https://www.rfc-editor.org/info/rfc5280" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml">
2<front>
3<title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
4<author initials="D." surname="Cooper" fullname="D. Cooper"><organization/></author>
5<author initials="S." surname="Santesson" fullname="S. Santesson"><organization/></author>
6<author initials="S." surname="Farrell" fullname="S. Farrell"><organization/></author>
7<author initials="S." surname="Boeyen" fullname="S. Boeyen"><organization/></author>
8<author initials="R." surname="Housley" fullname="R. Housley"><organization/></author>
9<author initials="W." surname="Polk" fullname="W. Polk"><organization/></author>
10<date year="2008" month="May"/>
11<abstract><t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet.  An overview of this approach and model is provided as an introduction.  The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms.  Standard certificate extensions are described and two Internet-specific extensions are defined.  A set of required certificate extensions is specified.  The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions.  An algorithm for X.509 certification path validation is described.  An ASN.1 module and examples are provided in the appendices.  [STANDARDS-TRACK]</t></abstract>
12</front>
13<seriesInfo name="RFC" value="5280"/>
14<seriesInfo name="DOI" value="10.17487/RFC5280"/>
15</reference>
1<reference anchor="RFC5480" target="https://www.rfc-editor.org/info/rfc5480" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5480.xml">
2<front>
3<title>Elliptic Curve Cryptography Subject Public Key Information</title>
4<author initials="S." surname="Turner" fullname="S. Turner"><organization/></author>
5<author initials="D." surname="Brown" fullname="D. Brown"><organization/></author>
6<author initials="K." surname="Yiu" fullname="K. Yiu"><organization/></author>
7<author initials="R." surname="Housley" fullname="R. Housley"><organization/></author>
8<author initials="T." surname="Polk" fullname="T. Polk"><organization/></author>
9<date year="2009" month="March"/>
10<abstract><t>This document specifies the syntax and semantics for the Subject Public Key Information field in certificates that support Elliptic Curve Cryptography.  This document updates Sections 2.3.5 and 5, and the ASN.1 module of "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3279.  [STANDARDS-TRACK]</t></abstract>
11</front>
12<seriesInfo name="RFC" value="5480"/>
13<seriesInfo name="DOI" value="10.17487/RFC5480"/>
14</reference>
1<reference anchor="RFC8017" target="https://www.rfc-editor.org/info/rfc8017" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8017.xml">
2<front>
3<title>PKCS #1: RSA Cryptography Specifications Version 2.2</title>
4<author initials="K." surname="Moriarty" fullname="K. Moriarty" role="editor"><organization/></author>
5<author initials="B." surname="Kaliski" fullname="B. Kaliski"><organization/></author>
6<author initials="J." surname="Jonsson" fullname="J. Jonsson"><organization/></author>
7<author initials="A." surname="Rusch" fullname="A. Rusch"><organization/></author>
8<date year="2016" month="November"/>
9<abstract><t>This document provides recommendations for the implementation of public-key cryptography based on the RSA algorithm, covering cryptographic primitives, encryption schemes, signature schemes with appendix, and ASN.1 syntax for representing keys and for identifying the schemes.</t><t>This document represents a republication of PKCS #1 v2.2 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series.  By publishing this RFC, change control is transferred to the IETF.</t><t>This document also obsoletes RFC 3447.</t></abstract>
10</front>
11<seriesInfo name="RFC" value="8017"/>
12<seriesInfo name="DOI" value="10.17487/RFC8017"/>
13</reference>
1<reference anchor="RFC5912" target="https://www.rfc-editor.org/info/rfc5912" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5912.xml">
2<front>
3<title>New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)</title>
4<author initials="P." surname="Hoffman" fullname="P. Hoffman"><organization/></author>
5<author initials="J." surname="Schaad" fullname="J. Schaad"><organization/></author>
6<date year="2010" month="June"/>
7<abstract><t>The Public Key Infrastructure using X.509 (PKIX) certificate format, and many associated formats, are expressed using ASN.1.  The current ASN.1 modules conform to the 1988 version of ASN.1.  This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax.  This document is not an Internet  Standards Track specification; it is published for informational  purposes.</t></abstract>
8</front>
9<seriesInfo name="RFC" value="5912"/>
10<seriesInfo name="DOI" value="10.17487/RFC5912"/>
11</reference>
1<reference anchor="RFC6979" target="https://www.rfc-editor.org/info/rfc6979" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6979.xml">
2<front>
3<title>Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)</title>
4<author initials="T." surname="Pornin" fullname="T. Pornin"><organization/></author>
5<date year="2013" month="August"/>
6<abstract><t>This document defines a deterministic digital signature generation procedure.  Such signatures are compatible with standard Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) digital signatures and can be processed with unmodified verifiers, which need not be aware of the procedure described therein.  Deterministic signatures retain the cryptographic security features associated with digital signatures but can be more easily implemented in various environments, since they do not need access to a source of high-quality randomness.</t></abstract>
7</front>
8<seriesInfo name="RFC" value="6979"/>
9<seriesInfo name="DOI" value="10.17487/RFC6979"/>
10</reference>
  • <?xml version="1.0" encoding="utf-8"?>
  • <!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
  • <?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
  • <?rfc strict="yes" ?>
  • <?rfc toc="yes"?>
  • <?rfc tocdepth="4"?>
  • <?rfc symrefs="yes"?>
  • <?rfc sortrefs="yes" ?>
  • <?rfc compact="yes" ?>
  • <?rfc subcompact="no" ?>
  • <rfc category="std" docName="draft-ietf-lamps-pkix-shake-15" ipr="trust200902" updates="3279" obsoletes="" submissionType="IETF" xml:lang="en" version="3" number="9999" consensus="true" tocInclude="true" symRefs="true" sortRefs="true">
    • <-- xml2rfc v2v3 conversion 2.23.1 -->
    • <-- category values: std, bcp, info, exp, and historic
           ipr="full3978" (probably old)
           ipr values: full3667, noModification3667, noDerivatives3667
           you can add the attributes updates="NNNN" and obsoletes="NNNN" 
           they will automatically be output with "(if approved)" -->
    • <-- ***** FRONT MATTER ***** -->
    • <front>
      • <-- The abbreviated title is used in the page header - it is only necessary if the 
                 full title is longer than 39 characters -->
      • <title abbrev="SHAKE identifiers in X.509">
        • Internet X.509 Public Key Infrastructure: Additional Algorithm Identifiers for RSASSA-PSS and ECDSA using SHAKEs
        • </title>
      • <seriesInfo name="Internet-Draft" "RFC" value="draft-ietf-lamps-pkix-shake-15" "9999" />
      • <-- add 'role="editor"' below for the editors if appropriate -->
      • <author fullname="Panos Kampanakis" initials="P.K." surname="Kampanakis">
        • <organization>
          • Cisco Systems
          • </organization>
        • <address>
          • <email>
            • pkampana@cisco.com
            • </email>
          • </address>
        • </author>
      • <author fullname="Quynh Dang" initials="Q.D." surname="Dang">
        • <organization>
          • NIST
          • </organization>
        • <address>
          • <postal>
            • <street>
              • 100 Bureau Drive, Stop 8930
              • </street>
            • <city>
              • Gaithersburg
              • </city>
            • <region>
              • MD
              • </region>
            • <code>
              • 20899-8930
              • </code>
            • <country>
              • USA
              • </country>
            • </postal>
          • <-- <phone>+44 7889 488 335</phone> -->
          • <email>
            • quynh.dang@nist.gov
            • </email>
          • <-- uri and facsimile elements may also be added -->
          • </address>
        • </author>
      • <-- <author fullname="Sean Turner" initials="S.T."
                    surname="Turner">
              <organization>sn3rd</organization>
              <address>
                <postal>
                  <street></street>
                  <city>Soham</city>
                  <region></region>
                  <code></code>
                  <country>UK</country>
                </postal>
                <phone>+44 7889 488 335</phone>
                <email>sean@sn3rd.com</email> 
              </address>
            </author> -->
      • <date year="2019" month="August"/>
      • <-- If the month and year are both specified and are the current ones, xml2rfc will fill 
                 in the current day for you. If only the current year is specified, xml2rfc will fill 
         in the current day and month for you. If the year is not the current one, it is 
         necessary to specify at least a month (xml2rfc assumes day="1" if not specified for the 
         purpose of calculating the expiry date).  With drafts it is normally sufficient to 
         specify just the year. -->
      • <-- Meta-data Declarations -->
      • <area>
        • General
        • </area>
      • <workgroup>
        • LAMPS WG
        • </workgroup>
      • <-- WG name at the upperleft corner of the doc,
                 IETF is fine for individual submissions.  
         If this element is not present, the default is "Network Working Group",
                 which is used by the RFC Editor as a nod to the history of the IETF. -->
      • <-- <keyword>template</keyword> -->
      • <-- Keywords will be incorporated into HTML output
                 files in a meta tag but they have no effect on text or nroff
                 output. If you submit your draft to the RFC Editor, the
                 keywords will be used for the searPKIch engine. -->
      • <abstract>
        • <t>
          • Digital signatures are used to sign messages, X.509 certificates and CRLs. This document updates the "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List Profile" (RFC3279) and describes the conventions for using the SHAKE function family in Internet X.509 certificates and revocation lists as one-way hash functions with the RSA Probabilistic signature and ECDSA signature algorithms. The conventions for the associated subject public keys are also described.
          • </t>
        • </abstract>
      • </front>
    • <middle>
      • <section numbered="true" toc="default">
        • <name>
          • Introduction
          • </name>
        • <t>
          • <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="RFC3279" format="default"/> defines cryptographic algorithm identifiers for the Internet X.509 Certificate and Certificate Revocation Lists (CRL) profile <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="RFC5280" format="default"/>. This document updates RFC3279 and defines identifiers for several cryptographic algorithms that use variable length output SHAKE functions introduced in <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="SHA3" format="default"/> which can be used with .
          • </t>
        • <t>
          • In the SHA-3 family, two extendable-output functions (SHAKEs), SHAKE128 and SHAKE256, are defined. Four other hash function instances, SHA3-224, SHA3-256, SHA3-384, and SHA3-512, are also defined but are out of scope for this document. A SHAKE is a variable length hash function defined as SHAKE(M, d) where the output is a d-bits-long digest of message M. The corresponding collision and second-preimage-resistance strengths for SHAKE128 are min(d/2,128) and min(d,128) bits, respectively (Appendix A.1 <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="SHA3" format="default"/>). And the corresponding collision and second-preimage-resistance strengths for SHAKE256 are min(d/2,256) and min(d,256) bits, respectively.
          • </t>
        • <t>
          • A SHAKE can be used as the message digest function (to hash the message to be signed) in RSASSA-PSS <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="RFC8017" format="default"/> and ECDSA <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="X9.62" format="default"/> and as the hash in the mask generation function (MGF) in RSASSA-PSS. A SHAKE can be used as the message digest function (to hash the message to be signed) in RSASSA-PSS <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="RFC8017" format="default"/> and ECDSA <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="X9.62" format="default"/> and as the hash in the mask generation function (MGF) in RSASSA-PSS.
            <-- This specification describes the identifiers for SHAKEs to be used in X.509 and their 
              meaning.-->
          • </t>
        • </section>
      • <-- This PI places the pagebreak correctly (before the section title) in the text output. -->
      • <section anchor="terminology" numbered="true" toc="default">
        • <name>
          • Terminology
          • </name>
        • <t>
          • The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", "<bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">MUST</bcp14>", "<bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">MUST NOT</bcp14>", "<bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">REQUIRED</bcp14>", "<bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">SHALL</bcp14>", "<bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">SHALL NOT</bcp14>", "<bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">SHOULD</bcp14>", "<bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">SHOULD NOT</bcp14>", "<bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">RECOMMENDED</bcp14>", "<bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">NOT RECOMMENDED</bcp14>", "<bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">MAY</bcp14>", and "OPTIONAL" "<bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">OPTIONAL</bcp14>" in this document are to be interpreted as described in BCP 14 <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="RFC2119" format="default"/> "RFC2119"/> <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="RFC8174" format="default"/> "RFC8174"/> when, and only when, they appear in all capitals, as shown here.
          • </t>
        • </section>
      • <-- Terminology  [rfced] Please review the type attribute of each sourcecode
        element in this XML file. In particular, what type should be used
        for the sourcecode elements in Sections 3 and 4.1? Should these be
        type="asn.1" or something else? Or should these be tagged as artwork rather
        than as sourcecode?

        The current list of types is in Section 2.48.4 of RFC 7991.
        -->
      • <section anchor="oids" numbered="true" toc="default">
        • <name>
          • Identifiers
          • </name>
        • <-- Commention out the below OIDs as they are no longer pertinent for the below public keys and sigs -->
        • <-- The Object Identifiers (OIDs) for these two hash functions are defined in 
            <xref target="shake-nist-oids"/> and are included here for convenience: </t>
                
            <t><figure><artwork><![CDATA[
            id-shake128-len OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
          country(16) us(840) organization(1) gov(101) csor(3)
          nistalgorithm(4) hashalgs(2) 17 } 

            ShakeOutputLen ::= INTEGER - - Output length in octets
          ]]></artwork></figure></t>
            <t>When using the id-shake128-len algorithm identifier, the parameters 
            MUST be present, and they MUST employ the ShakeOutputLen -->
        • <-- "MUST employ syntax borrowed from RFC4055 -->
        • <-- syntax that contains an encoded positive integer value at least 32  
            in this specification.</t>
            <t><figure><artwork><![CDATA[
            id-shake256-len OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
          country(16) us(840) organization(1) gov(101) csor(3)
          nistalgorithm(4) hashalgs(2) 18 }   

            ShakeOutputLen ::= INTEGER - - Output length in octets
          ]]></artwork></figure></t>
            <t>When using the id-shake256-len algorithm identifier, the parameters 
            MUST be present, and they MUST employ the ShakeOutputLen -->
        • <-- "MUST employ syntax borrowed from RFC4055 -->
        • <-- syntax that contains an encoded positive integer value at least 64 
            in this specification.</t> -->
        • <t>
          • This section defines four new object identifiers (OIDs), for RSASSA-PSS and ECDSA with each of SHAKE128 and SHAKE256. The same algorithm identifiers can be used for identifying a public key in RSASSA-PSS.
          • </t>
        • <t>
          • The new identifiers for RSASSA-PSS signatures using SHAKEs are below.
          • </t>
        • <artwork name="" type="" align="left" alt="">
          • <sourcecode type="">

            •  
                  id-RSASSA-PSS-SHAKE128  OBJECT IDENTIFIER  ::=  { iso(1)    
                          identified-organization(3) dod(6) internet(1)    
                          security(5) mechanisms(5) pkix(7) algorithms(6) 
                          TBD1 }  

                id-RSASSA-PSS-SHAKE256  OBJECT IDENTIFIER  ::=  { iso(1)    
                          identified-organization(3) dod(6) internet(1)    
                          security(5) mechanisms(5) pkix(7) algorithms(6) 
                          TBD2 } 
            • </sourcecode>
          • </artwork>
        • <t>
          • The new algorithm identifiers of ECDSA signatures using SHAKEs are below.
          • </t>
        • <ul empty="true" spacing="normal">
          • <li>
            • <sourcecode type="">
              • <artwork xmlns:xi="http://www.w3.org/2001/XInclude" name="" type="" align="left" alt=""><![CDATA[
                id-ecdsa-with-shake128 OBJECT IDENTIFIER ::= { iso(1)
                identified-organization(3) dod(6) internet(1)
                security(5) mechanisms(5) pkix(7) algorithms(6)
                TBD3 }

                id-ecdsa-with-shake256 OBJECT IDENTIFIER ::= { iso(1)
                identified-organization(3) dod(6) internet(1)
                security(5) mechanisms(5) pkix(7) algorithms(6)
                TBD4 }
                ]]></artwork>*    id-ecdsa-with-shake128 OBJECT IDENTIFIER  ::=  { iso(1)              identified-organization(3) dod(6) internet(1)              security(5) mechanisms(5) pkix(7) algorithms(6)             TBD3 }                id-ecdsa-with-shake256 OBJECT IDENTIFIER  ::=  { iso(1)              identified-organization(3) dod(6) internet(1)              security(5) mechanisms(5) pkix(7) algorithms(6)             TBD4 } 
              • </sourcecode>
            • </li>
          • </ul>
        • <-- <xref target="RFC8017"/>, but we include it here as well for convenience:</t>
            <t><figure><artwork><![CDATA[
             id-mgf1  OBJECT IDENTIFIER  ::=  { pkcs-1 8 }
          ]]></artwork></figure>-->
        • <-- <t>The parameters field associated with id-mgf1 MUST <bcp14>MUST</bcp14>  have a hashAlgorithm value that identifies 
            the hash used with MGF1. To use SHAKE as this hash, this parameter 
          MUST <bcp14>MUST</bcp14>  be 
            id-shake128-len or id-shake256-len as specified in <xref target="xofs" /> above. </t>-->
        • <t>
          • The parameters for the four identifiers above MUST <bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">MUST</bcp14> be absent. That is, the identifier SHALL <bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">SHALL</bcp14> be a SEQUENCE of one component, the OID.
          • </t>
        • <t>
          • Sections <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="rsa-sigs" format="default"/> "counter"/> and <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="ecdsa-sigs" format="default"/> "counter"/> specify the required output length for each use of SHAKE128 or SHAKE256 in RSASSA-PSS and ECDSA. In summary, when hashing messages to be signed, output lengths of SHAKE128 and SHAKE256 are 256 and 512 bits respectively. When the SHAKEs are used as mask generation functions RSASSA-PSS, their output length is (8*ceil((n-1)/8) - 264) or (8*ceil((n-1)/8) - 520) bits, respectively, where n is the RSA modulus size in bits.
          • </t>
        • </section>
      • <section numbered="true" toc="default">
        • <name>
          • Use in PKIX
          • </name>
        • <section anchor="sigs" numbered="true" toc="default">
          • <name>
            • Signatures
            • </name>
          • <t>
            • Signatures are used in a number of different ASN.1 structures. As shown in the ASN.1 representation from <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="RFC5280" format="default"/> below, in an X.509 certificate, a signature is encoded with an algorithm identifier in the signatureAlgorithm attribute and a signatureValue attribute that contains the actual signature.
            • </t>
          • <artwork name="" type="" align="left" alt="">
            • <sourcecode type="asn.1">

              •  
                     Certificate  ::=  SEQUENCE  { 
                      tbsCertificate       TBSCertificate, 
                      signatureAlgorithm   AlgorithmIdentifier, 
                      signatureValue       BIT STRING  } 
              • </sourcecode>
            • </artwork>
          • <t>
            • The identifiers defined in <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="oids" format="default"/> can be used as the AlgorithmIdentifier in the signatureAlgorithm field in the sequence Certificate and the signature field in the sequence TBSCertificate in X.509 <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="RFC5280" format="default"/>. The parameters of these signature algorithms are absent as explained in <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="oids" format="default"/>.
            • </t>
          • <t>
            • Conforming CA implementations MUST <bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">MUST</bcp14> specify the algorithms explicitly by using the OIDs specified in <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="oids" format="default"/> when encoding RSASSA-PSS or ECDSA with SHAKE signatures in certificates and CRLs. Conforming client implementations that process certificates and CRLs using RSASSA-PSS or ECDSA with SHAKE MUST <bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">MUST</bcp14> recognize the corresponding OIDs. Encoding rules for RSASSA-PSS and ECDSA signature values are specified in <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="RFC4055" format="default"/> and <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="RFC5480" format="default"/>, respectively.
            • </t>
          • <t>
            • When using RSASSA-PSS or ECDSA with SHAKEs, the RSA modulus and ECDSA curve order SHOULD <bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">SHOULD</bcp14> be chosen in line with the SHAKE output length. Refer to <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="Security" format="default"/> for more details.
            • </t>
          • <section anchor="rsa-sigs" numbered="true" toc="default">
            • <name>
              • RSASSA-PSS Signatures
              • </name>
            • <t>
              • The RSASSA-PSS algorithm is defined in <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="RFC8017" format="default"/>. When id-RSASSA-PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 specified in <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="oids" format="default"/> is used, the encoding MUST <bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">MUST</bcp14> omit the parameters field. That is, the AlgorithmIdentifier SHALL <bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">SHALL</bcp14> be a SEQUENCE of one component, id-RSASSA-PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256. <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="RFC4055" format="default"/> defines RSASSA-PSS-params that are used to define the algorithms and inputs to the algorithm. This specification does not use parameters because the hash, mask generation algorithm, trailer and salt are embedded in the OID definition.
              • </t>
            • <t>
              • The hash algorithm to hash a message being signed and the hash algorithm used as the mask generation function
                <-- "MGF(H, emLen - hLen - 1)" <xref target="RFC8017"/> -->
                in RSASSA-PSS
                MUST <bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">MUST</bcp14> be the same: both SHAKE128 or both SHAKE256. The output length of the hash algorithm which hashes the message SHALL <bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">SHALL</bcp14> be 32 (for SHAKE128) or 64 bytes (for SHAKE256).
              • </t>
            • <t>
              • The mask generation function takes an octet string of variable length and a desired output length as input, and outputs an octet string of the desired length. In RSASSA-PSS with SHAKEs, the SHAKEs MUST <bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">MUST</bcp14> be used natively as the MGF function, instead of the MGF1 algorithm that uses the hash function in multiple iterations as specified in Section B.2.1 of <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="RFC8017" format="default"/>. sectionFormat="of" section="B.2.1"/>. In other words, the MGF is defined as
                <-- <t><figure><artwork><![CDATA[
                    SHAKE128(mgfSeed, maskLen) 
                ]]></artwork></figure>
                          and 
                          <figure><artwork><![CDATA[
                    SHAKE256(mgfSeed, maskLen)
                ]]></artwork></figure></t> -->
                the SHAKE128 or SHAKE256 output of the mgfSeed for id-RSASSA-PSS-SHAKE128 and id-RSASSA-PSS-SHAKE256, respectively. The mgfSeed is the seed from which mask is generated, an octet string <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="RFC8017" format="default"/>. As explained in Step 9
                of section 9.1.1 of <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="RFC8017" format="default"/>, sectionFormat="of" section="9.1.1"/>, the output length of the MGF is emLen - hLen - 1 bytes. emLen is the maximum message length ceil((n-1)/8), where n is the RSA modulus in bits. hLen is 32 and 64-bytes for id-RSASSA-PSS-SHAKE128 and id-RSASSA-PSS-SHAKE256, respectively. Thus when SHAKE is used as the MGF, the SHAKE output length maskLen is (8*emLen - 264) or (8*emLen - 520) bits, respectively. For example, when RSA modulus n is 2048, the output length of SHAKE128 or SHAKE256 as the MGF will be 1784 or 1528-bits when id-RSASSA-PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 is used, respectively.
              • </t>
            • <t>
              • The RSASSA-PSS saltLength MUST <bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">MUST</bcp14> be 32 bytes for id-RSASSA-PSS-SHAKE128 or 64 bytes for id-RSASSA-PSS-SHAKE256. Finally, the trailerField MUST <bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">MUST</bcp14> be 1, which represents the trailer field with hexadecimal value 0xBC <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="RFC8017" format="default"/>.
              • </t>
            • <-- <t><figure><artwork><![CDATA[
                 id-RSASSA-PSS  OBJECT IDENTIFIER  ::=  { pkcs-1 k }

                 RSASSA-PSS-params  ::=  SEQUENCE  {
                       hashAlgorithm      HashAlgorithm, 
                       maskGenAlgorithm   MaskGenAlgorithm, 
                       saltLength         INTEGER, 
                       trailerField       INTEGER }
              ]]></artwork></figure></t> -->
            • <-- <section title="EdDSA with SHAKE">
                        <t>[ EDNOTE: For the group to decide: pre-hash version or non-prehash version EdDSAs. PureEdDSA, the pre-hashed version of EdDSA, as currently also proposed in draft-ietf-curdle-cms-eddsa-signatures mandates the hash function as SHA512 for Ed25519 and SHAKE256(x,64) for Ed448. The HashEdDSA version of EdDSA does not define the hash. It is up to the WG to go the Pre-hash route which would require an OID that contained the hash. ] </t>
                <t>
                   <list>
                 <t><figure><artwork><![CDATA[
              id-eddsa-with-shake128 OBJECT IDENTIFIER ::= { }
              ]]></artwork></figure></t>
                 <t><figure><artwork><![CDATA[
              id-eddsa-with-shake256 OBJECT IDENTIFIER ::= {  }
              ]]></artwork></figure></t>
                 </list></t>
                      </section> -->
            • </section>
          • <section anchor="ecdsa-sigs" numbered="true" toc="default">
            • <name>
              • ECDSA Signatures
              • </name>
            • <t>
              • The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="X9.62" format="default"/>. When the id-ecdsa-with-shake128 or id-ecdsa-with-shake256 (specified in <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="oids" format="default"/>) algorithm identifier appears, the respective SHAKE function (SHAKE128 or SHAKE256) is used as the hash. The encoding MUST <bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">MUST</bcp14> omit the parameters field. That is, the AlgorithmIdentifier SHALL <bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">SHALL</bcp14> be a SEQUENCE of one component, the OID id-ecdsa-with-shake128 or id-ecdsa-with-shake256.
              • </t>
            • <t>
              • For simplicity and compliance with the ECDSA standard specification, the output length of the hash function must be explicitly determined. The output length, d, for SHAKE128 or SHAKE256 used in ECDSA MUST <bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">MUST</bcp14> be 256 or 512 bits, respectively.
              • </t>
            • <t>
              • Conforming CA implementations that generate ECDSA with SHAKE signatures in certificates or CRLs SHOULD <bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">SHOULD</bcp14> generate such signatures with a deterministically generated, non-random k in accordance with all the requirements specified in <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="RFC6979" format="default"/>.
                <-- Sections 7.2 and 7.3 of 
                  <xref target="X9.62"/> or with all the requirements specified in Section 
                  4.1.3 of <xref target="SEC1"/>. -->
                They
                MAY <bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">MAY</bcp14> also generate such signatures in accordance with all other recommendations in <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="X9.62" format="default"/> or <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="SEC1" format="default"/> if they have a stated policy that requires conformance to those standards. Those standards have not specified SHAKE128 and SHAKE256 as hash algorithm options. However, SHAKE128 and SHAKE256 with output length being 32 and 64 octets, respectively, can be used instead of 256 and 512-bit output hash algorithms such as SHA256 and SHA512.
              • </t>
            • <-- <t>In Section 3.2 "Generation of k" of <xref target="RFC6979"/>, HMAC is used to derive 
                the deterministic k. Conforming implementations that generate deterministic 
                ECDSA with SHAKE signatures in X.509 
              MUST <bcp14>MUST</bcp14>  use KMAC with SHAKE128 or KMAC with 
                SHAKE256 as specfied in <xref target="SP800-185"/> when SHAKE128 or SHAKE256 is 
                used as the message hashing algorithm, respectively. In this situation, KMAC with 
                SHAKE128 and KMAC with SHAKE256 have 256-bit and 512-bit outputs respectively, 
                and the optional customization bit string S is an empty string.</t> -->
            • </section>
          • </section>
        • <section numbered="true" toc="default">
          • <name>
            • Public Keys
            • </name>
          • <t>
            • Certificates conforming to <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="RFC5280" format="default"/> can convey a public key for any public key algorithm. The certificate indicates the public key algorithm through an algorithm identifier. This algorithm identifier is an OID and optionally associated parameters. The conventions and encoding for RSASSA-PSS and ECDSA
              <-- and EdDSA -->
              public keys algorithm identifiers are as specified in
              Section 2.3.1 Sections <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="RFC3279" sectionFormat="of" section="2.3.1"/> and 2.3.5 of <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="RFC3279" format="default"/>, Section 3.1 of sectionFormat="of" section="2.3.5"/>, <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="RFC4055" format="default"/> sectionFormat="of" section="3.1"/>, and Section 2.1 of <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="RFC5480" sectionFormat="of" section="2.1"/>. format="default"/>.
              <-- and <xref target="I-D.josefsson-pkix-eddsa"/>-->
            • </t>
          • <t>
            • Traditionally, the rsaEncryption object identifier is used to identify RSA public keys. The rsaEncryption object identifier continues to identify the subject public key when the RSA private key owner does not wish to limit the use of the public key exclusively to RSASSA-PSS with SHAKEs. When the RSA private key owner wishes to limit the use of the public key exclusively to RSASSA-PSS with SHAKEs, the AlgorithmIdentifiers for RSASSA-PSS defined in <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="oids" format="default"/> SHOULD <bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">SHOULD</bcp14> be used as the algorithm field in the SubjectPublicKeyInfo sequence <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="RFC5280" format="default"/>. Conforming client implementations that process RSASSA-PSS with SHAKE public keys when processing certificates and CRLs MUST <bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">MUST</bcp14> recognize the corresponding OIDs.
            • </t>
          • <t>
            • Conforming CA implementations MUST <bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">MUST</bcp14> specify the X.509 public key algorithm explicitly by using the OIDs specified in <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="oids" format="default"/> when encoding ECDSA with SHAKE public keys in certificates and CRLs. Conforming client implementations that process ECDSA with SHAKE public keys when processing certificates and CRLs MUST <bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">MUST</bcp14> recognize the corresponding OIDs.
            • </t>
          • <t>
            • The identifier parameters, as explained in <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="oids" format="default"/>, MUST <bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">MUST</bcp14> be absent.
            • </t>
          • </section>
        • </section>
      • <section anchor="IANA" numbered="true" toc="default">
        • <name>
          • IANA Considerations
          • </name>
        • <t>
          • One object identifier for the ASN.1 module in <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="asn" format="default"/> is requested for the SMI Security for PKIX Module Identifiers (1.3.6.1.5.5.7.0) registry:
          • </t>
        • <table align="center" "left" >
          • <thead>
            • <tr>
              • <th align="center" "left" >
                • Decimal
                • </th>
              • <th align="center" "left" >
                • Description
                • </th>
              • <th align="center" "left" >
                • References
                • </th>
              • </tr>
            • </thead>
          • <tbody>
            • <tr>
              • <td align="center" "left" >
                • TBD
                • </td>
              • <td align="center" "left" >
                • id-mod-pkix1-shakes-2019
                • </td>
              • <td align="center" "left" >
                • [EDNOTE: THIS RFC] RFC 9999
                • </td>
              • </tr>
            • </tbody>
          • </table>
        • <t>
          • IANA is requested to update the SMI Security for PKIX Algorithms <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="SMI-PKIX" format="default"/> (1.3.6.1.5.5.7.6) registry with four additional entries:
          • </t>
        • <table align="center" "left" >
          • <thead>
            • <tr>
              • <th align="center" "left" >
                • Decimal
                • </th>
              • <th align="center" "left" >
                • Description
                • </th>
              • <th align="center" "left" >
                • References
                • </th>
              • </tr>
            • </thead>
          • <tbody>
            • <tr>
              • <td align="center" "left" >
                • TBD1
                • </td>
              • <td align="center" "left" >
                • id-RSASSA-PSS-SHAKE128
                • </td>
              • <td align="center" "left" >
                • [EDNOTE: THIS RFC] RFC 9999
                • </td>
              • </tr>
            • <tr>
              • <td align="center" "left" >
                • TBD2
                • </td>
              • <td align="center" "left" >
                • id-RSASSA-PSS-SHAKE256
                • </td>
              • <td align="center" "left" >
                • [EDNOTE: THIS RFC] RFC 9999
                • </td>
              • </tr>
            • <tr>
              • <td align="center" "left" >
                • TBD3
                • </td>
              • <td align="center" "left" >
                • id-ecdsa-with-shake128
                • </td>
              • <td align="center" "left" >
                • [EDNOTE: THIS RFC] RFC 9999
                • </td>
              • </tr>
            • <tr>
              • <td align="center" "left" >
                • TBD4
                • </td>
              • <td align="center" "left" >
                • id-ecdsa-with-shake256
                • </td>
              • <td align="center" "left" >
                • [EDNOTE: THIS RFC] RFC 9999
                • </td>
              • </tr>
            • </tbody>
          • </table>
        • <t>
          • IANA is also requested to update the Hash Function Textual Names Registry <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="Hash-Texts" format="default"/> with two additional entries for SHAKE128 and SHAKE256:
          • </t>
        • <table align="center" "left" >
          • <thead>
            • <tr>
              • <th align="center" "left" >
                • Hash Function Name
                • </th>
              • <th align="center" "left" >
                • OID
                • </th>
              • <th align="center" "left" >
                • Reference
                • </th>
              • </tr>
            • </thead>
          • <tbody>
            • <tr>
              • <td align="center" "left" >
                • shake128
                • </td>
              • <td align="center" "left" >
                • 2.16.840.1.101.3.4.2.11
                • </td>
              • <td align="center" "left" >
                • [EDNOTE: THIS RFC] RFC 9999
                • </td>
              • </tr>
            • <tr>
              • <td align="center" "left" >
                • shake256
                • </td>
              • <td align="center" "left" >
                • 2.16.840.1.101.3.4.2.12
                • </td>
              • <td align="center" "left" >
                • [EDNOTE: THIS RFC] RFC 9999
                • </td>
              • </tr>
            • </tbody>
          • </table>
        • </section>
      • <section anchor="Security" numbered="true" toc="default">
        • <name>
          • Security Considerations
          • </name>
        • <t>
          • This document updates <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="RFC3279" format="default"/>. The security considerations section of that document applies to this specification as well.
          • </t>
        • <t>
          • NIST has defined appropriate use of the hash functions in terms of the algorithm strengths and expected time frames for secure use in Special Publications (SPs) <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="SP800-78-4" format="default"/> and <xref xmlns:xi="http://www.w3.org/2001/XInclude" target="SP800-107" format="default"/>. These documents can be used as guides to choose appropriate key sizes for various security scenarios.
          • </t>
        • <-- <t>The SHAKEs are deterministic functions. Like any other deterministic function, 
            executing multiple times with the same input will produce the 
            same output. Therefore, users should not expect unrelated outputs (with the 
            same or different output lengths) from running a SHAKE function with the 
            same input multiple times. The shorter of any two outputs produced from a 
            SHAKE with the same input is a prefix of the longer one. It is a similar 
            situation as truncating a 512-bit output of SHA-512 by taking its 256 
            left-most bits. These 256 left-most bits are a prefix of the 512-bit output.</t> -->
        • <-- <t>Implementations must protect the signer's private key. Compromise of
                the signer's private key permits masquerade attacks.</t> -->
        • <-- <t>Implementations must randomly generate one-time values, such as the k value when generating a ECDSA
                signature. In addition, the generation of public/private key pairs
                relies on random numbers. The use of inadequate pseudo-random
                number generators (PRNGs) to generate such cryptographic values can
                result in little or no security. The generation of quality random
                numbers is difficult. <xref target="RFC4086"/> offers important guidance 
            in this area, and <xref target="SP800-90A"/> series provide acceptable 
                PRNGs.</t> -->
        • <-- <t>Implementers should be aware that cryptographic algorithms may 
            become weaker with time. As new cryptanalysis techniques are developed 
            and computing power increases, the work factor or time required to break a 
            particular cryptographic algorithm may decrease. Therefore, cryptographic
                algorithm implementations should be modular allowing new algorithms
                to be readily inserted. That is, implementers should be prepared to
                regularly update the set of algorithms in their implementations.</t> -->
        • <t>
          • SHAKE128 with output length of 256-bits offers 128-bits of collision and preimage resistance. Thus, SHAKE128 OIDs in this specification are RECOMMENDED <bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">RECOMMENDED</bcp14> with 2048 (112-bit security) or 3072-bit (128-bit security) RSA modulus or curves with group order of 256-bits (128-bit security). SHAKE256 with 512-bits output length offers 256-bits of collision and preimage resistance. Thus, the SHAKE256 OIDs in this specification are RECOMMENDED <bcp14 xmlns:xi="http://www.w3.org/2001/XInclude">RECOMMENDED</bcp14> with 4096-bit RSA modulus or higher or curves with group order of at least 512 bits such as NIST Curve P-521 (256-bit security). Note that we recommended 4096-bit RSA because we would need 15360-bit modulus for 256-bits of security which is impractical for today's technology.
          • </t>
        • </section>
      • <-- Possibly a 'Contributors' section ... -->
      • <section anchor="Acknowledgements" numbered="true" toc="default">
        • <name>
          • Acknowledgements
          • </name>
        • <t>
          • We would like to thank Sean Turner, Jim Schaad and Eric Rescorla for their valuable contributions to this document.
          • </t>
        • <t>
          • The authors would like to thank Russ Housley for his guidance and very valuable contributions with the ASN.1 module.
          • </t>
        • </section>
      • </middle>
    • <--  *****BACK MATTER ***** -->
    • <back>
      • <-- References split into informative and normative -->
      • <-- There are 2 ways to insert reference entries from the citation libraries:
             1. define an ENTITY at the top, and use "ampersand character"RFC2629; here (as shown)
             2. simply use a PI "less than character"?rfc include="reference.RFC.2119.xml"?> here
                (for I-Ds: include="reference.I-D.narten-iana-considerations-rfc2434bis.xml")

             Both are cited textually in the same manner: by using xref elements.
             If you use the PI option, xml2rfc will, by default, try to find included files in the same
             directory as the including file. You can also define the XML_LIBRARY environment variable
             with a value containing a set of directories to search.  These can be either in the local
             filing system or remote ones accessed by http (http://domain/dir/... ).-->
      • <references>
        • <name>
          • References
          • </name>
        • <references>
          • <name>
            • Normative References
            • </name>
          • <--?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"?-->
          • <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
            • <front>
              • <title>
                • Key words for use in RFCs to Indicate Requirement Levels
                • </title>
              • <seriesInfo name="DOI" value="10.17487/RFC2119"/>
              • <seriesInfo name="RFC" value="2119"/>
              • <seriesInfo name="BCP" value="14"/>
              • <author initials="S." surname="Bradner" fullname="S. Bradner">
                • <organization/>
                • </author>
              • <date year="1997" month="March"/>
              • <abstract>
                • <t>
                  • In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.
                  • </t>
                • </abstract>
              • </front>
            • <seriesInfo name="BCP" value="14"/>
            • <seriesInfo name="RFC" value="2119"/>
            • <seriesInfo name="DOI" value="10.17487/RFC2119"/>
            • </reference>
          • <reference anchor="RFC3279" target="https://www.rfc-editor.org/info/rfc3279" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3279.xml">
            • <reference anchor="RFC3279" target="https://www.rfc-editor.org/info/rfc3279" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3279.xml">
              • <front>
                • <title>
                  • Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
                  • </title>
                • <seriesInfo name="DOI" value="10.17487/RFC3279"/>
                • <seriesInfo name="RFC" value="3279"/>
                • <author initials="L." surname="Bassham" fullname="L. Bassham">
                  • <organization/>
                  • </author>
                • <author initials="W." surname="Polk" fullname="W. Polk">
                  • <organization/>
                  • </author>
                • <author initials="R." surname="Housley" fullname="R. Housley">
                  • <organization/>
                  • </author>
                • <date year="2002" month="April"/>
                • <abstract>
                  • <t>
                    • This document specifies algorithm identifiers and ASN.1 encoding formats for digital signatures and subject public keys used in the Internet X.509 Public Key Infrastructure (PKI). Digital signatures are used to sign certificates and certificate revocation list (CRLs). Certificates include the public key of the named subject. [STANDARDS-TRACK]
                    • </t>
                  • </abstract>
                • </front>
              • </reference>
            • </reference>
          • <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
            • <front>
              • <title>
                • Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words
                • </title>
              • <seriesInfo name="DOI" value="10.17487/RFC8174"/>
              • <seriesInfo name="RFC" value="8174" "3279" />
              • <seriesInfo name="BCP" "DOI" value="14" "10.17487/RFC3279" />
              • <author initials="B." surname="Leiba" fullname="B. Leiba">
                • <organization/>
                • </author>
              • <date year="2017" month="May"/>
              • <abstract>
                • <t>
                  • RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.
                  • </t>
                • </abstract>
              • </front>
            • </reference>
          • <-- &RFC3280; -->
          • <reference anchor="RFC4055" target="https://www.rfc-editor.org/info/rfc4055" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4055.xml">
            • <front>
              • <title>
                • Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
                • </title>
              • <seriesInfo name="DOI" value="10.17487/RFC4055"/>
              • <seriesInfo name="RFC" value="4055"/>
              • <author initials="J." surname="Schaad" fullname="J. Schaad">
                • <organization/>
                • </author>
              • <author initials="B." surname="Kaliski" fullname="B. Kaliski">
                • <organization/>
                • </author>
              • <author initials="R." surname="Housley" fullname="R. Housley">
                • <organization/>
                • </author>
              • <date year="2005" month="June"/>
              • <abstract>
                • <t>
                  • This document supplements RFC 3279. It describes the conventions for using the RSA Probabilistic Signature Scheme (RSASSA-PSS) signature algorithm, the RSA Encryption Scheme - Optimal Asymmetric Encryption Padding (RSAES-OAEP) key transport algorithm and additional one-way hash functions with the Public-Key Cryptography Standards (PKCS) #1 version 1.5 signature algorithm in the Internet X.509 Public Key Infrastructure (PKI). Encoding formats, algorithm identifiers, and parameter formats are specified. [STANDARDS-TRACK]
                  • </t>
                • </abstract>
              • </front>
            • <seriesInfo name="RFC" value="4055"/>
            • <seriesInfo name="DOI" value="10.17487/RFC4055"/>
            • </reference>
          • <reference anchor="RFC5280" target="https://www.rfc-editor.org/info/rfc5280" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml">
            • <front>
              • <title>
                • Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
                • </title>
              • <seriesInfo name="DOI" value="10.17487/RFC5280"/>
              • <seriesInfo name="RFC" value="5280"/>
              • <author initials="D." surname="Cooper" fullname="D. Cooper">
                • <organization/>
                • </author>
              • <author initials="S." surname="Santesson" fullname="S. Santesson">
                • <organization/>
                • </author>
              • <author initials="S." surname="Farrell" fullname="S. Farrell">
                • <organization/>
                • </author>
              • <author initials="S." surname="Boeyen" fullname="S. Boeyen">
                • <organization/>
                • </author>
              • <author initials="R." surname="Housley" fullname="R. Housley">
                • <organization/>
                • </author>
              • <author initials="W." surname="Polk" fullname="W. Polk">
                • <organization/>
                • </author>
              • <date year="2008" month="May"/>
              • <abstract>
                • <t>
                  • This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]
                  • </t>
                • </abstract>
              • </front>
            • <seriesInfo name="RFC" value="5280"/>
            • <seriesInfo name="DOI" value="10.17487/RFC5280"/>
            • </reference>
          • <reference anchor="RFC5480" target="https://www.rfc-editor.org/info/rfc5480" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5480.xml">
            • <front>
              • <title>
                • Elliptic Curve Cryptography Subject Public Key Information
                • </title>
              • <seriesInfo name="DOI" value="10.17487/RFC5480"/>
              • <seriesInfo name="RFC" value="5480"/>
              • <author initials="S." surname="Turner" fullname="S. Turner">
                • <organization/>
                • </author>
              • <author initials="D." surname="Brown" fullname="D. Brown">
                • <organization/>
                • </author>
              • <author initials="K." surname="Yiu" fullname="K. Yiu">
                • <organization/>
                • </author>
              • <author initials="R." surname="Housley" fullname="R. Housley">
                • <organization/>
                • </author>
              • <author initials="T." surname="Polk" fullname="T. Polk">
                • <organization/>
                • </author>
              • <date year="2009" month="March"/>
              • <abstract>
                • <t>
                  • This document specifies the syntax and semantics for the Subject Public Key Information field in certificates that support Elliptic Curve Cryptography. This document updates Sections 2.3.5 and 5, and the ASN.1 module of "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3279. [STANDARDS-TRACK]
                  • </t>
                • </abstract>
              • </front>
            • <seriesInfo name="RFC" value="5480"/>
            • <seriesInfo name="DOI" value="10.17487/RFC5480"/>
            • </reference>
          • <reference anchor="RFC8017" target="https://www.rfc-editor.org/info/rfc8017" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8017.xml">
            • <front>
              • <title>
                • PKCS #1: RSA Cryptography Specifications Version 2.2
                • </title>
              • <seriesInfo name="DOI" value="10.17487/RFC8017"/>
              • <seriesInfo name="RFC" value="8017"/>
              • <author initials="K." surname="Moriarty" fullname="K. Moriarty" role="editor">
                • <organization/>
                • </author>
              • <author initials="B." surname="Kaliski" fullname="B. Kaliski">
                • <organization/>
                • </author>
              • <author initials="J." surname="Jonsson" fullname="J. Jonsson">
                • <organization/>
                • </author>
              • <author initials="A." surname="Rusch" fullname="A. Rusch">
                • <organization/>
                • </author>
              • <date year="2016" month="November"/>
              • <abstract>
                • <t>
                  • This document provides recommendations for the implementation of public-key cryptography based on the RSA algorithm, covering cryptographic primitives, encryption schemes, signature schemes with appendix, and ASN.1 syntax for representing keys and for identifying the schemes.
                  • </t>
                • <t>
                  • This document represents a republication of PKCS #1 v2.2 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series. By publishing this RFC, change control is transferred to the IETF.
                  • </t>
                • <t>
                  • This document also obsoletes RFC 3447.
                  • </t>
                • </abstract>
              • </front>
            • <seriesInfo name="RFC" value="8017"/>
            • <seriesInfo name="DOI" value="10.17487/RFC8017"/>
            • </reference>
          • <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
            • <front>
              • <title>
                • Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words
                • </title>
              • <author initials="B." surname="Leiba" fullname="B. Leiba">
                • <organization/>
                • </author>
              • <date year="2017" month="May"/>
              • <abstract>
                • <t>
                  • RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.
                  • </t>
                • </abstract>
              • </front>
            • <seriesInfo name="BCP" value="14"/>
            • <seriesInfo name="RFC" value="8174"/>
            • <seriesInfo name="DOI" value="10.17487/RFC8174"/>
            • </reference>
          • <-- RFC8017 is Informational draft but we are keeping it in the Normative References even though idnits complains because we need a normative reference for RSASSA-PSS. RFC4056 does the same thing with RSASS-PSS v2.1 -->
          • <-- <?rfc include="http://xml2rfc.tools.ietf.org/public/rfc/bibxml-ids/reference.I-D.draft-josefsson-pkix-eddsa-04.xml"?> -->
          • <reference anchor="SHA3" target="https://www.nist.gov/publications/sha-3-standard-permutation-based-hash-and-extendable-output-functions">
            • <front>
              • <title>
                • SHA-3 Standard - Permutation-Based Hash and Extendable-Output Functions FIPS PUB 202
                • </title>
              • <author>
                • <organization>
                  • National Institute of Standards and Technology (NIST)
                  • </organization>
                • </author>
              • <date month="August" year="2015"/>
              • </front>
            • </reference>
          • </references>
        • <references>
          • <name>
            • Informative References
            • </name>
          • <-- Here we use entities that we defined at the beginning. -->
          • <--&RFC2629; -->
          • <reference anchor="RFC5912" target="https://www.rfc-editor.org/info/rfc5912" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5912.xml">
            • <front>
              • <title>
                • New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)
                • </title>
              • <seriesInfo name="DOI" value="10.17487/RFC5912"/>
              • <seriesInfo name="RFC" value="5912"/>
              • <author initials="P." surname="Hoffman" fullname="P. Hoffman">
                • <organization/>
                • </author>
              • <author initials="J." surname="Schaad" fullname="J. Schaad">
                • <organization/>
                • </author>
              • <date year="2010" month="June"/>
              • <abstract>
                • <t>
                  • The Public Key Infrastructure using X.509 (PKIX) certificate format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes.
                  • </t>
                • </abstract>
              • </front>
            • <seriesInfo name="RFC" value="5912"/>
            • <seriesInfo name="DOI" value="10.17487/RFC5912"/>
            • </reference>
          • <reference anchor="RFC6979" target="https://www.rfc-editor.org/info/rfc6979" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6979.xml">
            • <front>
              • <title>
                • Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)
                • </title>
              • <seriesInfo name="DOI" value="10.17487/RFC6979"/>
              • <seriesInfo name="RFC" value="6979"/>
              • <author initials="T." surname="Pornin" fullname="T. Pornin">
                • <organization/>
                • </author>
              • <date year="2013" month="August"/>
              • <abstract>
                • <t>
                  • This document defines a deterministic digital signature generation procedure. Such signatures are compatible with standard Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) digital signatures and can be processed with unmodified verifiers, which need not be aware of the procedure described therein. Deterministic signatures retain the cryptographic security features associated with digital signatures but can be more easily implemented in various environments, since they do not need access to a source of high-quality randomness.
                  • </t>
                • </abstract>
              • </front>
            • <seriesInfo name="RFC" value="6979"/>
            • <seriesInfo name="DOI" value="10.17487/RFC6979"/>
            • </reference>
          • <-- &RFC4086; -->
          • <--<reference anchor="shake-nist-oids" target="https://csrc.nist.gov/Projects/Computer-Security-Objects-Register/Algorithm-Registration">
                    <front>
                      <title>Computer Security Objects Register</title>
                      <author>
                        <organization>National Institute of Standards and Technology</organization>
                      </author>
                      <date month="October" year="2017" />
                    </front>
                  </reference> -->
          • <reference anchor="SEC1" target="http://www.secg.org/sec1-v2.pdf">
            • <front>
              • <title>
                • SEC 1: Elliptic Curve Cryptography
                • </title>
              • <author>
                • <organization>
                  • Standards for Efficient Cryptography Group
                  • </organization>
                • </author>
              • <date month="May" year="2009"/>
              • </front>
            • </reference>
          • <reference anchor="X9.62">
            • <front>
              • <title>
                • X9.62-2005: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Standard (ECDSA)
                • </title>
              • <author>
                • <organization>
                  • American National Standard for Financial Services (ANSI)
                  • </organization>
                • </author>
              • <date month="November" year="2005"/>
              • </front>
            • </reference>
          • <reference anchor="SP800-78-4" target="https://csrc.nist.gov/csrc/media/publications/sp/800-78/4/final/documents/sp800_78-4_revised_draft.pdf">
            • <front>
              • <title>
                • SP800-78-4: Cryptographic Algorithms and Key Sizes for Personal Identity Verification
                • </title>
              • <author>
                • <organization>
                  • National Institute of Standards and Technology (NIST)
                  • </organization>
                • </author>
              • <date month="May" year="2014"/>
              • </front>
            • </reference>
          • <reference anchor="SMI-PKIX" target="https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.6">
            • <front>
              • <title>
                • SMI Security for PKIX Algorithms
                • </title>
              • <author>
                • <organization>
                  • IANA
                  • </organization>
                • </author>
              • <date month="March" year="2019"/>
              • </front>
            • </reference>
          • <reference anchor="Hash-Texts" target="https://www.iana.org/assignments/hash-function-text-names/hash-function-text-names.xhtml">
            • <front>
              • <title>
                • Hash Function Textual Names
                • </title>
              • <author>
                • <organization>
                  • IANA
                  • </organization>
                • </author>
              • <date month="July" year="2017"/>
              • </front>
            • </reference>
          • <reference anchor="SP800-107" target="https://csrc.nist.gov/csrc/media/publications/sp/800-107/rev-1/final/documents/draft_revised_sp800-107.pdf">
            • <front>
              • <title>
                • SP800-107: Recommendation for Applications Using Approved Hash Algorithms
                • </title>
              • <author>
                • <organization>
                  • National Institute of Standards and Technology (NIST)
                  • </organization>
                • </author>
              • <date month="May" year="2014"/>
              • </front>
            • </reference>
          • <-- <reference anchor="SP800-90A" target="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf">
                    <front>
                      <title>Recommendation for Random Number Generation Using Deterministic Random Bit Generators. NIST SP 800-90A</title>
                      <author>
                        <organization>National Institute of Standards and Technology</organization>
                      </author>
                      <date month="June" year="2015" />
                    </front>
                  </reference> -->
          • <-- <reference anchor="SP800-185" target="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf">
                    <front>
                      <title>SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash. NIST SP 800-185</title>
                      <author>
                        <organization>National Institute of Standards and Technology</organization>
                      </author>
                      <date month="December" year="2016" />
                    </front>
                  </reference> -->
          • </references>
        • </references>
      • <section anchor="asn" numbered="true" toc="default">
        • <name>
          • ASN.1 module
          • </name>
        • <t>
          • This appendix includes the ASN.1 module for SHAKEs in X.509. This module does not come from any existing RFC.
          • </t>
        • <artwork name="" type="" align="left" alt="">
          • <sourcecode type="asn.1">
            •  
               
                    PKIXAlgsForSHAKE-2019 { iso(1) identified-organization(3) dod(6) 
                    internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 
                    id-mod-pkix1-shakes-2019(TBD) }  

                  DEFINITIONS EXPLICIT TAGS ::=

                  BEGIN

              =      BEGIN       -- EXPORTS ALL;  

                  IMPORTS  

                  -- FROM [RFC5912]  

                  PUBLIC-KEY, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM, SMIME-CAPS 
                  FROM AlgorithmInformation-2009 
                    { iso(1) identified-organization(3) dod(6) internet(1) security(5) 
                      mechanisms(5) pkix(7) id-mod(0) 
                      id-mod-algorithmInformation-02(58) }  

                  -- FROM [RFC5912]  

                  RSAPublicKey, rsaEncryption, pk-rsa, pk-ec, 
                  CURVE, id-ecPublicKey, ECPoint, ECParameters, ECDSA-Sig-Value 
                  FROM PKIXAlgs-2009 { iso(1) identified-organization(3) dod(6) 
                       internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 
                       id-mod-pkix1-algorithms2008-02(56) } 
                 ;  

                  -- 
                  -- Message Digest Algorithms (mda-) 
                  -- 
                  DigestAlgorithms DIGEST-ALGORITHM ::= { 
                    -- This expands DigestAlgorithms from [RFC5912] 
                    mda-shake128   | 
                    mda-shake256, 
                    ... 
                  }  

                  -- 
                  -- One-Way Hash Functions 
                  --  

                  -- SHAKE128 
                  mda-shake128 DIGEST-ALGORITHM ::= { 
                    IDENTIFIER id-shake128  -- with output length 32 bytes. 
                  } 
                  id-shake128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) 
                                                      us(840) organization(1) gov(101) 
                                                      csor(3) nistAlgorithm(4) 
                                                      hashAlgs(2) 11 }  

                  -- SHAKE256 
                  mda-shake256 DIGEST-ALGORITHM ::= { 
                    IDENTIFIER id-shake256  -- with output length 64 bytes. 
                  } 
                  id-shake256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) 
                                                      us(840) organization(1) gov(101) 
                                                      csor(3) nistAlgorithm(4) 
                                                      hashAlgs(2) 12 }  

                  -- 
                  -- Public Key (pk-) Algorithms 
                  -- 
                  PublicKeys PUBLIC-KEY ::= { 
                    -- This expands PublicKeys from [RFC5912] 
                    pk-rsaSSA-PSS-SHAKE128 | 
                    pk-rsaSSA-PSS-SHAKE256, 
                    ... 
                  }  

                  -- The hashAlgorithm is mda-shake128 
                  -- The maskGenAlgorithm is id-shake128 
                  -- Mask Gen Algorithm is SHAKE128 with output length 
                  -- (8*ceil((n-1)/8) - 264) bits, where n is the RSA    
                  -- modulus in bits. 
                  -- The saltLength is 32. The trailerField is 1. 
                  pk-rsaSSA-PSS-SHAKE128 PUBLIC-KEY ::= { 
                    IDENTIFIER id-RSASSA-PSS-SHAKE128 
                    KEY RSAPublicKey 
                    PARAMS ARE absent 
                    -- Private key format not in this module -- 
                    CERT-KEY-USAGE { nonRepudiation, digitalSignature, 
                                     keyCertSign, cRLSign } 
                  }  

                  -- The hashAlgorithm is mda-shake256 
                  -- The maskGenAlgorithm is id-shake256 
                  -- Mask Gen Algorithm is SHAKE256 with output length 
                  -- (8*ceil((n-1)/8) - 520)-bits, where n is the RSA    
                  -- modulus in bits. 
                  -- The saltLength is 64. The trailerField is 1. 
                  pk-rsaSSA-PSS-SHAKE256 PUBLIC-KEY ::= { 
                    IDENTIFIER id-RSASSA-PSS-SHAKE256 
                    KEY RSAPublicKey 
                    PARAMS ARE absent 
                    -- Private key format not in this module -- 
                    CERT-KEY-USAGE { nonRepudiation, digitalSignature, 
                                     keyCertSign, cRLSign } 
                  }  

                  -- 
                  -- Signature Algorithms (sa-) 
                  -- 
                  SignatureAlgs SIGNATURE-ALGORITHM ::= { 
                    -- This expands SignatureAlgorithms from [RFC5912] 
                    sa-rsassapssWithSHAKE128 | 
                    sa-rsassapssWithSHAKE256 | 
                    sa-ecdsaWithSHAKE128 | 
                    sa-ecdsaWithSHAKE256, 
                    ... 
                  }  

                  -- 
                  -- SMIME Capabilities (sa-) 
                  -- 
                  SMimeCaps SMIME-CAPS ::= { 
                    -- The expands SMimeCaps from [RFC5912] 
                    sa-rsassapssWithSHAKE128.&smimeCaps | 
                    sa-rsassapssWithSHAKE256.&smimeCaps | 
                    sa-ecdsaWithSHAKE128.&smimeCaps | 
                    sa-ecdsaWithSHAKE256.&smimeCaps, 
                    ... 
                  }  

                  -- RSASSA-PSS with SHAKE128 
                  sa-rsassapssWithSHAKE128 SIGNATURE-ALGORITHM ::= { 
                    IDENTIFIER id-RSASSA-PSS-SHAKE128 
                    PARAMS ARE absent 
                        -- The hashAlgorithm is mda-shake128 
                        -- The maskGenAlgorithm is id-shake128 
                        -- Mask Gen Algorithm is SHAKE128 with output length 
                        -- (8*ceil((n-1)/8) - 264) bits, where n is the RSA    
                        -- modulus in bits. 
                        -- The saltLength is 32. The trailerField is 1 
                    HASHES { mda-shake128 } 
                    PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS-SHAKE128 } 
                    SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS-SHAKE128 } 
                  } 
                  id-RSASSA-PSS-SHAKE128  OBJECT IDENTIFIER  ::=  { iso(1)    
                          identified-organization(3) dod(6) internet(1)    
                          security(5) mechanisms(5) pkix(7) algorithms(6) 
                          TBD1 }  

                  -- RSASSA-PSS with SHAKE256 
                  sa-rsassapssWithSHAKE256 SIGNATURE-ALGORITHM ::= { 
                    IDENTIFIER id-RSASSA-PSS-SHAKE256 
                    PARAMS ARE absent 
                        -- The hashAlgorithm is mda-shake256 
                        -- The maskGenAlgorithm is id-shake256 
                        -- Mask Gen Algorithm is SHAKE256 with output length 
                        -- (8*ceil((n-1)/8) - 520)-bits, where n is the    
                        -- RSA modulus in bits. 
                        -- The saltLength is 64. The trailerField is 1. 
                   HASHES { mda-shake256 } 
                   PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS-SHAKE256 } 
                   SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS-SHAKE256 } 
                  } 
                  id-RSASSA-PSS-SHAKE256  OBJECT IDENTIFIER  ::=  { iso(1)    
                          identified-organization(3) dod(6) internet(1)    
                          security(5) mechanisms(5) pkix(7) algorithms(6) 
                          TBD2 }  

                  -- ECDSA with SHAKE128 
                  sa-ecdsaWithSHAKE128 SIGNATURE-ALGORITHM ::= { 
                    IDENTIFIER id-ecdsa-with-shake128 
                    VALUE ECDSA-Sig-Value 
                    PARAMS ARE absent 
                    HASHES { mda-shake128 } 
                    PUBLIC-KEYS { pk-ec } 
                    SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-shake128 } 
                  } 
                  id-ecdsa-with-shake128 OBJECT IDENTIFIER  ::=  { iso(1)    
                          identified-organization(3) dod(6) internet(1)    
                          security(5) mechanisms(5) pkix(7) algorithms(6) 
                          TBD3 }     

                  -- ECDSA with SHAKE256 
                  sa-ecdsaWithSHAKE256 SIGNATURE-ALGORITHM ::= { 
                    IDENTIFIER id-ecdsa-with-shake256 
                    VALUE ECDSA-Sig-Value 
                    PARAMS ARE absent 
                    HASHES { mda-shake256 } 
                    PUBLIC-KEYS { pk-ec } 
                    SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-shake256 } 
                  } 
                  id-ecdsa-with-shake256 OBJECT IDENTIFIER  ::=  { iso(1)    
                          identified-organization(3) dod(6) internet(1)    
                          security(5) mechanisms(5) pkix(7) algorithms(6) 
                          TBD4 }  

                  END 
            • </sourcecode>
          • </artwork>
        • </section>
      • </back>
    • </rfc>
1<?xml version='1.0' encoding='utf-8'?>
2
3<rfc number="9999" consensus="true" xmlns:xi="http://www.w3.org/2001/XInclude" category="std"
4     ipr="trust200902" updates="3279"
5     obsoletes="" submissionType="IETF" xml:lang="en" tocInclude="true"
6     symRefs="true" sortRefs="true" version="3">
7
8  <!-- ***** FRONT MATTER ***** -->
9  <front>
10
11    <title abbrev="SHAKE identifiers in X.509">Internet X.509 Public Key Infrastructure: Additional Algorithm Identifiers for RSASSA-PSS and ECDSA using SHAKEs</title>
12
13    <seriesInfo name="RFC" value="9999"/>
14
15    <author fullname="Panos Kampanakis" initials="P.K." surname="Kampanakis">
16      <organization>Cisco Systems</organization>
17      <address>
18        <email>pkampana@cisco.com</email>
19      </address>
20    </author>
21    <author fullname="Quynh Dang" initials="Q.D." surname="Dang">
22      <organization>NIST</organization>
23      <address>
24        <postal>
25          <street>100 Bureau Drive, Stop 8930</street>
26          <city>Gaithersburg</city>
27          <region>MD</region>
28          <code>20899-8930</code>
29          <country>USA</country>
30        </postal>
31
32        <email>quynh.dang@nist.gov</email>
33
34      </address>
35    </author>
36
37    <date month="August" year="2019"/>
38
39    <area>General</area>
40    <workgroup>LAMPS WG</workgroup>
41
42    <abstract>
43      <t>Digital signatures are used to sign messages, X.509 
44   certificates and CRLs. This document updates the 
45   "Algorithms and Identifiers for the Internet 
46   X.509 Public Key Infrastructure Certificate and 
47   Certificate Revocation List Profile" (RFC3279)
48   and describes the conventions for using the SHAKE function 
49   family in Internet X.509 certificates and revocation lists 
50   as one-way hash functions with the RSA Probabilistic signature 
51   and ECDSA signature algorithms. The conventions for the 
52   associated subject public keys are also described.</t>
53    </abstract>
54  </front>
55  <middle>
56
57
58    <section numbered="true" toc="default">
59      <name>Introduction</name>
60      <t><xref target="RFC3279" format="default"/> defines cryptographic algorithm 
61   identifiers for the Internet X.509 Certificate and Certificate Revocation 
62   Lists (CRL) profile <xref target="RFC5280" format="default"/>. This document updates RFC3279 
63   and defines identifiers for several cryptographic algorithms that use 
64   variable length output SHAKE functions introduced in <xref target="SHA3" format="default"/> 
65   which can be used with . </t>
66      <t>In the SHA-3 family, two extendable-output functions (SHAKEs),  
67   SHAKE128 and SHAKE256, are defined. Four other hash function instances, SHA3-224, SHA3-256, 
68   SHA3-384, and SHA3-512, are also defined but are out of scope for this document. 
69   A SHAKE is a variable length hash function defined as SHAKE(M, d) where the 
70   output is a d-bits-long digest of message M. The corresponding collision and  second-preimage-resistance strengths for SHAKE128 are min(d/2,128) and min(d,128) 
71   bits, respectively (Appendix A.1 <xref target="SHA3" format="default"/>). 
72   And the corresponding collision and second-preimage-resistance strengths for SHAKE256 
73   are min(d/2,256) and min(d,256) bits, respectively.</t>
74      <t>A SHAKE can be used as the message digest function (to hash the message to be signed) 
75   in RSASSA-PSS <xref target="RFC8017" format="default"/> and ECDSA <xref target="X9.62" format="default"/> 
76      and as the hash in the mask generation function (MGF) in RSASSA-PSS. 
77</t>
78    </section>
79
80    <section anchor="terminology" numbered="true" toc="default">
81      <name>Terminology</name>
82
83        <t>
84    The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
85    "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>",
86    "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
87    "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
88    "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be
89    interpreted as described in BCP 14 <xref target="RFC2119"/> <xref
90    target="RFC8174"/> when, and only when, they appear in all capitals, as
91    shown here.
92        </t>
93
94
95    </section>
96
97<!-- [rfced] Please review the type attribute of each sourcecode
98element in this XML file. In particular, what type should be used
99for the sourcecode elements in Sections 3 and 4.1? Should these be
100type="asn.1" or something else? Or should these be tagged as artwork rather
101than as sourcecode?
102
103The current list of types is in Section 2.48.4 of RFC 7991.
104-->
105
106    <section anchor="oids" numbered="true" toc="default">
107      <name>Identifiers</name>
108
109      <t>This section defines four new object identifiers (OIDs), for RSASSA-PSS and ECDSA with each 
110   of SHAKE128 and SHAKE256. The same algorithm identifiers can be  
111   used for identifying a public key in RSASSA-PSS.</t>
112      <t>The new identifiers for RSASSA-PSS signatures using SHAKEs are below.</t>
113
114      <sourcecode type=""><![CDATA[
115  id-RSASSA-PSS-SHAKE128  OBJECT IDENTIFIER  ::=  { iso(1) 
116            identified-organization(3) dod(6) internet(1) 
117            security(5) mechanisms(5) pkix(7) algorithms(6)
118            TBD1 }
119
120  id-RSASSA-PSS-SHAKE256  OBJECT IDENTIFIER  ::=  { iso(1) 
121            identified-organization(3) dod(6) internet(1) 
122            security(5) mechanisms(5) pkix(7) algorithms(6)
123            TBD2 }
124]]></sourcecode>
125
126      <t>The new algorithm identifiers of ECDSA signatures using SHAKEs are below.</t>
127
128          <sourcecode type=""><![CDATA[
129  id-ecdsa-with-shake128 OBJECT IDENTIFIER  ::=  { iso(1) 
130            identified-organization(3) dod(6) internet(1) 
131            security(5) mechanisms(5) pkix(7) algorithms(6)
132            TBD3 }            
133
134  id-ecdsa-with-shake256 OBJECT IDENTIFIER  ::=  { iso(1) 
135            identified-organization(3) dod(6) internet(1) 
136            security(5) mechanisms(5) pkix(7) algorithms(6)
137            TBD4 }
138]]></sourcecode>
139
140      <!-- <xref target="RFC8017"/>, but we include it here as well for convenience:</t>
141   <t><figure><artwork><![CDATA[
142   id-mgf1  OBJECT IDENTIFIER  ::=  { pkcs-1 8 }
143]]></artwork></figure>-->
144      <!-- <t>The parameters field associated with id-mgf1 <bcp14>MUST</bcp14> have a hashAlgorithm value that identifies 
145   the hash used with MGF1. To use SHAKE as this hash, this parameter <bcp14>MUST</bcp14> be 
146   id-shake128-len or id-shake256-len as specified in <xref target="xofs" /> above. </t>-->
147      <t>The parameters for the four identifiers above <bcp14>MUST</bcp14> be absent. That is, 
148   the identifier <bcp14>SHALL</bcp14> be a SEQUENCE of one component, the OID.</t>
149      <t>Sections <xref target="rsa-sigs" format="counter"/> and <xref target="ecdsa-sigs" format="counter"/> specify the required output length 
150   for each use of SHAKE128 or SHAKE256 in RSASSA-PSS and ECDSA. In summary, when hashing messages
151      to be signed, output lengths of SHAKE128 and SHAKE256 are 256 and 512 bits respectively. 
152   When the SHAKEs are used as mask generation functions RSASSA-PSS, their output length is 
153   (8*ceil((n-1)/8) - 264) or (8*ceil((n-1)/8) - 520) bits, respectively, where n is the RSA modulus size in bits.</t>
154    </section>
155    <section numbered="true" toc="default">
156      <name>Use in PKIX</name>
157      <section anchor="sigs" numbered="true" toc="default">
158        <name>Signatures</name>
159        <t>Signatures are used in a number of different ASN.1 structures.
160        As shown in the ASN.1 representation from <xref target="RFC5280" format="default"/> 
161 below, in an X.509 certificate, a signature is encoded with an 
162 algorithm identifier in the signatureAlgorithm attribute and 
163 a signatureValue attribute that contains the actual signature.  
164        </t>
165        <sourcecode type="asn.1"><![CDATA[
166   Certificate  ::=  SEQUENCE  {
167      tbsCertificate       TBSCertificate,
168      signatureAlgorithm   AlgorithmIdentifier,
169      signatureValue       BIT STRING  }
170]]></sourcecode>
171        <t>The identifiers defined in <xref target="oids" format="default"/> can be used 
172 as the AlgorithmIdentifier in the signatureAlgorithm field in the sequence 
173 Certificate and the signature field in the sequence TBSCertificate in X.509  
174 <xref target="RFC5280" format="default"/>. 
175 The parameters of these signature algorithms are absent as explained 
176 in <xref target="oids" format="default"/>.</t>
177        <t>Conforming CA implementations <bcp14>MUST</bcp14> specify the algorithms  
178 explicitly by using the OIDs specified in <xref target="oids" format="default"/> when 
179 encoding RSASSA-PSS or ECDSA with SHAKE signatures 
180 in certificates and CRLs.
181 Conforming client implementations that process certificates and CRLs 
182 using RSASSA-PSS or ECDSA with SHAKE <bcp14>MUST</bcp14> recognize the corresponding OIDs.
183 Encoding rules for RSASSA-PSS and ECDSA 
184 signature values are specified in <xref target="RFC4055" format="default"/> and 
185 <xref target="RFC5480" format="default"/>, respectively.</t>
186        <t>When using RSASSA-PSS or ECDSA with SHAKEs, the RSA modulus and ECDSA 
187 curve order <bcp14>SHOULD</bcp14> be chosen in line with the SHAKE output length. 
188 Refer to <xref target="Security" format="default"/> for more details.</t>
189        <section anchor="rsa-sigs" numbered="true" toc="default">
190          <name>RSASSA-PSS Signatures</name>
191          <t>The RSASSA-PSS algorithm is defined in <xref target="RFC8017" format="default"/>. 
192   When id-RSASSA-PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 specified in <xref target="oids" format="default"/> 
193   is used, the encoding <bcp14>MUST</bcp14> omit the parameters field. That is, 
194   the AlgorithmIdentifier <bcp14>SHALL</bcp14> be a SEQUENCE of one component,  
195   id-RSASSA-PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256. <xref target="RFC4055" format="default"/>
196   defines RSASSA-PSS-params that are used to define the algorithms and inputs 
197   to the algorithm. This specification does not use parameters because the 
198   hash, mask generation algorithm, trailer and salt are embedded in 
199   the OID definition.</t>
200          <t>The hash algorithm to hash a message being signed and the hash algorithm used as the
201   mask generation function <!-- "MGF(H, emLen - hLen - 1)" <xref target="RFC8017"/> -->
202   in RSASSA-PSS <bcp14>MUST</bcp14> be the same: both SHAKE128 or both SHAKE256. The 
203   output length of the hash algorithm which hashes the message <bcp14>SHALL</bcp14> be 32 
204   (for SHAKE128) or 64 bytes (for SHAKE256). </t>
205          <t>The mask generation function takes an octet string of variable length and
206   a desired output length as input, and outputs an octet 
207   string of the desired length. In RSASSA-PSS with SHAKEs, the SHAKEs <bcp14>MUST</bcp14> be 
208   used natively as the MGF function, instead of the MGF1 algorithm that uses 
209   the hash function in multiple iterations as specified in
210   <xref target="RFC8017" sectionFormat="of" section="B.2.1"/>. In other words, the MGF is defined as 
211   <!-- <t><figure><artwork><![CDATA[
212    SHAKE128(mgfSeed, maskLen) 
213]]></artwork></figure>
214          and 
215          <figure><artwork><![CDATA[
216    SHAKE256(mgfSeed, maskLen)
217]]></artwork></figure></t> --> 
218          the SHAKE128 or SHAKE256 output of the mgfSeed for id-RSASSA-PSS-SHAKE128 and 
219   id-RSASSA-PSS-SHAKE256, respectively. The mgfSeed is the seed 
220   from which mask is generated, an octet string <xref target="RFC8017" format="default"/>.   
221   As explained in Step 9 of <xref target="RFC8017" sectionFormat="of" section="9.1.1"/>, the output 
222   length of the MGF is emLen - hLen - 1 bytes. emLen is the maximum message 
223   length ceil((n-1)/8), where n is the RSA modulus in bits. hLen is 32 and 
224   64-bytes for id-RSASSA-PSS-SHAKE128 and id-RSASSA-PSS-SHAKE256, respectively. 
225   Thus when SHAKE is used as the MGF, the SHAKE output length maskLen is 
226   (8*emLen - 264) or (8*emLen - 520) bits, respectively. For example, when RSA modulus n is 2048, 
227   the output length of SHAKE128 or SHAKE256 as the MGF will be 1784 or 1528-bits 
228   when id-RSASSA-PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 is used, respectively. </t>
229          <t>The RSASSA-PSS saltLength <bcp14>MUST</bcp14> be 32 bytes for id-RSASSA-PSS-SHAKE128 
230   or 64 bytes for id-RSASSA-PSS-SHAKE256. 
231   Finally, the trailerField <bcp14>MUST</bcp14> be 1, which represents 
232   the trailer field with hexadecimal value 0xBC <xref target="RFC8017" format="default"/>.</t>
233          <!-- <t><figure><artwork><![CDATA[
234   id-RSASSA-PSS  OBJECT IDENTIFIER  ::=  { pkcs-1 k }
235
236   RSASSA-PSS-params  ::=  SEQUENCE  {
237         hashAlgorithm      HashAlgorithm, 
238         maskGenAlgorithm   MaskGenAlgorithm, 
239         saltLength         INTEGER, 
240         trailerField       INTEGER }
241]]></artwork></figure></t> -->
242          <!-- <section title="EdDSA with SHAKE">
243          <t>[ EDNOTE: For the group to decide: pre-hash version or non-prehash version EdDSAs. PureEdDSA, the pre-hashed version of EdDSA, as currently also proposed in draft-ietf-curdle-cms-eddsa-signatures mandates the hash function as SHA512 for Ed25519 and SHAKE256(x,64) for Ed448. The HashEdDSA version of EdDSA does not define the hash. It is up to the WG to go the Pre-hash route which would require an OID that contained the hash. ] </t>
244   <t>
245      <list>
246    <t><figure><artwork><![CDATA[
247id-eddsa-with-shake128 OBJECT IDENTIFIER ::= { }
248]]></artwork></figure></t>
249    <t><figure><artwork><![CDATA[
250id-eddsa-with-shake256 OBJECT IDENTIFIER ::= {  }
251]]></artwork></figure></t>
252    </list></t>
253        </section> -->
254        </section>
255        <section anchor="ecdsa-sigs" numbered="true" toc="default">
256          <name>ECDSA Signatures</name>
257          <t>The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in 
258       <xref target="X9.62" format="default"/>. When the id-ecdsa-with-shake128 or id-ecdsa-with-shake256
259   (specified in <xref target="oids" format="default"/>) algorithm identifier appears, the respective SHAKE 
260   function (SHAKE128 or SHAKE256) is used as the hash. 
261   The encoding <bcp14>MUST</bcp14> omit the parameters field. That is, the AlgorithmIdentifier 
262   <bcp14>SHALL</bcp14> be a SEQUENCE of one component, the OID id-ecdsa-with-shake128 or 
263   id-ecdsa-with-shake256.</t>
264          <t>For simplicity and compliance with the ECDSA standard specification, 
265       the output length of the hash function must be explicitly determined. The 
266       output length, d, for SHAKE128 or SHAKE256 used in ECDSA <bcp14>MUST</bcp14> be 256 or 512  
267   bits, respectively. </t>
268          <t>Conforming CA implementations that generate ECDSA with SHAKE signatures 
269   in certificates or CRLs <bcp14>SHOULD</bcp14> generate such signatures with a 
270   deterministically generated, non-random k in accordance with all 
271   the requirements specified in <xref target="RFC6979" format="default"/>. 
272
273   <!-- Sections 7.2 and 7.3 of 
274   <xref target="X9.62"/> or with all the requirements specified in Section 
275   4.1.3 of <xref target="SEC1"/>. -->
276
277   They <bcp14>MAY</bcp14> also generate such signatures 
278   in accordance with all other recommendations in <xref target="X9.62" format="default"/> or 
279   <xref target="SEC1" format="default"/> if they have a stated policy that requires 
280   conformance to those standards. Those standards have not specified  
281   SHAKE128 and SHAKE256 as hash algorithm options. However, SHAKE128 and 
282   SHAKE256 with output length being 32 and 64 octets, respectively, can  
283   be used instead of 256 and 512-bit output hash algorithms such as SHA256 
284   and SHA512.</t>
285          <!-- <t>In Section 3.2 "Generation of k" of <xref target="RFC6979"/>, HMAC is used to derive 
286   the deterministic k. Conforming implementations that generate deterministic 
287   ECDSA with SHAKE signatures in X.509 <bcp14>MUST</bcp14> use KMAC with SHAKE128 or KMAC with 
288   SHAKE256 as specfied in <xref target="SP800-185"/> when SHAKE128 or SHAKE256 is 
289   used as the message hashing algorithm, respectively. In this situation, KMAC with 
290   SHAKE128 and KMAC with SHAKE256 have 256-bit and 512-bit outputs respectively, 
291   and the optional customization bit string S is an empty string.</t> -->
292        </section>
293      </section>
294      <section numbered="true" toc="default">
295        <name>Public Keys</name>
296        <t>Certificates conforming to <xref target="RFC5280" format="default"/> can convey a 
297 public key for any public key algorithm. The certificate indicates 
298 the public key algorithm through an algorithm identifier. This algorithm 
299 identifier is an OID and optionally associated parameters.
300 The conventions and encoding for RSASSA-PSS and ECDSA <!-- and EdDSA -->
301 public keys algorithm identifiers are as specified in 
302 Sections <xref target="RFC3279"
303 sectionFormat="of" section="2.3.1"/> and <xref
304 target="RFC3279" sectionFormat="of" section="2.3.5"/>, 
305 <xref target="RFC4055" sectionFormat="of" section="3.1"/>,
306 and <xref target="RFC5480" sectionFormat="of" section="2.1"/>.
307
308        </t>
309        <t>Traditionally, the rsaEncryption object identifier is used to
310 identify RSA public keys. The rsaEncryption object identifier 
311 continues to identify the subject public key when the RSA private 
312 key owner does not wish to limit the use of the public key 
313 exclusively to RSASSA-PSS with SHAKEs. When the RSA private 
314 key owner wishes to limit the use of the public key exclusively 
315 to RSASSA-PSS with SHAKEs, the AlgorithmIdentifiers for 
316 RSASSA-PSS defined in <xref target="oids" format="default"/> <bcp14>SHOULD</bcp14> be used as the algorithm 
317 field in the SubjectPublicKeyInfo sequence <xref target="RFC5280" format="default"/>. 
318 Conforming client implementations that process RSASSA-PSS 
319 with SHAKE public keys when processing certificates and CRLs <bcp14>MUST</bcp14> 
320 recognize the corresponding OIDs. </t>
321        <t>Conforming CA implementations <bcp14>MUST</bcp14> specify the X.509 public key 
322 algorithm explicitly by using the OIDs specified in <xref target="oids" format="default"/> 
323 when encoding ECDSA with SHAKE public keys in certificates and CRLs. 
324 Conforming client implementations that process ECDSA with 
325 SHAKE public keys when processing certificates and CRLs <bcp14>MUST</bcp14> recognize 
326 the corresponding OIDs. </t>
327        <t>The identifier parameters, as explained in <xref target="oids" format="default"/>, 
328 <bcp14>MUST</bcp14> be absent.</t>
329      </section>
330    </section>
331    <section anchor="IANA" numbered="true" toc="default">
332      <name>IANA Considerations</name>
333
334      <t>One object identifier for the ASN.1 module in <xref target="asn" format="default"/> 
335   is requested for the SMI Security for PKIX Module Identifiers 
336   (1.3.6.1.5.5.7.0) registry: </t>
337      <table align="left">
338        <thead>
339          <tr>
340            <th align="left">Decimal</th>
341            <th align="left">Description</th>
342            <th align="left">References</th>
343          </tr>
344        </thead>
345        <tbody>
346          <tr>
347            <td align="left">TBD</td>
348            <td align="left">id-mod-pkix1-shakes-2019</td>
349            <td align="left">RFC 9999</td>
350          </tr>
351        </tbody>
352      </table>
353      <t>IANA is requested to update the 
354   SMI Security for PKIX Algorithms <xref target="SMI-PKIX" format="default"/>
355   (1.3.6.1.5.5.7.6) registry with four additional entries: </t>
356      <table align="left">
357        <thead>
358          <tr>
359            <th align="left">Decimal</th>
360            <th align="left">Description</th>
361            <th align="left">References</th>
362          </tr>
363        </thead>
364        <tbody>
365          <tr>
366            <td align="left">TBD1</td>
367            <td align="left">id-RSASSA-PSS-SHAKE128</td>
368            <td align="left">RFC 9999</td>
369          </tr>
370          <tr>
371            <td align="left">TBD2</td>
372            <td align="left">id-RSASSA-PSS-SHAKE256</td>
373            <td align="left">RFC 9999</td>
374          </tr>
375          <tr>
376            <td align="left">TBD3</td>
377            <td align="left">id-ecdsa-with-shake128</td>
378            <td align="left">RFC 9999</td>
379          </tr>
380          <tr>
381            <td align="left">TBD4</td>
382            <td align="left">id-ecdsa-with-shake256</td>
383            <td align="left">RFC 9999</td>
384          </tr>
385        </tbody>
386      </table>
387      <t>IANA is also requested to update the 
388   Hash Function Textual Names Registry <xref target="Hash-Texts" format="default"/>
389      with two additional entries for SHAKE128
390      and SHAKE256: </t>
391      <table align="left">
392        <thead>
393          <tr>
394            <th align="left">Hash Function Name</th>
395            <th align="left">OID</th>
396            <th align="left">Reference</th>
397          </tr>
398        </thead>
399        <tbody>
400          <tr>
401            <td align="left">shake128</td>
402            <td align="left">2.16.840.1.101.3.4.2.11</td>
403            <td align="left">RFC 9999</td>
404          </tr>
405          <tr>
406            <td align="left">shake256</td>
407            <td align="left">2.16.840.1.101.3.4.2.12</td>
408            <td align="left">RFC 9999</td>
409          </tr>
410        </tbody>
411      </table>
412    </section>
413    <section anchor="Security" numbered="true" toc="default">
414      <name>Security Considerations</name>
415      <t>This document updates <xref target="RFC3279" format="default"/>. The security considerations
416      section of that document applies to this specification as well.</t>
417      <t>NIST has defined appropriate use of the hash functions in terms of the algorithm 
418      strengths and expected time frames for secure use in Special Publications (SPs) 
419      <xref target="SP800-78-4" format="default"/> and <xref target="SP800-107" format="default"/>. 
420      These documents can be used as guides to choose appropriate key sizes 
421      for various security scenarios. </t>
422      <!-- <t>The SHAKEs are deterministic functions. Like any other deterministic function, 
423   executing multiple times with the same input will produce the 
424   same output. Therefore, users should not expect unrelated outputs (with the 
425   same or different output lengths) from running a SHAKE function with the 
426   same input multiple times. The shorter of any two outputs produced from a 
427   SHAKE with the same input is a prefix of the longer one. It is a similar 
428   situation as truncating a 512-bit output of SHA-512 by taking its 256 
429   left-most bits. These 256 left-most bits are a prefix of the 512-bit output.</t> -->
430      <!-- <t>Implementations must protect the signer's private key. Compromise of
431      the signer's private key permits masquerade attacks.</t> -->
432      <!-- <t>Implementations must randomly generate one-time values, such as the k value when generating a ECDSA
433      signature. In addition, the generation of public/private key pairs
434      relies on random numbers. The use of inadequate pseudo-random
435      number generators (PRNGs) to generate such cryptographic values can
436      result in little or no security. The generation of quality random
437      numbers is difficult. <xref target="RFC4086"/> offers important guidance 
438   in this area, and <xref target="SP800-90A"/> series provide acceptable 
439      PRNGs.</t> -->
440      <!-- <t>Implementers should be aware that cryptographic algorithms may 
441   become weaker with time. As new cryptanalysis techniques are developed 
442   and computing power increases, the work factor or time required to break a 
443   particular cryptographic algorithm may decrease. Therefore, cryptographic
444      algorithm implementations should be modular allowing new algorithms
445      to be readily inserted. That is, implementers should be prepared to
446      regularly update the set of algorithms in their implementations.</t> -->
447      <t>SHAKE128 with output length of 256-bits offers 128-bits of collision and preimage resistance. Thus, SHAKE128 OIDs in this specification are <bcp14>RECOMMENDED</bcp14> with 2048 (112-bit security) or 3072-bit (128-bit security) RSA modulus or curves with group order of 256-bits (128-bit security). SHAKE256 with 512-bits output length offers 256-bits of collision and preimage resistance. Thus, the SHAKE256 OIDs in this specification are <bcp14>RECOMMENDED</bcp14> with 4096-bit RSA modulus or higher or curves with group order of at least 512 bits such as NIST Curve P-521 (256-bit security). Note that we recommended 4096-bit RSA because we would need 15360-bit modulus for 256-bits of security which is impractical for today's technology.</t>
448    </section>
449    <!-- Possibly a 'Contributors' section ... -->
450    <section anchor="Acknowledgements" numbered="true" toc="default">
451      <name>Acknowledgements</name>
452      <t>We would like to thank Sean Turner, Jim Schaad and Eric 
453   Rescorla for their valuable contributions to this document.</t>
454      <t>The authors would like to thank Russ Housley for his guidance and 
455   very valuable contributions with the ASN.1 module.</t>
456    </section>
457  </middle>
458  <!--  *****BACK MATTER ***** -->
459  <back>
460    <!-- References split into informative and normative -->
461    <!-- There are 2 ways to insert reference entries from the citation libraries:
462     1. define an ENTITY at the top, and use "ampersand character"RFC2629; here (as shown)
463     2. simply use a PI "less than character"?rfc include="reference.RFC.2119.xml"?> here
464        (for I-Ds: include="reference.I-D.narten-iana-considerations-rfc2434bis.xml")
465
466     Both are cited textually in the same manner: by using xref elements.
467     If you use the PI option, xml2rfc will, by default, try to find included files in the same
468     directory as the including file. You can also define the XML_LIBRARY environment variable
469     with a value containing a set of directories to search.  These can be either in the local
470     filing system or remote ones accessed by http (http://domain/dir/... ).-->
471    <references>
472      <name>References</name>
473      <references>
474        <name>Normative References</name>
475
476<xi:include
477    href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
478<xi:include
479    href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3279.xml"/>
480<xi:include
481    href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4055.xml"/>
482<xi:include
483    href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"/>
484<xi:include
485    href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5480.xml"/>
486<xi:include
487    href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8017.xml"/>
488<xi:include
489    href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
490
491        <reference anchor="SHA3" target="https://www.nist.gov/publications/sha-3-standard-permutation-based-hash-and-extendable-output-functions">
492          <front>
493            <title>SHA-3 Standard - Permutation-Based Hash and Extendable-Output Functions FIPS PUB 202</title>
494            <author>
495              <organization>National Institute of Standards and Technology (NIST)</organization>
496            </author>
497            <date month="August" year="2015"/>
498          </front>
499        </reference>
500      </references>
501
502      <references>
503        <name>Informative References</name>
504
505<xi:include
506    href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5912.xml"/>
507<xi:include
508    href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6979.xml"/>
509
510        <reference anchor="SEC1" target="http://www.secg.org/sec1-v2.pdf">
511          <front>
512            <title>SEC 1: Elliptic Curve Cryptography</title>
513            <author>
514              <organization>Standards for Efficient Cryptography Group</organization>
515            </author>
516            <date month="May" year="2009"/>
517          </front>
518        </reference>
519        <reference anchor="X9.62">
520          <front>
521            <title>X9.62-2005: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Standard (ECDSA)</title>
522            <author>
523              <organization>American National Standard for Financial Services (ANSI)</organization>
524            </author>
525            <date month="November" year="2005"/>
526          </front>
527        </reference>
528        <reference anchor="SP800-78-4" target="https://csrc.nist.gov/csrc/media/publications/sp/800-78/4/final/documents/sp800_78-4_revised_draft.pdf">
529          <front>
530            <title>SP800-78-4: Cryptographic Algorithms and Key Sizes for Personal Identity Verification</title>
531            <author>
532              <organization>National Institute of Standards and Technology (NIST)</organization>
533            </author>
534            <date month="May" year="2014"/>
535          </front>
536        </reference>
537        <reference anchor="SMI-PKIX" target="https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.6">
538          <front>
539            <title>SMI Security for PKIX Algorithms</title>
540            <author>
541              <organization>IANA</organization>
542            </author>
543            <date month="March" year="2019"/>
544          </front>
545        </reference>
546        <reference anchor="Hash-Texts" target="https://www.iana.org/assignments/hash-function-text-names/hash-function-text-names.xhtml">
547          <front>
548            <title>Hash Function Textual Names</title>
549            <author>
550              <organization>IANA</organization>
551            </author>
552            <date month="July" year="2017"/>
553          </front>
554        </reference>
555        <reference anchor="SP800-107" target="https://csrc.nist.gov/csrc/media/publications/sp/800-107/rev-1/final/documents/draft_revised_sp800-107.pdf">
556          <front>
557            <title>SP800-107: Recommendation for Applications Using Approved Hash Algorithms</title>
558            <author>
559              <organization>National Institute of Standards and Technology (NIST)</organization>
560            </author>
561            <date month="May" year="2014"/>
562          </front>
563        </reference>
564        <!-- <reference anchor="SP800-90A" target="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf">
565        <front>
566          <title>Recommendation for Random Number Generation Using Deterministic Random Bit Generators. NIST SP 800-90A</title>
567          <author>
568            <organization>National Institute of Standards and Technology</organization>
569          </author>
570          <date month="June" year="2015" />
571        </front>
572      </reference> -->
573        <!-- <reference anchor="SP800-185" target="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf">
574        <front>
575          <title>SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash. NIST SP 800-185</title>
576          <author>
577            <organization>National Institute of Standards and Technology</organization>
578          </author>
579          <date month="December" year="2016" />
580        </front>
581      </reference> -->
582      </references>
583    </references>
584    <section anchor="asn" numbered="true" toc="default">
585      <name>ASN.1 module</name>
586      <t>This appendix includes the ASN.1 module for SHAKEs in X.509. 
587    This module does not come from any existing RFC. </t>
588      <sourcecode type="asn.1"><![CDATA[ 
589    PKIXAlgsForSHAKE-2019 { iso(1) identified-organization(3) dod(6)
590      internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
591      id-mod-pkix1-shakes-2019(TBD) }
592
593    DEFINITIONS EXPLICIT TAGS ::=
594
595    BEGIN
596
597    -- EXPORTS ALL;
598
599    IMPORTS
600
601    -- FROM [RFC5912]
602
603    PUBLIC-KEY, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM, SMIME-CAPS
604    FROM AlgorithmInformation-2009
605      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
606        mechanisms(5) pkix(7) id-mod(0)
607        id-mod-algorithmInformation-02(58) }
608
609    -- FROM [RFC5912]
610
611    RSAPublicKey, rsaEncryption, pk-rsa, pk-ec,
612    CURVE, id-ecPublicKey, ECPoint, ECParameters, ECDSA-Sig-Value
613    FROM PKIXAlgs-2009 { iso(1) identified-organization(3) dod(6)
614         internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
615         id-mod-pkix1-algorithms2008-02(56) }
616   ;
617
618    --
619    -- Message Digest Algorithms (mda-)
620    --
621    DigestAlgorithms DIGEST-ALGORITHM ::= {
622      -- This expands DigestAlgorithms from [RFC5912]
623      mda-shake128   |
624      mda-shake256,
625      ...
626    }
627
628    --
629    -- One-Way Hash Functions
630    --
631
632    -- SHAKE128
633    mda-shake128 DIGEST-ALGORITHM ::= {
634      IDENTIFIER id-shake128  -- with output length 32 bytes.
635    }
636    id-shake128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16)
637                                        us(840) organization(1) gov(101)
638                                        csor(3) nistAlgorithm(4)
639                                        hashAlgs(2) 11 }
640
641    -- SHAKE256
642    mda-shake256 DIGEST-ALGORITHM ::= {
643      IDENTIFIER id-shake256  -- with output length 64 bytes.
644    }
645    id-shake256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16)
646                                        us(840) organization(1) gov(101)
647                                        csor(3) nistAlgorithm(4)
648                                        hashAlgs(2) 12 }
649
650    --
651    -- Public Key (pk-) Algorithms
652    --
653    PublicKeys PUBLIC-KEY ::= {
654      -- This expands PublicKeys from [RFC5912]
655      pk-rsaSSA-PSS-SHAKE128 |
656      pk-rsaSSA-PSS-SHAKE256,
657      ...
658    }
659
660    -- The hashAlgorithm is mda-shake128
661    -- The maskGenAlgorithm is id-shake128
662    -- Mask Gen Algorithm is SHAKE128 with output length
663    -- (8*ceil((n-1)/8) - 264) bits, where n is the RSA 
664    -- modulus in bits.
665    -- The saltLength is 32. The trailerField is 1.
666    pk-rsaSSA-PSS-SHAKE128 PUBLIC-KEY ::= {
667      IDENTIFIER id-RSASSA-PSS-SHAKE128
668      KEY RSAPublicKey
669      PARAMS ARE absent
670      -- Private key format not in this module --
671      CERT-KEY-USAGE { nonRepudiation, digitalSignature,
672                       keyCertSign, cRLSign }
673    }
674
675    -- The hashAlgorithm is mda-shake256
676    -- The maskGenAlgorithm is id-shake256
677    -- Mask Gen Algorithm is SHAKE256 with output length
678    -- (8*ceil((n-1)/8) - 520)-bits, where n is the RSA 
679    -- modulus in bits.
680    -- The saltLength is 64. The trailerField is 1.
681    pk-rsaSSA-PSS-SHAKE256 PUBLIC-KEY ::= {
682      IDENTIFIER id-RSASSA-PSS-SHAKE256
683      KEY RSAPublicKey
684      PARAMS ARE absent
685      -- Private key format not in this module --
686      CERT-KEY-USAGE { nonRepudiation, digitalSignature,
687                       keyCertSign, cRLSign }
688    }
689
690    --
691    -- Signature Algorithms (sa-)
692    --
693    SignatureAlgs SIGNATURE-ALGORITHM ::= {
694      -- This expands SignatureAlgorithms from [RFC5912]
695      sa-rsassapssWithSHAKE128 |
696      sa-rsassapssWithSHAKE256 |
697      sa-ecdsaWithSHAKE128 |
698      sa-ecdsaWithSHAKE256,
699      ...
700    }
701
702    --
703    -- SMIME Capabilities (sa-)
704    --
705    SMimeCaps SMIME-CAPS ::= {
706      -- The expands SMimeCaps from [RFC5912]
707      sa-rsassapssWithSHAKE128.&smimeCaps |
708      sa-rsassapssWithSHAKE256.&smimeCaps |
709      sa-ecdsaWithSHAKE128.&smimeCaps |
710      sa-ecdsaWithSHAKE256.&smimeCaps,
711      ...
712    }
713
714    -- RSASSA-PSS with SHAKE128
715    sa-rsassapssWithSHAKE128 SIGNATURE-ALGORITHM ::= {
716      IDENTIFIER id-RSASSA-PSS-SHAKE128
717      PARAMS ARE absent
718          -- The hashAlgorithm is mda-shake128
719          -- The maskGenAlgorithm is id-shake128
720          -- Mask Gen Algorithm is SHAKE128 with output length
721          -- (8*ceil((n-1)/8) - 264) bits, where n is the RSA 
722          -- modulus in bits.
723          -- The saltLength is 32. The trailerField is 1
724      HASHES { mda-shake128 }
725      PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS-SHAKE128 }
726      SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS-SHAKE128 }
727    }
728    id-RSASSA-PSS-SHAKE128  OBJECT IDENTIFIER  ::=  { iso(1) 
729            identified-organization(3) dod(6) internet(1) 
730            security(5) mechanisms(5) pkix(7) algorithms(6)
731            TBD1 }
732
733    -- RSASSA-PSS with SHAKE256
734    sa-rsassapssWithSHAKE256 SIGNATURE-ALGORITHM ::= {
735      IDENTIFIER id-RSASSA-PSS-SHAKE256
736      PARAMS ARE absent
737          -- The hashAlgorithm is mda-shake256
738          -- The maskGenAlgorithm is id-shake256
739          -- Mask Gen Algorithm is SHAKE256 with output length
740          -- (8*ceil((n-1)/8) - 520)-bits, where n is the 
741          -- RSA modulus in bits.
742          -- The saltLength is 64. The trailerField is 1.
743     HASHES { mda-shake256 }
744     PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS-SHAKE256 }
745     SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS-SHAKE256 }
746    }
747    id-RSASSA-PSS-SHAKE256  OBJECT IDENTIFIER  ::=  { iso(1) 
748            identified-organization(3) dod(6) internet(1) 
749            security(5) mechanisms(5) pkix(7) algorithms(6)
750            TBD2 }
751
752    -- ECDSA with SHAKE128
753    sa-ecdsaWithSHAKE128 SIGNATURE-ALGORITHM ::= {
754      IDENTIFIER id-ecdsa-with-shake128
755      VALUE ECDSA-Sig-Value
756      PARAMS ARE absent
757      HASHES { mda-shake128 }
758      PUBLIC-KEYS { pk-ec }
759      SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-shake128 }
760    }
761    id-ecdsa-with-shake128 OBJECT IDENTIFIER  ::=  { iso(1) 
762            identified-organization(3) dod(6) internet(1) 
763            security(5) mechanisms(5) pkix(7) algorithms(6)
764            TBD3 } 
765
766    -- ECDSA with SHAKE256
767    sa-ecdsaWithSHAKE256 SIGNATURE-ALGORITHM ::= {
768      IDENTIFIER id-ecdsa-with-shake256
769      VALUE ECDSA-Sig-Value
770      PARAMS ARE absent
771      HASHES { mda-shake256 }
772      PUBLIC-KEYS { pk-ec }
773      SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-shake256 }
774    }
775    id-ecdsa-with-shake256 OBJECT IDENTIFIER  ::=  { iso(1) 
776            identified-organization(3) dod(6) internet(1) 
777            security(5) mechanisms(5) pkix(7) algorithms(6)
778            TBD4 }
779
780    END
781 ]]></sourcecode>
782    </section>
783  </back>
784</rfc>
1<reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
2<front>
3<title>Key words for use in RFCs to Indicate Requirement Levels</title>
4<author initials="S." surname="Bradner" fullname="S. Bradner"><organization/></author>
5<date year="1997" month="March"/>
6<abstract><t>In many standards track documents several words are used to signify the requirements in the specification.  These words are often capitalized. This document defines these words as they should be interpreted in IETF documents.  This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t></abstract>
7</front>
8<seriesInfo name="BCP" value="14"/>
9<seriesInfo name="RFC" value="2119"/>
10<seriesInfo name="DOI" value="10.17487/RFC2119"/>
11</reference>
1<reference anchor="RFC3279" target="https://www.rfc-editor.org/info/rfc3279" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3279.xml">
2<front>
3<title>Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
4<author initials="L." surname="Bassham" fullname="L. Bassham"><organization/></author>
5<author initials="W." surname="Polk" fullname="W. Polk"><organization/></author>
6<author initials="R." surname="Housley" fullname="R. Housley"><organization/></author>
7<date year="2002" month="April"/>
8<abstract><t>This document specifies algorithm identifiers and ASN.1 encoding formats for digital signatures and subject public keys used in the Internet X.509 Public Key Infrastructure (PKI).  Digital signatures are used to sign certificates and certificate revocation list (CRLs).  Certificates include the public key of the named subject.  [STANDARDS-TRACK]</t></abstract>
9</front>
10<seriesInfo name="RFC" value="3279"/>
11<seriesInfo name="DOI" value="10.17487/RFC3279"/>
12</reference>
1<reference anchor="RFC4055" target="https://www.rfc-editor.org/info/rfc4055" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4055.xml">
2<front>
3<title>Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
4<author initials="J." surname="Schaad" fullname="J. Schaad"><organization/></author>
5<author initials="B." surname="Kaliski" fullname="B. Kaliski"><organization/></author>
6<author initials="R." surname="Housley" fullname="R. Housley"><organization/></author>
7<date year="2005" month="June"/>
8<abstract><t>This document supplements RFC 3279.  It describes the conventions for using the RSA Probabilistic Signature Scheme (RSASSA-PSS) signature algorithm, the RSA Encryption Scheme - Optimal Asymmetric Encryption Padding (RSAES-OAEP) key transport algorithm and additional one-way hash functions with the Public-Key Cryptography Standards (PKCS) #1 version 1.5 signature algorithm in the Internet X.509 Public Key Infrastructure (PKI).  Encoding formats, algorithm identifiers, and parameter formats are specified.  [STANDARDS-TRACK]</t></abstract>
9</front>
10<seriesInfo name="RFC" value="4055"/>
11<seriesInfo name="DOI" value="10.17487/RFC4055"/>
12</reference>
1<reference anchor="RFC5280" target="https://www.rfc-editor.org/info/rfc5280" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml">
2<front>
3<title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
4<author initials="D." surname="Cooper" fullname="D. Cooper"><organization/></author>
5<author initials="S." surname="Santesson" fullname="S. Santesson"><organization/></author>
6<author initials="S." surname="Farrell" fullname="S. Farrell"><organization/></author>
7<author initials="S." surname="Boeyen" fullname="S. Boeyen"><organization/></author>
8<author initials="R." surname="Housley" fullname="R. Housley"><organization/></author>
9<author initials="W." surname="Polk" fullname="W. Polk"><organization/></author>
10<date year="2008" month="May"/>
11<abstract><t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet.  An overview of this approach and model is provided as an introduction.  The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms.  Standard certificate extensions are described and two Internet-specific extensions are defined.  A set of required certificate extensions is specified.  The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions.  An algorithm for X.509 certification path validation is described.  An ASN.1 module and examples are provided in the appendices.  [STANDARDS-TRACK]</t></abstract>
12</front>
13<seriesInfo name="RFC" value="5280"/>
14<seriesInfo name="DOI" value="10.17487/RFC5280"/>
15</reference>
1<reference anchor="RFC5480" target="https://www.rfc-editor.org/info/rfc5480" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5480.xml">
2<front>
3<title>Elliptic Curve Cryptography Subject Public Key Information</title>
4<author initials="S." surname="Turner" fullname="S. Turner"><organization/></author>
5<author initials="D." surname="Brown" fullname="D. Brown"><organization/></author>
6<author initials="K." surname="Yiu" fullname="K. Yiu"><organization/></author>
7<author initials="R." surname="Housley" fullname="R. Housley"><organization/></author>
8<author initials="T." surname="Polk" fullname="T. Polk"><organization/></author>
9<date year="2009" month="March"/>
10<abstract><t>This document specifies the syntax and semantics for the Subject Public Key Information field in certificates that support Elliptic Curve Cryptography.  This document updates Sections 2.3.5 and 5, and the ASN.1 module of "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3279.  [STANDARDS-TRACK]</t></abstract>
11</front>
12<seriesInfo name="RFC" value="5480"/>
13<seriesInfo name="DOI" value="10.17487/RFC5480"/>
14</reference>
1<reference anchor="RFC8017" target="https://www.rfc-editor.org/info/rfc8017" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8017.xml">
2<front>
3<title>PKCS #1: RSA Cryptography Specifications Version 2.2</title>
4<author initials="K." surname="Moriarty" fullname="K. Moriarty" role="editor"><organization/></author>
5<author initials="B." surname="Kaliski" fullname="B. Kaliski"><organization/></author>
6<author initials="J." surname="Jonsson" fullname="J. Jonsson"><organization/></author>
7<author initials="A." surname="Rusch" fullname="A. Rusch"><organization/></author>
8<date year="2016" month="November"/>
9<abstract><t>This document provides recommendations for the implementation of public-key cryptography based on the RSA algorithm, covering cryptographic primitives, encryption schemes, signature schemes with appendix, and ASN.1 syntax for representing keys and for identifying the schemes.</t><t>This document represents a republication of PKCS #1 v2.2 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series.  By publishing this RFC, change control is transferred to the IETF.</t><t>This document also obsoletes RFC 3447.</t></abstract>
10</front>
11<seriesInfo name="RFC" value="8017"/>
12<seriesInfo name="DOI" value="10.17487/RFC8017"/>
13</reference>
1<reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
2<front>
3<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
4<author initials="B." surname="Leiba" fullname="B. Leiba"><organization/></author>
5<date year="2017" month="May"/>
6<abstract><t>RFC 2119 specifies common key words that may be used in protocol  specifications.  This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the  defined special meanings.</t></abstract>
7</front>
8<seriesInfo name="BCP" value="14"/>
9<seriesInfo name="RFC" value="8174"/>
10<seriesInfo name="DOI" value="10.17487/RFC8174"/>
11</reference>
1<reference anchor="RFC5912" target="https://www.rfc-editor.org/info/rfc5912" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5912.xml">
2<front>
3<title>New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)</title>
4<author initials="P." surname="Hoffman" fullname="P. Hoffman"><organization/></author>
5<author initials="J." surname="Schaad" fullname="J. Schaad"><organization/></author>
6<date year="2010" month="June"/>
7<abstract><t>The Public Key Infrastructure using X.509 (PKIX) certificate format, and many associated formats, are expressed using ASN.1.  The current ASN.1 modules conform to the 1988 version of ASN.1.  This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax.  This document is not an Internet  Standards Track specification; it is published for informational  purposes.</t></abstract>
8</front>
9<seriesInfo name="RFC" value="5912"/>
10<seriesInfo name="DOI" value="10.17487/RFC5912"/>
11</reference>
1<reference anchor="RFC6979" target="https://www.rfc-editor.org/info/rfc6979" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6979.xml">
2<front>
3<title>Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)</title>
4<author initials="T." surname="Pornin" fullname="T. Pornin"><organization/></author>
5<date year="2013" month="August"/>
6<abstract><t>This document defines a deterministic digital signature generation procedure.  Such signatures are compatible with standard Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) digital signatures and can be processed with unmodified verifiers, which need not be aware of the procedure described therein.  Deterministic signatures retain the cryptographic security features associated with digital signatures but can be more easily implemented in various environments, since they do not need access to a source of high-quality randomness.</t></abstract>
7</front>
8<seriesInfo name="RFC" value="6979"/>
9<seriesInfo name="DOI" value="10.17487/RFC6979"/>
10</reference>