Individual draft Q. Dang
Internet Draft NIST
Intended status: S. Turner
Expires: November 22, 2013 IECA
May 22, 2013
Recommended Usages of SHA-512/224, SHA-512/256
draft-dang-turner-sha-512-224-256-00.txt
Abstract
This document provides recommendations on the use of the secure hash
functions SHA-512/224 and SHA-512/256 specified in FIPS 180. SHA-
512/224 and SHA-512/256 are SHA-512-based and truncated to match the
output size of SHA-224 and SHA-256. On 64-bit platforms, the SHA-512-
truncated algorithms provide better performance than their comparably
sized SHA-224 and SHA-256 variants.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 22, 2013.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
Dang & Turner Expires November 22, 2013 [Page 1]
Internet-Draft SHA-512/224 and SHA-512/256 May 2013
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction..................................................... 2
2. Conventions used in this document.................... ........... 3
3. Usage Recommendation for Digital Signatures with SHA-512/224 and
SHA-512/256...................................................... 3
4. SHA-512/224 and SHA-512/256 in HMAC ............................. 5
5. Security Considerations.......................................... 5
6. IANA Considerations.............................................. 5
7. Conclusions...................................................... 5
8. References ...................................................... 5
8.1. Normative References ......................................... 5 5
8.2. Informative References ....................................... 6 6
9. Acknowledgments.................................................. 6
10. Authors'Addresses............................................... 7
1. Introduction
NIST specified two hash algorithms, SHA-512/224 and SHA-512/256, in
the hash algorithms standard: FIPS 180 [FIPS180]. These two hash
algorithms have the same performance characteristics of SHA-512
since the only differences between them and SHA-512 are the initial
hash values (IVs) and the truncation step to reduce the 512-bit last
internal hash value to become 224 or 256-bit final hash value for
SHA-512/224 and SHA-512/256 respectively.
SHA-512 consumes roughly 10-45% fewer clock cycles per byte than
SHA-256 as shown from performance-comparison data for SHA-256 and
SHA-512 on many different 64-bit platforms by [SHA256]. This means
that SHA-512 runs roughly 10-80% faster than SHA-256 and SHA-224
on these 64-bit machines, which are becoming more prevalent.
Also, [512/256] provides performance comparison data for SHA-256
and SHA-512 on a specific 2010 Intel architecture, the Xeon X5670
processor. The data shows that SHA-512 consumes roughly 37% fewer
clock cycles per byte than SHA-256. Put another way, SHA-512 is
roughly 60% faster (more efficient) than SHA-256 on this machine.
Dang & Turner Expires November 22,2013 [Page 2]
Internet-Draft SHA-512/224 and SHA-512/256 May 2013
This internet draft discusses the choices between using SHA-224 and
SHA-256 verses SHA-512/224 and SHA-512/256 in digital signature
applications and HMACs based on their performance advantages to each
other.
2. Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Usage Recommendation for Digital Signatures with SHA-512/224 and SHA-
512/256
Obviously, SHA-512/224 and SHA-512/256 may be substituted for SHA-224
and SHA-256 respectively in protocols and applications.
One of the common uses of hash functions is in digital signature
applications. There are three NIST-approved digital signature
algorithms defined in [FIPS186]: RSA, DSA and ECDSA.
When a 1024 or 2048-bit RSA digital signature algorithm is used, any
of the approved hash functions can be used since their biggest hash
value is only 512 bits (when SHA-512 is used). Different padding
methods have different required fields in the data block that is
signed by the RSA private key and the RSA moduli (1024 or 2048 bits).
The total size of these required fields and the hash value is not
greater than 1024 bits. Therefore, RSA digital signature applications
will not have any technical issues in deploying any of the approved
hash algorithms including SHA-512. Therefore, SHA-512/224 and SHA-
512/256 are not preferred over SHA-512 for RSA digital signature
applications. However, if a RSA digital signature application in a
system that is a 64-bit platform, SHA-512/224 and SHA-512/256 are
preferred over SHA-224 and SHA-256 respectively due to their
performance advantage over these latter two hash functions.
If communicating points in a protocol are mainly to be run on 64-bit
platforms, SHA-512/224 or SHA-512/256 should be used in 2048-bit RSA
digital signature application. It is important to note that 1024-bit
RSA digital signature generation is disallowed by NIST after 2013,
see SP 800-131A [131A] for more details.
If digital signature algorithm is negotiable in a protocol where
communicating points may be run on both 64-bit and smaller (32-bit
for example) platforms, RSA digital signature with either SHA-512/224
or SHA-512/256 should be an option if RSA digital signature algorithm
is supported. For example, if both ends of a communication run on 64-
Dang & Turner Expires November 22,2013 [Page 3]
Internet-Draft SHA-512/224 and SHA-512/256 May 2013
bit platforms, they may want to use RSA with SHA-512/224 or SHA-
512/256. If both ends of the communication run on 32-(or smaller) bit
platforms (constrained environments), they may prefer to use RSA with
SHA-224 or SHA-256 instead. And, if one end runs on 64-bit platform
and the other end runs on a 32-(or smaller) bit platform, then it
depends on the situation for which what digital signature algorithm:
RSA with SHA-512/224 (or SHA-512/256) or RSA with SHA-224 (or SHA-
256) should be used (from negotiation). A server running on a 64-bit
machine that handles a lot of computation with many clients may
prefer to use RSA with SHA-512/224 or SHA-512/256, but a constrained
client may prefer to use RSA with SHA-224 or SHA-256 instead.
For DSA, there are two key pair sizes, which are NIST-approved:
(L=2048, N=224) and (L=3072, N=256) (the key pair size: (L = 1024, N
= 160) is not NIST-allowed to generate new digital signatures after
the end of 2013). In DSA digital signature generation process (see
FIPS 186 for details), if the hash value of the message is greater
than N (size of p), only N left-most bits of the hash value will be
used in the signing operation. Therefore, there is no security
reasons to deploy a hash function which produces hash output larger
than N (in bits) such as SHA-512. So, when getting performance
advantage from SHA-512/224 and SHA-512/256 over SHA-224 and SHA-256
on the platforms which are optimized for 64-bit operations is a good
thing, SHA-512/224 and SHA-512/256 should be used for (L=2048, N=224)
and (L=3072, N=256) DSA digital signature applications respectively.
If communicating points in a protocol are mainly to be run on 64-bit
platforms, SHA-512/224 and SHA-512/256 should be used in (L=2048,
N=224) and (L=3072, N=256) DSA digital signature applications
respectively.
If digital signature algorithm is negotiable in a protocol where
communicating points may be run on both 64-bit and smaller (32-bit
for example) platforms, DSA with SHA-512/224 or SHA-512/256 should be
an option if DSA digital signature algorithm is supported
ECDSA digital signature algorithms are specified in FIPS 186. Their
NIST-approved key sizes and hash functions are described in SPs 800-
57, part 1 [57] and 800-131A [131A]. After 2013, only curves with n
at least 224 bits are NIST-approved for digital signature generation.
In ECDSA, if the hash function produces the hash value bigger than
the size of n, then only the n left-most bits of the hash value are
used in computing and verifying the ECDSA digital signatures.
Dang & Turner Expires November 22,2013 [Page 4]
Internet-Draft SHA-512/224 and SHA-512/256 May 2013
If communicating points in a protocol are mainly to be run on 64-bit
platforms, SHA-512/224 and SHA-512/256 should be used in 224 and 256-
bit ECDSA digital signature applications respectively.
If digital signature algorithm is negotiable in a protocol where
communicating points may be run on both 64-bit and smaller (32-bit
for example) platforms, 224 or 256-bit ECDSA with SHA-512/224 or SHA-
512/256 respectively should be an option if ECDSA digital signature
algorithm is supported.
4. SHA-512/224 and SHA-512/256 in HMAC
Besides being used in digital signature applications, hash functions
are also used in HMAC [RFC2104]. If an exact 224-bit or 256-bit HMAC
value is needed, SHA-512/224 and SHA-512/256 should be used instead
of truncating SHA-512's hash output. And, HMAC with SHA-512/224 or
SHA-512/256 is strongly recommended for protocols where communicating
parties are mainly to be run on 64-bit platforms over HMAC with SHA-
224 or SHA-256 respectively.
5. Security Considerations
Note that SHA-512/224 and SHA-512/256 provide 112 and 128 bits of
collision resistance for digital signatures. See NIST SP 800-107
[107] for more discussion about security of these two hash functions.
6. IANA Considerations
None.
7. Conclusions
Will be added later.
8. References
8.1. Normative References
[FIPS180] Federal Information Processing Standard (FIPS) 180-4,
Secure Hash Standard, National Institute of Standards
and Technology, March 2012.
[FIPS186] Federal Information Processing Standard (FIPS) 186-3,
Digital Signature Standard (DSS), National Institute of
Standards and Technology, June 2009.
Dang & Turner Expires November 22,2013 [Page 5]
Internet-Draft SHA-512/224 and SHA-512/256 May 2013
[RFC2104] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104, February
1997.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
8.2. Informative References
[SHA256] http://bench.cr.yp.to/xweb-hash/long-sha256.html
[512/256]Shay Gueron, Simon Johnson and Jesse Walker, SHA-512/256,
2011 Eighth International Conference on Information
Technology: New Generat 7.
[57] NIST Special Publication (SP) 800-57, Part 1, Recommendation
for Key Management: General,(Revision 3) July 2012.
[107] NIST SP 800-107, Revision 1, Recommendation for Applications
Using Approved Hash Algorithms, August 2012.
[131A] E. Barker and A. Roginsky, "Transitions: Recommendation for
Transitioning the Use of Cryptographic Algorithms and Key
Lengths", NIST Special Publication 800-131A, January 2011.
9. Acknowledgments
Will be added later.
Dang & Turner Expires November 22,2013 [Page 6]
Internet-Draft SHA-512/224 and SHA-512/256 May 2013
10. Authors' Addresses
Quynh Dang
NIST
100 Bureau Drive, Stop 8930
Gaithersburg, MD 20899-8930
USA
EMail: quynh.dang@nist.gov
Sean Turner
IECA, Inc.
3057 Nutley Street, Suite 106
Fairfax, VA 22031 USA
EMail: turners@ieca.com
Dang & Turner Expires November 22,2013 [Page 7]