10 The truncated message digest of λ bits provides an expected preimage resistance of λ bits, not L bits, regardless of the hash function used. The expected second preimage resistance strength of a message digest truncated to λ bits sometimes depends on the length of the message. This dependence is determined as specified in Appendix A. Note that there are situations for which the expected second preimage resistance strength does not depend on the message length. For example, a 130- bit truncated message digest generated using SHA-256 has an expected second preimage strength of 130 bits, rather than a value in the range specified in Table 1 above for SHA- 256. Truncating the message digest can have other impacts, as well. For example, applications that use a truncated message digest risk attacks based on confusion between different parties about the specific amount of truncation used, as well as the specific hash function that was used to produce the truncated message digest. Any application using a truncated message digest is responsible for ensuring that the truncation amount and the hash function used are known to all parties, with no chance of ambiguity.

5.2 Digital Signatures

A hash function is used to map a message of any eligible length see FIPS 180-4 to a fixed-length message digest. In a digital signature generation process, this message digest is then signed by a signing operation, such as an RSA private key operation, to produce a digital signature. The resulting digital signature is used to verify who signed the message and whether or not the message was altered either deliberately or accidentally after it was signed. When two different messages have the same message digest i.e., a collision is found, then a digital signature of one message could be used as a digital signature for the other message. If this happens, then a verified digital signature does not guarantee the authenticity of the signed message, because either one of the two messages could be considered valid. Therefore, a hash function used for digital signatures requires collision resistance. The approved hash functions are considered to provide the collision resistance strengths as specified in Table 1 of Section 4.2. For digital signature applications, the security strength of a hash function without any preprocessing is generally its collision resistance strength. When appropriate processing is applied to the data before the hash value is computed, the security strength may be more than the collision resistance strength see Section 5.2.3. Without any preprocessing of the message input to the hash function, the security strength of any digital signature that is generated using an algorithm specified in FIPS 186-3 is the minimum of the collision resistance strength of the hash algorithm and the security strength provided by the signing algorithm. More information on security strengths can be found in SP 800-57, Part 1. For instance, if a digital signature that is generated by one of the approved digital signature algorithms with SHA-1 as the hash 11 function and key sizes specified in FIPS 186-3 3 , then the security strength of this digital signature is less than 80 bits see Table 1 in Section 4.2; i.e., the strength of the digital signature process is determined by the strength of SHA-1, rather than the strength of the key, in this case. Therefore, SHA-1 shall not be used in any new digital signature applications that require at least 80 bits of security strength. Furthermore, SHA-1 shall not be used for the generation of digital signatures after the end of 2013 see SP 800- 131A [SP 800-131A] for information about the required key lengths for digital signature applications. More information on the security strengths of digital signature applications using the approved hash algorithms and the recommended lifetimes of cryptographic algorithm usage can be found in SP 800-57, Part 1. There are several ways to use hash functions with digital signature algorithms as described below.

5.2.1 Full-length Message Digests

When the untruncated output of an approved hash function as specified in FIPS 180-4 is used by an approved digital signature algorithm as specified in FIPS 186-3, the resulting full-length message digests can support security strengths up to those given in Table 1 of Section 4.2 for collision resistance.

5.2.2 Truncated Message Digests

In some specific situations, truncated message digests are used in generating digital signatures. Details about these situations, including the lengths required for the truncated hash values, can be found in FIPS 186-3. In such cases, the security strength that can be supported by a hash function depends on the length of these truncated values, as well as the particular hash function that is used. As noted in Section 5.1, when the outputs of an approved L-bit hash function are truncated to λ bits where λ L, the collision resistance strength supported by the truncated message digests is reduced to λ 2 bits. Therefore, in addition to the requirementsrestrictions imposed by FIPS 186-3, the value of λ shall be at least twice the desired security strength in bits required for the digital signature. For example, if a security strength of 112 bits is required for digital signatures, a truncated message digest of at least 224 bits must be used. If requireddesired, any approved hash functions except SHA-1 could be employed to generate truncated message digests of exactly 224 bits in length. For SHA-224 and SHA-512224, the hash functions output would not require truncation. It is recommended that the hash function chosen should minimize the number of truncation operations required to achieve the requireddesired length for the hash value. For the 224-bit example above, SHA-512224 should be chosen over SHA-384 and SHA-512256. All three hash functions employ one internal truncation operation to produce their output, but SHA-384 and SHA-512256 would each require an additional external truncation operation to pare their output down to the desired length of 224 bits. 3 Key sizes that provide at least 112 bits of strength are provided. 12

5.2.3 Randomized Hashing for Digital Signatures

As described in Section 5.2, the overall security strength of a digital signature is limited by the collision resistance strength of the hash function. However, when using the randomized hashing technique specified in SP 800-106 [SP 800-106], a randomized hash function may support a higher level of security with respect to a particular potential vulnerability, offering enhanced protection to a message signer against a collision attack by a malicious message preparer who formulates the message to be signed, but does not actually sign the message. In such an attack, the malicious message preparer would endeavor to find two messages that hash to the same value. Once the message signer had generated a signature for one of the messages, the malicious preparer could accuse the signer of having signed the other message instead. In situations where one party is asked to sign messages prepared by another party, the level of protection in bits that is provided to the message signer against a collision attack by using randomized hashing is determined by the minimum of the following three quantities: • The second preimage resistance strength in bits of the hash function. • The security strength in bits of the random bit generator RBG employed by the signer to produce bit strings used to randomize messages, or, the collision resistance strength in bits of the hash function – whichever is larger. • The sum of the collision resistance strength in bits of the hash function and the smaller of these two quantities: 1 The length in bits of bit strings used to randomize messages denoted rv in SP 800-106, and 2 The length in bits of the RBG output used to generate rv as specified in Section 3.3 of SP 800-106. When randomized hashing is used, the RBG see Section 5.5 below for more information employed to produce the bit strings used to randomize messages shall support a security strength that is equal to or greater than the security strength of the signing algorithm. See SP 800-57, Part 1, for information about security strengths of different signing algorithms. The randomization process itself shall conform to the specifications of SP 800-106 for digital signature applications supporting at least 112 bits of security. Under these conditions, SHA-1-based randomized hashing could provide 112 bits of security strength against a collision attack by a malicious message preparer, even though the unrandomized SHA-1 function has a collision resistance strength that is less than 80 bits. It is important to note what the use of randomized hashing for digital signatures does and does not provide: 1 Randomized hashing can offer a message signer additional protection by reducing the likelihood that a message preparer can find multiple messages that yield the same hash value during the digital signature 13 generation process – even if it is practical to find collisions for the unrandomized hash function. 2 Randomized hashing does not offer the message preparer or the signature verifiers any additional protection from a misbehaving signer who may, for example, generate one signature that can be associated with either of two chosen messages after finding randomized versions of those messages that hash to the same value. 3 Randomized hashing does not improve the assurance of origin authenticity, data integrity, andor signatory non-repudiation provided by the digital signature to signature verifiers i.e., relying parties. 5.3 Keyed-Hash Message Authentication Codes HMAC 5.3.1 Description