]> BLAKE2 Algorithms and Identifiers for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile Google
320 N Morgan St #600 Chicago IL 60607 USA wconner@google.com
Google
340 Main St Venice CA 90291 USA agl@google.com
Google
200 W Franklin St #300 Chapel Hill NC 27516 USA sleevi@google.com
Microsoft
One Microsoft Way Redmond WA 98052 USA Andrei.Popov@microsoft.com
General BLAKE2 signature rsa ecdsa eddsa This document describes the conventions for using the BLAKE2b-512 hash function with each of the following algorithms: RSA Encryption Scheme - Optimal Asymmetric Encryption Padding (RSAES-OAEP), RSA Probabilistic Signature Scheme (RSASSA-PSS), RSA Public-Key Cryptography Standards #1 version 1.5 (RSASSA PKCS#1 v1.5), Digital Signature Algorithm (DSA), Elliptic Curve Digital Signature Algorithm (ECDSA), and Edwards-curve Digital Signature Algorithm (EdDSA). This specification applies to the Internet X.509 Public Key Infrastructure (PKI) when digital signatures are used to sign certificates and certificate revocation lists (CRLs). This document also specifies the object identifiers for the combinations of the BLAKE2b-512 hash function with the aforementioned algorithms.
The SHA-2 family of hash functions is currently the only secure and widely supported option for digital signatures in the PKIX ecosystem . While there is no reason to be seriously concerned about the security of SHA-2, which is still acceptable according to NIST SP 800-131A rev. 1, numerous previous hash functions have eventually suffered from collision attacks and needed to be replaced. Since it takes a very long time to establish support for new primitives in the PKIX ecosystem, it seems prudent to have an alternative prepared. This document specifies object identifiers to identify the combination of the BLAKE2b-512 hash function with each of RSAES-OAEP, RSASSA-PSS, RSASSA PKCS#1 v1.5, DSA, ECDSA, and EdDSA. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .
This section describes the algorithms and corresponding object identifiers, which may be used in conjunction with the BLAKE2b-512 hash function.
specifies the BLAKE2 family of hash functions, including the BLAKE2b-512 hash function. The BLAKE2b-512 hash function is optimized for 64-bit platforms and produces 64-byte message digests. The object identifier for the BLAKE2b-512 hash algorithm is specified in and included below for reference.
The object identifiers for the encryption and signature algorithms that use the BLAKE2b-512 hash function will appear under the following arcs derived from .
specifies the object identifier for the mask generation function MGF1, which is included below for reference.
The algorithm identifiers for the BLAKE2b-512 hash function and the mask generation function MGF1 that uses the BLAKE2b-512 hash function are the following.
specifies the RSAES-OAEP algorithm and parameters. The sequence for the parameters is included below for reference.
This section specifies a single object identifier to identify the combination of RSAES-OAEP with BLAKE2b-512.
Using id-RSAEP-OAEP-with-blake2b512 requires the following RSAES-OAEP parameters.
specifies the RSASSA-PSS algorithm and parameters. The sequence for the parameters is included below for reference.
This section specifies a single object identifier to identify the combination of RSASSA-PSS with BLAKE2b-512.
Using id-RSASSA-PSS-with-blake2b512 requires the following RSASSA-PSS parameters.
specifies the RSASSA PKCS #1 v1.5 signature algorithm. This section specifies a single object identifier to identify the combination of RSASSA PKCS#1 v1.5 with BLAKE2b-512.
NIST FIPS PUB 186-4 specifies the DSA signature algorithm. This section specifies a single object identifier to identify the combination of DSA with BLAKE2b-512.
NIST FIPS PUB 186-4 specifies the ECDSA signature algorithm. specifies identifiers for using the SHA-2 family of hash functions with ECDSA. This section specifies a single object identifier to identify the combination of ECDSA with BLAKE2b-512.
specifies the EdDSA algorithm. This section specifies a single object identifier to identify the combination of EdDSA with the edwards448 curve and BLAKE2b-512 hash function.
For BLAKE2-specific security considerations, Section 4 of includes a brief security analysis of the BLAKE2 hash algorithm. The BLAKE hash algorithm, which was the predecessor of BLAKE2, was analyzed as part of the SHA-3 competition . The BLAKE2 hash algorithm builds on BLAKE with some tweaks. For general PKIX Certificate and CRL Profile security considerations, Section 8 of provides a good overview.
Although the algorithm identifiers are currently specified under the object identifier arc specified in , the authors would not oppose the assignment of these algorithms to object identifiers in a more suitable location under the IANA object identifier space in future drafts.
The authors would like to thank the designers for answering our questions about BLAKE2 and allowing us to use their object identifier space. In particular, our email exchanges with Jean-Philippe Aumasson were very helpful. The authors would also like to thank the participants of the LAMPS working group who provided valuable feedback.
&RFC2119; &RFC2313; &RFC4055; &RFC5280; &RFC5758; &RFC7693; &RFC8032; SHA-3 proposal BLAKE BLAKE2: simpler, smaller, fast as MD5 Secure Hash Standard (SHS) National Institute of Standards and Technology Digital Signature Standard (DSS) National Institute of Standards and Technology Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths