Extend Fuse/FE to 512-bits, Update HMAC384 to HMAC512 to meet PQC ML-DSA-87 requirement #581

mojtaba-bisheh · 2024-09-03T15:51:31Z

FIPS204 requires using SHA512 for pre-hash mode to maintain security level at category 5.
IETF Composite Keys and Signatures draft requires using SHA512 for hybrid mode between ML-DSA-87 and ECC Secp384r1.

Hence, HMAC384 needs to be updated to HMAC512 to maintain PQC flow at category 5. HMAC384 will be removed.

Since HMAC512 requires 512-bit key, UDS and FE needs to be extended to 512 bits.

KV needs to be extended to 512 bits as mentioned here: #580

Since PCR path needs to be implemented within hardware boundary, any IETF requirement for hybrid signature will be hardcoded.

calebofearth · 2024-11-27T01:49:03Z

Addressed in #625 and #589

mojtaba-bisheh · 2024-11-27T18:12:45Z

We support dual signatures, and FW/SW will be responsible for using composite signature or any other hybrid schemes
HMAC supports both HMAC384 and HMAC512.
PCR path will be addressed as a part of #645

mojtaba-bisheh added the 2.0 feature request label Sep 3, 2024

mojtaba-bisheh assigned mojtaba-bisheh and Nitsirks Sep 3, 2024

bharatpillilli added the Approved label Oct 8, 2024

mojtaba-bisheh closed this as completed Nov 27, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Extend Fuse/FE to 512-bits, Update HMAC384 to HMAC512 to meet PQC ML-DSA-87 requirement #581

Extend Fuse/FE to 512-bits, Update HMAC384 to HMAC512 to meet PQC ML-DSA-87 requirement #581

mojtaba-bisheh commented Sep 3, 2024

calebofearth commented Nov 27, 2024

mojtaba-bisheh commented Nov 27, 2024

Extend Fuse/FE to 512-bits, Update HMAC384 to HMAC512 to meet PQC ML-DSA-87 requirement #581

Extend Fuse/FE to 512-bits, Update HMAC384 to HMAC512 to meet PQC ML-DSA-87 requirement #581

Comments

mojtaba-bisheh commented Sep 3, 2024

calebofearth commented Nov 27, 2024

mojtaba-bisheh commented Nov 27, 2024