NIST is proposing to withdraw Special Publication (SP) 800-106. Please submit public comments by November 18, 2022.
As a part of the periodic review of NIST’s cryptographic standards and guidelines, NIST's Crypto Publication Review Board announced the review of NIST Special Publication (SP) 800-106, Randomized Hashing for Digital Signatures. NIST subsequently received and posted public comments.
NIST proposes to withdraw SP 800-106. Submit your comments on this decision by November 18, 2022 to cryptopubreviewboard [at] nist.gov (subject: Comments%20on%20Decision%20Proposal%20of%20SP%20800-106) with "Comments on Decision Proposal of SP 800-106" in the subject line. Comments received in response to this request will be posted on the Crypto Publication Review Project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed. See the project site for additional information about the review process.
Rationale for the Withdrawal of SP 800-106
Digital signatures rely on collision-resistant hash functions to assure the authenticity of the signed message. SP 800-106 provides a method for randomized hashing to protect digital signatures that utilize hash functions with weak collision resistance. The standard offers a specific technique but allows any randomized hashing technique to be used in FIPS-approved systems.
SP 800-106 was published in 2009 when SHA-1 was demonstrated to contain weaknesses with respect to collision resistance. Since then, Federal Information Processing Standard (FIPS) 202 has been published announcing the SHA-3 family of hash functions. SHA-1 has also been deprecated for generating new digital signatures in SP 800-131A Revision 1 as of 2015.
SP 800-106 accomplished the original mission of strengthening the collision resistance for NIST-approved digital signature algorithms to avoid pitfalls while signing with SHA-1. In addition, message randomization has been built into newer digital signature schemes such as EdDSA. SP 800-106 neither mandated the use of a message randomization technique nor restricted message randomization to the specific technique introduced in the standard. Note that the use of randomized hashing in FIPS-approved systems is not disallowed with the withdrawal of SP 800-106.