RFC Errata
RFC 8702, "Use of the SHAKE One-Way Hash Functions in the Cryptographic Message Syntax (CMS)", January 2020
Source of RFC: lamps (sec)
Errata ID: 6188
Status: Reported
Type: Technical
Publication Format(s) : TEXT, PDF, HTML
Reported By: Panos Kampanakis
Date Reported: 2020-05-26
Section 3.4 says:
When calculating the KMAC output, the variable N is 0xD2B282C2, S is an empty string, and L (the integer representing the requested output length in bits) is 256 or 512 for KmacWithSHAKE128 or KmacWithSHAKE256, respectively, in this specification.
It should say:
When calculating the KMAC output, the variable N is “KMAC” as defined in NIST SP800-185, S is an empty string, and L (the integer representing the requested output length in bits) is 256 or 512 for KmacWithSHAKE128 or KmacWithSHAKE256, respectively, in this specification.
Notes:
The originally described 0xD2B282C2 is the hex value of the binary representation (LSB first) of the string "KMAC" as defined in SP800-185. As it was pointed out to us, that representation was confusing and incorrect because NIST's KAT values include "KMAC" in hex format. Showing "KMAC" in binary (LSB first) is different than showing it in hex (MSB first). So, it is more accurate to keep the text generic as "KMAC" and point implementers to SP800-185.
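Added example (not part of RFC 8702 or of the erratum): the sketch below shows the two renderings of "KMAC" that the notes contrast, and the byte-level encoding of N that SP800-185 feeds to cSHAKE. The function names are chosen here for illustration; the rates of 168 and 136 bytes for cSHAKE128 and cSHAKE256 and the encoding helpers follow SP800-185.

```python
# Illustration only: function names are hypothetical, encodings follow SP800-185.

def reverse_bits(byte: int) -> int:
    """Reverse the bit order inside one byte (MSB-first <-> LSB-first)."""
    return int(f"{byte:08b}"[::-1], 2)

def lsb_first_hex(data: bytes) -> str:
    """Hex of the bit string written LSB-first per byte (the RFC 8702 form)."""
    return bytes(reverse_bits(b) for b in data).hex().upper()

def from_lsb_first_hex(text: str) -> bytes:
    """Recover the real bytes from an LSB-first rendering such as D2B282C2."""
    return bytes(reverse_bits(b) for b in bytes.fromhex(text))

def left_encode(x: int) -> bytes:
    """SP800-185 left_encode: length byte, then x as big-endian bytes."""
    n = max(1, (x.bit_length() + 7) // 8)
    return bytes([n]) + x.to_bytes(n, "big")

def encode_string(s: bytes) -> bytes:
    """SP800-185 encode_string: bit length of s, then s itself."""
    return left_encode(len(s) * 8) + s

def bytepad(x: bytes, w: int) -> bytes:
    """SP800-185 bytepad: prepend left_encode(w), zero-pad to a multiple of w."""
    z = left_encode(w) + x
    return z + b"\x00" * (-len(z) % w)

def kmac_cshake_prefix(rate_bytes: int, s: bytes = b"") -> bytes:
    """First block absorbed by cSHAKE for KMAC: N is the ASCII string KMAC."""
    return bytepad(encode_string(b"KMAC") + encode_string(s), rate_bytes)

if __name__ == "__main__":
    n = b"KMAC"
    print("hex, MSB first (NIST KAT form):", n.hex().upper())
    print("bits LSB first, shown as hex  :", lsb_first_hex(n))
    # An implementation that used the bytes D2 B2 82 C2 as N would not
    # interoperate; the bytes that go into encode_string are 4B 4D 41 43.
    print("KmacWithSHAKE128 prefix:", kmac_cshake_prefix(168)[:10].hex())
    print("KmacWithSHAKE256 prefix:", kmac_cshake_prefix(136)[:10].hex())
```

A quick interoperability check for an implementation is that the first absorbed block begins 01 A8 01 20 4B 4D 41 43 01 00 for KmacWithSHAKE128 with an empty S, as in the NIST sample data.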