randombit / botan

Cryptography Toolkit

Home Page: https://botan.randombit.net

ECDSA using SHAKE

chtraub opened this issue · comments

Hi there,

As a customer request, I need to use ECDSA with SHAKE as the hash algorithm. Unfortunately, this does not seem to be possible at the moment. Is there a way I can do that? Otherwise, please consider this a feature request.

Regards Chris

I think this works already. One thing to keep in mind is that you have to specify the output length for SHAKE. Most standards seem to use 2*N bits of output for SHAKE-N.

$ botan keygen --algo=ECDSA > ecdsa.key
$ botan sign --hash='SHAKE-128(256)' ecdsa.key readme.rst
eJ034iK9msJbbQyvQ+qm6KNc4p/G+jCJS38XwdQUSgfZ2zm8BTsiFFodf40zm3JP9b6TTWSyJjOLoST7Ofz4bg==

One thing that is missing is that we don't have the ECDSA-with-SHAKE OIDs from RFC 8692. So out of the box you wouldn't be able to, e.g., create an X.509 certificate using ECDSA+SHAKE. You can register new OIDs at runtime with OID::register_oid, e.g. (untested!)

Botan::OID::register_oid(Botan::OID({1,3,6,1,5,5,7,6,32}), "ECDSA/SHAKE-128(256)");
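The remark above that SHAKE needs an explicit output length is worth seeing concretely. SHAKE-128 and SHAKE-256 are extendable-output functions: the same input yields an output stream of arbitrary length, and a shorter output is a prefix of a longer one, so "SHAKE-128(128)" and "SHAKE-128(256)" are different hash configurations that a signer and verifier must agree on. The following is an added, self-contained Keccak-f[1600] sponge in C++ written for this page (it is not Botan code and has no dependency on it) that exposes shake128/shake256 with a caller-chosen output length; the message strings fed to it are constructed sample inputs.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Keccak-f[1600] round constants (iota step).
static const uint64_t RC[24] = {
    0x0000000000000001ULL, 0x0000000000008082ULL, 0x800000000000808AULL, 0x8000000080008000ULL,
    0x000000000000808BULL, 0x0000000080000001ULL, 0x8000000080008081ULL, 0x8000000000008009ULL,
    0x000000000000008AULL, 0x0000000000000088ULL, 0x0000000080008009ULL, 0x000000008000000AULL,
    0x000000008000808BULL, 0x800000000000008BULL, 0x8000000000008089ULL, 0x8000000000008003ULL,
    0x8000000000008002ULL, 0x8000000000000080ULL, 0x000000000000800AULL, 0x800000008000000AULL,
    0x8000000080008081ULL, 0x8000000000008080ULL, 0x0000000080000001ULL, 0x8000000080008008ULL};

// Rotation offset for lane (x, y), stored at index x + 5*y (rho step).
static const int ROT[25] = {0,  1,  62, 28, 27, 36, 44, 6,  55, 20, 3,  10, 43,
                            25, 39, 41, 45, 15, 21, 8,  18, 2,  61, 56, 14};

static inline uint64_t rotl(uint64_t v, int n) { return n == 0 ? v : (v << n) | (v >> (64 - n)); }

// One application of the Keccak-f[1600] permutation to the 25-lane state.
static void keccak_f1600(uint64_t A[25]) {
    for (int round = 0; round < 24; ++round) {
        uint64_t C[5], D[5], B[25];
        for (int x = 0; x < 5; ++x) C[x] = A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20];
        for (int x = 0; x < 5; ++x) D[x] = C[(x + 4) % 5] ^ rotl(C[(x + 1) % 5], 1);
        for (int i = 0; i < 25; ++i) A[i] ^= D[i % 5];  // theta
        for (int x = 0; x < 5; ++x)
            for (int y = 0; y < 5; ++y)  // rho + pi: lane (x,y) moves to (y, 2x+3y)
                B[y + 5 * ((2 * x + 3 * y) % 5)] = rotl(A[x + 5 * y], ROT[x + 5 * y]);
        for (int y = 0; y < 5; ++y)
            for (int x = 0; x < 5; ++x)  // chi
                A[x + 5 * y] = B[x + 5 * y] ^ (~B[(x + 1) % 5 + 5 * y] & B[(x + 2) % 5 + 5 * y]);
        A[0] ^= RC[round];  // iota
    }
}

// Generic SHAKE sponge: absorb at the given byte rate with domain suffix 0x1F, then squeeze out_len bytes.
static std::vector<uint8_t> shake(const std::vector<uint8_t>& msg, size_t rate, size_t out_len) {
    uint64_t S[25] = {0};
    // Keccak orders bytes little-endian within each 64-bit lane; do it explicitly to stay portable.
    auto xor_byte = [&](size_t i, uint8_t b) { S[i / 8] ^= uint64_t(b) << (8 * (i % 8)); };
    auto get_byte = [&](size_t i) { return uint8_t(S[i / 8] >> (8 * (i % 8))); };

    size_t pos = 0;
    for (uint8_t b : msg) {
        xor_byte(pos++, b);
        if (pos == rate) { keccak_f1600(S); pos = 0; }
    }
    xor_byte(pos, 0x1F);       // SHAKE domain separator plus first pad bit
    xor_byte(rate - 1, 0x80);  // final bit of pad10*1 (may land on the same byte as 0x1F)
    keccak_f1600(S);

    std::vector<uint8_t> out;
    while (out.size() < out_len) {
        for (size_t i = 0; i < rate && out.size() < out_len; ++i) out.push_back(get_byte(i));
        if (out.size() < out_len) keccak_f1600(S);  // squeeze another block only if still needed
    }
    return out;
}

// SHAKE-128 has a 1344-bit rate (168 bytes); SHAKE-256 has a 1088-bit rate (136 bytes).
std::vector<uint8_t> shake128(const std::string& m, size_t out_bits) {
    return shake(std::vector<uint8_t>(m.begin(), m.end()), 168, out_bits / 8);
}
std::vector<uint8_t> shake256(const std::string& m, size_t out_bits) {
    return shake(std::vector<uint8_t>(m.begin(), m.end()), 136, out_bits / 8);
}

std::string to_hex(const std::vector<uint8_t>& v) {
    static const char* digits = "0123456789abcdef";
    std::string s;
    for (uint8_t b : v) { s += digits[b >> 4]; s += digits[b & 15]; }
    return s;
}

// True if a is a prefix of b: the property that makes "SHAKE-128(128)" and "SHAKE-128(256)" related but distinct.
bool is_prefix(const std::vector<uint8_t>& a, const std::vector<uint8_t>& b) {
    if (a.size() > b.size()) return false;
    for (size_t i = 0; i < a.size(); ++i) if (a[i] != b[i]) return false;
    return true;
}

int main() {
    const std::string msg = "constructed sample message";  // constructed input, not from the thread
    std::cout << "SHAKE-128(128): " << to_hex(shake128(msg, 128)) << "\n";
    std::cout << "SHAKE-128(256): " << to_hex(shake128(msg, 256)) << "\n";
    std::cout << "SHAKE-256(512): " << to_hex(shake256(msg, 512)) << "\n";
    return 0;
}
```

The 2*N convention the comment mentions is what RFC 8692 fixes for signatures: SHAKE128 with 256 bits of output and SHAKE256 with 512 bits of output. Because the shorter output is a prefix of the longer one, a mismatch in the configured length does not show up as garbage; it shows up as a perfectly valid digest of a different length, which ECDSA then truncates or pads differently, so the verification simply fails.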

Thank you for your quick response!
But I need to do that in my own software. In your example code for ECDSA, you are doing:

Botan::PK_Signer signer(key, rng, "SHA-256");
Botan::PK_Verifier verifier(key, "SHA-256");

Following that, I need to do something like this:

Botan::PK_Signer signer(key, rng, "SHAKE-256(256)");
Botan::PK_Verifier verifier(key, "SHAKE-256(256)");

But it seems that this isn't possible. I dug a bit into the source code of Botan, and it looked to me like this simply isn't supported at the moment. And it wasn't obvious to me how to add support for this.

What fails, and how? The CLI example I gave earlier itself uses PK_Signer to compute the signature.

Yes, you are right!
It is actually working ;-)
I tried this already several weeks ago and wasn't able to get it to work. I can't reproduce what I did wrong back then...
Sorry for wasting your time.
Chris