- Sep 2020
-
eprint.iacr.org
-
Parse U as X‖Y with |X| = d
This is exactly the pattern of calls to the hash function inside HMAC: Hash( (K' xor opad) || Hash( (K' xor ipad) || m ) ).
This clarifies that the simulator can only simulate calls to Hash that have this form, i.e. that are done from within HMAC. It cannot consistently simulate calls of a different form, i.e. that are done directly.
The consequence for a protocol that uses this theorem for its security proof is that the hash function cannot be used directly for arbitrary calls.
-
Another example is exactly the set of widest consequence: the set of all keys of a fixed length that is less than d−1.
This works because internally, the key will be padded up to the block length. Then, there will be at least one byte where the two different paddings can be distinguished.
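The two notes above, worked through as an added example (not code from the paper or from the annotations): HMAC rebuilt from raw hash calls in exactly the nested pattern quoted, plus a check of whether any key's inner block can equal any key's outer block. It assumes SHA-256 and measures lengths in bytes rather than bits; the function names and sample keys are constructed for illustration.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C  # RFC 2104 padding bytes


def key_blocks(key: bytes, hash_name: str = "sha256"):
    """Return (K' xor ipad, K' xor opad) for the given key."""
    d = hashlib.new(hash_name).block_size            # block length in bytes
    if len(key) > d:                                 # long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    k_prime = key.ljust(d, b"\x00")                  # zero-pad up to the block length
    return bytes(b ^ IPAD for b in k_prime), bytes(b ^ OPAD for b in k_prime)


def hmac_from_hash(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """Hash((K' xor opad) || Hash((K' xor ipad) || m)) using only raw hash calls."""
    inner_key, outer_key = key_blocks(key, hash_name)
    inner = hashlib.new(hash_name, inner_key + msg).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()


def blocks_can_collide(keys, hash_name: str = "sha256") -> bool:
    """True if some key's inner block equals some (possibly other) key's outer block."""
    inner = {key_blocks(k, hash_name)[0] for k in keys}
    outer = {key_blocks(k, hash_name)[1] for k in keys}
    return bool(inner & outer)


if __name__ == "__main__":
    key, msg = b"constructed-key!", b"constructed message"
    # The nested raw-hash pattern matches the library's HMAC.
    print(hmac_from_hash(key, msg) == hmac.new(key, msg, hashlib.sha256).digest())

    # Fixed-length 16-byte keys: the zero padding becomes 0x36 in every inner
    # block and 0x5c in every outer block, so the two kinds never coincide.
    short_keys = [bytes([i]) * 16 for i in range(256)]
    print(blocks_can_collide(short_keys))            # False

    # Full-block-length keys leave no padding byte to tell the blocks apart:
    # k2 = k1 xor (ipad xor opad) gives k2 xor opad == k1 xor ipad.
    k1 = bytes(range(64))
    k2 = bytes(b ^ IPAD ^ OPAD for b in k1)
    print(blocks_can_collide([k1, k2]))              # True
```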
-
- Apr 2020
-
noiseprotocol.org
-
HMAC is used with all hash functions instead of allowing hashes to use a more specialized function (e.g. keyed BLAKE2), because: HKDF requires the use of HMAC
This does not comment on the choice of HKDF over specialized hash function modes that are designed to be a KDF (like BLAKE3 seems to do). The comment “HMAC applies nested hashing to process each input. This "extra" hashing might mitigate the impact of hash function weakness.” applies on the level of HKDF, too.
-
SHA3 candidates such as Keccak and BLAKE were required to be suitable with HMAC
-