4 Matching Annotations
  1. Sep 2020
  2. eprint.iacr.org eprint.iacr.org
    To Hash or Not to Hash Again? \(In\)differentiability Results for H2 and HMAC
    2
    1. blipp 09 Sep 2020
      ParseUasX‖Ywith|X|=d

      This is exactly the pattern of calls to the hash function inside HMAC: Hash( (K' xor opad) || Hash( (K' xor ipad) || m ) ).

      This clarifies that the simulator can only simulate calls to Hash that have this form, i.e. that are done from within HMAC. It cannot consistently simulate calls of a different form, i.e. that are done directly.

      The consequence for a protocol that uses this theorem for its security proof is that the hash function cannot be used directly for arbitrary calls.

      HKDF HMAC indifferentiability
    2. blipp 09 Sep 2020
      Another example is exactly the set of widestconsequence: the set of all keys of a fixed length that is less thand−1.

      This works because internally, the key will be padded up to the block length. Then, there will be at least one byte where the two different paddings can be distinguished.

      HMAC HKDF indifferentiability
    Visit annotations in context

    Tags

    Annotators

    URL

    eprint.iacr.org/2013/382.pdf
  3. Apr 2020
  4. noiseprotocol.org noiseprotocol.org
    The Noise Protocol Framework
    2
    1. blipp 03 Apr 2020
      HMAC is used with all hash functions instead of allowing hashes to use a more specialized function (e.g. keyed BLAKE2), because: HKDF requires the use of HMAC

      This does not comment on the choice of HKDF over specialized hash function modes that are designed to be a KDF (like BLAKE3 seems to do). The comment “HMAC applies nested hashing to process each input. This "extra" hashing might mitigate the impact of hash function weakness.” applies on the level of HKDF, too.

      HKDF HMAC SHA3
    Visit annotations in context

    Tags

    Annotators

    URL

    noiseprotocol.org/noise.html