4 Matching Annotations
  1. Sep 2020
  2. eprint.iacr.org eprint.iacr.org
    To Hash or Not to Hash Again? \(In\)differentiability Results for H2 and HMAC
    2
    1. blipp 09 Sep 2020
      ParseUasX‖Ywith|X|=d

      This is exactly the pattern of calls to the hash function inside HMAC: Hash( (K' xor opad) || Hash( (K' xor ipad) || m ) ).

      This clarifies that the simulator can only simulate calls to Hash that have this form, i.e. that are done from within HMAC. It cannot consistently simulate calls of a different form, i.e. that are done directly.

      The consequence for a protocol that uses this theorem for its security proof is that the hash function cannot be used directly for arbitrary calls.

      HKDF HMAC indifferentiability
    2. blipp 09 Sep 2020
      Another example is exactly the set of widestconsequence: the set of all keys of a fixed length that is less thand−1.

      This works because internally, the key will be padded up to the block length. Then, there will be at least one byte where the two different paddings can be distinguished.

      HMAC HKDF indifferentiability
    Visit annotations in context

    Tags

    Annotators

    URL

    eprint.iacr.org/2013/382.pdf
  3. Mar 2020
  4. hal.inria.fr hal.inria.fr
    A Mechanised Cryptographic Proof of the WireGuard Virtual Private Network Protocol
    2
    1. blipp 25 Mar 2020
      Figure 2: Simulator forH
      indifferentiability simulator hkdf
    2. blipp 25 Mar 2020
      4 Indifferentiability of Hash Chains
      indifferentiability WireGuard hkdf
    Visit annotations in context

    Tags

    Annotators

    URL

    hal.inria.fr/hal-02100345v2/document