
Replacing SHA-2 with SHA-3 Enhances Generic Security of \(\mathtt {HMAC}\)

  • Conference paper
Topics in Cryptology - CT-RSA 2016 (CT-RSA 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9610)

Abstract

In this paper, we study the MAC- and the PRF-security of \(\mathtt {HMAC}\) in the sense of generic security when replacing SHA-2 with SHA-3. We first consider the generic security of the SHA-3-based \(\mathtt {HMAC}\) construction: \(\mathtt {Sponge}\)-based \(\mathtt {HMAC}\). We provide (nearly) tight upper-bounds on the MAC- and the PRF-security of \(\mathtt {Sponge}\)-based \(\mathtt {HMAC}\), which are \(O(\frac{nq}{2^n})\) and \(O(\frac{q^2}{2^{n}})\), respectively. Here, q is the number of queries to \(\mathtt {HMAC}\) and \(n\) is the output length of the hash function.

We then compare the MAC- and the PRF-security of \(\mathtt {Sponge}\)-based \(\mathtt {HMAC}\) with those of the SHA-2-based \(\mathtt {HMAC}\) constructions: \(\mathtt {MD}\)- (Merkle-Damgård) or \(\mathtt {ChopMD}\)-based \(\mathtt {HMAC}\). It was previously proven [2, 3, 11] that the upper-bounds on the MAC- and the PRF-security of \(\mathtt {MD}\)-based \(\mathtt {HMAC}\) are both \(O(\frac{\ell q^2}{2^n})\), and those for \(\mathtt {ChopMD}\)-based \(\mathtt {HMAC}\) are both \(O(\frac{q^2}{2^{n}} + \frac{\ell q^2}{2^{n+t}})\). Here, q is the number of queries to \(\mathtt {HMAC}\), \(\ell \) is the maximum query length, \(n\) is the output length of the hash function, and t is the number of truncated bits in \(\mathtt {ChopMD}\). Hence, replacing SHA-2 with SHA-3 enhances the MAC-security of \(\mathtt {HMAC}\) in every case. For PRF-security, replacing SHA-2 having the \(\mathtt {MD}\) construction with SHA-3 enhances the PRF-security of \(\mathtt {HMAC}\), and replacing SHA-2 having the \(\mathtt {ChopMD}\) construction with SHA-3 enhances it if \(\ell > 2^t\), i.e. when the truncation is too short to absorb the length factor.
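The following is an added illustration, not code from the paper or its authors. It builds \(\mathtt {HMAC}\) by hand over both SHA-2 and SHA-3 (RFC 2104 / FIPS 198-1 layout; for SHA-3 the block size is the sponge rate \(r = b - c\), the quantity Note 3 refers to as \(|K'|\)), checks it against Python's `hmac` module, and evaluates the abstract's bounds numerically so the \(\ell > 2^t\) condition can be seen on concrete parameters. The parameter values (\(n = 256\), \(q = 2^{60}\), \(\ell = 2^{10}\), \(t = 256\) or \(t = 8\)) are chosen here for illustration and do not come from the paper; constants hidden in the \(O(\cdot)\) notation are dropped.

```python
"""HMAC over SHA-2 and SHA-3 built from the hash primitive, plus a numeric
comparison of the generic MD / ChopMD / Sponge bounds from the abstract."""
import hashlib
import hmac
import math


def hmac_block_size(hash_name: str) -> int:
    """Block size B that HMAC pads the key to.
    SHA-2: the MD compression-function message block (64 or 128 bytes).
    SHA-3: the sponge rate r = b - c with b = 1600, c = 2n (FIPS 202),
    so SHA3-256 -> 136 bytes and SHA3-512 -> 72 bytes."""
    return hashlib.new(hash_name).block_size


def hmac_manual(key: bytes, msg: bytes, hash_name: str) -> bytes:
    """HMAC(K, M) = H((K' xor opad) || H((K' xor ipad) || M)),
    where K' is the key zero-padded to B bytes (hashed first if longer)."""
    h = lambda data: hashlib.new(hash_name, data).digest()
    B = hmac_block_size(hash_name)
    if len(key) > B:
        key = h(key)
    k_prime = key.ljust(B, b"\x00")
    ipad = bytes(b ^ 0x36 for b in k_prime)
    opad = bytes(b ^ 0x5C for b in k_prime)
    return h(opad + h(ipad + msg))


def hmac_matches_stdlib(key: bytes, msg: bytes, hash_name: str) -> bool:
    """Cross-check the hand-built HMAC against the standard library."""
    return hmac.compare_digest(hmac_manual(key, msg, hash_name),
                               hmac.new(key, msg, hash_name).digest())


def _log2_sum(a: float, b: float) -> float:
    """log2(2^a + 2^b) without underflow."""
    hi, lo = max(a, b), min(a, b)
    return hi + math.log2(1.0 + 2.0 ** (lo - hi))


def log2_bounds(n: int, q: int, ell: int, t: int = 0) -> dict:
    """log2 of the abstract's upper-bounds (big-O constants dropped).
    n: hash output bits, q: number of HMAC queries, ell: max query length
    in blocks, t: bits truncated by ChopMD (0 means plain MD)."""
    lq, ll = math.log2(q), math.log2(ell)
    md = ll + 2 * lq - n                                  # ell q^2 / 2^n
    chop = _log2_sum(2 * lq - n, ll + 2 * lq - (n + t))   # q^2/2^n + ell q^2/2^(n+t)
    return {
        "MD_mac": md, "MD_prf": md,
        "ChopMD_mac": chop, "ChopMD_prf": chop,
        "Sponge_mac": math.log2(n) + lq - n,              # n q / 2^n
        "Sponge_prf": 2 * lq - n,                         # q^2 / 2^n
    }


if __name__ == "__main__":
    # Constructed sample inputs; nothing here is a published test vector.
    for name in ("sha256", "sha512", "sha3_256", "sha3_512"):
        print(name, "B =", hmac_block_size(name),
              "ok =", hmac_matches_stdlib(b"k" * 200, b"sample message", name))
    # t = 256: truncation absorbs the length factor, Sponge gives no PRF gain.
    print(log2_bounds(256, 2 ** 60, 2 ** 10, t=256))
    # t = 8 < log2(ell) = 10: ell > 2^t, so Sponge-based HMAC has the better PRF bound.
    print(log2_bounds(256, 2 ** 60, 2 ** 10, t=8))
```

Two things worth noticing when running it: the only construction-level difference between SHA-2- and SHA-3-based \(\mathtt {HMAC}\) is the block size the key is padded to (72 bytes for SHA3-512 versus 128 bytes for SHA-512), which is why the paper's comparison is about the inner hash's structure rather than about HMAC itself; and with \(t = 256\) the \(\mathtt {ChopMD}\) PRF bound already coincides with the Sponge bound \(q^2/2^n\), whereas with \(t = 8\) the \(\ell q^2/2^{n+t}\) term dominates and the Sponge bound is strictly smaller.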


Notes

  1. Although the proofs in [2, 3, 11] deal only with \(\mathtt {HMAC}\_\mathtt {MD}\), they can be applied to \(\mathtt {HMAC}\_\mathtt {ChopMD}\). Their proofs depend only on \(\ell \) and the output length of the compression function. The upper-bounds for \(\mathtt {HMAC}\_\mathtt {ChopMD}\) are obtained by adding the probability corresponding to the truncated output length.

  2. Note that for the sake of simplicity, we omit the discussion of the probability of recovering the secret key, which is \(O(\frac{Q}{2^k})\).

  3. Note that \(|K'| = r\) holds. Hence one can recover \(K'\) with \(Q \le 2^{r}\). In the case of SHA3-512 (\(c=1024\), \(r=576\) and \(n = 512\)), \(2^r \le 2^{b/2}\) holds; thereby, in order to obtain the bounds, we require the assumption that \(Q \le 2^{576}\).

References

  1. Andreeva, E., Daemen, J., Mennink, B., Van Assche, G.: Security of keyed sponge constructions using a modular proof approach. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 364–384. Springer, Heidelberg (2015)

  2. Bellare, M.: New proofs for NMAC and HMAC: security without collision-resistance. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 602–619. Springer, Heidelberg (2006)

  3. Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)

  4. Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006)

  5. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012)

  6. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 313–314. Springer, Heidelberg (2013)

  7. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008)

  8. Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014)

  9. Damgård, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)

  10. Dodis, Y., Ristenpart, T., Steinberger, J., Tessaro, S.: To hash or not to hash again? (In)Differentiability results for H\(^{2}\) and HMAC. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 348–366. Springer, Heidelberg (2012)

  11. Gaži, P., Pietrzak, K., Rybár, M.: The exact PRF-security of NMAC and HMAC. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 113–130. Springer, Heidelberg (2014)

  12. Gaži, P., Pietrzak, K., Tessaro, S.: The exact PRF security of truncation: tight bounds for keyed sponges and truncated CBC. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 368–387. Springer, Heidelberg (2015)

  13. Jovanovic, P., Luykx, A., Mennink, B.: Beyond \(2^{c/2}\) security in sponge-based authenticated encryption modes. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 85–104. Springer, Heidelberg (2014)

  14. Krawczyk, H., Bellare, M., Canetti, R.: HMAC: Keyed-Hashing for Message Authentication. Internet RFC 2104 (1997)

  15. Maurer, U.M., Renner, R.S., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004)

  16. Mennink, B., Reyhanitabar, R., Vizár, D.: Security of full-state keyed and duplex sponge: applications to authenticated encryption. IACR Cryptology ePrint Archive 2015/541

  17. Merkle, R.C.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990)

  18. NIST: The keyed-hash message authentication code (HMAC). FIPS PUB 198-1 (2008)

  19. NIST: Secure hash standard (SHS). FIPS PUB 180-4 (2012)

  20. NIST: SHA-3 standard: permutation-based hash and extendable-output functions. FIPS PUB 202 (2015)

  21. Patarin, J.: The “Coefficients H” technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009)


Acknowledgements

Lei Wang is supported by Major State Basic Research Development Program (973 Plan) (2013CB338004), National Natural Science Foundation of China (61472250), Innovation Plan of Science and Technology of Shanghai (14511100300), Doctoral Fund of Ministry of Education of China (20120073110094), and National Natural Science Foundation of China (NO. 61402288).

Author information

Corresponding author: Yusuke Naito.


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Naito, Y., Wang, L. (2016). Replacing SHA-2 with SHA-3 Enhances Generic Security of \(\mathtt {HMAC}\). In: Sako, K. (ed.) Topics in Cryptology - CT-RSA 2016. CT-RSA 2016. Lecture Notes in Computer Science, vol 9610. Springer, Cham. https://doi.org/10.1007/978-3-319-29485-8_23


  • DOI: https://doi.org/10.1007/978-3-319-29485-8_23


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-29484-1

  • Online ISBN: 978-3-319-29485-8

  • eBook Packages: Computer Science (R0)
