TY - GEN
T1 - To hash or not to hash again? (In)differentiability results for H 2 and HMAC
AU - Dodis, Yevgeniy
AU - Ristenpart, Thomas
AU - Steinberger, John
AU - Tessaro, Stefano
N1 - Copyright:
Copyright 2012 Elsevier B.V., All rights reserved.
PY - 2012
Y1 - 2012
N2 - We show that the second iterate H 2(M) = H(H(M)) of a random oracle H cannot achieve strong security in the sense of indifferentiability from a random oracle. We do so by proving that indifferentiability for H 2 holds only with poor concrete security by providing a lower bound (via an attack) and a matching upper bound (via a proof requiring new techniques) on the complexity of any successful simulator. We then investigate HMAC when it is used as a general-purpose hash function with arbitrary keys (and not as a MAC or PRF with uniform, secret keys). We uncover that HMAC's handling of keys gives rise to two types of weak key pairs. The first allows trivial attacks against its indifferentiability; the second gives rise to structural issues similar to that which ruled out strong indifferentiability bounds in the case of H 2. However, such weak key pairs do not arise, as far as we know, in any deployed applications of HMAC. For example, using keys of any fixed length shorter than d - 1, where d is the block length in bits of the underlying hash function, completely avoids weak key pairs. We therefore conclude with a positive result: a proof that HMAC is indifferentiable from a RO (with standard, good bounds) when applications use keys of a fixed length less than d - 1.
AB - We show that the second iterate H 2(M) = H(H(M)) of a random oracle H cannot achieve strong security in the sense of indifferentiability from a random oracle. We do so by proving that indifferentiability for H 2 holds only with poor concrete security by providing a lower bound (via an attack) and a matching upper bound (via a proof requiring new techniques) on the complexity of any successful simulator. We then investigate HMAC when it is used as a general-purpose hash function with arbitrary keys (and not as a MAC or PRF with uniform, secret keys). We uncover that HMAC's handling of keys gives rise to two types of weak key pairs. The first allows trivial attacks against its indifferentiability; the second gives rise to structural issues similar to that which ruled out strong indifferentiability bounds in the case of H 2. However, such weak key pairs do not arise, as far as we know, in any deployed applications of HMAC. For example, using keys of any fixed length shorter than d - 1, where d is the block length in bits of the underlying hash function, completely avoids weak key pairs. We therefore conclude with a positive result: a proof that HMAC is indifferentiable from a RO (with standard, good bounds) when applications use keys of a fixed length less than d - 1.
KW - HMAC
KW - Hash functions
KW - Indifferentiability
UR - http://www.scopus.com/inward/record.url?scp=84865526160&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84865526160&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-32009-5_21
DO - 10.1007/978-3-642-32009-5_21
M3 - Conference contribution
AN - SCOPUS:84865526160
SN - 9783642320088
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 348
EP - 366
BT - Advances in Cryptology, CRYPTO 2012 - 32nd Annual Cryptology Conference, Proceedings
T2 - 32nd Annual International Cryptology Conference, CRYPTO 2012
Y2 - 19 August 2012 through 23 August 2012
ER -