Paper 2013/382

To Hash or Not to Hash Again? (In)differentiability Results for H^2 and HMAC

Yevgeniy Dodis, Thomas Ristenpart, John Steinberger, and Stefano Tessaro

Abstract

We show that the second iterate H^2(M) = H(H(M)) of a random oracle H cannot achieve strong security in the sense of indifferentiability from a random oracle. We do so by proving that indifferentiability for H 2 holds only with poor concrete security by providing a lower bound (via an attack) and a matching upper bound (via a proof requiring new techniques) on the complexity of any successful simulator. We then investigate HMAC when it is used as a general-purpose hash function with arbitrary keys (and not as a MAC or PRF with uniform, secret keys). We uncover that HMAC’s handling of keys gives rise to two types of weak key pairs. The first allows trivial attacks against its indifferentiability; the second gives rise to structural issues similar to that which ruled out strong indifferentiability bounds in the case of H^2 . However, such weak key pairs do not arise, as far as we know, in any deployed applications of HMAC. For example, using keys of any fixed length shorter than d − 1, where d is the block length in bits of the underlying hash function, completely avoids weak key pairs. We therefore conclude with a positive result: a proof that HMAC is indifferentiable from a RO (with standard, good bounds) when applications use keys of a fixed length less than d − 1.

Note: Full version of Crypto 2012 paper.

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Advances in Cryptology - Crypto 2012
Keywords
Indifferentiabilityhash functionsHMAC
Contact author(s)
rist @ cs wisc edu
History
2013-08-08: last of 2 revisions
2013-06-17: received
See all versions
Short URL
https://ia.cr/2013/382
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2013/382,
      author = {Yevgeniy Dodis and Thomas Ristenpart and John Steinberger and Stefano Tessaro},
      title = {To Hash or Not to Hash Again? (In)differentiability Results for H^2 and HMAC},
      howpublished = {Cryptology ePrint Archive, Paper 2013/382},
      year = {2013},
      note = {\url{https://eprint.iacr.org/2013/382}},
      url = {https://eprint.iacr.org/2013/382}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.