Paper 2015/1198

Symmetric and Dual PRFs from Standard Assumptions: A Generic Validation of an HMAC Assumption

Mihir Bellare and Anna Lysyanskaya


The security of HMAC is proven under the assumption that its compression function is a dual PRF, meaning a PRF when keyed by either of its two inputs. But, not only do we not know whether particular compression functions really are dual PRFs, we do not know if dual PRFs even exist. What if the goal is impossible? This paper addresses this with a foundational treatment of dual PRFs, giving constructions based on standard assumptions. This provides what we call a generic validation of the dual PRF assumption for HMAC. Our approach is to introduce and construct symmetric PRFs, which imply dual PRFs and may be of independent interest. We give a general construction of a symmetric PRF based on a function having a weak form of collision resistance coupled with a leakage hardcore function, a strengthening of the usual notion of hardcore functions we introduce. We instantiate this general construction in two ways to obtain a symmetric and dual PRF assuming (1) Any collision-resistant hash function, or (2) Any one-way permutation. A construction based on any one-way function evades us and is left as an intriguing open problem.

Available format(s)
Publication info
Preprint. MINOR revision.
HMACPRFOne-Way FunctionHardcore FunctionExtractorHash Function
Contact author(s)
mihir @ eng ucsd edu
2015-12-16: revised
2015-12-16: received
See all versions
Short URL
Creative Commons Attribution


      author = {Mihir Bellare and Anna Lysyanskaya},
      title = {Symmetric and Dual PRFs from Standard Assumptions: A Generic Validation of an HMAC Assumption},
      howpublished = {Cryptology ePrint Archive, Paper 2015/1198},
      year = {2015},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.