Paper 2023/1305
About “$k$-bit security” of MACs based on hash function Streebog
Abstract
Various message authentication codes (MACs), including HMAC-Streebog and Streebog-K, are based on the keyless hash function Streebog. Under the assumption that the compression function of Streebog is resistant to the related key attacks, the security proofs of these algorithms were recently presented at CTCrypt 2022. We carefully detail the resources of the adversary in the related key settings, revisit the proof, and obtain tight security bounds. Let $n$ be the bit length of the hash function state. If the amount of processed data is less than about $2^{n-k}$ blocks, then for HMAC-Streebog-512 and Streebog-K, the only effective method of forgery (or distinguishing) is guessing the $k$-bit secret key or the tag if it is shorter than the key. So, we can speak about ``$k$-bit security'' without specifying the amount of material, if the key length is no longer than half of a state. The bound for HMAC-Streebog-256 is worse and equal to $2^{\frac{n}{2}-k}$ blocks.
Metadata
- Available format(s)
-
PDF
- Category
- Secret-key cryptography
- Publication info
- Published elsewhere. Minor revision. CTCrypt 2023 - 12th Workshop on Current Trends in Cryptology, June 6–9, 2023, Volgograd, Russia
- Keywords
- StreebogPRFHMACprovable security
- Contact author(s)
- vitaly kiryukhin @ sfblaboratory ru
- History
- 2023-09-02: approved
- 2023-09-01: received
- See all versions
- Short URL
- https://ia.cr/2023/1305
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2023/1305,
author = {Vitaly Kiryukhin},
title = {About “$k$-bit security” of MACs based on hash function Streebog},
howpublished = {Cryptology ePrint Archive, Paper 2023/1305},
year = {2023},
note = {\url{https://eprint.iacr.org/2023/1305}},
url = {https://eprint.iacr.org/2023/1305}
}
