Paper 2023/1305

About “$k$-bit security” of MACs based on hash function Streebog

Vitaly Kiryukhin, LLC "SFB Lab", JSC "InfoTeCS"
Abstract

Various message authentication codes (MACs), including HMAC-Streebog and Streebog-K, are based on the keyless hash function Streebog. Under the assumption that the compression function of Streebog is resistant to the related key attacks, the security proofs of these algorithms were recently presented at CTCrypt 2022. We carefully detail the resources of the adversary in the related key settings, revisit the proof, and obtain tight security bounds. Let $n$ be the bit length of the hash function state. If the amount of processed data is less than about $2^{n-k}$ blocks, then for HMAC-Streebog-512 and Streebog-K, the only effective method of forgery (or distinguishing) is guessing the $k$-bit secret key or the tag if it is shorter than the key. So, we can speak about ``$k$-bit security'' without specifying the amount of material, if the key length is no longer than half of a state. The bound for HMAC-Streebog-256 is worse and equal to $2^{\frac{n}{2}-k}$ blocks.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. Minor revision. CTCrypt 2023 - 12th Workshop on Current Trends in Cryptology, June 6–9, 2023, Volgograd, Russia
Keywords
StreebogPRFHMACprovable security
Contact author(s)
vitaly kiryukhin @ sfblaboratory ru
History
2023-09-02: approved
2023-09-01: received
See all versions
Short URL
https://ia.cr/2023/1305
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1305,
      author = {Vitaly Kiryukhin},
      title = {About “$k$-bit security” of {MACs} based on hash function Streebog},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/1305},
      year = {2023},
      url = {https://eprint.iacr.org/2023/1305}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.