Paper 2023/861
When Messages are Keys: Is HMAC a dual-PRF?
Abstract
In Internet security protocols including TLS 1.3, KEMTLS, MLS and Noise, HMAC is being assumed to be a dual-PRF, meaning a PRF not only when keyed conventionally (through its first input), but also when "swapped" and keyed (unconventionally) through its second (message) input. We give the first in-depth analysis of the dual-PRF assumption on HMAC. For the swap case, we note that security does not hold in general, but completely characterize when it does; we show that HMAC is swap-PRF secure if and only if keys are restricted to sets satisfying a condition called feasibility, that we give, and that holds in applications. The sufficiency is shown by proof and the necessity by attacks. For the conventional PRF case, we fill a gap in the literature by proving PRF security of HMAC for keys of arbitrary length. Our proofs are in the standard model, make assumptions only on the compression function underlying the hash function, and give good bounds in the multi-user setting. The positive results are strengthened through achieving a new notion of variable key-length PRF security that guarantees security even if different users use keys of different lengths, as happens in practice.
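To make the swap case concrete: in the swap-PRF game the secret sits in HMAC's second (message) slot and the adversary chooses the first (key) slot, so any two distinct first-slot inputs that HMAC maps to the same output for every secret give an immediate distinguisher. HMAC's key pre-processing (RFC 2104: hash a key longer than one block, then zero-pad to block length) produces exactly such pairs. The following Python is an added example written for this page, not code from the paper or its authors. It uses SHA-256 as the hash, constructs its own keys and key sets, and its `key_processing_is_injective` check is an assumed stand-in for a "feasible" set, since the abstract does not define feasibility; it also shows, via `process_key`, how HMAC accepts keys of arbitrary length in the conventional direction.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
BLOCK_LEN = HASH().block_size    # 64 bytes for SHA-256
DIGEST_LEN = HASH().digest_size  # 32 bytes


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 in the conventional direction: the first input is the key."""
    return hmac.new(key, msg, HASH).digest()


def process_key(key: bytes) -> bytes:
    """Key pre-processing inside HMAC (RFC 2104): a key longer than one block is
    replaced by its hash, then the result is zero-padded to block length. This is
    what lets HMAC take keys of arbitrary length, and it is also the source of
    the first-slot collisions used below."""
    if len(key) > BLOCK_LEN:
        key = HASH(key).digest()
    return key.ljust(BLOCK_LEN, b"\x00")


def hmac_oracle(secret: bytes):
    """Swap-PRF oracle: the secret is fixed in HMAC's message slot and the
    adversary supplies the first (key) slot."""
    return lambda x: hmac_sha256(x, secret)


def random_oracle():
    """Ideal comparison: a fresh random output for each distinct query."""
    table = {}
    return lambda x: table.setdefault(x, os.urandom(DIGEST_LEN))


def swap_input_collisions(secret: bytes):
    """Two constructed pairs of distinct first-slot inputs that HMAC maps to the
    same output whatever the secret is. Returns (label, x1, x2, outputs_equal)."""
    long_key = bytes(range(100))   # 100 > BLOCK_LEN, so HMAC hashes it first
    short_key = b"\x01" * 16       # 16 < BLOCK_LEN, so HMAC zero-pads it
    pairs = [
        ("x and H(x) for |x| > block", long_key, HASH(long_key).digest()),
        ("x and x||0^8 for |x| < block", short_key, short_key + b"\x00" * 8),
    ]
    return [(label, x1, x2, hmac_sha256(x1, secret) == hmac_sha256(x2, secret))
            for label, x1, x2 in pairs]


def swap_prf_distinguisher(oracle, x1: bytes, x2: bytes) -> bool:
    """Query two distinct first-slot values; equal answers identify HMAC, since a
    random function would agree only with probability 2^-256."""
    return x1 != x2 and oracle(x1) == oracle(x2)


def key_processing_is_injective(keys) -> bool:
    """Assumed stand-in for the paper's 'feasibility' (not defined on this page):
    the allowed first-slot set must not contain two values that HMAC
    pre-processes to the same padded block."""
    keys = set(keys)
    return len({process_key(k) for k in keys}) == len(keys)


def example_key_sets():
    """Constructed sets: an unrestricted one containing x alongside H(x) and a
    zero-extended key, and a TLS-1.3-style one where every salt is a
    fixed-length hash output."""
    long_key = bytes(range(100))
    return {
        "unrestricted": [long_key, HASH(long_key).digest(),
                         b"\x01" * 16, b"\x01" * 16 + b"\x00" * 8],
        "fixed_length": [HASH(bytes([i])).digest() for i in range(8)],
    }


if __name__ == "__main__":
    secret = os.urandom(32)  # constructed secret for the message slot
    for label, x1, x2, equal in swap_input_collisions(secret):
        print(f"{label}: HMAC outputs equal = {equal}")
    x1, x2 = example_key_sets()["unrestricted"][:2]
    print("distinguisher flags HMAC oracle:", swap_prf_distinguisher(hmac_oracle(secret), x1, x2))
    print("distinguisher flags random oracle:", swap_prf_distinguisher(random_oracle(), x1, x2))
    for name, keys in example_key_sets().items():
        print(f"{name}: injective pre-processing = {key_processing_is_injective(keys)}")
```

The two collision classes are independent of the secret, so the distinguisher needs only two queries. A set of same-length first-slot inputs no longer than a block (the fixed-length salts of HKDF-Extract in TLS 1.3, for example) passes the injectivity check, which is the kind of restriction the abstract says holds in applications.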
Metadata
- Category: Secret-key cryptography
- Publication info: A major revision of an IACR publication in CRYPTO 2023
- Keywords: HMAC, PRF, dual-PRF, standards, TLS, MLS, proofs
- Contact author(s):
  - mbackendal @ inf ethz ch
  - mbellare @ ucsd edu
  - felix guenther @ inf ethz ch
  - scmatteo @ inf ethz ch
- History:
  - 2023-06-07: revised
  - 2023-06-07: received
- Short URL: https://ia.cr/2023/861
- License: CC BY
BibTeX
@misc{cryptoeprint:2023/861,
  author = {Matilda Backendal and Mihir Bellare and Felix Günther and Matteo Scarlata},
  title = {When Messages are Keys: Is {HMAC} a dual-{PRF}?},
  howpublished = {Cryptology {ePrint} Archive, Paper 2023/861},
  year = {2023},
  url = {https://eprint.iacr.org/2023/861}
}