Paper 2023/861

When Messages are Keys: Is HMAC a dual-PRF?

Matilda Backendal, ETH Zurich
Mihir Bellare, University of California, San Diego
Felix Günther, ETH Zurich
Matteo Scarlata, ETH Zurich

In Internet security protocols including TLS 1.3, KEMTLS, MLS and Noise, HMAC is being assumed to be a dual-PRF, meaning a PRF not only when keyed conventionally (through its first input), but also when "swapped" and keyed (unconventionally) through its second (message) input. We give the first in-depth analysis of the dual-PRF assumption on HMAC. For the swap case, we note that security does not hold in general, but completely characterize when it does; we show that HMAC is swap-PRF secure if and only if keys are restricted to sets satisfying a condition called feasibility, that we give, and that holds in applications. The sufficiency is shown by proof and the necessity by attacks. For the conventional PRF case, we fill a gap in the literature by proving PRF security of HMAC for keys of arbitrary length. Our proofs are in the standard model, make assumptions only on the compression function underlying the hash function, and give good bounds in the multi-user setting. The positive results are strengthened through achieving a new notion of variable key-length PRF security that guarantees security even if different users use keys of different lengths, as happens in practice.
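As an added illustration (not code from the paper), the Python below shows the "swap" use of HMAC, why swap-PRF security fails when the first input is unrestricted, and a feasibility-style check on a candidate set of first inputs. The check (injectivity of HMAC's key preprocessing on the set) is a constructed stand-in for the paper's feasibility condition; the paper's exact definition is not reproduced here.

```python
import hashlib
import hmac

# HMAC-SHA256 parameters: block size B = 64 bytes, output size N = 32 bytes.
B = hashlib.sha256().block_size
N = hashlib.sha256().digest_size


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """Conventional HMAC: keyed through the first input."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def swap_hmac(key: bytes, msg: bytes) -> bytes:
    """'Swapped' HMAC (as in HKDF-Extract with secret IKM): the PRF key goes
    into HMAC's second (message) input, the public input into the first."""
    return hmac_sha256(msg, key)


def processed_key(k: bytes) -> bytes:
    """HMAC's key preprocessing (RFC 2104): hash keys longer than B, then
    zero-pad to exactly B bytes. A collision here is a collision in HMAC."""
    if len(k) > B:
        k = hashlib.sha256(k).digest()
    return k.ljust(B, b"\x00")


def is_feasible(key_set) -> bool:
    """Constructed stand-in for feasibility: key preprocessing must be
    injective on the set, so no two members yield the same padded key."""
    seen = set()
    for k in key_set:
        pk = processed_key(k)
        if pk in seen:
            return False
        seen.add(pk)
    return True


def swap_collision_pairs(secret: bytes):
    """Distinct first inputs that give identical swapped outputs under any
    secret: a random function would not collide, so swap-PRF fails here."""
    short, long_ = b"salt", b"x" * (B + 1)          # constructed inputs
    pairs = [(short, short + b"\x00"),               # zero-padding collision
             (long_, hashlib.sha256(long_).digest())]  # long-key hashing collision
    return [(a, b, swap_hmac(secret, a) == swap_hmac(secret, b)) for a, b in pairs]
```

Restricting first inputs to a fixed length (as protocol salts in practice are) makes the set pass the check, which is the situation the paper's positive result covers.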

Secret-key cryptography
Publication info
A major revision of an IACR publication in CRYPTO 2023
Contact author(s)
mbackendal @ inf ethz ch
mbellare @ ucsd edu
felix guenther @ inf ethz ch
scmatteo @ inf ethz ch
2023-06-07: revised
2023-06-07: received
Creative Commons Attribution


      author = {Matilda Backendal and Mihir Bellare and Felix Günther and Matteo Scarlata},
      title = {When Messages are Keys: Is HMAC a dual-PRF?},
      howpublished = {Cryptology ePrint Archive, Paper 2023/861},
      year = {2023},
      note = {\url{}},
      url = {}