Paper 2023/861

When Messages are Keys: Is HMAC a dual-PRF?

Matilda Backendal, ETH Zurich
Mihir Bellare, University of California, San Diego
Felix Günther, ETH Zurich
Matteo Scarlata, ETH Zurich
Abstract

In Internet security protocols including TLS 1.3, KEMTLS, MLS and Noise, HMAC is being assumed to be a dual-PRF, meaning a PRF not only when keyed conventionally (through its first input), but also when "swapped" and keyed (unconventionally) through its second (message) input. We give the first in-depth analysis of the dual-PRF assumption on HMAC. For the swap case, we note that security does not hold in general, but completely characterize when it does; we show that HMAC is swap-PRF secure if and only if keys are restricted to sets satisfying a condition called feasibility, that we give, and that holds in applications. The sufficiency is shown by proof and the necessity by attacks. For the conventional PRF case, we fill a gap in the literature by proving PRF security of HMAC for keys of arbitrary length. Our proofs are in the standard model, make assumptions only on the compression function underlying the hash function, and give good bounds in the multi-user setting. The positive results are strengthened through achieving a new notion of variable key-length PRF security that guarantees security even if different users use keys of different lengths, as happens in practice.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
A major revision of an IACR publication in CRYPTO 2023
Keywords
HMACPRFdual-PRFstandardsTLSMLSproofs
Contact author(s)
mbackendal @ inf ethz ch
mbellare @ ucsd edu
felix guenther @ inf ethz ch
scmatteo @ inf ethz ch
History
2023-06-07: revised
2023-06-07: received
See all versions
Short URL
https://ia.cr/2023/861
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/861,
      author = {Matilda Backendal and Mihir Bellare and Felix Günther and Matteo Scarlata},
      title = {When Messages are Keys: Is HMAC a dual-PRF?},
      howpublished = {Cryptology ePrint Archive, Paper 2023/861},
      year = {2023},
      note = {\url{https://eprint.iacr.org/2023/861}},
      url = {https://eprint.iacr.org/2023/861}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.