
RE: [Cfrg] New Proofs for NMAC and HMAC: Security Without Collision-Resistance



> This paper by Mihir Bellare seems fairly interesting and
> quite related to some recent threads on this mailing list.
> <http://eprint.iacr.org/2006/043>

Paul,

Thanks for bringing our attention to it. It is more than interesting.

One observation: this paper basically says that we were looking for
the wrong properties! Collision resistance (strong or weak) is unnecessary:
if the underlying compression function is a PRF - then keyed MAC is
secure; and if it's not a PRF (Bellare proved that a slightly weaker
assumption is still OK) - then weak collision resistance won't help.

So when we specify requirements for a crypto hash - what we really
want/need is Pseudo-Randomness. Then we can safely use it in key
derivation, and then keyed MAC is also secure.
