
Re: [Cfrg] New Proofs for NMAC and HMAC: Security Without Collision-Resistance

Hi Uri,

On Feb 7, 2006, at 7:41 AM, Blumenthal, Uri wrote:

This paper by Mihir Bellare seems fairly interesting and
quite related to some recent threads on this mailing list.
<http://eprint.iacr.org/2006/043>

Paul,

Thanks for bringing our attention to it. It is more than interesting.

One observation: this paper basically says that we were looking for
the wrong properties! Collision resistance (strong or weak) is unnecessary:
if the underlying compression function is a PRF, then the keyed MAC is
secure; and if it's not a PRF (Bellare proved that a slightly weaker
assumption is still OK), then weak collision resistance won't help.

So when we specify requirements for a crypto hash, what we really
want/need is pseudo-randomness. Then we can safely use it in key
derivation, and then the keyed MAC is also secure.

AFAICT, Mihir's work doesn't address the issue of whether or not NMAC or HMAC is a secure way of deriving symmetric keys from a Diffie-Hellman secret. The abstract describes the work as showing that the functions are good PRFs (or just good MACs) based on some different assumptions, but a DH key derivation function can't be shown to be secure merely because it is a PRF.

Of course, this is not to suggest that HMAC is a bad KDF. I suspect that it is a good one, but I just don't think that the work cited proves anything in that direction.

David

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg