To hash or not to hash again? (In)differentiability results for H^2 and HMAC

Yevgeniy Dodis, Thomas Ristenpart, John Steinberger, Stefano Tessaro

Research output: Chapter in Book/Report/Conference proceeding: Conference contribution

Abstract

We show that the second iterate H^2(M) = H(H(M)) of a random oracle H cannot achieve strong security in the sense of indifferentiability from a random oracle. We do so by proving that indifferentiability for H^2 holds only with poor concrete security by providing a lower bound (via an attack) and a matching upper bound (via a proof requiring new techniques) on the complexity of any successful simulator. We then investigate HMAC when it is used as a general-purpose hash function with arbitrary keys (and not as a MAC or PRF with uniform, secret keys). We uncover that HMAC's handling of keys gives rise to two types of weak key pairs. The first allows trivial attacks against its indifferentiability; the second gives rise to structural issues similar to those which ruled out strong indifferentiability bounds in the case of H^2. However, such weak key pairs do not arise, as far as we know, in any deployed applications of HMAC. For example, using keys of any fixed length shorter than d - 1, where d is the block length in bits of the underlying hash function, completely avoids weak key pairs. We therefore conclude with a positive result: a proof that HMAC is indifferentiable from a RO (with standard, good bounds) when applications use keys of a fixed length less than d - 1.
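The abstract's point about HMAC key handling rests on two steps of the standard HMAC construction (RFC 2104): a key longer than the compression function's block is first replaced by its hash, and every key is then zero-padded up to the block length. Both steps let two distinct keys reach the same internal key, which is what makes "equivalent" key pairs possible, and both are avoided by the abstract's condition of one fixed key length below d - 1 bits. The following Python is an added illustration written for this page, not code from the paper or its authors; it uses only the standard library's `hmac` and `hashlib`, the message and key values are constructed samples, and the function names (`normalized_key`, `long_key_pair_collides`, `zero_padded_pair_collides`, `fixed_length_policy_ok`) are this example's own. It does not claim which of the two behaviours the paper labels "first" or "second".

```python
import hashlib
import hmac

# Constructed sample input (not from the paper).
MSG = b"transfer 100 credits to account 42"
SHA256_BLOCK_BYTES = 64          # SHA-256 block length: d = 512 bits


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """Standard HMAC-SHA256 from the Python standard library (RFC 2104)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def normalized_key(key: bytes, block_bytes: int = SHA256_BLOCK_BYTES) -> bytes:
    """RFC 2104 key preprocessing, reproduced here for illustration: a key
    longer than the block is replaced by its hash, then every key is
    zero-padded to the block length. Two distinct keys with the same
    normalized form yield identical MACs for every message."""
    if len(key) > block_bytes:
        key = hashlib.sha256(key).digest()
    return key.ljust(block_bytes, b"\x00")


def long_key_pair_collides(key: bytes, msg: bytes = MSG) -> bool:
    """A key longer than the block is hashed first, so K and H(K) are
    interchangeable: real HMAC (not our re-implementation) agrees."""
    if len(key) <= SHA256_BLOCK_BYTES:
        raise ValueError("this check needs a key longer than the block")
    hashed = hashlib.sha256(key).digest()
    return hmac_sha256(key, msg) == hmac_sha256(hashed, msg)


def zero_padded_pair_collides(key: bytes, msg: bytes = MSG) -> bool:
    """A key shorter than the block is zero-padded, so K and K||0x00 are
    interchangeable as long as both still fit in one block."""
    if len(key) >= SHA256_BLOCK_BYTES:
        raise ValueError("this check needs a key shorter than the block")
    return hmac_sha256(key, msg) == hmac_sha256(key + b"\x00", msg)


def fixed_length_policy_ok(keys, block_bits: int = 8 * SHA256_BLOCK_BYTES) -> bool:
    """The abstract's positive condition: every key has the same length and
    that length, in bits, is below d - 1. A single fixed length rules out
    the zero-padding collisions (no two same-length keys pad to the same
    block), and staying below the block rules out the hash-the-key step."""
    lengths = {len(k) for k in keys}
    if len(lengths) != 1:
        return False
    return 8 * lengths.pop() < block_bits - 1


if __name__ == "__main__":
    long_key = b"k" * 100
    print("K vs H(K), |K| > block:", long_key_pair_collides(long_key))
    print("K vs K||0, |K| < block:", zero_padded_pair_collides(b"short-key"))
    print("same normalized key:",
          normalized_key(long_key) == normalized_key(hashlib.sha256(long_key).digest()))
    print("fixed 32-byte keys pass policy:",
          fixed_length_policy_ok([b"a" * 32, b"b" * 32]))
    print("mixed-length keys pass policy:",
          fixed_length_policy_ok([b"a" * 32, b"b" * 33]))
```

The practical check a deployment would keep is `fixed_length_policy_ok`: when HMAC is used as a keyed hash with caller-supplied keys, enforcing one key length below the block size (for SHA-256, at most 63 bytes) removes both collision sources without changing the HMAC code itself.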

Original language: English (US)
Title of host publication: Advances in Cryptology, CRYPTO 2012 - 32nd Annual Cryptology Conference, Proceedings
Pages: 348-366
Number of pages: 19
Volume: 7417 LNCS
DOI: 10.1007/978-3-642-32009-5_21
State: Published - 2012
Event: 32nd Annual International Cryptology Conference, CRYPTO 2012 - Santa Barbara, CA, United States
Duration: Aug 19 2012 to Aug 23 2012

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 7417 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 32nd Annual International Cryptology Conference, CRYPTO 2012
Country: United States
City: Santa Barbara, CA
Period: 8/19/12 to 8/23/12

Keywords

  • Hash functions
  • HMAC
  • Indifferentiability

ASJC Scopus subject areas

  • Computer Science(all)
  • Theoretical Computer Science

Cite this

Dodis, Y., Ristenpart, T., Steinberger, J., & Tessaro, S. (2012). To hash or not to hash again? (In)differentiability results for H^2 and HMAC. In Advances in Cryptology, CRYPTO 2012 - 32nd Annual Cryptology Conference, Proceedings (Vol. 7417 LNCS, pp. 348-366). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7417 LNCS). https://doi.org/10.1007/978-3-642-32009-5_21

@inproceedings{dcccb830e73343d08933e1201b3dc3f8,
title = "To hash or not to hash again? (In)differentiability results for $H^2$ and HMAC",
abstract = "We show that the second iterate $H^2(M) = H(H(M))$ of a random oracle H cannot achieve strong security in the sense of indifferentiability from a random oracle. We do so by proving that indifferentiability for $H^2$ holds only with poor concrete security by providing a lower bound (via an attack) and a matching upper bound (via a proof requiring new techniques) on the complexity of any successful simulator. We then investigate HMAC when it is used as a general-purpose hash function with arbitrary keys (and not as a MAC or PRF with uniform, secret keys). We uncover that HMAC's handling of keys gives rise to two types of weak key pairs. The first allows trivial attacks against its indifferentiability; the second gives rise to structural issues similar to those which ruled out strong indifferentiability bounds in the case of $H^2$. However, such weak key pairs do not arise, as far as we know, in any deployed applications of HMAC. For example, using keys of any fixed length shorter than d - 1, where d is the block length in bits of the underlying hash function, completely avoids weak key pairs. We therefore conclude with a positive result: a proof that HMAC is indifferentiable from a RO (with standard, good bounds) when applications use keys of a fixed length less than d - 1.",
keywords = "Hash functions, HMAC, Indifferentiability",
author = "Yevgeniy Dodis and Thomas Ristenpart and John Steinberger and Stefano Tessaro",
year = "2012",
doi = "10.1007/978-3-642-32009-5_21",
language = "English (US)",
isbn = "9783642320088",
volume = "7417 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "348--366",
booktitle = "Advances in Cryptology, CRYPTO 2012 - 32nd Annual Cryptology Conference, Proceedings",
}
