On 01/05/2012 03:46 PM, Thor Lancelot Simon wrote:
> I am asking whether the
> use of HMAC with two different, well known keys, one for each purpose,
> is better or worse than using the "folded" output of a single SHA
> invocation for one purpose and the unfolded output of that same
> invocation for the other.

But you don't need HMAC for this; HMAC's properties are evaluated for authentication.

What this usage needs is a tweakable one-way compression function. Like, say, a hash function with a different fixed input prefix for each operation. Having your tweak values a fixed size is a good idea.

HMAC is doing something similar, but using the secret key as the prefix. It expands the secret to the same size as the hash function's input block (usually 512 bits). Having them take up a whole input block might improve performance a little in some implementations because the intermediate state you have to store is smaller and in this case it could even be compile-time constant.

I don't like this idea of folding the output with XOR, especially down to 80 or 64 bits. (Actually, if you look at the details of MD5/SHA-(1,2) it already does some similar 'folding' using addition-mod-32 from twice the output size as the last step before output.)

The source code I saw (Linux kernel maybe?) had a comment indicating they were folding the output out of fear that the statistical properties of plain MD5 might be biased. Although this may have once been an open question, I don't think it's a valid concern any more. Rather, if you believe the output of your one-way compression function might be observably biased, then you ought to be using something else!

IMHO, tweaked SHA-2-256 (or SHA-2-512/256 whichever is faster) should work fine here.

- Marsh
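The three constructions compared in this exchange, side by side, as an added example that is not code from either message. It assumes SHA-256, a 16-byte fixed-width tweak, the purpose labels "purpose-A"/"purpose-B", an 8-byte folded output and a constructed sample input; none of those values come from the thread. It also checks the claim that HMAC pads a short key out to the hash's input block, and makes visible why the folded/unfolded pair is not independent: the folded value is a fixed, public function of the unfolded one.

```python
"""Per-purpose derivation from one input: tweaked hash vs. HMAC vs. XOR folding.

Added example; the tweak width, purpose labels, folded length and sample
input are constructed for illustration and are not from the thread.
"""
import hashlib
import hmac
from typing import Tuple

TWEAK_LEN = 16   # fixed-size tweak prefix (assumed width)
BLOCK_LEN = 64   # SHA-256 input block: 512 bits


def tweaked_hash(purpose: bytes, data: bytes) -> bytes:
    """Domain-separated SHA-256: a fixed-width purpose prefix before the data.

    Different purposes get different prefixes, so their outputs are unrelated
    even though the same hash function and the same data are used.
    """
    if len(purpose) > TWEAK_LEN:
        raise ValueError("purpose label longer than the fixed tweak width")
    tweak = purpose.ljust(TWEAK_LEN, b"\x00")   # pad label to fixed width
    return hashlib.sha256(tweak + data).digest()


def hmac_purpose(purpose_key: bytes, data: bytes) -> bytes:
    """HMAC-SHA-256 under a well-known per-purpose key (the quoted proposal)."""
    return hmac.new(purpose_key, data, hashlib.sha256).digest()


def hmac_key_padded_same(key: bytes, data: bytes) -> bool:
    """True when HMAC(key) == HMAC(key zero-padded to the block size).

    Demonstrates that HMAC expands a short key to a full input block, so a
    short well-known key and its block-sized padded form are the same key.
    """
    if len(key) > BLOCK_LEN:
        raise ValueError("keys longer than a block are hashed first; not shown")
    padded = key.ljust(BLOCK_LEN, b"\x00")
    return hmac.compare_digest(hmac_purpose(key, data), hmac_purpose(padded, data))


def fold_xor(digest: bytes, out_len: int) -> bytes:
    """XOR-fold a digest down to out_len bytes (the construction under criticism)."""
    if out_len <= 0 or len(digest) % out_len:
        raise ValueError("output length must evenly divide the digest length")
    out = bytearray(out_len)
    for i, b in enumerate(digest):
        out[i % out_len] ^= b
    return bytes(out)


def derive_folded(data: bytes) -> Tuple[bytes, bytes]:
    """One SHA-256 call: unfolded output for purpose A, 64-bit fold for purpose B."""
    full = hashlib.sha256(data).digest()
    return full, fold_xor(full, 8)


def derive_tweaked(data: bytes) -> Tuple[bytes, bytes]:
    """Two domain-separated SHA-256 calls, one per purpose."""
    return tweaked_hash(b"purpose-A", data), tweaked_hash(b"purpose-B", data)


def folded_is_recoverable(data: bytes) -> bool:
    """True: anyone holding the purpose-A (unfolded) value can compute purpose-B.

    With the tweaked construction there is no such public relation between
    the two outputs; each is a separate hash of a differently prefixed input.
    """
    full, folded = derive_folded(data)
    return fold_xor(full, 8) == folded


if __name__ == "__main__":
    sample = b"constructed sample input"          # constructed, not from the thread
    a, b = derive_tweaked(sample)
    print("tweaked A :", a.hex())
    print("tweaked B :", b.hex())
    full, folded = derive_folded(sample)
    print("unfolded  :", full.hex())
    print("folded    :", folded.hex())
    print("folded derivable from unfolded:", folded_is_recoverable(sample))
    print("HMAC short key == zero-padded key:", hmac_key_padded_same(b"purpose-A", sample))
```

Running the script prints the two tweaked outputs, the unfolded and folded outputs, and two checks: the folded value is always recomputable from the unfolded one, and HMAC with a short key matches HMAC with that key zero-padded to one 64-byte block.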
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography