Re: [Cfrg] erratum for hmac what do we think...

Peter Gutmann, Fri, 03 February 2017 10:24 UTC

Hugo Krawczyk writes:

>For example, people wanted to use unlimited passphrases, and between having
>people truncate long keys or hash them first, the latter seemed the more
>robust solution. (BTW, the right way to deal with these issues using HMAC is
>to use HKDF.)

Another solution to the fact that there are two external-format keys that map
to a single internal-format key (i.e. the > blocksize key and its hash) would
be to reserve the first bit of the internal-format key to denote hashed vs.
non-hashed.  OTOH then people would complain about losing one bit of strength,
or someone would propose an attack based on knowing that the first bit will
almost always be zero (for non-hashed), or something similar.  You can't win
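
The key equivalence this message discusses, as an added example that is not part of the original e-mail: HMAC-SHA256 built from the RFC 2104 definition, showing that a key longer than the block size and the hash of that key give the same tag, while passing the same two secrets through HKDF (RFC 5869), as the quoted text suggests, gives different outputs. The key, message, salt and info values are constructed samples.

```python
import hashlib
import hmac

BLOCK = hashlib.sha256().block_size  # 64 bytes for SHA-256


def internal_key(key: bytes) -> bytes:
    """RFC 2104 key preparation: hash keys longer than one block, then zero-pad."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()
    return key.ljust(BLOCK, b"\x00")


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC written out from the RFC 2104 definition."""
    k = internal_key(key)
    ipad = bytes(b ^ 0x36 for b in k)
    opad = bytes(b ^ 0x5C for b in k)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869). In Extract the secret is the HMAC message, not the key."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


# Constructed sample inputs (not taken from the thread).
LONG_KEY = b"correct horse battery staple " * 4    # 116 bytes, longer than one block
HASHED_KEY = hashlib.sha256(LONG_KEY).digest()     # 32 bytes, used as a key directly
MSG = b"constructed sample message"
SALT = b"constructed-salt"
INFO = b"example mac key"

if __name__ == "__main__":
    # Two different external-format keys, one internal-format key, one tag.
    print("same internal key:", internal_key(LONG_KEY) == internal_key(HASHED_KEY))
    print("same HMAC tag:    ", hmac_sha256(LONG_KEY, MSG) == hmac_sha256(HASHED_KEY, MSG))
    # Deriving the MAC key with HKDF first keeps the two secrets distinct.
    k1 = hkdf_sha256(LONG_KEY, SALT, INFO)
    k2 = hkdf_sha256(HASHED_KEY, SALT, INFO)
    print("same HKDF output: ", k1 == k2)
```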