Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hmac-sha2-06

Nico Williams <> Wed, 15 April 2015 19:54 UTC

Date: Wed, 15 Apr 2015 14:54:48 -0500
From: Nico Williams <>
To: Greg Hudson <>

On Wed, Apr 08, 2015 at 06:48:36PM -0400, Greg Hudson wrote:
> I do not understand what assumptions would yield a security level of 128
> bits from SHA-256 truncated to 192 bits, and a security level of 192
> bits from SHA-384 truncated to 192 bits.  If there is a concern about
> birthday attacks on the integrity tag, then we can't get away with
> truncating at all; we would need to send a 256-bit tag for the 128-bit
> security level, and a 384-bit tag for the 192-bit security level.

I expect HMAC-SHA-256 with 128-bit HMAC keys provides 128-bit security
against forgeries (which is all we're after if we encrypt-then-MAC) no
matter what length the result is truncated to, as long as that length is
128 or more bits.

The reason is: the attacker has a 128-bit key search space, and any
forgery attack that requires more work than a key brute-force attack is
not worth it, so using a MAC length of more than 128 bits is not likely
to be useful (it will cause defenders to waste bandwidth) unless there
are forgery attacks at least a few bits better than the MAC length, for
HMAC with any given MAC length.

The critical thing here is the size of the HMAC key.

Perhaps HMAC-SHA256-192 with 192-bit keys could also provide 192-bit
security against distinguishing attacks and forgeries.  But if there are
such attacks that depend only on attacking the hash for collisions, then
HMAC-SHA256-192 can't provide 192-bit security against forgeries -- it
seems prudent to assume such attacks.

ISTM prudent to use HMAC with keys of size matching the advertised
collision resistance of the base hash function and then truncate the
result to that same size.

So, HMAC-SHA256-128 w/ 128-bit keys is OK, but HMAC-SHA256-192 is not
(even if the keys are 192-bit).
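The parameter rule argued in this message, as an added example (not code from the message or from the draft): a small Python helper that only accepts the key/tag pairings the message calls OK (HMAC-SHA256-128 with 128-bit keys, HMAC-SHA384-192 with 192-bit keys), rejects HMAC-SHA256-192 even with a 192-bit key, and estimates the forgery security level as the minimum of key size, tag size and the base hash's advertised collision resistance. The hash names, function names and the constructed key are assumptions made for the example.

```python
import hashlib
import hmac

# Advertised collision resistance (bits) of the base hash, i.e. half of
# its output length.  Under the rule in the message this is both the
# HMAC key size and the truncated tag size.
COLLISION_RESISTANCE_BITS = {"sha256": 128, "sha384": 192}


def mac_security_bits(hash_name: str, key_bits: int, tag_bits: int) -> int:
    """Forgery security level following the message's reasoning: an
    attacker can brute-force the key, guess the tag, or (prudently
    assumed) attack the base hash for collisions; the cheapest wins."""
    return min(key_bits, tag_bits, COLLISION_RESISTANCE_BITS[hash_name])


def parameters_ok(hash_name: str, key_bits: int, tag_bits: int) -> bool:
    """The rule from the message: key size equals the advertised collision
    resistance of the hash, and the tag is truncated to that same size."""
    cr = COLLISION_RESISTANCE_BITS[hash_name]
    return key_bits == cr and tag_bits == cr


def truncated_hmac(hash_name: str, key: bytes, data: bytes, tag_bits: int) -> bytes:
    """Compute HMAC-<hash> truncated to tag_bits, refusing pairings the
    message rejects (e.g. HMAC-SHA256-192 with a 192-bit key)."""
    if not parameters_ok(hash_name, len(key) * 8, tag_bits):
        raise ValueError(f"HMAC-{hash_name.upper()}-{tag_bits} with "
                         f"{len(key) * 8}-bit key is not an accepted pairing")
    return hmac.new(key, data, hash_name).digest()[: tag_bits // 8]


def verify_tag(hash_name: str, key: bytes, data: bytes, tag: bytes) -> bool:
    """Recompute the truncated tag and compare in constant time."""
    expected = truncated_hmac(hash_name, key, data, len(tag) * 8)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    key = bytes(range(16))          # constructed 128-bit key for illustration
    msg = b"encrypt-then-MAC ciphertext (constructed)"
    tag = truncated_hmac("sha256", key, msg, 128)
    print(tag.hex(), verify_tag("sha256", key, msg, tag))
    print("HMAC-SHA256-192/192-bit key ->", mac_security_bits("sha256", 192, 192), "bits")
```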