LibreMail

Phillip Hallam-BakerI am just finishing off the UDF draft. What is the best way to create a MAC from a SHA3 digest function? For this application I need a 512 bit output so no nee 22/02/2019

Phillip Hallam-Baker <phill@hallambaker.com> to Cryptography Mailing List 22/02/2019

I am just finishing off the UDF draft. What is the best way to create a MAC from a SHA3 digest function? For this application I need a 512 bit output so no need to SHAKE. HMAC is an obvious choice but it was designed to overcome the limitations of Merkle Damgard construction. Is there a more appropriate, spongeworthy choice? _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

Jon Callas On Feb 22, 2019, at 12:10 PM, Phillip Hallam-Baker wrote: > > I am just finishing off the UDF draft. > > What is the best way to create a MAC from a SHA3 di 22/02/2019

Jon Callas <jon@callas.org> to Phillip Hallam-Baker 22/02/2019

> On Feb 22, 2019, at 12:10 PM, Phillip Hallam-Baker <phill@hallambaker.com> wrote: > > I am just finishing off the UDF draft. > > What is the best way to create a MAC from a SHA3 digest function? For this application I need a 512 bit output so no need to SHAKE. > > HMAC is an obvious choice but it was designed to overcome the limitations of Merkle Damgard construction. Is there a more appropriate, spongeworthy choice? Each of the SHA3 finalists had as a feature that a keyed hash is as good as a MAC. Keccak and Skein explicitly had one-pass MACs in them. Keccak’s one-pass MAC evolved into SHAKE and I’m not an expert on where else it might be around. Thus, I first ask, “Oh, really? SHAKE is too much?” then agree with you that HMAC is overkill (I mean, if you don’t want to use SHAKE, you really don’t want to HMAC), and observe that a keyed hash is pretty likely good enough, and I bet you can get a proof of security for it, even if the proof is a hand wave. Jon _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

Arnold Reinhold via cryptographyNIST SP 800-185 defines a set of MAC functions (KMAC) derived from SHA3. Arnold Reinhold _______________________________________________ The cryptography mai 24/02/2019

Arnold Reinhold via cryptography <cryptography@metzdowd.com> to cryptography@metzdowd.com 24/02/2019

NIST SP 800-185 defines a set of MAC functions (KMAC) derived from SHA3. Arnold Reinhold _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

Phillip Hallam-BakerOn Sun, Feb 24, 2019 at 3:25 PM Arnold Reinhold wrote: > NIST SP 800-185 defines a set of MAC functions (KMAC) derived from SHA3. > > Arnold Reinhold > Perfe 24/02/2019

Phillip Hallam-Baker <phill@hallambaker.com> to Arnold Reinhold 24/02/2019

On Sun, Feb 24, 2019 at 3:25 PM Arnold Reinhold <agr@me.com> wrote: > NIST SP 800-185 defines a set of MAC functions (KMAC) derived from SHA3. > > Arnold Reinhold > Perfect _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

LibreMail

[Cryptography] Best way to create a MAC from SHA3 Crypto

Move Messages

Apply Labels