International Association for Cryptologic Research

When Messages are Keys: Is HMAC a dual-PRF?

Matilda Backendal , ETH Zurich
Mihir Bellare , University of California San Diego
Felix Günther , ETH Zurich
Matteo Scarlata , ETH Zurich
DOI: 10.1007/978-3-031-38548-3_22
Presentation: Slides
Conference: CRYPTO 2023
Abstract: In Internet security protocols including TLS 1.3, KEMTLS, MLS and Noise, HMAC is assumed to be a dual-PRF, meaning a PRF not only when keyed conventionally (through its first input), but also when "swapped" and keyed (unconventionally) through its second (message) input, as happens when HKDF-Extract(salt, IKM) = HMAC(salt, IKM) is applied to a secret IKM. We give the first in-depth analysis of the dual-PRF assumption on HMAC. For the swap case, we note that security does not hold in general, but completely characterize when it does: we show that HMAC is swap-PRF secure if and only if keys are restricted to sets satisfying a condition, which we call feasibility and which holds in applications. The sufficiency is shown by proof and the necessity by attacks. For the conventional PRF case, we fill a gap in the literature by proving PRF security of HMAC for keys of arbitrary length. Our proofs are in the standard model, make assumptions only on the compression function underlying the hash function, and give good bounds in the multi-user setting. The positive results are strengthened by achieving a new notion of variable key-length PRF security that guarantees security even if different users use keys of different lengths, as happens in practice.
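The swap use the abstract describes, as an added example that is not code from the paper or its authors: HMAC-SHA256 written out per RFC 2104 so that the key preprocessing (hashing of keys longer than the block size, zero-padding of shorter ones) is explicit, a swapped wrapper that puts the secret in the message slot, and a two-query distinguisher that exploits exactly that preprocessing when the key-slot inputs may have arbitrary length. The names (swapped, key_slot_aliases, swap_distinguisher, the allowed predicate) and the sample inputs are my own constructions. The paper's feasibility condition and its attacks are not reproduced on this page; the fixed-length restriction shown below only illustrates the kind of key-set restriction the abstract refers to, not the paper's exact condition.

```python
import hashlib
import hmac
import os
from typing import Callable

BLOCK = 64  # SHA-256 block size B in bytes; HMAC's key handling is relative to B
IPAD = bytes([0x36]) * BLOCK
OPAD = bytes([0x5C]) * BLOCK


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 per RFC 2104, written out so the key preprocessing is visible:
    a key longer than B is replaced by H(key), then the key is right-padded with
    zero bytes to B bytes before the ipad/opad XORs."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()
    k = key.ljust(BLOCK, b"\x00")
    inner = hashlib.sha256(bytes(a ^ b for a, b in zip(k, IPAD)) + msg).digest()
    return hashlib.sha256(bytes(a ^ b for a, b in zip(k, OPAD)) + inner).digest()


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check the hand-written HMAC against Python's hmac module."""
    return hmac.compare_digest(hmac_sha256(key, msg),
                               hmac.new(key, msg, hashlib.sha256).digest())


def conventional(key: bytes, msg: bytes) -> bytes:
    """Conventional PRF use: the secret is HMAC's first (key) input."""
    return hmac_sha256(key, msg)


def swapped(secret: bytes, x: bytes) -> bytes:
    """Swap use: the secret sits in HMAC's second (message) slot and the caller's
    input x lands in the key slot, as in HKDF-Extract(salt, IKM) = HMAC(salt, IKM)
    with a secret IKM."""
    return hmac_sha256(x, secret)


def key_slot_aliases(x: bytes) -> list[bytes]:
    """Distinct byte strings that HMAC's key preprocessing maps to the same
    effective key as x. Both cases follow directly from hmac_sha256 above."""
    aliases = []
    if len(x) < BLOCK:
        aliases.append(x + b"\x00")                  # zero-padding absorbs a trailing 0x00
    if len(x) > BLOCK:
        aliases.append(hashlib.sha256(x).digest())   # a long key is replaced by its hash
    return aliases


def random_function_oracle() -> Callable[[bytes], bytes]:
    """Lazily sampled random function with 32-byte outputs: the ideal side of the
    PRF game that swapped(secret, .) is supposed to be indistinguishable from."""
    table: dict[bytes, bytes] = {}

    def f(x: bytes) -> bytes:
        if x not in table:
            table[x] = os.urandom(32)
        return table[x]
    return f


def swap_distinguisher(oracle: Callable[[bytes], bytes], x: bytes,
                       allowed: Callable[[bytes], bool] = lambda _k: True) -> bool:
    """Two-query distinguisher for the swap game. It queries x and each alias of x
    that the key set (the allowed predicate) permits; equal outputs mean "real
    HMAC", since a random function collides on two distinct inputs with
    probability 2^-256. Returns True when the break succeeds."""
    y = oracle(x)
    return any(allowed(x2) and oracle(x2) == y for x2 in key_slot_aliases(x))


if __name__ == "__main__":
    secret = os.urandom(32)                          # constructed sample secret
    real = lambda x: swapped(secret, x)
    x32 = bytes(range(32))                           # constructed 32-byte key-slot input
    print("short key-slot input, any length allowed:",
          swap_distinguisher(real, b"salt"))          # HMAC(x, s) == HMAC(x||00, s)
    print("long key-slot input, any length allowed:",
          swap_distinguisher(real, bytes(65)))        # HMAC(x, s) == HMAC(H(x), s)
    print("key-slot inputs fixed to 32 bytes:",
          swap_distinguisher(real, x32, lambda k: len(k) == 32))
    print("against a random function:",
          swap_distinguisher(random_function_oracle(), b"salt"))
```

The same aliasing is harmless in the conventional direction: there the key-slot value is the secret, the adversary never gets to query the function under a related key, and two keys that HMAC preprocesses identically simply coincide as secrets. In the swap direction the key-slot value is adversarial, so any pair of distinct inputs that HMAC preprocesses to the same padded block is a break, which is why the swap case needs a restriction on the key set while the conventional case does not. Restricting the key-slot inputs to a single length removes both alias families above; whether a given key set is feasible in the paper's sense is the stronger question the paper answers and this page does not.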
  title={When Messages are Keys: Is HMAC a dual-PRF?},
  author={Matilda Backendal and Mihir Bellare and Felix Günther and Matteo Scarlata},