[Cryptography] Best way to create a MAC from SHA3
Jon Callas
jon at callas.org
Fri Feb 22 15:37:08 EST 2019
> On Feb 22, 2019, at 12:10 PM, Phillip Hallam-Baker <phill at hallambaker.com> wrote:
>
> I am just finishing off the UDF draft.
>
> What is the best way to create a MAC from a SHA3 digest function? For this application I need a 512 bit output so no need to SHAKE.
>
> HMAC is an obvious choice but it was designed to overcome the limitations of Merkle Damgard construction. Is there a more appropriate, spongeworthy choice?
Each of the SHA3 finalists had as a feature that a keyed hash is as good as a MAC. Keccak and Skein explicitly had one-pass MACs in them. Keccak’s one-pass MAC evolved into SHAKE and I’m not an expert on where else it might be around.
Thus, I first ask, “Oh, really? SHAKE is too much?” then agree with you that HMAC is overkill (I mean, if you don’t want to use SHAKE, you really don’t want to HMAC), and observe that a keyed hash is pretty likely good enough, and I bet you can get a proof of security for it, even if the proof is a hand wave.
Jon
More information about the cryptography
mailing list