[cryptography] "folded" SHA1 vs HMAC for entropy extraction

Marsh Ray marsh at extendedsubset.com
Thu Jan 5 18:51:57 EST 2012

On 01/05/2012 03:46 PM, Thor Lancelot Simon wrote:
> I am asking whether the
> use of HMAC with two different, well known keys, one for each purpose,
> is better or worse than using the "folded" output of a single SHA
> invocation for one purpose and the unfolded output of that same
> invocation for the other.

But you don't need HMAC for this, HMAC's properties are evaluated for 

What this usage needs is a tweakable one-way compression function. Like, 
say, a hash function with a different fixed input prefix for each 
operation. Having your tweak values a fixed size is a good idea.

HMAC is doing something similar, but using the secret key as the prefix. 
It expands the secret to the same size as the hash function's input 
block (usually 512 bits). Having them take up a whole input block might 
improve performance a little in some implementations because the 
intermediate state you have to store is smaller and in this case it 
could even be compile-time constant.

I don't like this idea of folding the output with XOR, especially down 
to 80 or 64 bits. (Actually, if you look at the details of MD5/SHA-(1,2) 
it already does some similar 'folding' using addition-mod-32 from twice 
the output size as the last step before output.)

The source code I saw (Linux kernel maybe?) had a comment indicating 
they were folding the output out of fear that the statistical properties 
of plain MD5 might be biased. Although this may have once been an open 
question, I don't think it's a valid concern any more. Rather, if you 
believe the output of your one-way compression function might be 
observably biased, then you ought to be using something else!

IMHO, tweaked SHA-2-256 (or SHA-2-512/256 whichever is faster) should 
work fine here.

- Marsh
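The three constructions discussed in this thread side by side, as an added example (not code from the post or from any kernel source): a tweaked SHA-256 with a fixed-size per-purpose prefix, HMAC with a well-known key per purpose, and the XOR-folding of a single SHA-1 output that the post argues against. The tweak labels and the sample input are constructed for the example; the 16-byte tweak length is an assumption chosen to match the "fixed size" advice above.

```python
import hashlib
import hmac
from typing import Tuple

# Fixed-size tweak labels, one per purpose (constructed for this example).
TWEAK_LEN = 16
TWEAK_POOL_OUT = b"pool-output-v1\x00\x00"   # 14 bytes + 2 bytes of padding
TWEAK_POOL_FB = b"pool-feedback-v1"          # exactly 16 bytes


def tweaked_extract(tweak: bytes, data: bytes) -> bytes:
    """Tweakable one-way compression: hash a fixed-size tweak prefix
    followed by the input. The same input under different tweaks yields
    independent outputs, so one hash invocation per purpose suffices."""
    if len(tweak) != TWEAK_LEN:
        raise ValueError("tweak must be exactly %d bytes" % TWEAK_LEN)
    return hashlib.sha256(tweak + data).digest()


def hmac_extract(key: bytes, data: bytes) -> bytes:
    """The HMAC alternative from the quoted question: a well-known fixed
    key per purpose. HMAC pads the key out to the hash's 64-byte input
    block before prefixing it, which is the expansion the post describes."""
    return hmac.new(key, data, hashlib.sha256).digest()


def fold_xor(digest: bytes) -> bytes:
    """XOR the two halves of a digest, halving its width
    (e.g. a 160-bit SHA-1 digest down to 80 bits)."""
    half = len(digest) // 2
    return bytes(a ^ b for a, b in zip(digest[:half], digest[half:]))


def folded_sha1(data: bytes) -> Tuple[bytes, bytes]:
    """The single-invocation scheme: unfolded SHA-1 output for one purpose,
    the folded output of the same invocation for the other."""
    full = hashlib.sha1(data).digest()
    return full, fold_xor(full)


if __name__ == "__main__":
    sample = b"constructed entropy pool contents"   # constructed input
    print("tweaked (out):", tweaked_extract(TWEAK_POOL_OUT, sample).hex())
    print("tweaked (fb): ", tweaked_extract(TWEAK_POOL_FB, sample).hex())
    print("hmac (out):   ", hmac_extract(b"pool-output", sample).hex())
    full, folded = folded_sha1(sample)
    print("sha1 full:    ", full.hex())
    print("sha1 folded:  ", folded.hex())
```

Note that in the folded scheme the two outputs are related by a public linear function of the same digest, whereas the tweaked and HMAC variants produce outputs that are independent for all practical purposes; the tweaked form needs no key schedule and its prefix block can be precomputed as a constant.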
