[cryptography] "folded" SHA1 vs HMAC for entropy extraction
marsh at extendedsubset.com
Thu Jan 5 18:51:57 EST 2012
On 01/05/2012 03:46 PM, Thor Lancelot Simon wrote:

> I am asking whether the
> use of HMAC with two different, well known keys, one for each purpose,
> is better or worse than using the "folded" output of a single SHA
> invocation for one purpose and the unfolded output of that same
> invocation for the other.

But you don't need HMAC for this, HMAC's properties are evaluated for

What this usage needs is a tweakable one-way compression function. Like,
say, a hash function with a different fixed input prefix for each
operation. Having your tweak values a fixed size is a good idea.

HMAC is doing something similar, but using the secret key as the prefix.
It expands the secret to the same size as the hash function's input
block (usually 512 bits). Having them take up a whole input block might
improve performance a little in some implementations because the
intermediate state you have to store is smaller and in this case it
could even be compile-time constant.

I don't like this idea of folding the output with XOR, especially down
to 80 or 64 bits. (Actually, if you look at the details of MD5/SHA-(1,2)
it already does some similar 'folding' using addition-mod-32 from twice
the output size as the last step before output.)

The source code I saw (Linux kernel maybe?) had a comment indicating
they were folding the output out of fear that the statistical properties
of plain MD5 might be biased. Although this may have once been an open
question, I don't think it's a valid concern any more. Rather, if you
believe the output of your one-way compression function might be
observably biased, then you ought to be using something else!

IMHO, tweaked SHA-2-256 (or SHA-2-512/256 whichever is faster) should
work fine here.
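To make the three constructions being compared concrete, here is an added example in Python (my own illustration, not code from this thread and not the kernel source Marsh refers to). It shows (a) the "folded" SHA-1 approach, where one digest is XOR-folded to 80 bits for one purpose and used unfolded for the other, (b) HMAC with two constructed, public per-purpose keys, written out by hand so the block-sized key padding Marsh describes is visible, and (c) a tweaked hash with a fixed 8-byte prefix per operation. The purpose labels, the 8-byte tweak width and the key strings are assumptions chosen for the illustration.

```python
import hashlib
import hmac

# Constructed example; TWEAK_LEN and the purpose labels below are
# assumptions made for illustration, not values from the thread.
TWEAK_LEN = 8            # fixed-size tweak, as the post recommends
SHA256_BLOCK = 64        # SHA-256 input block is 512 bits


def fold_xor(digest: bytes, out_len: int) -> bytes:
    """Fold a digest down to out_len bytes by XOR.

    Byte i of the input is XORed into position i % out_len, so any
    digest width folds to any smaller width: 20 -> 10 bytes gives the
    80-bit value discussed in the thread, 20 -> 8 gives 64 bits.
    """
    if not 0 < out_len <= len(digest):
        raise ValueError("out_len must be between 1 and len(digest)")
    out = bytearray(out_len)
    for i, b in enumerate(digest):
        out[i % out_len] ^= b
    return bytes(out)


def folded_sha1(data: bytes, out_len: int = 10) -> tuple[bytes, bytes]:
    """One SHA-1 invocation: folded output for one purpose, the full
    20-byte output for the other (the construction Thor asks about).
    Note the folded value is a fixed function of the unfolded one."""
    full = hashlib.sha1(data).digest()
    return fold_xor(full, out_len), full


def manual_hmac_sha256(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 spelled out: the key is zero-padded to one full
    input block (hashed first if longer), so the inner and outer
    prefixes each occupy exactly one block. With a fixed, known key
    the state after absorbing each prefix is a constant."""
    if len(key) > SHA256_BLOCK:
        key = hashlib.sha256(key).digest()
    key = key.ljust(SHA256_BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + data).digest()
    return hashlib.sha256(opad + inner).digest()


# Two public, per-purpose keys (constructed labels, not secrets).
PURPOSE_A_KEY = b"purpose-A"
PURPOSE_B_KEY = b"purpose-B"


def hmac_separated(data: bytes) -> tuple[bytes, bytes]:
    """Thor's alternative: HMAC with a different well-known key per purpose."""
    return (manual_hmac_sha256(PURPOSE_A_KEY, data),
            manual_hmac_sha256(PURPOSE_B_KEY, data))


def tweaked_hash(tweak: bytes, data: bytes) -> bytes:
    """Marsh's suggestion: SHA-256 over a fixed-size tweak prefix plus
    the input. Enforcing one tweak width keeps the boundary between
    tweak and data unambiguous."""
    if len(tweak) != TWEAK_LEN:
        raise ValueError(f"tweak must be exactly {TWEAK_LEN} bytes")
    return hashlib.sha256(tweak + data).digest()


if __name__ == "__main__":
    sample = b"constructed entropy pool contents"
    folded, full = folded_sha1(sample)
    print("folded SHA-1 (80 bits):", folded.hex())
    print("full SHA-1:             ", full.hex())
    a, b = hmac_separated(sample)
    print("HMAC purpose A:", a.hex())
    print("HMAC purpose B:", b.hex())
    print("tweaked A:", tweaked_hash(b"PURPOSEA", sample).hex())
    print("tweaked B:", tweaked_hash(b"PURPOSEB", sample).hex())
```

The hand-written HMAC matches the standard library's `hmac` module and exists only to show the block-sized key expansion; in real code use `hmac.new(key, data, hashlib.sha256)`.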