[cryptography] "folded" SHA1 vs HMAC for entropy extraction

Thor Lancelot Simon tls at panix.com
Thu Jan 5 18:59:23 EST 2012

On Thu, Jan 05, 2012 at 05:51:57PM -0600, Marsh Ray wrote:
> On 01/05/2012 03:46 PM, Thor Lancelot Simon wrote:
> >I am asking whether the
> >use of HMAC with two different, well known keys, one for each purpose,
> >is better or worse than using the "folded" output of a single SHA
> >invocation for one purpose and the unfolded output of that same
> >invocation for the other.
> But you don't need HMAC for this, HMAC's properties are evaluated
> for authentication.
> What this usage needs is a tweakable one-way compression function.
> Like, say, a hash function with a different fixed input prefix for
> each operation. Having your tweak values a fixed size is a good
> idea.
> HMAC is doing something similar, but using the secret key as the
> prefix. It expands the secret to the same size as the hash
> function's input block (usually 512 bits). Having them take up a
> whole input block might improve performance a little in some
> implementations because the intermediate state you have to store is
> smaller and in this case it could even be compile-time constant.

FWIW, using HMAC like this is the "extract" step of the two-step
extract-expand HMAC-based construction that is HKDF:


HMAC does have some other desirable properties that the raw
hash functions do not, no?  I thought HMAC met the strict avalanche
criterion, while SHA1 does not, and that this was one of the reasons
why truncation of HMAC results was considered safer than truncation
of raw hash results.  In this application, the result will often be
truncated when it is used, which is another reason why I -- naive
crypto-plumber though I am -- thought HMAC might be a better choice.
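The two constructions under discussion side by side, as an added worked example (not code from the thread or from any poster): a single SHA-1 invocation whose unfolded and folded outputs serve the two purposes, versus two HMAC-SHA1 invocations with distinct well-known keys, with HKDF-Extract included as the form Marsh's reply points at. The purpose labels and the folding width are assumptions chosen for illustration.

```python
import hashlib
import hmac


def fold(digest: bytes) -> bytes:
    """Fold a digest in half by XORing the two halves (assumed folding rule)."""
    half = len(digest) // 2
    return bytes(a ^ b for a, b in zip(digest[:half], digest[half:]))


def folded_sha1(pool: bytes):
    """One SHA-1 invocation: the full 160-bit digest for one purpose and the
    80-bit folded digest for the other. Note the folded value is a pure
    function of the unfolded one, so the two outputs are not independent."""
    full = hashlib.sha1(pool).digest()
    return full, fold(full)


def hmac_two_keys(pool: bytes, key_a: bytes = b"purpose-A", key_b: bytes = b"purpose-B"):
    """Two HMAC-SHA1 invocations over the same pool with distinct public keys
    (the keys are assumed labels; any fixed, distinct byte strings work).
    Each output is a separate PRF evaluation rather than a slice of the other."""
    out_a = hmac.new(key_a, pool, hashlib.sha1).digest()
    out_b = hmac.new(key_b, pool, hashlib.sha1).digest()
    return out_a, out_b


def hkdf_extract(salt: bytes, ikm: bytes, hashmod=hashlib.sha256) -> bytes:
    """HKDF-Extract per RFC 5869: PRK = HMAC-Hash(salt, IKM), i.e. HMAC keyed
    with a public, non-secret salt over the input keying material. An empty
    salt is replaced by HashLen zero bytes, as the RFC specifies."""
    if not salt:
        salt = b"\x00" * hashmod().digest_size
    return hmac.new(salt, ikm, hashmod).digest()


if __name__ == "__main__":
    pool = b"constructed entropy pool contents"  # constructed sample input
    full, folded = folded_sha1(pool)
    out_a, out_b = hmac_two_keys(pool)
    print("sha1 unfolded:", full.hex())
    print("sha1 folded:  ", folded.hex())
    print("hmac key A:   ", out_a.hex())
    print("hmac key B:   ", out_b.hex())
    print("hkdf prk:     ", hkdf_extract(bytes(range(13)), b"\x0b" * 22).hex())
```

The final `hkdf_extract` call uses RFC 5869 test case 1 (salt 00..0c, IKM 22 bytes of 0x0b), so the printed PRK can be checked against the RFC.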


More information about the cryptography mailing list