Is HMAC-SHA512 quantum safe? I am planning to use it for an encrypt-then-MAC scheme with AES-256-CFB mode for a post-quantum-safe, PGP-like protocol.
1 Answer
2
Yes, HMAC-SHA512 offers at least a 256-bit security level assuming a 256-bit+ key. Specifically, 256-bit collision resistance and 512-bit preimage/second preimage resistance, which is more important for MACs.
A 512-bit key is unnecessary as 512-bit preimage/second preimage resistance is excessive. However, it can be good for domain separation, and a key as long as the output length is often recommended so you don't get a security reduction.
Just make sure you derive a separate encryption key and MAC key using a KDF with the same input keying material. That's good practice and makes Encrypt-then-MAC committing.
samuel-lucas6
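The construction described in the answer above, as an added example that is not the answerer's code: one input keying material, two keys derived from it, AES-256-CFB for encryption and HMAC-SHA512 checked before decryption. The choice of HKDF-SHA512 as the KDF, the `info` labels, the random per-message salt and the message layout are assumptions made for illustration.

```javascript
// Added example for Node.js. HKDF-SHA512, the labels and the layout
// salt(32) || iv(16) || ciphertext || tag(64) are assumptions, not from the page.
const crypto = require("node:crypto");

// Derive independent encryption and MAC keys from the same input keying
// material. Distinct `info` labels give domain separation between them.
function deriveKeys(ikm, salt) {
  const encKey = Buffer.from(crypto.hkdfSync("sha512", ikm, salt, "example v1 enc", 32));
  const macKey = Buffer.from(crypto.hkdfSync("sha512", ikm, salt, "example v1 mac", 64));
  return { encKey, macKey };
}

// HMAC-SHA512 over the IV and ciphertext. The salt is covered indirectly:
// changing it changes the derived MAC key, so the tag no longer verifies.
function computeTag(macKey, iv, ct) {
  return crypto.createHmac("sha512", macKey).update(iv).update(ct).digest();
}

function seal(ikm, plaintext) {
  const salt = crypto.randomBytes(32);
  const iv = crypto.randomBytes(16); // must be unpredictable and unique per message
  const { encKey, macKey } = deriveKeys(ikm, salt);
  const cipher = crypto.createCipheriv("aes-256-cfb", encKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, iv, ct, computeTag(macKey, iv, ct)]);
}

function open(ikm, msg) {
  if (msg.length < 32 + 16 + 64) throw new Error("message too short");
  const salt = msg.subarray(0, 32);
  const iv = msg.subarray(32, 48);
  const ct = msg.subarray(48, msg.length - 64);
  const received = msg.subarray(msg.length - 64);
  const { encKey, macKey } = deriveKeys(ikm, salt);
  // Encrypt-then-MAC: verify the tag in constant time before any decryption.
  if (!crypto.timingSafeEqual(received, computeTag(macKey, iv, ct))) {
    throw new Error("authentication failed");
  }
  const decipher = crypto.createDecipheriv("aes-256-cfb", encKey, iv);
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}
```

The full 64-byte tag is kept rather than truncated, and `open` never touches the decryption key path for a message whose tag does not verify.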