26

HMAC does nested hashing in order to prevent Length Extension Attacks.

Given that you use the SHA-3 hash (which is resistant against length extension attacks), would you still need to go through that procedure in order to produce a secure MAC?

Needless to say we'd still use a key, which we prepend or append to the message, but is that sufficient for a MAC?

otus
hl3mukkel

2 Answers

28

Given that you use the SHA-3 hash (which is resistant against length extension attacks), would you still need to go through that procedure in order to produce a secure MAC?

No, you don't need to do that, but you can.

Needless to say we'd still use a key, which we prepend or append to the message, but is that sufficient for a MAC?

Yes, you can prepend the message with the key, i.e. use $H(K||M)$.

Quoting the Keccak (SHA3) website:

Unlike SHA-1 and SHA-2, Keccak does not have the length-extension weakness, hence does not need the HMAC nested construction. Instead, MAC computation can be performed by simply prepending the message with the key.

However, the original standard does not specify this MAC mode, only a hash function.

There is now a specification (pdf) of KMAC (and other constructions) based on SHA-3, or specifically the SHAKE extendable output functions. The changes from "prepend key to message" are key padding as well as the inclusion of constants and the output length, which are all done for domain separation.

It is possible to implement KMAC in this form using SHAKE128/SHAKE256 but not using the other SHA-3 variants.

otus
11

KMAC has now been specified in NIST SP 800-185, chapter 4. It is based on cSHAKE128 and cSHAKE256, which both are based on the same Keccak sponge that SHA-3 is. It doesn't use any additional methods to protect against length extension as HMAC does.

Some additional construction on top of the hash is still required to make sure that there are no unfortunate collisions with previously hashed data or - more importantly - key / message pairs. Otherwise it could be that $H(K_1,M_1) = H(K_2,M_2)$ in case $K_1 | M_1 = K_2 | M_2$. This happens if $K_1 = A | X$, $M_1 = B$ and $K_2 = A$ while $M_2 = X | B$ as both would result in $H(A | X | B)$. The $|$ operator is concatenation of course.

So HMAC is indeed unnecessary, but some kind of MAC construction is still needed to keep the key and message apart (unless a fixed key size is used anyway).

Maarten Bodewes
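The key/message boundary ambiguity from the second answer, reproduced with SHA3-256 and shown next to two ways of removing it, as an added example that is not part of either answer. The 2-byte length prefix and `KEY_LEN = 32` are constructed choices for illustration, not the KMAC encoding from SP 800-185.

```python
import hashlib
import hmac

KEY_LEN = 32  # fixed key size in bytes for the unambiguous variant (constructed choice)


def prefix_mac(key: bytes, msg: bytes) -> bytes:
    """'Prepend the key' MAC from the first answer: SHA3-256(K || M).
    Safe against length extension, but the K/M boundary is not encoded."""
    return hashlib.sha3_256(key + msg).digest()


def prefix_mac_fixed_key(key: bytes, msg: bytes) -> bytes:
    """Same construction with a fixed key length, so the boundary is implied."""
    if len(key) != KEY_LEN:
        raise ValueError(f"key must be exactly {KEY_LEN} bytes")
    return hashlib.sha3_256(key + msg).digest()


def prefix_mac_encoded(key: bytes, msg: bytes) -> bytes:
    """Variable-length keys: put the key length in front of the key so that no two
    (key, message) pairs concatenate to the same byte string. This is a minimal,
    constructed form of the domain separation KMAC gets from its padding and
    encoding; it is NOT the SP 800-185 KMAC encoding."""
    if len(key) > 0xFFFF:
        raise ValueError("key too long for a 2-byte length prefix")
    return hashlib.sha3_256(len(key).to_bytes(2, "big") + key + msg).digest()


def hmac_sha3(key: bytes, msg: bytes) -> bytes:
    """HMAC over SHA3-256: still valid ("you can"), just not required."""
    return hmac.new(key, msg, hashlib.sha3_256).digest()


def boundary_collision(a: bytes, x: bytes, b: bytes) -> tuple:
    """The second answer's case: K1 = A|X, M1 = B versus K2 = A, M2 = X|B.
    Returns, per construction, whether the two pairs produce the same tag."""
    k1, m1 = a + x, b
    k2, m2 = a, x + b
    return (
        prefix_mac(k1, m1) == prefix_mac(k2, m2),                  # True: both hash A|X|B
        prefix_mac_encoded(k1, m1) == prefix_mac_encoded(k2, m2),  # False: lengths differ
        hmac_sha3(k1, m1) == hmac_sha3(k2, m2),                    # False: HMAC binds the key
    )


if __name__ == "__main__":
    print(boundary_collision(b"A", b"X", b"B"))  # (True, False, False)
```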