The crypto_auth function produces a 256-bit HMAC, with a 512-bit version also available. But the crypto_onetimeauth function (and the Box and SecretBox constructions that use it) only produces a 128-bit authenticator. Is there any particular reason NaCl doesn't include a 128-bit HMAC function?
Jack O'Connor
1 Answer
There are two things to consider.
First is that the security models differ: crypto_onetimeauth only has to be secure for one message, while crypto_auth needs to be secure for any (practical) number of messages. The reason crypto_secretbox gets away with using the Poly1305 authenticator internally is that it generates message-specific authentication keys based on the nonce.
Second is the size of the authenticator. There is no very secure 128-bit hash function – using MD5 would be iffy even if it is not known to be broken in HMAC. You could still truncate HMAC-SHA256 and get a 128-bit authentication tag, but that would require assuming more than just the security of SHA-256.
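The two 128-bit options the answer contrasts, as an added example that is not part of the answer or of NaCl's code: a Poly1305 tag under a key derived freshly per nonce, next to a truncated HMAC-SHA256 tag under one long-term key. Assumptions: `derive_onetime_key` uses HMAC-SHA256 as a stand-in PRF (crypto_secretbox takes the Poly1305 key from its XSalsa20 keystream instead), the function names are hypothetical, and the key and nonces in the demo are constructed sample values.

```python
import hashlib
import hmac

P1305 = (1 << 130) - 5
R_CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff

def poly1305(otk: bytes, msg: bytes) -> bytes:
    """Poly1305 as specified in RFC 8439: 32-byte one-time key -> 16-byte tag.
    Python integers are not constant-time, so this is for study, not production."""
    if len(otk) != 32:
        raise ValueError("one-time key must be 32 bytes")
    r = int.from_bytes(otk[:16], "little") & R_CLAMP
    s = int.from_bytes(otk[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        # Each block gets a 0x01 byte appended before being read as an integer.
        block = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        acc = (acc + block) * r % P1305
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def derive_onetime_key(key: bytes, nonce: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the stream-cipher keystream that
    # secretbox uses; the point is one fresh Poly1305 key per (key, nonce).
    return hmac.new(key, b"otk" + nonce, hashlib.sha256).digest()

def box_style_tag(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """128-bit tag; safe for many messages only if a nonce never repeats."""
    return poly1305(derive_onetime_key(key, nonce), msg)

def truncated_hmac_tag(key: bytes, msg: bytes) -> bytes:
    """128-bit tag from HMAC-SHA256 truncation; the same key covers many messages."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]

def verify(expected: bytes, received: bytes) -> bool:
    return hmac.compare_digest(expected, received)  # constant-time compare

# Published test vector from RFC 8439, section 2.5.2.
RFC_KEY = bytes.fromhex("85d6be7857556d337f4452fe42d506a8"
                        "0103808afb0db2fd4abff6af4149f51b")
RFC_MSG = b"Cryptographic Forum Research Group"
RFC_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")

if __name__ == "__main__":
    key = bytes(range(32))                 # constructed sample key
    n1, n2 = b"\x00" * 24, b"\x01" * 24    # constructed sample nonces
    print(poly1305(RFC_KEY, RFC_MSG) == RFC_TAG)
    print(box_style_tag(key, n1, b"hello").hex())
    print(box_style_tag(key, n2, b"hello").hex())
    print(truncated_hmac_tag(key, b"hello").hex())
```
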