I am planning to implement a MAC function for the SHA-3. I read that its latest variant is KMAC. I am confused by the comments on the Keccak website.

It says:

Unlike SHA-1 and SHA-2, Keccak does not have the length-extension weakness, hence does not need the HMAC nested construction. Instead, MAC computation can be performed by simply prepending the message with the key.

And:

KMAC is a keyed hash function or pseudo-random function (PRF) that can be used, e.g., to compute a message authentication code (MAC) or to derive a session key from a master key. It is more efficient than HMAC by removing the need for HMAC's nested construction.

So if I want to implement a MAC function, can I just use the first method, i.e. just pad the message with the key and do the hash? Or do I need to follow the KMAC steps?

KMAC128(K, X, L, S):
Validity conditions: $\operatorname{len}(K) < 2^{2040}$, $0 \leq L < 2^{2040}$ and $\operatorname{len}(S) < 2^{2040}$

  1. newX = bytepad(encode_string(K), 168) || X || right_encode(L).
  2. return cSHAKE128(newX, L, "KMAC", S).

Which method should we use?

Maarten Bodewes
ajith

2 Answers

The prefix-PRF function $F_k\colon m \mapsto H(k \mathbin\| m)$ is conjectured to be a pseudorandom function family—and therefore a good MAC—under the key $k$ when $H$ is any of the fixed SHA-3 functions SHA3-256, SHAKE128, etc. This was an explicit design goal of SHA-3.

However, it also coincides with the fixed functions on some inputs: you could use $F_k(m)$ in one part of your application as a secret, and reveal the fixed hash under $H$ of the string $k \mathbin\| m$ for some reason, and as soon as you've done that, your security flies out the window.

The benefit of using $\operatorname{KMAC128}_k(m)$ instead of $H(k \mathbin\| m)$ is that there is no danger of such colliding uses.

Finally, while you technically can use HMAC with SHA-3, there's no point because KMAC and prefix-PRF are perfectly good choices with SHA-3, and are simpler and faster than HMAC.

Squeamish Ossifrage


So if I want to implement a MAC function, can I just do the first method? Just pad the message with the key and do the hash?

Yes, $mac = \text{SHA3}(k||m)$ is a secure MAC if $k$ is a fixed-length key. This is an explicit design goal of SHA3.

You can also rely on HMAC or KMAC instantiated with SHA3. These will also give you secure MACs but the added complexity is not necessary.

real-or-random