12

I am planning to implement a MAC function for the SHA3. I read that its latest variant is KMAC. I am confused by the comments on the http://keccak.noekeon.org/ website. It says...

Unlike SHA-1 and SHA-2, Keccak does not have the length-extension weakness, hence does not need the HMAC nested construction. Instead, MAC computation can be performed by simply prepending the message with the key.

Also

KMAC is a keyed hash function or pseudo-random function (PRF) that can be used, e.g., to compute a message authentication code (MAC) or to derive a session key from a master key. It is more efficient than HMAC by removing the need for HMAC's nested construction.

So if I want to implement a MAC function, can I just do the first method? Just pad the message with the key and do the hash? Or do I need to follow the KMAC steps?

KMAC128(K, X, L, S):

Validity Conditions: $len(K) < 2^{2040}$ and $0 \leq L < 2^{2040}$ and $len(S) < 2^{2040}$

  1. newX = bytepad(encode_string(K), 168) || X || right_encode(L).
  2. return cSHAKE128(newX, L, “KMAC”, S).

Could anyone help? Which method should we use?
kelalaka
ajith

2 Answers

7

The prefix-PRF function $F_k\colon m \mapsto H(k \mathbin\| m)$ is conjectured to be a pseudorandom function family—and therefore a good MAC—under the key $k$ when $H$ is any of the fixed SHA-3 functions SHA3-256, SHAKE128, etc. This was an explicit design goal of SHA-3.

However, it also coincides with the fixed functions on some inputs: you could use $F_k(m)$ in one part of your application as a secret, and reveal the fixed hash under $H$ of the string $k \mathbin\| m$ for some reason, and as soon as you've done that, your security flies out the window.

The benefit of using $\operatorname{KMAC128}_k(m)$ instead of $H(k \mathbin\| m)$ is that there is no danger of such colliding uses.

Finally, while you technically can use HMAC with SHA-3, there's no point because KMAC and prefix-PRF are perfectly good choices with SHA-3, and are simpler and faster than HMAC.

Squeamish Ossifrage
4

So if I want to implement a MAC function, can I just do the first method? Just pad the message with the key and do the hash?

Yes, $mac = \text{SHA3}(k||m)$ is a secure MAC if $k$ is a fixed-length key. This is an explicit design goal of SHA3.

You can also rely on HMAC or KMAC instantiated with SHA3. These will also give you secure MACs but the added complexity is not necessary.

real-or-random
  • Just to put this out there, the mac should actually be: mac = SHA3(k || constant || m), is that a key and message "a" + "bc" = "ab" + "c" (where + is concatenation). The constant can simply be a space. (This is just a nitpick, but since future devs might see this, I would definitely put that out there.) – 09182736471890 Nov 27 '19 at 07:11
  • @09182736471890: My answer assumed that k is a fixed-length key and states this assumption. If k is not fixed-length, then you definitively need some way to encode the pair (k,m). However, I don't think that using a space will work: k or m could contain spaces, too. And then it's ambiguous. – real-or-random Nov 28 '19 at 09:08
  • The constant just has to be any character which isn't used by k or m, if spaces are unreliable, then use whatever character or string of characters you need. I like using "||" since any keys are unlikely to have those characters. – 09182736471890 Nov 28 '19 at 19:23
  • @09182736471890: What is the purpose of the constant? – Brandon Mar 18 '22 at 06:19
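
The encoding question raised in the comments, as an added example (not code from the answers or from the Keccak team): it builds the KMAC128 step 1 input with the SP 800-185 encoding helpers and compares it with plain and separator-based concatenation when the key length varies. The names `kmac128_input`, `prefix_mac`, `separator_mac` and `demo` are assumptions made for this example, and the inputs are constructed.

```python
import hashlib

# Encoding helpers as defined in NIST SP 800-185 (string lengths are in bits).
def left_encode(x: int) -> bytes:
    n = max(1, (x.bit_length() + 7) // 8)
    return bytes([n]) + x.to_bytes(n, "big")

def right_encode(x: int) -> bytes:
    n = max(1, (x.bit_length() + 7) // 8)
    return x.to_bytes(n, "big") + bytes([n])

def encode_string(s: bytes) -> bytes:
    return left_encode(8 * len(s)) + s

def bytepad(x: bytes, w: int) -> bytes:
    z = left_encode(w) + x
    return z + b"\x00" * (-len(z) % w)

def kmac128_input(key: bytes, msg: bytes, out_bits: int) -> bytes:
    """Step 1 of KMAC128 as quoted in the question: the string passed to cSHAKE128.
    hashlib offers SHAKE but not cSHAKE, so step 2 is not performed here."""
    return bytepad(encode_string(key), 168) + msg + right_encode(out_bits)

def prefix_mac(key: bytes, msg: bytes) -> bytes:
    """SHA3-256(k || m): unambiguous only when k has a fixed length."""
    return hashlib.sha3_256(key + msg).digest()

def separator_mac(key: bytes, msg: bytes, sep: bytes = b"||") -> bytes:
    """SHA3-256(k || sep || m): the separator variant proposed in the comments."""
    return hashlib.sha3_256(key + sep + msg).digest()

def demo() -> dict:
    # Constructed (key, message) pairs that concatenate to the same byte string.
    return {
        "prefix_same_tag": prefix_mac(b"a", b"bc") == prefix_mac(b"ab", b"c"),
        "separator_same_tag":
            separator_mac(b"a||b", b"c") == separator_mac(b"a", b"b||c"),
        "kmac_same_input":
            kmac128_input(b"a", b"bc", 256) == kmac128_input(b"ab", b"c", 256),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With variable-length keys the first two constructions hash the same string for different (key, message) pairs, while the length prefix written by `encode_string` keeps the KMAC inputs distinct.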