[Resource Topic] 2023/1305: About “$k$-bit security” of MACs based on hash function Streebog

Welcome to the resource topic for 2023/1305

About “$k$-bit security” of MACs based on hash function Streebog

Authors: Vitaly Kiryukhin


Various message authentication codes (MACs), including HMAC-Streebog and Streebog-K, are based on the keyless hash function Streebog. Under the assumption that the compression function of Streebog is resistant to the related key attacks, the security proofs of these algorithms were recently presented at CTCrypt 2022.

We carefully detail the resources of the adversary in the related key settings, revisit the proof, and obtain tight security bounds. Let n be the bit length of the hash function state. If the amount of processed data is less than about 2^{n-k} blocks, then for HMAC-Streebog-512 and Streebog-K, the only effective method of forgery (or distinguishing) is guessing the k-bit secret key or the tag if it is shorter than the key. So, we can speak about ``k-bit security’’ without specifying the amount of material, if the key length is no longer than half of a state. The bound for HMAC-Streebog-256 is worse and equal to 2^{\frac{n}{2}-k} blocks.

ePrint: https://eprint.iacr.org/2023/1305

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .